@dmrhodes101, it looks like you are trying to process EDI. We do have a solution accelerator for processing EDIs and would love to share some of the content we have. Let me know if you're interested.
@_gkollias It looks like you are trying to process EDI data. We do have a solutions accelerator for EDI that we can share. Are you interested in learning about it? I'd love to set up some time to share what we have.
My email is youngc@splunk.com. Please send me an email and I will send a Zoom meeting invite for us to connect.
@gcusello As per the screenshot below, do I need to specify the match_type for both fields? FYI @gcusello, I have added the entries below and it starts working as expected: WILDCARD(source), WILDCARD(position), WILDCARD(destination)
Hi @uagraw01, what's the issue? Did you unflag the checkbox for exact match in the Lookup Definition? Ciao. Giuseppe
Hello Splunkers!! We have events that contain source and destination fields with complete values, and we want to match these fields against lookup data where the corresponding fields (source and destination) may include wildcard values. The goal is to accurately match the event data with the appropriate lookup values, ensuring that wildcard patterns in the lookup are properly evaluated during the matching process. Values to be matched with the lookup below. This is what I have tried so far to match the event field values with the lookup field values, but no luck. Please give me some suggestions to execute this correctly.

| lookup movement_type_ah mark_code as mark_code destination as destination source as source OUTPUTNEW movement_type
Hello All, Is there any official document that can guide setting up Splunk on AWS Elastic Beanstalk? Thanks.
Did your lookup grow in size during this time?  I had this problem with a large lookup a while ago.  Check out Why does lookup return null when there are multiple matches.
I have set up email authentication and SMTP using Amazon SES. The test email was successful. I configured the mail server by entering the SMTP ID and password. I created a simple alert, configured it to trigger in real-time, and set it to send an email. However, the alert is not being generated, and the alert email is not being sent. Is there a way to configure Amazon SES SMTP with Splunk Enterprise's mail server and alert settings to ensure the emails are sent? Thank you!                
Splunk does not support changing logs at all - that is not what Splunk is, it is simply a repository where data is stored as read-only data. I am not sure where it is documented though. Neither Splunk Cloud, nor Enterprise support the concept of changing raw data once ingested.  
Splunk will only ever show milliseconds for the _time field, but if you do

... | head 5 | eval actual_time_value=_time | table _time actual_time_value

you can see the time field as it is stored, as a number.
Try like this

#tableWithHiddenHeader7 thead { display: none; }
#tableWithHiddenHeader7 tr td:nth-child(1) { width: 40% !important; }
#tableWithHiddenHeader7 tr td:nth-child(2) { width: 20% !important; }
#tableWithHiddenHeader7 tr td:nth-child(3) { width: 20% !important; }
#tableWithHiddenHeader7 tr td:nth-child(4) { width: 20% !important; }
#tableWithHiddenHeader7 td { text-align: left; }

#tableWithHiddenHeader8 thead { display: none; }
#tableWithHiddenHeader8 tr td:nth-child(1) { width: 40% !important; }
#tableWithHiddenHeader8 tr td:nth-child(2) { width: 20% !important; }
#tableWithHiddenHeader8 tr td:nth-child(3) { width: 20% !important; }
#tableWithHiddenHeader8 tr td:nth-child(4) { width: 20% !important; }
#tableWithHiddenHeader8 td { text-align: left; }

#tableWithHiddenHeader9 thead { display: none; }
#tableWithHiddenHeader9 tr td:nth-child(1) { width: 40% !important; }
#tableWithHiddenHeader9 tr td:nth-child(2) { width: 20% !important; }
#tableWithHiddenHeader9 tr td:nth-child(3) { width: 20% !important; }
#tableWithHiddenHeader9 tr td:nth-child(4) { width: 20% !important; }
#tableWithHiddenHeader9 td { text-align: left; }

#tableWithHiddenHeader10 thead { display: none; }
#tableWithHiddenHeader10 tr td:nth-child(1) { width: 40% !important; }
#tableWithHiddenHeader10 tr td:nth-child(2) { width: 20% !important; }
#tableWithHiddenHeader10 tr td:nth-child(3) { width: 20% !important; }
#tableWithHiddenHeader10 tr td:nth-child(4) { width: 20% !important; }
#tableWithHiddenHeader10 td { text-align: left; }
@BTA_BT May we have the doc link, please? Do you see the add comment or feedback option on the lower page? Did you (could you please) submit a comment / feedback? Thanks and best regards
This happened to me in a clustered and distributed environment. I toggled from Distributed to Standalone and back to Distributed, then clicked apply changes. Cleared right up.
I am using Splunk Enterprise's DSDL app and can't run any of the examples, as I typically end up with this error:

