All Posts

Are you saying that this event 13:02:59 is not counted? Or it is counted in the 13:00:00 - 13:04:59 bin? You haven't shown an event which is in the wrong time bucket yet!
Hi @gowthammahes, I am facing the same warning messages in Splunk. Do I need to ignore this message, or is any workaround available?
@harishsplunk7 Query for 90 days:

| tstats latest(_time) as lastTime where index=* by index, sourcetype
| eval age=now()-lastTime
| where age > 7776000
| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| table index, sourcetype, lastTime
@harishsplunk7 Try this; you can change the age value from 7776000 (90 days).
@ITWhisperer Hello, I think all messages are counted by count, but the spreading is incorrect. I expected the count to be spread over every 5 minutes (span=5m), but it is spread every hour. I see the time in the rows like this. I have a search with another sourcetype; the _time format is the same, and a similar timechart spreads OK with span=5m. Don't know...
Hi @mayurr98, try using $rn|s$, which puts quotes around the token output. Does that work?
Hi @Karthikeya, did you try the btool commands I posted? What did you get back from them? Thanks
Hi @JJMonster, unfortunately it's not possible to download this from Splunkbase because the developers have not uploaded it there. Instead they require you to log in to the Symantec site to access the apps. This could be for a number of reasons, such as licensing agreements etc. Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Hi @siemsplunk, are you running this on the previous captain? If so, you do not need to specify the mgmt_uri argument. Check out https://docs.splunk.com/Documentation/Splunk/9.4.0/DistSearch/Addaclustermember#:~:text=rejoining%20the%20cluster.-,Add%20the%20instance,-The%20final%20step which covers the commands to add a SH into the cluster. In short:

When running the splunk add command on the new member itself, use this version of the command:

splunk add shcluster-member -current_member_uri <URI>:<management_port>

Note the following: current_member_uri is the management URI and port of any current member of the cluster that this node is joining. This parameter allows the new node to communicate with the cluster.

When running the splunk add command from a current cluster member, use this version of the command:

splunk add shcluster-member -new_member_uri <URI>:<management_port>

Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Even after adding fields.conf on the deployer and pushing it to the SHs, it's the same.
@gcusello yes, created on the DS where props and transforms are present, deployed to the CM, and from the CM pushed it to the indexers. Still no luck.
I tried to run ./splunk remove shcluster-member -mgmt_uri https://<CAPTAIN_IP>:8089 on the non-captain search head, which was successful. But on the re-election of the new captain, this command gave me an error. I ran the command:

./splunk add shcluster-member -mgmt_uri https://<NEW_CAPTAIN>:8089 -current_member_uri https://<PREV_CAPTAIN>:8089

WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Argument "mgmt_uri" is not supported by this handler.

But now, when I run the command ./splunk show shcluster-status --verbose on the new captain, I see the previous captain is no longer in the member section. If anyone could help, I would appreciate it.
Same issue here
May we be able to download the apps directly from Splunkbase instead of being redirected back to the Broadcom website, as we do not have access permission to the Broadcom website? https://splunkbase.splunk.com/app/3454 https://splunkbase.splunk.com/app/3453 Thanks
I want to get the list of indexes and sourcetypes which have not been used by anyone for more than 90 days.
This is a JSON object (except you should add quotes to those bare XXXX). Do not use regex on structured data. See the other thread you started. Your search is inefficient because you use a wildcard at the beginning of a term. And there's a solution to that.
Your search is slower compared with what? You don't need to run spath according to my analysis. Because Splunk has already extracted it, running spath simply wastes CPU and memory. But running a search with a leading wildcard always slows things down considerably. (The way you try to use regex doesn't make things better.) Why do you need wildcards, anyway? Your search can be conducted in bare terms without considering the field. Try

index="sample_idx" $serialnumber$ log_level=info Unit state update from cook client target

Here's an emulation for you to play with and compare with real data:

| makeresults
| eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\", \"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\", \"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\", \"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}"
| eval _time = json_extract(_raw, "timestamp")
| spath
``` the above emulates index="sample_idx" $serialnumber$ log_level=info ```
| search Unit state update from cook client target
Are you sure those bare XXXX are not quoted, like this?

{"bootcount":8,"device_id":"XXXX","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC","local_time":"2025-02-20T00:34:58.406-06:00", "location":{"city":"XXXX","country":"XXXX","latitude":"XXXX","longitude":"XXXX","state":"XXXX"},"log_level":"info", "message":"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\u0000", "model_number":"XXXX","sequence":372246,"serial":"XXXX","software_version":"2.3.0.276","ticks":0,"timestamp":1740033298,"timestamp_ms":1740033298406}

If so, a "normal" Splunk instance should have given you message as a field with value "martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])". If, for whatever reason, your instance doesn't, the spath command suffices. Try this example:

| makeresults
| eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\", \"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\", \"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\", \"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}"
| eval _time = json_extract(_raw, "timestamp")
``` data emulation above ```
| spath
| table message

Hint: the output is

message
martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])

Alternatively, use the json_extract function if your Splunk is 8.1 or later. Try this example:

| makeresults
| eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\", \"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\", \"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\", \"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}"
| eval _time = json_extract(_raw, "timestamp")
``` data emulation above ```
| eval message = json_extract(_raw, "message")

If your instance is older, you can also use the spath function. Try this example:

| makeresults
| eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\", \"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\", \"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\", \"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}"
| eval _time = spath(_raw, "timestamp")
``` data emulation above ```
| eval message = spath(_raw, "message")
Hello, I updated Splunk App for Lookup File Editing from v3.6.0 to v4.0.5. After the update, when I check Health > Logs or Health > Status, it shows "Status (Old)". I can see "Status (Old)" in the lookup_editor_status.xml file. But what does that mean? What is old? Please advise.
Archived data must be restored before it can be searched.