All Posts


Hi @timtekk, are you speaking of removal from the Forwarders list in Deployment Server or Monitoring Console? If Monitoring Console, you only have to rebuild the Forwarders List [Settings > Monitoring Console > Settings > Forwarder Monitoring Setup]. If from the Deployment Server list, you can remove it from the web interface [Settings > Forwarder Management > Clients]. Ciao. Giuseppe
OK got it. The answer is no, you can't display the same input panel in two different rows of the dashboard.
For Splunk, the cost saving is between hot/warm storage and cold storage. It sounds like, for this other software, if the hot and warm buckets are on different storage devices, moving the buckets between hot and warm is going to be processor and I/O intensive, whereas moving files which are on the same *nix file system is fast and efficient, as all that needs to be done is to point the warm file path to the same inode on the file system that it occupied as a hot bucket and remove the hot bucket path (pointer) to the inode. While the other software may appear to give you more flexibility, putting the hot and warm bucket locations on different file systems (even if they were on the same physical device) would incur runtime costs and inefficiencies.
That works perfectly. Thank you very much 
I am trying to verify the username by editing the code, but I do not know where to submit the code. I checked the documentation, but it only advises on how to edit the code; it does not mention where to submit the code.
Hi @ITWhisperer, below is the requirement: I want to use an input (radio button) in 2 panels, and there are a total of 3 panels in my dashboard. Is it possible to make an input (radio button) visible in 2 panels and not visible in the 3rd panel? I've used the code below to achieve it, but I have to write the same code 2 times. I want to show the Deviation input in PanelB and PanelC, but it should not be visible in panelA.

    <label>Mode Selection</label>
    <choice value="panelA">panelA</choice>
    <choice value="panelB">panelB</choice>
    <choice value="panelC">panelC</choice>

    <row>
      <panel depends="$tokShowPanelB$">
        <input type="radio" token="Devib" searchWhenChanged="true">
          <label>Deviation</label>
          <choice value="">ALL</choice>
          <choice value="| where Dev = 0">Dev = 0</choice>
          <choice value="| where Dev &gt; 150">Dev &gt; 150</choice>
          <default></default>
        </input>
      </panel>
    </row>
    <row>
      <panel depends="$tokShowPanelC$">
        <input type="radio" token="Devib" searchWhenChanged="true">
          <label>Deviation</label>
          <choice value="">ALL</choice>
          <choice value="| where Dev = 0">Dev = 0</choice>
          <choice value="| where Dev &gt; 150">Dev &gt; 150</choice>
          <default></default>
        </input>
      </panel>
    </row>
Hi @Shan, are you using a visualization from an add-on or the standard charts? If a visualization, which one? To my knowledge, you can have the value of the chart section the mouse is moving over, but not shown in the center. Maybe there is some visualization that I don't know. Ciao. Giuseppe
Hi, I have a large number of queries which need to be created as metrics in Analytics (because we can't retain data for more than 8 days in Analytics, so we are making metrics to retain it). Is there any tool/API or curl command we can use to create these metrics by providing the query and metric name as payload/arguments? Creating them manually is error-prone and time-consuming.
Hi @sbhatnagar88, it isn't a best practice to have different OSs, but it can run for a momentary period; Splunk must have the same version, though. Ciao. Giuseppe
Hi @Topher22, you can append or replace a value, as you would, simply using the lookup command: if in the lookup the field to replace is Y and it must be related to X from the main search, and you want to use the value X_description from the lookup, you can use something like this:

    index=* | lookup my-lookup.csv Y AS X OUTPUT X_description | chart count(_raw) by X_description

You can find more info about the lookup command at https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchReference/Lookup Ciao. Giuseppe
Thank you for the response. I'm running this search query on Splunk Cloud; I redacted the Splunk Cloud Instance ID for privacy, and all the indexes are created via the GUI itself. System indexes like _internal, _audit or others are system generated, so I can have them renamed as "Splunk Generated Index User". Apart from that, I'm also researching and assessing a way to fetch the creation date as well. About the IDX part, I think that got deprecated in Victoria Experience or so, but it would be helpful if there's any workaround or any other way to find it.
Hi @ITWhisperer, I made small changes to the given query. It is working as expected. Thanks for your support.
I am looking to append a value in a lookup CSV to an existing search:

    index=* | fields _time,x | chart count(_raw) by X

and I want to replace (or append) the X with a value (name) from a CSV so I can table the results.
Dear All, I need your help. We have achieved the visualization shown in image 1. But I'm expecting the results as shown in image 2 (semicircle donut or pie chart). Thanks in advance.
Hi @sainag_splunk, my problem still remains. Sorry, but your solution didn't solve my problem... I tried some more cases and will ask about those cases. By the way, I have another question about this issue. I tried to change props.conf for JSON parsing: "KV_MODE=json" -> "KV_MODE=none", and added "INDEXED_EXTRACTIONS=json". But I think there are errors in parsing the JSON. Why did these errors occur?? My search query is:

    index=_internal JsonLineBreaker NOT StreamedSearch

And the results show many lines like the ones below.

