All Posts


Easy-peasy:

index=_internal host=* component=Metrics name=thruput earliest=-24h
| stats sum(total_k_processed) as "total data transfer" by host
```Convert KB to GB```
| eval "total data transfer" = 'total data transfer'/1024/1024
No, I get the same result. Thanks though.
I am troubleshooting an API failure for a Splunk SOAR app. I found that the response code and details of the API are written to the system via the save_progress method under the BaseConnector class. But I can't find those logs in the actiond log file. Could you guide me if those are somewhere else so that I can find them?
On a new install of Splunk Enterprise 9.4.0 on the intended Deployment Server, under Settings ==> Forwarding Management we get the following:

Forwarder Management unavailable
There is an error in your serverclass.conf which is preventing deployment server from initializing. Please see your serverclass.conf.spe file for more information.

This is the first time that I've seen this in the years that I've been Splunking, and the only serverclass.conf file is from the installation in $SPLUNK_HOME/etc/system/default. What am I missing? Help, please.
Sorry, I missed asking: how can I see the same in this search result for multiple hosts?
Hi @anlePRH, you could try something like this (to adapt to your requirement):

index=source sourcetype="source"
| eval type=if(_time>now()-86400,"Today","Last30days")
| chart count OVER SourceIP BY type

Ciao. Giuseppe
Thanks Rich, that helps. How can I get it in MB or GB, as it is tough to read "91345084304594.000"?
Hi all. Trying to work on something which currently shows a bunch of IP hits and counts against them; the current output is the last 2 hours.

Query:
index=source sourcetype="source"
| stats count values(Hostname) by SourceIP
| sort by -count
| rename "count" to "Total count", "values(Hostname)" to "Hosts"

Output:
IP                Count
100.100.100.100   5

I want to add a new column called "Last30days" that looks at the IP address found in column 1 and does a count search for the last 30 days, so like above but with another column for the last 30 days. Final output below:

IP                Count   Last30days
100.100.100.100   1       10

I tried various variations but can't get it to work.
Only one attention point: don't use only one HF to concentrate logs, because in this way you have a Single Point of Failure.

So, in this case, how can we make it redundant?
Hi everyone. I need to modify this bar chart in order to hide the overlay line and display the overlay values. I also need to remove the "Total" value from the legend. This is my CSS configuration that doesn't work:

<row>
  <panel depends="$css$">
    <title>CSS</title>
    <html>
      <style/>
      <!-- hide numbers on the chart -->
      #hide_number_distribution .highcharts-data-label text tspan { visibility:hidden; }
      <!-- show numbers for "Total" -->
      #hide_number_distribution .highcharts-series-0 .highcharts-data-label text tspan { visibility:visible !important; }
      <!-- hide line for "Total" -->
      #hide_number_distribution .highcharts-series-0.highcharts-line-series path { visibility:hidden !important; }
      <!-- hide "Total" from the legend -->
      #hide_number_distribution .highcharts-legend-item .highcharts-line-series .highcharts-color-undefined .highcharts-series-0 { visibility:hidden !important; }
    </style>
    </html>
  </panel>
</row>

The id "hide_number_distribution" is on the panel (not on the chart), and the dataLabels option for the chart is:

<option name="charting.chart.showDataLabels">none</option>

Can anyone help me understand why this doesn't work and fix it? Thanks in advance.
I see multiple versions of the inputs.conf Visio stencil; however, I'm looking for props.conf and transforms.conf ones. Does anybody know anything?
Perhaps this will help:

index=_internal host=<<forwarder name>> component=Metrics name=thruput earliest=-24h
| stats sum(total_k_processed) as "total data transfer"
Hi @Amith55555. Does the following work for you?

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2})
TIME_PREFIX = ^
TIME_FORMAT = %d/%m/%Y %H:%M:%S

This assumes your date format is DD/MM/YYYY, not MM/DD/YYYY, but feel free to tweak if required. Let me know how you get on!
It depends on what you mean by "network traffic". If you can define the events, you could look at the eventgen tool to create your own data sets. Alternatively, if it is web traffic (which comes from a network), you could look at the tutorial dataset.
Hi, I wanted to check how I can get the total data transfer from on-prem heavy forwarders and intermediate forwarders to a cloud indexer cluster. Is there a search which can look into splunkd.log or metrics.log from a heavy forwarder for the data transferred over 24 hours?
Hi Splunkers, does anyone know if there are datasets free to download? More precisely, I would need some network traffic dataset including good and bad domains for some Splunk Machine Learning testing. I would appreciate every idea you have. Thanks in advance! BR
I've had a working Splunk instance for a month, but post-patch it refuses to start the web UI: splunk starts with no issues, but the UI won't work. I've tried:

- Checking web.conf
- Checking ports
- Checking firewall-cmd
- Checking permissions

When restarting the webserver via ./splunk restart splunkweb, splunkd.log shows it restarting and then instantly stopping the module. What could be doing that?
Hello all, I am wondering if anyone has run into an issue where they receive a "500 error" on some large reports (small reports work fine)? The only feedback I got from the cSAM admin was to add a timeout value in Microsoft PowerQuery, which doesn't quite seem to relate to CURL though.

    personal_access_token = "MyRealToken",
    request_timeout_in_minutes = 10, // Specify your timeout value here
    data = Table.FromRecords(
        Json.Document(
            Web.Contents(
                csam_api_endpoint_url,
                [
                    Headers = [
                        #"Authorization" = "Bearer " & personal_access_token,
                        #"Content-Type" = "application/json"
                    ],
                    Timeout = #duration(0, 0, request_timeout_in_minutes, 0)
                ]
            )
        )
    )
in
    data
Thank you for the responses. None of the above worked. I think this feature is not available in Splunk Dashboard Studio.
Hello, I need some help with a query. I have to do this:

At the moment I haven't managed to get exactly what I've asked for; I can't place the dates of the last few days in the column. I've tried several things but to no avail.

All I've managed to do is this:

index=aws_app_corp-it_datastage
| spath input=_raw
| eval Country=INVOCATIONID
| eval StartTime=strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q")
| eval EndTime=strptime(RUNENDTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q")
| eval Duration=round(abs(EndTime - StartTime)/60, 2)
| eval Status = case(
    RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW", "Completed with Warnings",
    RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK", "Successful Launch",
    RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF", "Failure",
    RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN", "In Progress",
    1=1, "Unknown"
  )
| eval StartTimeFormatted=strftime(StartTime, "%H:%M")
| eval EndTimeFormatted=strftime(EndTime, "%H:%M")
| eval StartTimeDisplay=if(isnotnull(StartTimeFormatted), "Start time: ".StartTimeFormatted, "Start time: N/A")
| eval EndTimeDisplay=if(isnotnull(EndTimeFormatted), "End time: ".EndTimeFormatted, "End time: N/A")
| table JOBNAME PROJECTNAME Country _time StartTimeDisplay EndTimeDisplay Status
| rename JOBNAME as Job, PROJECTNAME as App
| sort -_time
| search Country="*" App="*" Status="*"