All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I am on Splunk 8.2.12. I am trying to get a distinct count of incidents that have happened in each month, year to date. I'd like to compare that to the year prior. I feel like this should be pretty easy, but my results aren't showing the current year in comparison to the previous year.

This shows the current year data (2024):

(earliest=-1@y@y AND latest=now())
| eval date_month=strftime(_time, "%mon")
| eval date_year = strftime(_time, "%Y")
| timechart span=1mon dc(RMI_MastIncNumb) as "# of Incidents"

When I add

| timewrap 1year series=exact time_format=%Y

it ends up just showing me 2023.
As @MuS said, you must ask your account team to add the rights for you to download it after you have bought it.
Hi, shortly: nope. There are quite many answers in which this has already been discussed earlier. The main point here is that a bucket is managed by the youngest event inside it. As there are several buckets in which _time can differ heavily between the events in that bucket, you cannot get an exactly 1 month time period in hot+warm+cold. It's always defined by a combination of several parameters. You can find those in older answers or the docs. r. Ismo
Hi, if your company is a Splunk Partner and your company fulfills some defined requirements, then there is the possibility to get a Splunk Cloud Sandbox environment for 12 months. I cannot recall those requirements now, but you or your company's partner manager can check them, and if they are fulfilled then order that sandbox for your use. r. Ismo
Basically it's possible that they create a report which uses |rest against the indexer, if they also set it to run as owner. That way it can execute those rest queries and return correct responses.
As I said earlier, if you want to use a hashed password instead of plain text, then you must use the same splunk.secret on both nodes.
Here's what I ended up doing: Created a dropdown for the versions and added conditions in that to pass to the panels with the queries. Then I added a row at the top that displays for the user which version to pick from the dropdown. This wasn't what I had in mind but for now it works. Below is the dashboard code in case anyone smarter and more experienced happens to notice something I could improve on.

<form version="1.1" theme="light">
  <label>Education Title Report</label>
  <search>
    <query>| inputlookup HealthcareMasterList.csv | search propertyId=$propertyId$ | table propertyId FullHospitalName MarinaVersion | join type=left propertyId [ search sourcetype=sysconfighost-v* earliest=-24@h propertyId=$propertyId$ | dedup propertyId hostId sortby -dateTime | stats max(coreVersion) as coreVersion by propertyId] | eval version=if(isnull(coreVersion),MarinaVersion,coreVersion) | eval version=substr(version,1,2) | eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version) | fields - MarinaVersion coreVersion</query>
    <preview>
      <eval token="MarinaVersion">$result.version$</eval>
    </preview>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="propertyId" searchWhenChanged="true">
      <label>Site</label>
      <fieldForLabel>FullHospitalName</fieldForLabel>
      <fieldForValue>propertyId</fieldForValue>
      <search>
        <query>| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | table propertyId FullHospitalName MarinaVersion | join type=left propertyId [ search sourcetype=sysconfighost-v* [| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | fields propertyId | format] | dedup propertyId hostId sortby -dateTime | stats max(coreVersion) as coreVersion by propertyId] | eval version=if(isnull(coreVersion),MarinaVersion,coreVersion) | eval version=substr(version,1,2) | eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version) | fields - MarinaVersion coreVersion | sort FullHospitalName</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="WhichVersion">
      <label>Marina Version</label>
      <choice value="Pre15">Pre15</choice>
      <choice value="Post15">Post15</choice>
      <choice value="NA">NA</choice>
      <change>
        <condition value="Post15">
          <unset token="NoAssignments"></unset>
          <set token="IncludesAssignments">true</set>
          <unset token="NoInfo"></unset>
        </condition>
        <condition value="Pre15">
          <set token="NoAssignments">true</set>
          <unset token="IncludesAssignments"></unset>
          <unset token="NoInfo"></unset>
        </condition>
        <condition value="NA">
          <unset token="NoAssignments"></unset>
          <unset token="IncludesAssignments"></unset>
          <set token="NoInfo">true</set>
        </condition>
      </change>
    </input>
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Date Picker</label>
      <default>
        <earliest>-1mon@mon</earliest>
        <latest>@mon</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>Please select the following for the Marina Version dropdown:</html>
    </panel>
    <panel>
      <html>$MarinaVersion$</html>
    </panel>
  </row>
This is an old question, but I still comment here in case someone needs it later. When you are using a hashed password in user-seed.conf you must hash it with the same splunk.secret string as you have on your new server! If you have hashed it with some other random splunk.secret, and on the new server you have something else in splunk.secret, those won't match as the hash keys have been different.
Here's what I've ended up doing until I can find another solution. I created a dropdown for the version and set up conditions that I then passed to the panels below with my queries to indicate which one to display. I added two panels at the top that tell the user which version to choose from the Marina Version dropdown.

