This happened to me in a clustered and distributed environment. I toggled from Distributed to Standalone and back to Distributed, then clicked apply changes. Cleared right up.
I am using Splunk Enterprise's DSDL app and can't run any of the examples, as I typically end up with this error:

[mlspl.MLTKContainer] [get_endpoint_url] Failed to connect to the container

I am new to Splunk and using the Golden Image CPU (5.1.2) for the MLTK container with the Docker backend on my local machine to try out the examples in this app. For example, when trying to run the Neural Network Classifier Example, it uses the diabetes_classifier_model but I constantly keep running into the above error. I am using container mode as PROD but even DEV doesn't work.
Was this ever resolved? Facing this same issue.
For Splunk Cloud Platform: where is it documented that Splunk Cloud logs cannot be changed?
Looks like they all have the same settings as the others. The logs look identical to the ones that are already blacklisted.
Hi @ITWhisperer, below is panel to panel - thanks for the help.

<row>
  <panel>
    <title>Process Resources</title>
    <html depends="$alwaysHideCSSStyle$">
      <style>
        #tableWithHiddenHeader6 th[data-sort-key=label] { width: 40% !important; text-align: left; }
        #tableWithHiddenHeader6 th[data-sort-key=value] { width: 20% !important; text-align: left; }
        #tableWithHiddenHeader6 th[data-sort-key=threshold] { width: 20% !important; text-align: left; }
        #tableWithHiddenHeader6 th[data-sort-key=limit] { width: 20% !important; text-align: left; }
        #tableWithHiddenHeader6 td { text-align: left; }
        #tableWithHiddenHeader7 thead { visibility: hidden; height: min-content; }
        #tableWithHiddenHeader7 th[data-sort-key=label] { width: 40% !important; }
        #tableWithHiddenHeader7 th[data-sort-key=value] { width: 20% !important; }
        #tableWithHiddenHeader7 th[data-sort-key=threshold] { width: 20% !important; }
        #tableWithHiddenHeader7 th[data-sort-key=limit] { width: 20% !important; }
        #tableWithHiddenHeader7 td { text-align: left; }
        #tableWithHiddenHeader8 thead { visibility: hidden; height: min-content; }
        #tableWithHiddenHeader8 th[data-sort-key=label] { width: 40% !important; }
        #tableWithHiddenHeader8 th[data-sort-key=value] { width: 20% !important; }
        #tableWithHiddenHeader8 th[data-sort-key=threshold] { width: 20% !important; }
        #tableWithHiddenHeader8 th[data-sort-key=limit] { width: 20% !important; }
        #tableWithHiddenHeader8 td { text-align: left; }
        #tableWithHiddenHeader9 thead { visibility: hidden; height: min-content; }
        #tableWithHiddenHeader9 th[data-sort-key=label] { width: 40% !important; }
        #tableWithHiddenHeader9 th[data-sort-key=value] { width: 20% !important; }
        #tableWithHiddenHeader9 th[data-sort-key=threshold] { width: 20% !important; }
        #tableWithHiddenHeader9 th[data-sort-key=limit] { width: 20% !important; }
        #tableWithHiddenHeader9 td { text-align: left; }
        #tableWithHiddenHeader10 thead { visibility: hidden; height: min-content; }
        #tableWithHiddenHeader10 th[data-sort-key=label] { width: 40% !important; }
        #tableWithHiddenHeader10 th[data-sort-key=value] { width: 20% !important; }
        #tableWithHiddenHeader10 th[data-sort-key=threshold] { width: 20% !important; }
        #tableWithHiddenHeader10 th[data-sort-key=limit] { width: 20% !important; }
        #tableWithHiddenHeader10 td { text-align: left; }
      </style>
    </html>

    <table id="tableWithHiddenHeader6">
      <search id="twenty_one">
        <done>
          <set token="tokStatus20">$result.threshold$</set>
          <set token="tokStatus30">$result.limit$</set>
        </done>
        <query>| mstats max("mx.database.space.usage") as value WHERE "index"="murex_metrics" AND "mx.env"="*" AND process.pid ="*" span=10s BY degraded.threshold down.threshold process.pid | rename degraded.threshold as T_CpuPerc | rename down.threshold as limit | sort - _time | head 1 | eval value = round(value,1) | eval label="Database space" | eval threshold=T_CpuPerc | eval limit=limit | table label value threshold limit | appendpipe [ stats count | eval "label"="No results Found" | where count=0 | table "label"]</query>
        <earliest>$time_token.earliest$</earliest>
        <latest>$time_token.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>5s</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <format type="color" field="value">
        <colorPalette type="expression">if(value &gt; $tokStatus30$, "$TOKEN_RED$",if(value &gt; $tokStatus20$, "$TOKEN_YELLOW$", "$TOKEN_GREEN$"))</colorPalette>
      </format>
    </table>

