All Posts
Hi, we have instrumented SQL Server metrics using OTEL (https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/receiver/sqlserverreceiver/documentation.md). We have a tempdb; 1. we need to identify space usage, 2. and which query contributes to more tempdb usage, using sqlserver receiver OTEL metrics?
You might be able to do it in Classic SimpleXML dashboards - would this be an option for you?
Hi @yuanliu, in my case I need to search in the textbox with dynamic values from the message field, not with predefined values.
Hi, in the App menu I have a situation where I need to keep installing apps with different version names. However, when this gets to high numbers it might not look so great (it might be difficult to find the app you need). I have 2 questions: 1st, can I increase the size of the row? When the text wraps around it does not look good (in my image I needed to shorten the name to stop it wrapping around). 2nd, can I make a multi-drop-down to the right, like the image below?
The _internal index collects Splunk's internal (hence the name) events. Generally, the underscore-beginning indexes are internal to Splunk and you can expect the data there to be governed by default Splunk settings (you can adjust some of them, like the retention period, but that is not needed for them to work out of the box). Everything else is up to you. We don't know what your sources are, what your onboarding process looks like, what your indexes are or how the data should get into them. So the question you stated is not for us; it's for your Splunk admins and architects. They should know what data should be ingested from where and land in which index. They should also know whether you are allowed to have access to that data, because not everyone usually has access to every index.
OK. Three more cents on that. When you're searching for a condition like field="some value" (unless it's some special case which we're not gonna be bothered with at this time), Splunk first searches for occurrences of the terms "some" and "value" in its indexes, finds which events contain those two words (hopefully there will not be many events matching such criteria), and only those events will get parsed; Splunk will then check if the "some value" string parses out in the proper spot within the event. That's quite effective for a typical, relatively sparse search. It might get less effective in some border cases, so then you might help yourself with other means, but that's a relatively advanced topic, so let's leave it at that.
If you're searching for either field!="some value" or NOT field="some value" (you are aware those are not equivalent, right?), Splunk might be able to relatively quickly find all events where neither "some" nor "value" exists, because if the search terms don't show up in the event at all they will obviously not match the field extraction. But:
1) This will only account for the second case, NOT field="some value". If we're talking about the field!="some value" condition, Splunk still has to parse the event and check if there is any value for the field. And if we have a multivalued field... here's where it gets even more confusing: your second condition might still match even if one of the values in the multivalued field does equal "some value" but there is another one which doesn't.
2) Even if you have both "some" and "value" in the event, they still might be in different places within the event, so the event as a whole might still not match our initial condition.
So it's way, way better to specify searches by means of multiple inclusion conditions, which by intersecting narrow down the event set for which Splunk will finally have to reach the raw data and parse all the fields, than to use a general exclusion on a very "wide" basis.
Another thing worth knowing, which might not be important in your particular case since you're simply using inputlookup within your subsearch, which is a very quick command, is that subsearches have limits. If your subsearch hits the execution time limit (by default it's 60 seconds IIRC) or exceeds the limit for returned results (10k rows; 50k in some specific use cases like join), it is _silently_ finalized and only the results obtained so far are returned to the outer search. What is most tricky here is that the subsearch will get finalized _silently_, so you won't be aware that the subsearch didn't get a full result set, and you won't be aware that your search including the subsearch might as a whole return incomplete or plain wrong results. So you must be very, very careful with subsearches and always make sure that you're not gonna hit those subsearch limits.
@PickleRick: Thank you for the explanations, now I understand what is going on. About inclusion/exclusion and search efficiency: I was not aware of this; this is something I would need to take care of as well....
Ah okay, I'm pretty sure that this is not possible but maybe someone else has a solution for it.
@ITWhisperer: Thank you for this, based on your input I was able to find a working answer for my 3rd question.
On which Splunk instance type do you face this issue? As a last option you could clean up the whole kvstore...
Hi @Jyo_Reel, in the _internal index you see the Splunk logs; if you need other logs (e.g. operating system or applications), you also have to install the related add-ons (Linux https://splunkbase.splunk.com/app/833 or Windows https://splunkbase.splunk.com/app/742), enabling the input stanzas that you want. Having the _internal logs from all hosts is a good starting point because it means that you correctly configured your connections and there isn't any connection issue. Ciao. Giuseppe
Good day! We would like to know if it is possible to reduce the number of fields displayed in the Alert Fields section, or hide the section entirely, for incidents created in Splunk OnCall (VictorOps); please see the attached screenshot. Currently, ITSI is passing an excessive number of fields. Can the Splunk OnCall incident details UI be customized to address this? Thank you.
Hi @arjun, to monitor Windows or Linux machines having a Universal Forwarder installed, you have to install on these UFs the related add-on (Linux https://splunkbase.splunk.com/app/833 or Windows https://splunkbase.splunk.com/app/742), enabling the input stanza for memory monitoring. In this way you'll have the logs to use in your searches. Ciao. Giuseppe
Hi @iamsahil, as @marnall also said, which CLI command did you use? I use the CLI only if I have to do an unattended installation; otherwise, I always use the MSI directly. If you retry the CLI command on another machine, is there the same issue? About the failCA, could you share your message? Try to search for this message on the Community; it is probably a known message or issue. Ciao. Giuseppe
I use the default account: sys. I use the default database: FREE.
Hi all, I am trying to ingest data from Oracle DB to Splunk Observability Cloud. Q1: Should I create a database user for this monitor, or just use the default account? Q2: As in the sample "datasource: "oracle://<username>:<password>@<host>:<port>/<database>"", should I create a database, or can I use the default database? Thanks in advance.
By default, the Splunk Universal Forwarder ("agent") cannot execute arbitrary commands (what a security hole *that* would be!). In addition, it does not monitor a port, so there is no mechanism for sending commands. With some effort, you may be able to add a script to the appropriate Deployment Server app that the agent would then download and execute. It's also possible Splunk SOAR might help.
Hi, index=idx_myindex source="/var/log/mylog.log" host="myhost-*" "memoryError" I know that if I give the conditions above, I can search for the log that caused the memoryError. As in the example above, when a log occurs on myhost-*, I would like to send a command to the host where the log occurred and execute a specific command on the agent. Is there a way?
I've applied this solution to my dashboard and it worked fine! Thanks a lot!
Good morning, I am having consistent trouble with the UI in the editor in both Firefox and Chrome, in that I cannot get the Dynamic Element selector to do anything. It displays the available options but I cannot select any of them. When I click on one, e.g. Background, nothing happens and it still says Select. Has anyone seen this before and have a workaround, or know what's causing it and how to fix it? Thank you, Charles