All Posts

@bowesmana, appreciate your help, thank you so much, the script works for me.
Let me restate what you are trying to do. Select multiple values of prefix from the lookup. Perform a search that filters on values of IPC that equal any of the selected prefixes. Is this correct? Based on your mock SPL, IPC is already extracted at search time. You don't need a second pipe to search for it. Let me first give you a mock dashboard using your search. Then, I will show a demo dashboard using emulations to show how it works.

```xml
<form version="1.1">
  <label>Multivalue input</label>
  <description>https://community.splunk.com/t5/Splunk-Search/Passing-a-mutiple-values-of-label-in-input-dropdown/m-p/706304</description>
  <fieldset submitButton="false">
    <input type="multiselect" token="my_token" searchWhenChanged="true">
      <label>select all applicable</label>
      <choice value="*">All</choice>
      <initialValue>*</initialValue>
      <fieldForLabel>displayname</fieldForLabel>
      <fieldForValue>prefix</fieldForValue>
      <search>
        <query>| inputlookup site_ids.csv</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>token value: &gt;$my_token$&lt;</title>
        <search>
          <query>index=abc sourcetype=sc* IPC IN ($my_token$) | fields _time index Eventts FIELD* IPC</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
```

This should deliver the functionality you described. Note I moved your filter into the index search. This is more efficient. I also do not know why you list source in the first fields command but then remove this field in the last fields command. So I also removed these.
Anyway, let me demonstrate the functionality with an emulation of these events:

```
FIELD1  FIELD2           IPC
2       stuff            23456789
4       more stuff       78945612
6       stuff 2          12356789
8       even more stuff  56897412
5       and stuff        78945612
14      and more stuff   23456789
9       even more        12356789
```

Play with the following dashboard and compare with real data.

````xml
<form version="1.1">
  <label>Multivalue input</label>
  <description>https://community.splunk.com/t5/Splunk-Search/Passing-a-mutiple-values-of-label-in-input-dropdown/m-p/706304</description>
  <fieldset submitButton="false">
    <input type="multiselect" token="my_token" searchWhenChanged="true">
      <label>select all applicable</label>
      <choice value="*">All</choice>
      <initialValue>*</initialValue>
      <fieldForLabel>displayname</fieldForLabel>
      <fieldForValue>prefix</fieldForValue>
      <search>
        <query>| makeresults format=csv data="displayname,prefix
abc12,23456789
qwe14,78945612
rty12,12356789
yuui13,56897412"
``` the above emulates | inputlookup site_ids.csv ```</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>token value: &gt;$my_token$&lt;</title>
        <search>
          <query>| makeresults
| eval _raw="IPC, FIELD1, FIELD2
23456789, 2, stuff
78945612, 4, more stuff
12356789, 6, stuff 2
56897412, 8, even more stuff
78945612, 5, and stuff
23456789, 14, and more stuff
12356789, 9, even more"
| multikv
| search IPC IN ($my_token$)
``` the above emulates index=abc sourcetype=sc* IPC IN ($my_token$) ```
| fields _time index Eventts FIELD* IPC</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
````

If I select abc12 and yuui13, I get

```
_time                index  Events  FIELD1  FIELD2           IPC
2024-12-10 23:32:17                 2       stuff            23456789
2024-12-10 23:32:17                 8       even more stuff  56897412
2024-12-10 23:32:17                 14      and more stuff   23456789
```

This fits exactly what you describe.
In other words, I do not see any unexpected results when selecting multiple values.
Hi,

We are going back and forth with Splunk support on an error coming from your automatic lookup, as we can't seem to correct this from our end (no edit option on the Splunk Cloud web console), and we need your help in fixing this. This error shows up when we run some correlation searches.

```
Cannot expand lookup field 'severity' due to a reference cycle in the lookup configuration. Check search.log for details and update the lookup configuration to remove the reference cycle.
```

This error happens if one field is present in both the input and output fields of an automatic lookup. Splunk is saying the error is generated from the "arista_switch_log : LOOKUP-syslogseverity" automatic lookup. The configs in this lookup need to be corrected by removing the severity field from the output field.

Current settings:

```
syslogseverity severity OUTPUTNEW severity severity_desc
```

Recommended settings by Splunk to avoid the reference cycle error:

```
syslogseverity severity OUTPUTNEW severity_desc
```

Please assist.
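The rule the post above states (a field that appears as both input and output of an automatic lookup produces a reference cycle) can be checked before a config change reaches a search head. The script below is an added example written for this page, not part of the post or of any Splunk tooling. It parses props.conf-style `LOOKUP-` settings, builds a "field depends on field" graph and reports the first cycle it finds. The two `syslogseverity` lines are the ones quoted in the post; the `host_site`/`site_host` pair is a constructed, hypothetical case showing the generalisation: two lookups that feed each other's inputs also form a cycle even though neither line repeats a field on its own, which a per-line overlap check would miss.

```python
import re
from collections import defaultdict

# The two LOOKUP- variants quoted in the post above, written as props.conf settings.
CURRENT_SETTINGS = [
    "LOOKUP-syslogseverity = syslogseverity severity OUTPUTNEW severity severity_desc",
]
RECOMMENDED_SETTINGS = [
    "LOOKUP-syslogseverity = syslogseverity severity OUTPUTNEW severity_desc",
]
# Constructed, hypothetical pair of lookups that cycle through each other.
INDIRECT_CYCLE = [
    "LOOKUP-host_site = host_to_site host OUTPUT site",
    "LOOKUP-site_host = site_to_host site OUTPUT host",
]

LOOKUP_RE = re.compile(r"^LOOKUP-(?P<name>\S+)\s*=\s*(?P<table>\S+)\s+(?P<spec>.+)$")


def _event_fields(tokens):
    """Event-side field names from '<f1> [AS <alias1>] <f2> ...' tokens."""
    fields, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        if i + 2 < len(tokens) and tokens[i + 1].upper() == "AS":
            name = tokens[i + 2]   # the alias is the name the event actually carries
            i += 3
        else:
            i += 1
        fields.append(name)
    return fields


def parse_lookup_setting(line):
    """Return (lookup_name, input_fields, output_fields) for one LOOKUP- line."""
    m = LOOKUP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a LOOKUP- setting: {line!r}")
    tokens = m.group("spec").split()
    for idx, tok in enumerate(tokens):
        if tok.upper() in ("OUTPUT", "OUTPUTNEW"):
            return m.group("name"), _event_fields(tokens[:idx]), _event_fields(tokens[idx + 1:])
    raise ValueError(f"no OUTPUT/OUTPUTNEW clause in {line!r}")


def build_dependency_graph(lines):
    """Edge out_field -> in_field: producing out_field requires in_field to exist first."""
    graph = defaultdict(set)
    for line in lines:
        _, inputs, outputs = parse_lookup_setting(line)
        for out in outputs:
            graph[out].update(inputs)
    return graph


def find_reference_cycle(lines):
    """Return a field path that closes on itself, e.g. ['severity', 'severity'], or None."""
    graph = build_dependency_graph(lines)
    state = {}   # field -> "visiting" | "done"
    path = []

    def visit(field):
        state[field] = "visiting"
        path.append(field)
        for dep in sorted(graph.get(field, ())):
            if state.get(dep) == "visiting":          # back edge: cycle closed
                return path[path.index(dep):] + [dep]
            if dep not in state:
                cycle = visit(dep)
                if cycle:
                    return cycle
        path.pop()
        state[field] = "done"
        return None

    for field in sorted(graph):
        if field not in state:
            cycle = visit(field)
            if cycle:
                return cycle
    return None


if __name__ == "__main__":
    for label, lines in (("current", CURRENT_SETTINGS),
                         ("recommended", RECOMMENDED_SETTINGS),
                         ("indirect", INDIRECT_CYCLE)):
        print(f"{label}: {find_reference_cycle(lines)}")
```

The edge direction matters: an output field depends on the input fields the lookup needs, so a self-loop (`severity -> severity`) is exactly the single-line case in the post, and a longer loop is the multi-stanza case. Run it over every `LOOKUP-` line of a merged props.conf (`btool props list`) rather than one app at a time, since the cycle can span apps.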
Keep in mind that while points 1 and 4 are relatively easy, there is no 100% reliable way to do 2 and 3. You can account for some typical searches but what if the searches behind a dashboard are defined based on macros? Macros containing macros? Eventtypes? What if they're powered by saved searches? Lookups created with saved searches? Datamodels? There are so many possible use cases even before I try to explicitly obfuscate the search.
I'm guessing this is Chris Younger's Number Display Viz - those spinner gauges look familiar. Is this what you're after - this is an example of setting the color field based on the desired colours:

```
| makeresults format=csv data="State_Before,State_After,Cluster_Name
DOWN,STANDBY,Host1
STANDBY,ACTIVE,Host2
STANDBY,DOWN,Host3"
| eval color=case(State_After="DOWN", "#FF0000", State_After="ACTIVE", "#00FF00", State_After="STANDBY", "#FFBF00")
| rename Cluster_Name as value, State_After as title
| table title value color
```

and you end up with this
Take a look at index=_audit sourcetype=audittrail - that logs searches made. Looking at the provenance=UI:dashboard:XX you can see the dashboard searches for each dashboard and along with the sid, you can work out the app and see all the metrics about the search time/results etc.
Note @PickleRick response though about relationship between MV values in different fields. You can easily find yourself in a world of MV pain if you're not careful. You need to KNOW your data well to start correlating MV fields using an index/offset. If there is a null() or empty value in any of the MV fields then the index offset will be out of alignment. 
Why did you do that? That's different to what you originally posted, as well as changing the != to ==. Your original posted attempt was this:

```xml
<condition match="$row.Services$ != &quot;vpc&quot;">
```

You just tried this:

```xml
<condition match="$Services$ == &quot;vpc&quot;"> </condition>
```

You changed both the match token AND the comparator. You only need to change the comparator - it works fine.
Hi team, I'm trying to attach multiline config for all the pods in a namespace. Is there a way to achieve that? Adding the config for a single container works, but adding it for all the pods with a wildcard does not work. Below example: app1 works, but app2 does not work (but removing the wildcard and adding a specific namespace, container and pod name works).

```yaml
logsCollection:
  containers:
    multilineConfigs:
      - namespaceName:
          value: app1-dev
        podName:
          value: app1.*
          useRegexp: true
        containerName:
          value: app1
        firstEntryRegex: ^(?P<EventTime>\d+\-\w+\-\d+\s+\d+:\d+:\d+\.\d+\s+\w+)
      - namespaceName:
          value: app2-*
        podName:
          value: .*
          useRegexp: true
        containerName:
          value: .*
        firstEntryRegex: /^\d{1}\.\d{1}\.\d{1}\.\d{1}\.\d{1}/|^[^\s].*
```
I want to create a Splunk dashboard that breaks down a Splunk dashboard:

- What app does it belong to.
- What index or indexes feed it.
- What sourcetype or sourcetypes feed it.
- Users accessing it.
- Any other detail you might find useful.

This can be a very powerful tool for anyone, and I seem to find bits and pieces of this around the community, so it must mean someone either already did it or is planning to. Something kinda like this:

```xml
<form version="1.6" theme="dark">
  <label>Custom Dashboard Usage</label>
  <!--
    1.1 Added line view and host info
    1.2 Added sort
    1.3 Added sort by in dashboard
    1.4 Fixed new forma
    1.5 Fixed dashboard regex by adding space and added Pie chart
    1.6 Fixed missing user
  -->
  <search id="base_search">
    <query>
      index="_internal" "data/ui/views/" NOT "servicesNS/-" sourcetype=splunkd_ui_access
      | rex "(?&lt;app&gt;[^\/]+)\/data\/ui\/views\/(?&lt;dashboard&gt;[^? ]+)"
      | rex "servicesNS\/(?&lt;user2&gt;[^\/]+)"
      | rex mode=sed field=user2 "s/%40/@/"
      | eval user=if(user="-",user2,user)
      | search app=* host="$Host$" user="$User$" app="$App$" dashboard="$Dashboard$"
      | fields _time host user app dashboard
    </query>
  </search>
  <fieldset submitButton="false">
    <input type="time">
      <label>Max is 30 days back</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Host">
      <label>Host</label>
      <search base="base_search">
        <query>| eval data=host | stats count by data | eval info=data." (".count.")" | sort -count</query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="User">
      <label>User</label>
      <search base="base_search">
        <query>| eval data=user | stats count by data | eval info=data." (".count.")" | sort -count</query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="App">
      <label>Application</label>
      <search base="base_search">
        <query>| eval data=app | stats count by data | eval info=data." (".count.")" | sort -count</query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="Dashboard">
      <label>Dashboard</label>
      <search base="base_search">
        <query>| eval data=dashboard | stats count by data | eval info=data." (".count.")" | sort -count</query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="Sort">
      <label>Graph by</label>
      <choice value="dashboard">Dashboard</choice>
      <choice value="app">Application</choice>
      <choice value="user">User</choice>
      <choice value="host">Host</choice>
      <default>dashboard</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Dashboards usage frequency by count</title>
        <search base="base_search">
          <query>| timechart limit=25 useother=f count by $Sort$</query>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.fieldColors">{"m-cluster-01":#55C169,"m-cluster-02":#55C169,"m-cluster-03":#55C169,"m-cluster-04":#55C169,"m-test":#D41F1F,"m-master-deploy":#FFFF00,"m-monitor":#1182F3,"m-search-tphp":#E3723A,"m-search-helsemn":#D94E17,"m-deploy":#88527D,"m-collector-01":#65778A,"p-collector-01":#65778A,"h-collector-01":#65778A}</option>
        <option name="height">400</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Dashboards usage frequency by percent</title>
        <search base="base_search">
          <query>| stats count by $Sort$</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.fieldColors">{"m-cluster-01":#55C169,"m-cluster-02":#55C169,"m-cluster-03":#55C169,"m-cluster-04":#55C169,"m-test":#D41F1F,"m-master-deploy":#FFFF00,"m-monitor":#1182F3,"m-search-tphp":#E3723A,"m-search-helsemn":#D94E17,"m-deploy":#88527D,"m-collector-01":#65778A,"p-collector-01":#65778A,"h-collector-01":#65778A}</option>
        <option name="height">385</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Dashboards usage frequency by time, sh-server, user &amp; application</title>
        <search base="base_search">
          <query>| sort 0 - _time | table _time host user app dashboard</query>
        </search>
        <option name="count">50</option>
        <format type="color" field="host">
          <colorPalette type="map">{"m-cluster-01":#55C169,"m-cluster-02":#55C169,"m-cluster-03":#55C169,"m-cluster-04":#55C169,"m-test":#D41F1F,"m-master-deploy":#FFFF00,"m-monitor":#1182F3,"m-search-tphp":#E3723A,"m-search-helsemn":#D94E17,"m-deploy":#88527D,"m-collector-01":#65778A,"p-collector-01":#65778A,"h-collector-01":#65778A}</colorPalette>
        </format>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="app">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="dashboard">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>
```
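The base search in the dashboard above is a small access-review pipeline: filter `splunkd_ui_access` to view loads, pull app and dashboard out of the request path, and recover the user from the `servicesNS/<user>` segment when the access-log user column is `-`. The script below reproduces that logic offline so the regexes can be checked against sample lines before they go into a panel. It is an added example for this page, not the poster's code and not part of Splunk; the log lines are constructed in the shape of `splunkd_ui_access` (the assumed layout is client IP, `-`, user, bracketed timestamp, quoted request) and `urllib.parse.unquote` replaces the post's `sed s/%40/@/`, which decodes `%40` and also any other percent-escape in the user name.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in the shape of sourcetype=splunkd_ui_access.
SAMPLE_LINES = [
    '10.1.2.3 - alice [10/Dec/2024:10:00:01.000 +0000] "GET /en-US/splunkd/__raw/servicesNS/alice/search/data/ui/views/ops_overview?output_mode=json HTTP/1.1" 200 5120 - - - 12ms',
    '10.1.2.4 - - [10/Dec/2024:10:00:02.000 +0000] "GET /en-US/splunkd/__raw/servicesNS/bob%40corp/sec_app/data/ui/views/auth_failures?count=0 HTTP/1.1" 200 7000 - - - 9ms',
    '10.1.2.5 - carol [10/Dec/2024:10:00:03.000 +0000] "GET /en-US/splunkd/__raw/servicesNS/-/search/data/ui/views/ops_overview HTTP/1.1" 200 300 - - - 3ms',
    '10.1.2.6 - alice [10/Dec/2024:10:00:04.000 +0000] "GET /en-US/splunkd/__raw/servicesNS/alice/search/data/ui/views/ops_overview HTTP/1.1" 200 5120 - - - 11ms',
    '10.1.2.7 - dave [10/Dec/2024:10:00:05.000 +0000] "GET /en-US/app/search/search?q=index%3Dmain HTTP/1.1" 200 100 - - - 20ms',
]

# Assumed access-log layout (see lead-in) and the dashboard's two rex patterns
# with Splunk's \/ escapes dropped.
LINE_RE = re.compile(r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)')
VIEW_RE = re.compile(r'(?P<app>[^/]+)/data/ui/views/(?P<dashboard>[^? ]+)')
NS_USER_RE = re.compile(r'servicesNS/(?P<user2>[^/]+)')


def parse_ui_access(line):
    """Mirror the base search for one line; None where the search would drop it."""
    # index="_internal" "data/ui/views/" NOT "servicesNS/-" sourcetype=splunkd_ui_access
    if "data/ui/views/" not in line or "servicesNS/-" in line:
        return None
    m = LINE_RE.match(line)
    if not m:
        return None
    view = VIEW_RE.search(m.group("uri"))
    if not view:
        return None
    # rex "servicesNS\/(?<user2>[^\/]+)" followed by sed s/%40/@/
    ns = NS_USER_RE.search(m.group("uri"))
    user2 = unquote(ns.group("user2")) if ns else None
    user = m.group("user")
    if user == "-" and user2:            # eval user=if(user="-",user2,user)
        user = user2
    return {"ts": m.group("ts"), "user": user,
            "app": view.group("app"), "dashboard": view.group("dashboard")}


def dashboard_usage(lines):
    """Like `stats count by app dashboard user` over the filtered events."""
    counts = Counter()
    for line in lines:
        rec = parse_ui_access(line)
        if rec is not None:
            counts[(rec["app"], rec["dashboard"], rec["user"])] += 1
    return counts


if __name__ == "__main__":
    for (app, dashboard, user), n in dashboard_usage(SAMPLE_LINES).most_common():
        print(f"{n:3d}  {app}/{dashboard}  {user}")
```

Two of the five constructed lines are dropped on purpose: the `servicesNS/-` request (no user to attribute) and the one that is not a view load. When checking the dashboard against real data, compare its `stats count by app dashboard user` against this script over the same exported lines; a mismatch usually means the regex picked up a different path segment as `app`.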
Honestly, I have no idea. I just did a search, chose visualization, switched to stacked and did "save as" and chose "new dashboard".
Thanks for the response @PickleRick, I have copied the charting options to my HTML and still see a single line as below. Although when I copied the full code as a new panel it is working as expected. Do I need to change anything to make the charting options work for my search?
The answer will depend greatly on your particular use case. If it's a simple count, @dural_yyz 's answer is what you're looking for. But if you're trying to calculate some more complicated stats it might be more troublesome to do and it might turn out that it's easier to just have two separate searches (possibly appended within one aggregating search). The approach I'd probably use would be to find unique values, mark them and use eval-based stats to calculate "deduped" stats.
```xml
<dashboard version="1.1" theme="dark">
  <label>vertical_stacked_chart</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults format=csv data="a,b,c,d
a,1,2,3
b,2,3,4
c,1,3,4"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>
```
@dural_yyz You got me here. I was pretty sure this setting was for monitor input only. But come to think of it, it makes sense in batch context as well (you don't want to batch-read a file while it's still being - for example - rsynced from remote). But that should not change much in terms of deleting files. I reckon it could only make Splunk end reading prematurely. But together with a lock on an open file from another process that could make the file undeletable (Windows has a different concurrent access paradigm than unices).
@PickleRick wrote:
> @dural_yyz You're quoting from the monitor input spec, @NoSpaces is asking about batch input.

Yes - admittedly I'm not as familiar with batch so I verified with the docs, where I found this under batch. I guess they did not write out the config definitions twice but just did a reference back to how it works with monitor.

```
# The following settings work identically as for [monitor::] stanzas,
# documented previously
host_regex = <regular expression>
host_segment = <integer>
crcSalt = <string>
recursive = <boolean>
whitelist = <regular expression>
blacklist = <regular expression>
initCrcLength = <integer>
time_before_close = <integer>
```

@PickleRick's answers are more likely a good place to start. It's possible you can dig into the default debug logging levels at the UF, but I wouldn't start with trying to increase logging until exhausting all other options first.
Hi All,

I'm trying to create a stacked vertical bar chart in Splunk, where each bar represents a unique field (e.g., SWC), and the bar is segmented into multiple colors based on a specific status field (e.g., RAG_Status with values Green, Amber, and Red).

Here's what I'm trying to achieve:
• Each horizontal bar corresponds to a unique SWC.
• The bar is segmented based on the RAG_Status (e.g., Green, Amber, Red).
• The length of each segment represents the count of records for that combination.
• I want the segments to be stacked within the bar, with distinct colors for Green, Amber, and Red.

Sample Query:

```
| inputlookup example_data.csv
| eval RAG_Status = case(
    KPI_Score >= KPI_Threshold, "Green",
    KPI_Score >= (KPI_Threshold - 5), "Amber",
    KPI_Score < (KPI_Threshold - 5), "Red"
  )
| chart count BY SWC RAG_Status
| sort SWC
```

Visualization Requirements:
1. Chart Type: Vertical Bar Chart.
2. Stacked Mode: Each bar should show Green, Amber, and Red segments stacked horizontally.
3. Color Scheme:
   • Green: #28a745
   • Amber: #ffc107
   • Red: #dc3545

Screenshot for Reference: The above is an example of horizontal, but I am looking for vertical.

Current Issue: I'm unable to configure the Splunk visualization settings or XML code to properly display this data as a vertical stacked bar chart. Either the entire bar shows as one solid color, or the segments are not stacking as expected. Any guidance or sample XML code to achieve this would be greatly appreciated!

Current XML code:

```xml
<dashboard version="1.1" theme="light">
  <label>SWC KPI Performance and RAG Distribution_new</label>
  <row>
    <panel>
      <title>RAG Status Distribution by SWC</title>
      <chart>
        <search>
          <query>| inputlookup example_data.csv
| eval RAG_Status = case(
    KPI_Score >= KPI_Threshold, "Green",
    KPI_Score >= (KPI_Threshold - 5), "Amber",
    KPI_Score &lt; (KPI_Threshold - 5), "Red"
  )
| chart count BY SWC RAG_Status
| sort SWC</query>
          <earliest>@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.seriesColors">#28a745,#ffc107,#dc3545</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisTitleX.text">SWC</option>
        <option name="charting.axisTitleY.text">count</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Current situation:

Thanks in advance!
@dural_yyz You're quoting from the monitor input spec, @NoSpaces is asking about batch input.

@NoSpaces There are two reasons that file might not get deleted even if it theoretically should.
1. Permissions - check that the user splunkd.exe runs with has proper permissions to the directory and log files.
2. Locking - if the file stays opened for writing, Splunk might not be able to remove it.

Unfortunately, while monitor input is typically relatively verbose about its problems with reading files, I'm not sure how batch input behaves in that regard.
Handling structured data (and this looks like JSON; the question is whether it is a well-formed JSON or a JSON with headers or any other similar invention) with regex is prone to cause problems sooner or later. When a source produces structured data there is no guarantee that it will always output the fields in any particular order (that's why you use structured formats so you don't have to worry about stuff like position within a line and so on). If your event is well-formed JSON data you should be better off with KV_MODE=json - let Splunk handle parsing.
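The failure mode the reply above describes, a positional regex that silently stops matching when a structured producer changes key order, is easy to show side by side with a parser that does not care about order. The script below is an added example for this page, not the poster's code and not Splunk's extraction engine: `extract_with_regex` stands in for a hand-written order-dependent extraction, and `extract_with_json` stands in for letting a JSON parser do the work. The events are constructed; the third one is the "JSON with a header" variant the reply mentions, and locating the object after the header is this example's own handling, not a claim about how `KV_MODE=json` treats a prefixed payload.

```python
import json
import re

# Constructed events from one hypothetical source that does not promise key order,
# plus a syslog-style header in front of the JSON payload.
EVENTS = [
    '{"user": "alice", "action": "login", "result": "success", "src": "10.0.0.5"}',
    '{"src": "10.0.0.5", "result": "failure", "action": "login", "user": "alice"}',
    'Dec 10 10:00:00 fw01 auth: {"action": "login", "user": "bob", "result": "failure"}',
]

# Order-dependent extraction: it assumes user precedes action, which precedes result.
POSITIONAL_RE = re.compile(
    r'"user":\s*"(?P<user>[^"]*)".*"action":\s*"(?P<action>[^"]*)".*"result":\s*"(?P<result>[^"]*)"'
)
WANTED = ("user", "action", "result")


def extract_with_regex(event):
    """Positional regex extraction; None whenever the producer's key order differs."""
    m = POSITIONAL_RE.search(event)
    return m.groupdict() if m else None


def extract_with_json(event):
    """Parse the first JSON object in the line (after any header) and pick the
    wanted keys by name; None if there is no well-formed object."""
    start = event.find("{")
    if start < 0:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(event[start:])
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict):
        return None
    return {k: obj.get(k) for k in WANTED}


def compare(events):
    """(regex result, json result) per event, for a side-by-side look."""
    return [(extract_with_regex(e), extract_with_json(e)) for e in events]


if __name__ == "__main__":
    for event, (by_regex, by_json) in zip(EVENTS, compare(EVENTS)):
        print(event)
        print("  regex:", by_regex)
        print("  json: ", by_json)
```

The regex returns the right answer for the first event and nothing for the other two, which in a detection rule becomes a silent gap rather than an error. Parsing by name returns the same three fields for all three events, and it also rejects a truncated payload instead of extracting half of it.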
Hi @., Thank you for asking your question on the community. It's been a few days with no reply, have you been able to find any new information or a solution you can share here as a reply? If you still need help, you can contact AppDynamics Support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM)