I am unable to select an option in the dropdown or type anything (the first part of the URL) in the "Select Cloud Stack" field while creating a support case. The dropdown for adding the Cloud Stack Name seems to be stuck; I tried other browsers too.
@loknath  To ensure proper monitoring, verify that the file you wish to track grants read access to the 'splunk' user.
@paleewawa Better to assign the knowledge object to a user that has a role and give that role the quota it needs. Check this one for a workaround: https://community.splunk.com/t5/Security/ERROR-UserManagerPro-user-quot-system-quot-had-no-roles/m-p/309026
@loknath Verify the following details:
- Confirm whether the inputs.conf file is configured to point to the correct monitoring directory.
- Ensure that the index has been created on the indexer before sending data from the Universal Forwarder (UF).
- Check the connection between the UF and the indexer.
- Make sure the receiving port is enabled on the indexer.
- Review the internal logs on the Splunk UF to gather insights.
- Examine the outputs.conf file for correct configurations.
Please review these details thoroughly.
I am not able to see the file content in the indexer after restarting the Universal Forwarder. What can be the reason?
I am trying to execute the sample command in Splunk MLTK. For some reason, I am getting an error every time I run a stats command after the sample command.

index=_internal | sample partitions=3 seed=42 | stats count by action, partition_number

Search error:
Error in 'sample' command: The specified field name for the partition already exists: partition_number

I tried providing a different field name and it is still the same error. If I remove the stats command and run the same search multiple times, it works without any issues. What could be the reason?
Hi @Afterimage, There is an option to force the dropdown to re-run the search every X seconds. Go into the Edit view and add this to the search:

<refresh>30</refresh>
<refreshType>delay</refreshType>

That will make the lookup search re-run every 30 seconds, picking up any new values in the process.

-Spav
If you have JS that is creating the new POA&M, then you could set a token in the JS that the multiselect search uses. When the token changes value, the multiselect search will re-run. The MS would have something like

| inputlookup sp6_poams ``` $ms_trigger_token$ ```

i.e. it just needs to be in comments in the SPL, and in your JS you would do something like

require(['splunkjs/mvc'], function (mvc) {
    // The dashboard's token models: 'default' holds the live values,
    // 'submitted' holds the values that searches actually run against
    var defTokens = mvc.Components.get('default');
    var subTokens = mvc.Components.get('submitted');
    // Read the current trigger value and increment it; an unset token
    // would otherwise yield NaN, so treat it as 0 on the first run
    var value = (parseInt(defTokens.get('ms_trigger_token'), 10) || 0) + 1;
    // Writing the new value changes the token, which re-runs the multiselect search
    defTokens.set('ms_trigger_token', value);
    subTokens.set('ms_trigger_token', value);
});

Untested, but it's easy enough to do directly in XML; with JS you just need to get and increment the current token value and set it back - not sure exactly which of the default and/or submitted token models needs updating, but it doesn't hurt to do both.
FWIW, it's usually better to ask a new question than to pile on to a 4-year-old thread. To keep only the BAD events, try one of these:

index=my_index | eval my_check=if(my_field>100,"NOK","OK") | where my_check="NOK" | table _time my_check

or

index=my_index | where my_field>100 | table _time my_field
I have a question. I did this on an event and basically used the if command: if above 15 mins then the output is BAD, and if under 15 the output is GOOD. This works. My question is that I now want to search only the BAD and alert, so how do I start another search after I have run eval and got my BAD output?
Hi there, make sure the user role has the required capabilities:
- edit_tokens_settings, which turns token authentication on or off
- edit_tokens_all, which lets you create, view, and manage tokens for any user on the instance
- edit_tokens_own, which lets you create, view, and manage tokens for yourself
https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Security/Setupauthenticationwithtokens#Prerequisites_for_creating_and_configuring_tokens

Hope this helps ... cheers, MuS
I don't see a "create new token" option under Settings > Tokens. Anyone else having this issue? Not sure if it's a permission-related issue, but others in the team also can't create a new token.
Try setting your alert to look back at least 15 minutes and use a search like this:

| eval starttime=if(event="Starting",_time,null())
| eval stoptime=if(event="Stopping",_time,null())
| sort 0 _time desc
| streamstats time_window=15m latest(stoptime) as nextStop
| eval alert=if(isnull(nextStop) and time() - starttime > 15*60, "missing", null())
Thanks! This works wonders
So the events basically have a start every 15 mins. We have one event saying Starting, and when it finishes within the 15 mins it will say Stopped. Once I know that time, I can alert the team IF it takes over 15 mins, since it could be an issue.
Thanks for clarifying. I take it this is on Splunk Cloud. Try this query:

| rest splunk_server=local /services/cluster_blaster_indexes/sh_indexes_manager
| search *
| where isnull(archiver.selfStorageProvider)
| table title *self*
By that I mean indexes which do not have an S3 bucket attached for backup. When you go to Settings > Indexes and the list is displayed, there's a column called "Self storage". I want to configure a dashboard that displays all the indexes without self storage attached.
We have a custom dashboard in Splunk that has a few filters, one of which is a multiselect. This dashboard allows users to perform CRUD operations with POA&Ms. The multiselect in question lists all POA&M statuses that have been previously created, filtering the results displayed in the table. The filter works fine for searching results for the table. The issue is that if someone creates a new POA&M with a status that hasn't been used yet, e.g. "Closed", the page must be refreshed for the multiselect to execute the search powering it and display "Closed" as an option. Is there a way to "refresh" the multiselect with JavaScript after a new POA&M is created? The POA&M CRUD operations are performed with JS and Python, btw. Here's the XML of the multiselect for reference:
How are the two events linked? Can there be more than one "start" before any "stop"? Can start/stop pairs be intertwined? How frequently do you want to check?
So I have an index which contains "Starting iteration" on one event and "Stopping iteration" on another event. I want to get the time taken from event 1 to event 2, and if it is over 15 mins then I can set up an alert to warn me.