All Posts

The Web datamodel appears to have the fields needed for that use case. It is documented at https://docs.splunk.com/Documentation/CIM/5.1.0/User/Web . Do you have data for that DM? Is the data CIM-compliant so the DM can find it?
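An added example of the kind of search the reply points at (it is not part of the original post and not Splunk's own documentation): a tstats search over the Web data model that answers "who tried to visit URL X" across every index and product whose events are tagged into the model. The URL pattern is an assumption for illustration; Web.url, Web.src, Web.user, Web.dest, Web.action and Web.status are standard CIM Web data model fields.

```spl
| tstats summariesonly=false count
    min(_time) as first_seen max(_time) as last_seen
    values(Web.action) as action values(Web.status) as status
  from datamodel=Web
  where Web.url="*example.com/login*"
  by index sourcetype Web.src Web.user Web.dest
| rename Web.* as *
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

Splitting by index and sourcetype shows which product (proxy, WAF, web server) saw each attempt, while src and user identify the client. The search returns nothing for data that is not CIM-compliant, so an empty result is the first check to make; summariesonly=true would restrict it to accelerated data only.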
I'm building a search which takes a URL and returns all events from separate indexes/products where a client (user endpoint, server, etc.) attempted access. The goal is to answer "who tried to visit URL X". I have reviewed the default CIM data models here: https://docs.splunk.com/Documentation/CIM/5.1.0/User/CIMfields However, none seem to fit this specific use case. Can anyone sanity-check me to see if I've overlooked one? Thanks!
Thanks for the new knowledge. That is what I was looking for
Have you checked the logs of the OTel Collector? Could you please define a separate pipeline for the statsd metrics like:

```yaml
service:
  pipelines:
    metrics/statsd:
      receivers:
        - statsd
      exporters:
        - signalfx
```
I actually started using this approach and I realized that adding some more search conditions to the returned $search could actually massively reduce the amount of data to look at. I may still face some problems when joining the data with the backbone of my search. It is a hairy problem, I must admit. In the end the problem I have is that the eventID is far from unique for reasonable search windows and I am trying to figure out how to pair events in the two mostly independent streams of events. The lifetime of an eventID is less than 5 minutes; how to construct an attribute to join on from a time window? I have some more thinking to do.
Thanks, this worked for me as well. Is there a way to rename the CSV attached to the report?
Hi @Chirag812, at first you don't need to uninstall the old version, and anyway you can follow the instructions at https://docs.splunk.com/Documentation/Forwarder/9.4.0/Forwarder/Upgradetheuniversalforwarder . You can upgrade your UFs using a deployment tool such as Group Policy or System Center Configuration Manager. Officially Splunk doesn't support UF binary upgrade via DS; fortunately this feature seems to be in the development phase: https://ideas.splunk.com/ideas/EID-I-70. You can use two apps from Splunkbase: for *nix forwarders https://splunkbase.splunk.com/app/5004 , for Windows forwarders https://splunkbase.splunk.com/app/5003 . The only limitation is that they are archived. Ciao. Giuseppe
1. form.Tail is used not only to change the token of Tail but also to set the filter Tail to the $Tail$ value.
2. I am clicking on the legend of a chart where the values (names) there are the numbers of the tails (for example 120, 170, 200, etc.). On the first click it's setting the token $tail$ to the legend I clicked, which is working great; what is not going great is the second click to unset the token.
3. The base search is doing aggregation by other filters and is doing some of the thinking, and it indeed saves loading time (tested before and after).
I need to upgrade the Splunk Universal Forwarder version on all the existing installed Windows 2016 and 2019 servers. I am using Splunk Enterprise as a search head and indexer. Is there a way that I can upgrade the old version to the latest without uninstalling the old one and installing the new one? And how can this task be done for all the servers together instead of one by one?
Hi, thanks.
@shenoyveer Try this and see if it meets your requirements. You can remove | eval date=strftime(_time, "%Y-%m-%d")
Hi @inessa40408, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated.
Hi Everyone, I am trying to create one dashboard out of a search query but I am getting stuck where I am unable to get the host details into the dashboard. The query is:

```spl
index="vm-details"
| eval date=strftime(_time, "%Y-%m-%d")
| stats dc(host) as host_count, values(host) as hosts by date
| sort date
```

I am getting host_count and date in the dashboard, but my requirement is that the hostnames should appear while hovering over host_count. I tried using values(host) directly but that didn't work. Can someone help? CC: @ITWhisperer Thanks, Veeresh Shenoy S
Thank you very much for your help!
Have you verified that you use a token with the API permission or a session token to use the API?
@Priya70 Could you please clarify what you are looking for?
@AANAND Could you please clarify what you mean by "export real event"?
Hello @kiran_panchavat, thanks for explaining this in such detail, and thanks for your time. Really appreciated.
@rahusri2 Install the forwarder credentials on individual forwarders in *nix:

1. From your Splunk Cloud Platform instance, go to Apps > Universal Forwarder.
2. Click Download Universal Forwarder Credentials.
3. Note the location where the credentials package splunkclouduf.spl has been downloaded.
4. Copy the file to a temporary directory; this is usually your "/tmp" folder.
5. Install the splunkclouduf.spl app by entering the following on the command line: $SPLUNK_HOME/bin/splunk install app /tmp/splunkclouduf.spl
6. When you are prompted for a user name and password, enter the user name and password for the Universal Forwarder.
7. The following message displays if the installation is successful: App '/tmp/splunkclouduf.spl' installed.
8. Restart the forwarder to enable the changes by entering the following command: ./splunk restart

I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks.
@rahusri2 Please check this documentation: https://docs.splunk.com/Documentation/Forwarder/9.4.0/Forwarder/ConfigSCUFCredentials . I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks.