All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

That's a warning, not an error.  The file will be ingested, but while Splunk is busy with it other monitored files are ignored. Consider standing up a separate UF on that server just for the large f... See more...
That's a warning, not an error.  The file will be ingested, but while Splunk is busy with it other monitored files are ignored. Consider standing up a separate UF on that server just for the large files. Also, make sure maxKBps in limits.conf is set to 0 or the largest value the network can support.
For a particular sourcetype I am facing log ingestion issue. Getting below error.  As checked with the team, this log file can not be split. So is there any solution to resolve this issue.  
I agree!  Oh well self service CIM it is.
Thanks for that information.  We actually had the previous version installed and the upgrade wouldn't work.  So we deleted and intended to re-install.  Didn't even think to check compatibility since ... See more...
Thanks for that information.  We actually had the previous version installed and the upgrade wouldn't work.  So we deleted and intended to re-install.  Didn't even think to check compatibility since the previous version was installed already
Hello All, We’re recently encountering an issue when editing a classic dashboard in Splunk. Whenever we try to edit a dashboard containing a "mailto" protocol, we receive the following error: Use... See more...
Hello All, We’re recently encountering an issue when editing a classic dashboard in Splunk. Whenever we try to edit a dashboard containing a "mailto" protocol, we receive the following error: Uses scheme: "mailto", but the only acceptable schemes are: {"https", "http"} However, dashboards without the "mailto" protocol are working fine and we are able to edit them without any issues. Has anyone experienced this before? Is there a known solution or workaround to bypass or resolve this issue, allowing us to edit dashboards that include the "mailto" protocol? would appreciate any guidance or suggestions. Thanks in advance! I
Sorry, I don’t know why it’s not available in the trial. It could be that the trial version is a lower than production version which is why it’s not displaying for you.?
Hi @Ankur.Sharma, Thanks for checking out the Community. Given how old this post is, it may not get a reply. If the community does not jump in soon, you can reach out to AppDynamics Support: How do... See more...
Hi @Ankur.Sharma, Thanks for checking out the Community. Given how old this post is, it may not get a reply. If the community does not jump in soon, you can reach out to AppDynamics Support: How do I open a case with AppDynamics Support? 
Also... INDEXED_EXTRACTIONS uses up disk space... so I almost never use it 
Thank you @gcusello. Our Proofpoint account manager said the following -  "There is an API but no mail flow API so Splunk wouldn't have anything on the Essentials side. Enterprise side - Remote Sysl... See more...
Thank you @gcusello. Our Proofpoint account manager said the following -  "There is an API but no mail flow API so Splunk wouldn't have anything on the Essentials side. Enterprise side - Remote Syslog gets them all sorts of mail flow details!  Having said that, the only way to get an integration with Splunk would be to upgrade from Essentials to our Enterprise email." Is there a way to get the Proofpoint data without an upgrade?
Hi @Kenny_splunk  other people will still be able to reply but the one accepted will be at the top to allow others to see it easily if they come across the same questions.  Thanks! will
LOL/SOB I really wish there was more compliance around CIM, especially for these TAs built by big industry types... but yes...self-CIM
I don't think you actually want to remove "ALL" from the multi-select...it makes it so people can go back to the default when they are done with whatever choice they made originally.  I would say if ... See more...
I don't think you actually want to remove "ALL" from the multi-select...it makes it so people can go back to the default when they are done with whatever choice they made originally.  I would say if you don't want people to go back to the default...then maybe you don't it there at all in the first place?  Or maybe you don't actually want a multi-select but just a regular drop-down list?  But it seems to me if you want it there in the first place, you actually want it there always so people can revert back to the default behavior of the dashboard when they are done messing around  (IMO).
Here is my existing multiselect XML.. <input type="multiselect" token="app_name"> <label>Application Name</label> <choice value="*">All</choice> <default>*</default> <initialValue>*</initialValu... See more...
Here is my existing multiselect XML.. <input type="multiselect" token="app_name"> <label>Application Name</label> <choice value="*">All</choice> <default>*</default> <initialValue>*</initialValue> <fieldForLabel>app_name</fieldForLabel> <fieldForValue>app_name</fieldForValue>   <search base="base_search"> <query> |stats count by app_name </query> </search> <valuePrefix>app_name="</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> OR </delimiter> </input>
@ITWhisperer thanks for the reply. Where I need to give this input? In my existing multiselect input?
I just removed complete kvstore folder from "/opt/splunk/var/lib/splunk/" after taking the backup and restart the splunk services.
Please provide more detail as to what you are trying to do and what you have already tried.
You can do this without javascript - here is a SimpleXML example <input type="multiselect" token="alloptions" searchWhenChanged="true"> <label>Options $alloptions$</label> <choice va... See more...
You can do this without javascript - here is a SimpleXML example <input type="multiselect" token="alloptions" searchWhenChanged="true"> <label>Options $alloptions$</label> <choice value="All">All</choice> <search> <query> | makeresults count=20 | streamstats count as row | eval option="Option ".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""),row-1) | eval label="Option ".mvindex(split("abcdefghijklmnopqrstuvwxyz",""),row-1) | table option label </query> </search> <fieldForLabel>label</fieldForLabel> <fieldForValue>option</fieldForValue> <delimiter>,</delimiter> <change> <eval token="form.alloptions">case(mvcount('form.alloptions')=0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")&gt;0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")=0,mvfilter('form.alloptions'!="All"),1==1,'form.alloptions')</eval> </change> </input>  
Hi @emkenick , could you share your search in the multiselect? Ciao. Giuseppe
In which component ( I mean deployer or direct search head) I need to give this JS? can you please specify full path?
Where I need to keep this JS? In dashboard or in any path?