Further to my last reply, I've tested with the following, which I think does what you need:

<form version="1.1">
  <label>Testing</label>
  <row>
    <panel>
      <title>Support cases</title>
      <table id="myTable">
        <search>
          <query>index=_internal | head 3 | eval "Time (UTC)"=_time | eval "Support ID"="Testing" | eval _epoch_time=_time, _epoch_plus60=_time+60 | table "Support ID", "Time (UTC)", _time, _epoch_time, _epoch_plus60</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <!-- Drilldown Configuration -->
        <!-- Enable row-level drilldown -->
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">/app/search/search?q=search index=sony* sourcetype=sony_logs support_id="$click.value$"&amp;earliest=$row._epoch_time$&amp;latest=$row._epoch_plus60$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
The Splunk documentation says that the order rule is lexicographic. I am trying to sort the following values:

| makeresults | eval fruit="apple"
| append [ | makeresults | eval fruit="Banana" ]
| append [ | makeresults | eval fruit="zebra" ]
| append [ | makeresults | eval fruit="10" ]
| append [ | makeresults | eval fruit="2" ]
| append [ | makeresults | eval fruit="20" ]
| append [ | makeresults | eval fruit="30" ]
| append [ | makeresults | eval fruit="3" ]
| append [ | makeresults | eval fruit="1" ]
| append [ | makeresults | eval fruit="25" ]
| append [ | makeresults | eval fruit="38" ]
| table fruit
| sort fruit

The output I am getting is:

1, 2, 3, 10, 20, 25, 30, 38, Banana, apple, zebra

I understand that Banana appears before apple because B < a. But what is up with string numerics? Shouldn't the order be:

1, 10, 2, 20, 25, 3, 30, 38, Banana, apple, zebra ?

Even the documentation says that between 10, 9, 70, 100 the sorted output should be 10, 100, 70, 90.

https://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/9.2/search-commands/sort
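To make the two orderings in the question concrete, here is an added example (not part of the post and not Splunk code) that sorts the same eleven values two ways in plain Python: once byte-wise lexicographically, which is the order the poster expected, and once with values that parse as numbers placed first and compared as numbers, which is the order the poster observed. The sample list is copied from the question; the "numeric first" key is the editor's own illustration of a collation, not a statement about how Splunk's sort command is implemented.

```python
"""Added example: lexicographic vs 'numeric values first' collation.

Not Splunk code; only shows why the same mixed string/number values come
out in two different orders under the two collations discussed above.
"""
import re

_NUMBER = re.compile(r"^-?\d+(\.\d+)?$")


def lexicographic(values):
    # Plain byte-wise comparison: "10" < "2" because "1" < "2", and
    # "Banana" < "apple" because ASCII uppercase sorts before lowercase.
    return sorted(values)


def _numeric_first_key(value):
    # Strings that look like numbers sort first, compared as numbers;
    # everything else follows, compared as strings. The regex (rather than
    # float()) keeps "nan", "inf" and "1e3" in the string bucket.
    if _NUMBER.match(value):
        return (0, float(value), "")
    return (1, 0.0, value)


def numeric_first(values):
    return sorted(values, key=_numeric_first_key)


# Constructed sample input: the same values as in the question.
FRUIT = ["apple", "Banana", "zebra", "10", "2", "20", "30", "3", "1", "25", "38"]

if __name__ == "__main__":
    print("lexicographic :", ", ".join(lexicographic(FRUIT)))
    print("numeric first :", ", ".join(numeric_first(FRUIT)))
```

Running it prints the poster's expected order on the first line and the order actually observed on the second, which is the difference the question is about.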
Hi @splunklearner

If you prefix those epoch fields with an underscore _ then they won't show up in the table, but you can still reference them as tokens.

Try the following (the eval of _epoch_time and _epoch_plus60 is the line that has been added):

<table id="myTable">
  <search>
    <query>index=sony_summary sourcetype=stash | search <passed drop-down tokens> | sort 0 -"Time (UTC)" | eval _epoch_time=_time, _epoch_plus60=_time+60 | table "Support ID", "Time (UTC)", _time -------- , _epoch_time, _epoch_plus60</query>
    <earliest>$time_range.earliest$</earliest>
    <latest>$time_range.latest$</latest>
  </search>
  <!-- Drilldown Configuration -->
  <!-- Enable row-level drilldown -->
  <option name="drilldown">row</option>
  <option name="refresh.display">progressbar</option>
  <drilldown>
    <link target="_blank">/app/search/search?q=search index=sony* sourcetype=sony_logs support_id="$click.value$"&amp;earliest=$row._epoch_time$&amp;latest=$row._epoch_plus60$</link>
  </drilldown>
  ... etc...

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
This splunk thread was the answer: https://community.splunk.com/t5/Knowledge-Management/Why-is-KV-Store-initialization-failing-on-one-of-our-add-on-to/m-p/435188#M3872
Hi @ITWhisperer, thanks for your reply. I didn't know about this multivalue strategy and it seems very useful. But how would I use, e.g., a "foreach *" structure to implement it between two different fields? Because the only thing I could think of along the lines of using multivalue is something of the sort:

for each field
  if field should be compared
    if field.value > nextField.value
      value = mvappend(value, "RED")

But I'm still confused regarding how to use this logic to compare two different fields.

Thanks in advance,
Pedro
I created a summary index to call it in a dashboard, because it has so much data and needs to run for larger time frames. Configured the summary index in this way:

<my search query>
----
----
----
| eval log_datetime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| rename log_datetime AS "Time (UTC)"
| table _time, "Time (UTC)", <wanted fields>
| collect index=sony_summary

Now calling it in one of my dashboard panels in this way:

index=sony_summary sourcetype=stash
| search <passed drop-down tokens>
| sort 0 -"Time (UTC)"
| table "Support ID", "Time (UTC)", _time --------

Now my requirement is that I don't want users to see this summary index data. So I have created a drilldown and linked it to a different search as below. Whenever they click on any field value in the table, a new search will be opened with the clicked support_id:

    <earliest>$time_range.earliest$</earliest>
    <latest>$time_range.latest$</latest>
  </search>
  <!-- Drilldown Configuration -->
  <!-- Enable row-level drilldown -->
  <option name="drilldown">row</option>
  <option name="refresh.display">progressbar</option>
  <drilldown>
    <link target="_blank">/app/search/search?q=search index=sony* sourcetype=sony_logs support_id="$click.value$"&amp;earliest=$time_range.earliest$&amp;latest=$time_range.latest$</link>
  </drilldown>

Now when I click on a dashboard panel's field, it opens with the expected support_id, but it opens with the token time range. I am expecting that this should return the particular time range at which the event was indexed, as per Time (UTC) or _time. Example: an event has a support ID with time 07:00 am; when I click on it, it should open for 7 am, but it is taking the token time range. When I checked in ChatGPT, it gave the following and I modified it in this way.
<table id="myTable">
  <search>
    <query>index=sony_summary sourcetype=stash | search <passed drop-down tokens> | sort 0 -"Time (UTC)" | eval epoch_time=_time, epoch_plus60=_time+60 | table "Support ID", "Time (UTC)", _time -------- , epoch_time, epoch_plus60</query>
    <earliest>$time_range.earliest$</earliest>
    <latest>$time_range.latest$</latest>
  </search>
  <!-- Drilldown Configuration -->
  <!-- Enable row-level drilldown -->
  <option name="drilldown">row</option>
  <option name="refresh.display">progressbar</option>
  <drilldown>
    <link target="_blank">/app/search/search?q=search index=sony* sourcetype=sony_logs support_id="$click.value$"&amp;earliest=$row.epoch_time$&amp;latest=$row.epoch_plus60$</link>
  </drilldown>

(The eval of epoch_time and epoch_plus60 is what I added now.)

Now this is working fine and the time range is also coming as what I clicked on. But here the issue is that I don't want these two new fields, epoch_time and epoch_plus60, to be visible in the dashboard. These should be hidden completely, but the drilldown should still work as expected. What to do here? Please suggest. Am I missing anything? Even if I keep those fields last in the panel, my manager still said to hide them but it should work as expected.
Assuming you are using SimpleXML / Classic dashboards, you might be able to implement something along these lines. For each cell that you want coloured, calculate what the colour should be and make the field a multivalue field, placing the colour as the second value. Then you can use CSS to hide the second multivalue in each cell. This technique has been documented in many answers on this site. For example, https://community.splunk.com/t5/Dashboards-Visualizations/Highlight-row-if-unique-values-exist-within-dynamic-pivot-table/m-p/560950/highlight/true#M39026
Hi everyone,

I'm working on a dashboard that's comparing two different applications. One of the tables has their performance through different metrics side-by-side, as such:

"Avg Time App1" | "Avg Time App2" | "Max Time App1" | "Max Time App2" | ...

Additionally, each row of the table represents a different date, so my team and I can check their performance through an arbitrary time interval.

My idea was to colour a certain cell based on its value compared to the equivalent value of the other app. So, for example, let's say "Avg Time App1" = 5.0 and "Avg Time App2" = 8.0 on day X (an arbitrary row). My idea is to highlight the cell for "Avg Time App2" on day X as its value is bigger than for App1.

I'm aware I can colour cells dynamically with the `<format>` block, by setting `type="color"` and the `field` to whatever my field is. But I wanted to know how I can do this per row (this means that even if the cell on the first row of column X is highlighted, the next rows won't necessarily be) and based on a comparison with another cell, from another column, on the same row.

One other detail is that the name of my columns contains a token. So a somewhat related problem I've been having is accessing the value from the cells, because, to my understanding, it would turn out as something of the sort: $row."Avg Time $app1$"$

So if someone could help me implement this conditional colouring idea, I would be very grateful.

Thanks in advance,
Pedro
Hi @tech_g706

Sometimes the issue is with MongoDB as well. Please check the following; it will be helpful for further troubleshooting.

MongoDB status:

ps -ef | grep -i mongod

If there is no output, the KV store is not running. Check the logs below and try to find any clue in them:

cat $SPLUNK_HOME/var/log/splunk/kvstore.log
cat $SPLUNK_HOME/var/log/splunk/mongod.log
Hi @mchoudhary

The reason for the warning you are seeing is that it's scheduled to run more frequently than the duration it takes to run, e.g. 5 minutes into the 8 minute runtime it wants to be running again. There are two approaches to take here, which vary depending on your setup and stack load. Basically you want that search to take less than 5 minutes to run.

Given that it's an ES out-of-the-box search it shouldn't need modifying (and doing so could end up with incorrect results). One thing I would want you to check though is what the `notable` macro expands to. If you find the macro through the UI (Settings -> Advanced Search -> Search macros), can you see the definition for the "notable" macro? Has this been modified at all?

The other thing that could be impacting the time it takes for the search to run is the load on the service. What does your architecture look like? Is your deployment based on the recommended reference hardware spec? (Min 16 physical cores and 32GB RAM for the search heads.) Check out https://help.splunk.com/en/splunk-enterprise-security-8/install/8.1/planning/minimum-specifications-for-a-production-deployment for more information. Are there any other long-running searches which could be contributing to the load on the stack and thus slowing this search down?

In other words, it's going to take some digging; sometimes the search that takes longer to run isn't the problematic search - it's just starved of resource and can't run faster!

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
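The arithmetic behind the answer above (a 5-minute cron with an 8-minute runtime and a concurrency limit of one) can be checked with a small simulation. This is an added example, not code from the thread or from Splunk: it assumes a single allowed concurrent run of the same saved search, a fixed runtime, and a scheduler that drops a due run it cannot start rather than queueing it. Splunk's real scheduler is not modelled beyond that, but the simulation reproduces the roughly 50% skip rate reported in the question and shows it vanishing once the runtime drops below the period.

```python
"""Added example: why a scheduled search whose runtime exceeds its period
is skipped about half the time.

Assumptions (not taken from the thread): one concurrent run allowed, a
constant runtime, and due runs that cannot start are skipped, not queued.
"""


def simulate_schedule(period_s, runtime_s, horizon_s, max_concurrent=1):
    """Return (started, skipped) counts over horizon_s seconds.

    The search is due every period_s seconds; each run occupies one slot
    for runtime_s seconds. A run that falls due while all slots are busy
    is skipped, which is the condition behind the 'maximum number of
    concurrent running jobs ... has been reached' message.
    """
    busy_until = []  # end times of runs currently occupying a slot
    started = skipped = 0
    due = 0
    while due < horizon_s:
        # Free the slots whose runs have finished by this tick.
        busy_until = [end for end in busy_until if end > due]
        if len(busy_until) < max_concurrent:
            busy_until.append(due + runtime_s)
            started += 1
        else:
            skipped += 1
        due += period_s
    return started, skipped


def skip_ratio(period_s, runtime_s, horizon_s=24 * 3600, max_concurrent=1):
    """Fraction of due runs that were skipped over the horizon."""
    started, skipped = simulate_schedule(period_s, runtime_s, horizon_s, max_concurrent)
    return skipped / (started + skipped)


if __name__ == "__main__":
    # Every 5 minutes with an 8-minute runtime, as in the question.
    print("5 min cron, 8 min runtime :", skip_ratio(300, 480))
    # Bring the runtime under the period and nothing is skipped.
    print("5 min cron, 4 min runtime :", skip_ratio(300, 240))
    # A runtime of more than two periods skips two out of every three runs.
    print("5 min cron, 11 min runtime:", skip_ratio(300, 660))
```

The first line comes out at exactly 0.5: every other due run finds the previous one still busy. The model also makes the trade-off in the answer explicit: either the search gets under 5 minutes, or the skip rate stays where it is no matter how the report is reconfigured.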
hi @dbloms , Glad to hear. happy splunking! P.S.: Karma Points are appreciated by me and the other contributors     
Hi Team,

I have been getting a skipped search notification in my CMC overview under Health for quite some time. It is a scheduled report.

Search name: ESS - Notable Events
Cron: every 5 mins (1-59/5 * * * *)
Time range: earliest -48d@d; latest +0s (now)
Message: The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached

Search query:

`notable`
| search NOT `suppression`
| eval timeDiff_type=case(_time>=relative_time(now(), "-24h@h"),"current", 1=1, "historical")
| expandtoken rule_title
| table _time,event_id,security_domain,urgency,rule_name,rule_title,src,dest,src_user,user,dvc,status,status_group,owner,timeDiff_type,governance,control
| outputlookup es_notable_events
| stats count

It is writing the output to an output lookup, and takes around 8 mins as runtime when checked under job management. Can someone help me understand where the issue lies and what's making this search in particular skip? The percentage skipped is around 50% and the status is critical.
We are building an iOS app that uses URLSession for the network traffic in our app. But AppDynamics does not collect any traffic that is built with async/await. For the traffic that uses the traditional way (completion handler), AppDynamics still collects it properly.
Yes, you are right. The admin password was changed; now it starts without problems. Many thanks to you, you saved my day!
In my local environment I am using the EST time zone only.
Hi @amanthri

Disabling the KO is the safest option. From your savedsearches.conf:

[<name_of_your_saved_search>]
disabled = 1

You can place it in the local directory (local/savedsearches.conf); it will effectively override the default. This works for the other KOs too.
Hi @bigchungusfan55

Please do the following checks to find and fix the issue:
1. Check and confirm that the KV store collection exists
2. Check where the KV Store lookup is defined
3. Check the permissions for the lookup
4. Check the lookup definition and collection configuration
The error indicates the automation can't authenticate against 127.0.0.1:8089. Accept the license and try with the below:

docker run -d \
  --name splunk \
  -e SPLUNK_START_ARGS="--accept-license" \
  -e SPLUNK_PASSWORD="yourpassword" \
  splunk/splunk:latest
Hi @Sahansral

Have you set any local user-prefs.conf changes? Please could you run the following:

$SPLUNK_HOME/bin/splunk cmd btool user-prefs list --debug

In the [general] stanza do you have a "lang" setting? There is no default so it could be missing, but if it's there it should be a valid lang value (e.g. "de-DE" not "de").

lang = <string>
* Specifies the per-user language preference for non-web ui operations, where multiple tags are separated by commas.
* If unset, English "en-US" is used when required.
* Only tags used in the "Accept-Language" HTTP header are allowed, such as "en-US" or "fr-FR".
* Fuzzy matching is supported, where "en" will match "en-US".
* Optional quality settings are supported, such as "en-US,en;q=0.8,fr;q=0.6"
* No default.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
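The spec excerpt quoted above describes an Accept-Language style value: comma-separated tags, optional ;q= quality weights, and fuzzy matching where "en" satisfies "en-US". The following added example (not from the post and not Splunk's implementation) shows what parsing and matching such a value involves, so that a setting like "en-US,en;q=0.8,fr;q=0.6" can be checked before it goes into user-prefs.conf. The list of available locales is a constructed assumption for the demo, and the matching rule used here (exact tag, else a bare language tag matching any region of that language) is the editor's reading of the excerpt, not a documented Splunk behaviour.

```python
"""Added example: parse an Accept-Language style preference and pick the
best available locale, with "en" fuzzy-matching "en-US".

Not Splunk code. AVAILABLE is a constructed sample, not a Splunk default.
"""

AVAILABLE = ["en-US", "de-DE", "fr-FR"]


def parse_accept_language(header):
    """Return [(tag, q)] sorted by descending q.

    Entries with no q get q=1.0 (the HTTP default). Malformed q values are
    treated as 0.0, which RFC 7231 defines as 'not acceptable'. Ties keep
    the order in which they appeared in the header.
    """
    entries = []
    for position, part in enumerate(header.split(",")):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        tag = tag.strip()
        q = 1.0
        for param in params.split(";"):
            name, _, raw = param.strip().partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(raw)
                except ValueError:
                    q = 0.0
        if tag and 0.0 <= q <= 1.0:
            entries.append((tag, q, position))
    entries.sort(key=lambda e: (-e[1], e[2]))
    return [(tag, q) for tag, q, _ in entries]


def best_match(header, available=AVAILABLE):
    """First preference that matches an available locale.

    A tag matches exactly (case-insensitive) or, if it carries no region,
    any available locale of that language: "en" -> "en-US". "en-GB" does
    not match "en-US" under this rule. Returns None when nothing matches.
    """
    lowered = {loc.lower(): loc for loc in available}
    for tag, q in parse_accept_language(header):
        if q == 0.0:
            continue  # explicitly marked unacceptable
        wanted = tag.lower()
        if wanted in lowered:
            return lowered[wanted]
        for loc_lower, loc in lowered.items():
            if loc_lower.startswith(wanted + "-"):
                return loc
    return None


if __name__ == "__main__":
    for value in ["en-US,en;q=0.8,fr;q=0.6", "de", "en-GB,en;q=0.5", "xx"]:
        print(f"{value!r:30} -> {best_match(value)}")
```

The last case is the one worth keeping in mind when checking a btool dump: a tag that matches nothing available falls through to None, which in the spec excerpt above is where the "en-US" fallback would take over.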