In the Dashboard Studio there is an attribute that controls the width of a column; the attribute name is "width". This is my column format section, note the values for width. Dashboard Studio says it defaults to 90 and the smallest it can use is 90.

    "options": {
      "columnFormat": {
        "FailRate": {
          "data": "> table | seriesByName(\"FailRate\") | formatByType(FailRateColumnFormatEditorConfig)",
          "rowColors": "> table | seriesByName('FailRate') | pick(FailRateRowColorsEditorConfig)",
          "rowBackgroundColors": "> table | seriesByName(\"FailRate\") | rangeValue(FailRateRowBackgroundColorsEditorConfig)"
        },
        "Integration Name": { "width": 245 },
        "Function": { "width": 300 },
        "#": { "width": 40 }
      }
    }
Hello, in the first one I tested with the OS's OpenSSL, and with the command you mentioned I get the following response: read:errno=0.
Are you asking a question? If so, this is not clear. Did you follow the installation instructions? Did you verify that there are no host or network rules or filtering that block SNMP packets/queries?
Hi all, do any of you run into issues where the bundle replication keeps timing out and splunkd.log references increasing the sendRcvTimeout parameter? In a previous ticket with support, they supplied a Golden Configuration that says this value should be around 180. Based on https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/Distsearchconf, under the 'classic' REPLICATION-SPECIFIC SETTINGS:

    connectionTimeout = <integer>
    * The maximum amount of time to wait, in seconds, before a search head's initial connection to a peer times out.
    * Default: 60

    sendRcvTimeout = <integer>
    * The maximum amount of time to wait, in seconds, when a search head is sending a full replication to a peer.
    * Default: 60

Should these two values be adjusted and kept in sync? I am considering adding another 30 seconds to each. Or, if there is something else I should be verifying first, it would be helpful to get some direction here.
When I try with message.backendCalls{}.endPoint, it shows exactly where the 404 is coming from, but I want the result on the basis of LOB. Any suggestion?
Hi @Miguel3393, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Thanks for the response @gcusello. This is the result I get with what you mention. Regards.
Hi all, I was wondering if there is a way to manually grab the threat intelligence updates for Splunk ES (we are on 7.3.1). Specifically: the intelligence download of "mitre_attack" (threatlist download). Our Splunk environment is on-prem and air-gapped, so there is not really any way to create an external connection to the internet. Any ideas or advice would be appreciated.
Have you tried it with Splunk's openssl or the OS's openssl? You could/should try it with

    splunk cmd openssl s_client -showcerts -connect host:port
Please validate your data. Based on your screenshots, it seems that when error code 404 occurs, the field message.incomingRequest.lob does not exist in these events.
There is still no response for the 404 status code; it is only coming for the query below:

    index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound"
    | chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"
Add message.incomingRequest.lob=* to your base search to filter for events that contain the field message.incomingRequest.lob:

    index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" "message.incomingRequest.lob"=*
    | chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"
Hello hello! There may be a simpler way to get this working, but my first thought is to use something like this:

    Mysearch
    | eval Guest=if(sid=22, "BOT", "Others")
    | convert timeformat="%Y-%m-%d" ctime(_time) AS date
    | stats count by date, Guest
    | eventstats sum(count) as total by date
    | eval percentage=round((count/total)*100, 0)
    | eval count=count." (".percentage."%)"
    | xyseries Guest date count

Edit: Yep, here is a version that's a little shorter (the per-day total has to come from eventstats over the stats output; setting total=count would always give 100%):

    Mysearch
    | eval Guest=if(sid=22, "BOT", "Others")
    | bin _time span=1d
    | stats count by _time Guest
    | eventstats sum(count) as total by _time
    | eval percentage=round((count/total)*100, 0), count=count." (".percentage."%)"
    | xyseries Guest _time count
Thanks. Is there any way we can re-adjust the query so that only correct lob values come? There are 404 status codes which should come for the URL shared below. When I try with message.backendCalls{}.endPoint, it shows exactly where the 404 is coming from, but I want the result on the basis of LOB.
Please try (the labels need quotes, otherwise BOT and Others are read as field names, and the Guest count has to be per day as well):

    index=<yourindex> sid=*
    | eval Guest=if(sid=22,"BOT","Others")
    | bin _time span=1d
    | eventstats count as totalevents by _time
    | eventstats count as guest_count by _time, Guest
    | eval percentage=round((guest_count/totalevents)*100,2)
    | eval final_field=guest_count." (".percentage." %)"
    | eval time=strftime(_time, "%Y-%m-%d")
    | chart values(final_field) over Guest by time
You have events where the field message.incomingRequest.lob does not exist but the field message.backendCalls{}.responseCode exists. That's why the "NULL" value is set.
    index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound"
    | chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"

The issue is that there is no response for the value NULL under the field "message.incomingRequest.lob", but it is giving NULL in the result shared above. Any idea? Or any instruction for debugging so that we can find the root cause? Let me know if more details are needed.
Hi, I am using a search

    Mysearch
    | eval Guest=if(sid=22,"BOT","Others")
    | convert timeformat="%Y-%m-%d" ctime(_time) AS date
    | chart count over Guest by date

and the result is like below.

    Guest     2024-12-18    2024-12-19
    BOT       10            20
    Others    90            80

Now I want to display the percentage of activity by Guest over date, maybe something like below:

    Guest     2024-12-18    2024-12-19
    BOT       10 (10%)      200 (20%)
    Others    90 (90%)      800 (80%)

Could someone possibly help here? Many thanks.
Hi @hcelep, let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi @anu1, let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.