| rex "\"policyId\":\"(?<policyId>\w+)\""
Hello @PickleRick, that's an interesting topic, I will dig up more information about it. I'll let you know here if I find something interesting. Thanks! Nicolas
Can you give an example of an event which generates the incorrect values? (Perhaps with the correct field names too?)
Hi, I have the query below. I want to group and count by two different words, one group per word, in a field "text1.value"; the words Load Balancer and Endpoints are located somewhere in a string. Also I want to count how many of them occurred per day. Is this possible?
index=monitor name="Manager - Error" text2.value="*Rerun"  text1.value="*Load Balancer*" OR "*Endpoints*"
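One way to get the per-day count per word that the question asks for, as an added example that is not part of the original post. It assumes the same index, field names and filter as the question; note that the OR has to repeat the field name, otherwise "*Endpoints*" is matched against the raw event rather than against text1.value, and that eval needs the dotted field name in single quotes.

```spl
index=monitor name="Manager - Error" text2.value="*Rerun"
    (text1.value="*Load Balancer*" OR text1.value="*Endpoints*")
| eval word=case(
      match('text1.value', "(?i)Load Balancer"), "Load Balancer",
      match('text1.value', "(?i)Endpoints"),     "Endpoints")
| bin _time span=1d
| stats count by _time word
```

An event containing both words is counted once, under "Load Balancer", because case() returns the first matching branch; replace the last two lines with `| timechart span=1d count by word` if you prefer one column per word.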
Remove _raw from the by clause
Hi @RAVISHANKAR, the best approach is to create an Indexer Cluster that automatically replicates indexes between Indexers, but it requires an additional machine as Cluster Manager; in this way you have HA on your data and you don't pay twice for the indexed logs. Otherwise, you could forward logs to the two Indexers: in this way you pay twice for the logs and you don't have HA, but you don't need an additional machine. Ciao. Giuseppe
I highly doubt that you managed to 1) run DBConnect on a UF, 2) send data from a UF to Logstash (Logstash doesn't have a Splunk input plugin and a UF cannot send anything except S2S or S2S over HTTP).
OK. Short story is Splunk has no means for native inbuilt HA when we're talking about inputs (regardless of whether we're talking UFs or HFs). Period. So the only thing you can do is use external means to replicate config and state between nodes and make sure that only one node is actually active. That's not a trivial issue. While replicating config is usually relatively easy (maybe except for some border cases when you, for example, need to authenticate with a private key and don't want the key to leave the box), the other two points are tricky. Different inputs keep their state using different methods. Some store checkpoints as simple text files, some use kvstore, some (monitor input) use the fishbucket. So you have to find where the state is being stored and replicate it to the passive node. You also need to have a way to make sure only one input is active at a time. It's not a trivial task and there are several different approaches to this, from some rsync-based handcrafted scripts to simply migrating whole VMs with a forwarder between separate hypervisors (with several other possible solutions "in between"). I think there was a .conf presentation about this topic but I can never find it.
Normally that means that you've put some key that shouldn't be there in a config stanza. Unfortunately, this is a third-party provided app for which the authors didn't give any docs or even contact info. So it might be a bad config but it can also be a bad spec file (the file defining the proper syntax and elements for the app's config). If this is for an input that the GUI dialog created for you, it's probably the latter. BTW, it's polite to actually ask the question if you expect an answer.
Hi Splunkers, I received a notice about upgrading jQuery to version 3.5 or higher, and I ran a jQuery scan through the Upgrade Readiness dashboard. The incompatibility issue is coming from my custom app. The file in question: C:\Program Files\Splunk\etc\apps\custom_app\appserver\static\help\en-GB\jquery.js needs to be updated. Remediation (suggested by the dashboard): The jQuery 1.11.1 bundled with the app introduces vulnerabilities. Splunk apps must use jQuery 3.5 or higher, as lower versions are no longer supported in Splunk Cloud Platform. What I've done so far: I downloaded the new jQuery.js file from jquery.com, renamed it, replaced the file in the specified path and restarted Splunk, but this hasn't resolved the upgrade issue. I'm unsure of the next steps and would appreciate any guidance or suggestions. Thanks! Upgrade Readiness App
Wait a second. You're mixing several things. One is the forwarder which is supposed to read the data. Another is a Deployment Server. You show an inputs.conf stanza pointing to a local directory but your screenshot shows a listing of a network share. We need many more words from you: what are you trying to ingest, how, where and so on.
That's something you normally achieve by deploying an indexer cluster. There is a possibility to migrate a standalone indexer to a clustered setup but it requires some careful planning and is usually best done with help from Professional Services or your friendly local experienced Splunk Partner to work out all the architectural details and plan the whole process.
same issue here, fresh trial installation with SSE & ESCU to see if it's any good. me -1 : splunk - 0. moving on to a different product for my problem
Currently I have a Splunk Indexer with multiple Indexes and a Search Head. I would like one or two indexes to be available on two Splunk Indexers, and the data should be accessible from the Search Head from both Indexers. Thanks
The difference is that if you have the data in Splunk you probably don't need to append or join any data sets at all. You can probably just search for all your events and do the manipulation using "native" Splunk ways (i.e. using stats instead of join).
I'm trying to update the Splunklib version in our app because it currently uses an older version that doesn't comply with Splunk's new App Inspect rules. After updating and validating the app, I encountered an "unknown error" when attempting to upload the new version to Splunkbase, despite the validation process not showing any errors or failures. Please refer to the image below. What could be causing this issue?
I have JSON data which is multivalued. I want to create an overview table of the counts.

{
  "suite": [
    {
      "hostname": "localhost",
      "failures": 0,
      "package": "ABC",
      "tests": 0,
      "name": "ABC_test",
      "id": 0,
      "time": 0,
      "errors": 0,
      "testcase": [
        { "classname": "xyz", "name": "foo1", "time": 0, "status": "Passed" },
        { "classname": "pqr", "name": "foo2", "time": 0, "status": "Passed" },
        . . .
      ]
    }
  ]
}

This is the data. For a given project there'll be many JSON files like the above. So I want to get the unique data while taking the counts. Tried with mvdedup, it did not work.

| spath output=jenkins_url path=JenkinsMetaData.JENKINS_URL
| spath output=suite path=suite{}.name
| spath output=case path=suite{}.case{}.name
| spath output=Build_Num path=JenkinsMetaData.buildnumber
| spath output=Status path=suite{}.case{}.status
| fields - _raw
| eventstats max(Build_Num) as Latest_Build by Job_Name
| where Latest_Build=Build_Num
| stats values(Build_Num) as Build_Num count(eval(Status="Execution Failed" OR Status="Testcase_Failed")) AS Failed_cases, count(eval(Status="Passed")) AS Passed_cases, count(eval(Status="Failed" OR Status="Testcase_Error")) AS Execution_Failed_cases, dc(case) as Total_cases dc(suite) as "Total suite" by Job_Name Build_Variant Jenkins_Server

When I do this, Total_cases and Total suite are correct, but the other values are not correct. But when I use | Status="Passed" | stats dc(case) as Passed_cases for one project, I'm getting the correct value. But my requirement is to create a table for all the projects. Anyone know how to handle this?
Hi @Alex_Rus, so, if you run the above command from a cmd window, you get the list of the files in that folder, is that true? If yes, the inputs.conf is correct, otherwise there's an error in the input path. In addition, from the photo I cannot read the label in the first row, the one before the files: is it another folder or something else? Ciao. Giuseppe
Hi @Real_captain , if fieldA is extracted for the data set, in this way you can use it. Ciao. Giuseppe
@gcusello: I want to use FieldA. Will the below query work?

<input type="dropdown" token="POH_tokenD" searchWhenChanged="true">
  <label>POH_Group</label>
  <prefix>POH_Group1="</prefix>
  <suffix>"</suffix>
  <fieldForLabel>fieldA</fieldForLabel>
  <fieldForValue>fieldA</fieldForValue>
  <choice value="*">All</choice>
  <default>*</default>
  <search>
    <query>| dedup fieldA | table fieldA</query>
  </search>
</input>