All Posts

Thanks for the reply. Sorry, that's not what I want to achieve. My search spans the last 30 days; this will only make it look for the time span > 7 and < 14 days. I want Splunk to run this search on the given cron schedule, not to change the search time span.
In our environment:
Technology under observability: IBM Sterling File Gateway
AppDynamics agent: Java 23.12
Problem statement: AppDynamics is not able to discover BTs, and the IBM SFG vendor does not agree to share class names and method names with Cisco tools. Can someone please help with discovering the BTs for SFG? I appreciate any support here.
Hello @ITWhisperer, I hope I have added more information; please let me know if I need to add any other info. The actual need is: I have a field where sometimes I get an empty value. When I'm selecting All in the input dropdown the values can be anything, including empty, but when we choose any specific value in the input dropdown we don't need to consider empty values. So I planned to create 2 base searches: one for when we choose All in the input dropdown, the other for when we choose any value apart from All. When we are choosing any other value in the input dropdown we can use | where isnotnull(field_name) | head 10000, which is not needed when we are selecting All in the input dropdown, since the data volume is huge. Thanks!
I have data like this in a Splunk search:

2024-10-29 20:14:49 (715) worker.6 worker.6 txid=XXXX JobPersistence Total records archived per table: sn_vul_vulnerable_item: 1000 sn_vul_detection: 1167 Total records archived: 2167 Total related records archived: 1167
2024-10-29 20:13:17 (337) worker.0 worker.0 txid=YYYY JobPersistence Total records archived per table: sn_vul_vulnerable_item: 1000 sn_vul_detection: 1066 Total records archived: 2066 Total related records archived: 1066

How can I prepare a table as below? Basically, prepare a list of tables and the sum of their counts between the text "Total records archived per table:" and "Total records archived: ":

sn_vul_vulnerable_item:2000
sn_vul_detection:2233

This is what I have so far:

node=* "Total records archived per table" "Total related records archived:" | rex field=_raw "Total records archived per table ((?m)[^\r\n]+)(?<tc_table>\S+): (?<tc_archived_count>\d+) Total related records archived:"
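As an added example (not the poster's SPL and not a Splunk query), here is a stand-alone Python reimplementation of the aggregation the post asks for: bound the extraction to the text between the two markers so the grand total is never mistaken for a table, pull every table/count pair out of that span, and sum per table. The input is the two events from the post plus one constructed event with no per-table section, to show that such events are skipped rather than mis-parsed.

```python
import re
from collections import defaultdict

# Sample events: the two from the post plus a constructed event that carries
# no per-table summary (it must contribute nothing to the totals).
SAMPLE_EVENTS = [
    "2024-10-29 20:14:49 (715) worker.6 worker.6 txid=XXXX JobPersistence "
    "Total records archived per table: sn_vul_vulnerable_item: 1000 sn_vul_detection: 1167 "
    "Total records archived: 2167 Total related records archived: 1167",
    "2024-10-29 20:13:17 (337) worker.0 worker.0 txid=YYYY JobPersistence "
    "Total records archived per table: sn_vul_vulnerable_item: 1000 sn_vul_detection: 1066 "
    "Total records archived: 2066 Total related records archived: 1066",
    "2024-10-29 20:12:00 (100) worker.1 worker.1 txid=ZZZZ JobPersistence "
    "Nothing to archive",  # constructed: no per-table section
]

# Step 1: isolate the span between the two markers. The non-greedy .*? stops at
# the first "Total records archived:", so the grand total stays outside the span.
SEGMENT_RE = re.compile(
    r"Total records archived per table:(?P<segment>.*?)Total records archived:"
)
# Step 2: every "<table_name>: <count>" pair inside that span.
PAIR_RE = re.compile(r"(?P<table>[A-Za-z_]\w*):\s*(?P<count>\d+)")


def per_table_counts(event: str) -> dict[str, int]:
    """Return {table_name: archived_count} for one event, or {} if the event
    has no per-table section."""
    match = SEGMENT_RE.search(event)
    if not match:
        return {}
    return {p["table"]: int(p["count"]) for p in PAIR_RE.finditer(match["segment"])}


def sum_archived_per_table(events) -> dict[str, int]:
    """Sum the per-table counts across all events (the table the post wants)."""
    totals: dict[str, int] = defaultdict(int)
    for event in events:
        for table, count in per_table_counts(event).items():
            totals[table] += count
    return dict(totals)


if __name__ == "__main__":
    for table, total in sum_archived_per_table(SAMPLE_EVENTS).items():
        print(f"{table}:{total}")
```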
Hello Splunkers, I have an input dropdown field. When I'm selecting "*" in that input dropdown field I need to pass base search 1 to all searches in the dashboard, and when I'm selecting any other value apart from "*" I need to pass base search 2 to all searches in the dashboard.

<form version="1.1">
  <label>Clone sample</label>
  <search>
    <query>
      | makeresults
      | eval curTime=strftime(now(), "GMT%z")
      | eval curTime=substr(curTime,1,6)
      | rename curTime as current_time
    </query>
    <progress>
      <set token="time_token_now">$result.current_time$</set>
    </progress>
  </search>
  <search id="base_1">
    <query>
      index=2343306 sourcetype=logs*
      | head 10000
      | fields _time index Eventts IT _raw
      | fillnull value="N/A"
    </query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>
  <search id="base_2">
    <query>
      index=2343306 sourcetype=logs*
      | where isnotnull(CODE)
      | head 10000
      | fields _time index Eventts IT CODE _raw
      | fillnull value="N/A"
    </query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="radio" token="field1">
      <label>field1</label>
      <choice value="All">All</choice>
      <choice value="M1">M1</choice>
      <choice value="A2">A2</choice>
      <change>
        <eval token="base_token">case("All"="field1", "base_1", "All"!="field1", "base_2")</eval>
      </change>
    </input>
    <input type="time" token="time_token" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>table</title>
        <search base="$base_token$">
          <query>| table *</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

I have tried passing the token in the input dropdown, but it doesn't work. Can you please help me fix this issue? Thanks!
You are so great!
Thanks for your reply! But if I use oneshot to upload the CSV file, could it match the specific sourcetype I added in props.conf?
Hi everyone, I am using rex to extract content that contains the following word: full

| rex field=msg_old "(?<msg_keyword>full).*"

However, what I actually need is to extract content with the word full alone, not words that contain full within them, just the word full itself. Can you please advise if the sentence needs to be different? Thanks
If the search term is a fixed string then just add it to the table command.

| table Environment, userid, "THE_TERM"
If I understand the requirements correctly, this query will only return events that do not match the sample text.

index=foo NOT "*c.q.s.c.StoreHourSyncRestController*"
| regex _raw!="c\.q\.s\.c\.StoreHourSyncRestController : \*\*\* Sync Busy \*\*\*"
| appendpipe [stats count | eval _raw="App is failing!" | where count=0]
Hi, I just wondered if Oracle Cloud had tagging to onboard data like AWS does for Splunk, like this:

splunk add monitor /var/log/secure

Thanks
Hi Team, how do I install Splunk UF on an AIX system? I referred to the link below, but I am still not sure... Link - Install a *nix universal forwarder - Splunk Documentation. Thanks
I am trying to create a text input in a Splunk dashboard that should ignore the ticket numbers entered by the user in the text box while running the query, and if the user doesn't input anything in that text box then by default it should search all tickets. I tried a few ways to achieve this through eval, makeresults, etc., but had no luck getting it to work. Any ideas on how I can achieve this functionality?

<form version="1.1" theme="light">
  <label>TEST</label>
  <search id="tickets">
    <query>
      index=tickets earliest=-1d latest=now
      | eval search_ticket=if(len("$ticket_number$")=0, "ticket_number=*", "NOT ticket_number IN ($ticket_number$)")
    </query>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="ticket_number">
      <label>ticket_number</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Results</title>
        <search base="tickets">
          <query>| search $search_ticket$ | table ticket_number</query>
        </search>
      </table>
    </panel>
  </row>
</form>
Hey @ssj3abid , were you able to figure this out? I'm having the same issues.
I did have luck running the following command on the deployment server, in the directory /opt/splunk/bin:

./splunk reload deploy-server

After the reload, the other instance disappeared.
We are ingesting a large volume of network data and would like to use tstats to make the searches faster. The query index=myindex is returning results as expected, but when I run a basic tstats like | tstats count where index=myindex it returns zero results. What could be the cause? I also attempted to use | tstats count where index=federated:myindex but it did not help.
This is my first time using Splunk in my environment; we have chosen the Splunk Cloud Platform. Since it is my first time, how can I determine the system requirements for a server (physical or virtual) before installing the Universal Forwarder?
I had the same issue. The UF was installed improperly initially, but was showing that it reported in to the deployment server. So the UF was uninstalled and reinstalled. It created a new instance in the deployment server, and it will not go away. I'm curious how I am supposed to deal with this. I am also curious: will it drop off over time, or is there a way I can go into a config file or something and delete it via the CLI?
What is the reason that Splunk UBA Kafka gives me this error, and how can I fix it? Kafka topics are not receiving events and Kafka Broker
Hey, good afternoon. The configurations on these servers weren't done by me, and I have limited knowledge of Splunk administration. That’s why it's been challenging to identify where the "_time" dis... See more...
Hey, good afternoon. The configurations on these servers weren't done by me, and I have limited knowledge of Splunk administration. That’s why it's been challenging to identify where the "_time" discrepancy is coming from. The search query is exactly the same, retrieving the same data within the same time range. The user’s timezone is set to "Default System TimeZone." I believe all the SHs are also set to "Default System TimeZone" (although it’s been difficult to confirm this information). SH1 and SH2 are older servers, while SH3, which shows the difference in "_time," is a recently installed and configured server within the cluster (also configured by someone else).