[mlspl.MLTKContainer] [get_endpoint_url] Failed to connect to the container

I am new to Splunk and using the Golden Image CPU (5.1.2) for the MLTK container with the Docker backend on my local machine to try out the examples in this app. For example, when trying to run the Neural Network Classifier Example, it uses the diabetes_classifier_model, but I constantly keep running into the above error. I am using container mode PROD, but even DEV doesn't work.
Was this ever resolved? Facing this same issue.
For Splunk Cloud Platform: where is it documented that Splunk Cloud logs cannot be changed?
Looks like they all have the same settings as the others. The logs look identical to the ones that are already blacklisted.
Hi @ITWhisperer
Below is panel to panel - thanks for the help

<row>
  <panel>
    <title>Process Resources</title>
    <html depends="$alwaysHideCSSStyle$">
      <style>
        #tableWithHiddenHeader6 th[data-sort-key=label] { width: 40% !important; text-align: left; }
        #tableWithHiddenHeader6 th[data-sort-key=value] { width: 20% !important; text-align: left; }
        #tableWithHiddenHeader6 th[data-sort-key=threshold] { width: 20% !important; text-align: left; }
        #tableWithHiddenHeader6 th[data-sort-key=limit] { width: 20% !important; text-align: left; }
        #tableWithHiddenHeader6 td { text-align: left; }
        #tableWithHiddenHeader7 thead { visibility: hidden; height: min-content; }
        #tableWithHiddenHeader7 th[data-sort-key=label] { width: 40% !important; }
        #tableWithHiddenHeader7 th[data-sort-key=value] { width: 20% !important; }
        #tableWithHiddenHeader7 th[data-sort-key=threshold] { width: 20% !important; }
        #tableWithHiddenHeader7 th[data-sort-key=limit] { width: 20% !important; }
        #tableWithHiddenHeader7 td { text-align: left; }
        #tableWithHiddenHeader8 thead { visibility: hidden; height: min-content; }
        #tableWithHiddenHeader8 th[data-sort-key=label] { width: 40% !important; }
        #tableWithHiddenHeader8 th[data-sort-key=value] { width: 20% !important; }
        #tableWithHiddenHeader8 th[data-sort-key=threshold] { width: 20% !important; }
        #tableWithHiddenHeader8 th[data-sort-key=limit] { width: 20% !important; }
        #tableWithHiddenHeader8 td { text-align: left; }
        #tableWithHiddenHeader9 thead { visibility: hidden; height: min-content; }
        #tableWithHiddenHeader9 th[data-sort-key=label] { width: 40% !important; }
        #tableWithHiddenHeader9 th[data-sort-key=value] { width: 20% !important; }
        #tableWithHiddenHeader9 th[data-sort-key=threshold] { width: 20% !important; }
        #tableWithHiddenHeader9 th[data-sort-key=limit] { width: 20% !important; }
        #tableWithHiddenHeader9 td { text-align: left; }
        #tableWithHiddenHeader10 thead { visibility: hidden; height: min-content; }
        #tableWithHiddenHeader10 th[data-sort-key=label] { width: 40% !important; }
        #tableWithHiddenHeader10 th[data-sort-key=value] { width: 20% !important; }
        #tableWithHiddenHeader10 th[data-sort-key=threshold] { width: 20% !important; }
        #tableWithHiddenHeader10 th[data-sort-key=limit] { width: 20% !important; }
        #tableWithHiddenHeader10 td { text-align: left; }
      </style>
    </html>
    <table id="tableWithHiddenHeader6">
      <search id="twenty_one">
        <done>
          <set token="tokStatus20">$result.threshold$</set>
          <set token="tokStatus30">$result.limit$</set>
        </done>
        <query>| mstats max("mx.database.space.usage") as value WHERE "index"="murex_metrics" AND "mx.env"="*" AND process.pid ="*" span=10s BY degraded.threshold down.threshold process.pid | rename degraded.threshold as T_CpuPerc | rename down.threshold as limit | sort - _time | head 1 | eval value = round(value,1) | eval label="Database space" | eval threshold=T_CpuPerc | eval limit=limit | table label value threshold limit | appendpipe [ stats count | eval "label"="No results Found" | where count=0 | table "label"]</query>
        <earliest>$time_token.earliest$</earliest>
        <latest>$time_token.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>5s</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <format type="color" field="value">
        <colorPalette type="expression">if(value &gt; $tokStatus30$, "$TOKEN_RED$",if(value &gt; $tokStatus20$, "$TOKEN_YELLOW$", "$TOKEN_GREEN$"))</colorPalette>
      </format>
    </table>
    <table id="tableWithHiddenHeader7">
      <search id="twenty_two">
        <done>
          <set token="tokStatus40">$result.threshold$</set>
          <set token="tokStatus50">$result.limit$</set>
        </done>
