Normally that means that you've put some key that shouldn't be there in a config stanza. Unfortunately, this is a third-party provided app for which the authors didn't give any docs or even contact info. So it might be a bad config but also can be a bad spec file (the file defining proper syntax and elements for the app's config). If this is for an input that the GUI dialog created for you, it's probably the latter. BTW, it's polite to actually ask the question if you expect an answer.
Hi Splunkers, I received a notice about upgrading jQuery to version 3.5 or higher, and I ran a jQuery scan through the Upgrade Readiness dashboard. The incompatibility issue is coming from my custom app. The file in question: C:\Program Files\Splunk\etc\apps\custom_app\appserver\static\help\en-GB\jquery.js needs to be updated. Remediation (suggested by the dashboard): The jQuery 1.11.1 bundled with the app introduces vulnerabilities. Splunk apps must use jQuery 3.5 or higher, as lower versions are no longer supported in Splunk Cloud Platform. What I've done so far: I downloaded the new jQuery.js file from jquery.com, renamed it, replaced the file in the specified path and restarted Splunk, but this hasn't resolved the upgrade issue. I'm unsure of the next steps and would appreciate any guidance or suggestions. Thanks! Upgrade Readiness App
Wait a second. You're mixing several things. One is the forwarder which is supposed to read the data. Another is a Deployment Server. You show an inputs.conf stanza pointing to a local directory but your screenshot shows a listing of a network share. We need many more words from you - what are you trying to ingest, how, where and so on.
That's something you normally achieve by deploying an indexer cluster. There is a possibility to migrate a standalone indexer to a clustered setup but it requires some careful planning and is usually best done with help from Professional Services or your friendly local experienced Splunk Partner to work out all the architectural details and plan the whole process.
Same issue here, fresh trial installation with SSE & ESCU to see if it's any good. me - 1 : splunk - 0. Moving on to a different product for my problem.
Currently I have a Splunk indexer with multiple indexes and a search head. I would like to have one or two indexes available on two Splunk indexers, and the data should be accessible from the search head on both indexers. Thanks
The difference is that if you have the data in Splunk you probably don't have to append or join any data sets. You can probably just search for all your events and do manipulation using "native" Splunk ways (i.e. using stats instead of join).
I'm trying to update the Splunklib version in our app because it currently uses an older version that doesn't comply with Splunk's new App Inspect rules. After updating and validating the app, I encountered an "unknown error" when attempting to upload the new version to Splunkbase, despite the validation process not showing any errors or failures. Please refer to the image below. What could be causing this issue?
I have JSON data which is multivalued. I want to create an overview table of the counts.

{
  "suite": [
    {
      "hostname": "localhost",
      "failures": 0,
      "package": "ABC",
      "tests": 0,
      "name": "ABC_test",
      "id": 0,
      "time": 0,
      "errors": 0,
      "testcase": [
        { "classname": "xyz", "name": "foo1", "time": 0, "status": "Passed" },
        { "classname": "pqr", "name": "foo2", "time": 0, "status": "Passed" },
        . . .
      ]
    }
  ]
}

This is the data. For a given project there'll be many JSON files like the above. So I want to get the unique data while taking the counts. Tried with mvdedup, it did not work.

| spath output=jenkins_url path=JenkinsMetaData.JENKINS_URL
| spath output=suite path=suite{}.name
| spath output=case path=suite{}.case{}.name
| spath output=Build_Num path=JenkinsMetaData.buildnumber
| spath output=Status path=suite{}.case{}.status
| fields - _raw
| eventstats max(Build_Num) as Latest_Build by Job_Name
| where Latest_Build=Build_Num
| stats values(Build_Num) as Build_Num
    count(eval(Status="Execution Failed" OR Status="Testcase_Failed")) AS Failed_cases,
    count(eval(Status="Passed")) AS Passed_cases,
    count(eval(Status="Failed" OR Status="Testcase_Error")) AS Execution_Failed_cases,
    dc(case) as Total_cases
    dc(suite) as "Total suite"
    by Job_Name Build_Variant Jenkins_Server

When I do this, Total_cases and Total suite are correct, but the other values are not correct. But when I use |Status="Passed"| stats dc(case) as Passed_cases for one project, I'm getting the correct value. But my requirement is to create a table for all the projects. Anyone know how to handle this?
Hi @Alex_Rus , so, if you run the above command from a cmd window, you have the list of the files in that folder, is it true? If yes, the inputs.conf is correct, otherwise there's an error in the input path. In addition, from the photo I cannot read the label in the first row, the one before the files, is it another folder or what else? Ciao. Giuseppe
Hi @Real_captain , if fieldA is extracted for the data set, in this way you can use it. Ciao. Giuseppe
@gcusello : I want to use fieldA. Will the query below work?

<input type="dropdown" token="POH_tokenD" searchWhenChanged="true">
  <label>POH_Group</label>
  <prefix>POH_Group1="</prefix>
  <suffix>"</suffix>
  <fieldForLabel>fieldA</fieldForLabel>
  <fieldForValue>fieldA</fieldForValue>
  <choice value="*">All</choice>
  <default>*</default>
  <search>
    <query> | dedup fieldA | table fieldA </query>
as in the photo, files in which events are stored
Hi @Alex_Rus , and what if you run the cmd command? Ciao. Giuseppe
Yes, I'm sure. I checked on Deployment-server there are no such folders for monitoring
Hi @Alex_Rus , what if you run from cmd: dir C:\ExchData\MessageTracking\* ? Are you sure that there isn't another Splunk input that reads these logs? Ciao. Giuseppe
Hi, @gcusello !

[monitor://C:\ExchData\MessageTracking\*]
disabled = 0
index = MyIndex
sourcetype = MySourcetype
#FcrcSalt = <SOURCE
Hi @Real_captain , there's an error: in the input search you have as output only the fieldA field, but in the FieldForLabel and FieldForValue tags you want to use the POH_Group1 field that isn't in the input search outputs. Ciao. Giuseppe
Hi Team, is it possible to use the output value of the base query as the dropdown values in the input panel? Example:

<search id="base">
  <!-- Master query which will be used in all the Panels -->
  <query>index=ABC | eval fieldA =  If (fieldB = "ABC" ,  fieldB , fieldA )</query>

I want to use the value of fieldA in the dropdown of the input POH_Group. The query below is not working and I am not getting the values of fieldA in the dropdown of POH_Group:

<input type="dropdown" token="POH_tokenD" searchWhenChanged="true">
  <label>POH_Group</label>
  <prefix>POH_Group1="</prefix>
  <suffix>"</suffix>
  <fieldForLabel>POH_Group1</fieldForLabel>
  <fieldForValue>POH_Group1</fieldForValue>
  <choice value="*">All</choice>
  <default>*</default>
  <search>
    <query> | dedup fieldA | table fieldA </query>

Can you please help to fix this issue.
Getting the error below:

Invalid key in stanza [proofpoint_digital_risk_audit_input://Digital_Risk_Data_Input] in /opt/splunk/etc/apps/TA-proofpoint-digital-risk-app-for-splunk/local/inputs.conf, line 2: token (value: xyznkbejrfhrekfjrltjgltrkgltrkgtkhgythytlhmylth).