All Posts

The cluster/manager/info endpoint should have what you want.  See https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTREF/RESTcluster#cluster.2Fmanager.2Finfo
Is this an XML or Studio dashboard example?  What viz are you using? custom vs OOTB?
If this is a report then put both inside the same timechart and trellis the results to get your 2 graphics.  If this is a dashboard then create a base search and then 2 viz that pull from the same base search but augment each with a unique timechart command.
time_before_close = <integer>
* The amount of time, in seconds, that the file monitor must wait for modifications before closing a file after reaching an End-of-File (EOF) marker.
* Tells the input not to close files that have been updated in the past 'time_before_close' seconds.
* Default: 3

Is it possible that the file is not producing an EOF marker? Or that something keeps chatting to the file?
Thank you for your reply and sorry for the confusing description. I have a basic search and want to output two graphics by timechart:
- first contains the timechart of my search
- second contains the same timechart of the same search, but with a dedup of one specific field in the search.
Hope it clarifies a bit my request. Thanks
| timechart count(field) as TotalVolume, dc(field) as UniqueFieldValues

Depending on what you need, the above might not be it; it was a little confusing, so the other option, from what I speculate you need, is: do the timechart to 'count by field' and then eventstats to calculate the total.
I hope I can find this trick in the future if I ever need this.
Morning everyone, I want to display for my search two timecharts, one with and one without dedup of a certain field. Thanks!
How long has it been?  Sometimes it takes a day or two.
Can you help with spath 
This looks like JSON - you might be better off using spath to parse the event.
I have a log which contains multiple countries in the same format, so it is grabbing all the other countries from the same individual log. For example:
Student:{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu} teacher:{"country":"USA","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}
So if I use
| rex field=_raw "\"country\":\"(?<country>[^\"]+)\""
it shows me IND and USA, but I only want the country related to the student. Also, as I stated earlier, the position of "country":"*" is not the same for all logs; it comes anywhere between Student:{*}
Hello to everyone! I planned to ingest *.csv files using the Universal Forwarder from Windows Server 2019 in batch mode. It sounds pretty trivial, but I ran into a problem. After a new file appears, I observe new events through a search head and, in the end, expect that the file will be deleted by the Splunk UF, but the file still remains. It seemed that the problem was related to file access, but I can't find any related errors in the logs of this UF instance. So, what can be the root of this behavior?

inputs.conf
[batch://C:\ProgramData\ScriptLog\spl_export_vmtools_status\vmtools_stats_*.csv]
disabled = false
index = vsi
crcSalt = <SOURCE>
move_policy = sinkhole
sourcetype = vsi_file_vmtools-stats

props.conf
[vsi_file_vmtools-stats]
ANNOTATE_PUNCT = false
BREAK_ONLY_BEFORE_DATE = true
INDEXED_EXTRACTIONS = CSV
HEADER_FIELD_LINE_NUMBER = 1
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = Time
Hi. The rex command is used to search for a regular expression (regex) in a specific field. Here, the default field _raw is used, which contains the entire log.
Regex:
\"country\":\": This part looks for "country":".
(?<country>[^\"]+): (?<country>...) creates a group named country; [^\"]+ matches any character other than ". This part extracts the country value.
Finally, the country value (for example, IND) is stored in a new field named country. This structure helps extract the word country wherever it appears.
| rex field=_raw "\"country\":\"(?<country>[^\"]+)\""
You can test with this structure in regex101: country":"([^"]+)
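The pattern in this answer matches the first "country" anywhere in _raw, which is why the asker sees both IND and USA from one event that holds a Student and a teacher object. As an added example, not part of this answer, the JavaScript below (whose named-group syntax is the same as the one used in rex) runs that pattern beside one anchored on the Student object; the sample events are constructed from the samples in the thread, plus one constructed case where only the teacher object carries a country.

```javascript
// Added example (not from the thread): scoping the country extraction to the
// Student object. Sample events are constructed from the samples posted above;
// the last one is a constructed edge case with no country under Student.
const samples = [
  'Student:{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu} teacher:{"country":"USA","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}',
  'Student":{"firstName":"XYZ","state":"MH","rollNum":147,"country":"IND","phoneNum":1478,"lastName":"qwe","phoneNu}',
  'Student":{"firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu,"country":"IND"}',
  'Student:{"firstName":"XYZ","state":"MH"} teacher:{"country":"USA","state":"MH"}',
];

// Pattern from the answer: first "country" anywhere in the event.
const unscoped = /"country":"(?<country>[^"]+)"/;

// Scoped pattern: anchor on Student (with or without the stray quote seen in
// the samples), enter its braces, and use [^}]*? so the match can never
// cross the closing brace into the teacher object.
const scoped = /Student"?:\{[^}]*?"country":"(?<country>[^"]+)"/;

// Returns the extracted country for one event, or null when the pattern
// finds nothing (what rex would leave as an absent field).
function extractCountry(raw, pattern) {
  const m = pattern.exec(raw);
  return m ? m.groups.country : null;
}

// Every country value the unscoped pattern can pull from one event; with
// rex max_match this is the "IND and USA" the asker observed.
function allCountries(raw) {
  return [...raw.matchAll(/"country":"(?<country>[^"]+)"/g)].map((m) => m.groups.country);
}

for (const raw of samples) {
  console.log(
    `unscoped=${extractCountry(raw, unscoped)} scoped=${extractCountry(raw, scoped)}`
  );
}
```

In the rex command the same scoped pattern is written with the double quotes escaped, exactly as in the command above.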
Hi Rick, thanks for the reply. Many customers are using this app as a final product from Splunk. We would like to enable injections as easily as possible and not break connections between Splunk_TA_nix and our custom app. You can see my example in the article. The only thing that is needed for this to work is a small change in the scripts. Here is a very easy and dirty example of how the script could be improved: diff cpu_metric.sh cpu_metric_new.sh 4a5,11 > # OPTIONS > if [ "$#" -eq 1 ]; then > OPTIONS="$1" > else > OPTIONS="-P ALL 1 1" > fi > 24c31,32 < CMD='sar -P ALL 1 1' --- > #CMD='sar -P ALL 1 1' > CMD="sar $OPTIONS" I hope I am not the only one who will appreciate this.
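Review bot: the OPTIONS block added in hunk 4a5,11 only honours exactly one argument (`if [ "$#" -eq 1 ]`), so a caller passing two or more arguments silently falls back to the default `OPTIONS="-P ALL 1 1"` instead of getting an error; consider `-ge 1` with `OPTIONS="$*"`, or an explicit usage error for the extra-argument case. At `CMD="sar $OPTIONS"` in hunk 24c31,32 it is also worth documenting that OPTIONS is substituted unquoted and unvalidated, so whatever invokes the script controls every flag handed to sar; a check that the argument matches the expected sar option shape, or a comment stating that the argument is trusted, would make that contract explicit.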
Hi all, is it possible to get information on the cluster manager config bundle through the REST API? I am specifically looking for the active bundle hash / Active Bundle ID.
Hi Team, I am a firewall engineer working on the creation of some dashboards. I have created one dashboard; whenever our firewall fails over, the dashboard shows the result as "Active", "Standby" or "Down" in gauge format. However, I would like to set up the dashboard this way:
1) whenever the firewall fails over and it is in the "Down" state, the gauge color should be red
2) whenever the firewall fails over and it is in the "Active" state, the gauge color should be green
3) whenever the firewall fails over and it is in the "Standby" state, the gauge color should be amber
Does anyone know about it and can help me with some sample examples to understand?
Hi Team, I need help to create a rex field for country from the sample log format below, but the country name position is not static and changes log by log within {}. Can you help me create a regex field for country only?
sample1: Student":{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}
sample2: Student":{"firstName":"XYZ","state":"MH","rollNum":147,"country":"IND","phoneNum":1478,"lastName":"qwe","phoneNu}
sample3: Student":{"firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu,"country":"IND"}
So that means "country":"IND" anywhere in Student":{} should be caught by the regex.
Hi, I have registered for Splunk Cloud and clicked start free trial, but still didn't receive the email with the Splunk Cloud free trial account details, like creds and link.