All Posts
Try  https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
Hi @splunklearner, could you share the two main searches in the two dashboards? Ciao. Giuseppe
Check out the alternative workaround. https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
Hi @Hemant_h, if the structure of your events is fixed, you could try something like this: | rex field=product_name "^(?<field1>\w+)\s[^\s]+\s[^\s]+\s[^\s]+\s[^\s]+\s(?<field2>[^ ]+)"  Ciao. Giuseppe
If it's not related to a Windows restart, check out the alternative workaround. https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
To date, we have separate dashboards for separate application teams. Now the ask is to create a common dashboard for all applications. Is it really possible? We have restricted users via index to keep them away from other applications. We don't have any app_name specific field in the logs either... Only index-wise are the logs segregated, and the sourcetype is also the same. The log format for all applications is similar. How can I achieve this? Should I extract app_name from the host we have, keep it in a drop-down, and include index as well in the drop-down? Is it really possible? Please help me with your action plan for this.
How does it mess up the Nexpose appliance?
We are a small Managed Service Provider (MSP) currently testing Splunk with a deployment on a Windows 2019 server using a trial version. After adding a remote device and integrating the Fortinet FortiGate App for Splunk, the system functioned well initially. However, the next day, we noticed that the system encountered 5 violations in one night. Subsequently, when accessing the dashboard, we were greeted with the following message: "Error in 'rtlitsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store." Is there a way to resolve this issue without performing a full reinstall? Additionally, is there a way to set a limit on the amount of data being indexed to avoid triggering the violation? I have come across references to routing logs to the "nullQueue" and would appreciate feedback from the community on this approach or any other recommended solutions. Thank you in advance for your help!
Hello, I really need help. Why is the 'Create Server' button in the 'APPSplunk App for SOAR' disabled? After installing this app on the Splunk Search Head Cluster 9.3.1 through the Deployer, I still don't have a role named 'Phantom'. Please, I would really appreciate a response. Let me know if you need anything else!
Hi, thanks for the response. We don't have _time, but we have a Time column (indexed time; it will be the same for all events, so we can't use the Time column). My expectation is that events without a timestamp need to be merged with the previous events using some logic (the results need not be saved; they will be used for some calculation and then saved in a saved search). Yes, this is always the case for all logs, so I need to write a query to transform this. Please help with this and share your comments.
Are these separate events? Do you already have any fields extracted? Please share your raw event data in code blocks using the </> button above to preserve formatting in the event.
I want to extract only HIGCommercialAuto and MLM-RS-H from the field product_name in the logs below.
HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
MLM-RS-H higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
MLM-R3-N higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
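Added example (not part of the thread, and not Giuseppe's or the asker's code): the positional rex from Giuseppe's reply applied in Python to the product_name value from the question above, so you can see which two tokens it actually lands on before trusting it in a search. It also shows a generalisation that the thread does not state and that rests on an assumption about the layout: that every product name is the token sitting immediately before "higawsaccountid:". The sample value is constructed from the three event blocks in the question, joined as they appeared in the post.

```python
import re

# Constructed sample: the three blocks from the question, joined into one
# field value exactly as they were pasted into the post (space separated).
SAMPLE_PRODUCT_NAME = (
    "HIGCommercialAuto higawsaccountid: 463251740121 "
    "higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16 "
    "MLM-RS-H higawsaccountid: 463251740121 "
    "higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16 "
    "MLM-R3-N higawsaccountid: 463251740121 "
    "higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16"
)

# The pattern from the reply. Python's re module spells named groups
# (?P<name>...), where Splunk's rex (PCRE) accepts (?<name>...).
# It skips exactly four whitespace-separated tokens after the first word,
# so it only works while the layout is fixed, which the reply says up front.
POSITIONAL_RE = re.compile(
    r"^(?P<field1>\w+)\s[^\s]+\s[^\s]+\s[^\s]+\s[^\s]+\s(?P<field2>[^ ]+)"
)


def extract_positional(value: str) -> dict:
    """Apply the reply's rex to one field value; {} when it does not match."""
    m = POSITIONAL_RE.match(value)
    return m.groupdict() if m else {}


# Generalisation (assumption, not from the thread): the product name is
# whatever non-space token directly precedes "higawsaccountid:". The
# lookbehind keeps us from starting in the middle of a token, the lookahead
# does not consume the marker, so all occurrences are found.
LOOKAHEAD_RE = re.compile(r"(?<!\S)(?P<product>\S+)(?=\s+higawsaccountid:)")


def extract_all_products(value: str) -> list:
    """Return every product token in order of appearance."""
    return LOOKAHEAD_RE.findall(value)


if __name__ == "__main__":
    print(extract_positional(SAMPLE_PRODUCT_NAME))
    print(extract_all_products(SAMPLE_PRODUCT_NAME))
```

On the sample value the positional pattern yields field1=HIGCommercialAuto and field2=MLM-RS-H, which is exactly the pair the question asks for; the lookahead form additionally returns MLM-R3-N. If the multivalue form is what you want in Splunk, the same lookahead pattern can be handed to rex with max_match=0 so every match is kept instead of only the first.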
The events will have a value for _time. If you sort by this, are these events in the order you showed? Your events which do have timestamps in the event seem to have the same timestamp for the events either side of the events without timestamps. Is this always the case? For the events without timestamps, is each line in a different event of multiple events? Please provide more detail so we can see what needs to be done and work out a solution for you.
Hi @Dikshi, Do you see other kvstore errors in splunkd.log and mongod.log?
What is your question?  Have you checked mongod.log and splunkd.log?  What did they say?
I want to add an endpoint to the webhook allow list. I checked the for that. However, I cannot find "Webhook allow list" under Settings > Server settings. Can someone please help me with this? Where do I find this option, and is it available in the trial version or not? Is there any other alternative for this?
Splunk Cloud Version: 9.3.2408.107 Build: b802f6467976
Webhooks Input  Custom Alert Webhook
Hi Giuseppe, thank you for the response. It's coming from one of our devices, and these logs have already been uploaded to Splunk and indexed. Now I want to write an SPL query to merge the line items.
Hi @ckarthikin, where do your logs come from? Which technology? Did you use a standard add-on or not? It seems to be a parsing error. You should try adding SHOULD_LINEMERGE = True to your sourcetype; in this way you configure a multiline sourcetype. Ciao. Giuseppe