All Posts

@ITWhisperer OK, how can we create such a line chart with X axis as Time (not _time) and Y axis as count1, count2, count3?
Thank you @gcusello I'll get with support!
I want to make a sound alert in my dashboard studio dashboard. Is it even possible?
No, the y-axis represents a numeric which in your example would be the values from count1, count2 and count3
Hi @jaburke1, try it, but, as I said, I usually avoid using automatic lookups. Ciao. Giuseppe
Hi @FPERVIL, I usually deploy on all the Forwarders an app, usually called TA_Forwarders, containing at least three files: app.conf, deploymentclient.conf, outputs.conf. In this way I can centrally manage both sending data to Indexers and Connection to Deployment Server. Ciao. Giuseppe
Hi @gcusello  ,   I believe using roles (creating a new one to run the saved search) might work.
Hi @timtekk, it's very strange because in this documentation https://docs.splunk.com/Documentation/Splunk/9.3.1/Updating/Useforwardermanagementtomanageclients#View_client_status (latest version), this feature is still present. But many people in Community reported the same issue: https://community.splunk.com/t5/Deployment-Architecture/Unable-to-remove-records-from-the-Deployment-Server/m-p/698055 Open a case to Splunk Support, because there's a behavior different than documentation. Ciao. Giuseppe
Hi @waJesu , exactly define your requirement and match it to your fields, then it's easy to use commands. Ciao. Giuseppe
Hi @jaburke1 , I don't like automatic lookups! And I use them only when I must! Ciao. Giuseppe
Our Splunk Add-on app was created with Python modules (like cffi, cryptography and PyJWT) where these modules are placed under the app /bin/lib folder. This add-on is working as expected. When we try to upgrade Splunk Enterprise from 8.2.3 to 9.3, our add-on is failing to load Python modules and throwing the error 'No module named '_cffi_backend''. Note: we are running on Python 3.7 and updated the Splunk Python SDK to the latest, 2.0.2.
How do you get a Saved Search to ignore a specific automatic lookup? The reason for wanting to do this is because the lookup being used is very large and the enrichment is not needed for a specific search. Using something like | fields - FieldA FieldB did not speed up the search (where FieldA and FieldB are fields that are matched on in the automatic lookup). When the automatic lookup has the permissions changed to just one app then the saved search runs very fast, but I do not believe keeping it like that is an option. Ideally there would be an option that could be a setting just for this one saved search so that it would not know the automatic lookup exists. Thanks in advance for any suggestions.
Hi @ITWhisperer, can we have a line chart with X axis = _time, Y axis = column1, and the values of count1, count2, count3 as 3 lines on the chart?
Hi, I am just facing the same problem. Did you finally figure out any solution? I am dealing with this issue directly with Tufin, hope to have an answer soon. I'll come back if I have any update.
Essentially, a line chart will be visualised from a table with the first column being the x-axis, normally a timestamp (_time), with the subsequent columns providing the values for the lines on the chart. Your table does not match these criteria so you would not be able to represent your table as a line chart (without removing or combining some of your data).
Hi, I figured out how to get the week number based on the day number: Get_Week_Number=floor(tonumber(strftime(ToDateTime1, "%d"))/7)+1. I also adjusted my preferences for the datetime to show Eastern.
Hi sainag, Thank you so much for your quick response. I was able to use your example and get it as follows. Two things I noticed:
1. The week number is 40; this should have been the October month week number.
2. The time part: I have 08.48.12, which is EST, but in my results I see it as 07.48.12.

ToDateTime1=strptime(TempDate1, "%a %d %b %Y %H:%M:%S:%3N %Z"),
Get_Day_Name=strftime(ToDateTime1, "%A"),
Get_Month_Num=strftime(ToDateTime1, "%d"),
Get_Month_Name=strftime(ToDateTime1, "%b"),
Get_Year=strftime(ToDateTime1, "%Y"),
Get_Week_Number=strftime(ToDateTime1, "%U"),
Get_Time_Part=strftime(ToDateTime1, "%H:%M:%S")

Thanks a lot
Hi, can you please help me to create a multi line chart with the below data? Data in the below format is fetched in Splunk. I need to create a multi line chart with the same data as below:

Data:

On the X axis: Time
Y axis: column1
Count1, Count2 and Count3 should be the 3 lines in the multi line chart.

The last command in the Splunk query to fetch the data in table form is below:

| table column1 column2 Time Count1 Count2 Count3

With this data can we create a multi line chart in Splunk?
I started noticing this error recently too, and found the following (old) Community post that pointed me in the direction of splunkd web timeout: https://community.splunk.com/t5/All-Apps-and-Add-ons/Error-while-installing-an-app-on-Splunk-6-on-Windows/m-p/138027/highlight/true Sure enough I had the default 30 seconds in place, and after increasing that (and restarting Splunk) I haven't observed the message.

@TiagoTLD3 wrote: Hello! Since 7.3.0 I'm seeing the reload process for assets and identities failing frequently. Any ideas?

RROR pid=20559 tid=MainThread file=base_modinput.py:execute:820 | Execution failed: 'SplunkdConnectionException' object has no attribute 'get_message_text'
Traceback (most recent call last):
  File "/app/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 601, in simpleRequest
    serverResponse, serverContent = h.request(uri, method, headers=headers, body=payload)
  File "/app/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1710, in request
    conn, authority, uri, request_uri, method, body, headers, redirections, cachekey,
  File "/app/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1425, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/app/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1377, in _conn_request
    response = conn.getresponse()
  File "/app/splunk/lib/python3.7/http/client.py", line 1373, in getresponse
    response.begin()
  File "/app/splunk/lib/python3.7/http/client.py", line 319, in begin
    version, status, reason = self._read_status()
  File "/app/splunk/lib/python3.7/http/client.py", line 280, in _read_status
    line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
  File "/app/splunk/lib/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
  File "/app/splunk/lib/python3.7/ssl.py", line 1079, in recv_into
    return self.read(nbytes, buffer)
  File "/app/splunk/lib/python3.7/ssl.py", line 937, in read
    return self._sslobj.read(len, buffer)
socket.timeout: The read operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/app/splunk/etc/apps/SA-IdentityManagement/bin/identity_manager.py", line 483, in reload_settings
    raiseAllErrors=True
  File "/app/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 613, in simpleRequest
    raise splunk.SplunkdConnectionException('Error connecting to %s: %s' % (path, str(e)))
splunk.SplunkdConnectionException: Splunkd daemon is not responding: ('Error connecting to /services/identity_correlation/identity_manager/_reload: The read operation timed out',)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/app/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 811, in execute
    log_exception_and_continue=True
  File "/app/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 380, in do_run
    self.run(stanzas)
  File "/app/splunk/etc/apps/SA-IdentityManagement/bin/identity_manager.py", line 586, in run
    reload_success = self.reload_settings()
  File "/app/splunk/etc/apps/SA-IdentityManagement/bin/identity_manager.py", line 486, in reload_settings
    logger.error('status="Failed to reload settings" error="%s"', e.get_message_text())
AttributeError: 'SplunkdConnectionException' object has no attribute 'get_message_text'
Thank you for your prompt response and help. Logs are coming from other sources, e.g. firewall. Maybe I should have used the hostname/computername that is reaching out to those URLs.