I am having trouble getting a .json file into Splunk through the backend to help support a customized dashboard. Is there a particular step I need to follow to get it in through the deployer?
I need a query that lists URLs a particular host has reached out to in a particular time, e.g. in the last 24 hours. Please help.
Hi @jroedel , you can create an eventtype for login and one for logout, tagging these eventtypes with a related tag, so you can use them in your searches. But what's your requirement? What do you need to receive as a result? Ciao. Giuseppe
I have onboarded data from a system that scatters actual events over many logging events. Especially successful or failed logins cause me some headache.

Successful login:
<timestamp> Connection 'id123' from '192.168.1.100' has logged onto the server
<timestamp> User 'johndoe' logged on (Connection id='id123')
[ Time passes until John eventually decides to log off again ]
<timestamp> Connection 'id123' from has logged off the server

Failed login:
<timestamp> Connection 'id123' from '192.168.1.100' has logged onto the server
<timestamp> Connection 'id123' from has logged off the server

Of course, I can fiddle around with transaction or even stats or whatever to list successful and failed logins or create an alert for it. However, that is absolutely not elegant. What is best practice to get those data nicely streamlined with eventtypes and tags?
Thank you.
Hi @rhaj09 , here you can download Splunk Enterprise versions older than the latest: https://www.splunk.com/en_us/download/previous-releases.html Ciao. Giuseppe
Where can I download the installer for Splunk Enterprise 9.2.1?  
Hi @Real_captain , may I know if the issue is resolved or not yet? Thanks.
Splunk is not well-known for reporting on things that don't exist, you have to give it some clues!

index=printer sourcetype=printer:logs
| stats count sum(pages_printed) AS pages_printed by printer_name
| lookup printers.csv printer_name AS printer_name OUTPUT printer_location
| table printer_name, printer_location, count, pages_printed
| append [| inputlookup printers.cvs ``` Should this be csv? ```
  | eval count = 0, pages_printed = 0
  | table printer_name printer_location count pages_printed]
| stats sum(count) as count sum(pages_printed) as pages_printed by printer_name printer_location
| rename printer_name AS "Printer Name", printer_location AS "Location", count AS "Print Job", pages_printed AS "Pages Printed"
Which code are you talking about? Where are you trying to submit it to? Where are you editing this code?
Hi @timtekk , are you speaking of removal from the Forwarders list in Deployment Server or Monitoring Console? If Monitoring Console, you only have to rebuild the Forwarders List [Settings > Monitoring Console > Settings > Forwarder Monitoring Setup]. If from the Deployment Server list, you can remove it from the web interface [Settings > Forwarder Management > Clients]. Ciao. Giuseppe
OK got it. The answer is no, you can't display the same input panel in two different rows of the dashboard.
For Splunk, the cost saving is between hot/warm storage and cold storage. It sounds like, for this other software, if the hot and warm buckets are on different storage devices, moving the buckets between hot and warm is going to be processor and I/O intensive, whereas moving files which are on the same *nix file system is fast and efficient, as all that needs to be done is to point the warm file path to the same i-node on the file system as it occupied as a hot bucket and remove the hot bucket path (pointer) to the i-node. While the other software may appear to give you more flexibility, putting the hot and warm bucket locations on different file systems (even if they were on the same physical device) would incur runtime costs and inefficiencies.
That works perfectly. Thank you very much.
I am trying to verify the username by editing the code but I do not know where to submit the code. I checked the documentation but it only advises on how to edit the code; it does not mention where to submit the code.
Hi @ITWhisperer  Below is the requirement: I want to use an input (radio button) in 2 panels and there are a total of 3 panels in my dashboard. Is it possible to make an input (radio button) visible in 2 panels and not visible in the 3rd panel? I've used the code below to achieve it but I have to write the same code 2 times. I want to show the Deviation input in PanelB and PanelC but it should not be visible in panelA.

<label>Mode Selection</label>
<choice value="panelA">panelA</choice>
<choice value="panelB">panelB</choice>
<choice value="panelC">panelC</choice>

<row>
  <panel depends="$tokShowPanelB$">
    <input type="radio" token="Devib" searchWhenChanged="true">
      <label>Deviation</label>
      <choice value="">ALL</choice>
      <choice value="| where Dev = 0">Dev = 0</choice>
      <choice value="| where Dev &gt; 150">Dev > 150</choice>
      <default></default>
    </input>
  </panel>
</row>
<row>
  <panel depends="$tokShowPanelC$">
    <input type="radio" token="Devib" searchWhenChanged="true">
      <label>Deviation</label>
      <choice value="">ALL</choice>
      <choice value="| where Dev = 0">Dev = 0</choice>
      <choice value="| where Dev &gt; 150">Dev > 150</choice>
      <default></default>
    </input>
  </panel>
</row>
Hi @Shan , are you using a visualization from an add-on or the standard charts? If a visualization, which one? To my knowledge, you can have the value of the chart section where the mouse is moving over, but not localized in the center. Maybe there's some visualization that I don't know. Ciao. Giuseppe
Hi, I have a large number of queries which need to be created as metrics in Analytics (because we can't retain data for more than 8 days in Analytics, so we are making metrics to retain it). Is there any tool/API or cURL command we can use to create these metrics by providing the query and metric name as payload/arguments? Creating them manually is error prone and time consuming.
Hi @sbhatnagar88 , it isn't a best practice to have different OSs, but it can run for a momentary period; however, Splunk must have the same version. Ciao. Giuseppe
Hi @Topher22 , you can append or replace a value, as you would, simply using the lookup command: if in the lookup the field to replace is Y and must be related to X from the main search, and you want to use the value X_description from the lookup, you can use something like this:

index=* | lookup my-lookup.csv Y AS X OUTPUT X_description | chart count(_raw) by X_description

You can find more info about the lookup command at https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchReference/Lookup Ciao. Giuseppe