    <table id="tableWithHiddenHeader7">
      <search id="twenty_two">
        <done>
          <set token="tokStatus40">$result.threshold$</set>
          <set token="tokStatus50">$result.limit$</set>
        </done>
        <query>| mstats max("mx.database.statement.top_running.time") as value WHERE "index"="murex_metrics" AND "mx.env"="*" AND process.pid ="*" span=10s BY degraded.threshold down.threshold process.pid | rename degraded.threshold as T_CpuPerc | rename down.threshold as limit | sort - _time | head 1 | eval value = round(value,1) | eval label="Top Running" | eval threshold=T_CpuPerc | eval limit=limit | table label value threshold limit | appendpipe [ stats count | eval "label"="No results Found" | where count=0 | table "label"]</query>
        <earliest>$time_token.earliest$</earliest>
        <latest>$time_token.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>5s</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <format type="color" field="value">
        <colorPalette type="expression">if(value &gt; $tokStatus50$, "$TOKEN_RED$",if(value &gt; $tokStatus40$, "$TOKEN_YELLOW$", "$TOKEN_GREEN$"))</colorPalette>
      </format>
    </table>

    <table id="tableWithHiddenHeader8">
      <search id="twenty_three">
        <done>
          <set token="tokStatus60">$result.threshold$</set>
          <set token="tokStatus70">$result.limit$</set>
        </done>
        <query>| mstats max("mx.database.lock.top_blocking.time") as value WHERE "index"="murex_metrics" AND "mx.env"="*" AND process.pid ="*" span=10s BY degraded.threshold down.threshold process.pid | rename degraded.threshold as T_CpuPerc | rename down.threshold as limit | sort - _time | head 1 | eval value = round(value,1) | eval label="Blocking Locks" | eval threshold=T_CpuPerc | eval limit=limit | table label value threshold limit | appendpipe [ stats count | eval "label"="No results Found" | where count=0 | table "label"]</query>
        <earliest>$time_token.earliest$</earliest>
        <latest>$time_token.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>30s</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <format type="color" field="value">
        <colorPalette type="expression">if(value &gt; $tokStatus70$, "$TOKEN_RED$",if(value &gt; $tokStatus60$, "#ffae46", "$TOKEN_GREEN$"))</colorPalette>
      </format>
    </table>

    <table id="tableWithHiddenHeader9">
      <search id="twenty_four">
        <done>
          <set token="tokStatus80">$result.threshold$</set>
          <set token="tokStatus90">$result.limit$</set>
        </done>
        <query>| mstats max("mx.database.oracle.redo_switch.count") as value WHERE "index"="murex_metrics" AND "mx.env"="*" AND process.pid ="*" span=10s BY degraded.threshold down.threshold process.pid | rename degraded.threshold as T_CpuPerc | rename down.threshold as limit | sort - _time | head 1 | eval value = round(value,1) | eval label="Redo Switch Count" | eval threshold=T_CpuPerc | eval limit=limit | table label value threshold limit | appendpipe [ stats count | eval "label"="No results Found" | where count=0 | table "label"]</query>
        <earliest>$time_token.earliest$</earliest>
        <latest>$time_token.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>30s</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <format type="color" field="value">
        <colorPalette type="expression">if(value &gt; $tokStatus90$, "$TOKEN_RED$",if(value &gt; $tokStatus80$, "$TOKEN_YELLOW$", "$TOKEN_GREEN$"))</colorPalette>
      </format>
    </table>

