Hi, Thanks
@shenoyveer Try this and see if it meets your requirements. You can remove
| eval date=strftime(_time, "%Y-%m-%d")
Hi @inessa40408, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated
Hi Everyone, I am trying to create one dashboard out of a search query but I am getting stuck where I am unable to get the host details in the dashboard. The query is:
index="vm-details" | eval date=strftime(_time, "%Y-%m-%d") | stats dc(host) as host_count, values(host) as hosts by date | sort date
I am getting host_count and date in the dashboard but my requirement is that the hostname should come up while hovering over host_count. I tried using values(host) directly but that didn't work. Can someone help? CC: @ITWhisperer Thanks, Veeresh Shenoy S
Thank you very much for your help!
Have you verified that you use a token with the API permission or a session token to use the API?
@Priya70 Could you please clarify what you are looking for ? 
@AANAND Could you please clarify what you mean by "export real event"? 
Hello @kiran_panchavat, thanks for explaining this in such detail, and thanks for your time. Really appreciated.
@rahusri2 Install the forwarder credentials on individual forwarders in *nix:
1. From your Splunk Cloud Platform instance, go to Apps > Universal Forwarder.
2. Click Download Universal Forwarder Credentials. Note the location where the credentials package splunkclouduf.spl has been downloaded.
3. Copy the file to a temporary directory; this is usually your "/tmp" folder.
4. Install the splunkclouduf.spl app by entering the following on the command line:
   $SPLUNK_HOME/bin/splunk install app /tmp/splunkclouduf.spl
5. When you are prompted for a user name and password, enter the user name and password for the Universal Forwarder.
6. The following message displays if the installation is successful: App '/tmp/splunkclouduf.spl' installed.
7. Restart the forwarder to enable the changes by entering the following command:
   ./splunk restart
I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
@rahusri2 Please check this documentation: https://docs.splunk.com/Documentation/Forwarder/9.4.0/Forwarder/ConfigSCUFCredentials
I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
@rahusri2
1. Configure the `inputs.conf` file on your forwarders to monitor the `/var/log` directory and create an index on the indexers.
2. Download the `outputs.conf` file (Splunk Cloud Platform universal forwarder credentials package) from Splunk Cloud.
   - If there is no intermediate forwarder, you can directly apply the file to your universal forwarders.
   - If you are using an intermediate forwarder, download the file from Splunk Cloud and apply it to the heavy forwarder or intermediate forwarder.
3. If you have a deployment server, retrieve the `outputs.conf` (Splunk Cloud Platform universal forwarder credentials package) file from Splunk Cloud and push it to the forwarders using the deployment server. If you do not have a deployment server and prefer to implement the configuration directly, you can apply it manually to the forwarders.
4. Restart the Splunk instance to apply the changes.
**Note:**
1. Ensure that the firewall rules between your on-premises environment and Splunk Cloud are properly configured.
2. A Splunk Cloud Platform receiving port is configured and enabled by default.
I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
@rahusri2 When you work with forwarders to send data to Splunk Cloud Platform, you must download an app that has the credentials specific to your Splunk Cloud Platform instance. You install the forwarder credentials app on your universal forwarder, heavy forwarder, or deployment server, and it lets you connect to Splunk Cloud Platform. I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
Hi @jpillai, two main things:
4/8 CPUs are very few for Indexers, which should have at least 12 CPUs each (if you don't have ES or ITSI). You should analyze your requirements, with special attention to expected input growth and the number of scheduled searches and concurrent users, because usually one IDX is used for every 200 GB indexed (less if you have ES or ITSI), so you have too many IDXs. In addition you should analyze the performance of your disks (storage and system disks) to find the correct number of IDXs, because you need at least 800 IOPS, better if more!
About configurations, SHs usually require more CPUs than IDXs, so I'd use (if you don't have ES or ITSI): SH and IDX: 24/48 CPUs, 64 GB RAM; HF, CM, SHC-D, MC and DS: 12/24 CPUs, 64 GB RAM.
About the secondary site, as @dural_yyz also said, the secondary site (in normal activity) is mainly used for data replication, but you should also analyze the worst case, so I'd use the same configuration as the main site.
