Good morning, I'm getting a weird error this morning when trying to run searches. It is saying that my license is expired, or I have exceeded my license limits too many times.
1. I have a valid Enterprise License at about 750GB a day
2. Within the license manager all is well. No violations, valid license, etc.
3. Peers are associated to the license group (750GB is what I allocated for it)
4. Everything looks green with no messages
Not sure what is causing this issue, but sometimes search will work and sometimes it won't. However, it will always throw the litsearch error.
@Hojeong-Seo  I am also facing the same issue. Can you please help me with the solution.
| spath test.nsps{} output=nsps | mvexpand nsps | spath input=nsps Name output=Name | spath input=nsps ReadOnlyConsumerNames{} output=ReadOnlyConsumerNames | table Name ReadOnlyConsumerNames
ITSI for Alert $result.service_name$ on host $result.src$ $result.description$
An event has been detected: Host: $result.host$ Source: $result.source$ Error Code: $result.error_code$ Description: $result.description$
I'm fairly new to ITSI and Splunk in general and I couldn't find any clear information on tokens. The only token that is working right now is $result.description$. Any assistance will be much appreciated. Thank you.
It is something that should rather be handled during the ingestion phase - clean your data before indexing.
Hi, I have an event which has prod and test based on env... if it is test it goes to the nsps [{},{}] object; check for the name, say A, B, C, D, and get their associated ReadOnlyConsumerNames in tabular format.

Output as:

Name    ReadOnlyConsumerNames
A       Application, Lst, data
B       Application, Lst
C       Lst
D       Lst, Gt, PT

{
  prod: { }
  test: {
    DistinctAdminConsumers: [ App pd. ]
    DistinctAdminUser: 2
    DistinctReadConsumers: [ Application. GT. Technology. data ]
    DistinctReadUser: 4
    TotalAdminUser: 20
    TotalNSPCount: 10
    TotalReadUsers: 13
    nsps: [
      {
        AdminConsumerNames: [ App. pd. ]
        AdminUserCount: 2
        Name: A
        ReadOnlyConsumerNames: [ Application Lst data ]
        ReadonlyUserCount: 3
      }
      {
        AdminConsumerNames: [ App Data ]
        AdminUserCount: 2
        Name: B
        ReadOnlyConsumerNames: [ Application Lst ]
        ReadonlyUserCount: 3
      }
      {
        AdminConsumerNames: [ preprod pd ]
        AdminUserCount: 2
        Name: C
        ReadOnlyConsumerNames: [ Lst ]
        ReadonlyUserCount: 1
      }
      {
        AdminConsumerNames: [ ]
        AdminUserCount: 2
        Name: D
        ReadOnlyConsumerNames: [ Lst Gt PT ]
        ReadonlyUserCount: 1
      }
    ]
  }
}
Since you have a SHC, try this search on each individual SH to see if there is a config mismatch (I'm thinking if you grew from single to cluster maybe).
| rest splunk_server=local /services/search/distributed/peers
The output should help you determine if one of the SHs is out of sync. Other than that, is your SHC set to indexer discovery via the CM, which may still have those entries?
Hey, I'm trying to play sounds in my Dashboard Studio dashboard. I heard it's not possible because Dashboard Studio is not as customizable as a classic dashboard. Does anyone know any workaround before I'll have to switch to a classic dashboard?
HEC tokens are always stored in plain text in .conf files as the token is not related to any authentication or authorization feature. The token just helps funnel the incoming data to the appropriate index and props configurations. All the encryption and secrecy items should be handled inside the TLS certificates to allow the HTTP handshake to occur.
You could design an input which sets the fields a particular team needs and use that token in a table command alongside the fields which are common to all teams:
| table _time common1 common2 $teamfields$
It is not clear what it is you actually want. For example, do you want an hourly average of the humidity for each hour, then the minimum and maximum average for that hour over your full time period, then discount events which are outside the minimum and maximum average for the hour they are taken? Or do you want the average for the day and then the minimum and maximum over the full time period, and discount events which are outside this daily average? Or do you want the average over the whole time period and discount values which are more than a specified distance from the average? All of these would have different SPL. Please explain what you are trying to do in non-SPL terms.
I am working on a dashboard that has a bunch of fields and will be used by multiple teams and people who will be needing different fields from the table. Is there any way to add a toggle or filter or anything similar to give a couple of presets (e.g. fields A D E H to preset 1 for team 1, fields B C D F G to preset 2 for team 2 and so on)? I also use filters on fields in the dashboard table as well; if possible I would want hiding of the field to not impact the filters at all. Thanks in advance.
Yes, unfortunately I realised that. Let's say it is a lack that can be useful to make the names inside the boxes or panels more readable and make the whole dashboard graphics look more trendy. I opened a post on splunk ideas for this missing functionality.
Palo introduced HTTP Event stream in OS 8.x, so if you have anything recent installed it should support that as outbound log streaming. Alternatively the logs can be exported over syslog, but that becomes infinitely more difficult to ingest if you have novice Splunk experience. Once you can export the HTTP Event stream from Palo, you then need to set up your Splunk instance to collect HEC/HTTP Event Collection, and there is a lot of documentation on how to do that. Warning: Palo can generate a tremendous amount of logs and almost certainly exceeds your trial license capacity.
You haven't mentioned anything about which OS specifically and what else is or may be using resources.  Since your system exceeds minimum recommendations I would look for the total package.  You may need an OS expert and not a Splunk expert to help track this down.
So just to close the loop: after some deep diving by a Splunk support rep, the issues that caused me to not see all the jobs on that page were due to:
1. Permission levels - I was not an ADMIN and so several private jobs were not visible to me.
2. Incorrect expectations on how the page should work. I assumed it should show all jobs from x amount of time, regardless of how often a job runs or any other job attributes. The page was intended to be used in real time and not so much for historical runs like from a month ago.
3. TTL - each job has a life expectancy that determines how long it's visible on that page. The calculations are convoluted and not obvious. So some jobs might show for longer vs others depending on various things like:
   - a scheduled search should adhere to that dispatch.ttl
   - an adhoc search should default to 10 minutes (no matter how long you are searching back)
   - an alert should have a TTL that depends on the action that it is taking
4. A bug that created a 2025 expiry date on the TTL for some of my searches/jobs, which contributed to the confusion as to why some jobs show and others don't. The rep was unable to determine the cause of the 2025 bug.
Text align is not currently an option with Markdown boxes in Dashboard Studio. Here is a link to what is possible. https://docs.splunk.com/Documentation/Splunk/9.3.1/DashStudio/chartsText#Source_options_for_Markdown  
Another option perhaps closer to what you seek is to have each input set a token with the appropriate query string.  Then the search will just invoke that token. For instance, if "banana" is selected, then the input token's <change> element might set a token called $query$ to what is needed to search for fruit.  The <query> element then becomes simply <query>$query$</query>  
Thanks for the reply, however I'm not quite looking for an alternative solution. I'm wondering if this is something Splunk is capable of.
No worries, I suppose your attempts at English are better than my Japanese. Loopback is a name for a virtual network interface that every networked host has - it's an interface used by software to talk to other components on the same host (that's the one having the 127.0.0.1 address). Anyway:
TCP 0.0.0.0:8000 0.0.0.0:0 LISTENING
This line says that your port 8000 is listening on 0.0.0.0, which means that it should be reachable from everywhere (if the connections are not filtered on other layers). So you have to check your Windows firewall - as far as I remember Windows Server by default blocks pretty much all incoming communication, so you might need to create a rule to open traffic from the network to local port 8000.