All Posts

That's not much for anyone to work with. Have you checked splunkd.log? What did you find there?
This could be an issue with a SAML provider configuration. Please check that your SAML configuration and any authentication extensions are set up correctly. Some scripts require arguments that may be case sensitive. If this helps, please upvote.
Hi @PickleRick @richgalloway

My number of delayed searches has increased up to 5000 plus. I did some investigation using this command:

index=_internal sourcetype=scheduler savedsearch_name=* status=skipped | stats count by reason

I see the error "The maximum number of concurrent historical scheduled searches on this cluster has been reached" has a 2000 plus count. The two solutions to fix this that I have understood are:
1. Staggering the searches that are causing the error by modifying the cron schedule and changing the frequency.
2. Increasing the search concurrency limit under limits.conf (please feel free to correct me if I am wrong).

Since I am on Splunk Cloud, I understand I don't have access to limits.conf. What I want to ask is: I see an option under Settings > Server Settings > Search Preference > Relative concurrency limit for scheduled searches, which is set to 60 for my system. Will increasing this setting help, and if yes, to what value is it safe to increase it? Please help, I have been stuck on this problem for some days.
The search below might be helpful:

index=_* AND (SMTP OR sendemail OR email) AND (FAIL* OR ERR* OR TIMEOUT OR CANNOT OR REFUSED OR REJECTED)

Sample errors: ERROR sendemail:. ... ........while sending mail to:

If this helps, please upvote.
Looking back through the documentation, back to 7.0.0, which is as far back as I can find, it has been recommended that base searches be transforming searches: https://docs.splunk.com/Documentation/Splunk/7.0.0/Viz/Savedsearches#Post-process_searches_2
KV_MODE has nothing to do with line breaking. I'd expect that you simply don't have a properly set up line breaker and you have line merging enabled, which results in Splunk splitting your input stream at each line and then merging the lines back (which is also very ineffective performance-wise).
Hi, My enterprise is using Mothership 2.0 and recently, mothership seemed to continue its collection of data, but a few are not uploading to their respective indexes and we are having trouble getting it to work.
Hi @Dave.Lemon, Thanks for asking your question on the Community. Have you happened to find a solution to your problem you can share? If you still need help, please contact AppDynamics Support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM) 
Hi @Fadil.CK, Thanks for asking your question on the Community. Did you happen to find a solution to your question you can share? If you still need help with your question, you can contact AppDynamics Support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM) 
@ITWhisperer wrote:
Try adding a table command to your base search listing the fields you want to be used in your subsequent panels.

Yes, adding "| table *" to the base-search expression restored the panels. Could someone explain why this quietly became necessary?
Try adding a table command to your base search listing the fields you want to be used in your subsequent panels.
Some years ago I created a (beautiful!) dashboard with multiple panels, which presented related data from different angles. Some upgrades of the Splunk server later (currently using Splunk Enterprise 9.1.5), all of the panels -- except for the one that shows the raw results of the base search -- stopped working... The common base search is defined as:

<form version="1.1" theme="dark">
  <label>Curve Calibration Problems</label>
  <search id="common">
    <query>index=$mnemonic$ AND sourcetype="FOO" ... | eval Curve=replace(Description, ".* curve ([^\(]+) \(.*", "\1") </query>
    <earliest>$range.earliest$</earliest>
    <latest>$range.latest$</latest>
  </search>

And then the panels add to it like this, for one example:

<panel>
  <title>Graph of count of errors for $mnemonic$</title>
  <chart>
    <search base="common">
      <query>top limit=50 Curve</query>
    </search>
...

Note how the base search's ID is "common", which is exactly the value referred to as base. Again, the base search itself works correctly. But when I attempt to edit the panel now, the search expression is shown only as just that query that used to be added to the base. If I click on the "Run Search" link in the above window, I see that, indeed, only that expression is searched for, predictably yielding no results. It seems like something has changed in Splunk; how do I restore this dashboard to working order?
I think you had the below somewhere in there. You need to get rid of that.

INDEXED_EXTRACTIONS = json

You might be able to find the offending event with something like

index=_internal sourcetype=my_json NOT datetime=*
Hello Smarties... Can someone offer some assistance? We recently started ingesting Salesforce into Splunk. Usernames are coming in as IDs (00000149345543qba) instead of Jane Doe. So I was told to use join to get the usernames or names and add them to the sourcetype I need "joined" with. So I am trying to get the "Login As" events, which are under sourcetype="sfdc:setupaudittrail". How do I get the Login As events with usernames, if usernames are under the user index and the Login As events are under the setupaudittrail sourcetype? Here is my attempted search, which doesn't come up with anything, but I know the events exist:

index=salesforce sourcetype="sfdc:user" | join type=outer UserAccountId [search index=salesforce sourcetype="sfdc:setupaudittrail" Action=suOrgAdminLogin]
Hi @d123r432k, you have to manually remove the SHC stanzas from server.conf and restart the three SHs. Ciao. Giuseppe
Hi @santhipriya, good for you, see you next time! Let me know if I can help you more, or please accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated.
| dedup field1 field2 field3
@marnall I think the cleanest way, until they fix it, would be to build a Custom Function that uses REST to check for the <thing> you want and then output a boolean to use downstream. At least the CF could be made re-usable for similar use cases.
Hello Everyone, I'm having a hard time finding the appropriate way to display data. I have duplicate data where one field is unique. I would like to dedup but leave one instance of the unique value.

Example of what I want to dedup:

field1 field2 field3 field4
a      b      c      d
a      b      c      e
a      b      c      f

Example of what I would like to see:

field1 field2 field3 field4
a      b      c      d

Any help would be greatly appreciated. Regards.
@PickleRick I changed the URL to use the raw endpoint. This seems to have fixed the timestamp, but Splunk is now breaking the events at the timestamp fields. I have added KV_MODE = json for this sourcetype on both HF and SH, but that did not fix the line breaking.