Hi @ITWhisperer

Raw code:
2024-10-29 20:42:43.702 [INFO ] [pool-2-thread-1] ArchivalProcessor - Total records processed - 38040
host = lgposput50341.gso.aexp.com
source = /amex/app/abs-upstreamer/logs/abs-upstreamer.log
sourcetype = 600000304_gg_abs_ipc2

My query:
index="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"
| rex "Total records processed -\s*(?<processed>\d+)"
| timechart span=1d values(processed) AS ProcessedCount

index="abc" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"
| rex "Total records processed -\s*(?<processed>\d+)"
| timechart span=1d values(processed) AS ProcessedCount
Hi @Kenny_splunk, it's possible to change the ownership of orphaned (or not) knowledge objects in [Settings > All Configurations > Reassign Knowledge Objects] and then modifying filters. Ciao. Giuseppe
Trying to find out how to show the error message (hourly) when we hover over a Splunk sparkline graph in a Splunk dashboard. Do we have such an option for sparklines?
Hey guys, I sometimes have the task of reassigning ownership to certain teams, and at times it can be multiple dashboards/alerts at once. I have the option to select multiple dashboards/alerts, but when I try to reassign all at once, it doesn't work. I remember someone mentioning that it can be done, so I wanted to talk with my favorite community. Thanks again.
As mentioned, try changing the CS from continuous to real-time.
Try using tokens set to the ASCII hex value.  When written the token gets replaced by the single character.
Have you looked at the internal Splunk logs on that node for application activity?
That level of Java support typically is beyond the Splunk community board. These answer posts tend to focus on Splunk configurations.
That does indeed answer the question on what is going on, thanks. Any idea how I could stop it from trying to run an insane amount of searches? Or should I just wait? (Splunk Cloud btw, so I can't ssh in and do things... already restarted from the server settings GUI part.)
Only the dropdown input does not work or are you facing issues with all inputs? Have you checked if the inputs are passed correctly into the search?
With SimpleXML, you can add a selection handler which gets tokens for the start of the timerange, end of the timerange, start of the selection and end of the selection. You can use these token values to set tokens for use elsewhere in your dashboard. This doesn't select lines, just time ranges. If you don't have a selection handler, the chart will just zoom in.
Try using the max function instead of values.

| bin span=3h _time
| stats max(uptime) AS Uptime BY _time, component_hostname
| where Uptime=0
If the correlation search is set to run in Continuous mode (as opposed to real-time) then, yes, Splunk will attempt to re-run the skipped search intervals. Change to real-time mode to avoid that. See https://docs.splunk.com/Documentation/ES/7.1.2/Admin/Configurecorrelationsearches#Change_correlation_search_scheduling for more information.
In this case, review the inputs.conf sourcetype and change it if you use a default pretrained one: https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Listofpretrainedsourcetypes

"The source types marked with an asterisk ( * ) use the INDEXED_EXTRACTIONS attribute, which sets other attributes in props.conf to specific defaults and requires special handling to forward to another Splunk platform instance. See Forward fields extracted from structured data files."
Hello, if you are using _TCP_ROUTING and index rename on the target platform, logs may go to the "last chance index".
Hello, see the table below please. There are results for components A, B and C:

_time               component_hostname   uptime
2024-11-11 15:00    Host A               0.00000 1.00000 5.00000
2024-11-11 15:00    Host B               0.00000 1.00000
2024-11-11 15:00    Host C               0.00000

If I apply where uptime=0 my results will look like the following:

_time               component_hostname   uptime
2024-11-11 15:00    Host A               0.00000
2024-11-11 15:00    Host B               0.00000
2024-11-11 15:00    Host C               0.00000

But this is not what I need, because component A was also showing uptime during my span (1.00000 and 5.00000). The same applies to component B, as it was showing uptime 0.00000 and 1.00000. Which means that components A and B were up during my span and that is ok. But I'm interested only in components which during the span were showing no other value than 0, e.g. component C. Like this I know that components A and B are responding during my span, but component C is not responding because it's always 0.
You need access to the search head to confirm the data has been received properly. Coordinate that with your Splunk admin(s).
I found that I had an error in one of my correlation searches because I saw it in the cloud monitoring console. When I fixed the error I suddenly saw that the latency of this specific correlation search was >4 million seconds. Looking into the actual events that the cloud monitoring console is looking at, I see scheduled_time is more than a month ago. Did I do something dumb, or is Splunk actually just trying to run all those failed scheduled tasks now and I just need to wait it out? Or is there a way to stop them from running? I disabled the correlation search already and did a restart from the server controls...
Hi @mana_pk123, can you please share the link of the application that you installed and are trying to integrate? Is it a Splunkbase application or custom?
Hi there, I am experiencing the same issue here, how did you resolve it?

Kind regards,
gift