Hello everyone, I have set up my Splunk server and Splunk forwarder. When I explore the settings, I can see one host as shown in the image. However, when I try to add data from the Add Data section, I get an error like in the other image. Can you help me resolve this issue?  
Hi, as @richgalloway said, you must test your Python with the command "splunk cmd python <..../bin/your script>". If you are using "python <..../bin/your script>" then it uses the wrong Python version. Anyhow, you should find hints in the _internal logs as to why it didn't work. There are a couple of presentations on how you can do development with Splunk, Python and VS Code: https://www.splunk.com/en_us/blog/it/splunk-enterprise-visual-studio-code-better-together.html https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-debug-Python-code-running-in-Splunk-Enterprise/m-p/629355 https://conf.splunk.com/files/2022/slides/DEV1127C.pdf There are also some other .conf presentations about this same area. r. Ismo
As others already said, it's obvious that timestamp extractions are not working correctly. If you could get someone to check this from the MC (Monitoring Console) side, there should be an answer for the reason: Settings -> MC Indexing -> Inputs -> Data Quality. There are some selections to try to find errors. Then just click those error counts and it will open a query which shows more information about that issue. You could also modify that query to get more information about that issue. Until you can get someone to look at those, it's not possible to be sure of the real reason behind this. r. Ismo
Hi, you could try the MC (Monitoring Console) to look for those possible errors in the ingestion phase: Settings -> MC Indexing -> Inputs -> Data Quality. There are some selections to try to find errors. Then just click those error counts and it will open a query which shows more information about that issue. You could also modify that query to get more information about that issue. r. Ismo
I have two indexes (index A and index B). Here I need to measure the response time of a top-up of a prepaid or postpaid number with the help of the transaction ID. From index A I can filter whether the transaction is prepaid or postpaid; index A contains (customer ID, Type (Prepaid or Postpaid)). In index B we have two logs: one is the request log and the other is the response log. With the help of the customer ID from index A I need to find the transaction ID from the request log, since the customer ID is not available in the response log. Once we get the transaction ID, we need to subtract the timestamps (response log time - request log time).
Index A log pattern ---> _timestamp, customerID, type
Index B ---> contains request and response logs.
Request log pattern ---> timestamp, transactionID, customer ID
Response log pattern ---> timestamp, transactionID, status
Method to measure ---> From index A we need to get the customerID and then go to index B to find out the transaction ID from the request log. With the help of the transactionID we need to subtract the timestamps between the response and request logs from index B. Please help us with how we can proceed in an SPL query.
Any news on PHP 8.3 support please? Also, will ARM CPU support be coming? Thanks.
This is the query I am using in my search. I need my output in multiple rows (snippet provided).
index=mail "*tanium*"
| spath body
| rex field=body max_match=0 "\"(?<Computer_name>.*)\",\"ACN"
| rex field=body max_match=0 "\"(?<Computer_name1>.*)\",\"\[n"
| rex field=Computer_name1 max_match=0 "(?<Computer_name2>.*)\",\"\[n"
| rex field=body max_match=0 "\,(?<Patch_List_Name1>.*)\"\["
| rex field=Patch_List_Name1 max_match=0 "\"(?<Patch_List_Name>.*)\",\""
| rex field=Patch_List_Name1 max_match=0 "\",\"(?<Compliance_status>.*)\""
| eval Computer_name=mvappend(Computer_name,Computer_name2)
| table Computer_name Compliance_status Patch_List_Name
Please just post your current query inside a code block (the "</>" button) when you write your post. Then mock up what and how you want to see the result. One picture is usually better than a thousand words.
Hi, at least in some older Splunk versions (e.g. 7.3.x) there was (probably) a bug which led to this kind of behavior when you were using REST with increased storage areas, like an increased filesystem. The fix was to restart splunkd. r. Ismo
Did you check the results which the initial rest command yields?
Hi All, I just wanted to know if there is any way to display text boxes upon clicking any of the buttons in my dashboard. I uploaded a pic for your reference. Upon clicking any of the buttons, I want to display 2 text boxes. And later I would like to provide input in those text boxes and search for the logs.
<dashboard version="1.1" script="customview.js" theme="dark">
  <label>Search Dashboard</label>
  <row>
    <panel>
      <html>
        <h1 style="text-align: center;">Choose from the below options to get started :)</h1>
        <!-- Centered button container -->
        <div style="display: flex; justify-content: center; align-items: center; gap: 10px; margin-top: 20px;">
          <button id="proxySearch" onclick="showTextBoxes()" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">Proxy Search</button>
          <button id="WAFsearch" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">WAF Search</button>
          <button id="DNSsearch" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">DNS Search</button>
          <button id="Emailsearch" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">Email Search</button>
        </div>
        <div id="mychart"></div>
      </html>
    </panel>
  </row>
</dashboard>
I first wanted to know how to show text boxes upon clicking any of the buttons. I know we have to use JS for this kind of activity, but can anyone suggest how it needs to be done?
I haven't used it, but based on the docs I suppose that it also works for HW-based environments? https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux/centos-migration https://developers.redhat.com/articles/2023/04/11/how-use-convert2rhel-migrate-centos-rhel#7_steps_to_migrate_centos_to_rhel_using_convert2rhel
Do you have the SPL-xxxx code for the fix? It will help others to add this to their support cases.
I agree with @PickleRick about data optimization of buckets. Those warm and cold buckets are identical. Of course you could additionally configure tsindex reduction there, but it has nothing to do with warm -> cold movements. Here is one old, but still mostly valid, presentation about the event lifecycle: https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-data.pdf After one has read it, one will probably understand this better.
Case created.
It's on the Monitoring Console, Disk Usage part. If we look there, there is a bar showing the storage used. I already restarted the service too, but the value is still like the picture. I also inspected the search from the panel, and the values are the same; I copied it into Excel like this one.
Ouch. This is very ugly data. Not only is it unnecessarily complicated and in need of a lot of "untangling" to get it parsed properly (so that you cannot write reasonable extractions), it also contains a huge blob of stuff that is effectively separate data points. So if you want to search for just one of those hosts, you still have to make Splunk dig through a whole load of completely irrelevant data. Additionally, you are doing something to your data, because the body field, if simply extracted from the JSON, would just have a long string, not separate fields. So maybe just post your search as it is. My glass orb is being fixed as we speak.
Hi, I cannot "login"; the truth is that after login I get a 500 error and the UI will only show the following screenshot, so the Web UI is unusable.
Yes. It does look as if the SHC members weren't properly communicating with one another. What is interesting, though, is that the captain is responsible for scheduling searches. So if you had connectivity problems you should also have problems with captain election. But your behaviour suggests that each cluster node works independently. What does your "splunk show shcluster status" say on each node?
Hi @Nawab, the correct action is that the Correlation Search is run on only one of the SHs and only one Notable is created. If more than one Notable is created, it means that the Cluster is out of sync, as @aasabatini said. In this case, you have to check the sync and restart the members and eventually rebuild the configurations. For more info see https://docs.splunk.com/Documentation/Splunk/9.3.1/DistSearch/SHCdeploymentoverview Ciao. Giuseppe