Then, the Cluster Manager doesn't need to be so performant, and there must be only one in the cluster. In other words, you can have only one CM because the cluster continues to run even if the CM is down, possibly having a silent copy to turn on if the Primary Site outage is longer than predicted.
Finally, I don't see in your infrastructure an SHC-Deployer, Monitoring Console or Deployment Server, for which you can apply the same considerations as for the Cluster Manager.
Ciao. Giuseppe
Yeah, budget is a concern. Given the fact that the secondary site will only be used during a site1 failure, most of the hardware will just be sitting there without much activity, except for maybe indexers doing some replication. So I am trying to see how we can minimize hardware at site2. We will probably be using site2 for indexing and searching for maybe a few hours over a period of months, when site1 is down or under maintenance.
Few questions.
1. You are not using the input token form.Tail in your post-processing search. Is it used in the base search?
2. What are you clicking to expect something to occur? The <set> statement you have WILL set the input token in the display to be the clicked Tail value if you click the LEGEND of the column chart.
3. It looks like you are using base searches incorrectly. Base searches are NOT intended to hold RAW data; they are designed to hold aggregated data that has been transformed in some way - see this article https://docs.splunk.com/Documentation/Splunk/9.4.0/Viz/Savedsearches#Post-process_searches_2 You are likely to make performance worse by not using a transforming search in a base search, and in any case, base searches have result limits.
I am guessing your dashboard is something like this (note, please post using the code sample option in the menu <> when posting code).

<form version="1.1" theme="light">
  <label>Tail</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="Tail" searchWhenChanged="true">
      <label>Tail</label>
      <choice value="*">All</choice>
      <choice value="1">1</choice>
      <choice value="2">2</choice>
      <choice value="3">3</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults count=60 | eval Tail=random() % 3 | streamstats c | eval r=random() % 100 | eval Tail=if(r&lt;30,"*",Tail) | eval source=random() % 10 | search Tail=$Tail$ | chart count over source by Tail</query>
          <earliest>-30m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="form.Tail">$click.name2$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <html>$form.Tail$</html>
    </panel>
  </row>
</form>

You can see that when you click the legend this will change the input to what you have clicked. Can you clarify exactly what is NOT working and what you are actually doing that does NOT work?
Thanks - that works now.
Hello, I have a requirement to collect and monitor logs from several machines running in a private network. These machines are generating logs that need to be sent to Splunk Cloud for monitoring. Here's what I've done so far:
1. Installed Universal Forwarder: I have installed the Splunk Universal Forwarder on each machine that generates logs.
2. Configured Forwarding: I used the command
   ./splunk add forward-server prd-xxx.splunkcloud.com:9997
   to set the server address for forwarding logs to Splunk Cloud.
3. Set Up Monitoring: I added the directory to be monitored with the command
   ./splunk add monitor /var/log
However, I'm unable to see any logs on the Splunk Cloud dashboard at "prd-xxx.splunkcloud.com:9997". I have a question regarding port 9997; it seems that this port should be open on Splunk Cloud, but I don't see an option to configure this in Splunk Cloud, as there is no "Settings > Forwarding and Receiving > Receive data" section available. How can I resolve this issue and ensure that logs are properly sent to and visible on Splunk Cloud? Thanks.
If you want to end up with several multivalue fields that are correlated with each other, you can't use stats values(), as the output from a values() aggregation is always in sorted order. There are a number of options:
1. Use stats list(), which will record the item for EVERY event, but the order is preserved; of course, if you have duplicates for the same user on the same _time, you will have multiple entries. Note that list() has a maximum list length of 100 items.
2. Make a combination field of the items you want to end up with and use stats values(new_field), and then split them out again, e.g. like this:
   ... | eval _tmp=SourceUser."###".Login_Time
   | stats values(_tmp) as _tmp count by _time host
   | rex field=_tmp max_match=0 "(?<User>.*)###(?<VPN_Login_Time>.*)"
   | fields - _tmp
3. Do this to handle the potential duplicate logins on the same _time for the same user:
   ... | stats values(Login_Time) as VPN_Login_Time count by _time host SourceUser
   | stats list(*) as * sum(count) as count by _time host
   so include the SourceUser initially, then use stats list finally.
Hope this helps
@zksvc which version of Splunk are you using?