Close. But not complete.

index=* [| inputlookup numbers.csv | rename number as search | table search | format ]

Without the final format command Splunk will use only the first row of the subsearch results as a condition. So it will only look for the first value from the lookup.
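A quick way to check what the subsearch actually hands to the outer search is to run it on its own. This is an added example, not part of the reply above, and it assumes numbers.csv has a column named number as described in the thread:

```spl
| inputlookup numbers.csv
| rename number AS search
| table search
| format
```

This returns a single row whose search field is the literal condition that replaces the square brackets in the outer search. Because the field is named search, each value is inserted as a raw search term rather than as field=value; if the numbers should only match a specific field, keep the column name instead (| fields number in place of the rename), which expands to a field=value OR-list. Subsearch output is also capped by limits.conf (subsearch_maxout, 10,000 rows by default), so a lookup larger than that is truncated.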
@richgalloway, maybe my post was not clear enough, sorry. I did state that one of my indexes on the partition (and I already know which one, the one I gave in the indexes.conf) is saturated with warm buckets (db_*) and taking all the space available, even though it's configured as shown in the indexes.conf. Of course multiple indexes are using the disk, but only one went highly above the maxTotalDataSizeMB and saturated it.
Hi @bowesmana, Events are not showing as expected after selecting "show source".  
Have you tried stopping Splunk, removing the mongod.lock file and then starting Splunk again?
Hi @Naa_Win, let me understand: you want to send data from abc servers to the new index and all the others to the old one, is that correct? You could try something like this:

[monitor:///usr/local/apps/logs/*/base_log/*/*/*/*.log]
disabled = 0
sourcetype = base:syslog
index = base
host_segment = 9
blacklist1 = /usr/local/apps/logs/*/base_log/*/*/*xyz*/*.log
blacklist2 = /usr/local/apps/logs/*/base_log/*/*/*abc*/*.log

[monitor:///usr/local/apps/logs/*/base_log/*/*/*xyz*/*.log]
disabled = 0
sourcetype = base:syslog
index = mynewindex
host_segment = 9

[monitor:///usr/local/apps/logs/*/base_log/*/*/*abc*/*.log]
disabled = 0
sourcetype = base:syslog
index = mynewindex
host_segment = 9

Ciao. Giuseppe
Hi @Siddharthnegi, as I said, I don't know any tool that automates the documentation writing of a Splunk dashboard. You could create a Python (or other language) script that extracts the contents of a dashboard and copies them into a Word file, but it must be created from scratch, maybe using ChatGPT or another AI. Ciao. Giuseppe
Hi @jaibalaraman, do you need a dashboard or can you use a report? It's possible to share a report. To share a dashboard users must be authenticated, so the real question is: is it possible to implement SSO in Splunk? For more info see https://docs.splunk.com/Documentation/UBA/5.4.1/Admin/SSO Ciao. Giuseppe
Check out "Embed scheduled reports" in the Splunk Documentation. You must save your dashboard searches as reports and then enable embedding.
Like documentation of a dashboard, if people want to understand the dashboard.
Hi @Siddharthnegi, what kind of document: a user manual, or technical documentation? Anyway, I don't know any tool or command that generates documentation about a dashboard. Ciao. Giuseppe
Click on your table in Dashboard Studio and choose Data display --> Header row --> Fixed
Hi @Crotyo, I see from your screenshot that you have results, so what's the issue? Ciao. Giuseppe
Hi @Rak, first, check the presence condition in both the main searches. Then, if you have the stats command you should have statistics; it's strange if you haven't. Did you copy all of my search, including the stats command? Otherwise, please try this:

(index=testindex OR index=testindex2 source="insertpath" ErrorCodesResponse=PlanInvalid TraceId=*) OR (index=test ("Test SKU"))
| eval type=if(index="test","2","1")
| stats earliest('@t') AS '@t' values('@m') AS '@m' values(RequestPath) AS RequestPath dc(type) AS type_count BY TraceId
| where type_count=2
| eval date=strftime(strptime('@t', "%Y-%m-%dT%H:%M:%S.%6N%Z"), "%Y-%m-%d"), time=strftime(strptime('@t', "%Y-%m-%dT%H:%M:%S.%6N%Z"), "%H:%M")
| fields - '@t'

Ciao. Giuseppe
Good morning! Is the order of the names always the same, so that VZEROP002 is always the first entry in the list? If yes, you could try:

index=zn
| spath "items{0}.state"
| spath "items{0}.name"
| search "items{0}.name"=VZEROP002 "items{0}.state"=1

Do you need the list entries in one event for comparison within the event, or could you split them into separate events?
Hello, my apologies, I hope this makes sense, still learning. I have events coming in that look like this: I need to create an alert for when state = 1 for name = VZEROP002. But I can't figure out how to write the query to only look at the state for VZEROP002. The query I'm running is:

index=zn | spath "items{1}.state" | search "items{1}.state"=1

But the search results still return events where VZEROP002 has a state of 2 and VZEROP001 has a state of 1. I hope that makes sense, and thanks in advance for any help with this. Thanks, Tom
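Matching on a fixed array position, as in items{1}.state, only works while the array order never changes. The following is an added example (not from the question or any reply in this thread) that matches by name instead; it assumes each event is JSON with a top-level items array of objects carrying name and state fields, as described in the question:

```spl
index=zn
| spath path=items{} output=item
| mvexpand item
| spath input=item path=name output=name
| spath input=item path=state output=state
| search name=VZEROP002 state=1
```

The first spath pulls the raw array entries into a multivalue field, mvexpand turns each entry into its own event, and the second pair of spath calls extract name and state from that single entry, so the final search only keeps entries whose own name and state match. Saved as an alert, this fires only when VZEROP002 itself reports state 1. mvexpand is subject to the max_mem_usage_mb setting in limits.conf, so very large arrays can be truncated.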
I usually have to make documentation for Splunk dashboards and it's really time consuming as well, so I was thinking maybe I can automate it, so that it can make a simple document of any dashboard. Is it possible?
Hi All, is there any way to freeze the tile in the dashboard when we scroll down in the dashboard?
Hi, any help or use case for the question below? How do I share a dashboard with the internal team as a URL link, where it won't ask to enter a user name and password and logs directly into the dashboard as read only (Dashboard Studio)?
Here's a picture of my CSV files and search result. It only displays the result for the first number. When I search using OR, it does display correctly.
I'm afraid I met the same issue described in the original question at that time: I couldn't map data into the data model. The problem was related to the macro (cim_Network_Resolution_indexes) defined in the constraint of the Network Resolution (DNS) data model. I believe the person who asked this question several years ago might also have been a beginner like me :). So, since I've solved the problem, the comment I left here was to help anyone else who might get stuck on this issue. Sorry for any inconvenience (if any) caused by bringing up this question.