All Posts

If the search term is a fixed string then just add it to the table command.

| table Environment, userid, "THE_TERM"

If I understand the requirements correctly, this query will only return events that do not match the sample text.

index=foo NOT "*c.q.s.c.StoreHourSyncRestController*" | regex _raw!="c\.q\.s\.c\.StoreHourSyncRestController : \*\*\* Sync Busy \*\*\*" | appendpipe [stats count | eval _raw="App is failing!" | where count=0]
Hi, just wondered if Oracle Cloud had tagging to onboard data like AWS does for Splunk, like this:

splunk add monitor /var/log/secure

Thanks.
Hi Team, how do I install Splunk UF on an AIX system? I referred to the link below, but am still not sure. Link - Install a *nix universal forwarder - Splunk Documentation. Thanks.
I am trying to create a text input in a Splunk dashboard that should ignore the ticket numbers entered by the user in the text box while running the query, and if the user doesn't input anything in that text box then by default it should search all tickets. I tried a few ways to achieve this through eval, makeresults, etc. but had no luck in getting it to work. Any ideas on how I can achieve this functionality?

<form version="1.1" theme="light">
  <label>TEST</label>
  <search id="tickets">
    <query>
      index=tickets earliest=-1d latest=now
      | eval search_ticket=if(len("$ticket_number$")=0, "ticket_number=*", "NOT ticket_number IN ($ticket_number$)")
    </query>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="ticket_number">
      <label>ticket_number</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Results</title>
        <search base="tickets">
          <query>| search $search_ticket$ | table ticket_number</query>
        </search>
      </table>
    </panel>
  </row>
</form>
Hey @ssj3abid, were you able to figure this out? I'm having the same issues.
I did have luck running the following command on the deployment server under directory /opt/splunk/bin:

./splunk reload deploy-server

After the reload the other instance disappeared.
We are ingesting a large volume of network data and would like to use tstats to make the searches faster. The query index=myindex is returning results as expected, but when I run a basic tstats like | tstats count where index=myindex it returns zero results. What could be the cause? I also attempted to use | tstats count where index=federated:myindex but it did not help.
This is my first time using Splunk in my environment; we have chosen the Splunk Cloud platform. Since it is my first time, how can I determine the system requirements for a server (physical or virtual) before installing the Universal Forwarder?
I had the same issue. The UF was installed improperly initially, but was showing it reported into the deployment server. So, the UF was uninstalled and reinstalled. It created a new instance in the deployment server, and it will not go away. I'm curious how I am supposed to deal with this. I am also curious whether it will drop off over time, or whether there is a way I can go into a config file or something and delete it via the CLI.
What is the reason that Splunk UBA Kafka gives me this error, and how can I fix it? "Kafka topics are not receiving events" and "Kafka Broker"
Hey, good afternoon. The configurations on these servers weren't done by me, and I have limited knowledge of Splunk administration. That's why it's been challenging to identify where the "_time" discrepancy is coming from. The search query is exactly the same, retrieving the same data within the same time range. The user's timezone is set to "Default System TimeZone." I believe all the SHs are also set to "Default System TimeZone" (although it's been difficult to confirm this information). SH1 and SH2 are older servers, while SH3, which shows the difference in "_time," is a recently installed and configured server within the cluster (also configured by someone else).
Ok, maybe it is too much Splunk today. Whatever it is, I cannot for the life of me remember how to do this. I am doing a basic search on some logs. I want to show the search term in the table results. The term is being queried out of _raw:

index=myindex sourcetype=mystuff Environment=thisone "THE_TERM" | top Environment by userid | table Environment, userid

Where and how do I add "THE_TERM" to the table results?
I still get the rollback error.
Hello, we have 2 Splunk platforms and we are using _TCP_ROUTING to forward logs. System logs from the 1st platform's indexers are currently logged on themselves. We want to also receive system logs from the indexers of the 1st platform on our 2nd platform; however, there is no default tcpout group on the 1st platform's indexers. So should we create a default outputs.conf on the 1st platform's indexers to continue indexing local system logs? Thanks for your help.
Hi All, thanks for your time. I have a query for getting the number of errors for each client/customer, api_name, time, etc.:

index=index_api | stats count by customer, api_name, _time

If I have a dataset like the one below, how do I take a snapshot of it and compare it against the next 30-minute dataset?

Client/customer   api_name        _time                count
Abc               Validation_V2   2024 oct 29 10.30    10
Xyz               Testing_V2      2024 oct 29 10.30    15
TestCust          Testing_V3      2024 oct 29 10.30    20

Assuming these are for the last 30 mins, when I get to the next run, say after 30 mins, I want to see if the same dataset is repeated so that I can get the consecutive error count. Any guidance or helpful suggestions?
Hello @ITWhisperer, I would like to pass a base search to panels in a dashboard:

<search id="base_search_1">
  <query>index=$siteid$ sourcetype=log* values IN (Ax01, Ms09) ..... | table *</query>
  <earliest>$time_token.earliest$</earliest>
  <latest>$time_token.latest$</latest>
</search>
<search id="base_search_2">
  <query>index=$siteid$ sourcetype=log* Values IN (*) ..... | table *</query>
  <earliest>$time_token.earliest$</earliest>
  <latest>$time_token.latest$</latest>
</search>

I need to pass base_search_1 when an input dropdown is selected with "All"; when other values are selected in the input dropdown, it needs to pass base_search_2 to the panel in the dashboard. Thanks! The reason why I chose this is: actually we have an input dropdown field which may be empty at some time, and we are also filtering only head 10000 records as per need. So when the input dropdown field is selected with "All" values, we don't have any issues, whether the field has values or is empty; but when the input dropdown field has some field values to be filtered, then the empty field would not be giving proper results, so instead of head 10000, we need to filter non-empty values of 10k rather than head 10k. Also please suggest other possible efficient ways to do this. Thanks!
Came in handy here in Germany after the winter time change.
Hello, I need help in creating a search query to filter info showing just our logfile with the same error line for all rows. This error code also appears on other days in the same logfile, but I don't want that to show up. If no other info except this error shows up in the logfile, our app is failing and I need to catch that.

c.q.s.c.StoreHourSyncRestController : *** Sync Busy ***

Please assist. Thank you! Andie Medalla
Are the search heads in the same time zone, and are they configured for the same time zone? Are the user profiles set to the appropriate time zone? There are a lot of factors at play here, mostly to do with local configurations which you haven't confirmed yet.