    <table id="tableWithHiddenHeader10">
      <search id="twenty_five">
        <done>
          <set token="tokStatus100">$result.threshold$</set>
          <set token="tokStatus110">$result.limit$</set>
        </done>
        <query>| mstats max("mx.database.object.invalid.count") as value WHERE "index"="murex_metrics" AND "mx.env"="*" AND process.pid ="*" span=10s BY degraded.threshold down.threshold process.pid | rename degraded.threshold as T_CpuPerc | rename down.threshold as limit | sort - _time | head 1 | eval value = round(value,1) | eval label="Database space" | eval threshold=T_CpuPerc | eval limit=limit | table label value threshold limit | appendpipe [ stats count | eval "label"="No results Found" | where count=0 | table "label"]</query>
        <earliest>$time_token.earliest$</earliest>
        <latest>$time_token.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>30s</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <format type="color" field="value">
        <colorPalette type="expression">if(value &gt; $tokStatus110$, "$TOKEN_RED$",if(value &gt; $tokStatus100$, "$TOKEN_YELLOW$", "$TOKEN_GREEN$"))</colorPalette>
      </format>
    </table>
  </panel>
</row>
This app does not support Aruba Central. I am working on adding support for Syslog from Central OnPrem and evaluating creating an app using the supported central module, but that would likely be another App and not part of this app.
If the alerts are shared in an app, they will be in the savedsearches.conf in the app. If they are private alerts, they will be in your user directory in Splunk. When in doubt, you can take a unique string from the alert, like its name (if it has a unique name), and then run 'grep -r "<name>"' in the /opt/splunk/ directory to find where the alert's configuration file is.
@marnall Thanks! I do not have admin privileges to check the filesystems but I can check with my admins. Just curious: is there one config file per alert, or is it one master config file for each app within Splunk?
If you make a new dashboard and then add this one choropleth panel, without adding anything else, then does the new dashboard and its single panel load without complaint? 
If you are running Splunk on-prem, you can edit the alert webhooks using the filesystem. Search for your alert name in /opt/splunk/etc/apps/<appnameorall>/local/savedsearches.conf, then replace the webhook lines using your favorite text editor.
Please share the panel source including the search you have used
Hi, I have the below code to produce this table - but does anyone know how to get rid of the part in red (I have added this with paint)? It's just taking up too much real estate on the screen. It is like an extra line of black that I don't want. Thanks so much in advance.

<panel>
  <title>Process Resources</title>
  <html depends="$alwaysHideCSSStyle$">
    <style>
      #tableWithHiddenHeader6 th[data-sort-key=label] { width: 40% !important; text-align: left; }
      #tableWithHiddenHeader6 th[data-sort-key=value] { width: 20% !important; text-align: left; }
      #tableWithHiddenHeader6 th[data-sort-key=threshold] { width: 20% !important; text-align: left; }
      #tableWithHiddenHeader6 th[data-sort-key=limit] { width: 20% !important; text-align: left; }
      #tableWithHiddenHeader6 td { text-align: left; }
      #tableWithHiddenHeader7 thead { visibility: hidden; height: min-content; }
      #tableWithHiddenHeader7 th[data-sort-key=label] { width: 40% !important; }
      #tableWithHiddenHeader7 th[data-sort-key=value] { width: 20% !important; }
      #tableWithHiddenHeader7 th[data-sort-key=threshold] { width: 20% !important; }
      #tableWithHiddenHeader7 th[data-sort-key=limit] { width: 20% !important; }
      #tableWithHiddenHeader7 td { text-align: left; }
      #tableWithHiddenHeader8 thead { visibility: hidden; height: min-content; }
      #tableWithHiddenHeader8 th[data-sort-key=label] { width: 40% !important; }
      #tableWithHiddenHeader8 th[data-sort-key=value] { width: 20% !important; }
      #tableWithHiddenHeader8 th[data-sort-key=threshold] { width: 20% !important; }
      #tableWithHiddenHeader8 th[data-sort-key=limit] { width: 20% !important; }
      #tableWithHiddenHeader8 td { text-align: left; }
      #tableWithHiddenHeader9 thead { visibility: hidden; height: min-content; }
      #tableWithHiddenHeader9 th[data-sort-key=label] { width: 40% !important; }
      #tableWithHiddenHeader9 th[data-sort-key=value] { width: 20% !important; }
      #tableWithHiddenHeader9 th[data-sort-key=threshold] { width: 20% !important; }
      #tableWithHiddenHeader9 th[data-sort-key=limit] { width: 20% !important; }
      #tableWithHiddenHeader9 td { text-align: left; }
      #tableWithHiddenHeader10 thead { visibility: hidden; height: min-content; }
      #tableWithHiddenHeader10 th[data-sort-key=label] { width: 40% !important; }
      #tableWithHiddenHeader10 th[data-sort-key=value] { width: 20% !important; }
      #tableWithHiddenHeader10 th[data-sort-key=threshold] { width: 20% !important; }
      #tableWithHiddenHeader10 th[data-sort-key=limit] { width: 20% !important; }
      #tableWithHiddenHeader10 td { text-align: left; }
    </style>
  </html>

