My test machine is also on Splunk version 9.3.1. Could you post sanitized snippets of your JS or dashboard source code? It's hard to see where the issue lies without seeing the full picture.
Well, both yes and no. No, because the message only indicates that scheduled searches have been delayed (ad-hoc searches have the highest priority and, unless you have many concurrent users and a very low-spec environment, are usually properly run). Yes, because ad-hoc search activity influences how many scheduled searches can be spawned. And yes, all-time searches are very rarely a good idea. At least on raw data. Also, even if you have many searches that are supposed to be running every 5 minutes, you can often "spread" them over those 5 minutes so that some of them start at 0,5,10 and so on, some on 1,6,11... some on 2,7,12... You get the drift.
Hi @redmandba , as @ITWhisperer said, you surely have a multivalue in the MountedOn field and this isn't acceptable, so use the BY clause:

| mstat min(df_metric.*) WHERE (host=myhost) span=1h index="linux_os_metric" BY MountedOn | stats count BY MountedOn | sort MountedOn | table MountedOn

Ciao. Giuseppe
Hi @richgalloway , Apologies, this might be a silly question but I am fairly new to Splunk. I want to understand, is this delayed error message because of only scheduled searches, or do ad-hoc searches also contribute to the error? I have a few scheduled searches running on "All time"; could this be the cause of delayed searches? Should I reduce the timeframe of these searches? Also, there are many scheduled searches all running at a cron of every 5 mins, do I need to change them as well? Thanks in advance.
Could you try this regex:

(?s)EventCode=4688.*Token Elevation Type: (%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited)

And also post your (sanitized) props.conf and transforms.conf if it does not work?
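As an added illustration of the regex in the reply above (example code written here, not part of the original post), the pattern is run over a few constructed multi-line 4688 events; the sample events and helper names are assumptions for the demonstration, and the block also shows why the (?s) flag is needed.

```python
import re
from typing import List, Optional

# The regex from the reply above. (?s) makes '.' match newlines, which matters
# because "Token Elevation Type" sits several lines below "EventCode=4688"
# in a raw Windows Security event.
TOKEN_ELEVATION_PATTERN = re.compile(
    r"(?s)EventCode=4688.*Token Elevation Type: "
    r"(%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited)"
)

# Constructed sample events (not real log data). Windows reports the elevation
# type as a resource id (%%1936 = default, %%1937 = full, %%1938 = limited)
# or, when the forwarder resolves it, as a name such as TokenElevationTypeLimited.
SAMPLE_EVENTS = [
    "EventCode=4688\nNew Process Name: C:\\Windows\\System32\\notepad.exe\n"
    "Token Elevation Type: %%1936\nMandatory Label: S-1-16-8192",
    "EventCode=4688\nNew Process Name: C:\\Windows\\System32\\cmd.exe\n"
    "Token Elevation Type: %%1937\n",
    "EventCode=4688\nNew Process Name: C:\\Windows\\explorer.exe\n"
    "Token Elevation Type: TokenElevationTypeLimited\n",
    "EventCode=4689\nProcess Name: C:\\Windows\\explorer.exe\n"
    "Token Elevation Type: %%1936\n",
]


def token_elevation_match(event: str) -> Optional[str]:
    """Return the captured elevation type when the event matches, else None."""
    m = TOKEN_ELEVATION_PATTERN.search(event)
    return m.group(1) if m else None


def classify_events(events: List[str]) -> List[Optional[str]]:
    """Apply the pattern to each event; None means the event was not matched."""
    return [token_elevation_match(e) for e in events]


def matches_without_dotall(event: str) -> bool:
    """Same pattern with (?s) stripped: '.*' can no longer cross line breaks."""
    pattern = TOKEN_ELEVATION_PATTERN.pattern.replace("(?s)", "", 1)
    return re.search(pattern, event) is not None


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, classify_events(SAMPLE_EVENTS)):
        print(event.splitlines()[0], "->", hit)
```

Only the default (%%1936) and limited (%%1938 / TokenElevationTypeLimited) types are captured; a full-elevation (%%1937) event and a non-4688 event fall through, and the first sample no longer matches once (?s) is removed.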
@sainag_splunk I opened inspect for two recently created dashboards, the last one that does not have this problem and the first one that has. The one where I cannot use the magnifying glass has data-disabled="true" whereas the earlier one has data-disabled="false".

condition                  data-disabled   date dashboard created
Unable to Open in Search   true            2024-10-16
Able to Open in Search     false           2024-10-09

Date created is the only obvious difference between the two. Even the construction of the two dashboards is the same. I saved a search to create a dashboard, and added some inputs. So, my hope is that there is a code element in JSON that I can tweak to fix this problem. Just need to know where.
So I had the same issues on my Splunk forwarder 9.3.** version and used the recommendation provided on https://www.hurricanelabs.com/splunk-tutorials/splunk-7-1-performing-a-splunk-password-reset. Especially the last video, which finally granted me access.
Try specifying which index and sourcetype you want to search to narrow your search. Also, look at the time frame used to see if that can be narrowed but still deliver the results you require.
The issue is probably that the stats values part of the search will give you a multivalue field in a single event when you actually need separate events for each value. Try removing the stats command.
I created the following query to check the status of the LDAP service but I was wondering if there is a better query:

tag=NAME "AuthenticationResult=Passed" "Authentication failed" NOT "Identity Groups" NOT "ExternalGroups=CN" | stats count by host | search count > 15

Eventually I would like to add this search to my dashboard.
Infrastructure as code? Does that mean you are terminating the indexers rather than shutting them off, upgrading, then turning them on again?
SOAR does not officially support RHEL 9, only 8 and 7. It /might/ work, but if something goes wrong then you will have limited options for support.
Hi, I am trying to install the API gateway extension. For this I have installed the machine agent independently on a server with SIM enabled. The server does not have an App agent. Then I cloned and extracted the API gateway extension from GitHub in /machineagent/monitors. After extraction I couldn't find the yml file. I have installed Java 8 on the server. The machine agent version is 24.9. Please let me know where this is wrong and whether any additional things need to be done. Regards Fadil
Hi Guys. I've configured the Splunk_TA_nix plug-in running on a Linux server and this is providing data for a metric-based index in Splunk Enterprise v9.2.1. I've configured the most basic (Classic) dashboard with just a dropdown and a search based on this index. The dropdown never populates, so my question is whether dropdown searches can be based on metric indexes? My search works in the Search and Reporting field:

|mstat min(df_metric.*) WHERE (host=myhost) span=1h index="linux_os_metric" BY MountedOn |stats values(MountedOn) as MountedOn |sort MountedOn |table MountedOn

It says populating and does not return an error, but the dropdown is greyed out and not selectable. I was hoping it was going to present a list of mounted filesystems. Thanks in advance if anyone can solve this.
Hi @Tim.Manley, Were you able to find a solution? If you still need help, you can contact AppDynamics Support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM) 
Hi @Khalid.Rehan, If I find any new info, I'll share it here. If you find any new information or a solution, please share it here.
Hi @hazem , this is the only app for that technology in Splunkbase. I understand that it isn't supported by Splunk or by another developer, but this is the only alternative to creating your own custom add-on, so I suggest using it, possibly customizing it and supporting it by yourself. Ciao. Giuseppe
Exactly what I needed. Thanks!
Try something like this:

| stats list(URI) as URI by SESSION | eval URI=mvjoin(URI,",")
My search returns something like this:

SESSION                               URI
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1f  Page1.html
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1f  Page2.html
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1f  Page3.html
42b772ff-b142-471c-a780-080261b084a0  Page2.html
42b772ff-b142-471c-a780-080261b084a0  Page1.html
42b772ff-b142-471c-a780-080261b084a0  Page4.html
42b772ff-b142-471c-a780-080261b084a0  Page5.html
5136941f-a2e7-4c39-83bd-bd5d2709fb18  Page3.html
5136941f-a2e7-4c39-83bd-bd5d2709fb18  Page1.html

And I'd like to transform the results into this (preserving the sort sequence):

SESSION                               URI
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1f  Page1.html, Page2.html, Page3.html
42b772ff-b142-471c-a780-080261b084a0  Page2.html, Page1.html, Page4.html, Page5.html
5136941f-a2e7-4c39-83bd-bd5d2709fb18  Page3.html, Page1.html

We can either concatenate the URIs into the same field (as in this example), or we can create a separate column for each URI, whichever is easier. Thanks!