        <query>| mstats max("mx.database.statement.top_running.time") as value WHERE "index"="murex_metrics" AND "mx.env"="*" AND process.pid ="*" span=10s BY degraded.threshold down.threshold process.pid | rename degraded.threshold as T_CpuPerc | rename down.threshold as limit | sort - _time | head 1 | eval value = round(value,1) | eval label="Top Running" | eval threshold=T_CpuPerc | eval limit=limit | table label value threshold limit | appendpipe [ stats count | eval "label"="No results Found" | where count=0 | table "label"]</query>
        <earliest>$time_token.earliest$</earliest>
        <latest>$time_token.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>5s</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <format type="color" field="value">
        <colorPalette type="expression">if(value &gt; $tokStatus50$, "$TOKEN_RED$",if(value &gt; $tokStatus40$, "$TOKEN_YELLOW$", "$TOKEN_GREEN$"))</colorPalette>
      </format>
    </table>
    <table id="tableWithHiddenHeader8">
      <search id="twenty_three">
        <done>
          <set token="tokStatus60">$result.threshold$</set>
          <set token="tokStatus70">$result.limit$</set>
        </done>
        <query>| mstats max("mx.database.lock.top_blocking.time") as value WHERE "index"="murex_metrics" AND "mx.env"="*" AND process.pid ="*" span=10s BY degraded.threshold down.threshold process.pid | rename degraded.threshold as T_CpuPerc | rename down.threshold as limit | sort - _time | head 1 | eval value = round(value,1) | eval label="Blocking Locks" | eval threshold=T_CpuPerc | eval limit=limit | table label value threshold limit | appendpipe [ stats count | eval "label"="No results Found" | where count=0 | table "label"]</query>
        <earliest>$time_token.earliest$</earliest>
        <latest>$time_token.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>30s</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <format type="color" field="value">
        <colorPalette type="expression">if(value &gt; $tokStatus70$, "$TOKEN_RED$",if(value &gt; $tokStatus60$, "#ffae46", "$TOKEN_GREEN$"))</colorPalette>
      </format>
    </table>
    <table id="tableWithHiddenHeader9">
      <search id="twenty_four">
        <done>
          <set token="tokStatus80">$result.threshold$</set>
          <set token="tokStatus90">$result.limit$</set>
        </done>
        <query>| mstats max("mx.database.oracle.redo_switch.count") as value WHERE "index"="murex_metrics" AND "mx.env"="*" AND process.pid ="*" span=10s BY degraded.threshold down.threshold process.pid | rename degraded.threshold as T_CpuPerc | rename down.threshold as limit | sort - _time | head 1 | eval value = round(value,1) | eval label="Redo Switch Count" | eval threshold=T_CpuPerc | eval limit=limit | table label value threshold limit | appendpipe [ stats count | eval "label"="No results Found" | where count=0 | table "label"]</query>
        <earliest>$time_token.earliest$</earliest>
        <latest>$time_token.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>30s</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <format type="color" field="value">
        <colorPalette type="expression">if(value &gt; $tokStatus90$, "$TOKEN_RED$",if(value &gt; $tokStatus80$, "$TOKEN_YELLOW$", "$TOKEN_GREEN$"))</colorPalette>
      </format>
    </table>
    <table id="tableWithHiddenHeader10">
      <search id="twenty_five">
        <done>
          <set token="tokStatus100">$result.threshold$</set>
          <set token="tokStatus110">$result.limit$</set>
        </done>
        <query>| mstats max("mx.database.object.invalid.count") as value WHERE "index"="murex_metrics" AND "mx.env"="*" AND process.pid ="*" span=10s BY degraded.threshold down.threshold process.pid | rename degraded.threshold as T_CpuPerc | rename down.threshold as limit | sort - _time | head 1 | eval value = round(value,1) | eval label="Database space" | eval threshold=T_CpuPerc | eval limit=limit | table label value threshold limit | appendpipe [ stats count | eval "label"="No results Found" | where count=0 | table "label"]</query>
        <earliest>$time_token.earliest$</earliest>
        <latest>$time_token.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>30s</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <format type="color" field="value">
        <colorPalette type="expression">if(value &gt; $tokStatus110$, "$TOKEN_RED$",if(value &gt; $tokStatus100$, "$TOKEN_YELLOW$", "$TOKEN_GREEN$"))</colorPalette>
      </format>
    </table>
  </panel>
</row>
This app does not support Aruba Central. I am working on adding support for Syslog from Central OnPrem and evaluating creating an app using the supported Central module, but that would likely be another app and not part of this app.