    10-10-2024 13:05:55.318 +0900 ERROR JsonLineBreaker [2427 structuredparsing] - JSON StreamId:8181676460594335103 had parsing error:Unexpected character while looking for value: '}' - data_source="*****.json", data_host="****", data_sourcetype="my_json"
    host = **** source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd
    10-10-2024 13:05:55.315 +0900 ERROR JsonLineBreaker [2427 structuredparsing] - JSON StreamId:8181676460594335103 had parsing error:Unexpected character while looking for value: '}' - data_source="*****.json", data_host="****", data_sourcetype="my_json"
    host = **** source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd
    ...

I checked the JSON file, but there are no invalid characters in the JSON. Also, I tried to parse the JSON in Python or JsonParseWebEditor, and there were no problems. Why do these logs remain??
Agree with @richgalloway. To ask an answerable question about data analytics, you need to:
- Illustrate the data input (in raw text, anonymized as needed), whether it is raw events or output from a search that volunteers here do not have to look at.
- Illustrate the desired output from the illustrated data.
- Explain the logic between the illustrated data and the desired output without SPL.
- If you also illustrate attempted SPL, illustrate the actual output and compare it with the desired output, explaining why they look different to you if that is not painfully obvious.

One more suggestion: have you considered the transaction command? People here do not throw transaction into recommendations lightly, because there are usually better alternatives. But without context, transaction is the generic approach that fits your description.

    | transaction endswith="End View Refresh" startswith="Start View Refresh"
Looking for an output to give me results similar to what I provided below:

    Printer Name   Location      Print Jobs   Pages Printed
    prnt_01        main office   3            80
    prnt_02        front desk    1            15
    prnt_03        breakroom     0            25
    prnt_04        hallway       1            25

I have two separate queries for both respectively and am having issues merging them together. My individual queries are: a working query that gives me the job count with the sum of total jobs and total pages

    ...

Results:

    Printer Name   Location      Print Jobs   Pages Printed
    prnt_01        main office   3            80
    prnt_02        front desk    1            15
    prnt_04        hallway       1            25

Is this not confusing for others? You already get what you wanted. What is missing here?
Let me premise this by saying that it is rarely a good practice or necessary to have this many subsearches in one place. But without knowing the actual use case, such as the data involved in each, I am also not sure if I can understand what your desired results are. If I disregard the pseudo-code structure and just interpret your words literally, all you need to do is something like:

    search1
    | stats count
    | where count > 5000
    | eval this = "search 1"
    | append [search2 | stats count | where count > 5000 | eval this = "search 2"]
    | append [search3 | stats count | where count > 5000 | eval this = "search 3"]
    | append [search 4 | stats count | where count > 5000 | eval this = "search 4"]
    | stats values(this) as message
    | eval message = if(isnull(message), null(), mvjoin(message, ", and") . " exceed 5000")
I recently upgraded Splunk Enterprise from version 9.1.0.2 to 9.3.1, and I've encountered an issue where the menu bar is no longer visible in the Search and Reporting UI.

Issue Details:
Previous Version: 9.1.0.2
Current Version: 9.3.1
Issue: The menu bar has disappeared, and to access menus, users must utilize the 'Find box' in the top right corner. For example, if a user wants to view dashboards, they need to type "dashboards" into the search box and select it from the results.

Screenshots:
[Before Upgrade (9.1.0.2) with Menubar]
[After Upgrade (9.3.1) - No menu bar]

Request: Is there a way to restore the traditional menu bar in the Search and Reporting window? Thank you
Hello, how do I send an email alert if one or more subsearches exceed 50000 results? For example, below I have 4 subsearches. If subsearch 1 and 4 exceed 50000, I would like to get an email alert stating that subsearch 1 and 4 exceed 5000. Please suggest. Thank you so much.

    | base search [| subsearch 1] [| subsearch 2] [| subsearch 3] [| subsearch 4]