  <table id="tableWithHiddenHeader6">
    <search id="twenty_one">
      <done>
        <set token="tokStatus20">$result.threshold$</set>
        <set token="tokStatus30">$result.limit$</set>
      </done>
      <query>| mstats max("mx.database.space.usage") as value WHERE "index"="murex_metrics" AND "mx.env"="*" AND process.pid ="*" span=10s BY degraded.threshold down.threshold process.pid | rename degraded.threshold as T_CpuPerc | rename down.threshold as limit | sort - _time | head 1 | eval value = round(value,1) | eval label="Database space" | eval threshold=T_CpuPerc | eval limit=limit | table label value threshold limit | appendpipe [ stats count | eval "label"="No results Found" | where count=0 | table "label"]</query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
      <sampleRatio>1</sampleRatio>
      <refresh>5s</refresh>
      <refreshType>delay</refreshType>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <format type="color" field="value">
      <colorPalette type="expression">if(value &gt; $tokStatus30$, "$TOKEN_RED$",if(value &gt; $tokStatus20$, "$TOKEN_YELLOW$", "$TOKEN_GREEN$"))</colorPalette>
    </format>
  </table>

etc., for each row of the table
Thanks, I will work on that information.
Hi All, I have 300+ Splunk alerts which are pointing to webhook endpoint "A", but soon I have a migration planned for the webhook. All the 300+ alerts need to be edited so the webhook endpoint points to "B". I was wondering if there is an easy way of bulk editing all the alerts rather than doing it individually for each alert. Thanks.
It should replicate automatically once it's joined to the SH cluster, because replication happens between the members, not with the deployer.

1. What is the KV store status?
2. Is the newly added member able to connect to the rest of the SH members on the replication port?
3. Are you seeing any errors in splunkd.log?
4. What is your replication factor in the SH cluster?
5. Did you check the pass4symmkey on the deployer and the newly added member?
6. If everything looks good, you may run 'splunk resync shcluster-replicated-config' on the newly added member.
Do you have any other sources of information, e.g. other logs, connection logs, metadata about the "empty" logs, when the events happen, where they were originally logged? Can you work your way back up the chain to find where the event was generated?
Hi, I have a problem with this panel. Tokens $Y$ and $N$ lose their values when changing between the radio input options (Yes/No). The $trobots$ token shows the literal value, not the token value (it literally shows $N$ and $N$).

<input type="dropdown" token="tintervalo" searchWhenChanged="true">
  <label>Intervalo</label>
  <choice value="|loadjob savedsearch=&quot;q71139x:vap:precalculoVAPusoultimasemana">Última semana completa</choice>
  <choice value="|loadjob savedsearch=&quot;q71139x:vap:precalculoVAPusoultimomes">Último mes completo</choice>
  <choice value="|loadjob savedsearch=&quot;q71139x:vap:precalculoVAPusoultimotrimestre">Último trimestre completo</choice>
  <choice value="|loadjob savedsearch=&quot;q71139x:vap:precalculoVAPusoultimoaño">Último año completo</choice>
  <choice value="|loadjob savedsearch=&quot;q71139x:vap:precalculoVAPusomescurso">Mes en curso</choice>
  <choice value="|loadjob savedsearch=&quot;q71139x:vap:precalculoVAPusoañoencurso">Año en curso</choice>
  <choice value="7">Otros</choice>
  <change>
    <condition value="7">
      <set token="show_timepicker">true</set>
      <unset token="show_timepicker2"></unset>
      if($ttime.earliest$=="",<set token="ttime.earliest">-4h@m</set>)
      if($ttime.latest$=="",<set token="ttime.latest">now</set>)
      if($trobots$=="",<set token="trobots">`filter_robots` `filter_robots_ip`</set>)
      <set token="Y">| eval delete=delete</set>
      <set token="N">`filter_robots` `filter_robots_ip`</set>
    </condition>
    <condition>
      <unset token="show_timepicker"></unset>
      <set token="show_timepicker2"></set>
      if($trobots$=="",<set token="trobots">SinBots"</set>)
      <set token="Y">conBots"</set>
      <set token="N">sinBots"</set>
    </condition>
  </change>
</input>
<!-- the closing </change> and </input> tags above were missing from the pasted snippet and are added so the XML is well-formed -->

<input type="radio" token="trobots" depends="$show_timepicker$" id="inputRadioRI" searchWhenChanged="true">
  <label>Robots</label>
  <choice value="$Y$">Yes</choice>
  <choice value="$N$">No</choice>
  <initialValue>$N$</initialValue>
</input>
I suspect two possibilities, although there may be others.

1) The five UFs do not have the right settings. Confirm using btool.
2) The regex is failing to match on the five UFs because of some difference(s) in the event log.
I agree, but how can I fix this?