It might be worth taking a look at the feature Business Workflows. It's possible they may align with your use-case. https://docs.splunk.com/observability/en/apm/workflows/workflows.html
OK, here is what I found. The proxy env variables can't be set in inputs.conf because they are not included in the inputs.conf.spec. If you want to try a different approach, you might be able to set the proxy env variables in the startup script for the collector. This is not a supported config, but could be worth a try to see if it has the desired effect--and maybe it will lead to other ideas/solutions. For example, if I were running this on a Linux host, I could try setting HTTPS_PROXY in /opt/splunkforwarder/etc/apps/Splunk_TA_otel/linux_x86_64/bin/Splunk_TA_otel.sh (e.g., export HTTPS_PROXY=http://my-proxy:8080 )
It looks strange but I'm no expert on Cloud. Are you sure it isn't about visualization only? Anyway, you can probably emulate your relatively simple timechart with either simple bin | stats by _time or several passes with streamstats
Version is Splunk Cloud 9.1.2312. I am looking for only these values day-wise, maybe in the last 7 days.
Well, 1s span for three days is indeed quite a lot of results but I don't see a problem with that. A run-anywhere example:
| makeresults count=3000000 | streamstats count | eval _time=_time-count/10 | eval _time=_time+((random()%10-5)) | timechart span=1s count
What version are you using? EDIT: OK, I read days where you wanted months. Still it's less than 8 million rows. It might be a bit performance-intensive but Splunk should manage provided you have enough memory. And to limit memory usage, remove the raw event value as early as possible. So
<your initial search> | fields - _raw | timechart ...
Hi Splunk Experts, can you please let me know how we can calculate the max and avg TPS for a time period of the last 3 months along with the exact time of occurrence. I came up with the query below, but it is showing me an error as the count of events is greater than 50000. Can anyone please help or guide me on how to overcome this issue?
index=XXX "attrs"=traffic NOT metas | timechart span=1s count AS TPS | eventstats max(TPS) as MAX_TPS | eval Peak_Time=if(MAX_TPS==TPS,_time,null()) | stats avg(TPS) as AVG_TPS first(MAX_TPS) as MAX_TPS first(Peak_Time) as Peak_Time | fieldformat Peak_Time=strftime(Peak_Time,"%x %X")
index=myindex RecordType=abc DML_Action=INSERT earliest=-4d | bin _time span=1d | stats sum(numRows) as count by _time,table_Name | sort 0 +_time -count | streamstats count as row by _time | where row <= 10
I have the Splunk search below which gives results for the top 10 only for a particular day, and I know the reason why too. How can I tweak it to get the top 10 for each date, i.e. if I run the search on 14-Oct, the output must include 10-Oct, 11-Oct, 12-Oct and 13-Oct, each with the top 10 table names with the highest insert sum?
index=myindex RecordType=abc DML_Action=INSERT earliest=-4d | bin _time span=1d | stats sum(numRows) as count by _time,table_Name | sort limit=10 +_time -count
Thanks in advance
I suppose you're talking about Proofpoint Secure Access (formerly Zero Trust Network Access, formerly Proofpoint Meta). I doubt that you're gonna find anything relevant. Firstly, it's not a very popular solution; secondly, it's a cloud-based service so you'll most probably need some API-pulling modular input (maybe there's some on-prem component but I didn't touch the stuff so I have no experience here). And thirdly - it's getting retired at the end of 2024.
Indeed there is no direct app for it on Splunkbase, even if you look through the archive. Do you have any logging settings in the Proofpoint VPN interface, or any specific API documentation on the VPN service of Proofpoint?
The log I provided was just a sample set to show what I am searching. So, if I search for just "View Refresh" for a duration of 1 hour, I see 4 sets of events - i.e. 4 entries of "start" and "end" of each. To underline my commandments: Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search (SPL that volunteers here do not have to look at). Illustrate the desired output from illustrated data. If volunteers do not see actual data (4 sets of events), how can we tell why you do not get desired results (4 durations)?
Hello there, our shop uses Proofpoint VPN for our remote users to access on-prem resources. I've been looking into Splunkbase to see if there's a published app; I don't see any add-on for VPN data ingestion. I see there's a Proofpoint email security add-on, but it doesn't seem to relate to VPN logs. Any ideas what add-ons/apps will work for it? Thanks.
Yes, I followed the steps. But it did not work in this case. It is still showing the reason below.
Try this:
|rex "project\sid[\s\:]+(?<project_id>[^\s]+).+?is[\s\:]+(?<size>[^\s]+).+?is[\s\:]+(?<upload_time_ms>\d+)"
It goes on to say "... options in the source code. The options accept hexadecimal and RGBA formats, and can also be defined in the dashboard defaults." So try something like this:
{
  "type": "splunk.table",
  "title": "Sample title for testing color",
  "options": { "titleColor": "#ff0000" },
  "context": {},
  "containerOptions": {},
  "showProgressBar": false,
  "showLastUpdated": false
}
While syslog-ng is often used with Splunk, it is not a part of the Splunk solution, and since your question is not related to issues with "interfacing" syslog-ng with Splunk but is rather a general issue with syslog-ng itself, it'll be much better answered on its own mailing list. https://lists.balabit.hu/mailman/listinfo/syslog-ng
Hello, 2 events do not produce 4 results; 2 events will produce just 1 result. The log I provided was just a sample set to show what I am searching. So, if I search for just "View Refresh" for a duration of 1 hour, I see 4 sets of events - i.e. 4 entries of "start" and "end" of each. So when I ran my query I was expecting 4 duration values, 1 for each set. But I get 2 duration values. RichGalloway suggested to add maxspan along with transaction. I did that, but I still get the same result, i.e. 2 duration values and NOT 4 duration values.
In release 9.2.2403 I see that: "You can customize the text color of dashboard panel titles and descriptions with the titleColor and descriptionColor options in the source code..." But I'm not sure how to modify the source code appropriately to make this work. If I have this basic starting point:
{
  "type": "splunk.table",
  "title": "Sample title for testing color",
  "options": {},
  "context": {},
  "containerOptions": {},
  "showProgressBar": false,
  "showLastUpdated": false
}
Where can I insert titleColor? My Splunk Cloud version is 9.2.2403.108
Since I don't control the growth of data in the Contact DB, I am trying to figure out a way to get an email alert if one of the groups exceeded the 50k limit. That's exactly what my first suggestion does: print a line if and only if one of them exceeded 50k (if you substitute 5000 with 50000). All you need is to add sendmail after that.
Trying to use syslog-ng for the latest Splunk Enterprise. I am getting the error "Failed to acquire /run/systemd/journal/syslog socket, disabling systemd-syslog source" when I try to run the service manually. This error prevents me from running the syslog-ng service in systemctl during bootup. Any idea or help would be appreciated.