<form version="1.1" theme="light">
  <label>Education Title Report</label>
  <search>
    <query>| inputlookup HealthcareMasterList.csv | search propertyId=$propertyId$ | table propertyId FullHospitalName MarinaVersion | join type=left propertyId [ search sourcetype=sysconfighost-v* earliest=-24@h propertyId=$propertyId$ | dedup propertyId hostId sortby -dateTime | stats max(coreVersion) as coreVersion by propertyId] | eval version=if(isnull(coreVersion),MarinaVersion,coreVersion) | eval version=substr(version,1,2) | eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version) | fields - MarinaVersion coreVersion</query>
    <preview>
      <eval token="MarinaVersion">$result.version$</eval>
    </preview>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="propertyId" searchWhenChanged="true">
      <label>Site</label>
      <fieldForLabel>FullHospitalName</fieldForLabel>
      <fieldForValue>propertyId</fieldForValue>
      <search>
        <query>| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | table propertyId FullHospitalName MarinaVersion | join type=left propertyId [ search sourcetype=sysconfighost-v* [| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | fields propertyId | format] | dedup propertyId hostId sortby -dateTime | stats max(coreVersion) as coreVersion by propertyId] | eval version=if(isnull(coreVersion),MarinaVersion,coreVersion) | eval version=substr(version,1,2) | eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version) | fields - MarinaVersion coreVersion | sort FullHospitalName</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="WhichVersion">
      <label>Marina Version</label>
      <choice value="Pre15">Pre15</choice>
      <choice value="Post15">Post15</choice>
      <choice value="NA">NA</choice>
      <change>
        <condition value="Post15">
          <unset token="NoAssignments"></unset>
          <set token="IncludesAssignments">true</set>
          <unset token="NoInfo"></unset>
        </condition>
        <condition value="Pre15">
          <set token="NoAssignments">true</set>
          <unset token="IncludesAssignments"></unset>
          <unset token="NoInfo"></unset>
        </condition>
        <condition value="NA">
          <unset token="NoAssignments"></unset>
          <unset token="IncludesAssignments"></unset>
          <set token="NoInfo">true</set>
        </condition>
      </change>
    </input>
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Date Picker</label>
      <default>
        <earliest>-1mon@mon</earliest>
        <latest>@mon</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>Please select the following for the Marina Version dropdown:</html>
    </panel>
    <panel>
      <html>$MarinaVersion$</html>
    </panel>
  </row>

Having the user have to use the version dropdown was not what I wanted to do, but this at least works for now until I stumble upon a better method.
As @ITWhisperer says, you can use selections. See the documentation here https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#selection_.28area.2C_column.2C_and_line_charts.29  
One additional comment which hasn't been mentioned yet. There are upper limits for buckets in clusters (if I recall right, both per node and per cluster). Normally this is not an issue, but if you have a quite active site which has hundreds/thousands of sources and TB/PB ingested per day, you could hit those limits.
I think that currently XMLWinEventLog is used; at least that is what is used on those nodes which I can check now.
Are you able to show that query? Using subsearches will not work for datasets where the subsearch has more than 50k results; not sure what your meaning of a 'large' dataset is. If you can show an anonymised version of each of the data sets and show the relationships, it will help us provide a solution.
If your lookup only contains hostname, ip address and location, how will you find any events where MESSAGE_TEXT="Radius"?
I have a lookup file that contains a column for hostname, ip address and location. I need a query that will check the lookup file and determine if the element is up or down and if it has or used "radius".

|inputlookup filename | search (MESSAGE_TEXT="Radius")
Hi there, Please contact your Splunk sales account team for this, they are able to help you. cheers, MuS
Reply: Can we enforce the data to be rolled from Hot/Warm to Cold after one month, then from Cold to Frozen after one month?
Hello Splunker,

I have two volumes with the following specs:
Hot/Warm Volume: 5.25 TB
Cold Volume: 4.75 TB

================================
[volume:hot]
path = /opt/splunk-hwdata
maxVolumeDataSizeMB = 7602176

[volume:cold]
path = /opt/splunk-Colddata
maxVolumeDataSizeMB = 4980736
==================================
[Win]
repFactor = auto
homePath = volume:hot/$_index_name/db
coldPath = volume:cold/$_index_name/colddb
thawedPath = /opt/splunk-Colddata/$_index_name/thaweddb
homePath.maxDataSizeMB = 7602176
coldPath.maxDataSizeMB = 4980736
maxWarmDBCount = 720
frozenTimePeriodInSecs = 5184000
maxDataSize = auto_high_volume

[FW]
repFactor = auto
homePath = volume:hot/$_index_name/db
coldPath = volume:cold/$_index_name/colddb
thawedPath = /opt/splunk-Colddata/$_index_name/thaweddb
homePath.maxDataSizeMB = 7602176
coldPath.maxDataSizeMB = 4980736
maxWarmDBCount = 720
frozenTimePeriodInSecs = 5184000
maxDataSize = auto_high_volume
====================================

Notice we have re-configured the below:

[diskUsage]
minFreeSpace = 20000

Finally, we have reached the bottom of the question. I am in doubt whether this configuration can maintain the below requirements:

The data retention period for the online data is 2 months.
- Hot/Warm – 1 month
- Cold – 1 month
Hi there, can you please post an example _raw event in a code block, thanks. cheers, MuS
This isn't as convenient as I'd hoped, but we ended up putting together a custom code block to build a clickable URL which can be shared.

import urllib.parse

# This line won't change between different searches.
# "[splunk URL]" is a placeholder for the scheme and host of your Splunk instance.
base_url = "[splunk URL]/en-US/app/SplunkEnterpriseSecuritySuite/search?q="

# This should be dynamically built with whatever you're searching for.
my_search = "index=* | stats count by index"

# This is optional, Splunk will use your default if you don't include it.
# Times should be epoch format; "[start]" and "[end]" are placeholders for those values.
start = "[start]"
end = "[end]"
time_range = f"&earliest={start}&latest={end}"

# urllib.parse.quote is required. It's the difference between "index=* | stats count by index"
# (human readable) and "index%3D%2A%20..." (working URL).
full_url = base_url + urllib.parse.quote(my_search) + time_range
print(full_url)