All Posts
Hi Team, due to an SSL cert issue I see the Database Queries tab is not loading, which we are working on. The customer is asking to fetch the following data => Query, time executed, time taken for completion etc. Is there any way we can get the data from the database? Which database is the queries data located in, and what is the path to the DB? Please can you share the DB and table name so we can export the data from the database. Thanks
Hello Splunkers!! In a scheduled search within Splunk, we have set up email notifications with designated recipients. However, there is an intermittent issue where sometimes recipients do not consistently receive the scheduled search email. To address this, we need to determine if there is a way within Splunk to verify whether the recipients successfully received the email notifications. Please help me identify how to address this and how to check it in Splunk.
index=_internal source=*splunkd.log sendemail
I have tried the above search, but it is not providing information about the recipients' email addresses.
Note I'm using:
1. Splunk Enterprise Version: 9.3.1
2. Enterprise Security Version: 7.3.2
According to this documentation: https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/CompatMatrix all is good, but I don't have any idea why this is happening.
Hi, I got an error after completing the setup of Enterprise Security in my lab. First I was using Windows, but when I wanted to set up Enterprise Security I always got:
Error in 'essinstall' command: (InstallException) "install_apps" stage failed - Splunkd daemon is not responding: ('Error connecting to /services/admin/localapps: The read operation timed out',)
Then I tried installing a fresh Splunk Enterprise in WSL (in my case Ubuntu 22). The install succeeded and I could do everything normally. After that, I tried installing Enterprise Security again. Now I got a success notification when setting up Enterprise Security via the WebGUI, but unfortunately after the restart completed I can't open Splunk Enterprise. This is what my CLI looks like. I cannot see any error in my CLI, which is why I'm asking here. Maybe somebody can help me?
Hello @Cheng2Ready. The global time range picker cannot be applied to saved searches in Dashboard Studio, since each saved search has its own predefined time range. Unlike Classic Dashboards, when you reference a Saved Search in Studio, it will always use its own time range settings, ignoring any global time range selections. For your use case, I recommend:
1. Schedule a report with your required metrics.
2. Use the '|collect' command to store results in a new index.
3. Create a new role for third-party access that only has permissions for this new index.
Optionally, you can:
1. Disable specific capabilities for this role.
2. Restrict access to only the required dashboard.
This approach helps maintain security by avoiding direct access to the original index. If this reply helps you, please upvote.
@PickleRick I am using a single column with multiple entries and am just trying to compare the values in the lookup file with the logs which contain those values, and output the results.
@ITWhisperer I am using a lookup file with a single column and multiple entries which contains filenames. I am trying to match those names with the Filename field in the query to obtain the results which match the value.
LOL... so you formatted the data as JSON then used |collect mode=raw. I ended up just editing limits.conf to enable mv mode for raw mode collect and didn't end up using the JSON at all.
Hi @catta99, to clear the server-side cache, restart splunkweb as you have done:
$SPLUNK_HOME/bin/splunk restart splunkweb
To clear the client-side cache, use your browser's cache functions or temporarily disable caching in your browser's dev tools. To prevent splunkweb from caching source files during development, you can disable caching in web.conf and restart Splunk:
# $SPLUNK_HOME/etc/system/local/web.conf
[settings]
cacheBytesLimit = 0
The example I provided can be expanded as needed. If you're still having issues after clearing all caches, reply with a reduced SimpleXML and JavaScript example, and we'll take another look.
Hi there, we worked around this problem by having the same 'splunk.secret' file on all instances. This enables you to have encrypted passwords or secrets in your deployment apps. Hope this helps ... cheers, MuS
Hi there, I worked around that problem by using `tojson` before the `collect`:
| tojson | collect index=schnafu
Hope this helps ... cheers, MuS
I believe I was overthinking it. I was able to get what I needed with this:
index=store source="softwareinventory" host="SNC****" | dedup host | rex field=host "(SNC|POPS)(?<Store>\d+)" | search "Message.Rogue.AllDskID{}"="E:" OR "Message.Rogue.AllDskID{}"="F:" OR "Message.Rogue.AllDskID{}"="G:" | rename Message.Rogue.AllDskID{} as Drive_Letter | rename Message.Rogue.AllVlmName{} as Volume_Name | table Store Drive_Letter Volume_Name
Oddly, no. In the other (non-orig) index, '...|table myField,_raw' shows nothing for myField, and the _raw data is there, represented as full JSON, including myField with the expected value.
I don't think we can change that in the JSON code. Looks like a bug to me. I can check internally and see what I can do.
Is your | collect mode=hec also showing an empty _raw {} in your summary index? Mine is:
index=orig | collect mode=hec | table _raw
displays {some stuff in here}
index=summary | table _raw
displays {} with nothing inside (but all the fields are present at search time... just not the original _raw JSON {}).
"Weekly Reboot":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/23/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot -Optional":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/22/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly reboot-POPS stalls":{"ScheduledTaskState":"Enabled","StartTime":"3:45:00 AM","LastRunTime":"10/23/2024 3:45:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Workstation Audit Logs":{"ScheduledTaskState":"Enabled","StartTime":"12:05:00 AM","LastRunTime":"10/23/2024 12:05:01 AM","LastResult":"0","Author":"BrandDevOpsTeam","RunAsUser":"SYSTEM"}},"FilesInLoad":{},"Cdrive":{"DriveName":"Sonic","TotalFriendlySize":"146GB","TotalSizeBytes":"157286395904","FriendlyFreeSpace":"64GB","FreeSpaceBytes":"69178445824","PercentFree":"44%","ChkDskNeeded":"NotAvailable"},"Rogue":{"AllDskID":["C:"," ","F:","G:"],"AllVlmName":["Sonic","Micros","Sonic","Micros"]},"Stall":{"12":"GENERIC","16":"GENERIC","10":"POPS4","06":"POPS4","26":"GENERIC","100":"POPS4","11":"POPS4","07":"GENERIC","05":"POPS4","32":"GENERIC","94":"DriveThru","02":"POPS4","04":"POPS4","08":"POPS4","25":"GENERIC","56":"GENERIC","09":"POPS4","01":"POPS4","03":"POPS4"},"ErrorPCG":"No recent PCG Install errors detected","Ddrive":{"DriveName":"Micros","TotalFriendlySize":"91GB","TotalSizeBytes":"98123640832","FriendlyFreeSpace":"33GB","FreeSpaceBytes":"35223568384","PercentFree":"36%","ChkDskNeeded":"NotAvailable"},"RAIDinfo":{"DriverVersion":"15.9.0.1015","ToolVersion":"15.9.0.1015"},"RAIDtest":{"SystemType":"UnableToQuery","RAIDstatus":"UnableToQuery","ErrorMessage":"Provider failure "},"VigilixRegistry":"VigilixRegistryCorrect"}}
Hi @Robwhoa78, in the sample you shared there's only one value, "C:", and not the others. Could you share a sample with all the values to extract, highlighting in bold the values to extract? Ciao. Giuseppe
Wait a second. Does your raw data contain the string in quotes or without them?
I tried this and it still showed results for a stats or timechart output.
I need this to show the AllDskID, which is C, D, E, F, or G. Examples are below.
"Rogue":{"AllDskID":["C:","D:","E","F"]
"Rogue":{"AllDskID":["C:","D:","F","G"]
"Rogue":{"AllDskID":["C:","D:"]