All Posts


Hi @new2splunk21, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi @Teddiz, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
OK, I get this, but I have little experience with rex and especially anchors. Is the anchor the word I am looking to match?
Did you come up with any solution? I'm curious how you had the webhook working with MS Teams before. I never could get the default Splunk Webhook action to properly send to the Teams Webhooks integration. It seemed like the default Splunk Webhook JSON is not formatted in a way that Teams accepts?
I am seeing the same thing with a fresh install of v5.0.1 in Splunk Cloud. Splunk Cloud Version: 9.2.2403.109 Build: acf4711b7529

10-21-2024 16:07:58.193 +0000 INFO SavedSplunker - savedsearch_id="nobody;broken_hosts;Lookup Gen - bh_host_cache", search_type="scheduled", user="nobody", app="broken_hosts", savedsearch_name="Lookup Gen - bh_host_cache", priority=default, status=skipped, reason="Relation '' is unknown.", scheduled_time=1729526878, window_time=-1, skipped_count=11, filtered_count=0
10-21-2024 12:52:14.196 +0000 INFO SavedSplunker - savedsearch_id="nobody;broken_hosts;Lookup Gen - bh_sourcetype_cache", search_type="scheduled", user="nobody", app="broken_hosts", savedsearch_name="Lookup Gen - bh_sourcetype_cache", priority=default, status=skipped, reason="Relation '' is unknown.", scheduled_time=1729515134, window_time=-1, skipped_count=10, filtered_count=0
10-21-2024 12:26:30.121 +0000 INFO SavedSplunker - savedsearch_id="nobody;broken_hosts;Lookup Gen - bh_index_cache", search_type="scheduled", user="nobody", app="broken_hosts", savedsearch_name="Lookup Gen - bh_index_cache", priority=default, status=skipped, reason="Relation '' is unknown.", scheduled_time=1729513590, window_time=-1, skipped_count=10, filtered_count=0

Looking at the savedsearches.conf that comes with this version of the app and comparing to the documentation (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf), each of these three searches defines "counttype = number of events" but does not define "quantity" or "relation". To fix this in Splunk Enterprise, just remove the config "counttype = number of events" for each search directly in default/savedsearches.conf. To fix it in Splunk Cloud, click Edit > Advanced Edit on each search and change "alert_type" from "number of events" to empty. Keep in mind that the app will need to be completely uninstalled and reinstalled when this is fixed to remove the /local/ versions of the searches.
Cheers, Jacob --- If this reply helps you, Karma would be appreciated.
Previously created war room templates fail to load, and attempting to recreate them gives errors. I've tried as both SAML and local user accounts, both with admin rights.
I am planning on upgrading our Splunk infrastructure, which requires our Splunk indexers to go offline for a few minutes. I am using SmartStore for Splunk indexing. Before I start the upgrade and take down our indexers, I want to roll over all the data that is in the hot buckets to SmartStore and then start the upgrade. What is the best way to do this?
You could try something like this:

| eventstats min(CurrentWeek) as lower max(CurrentWeek) as upper min(CurrentWeek-1) as lower1 max(CurrentWeek-1) as upper1 min(CurrentWeek-2) as lower2 max(CurrentWeek-2) as upper2
| eval lower=min(lower, lower1, lower2), upper=max(upper, upper1, upper2)
| fields - lower1 upper1 lower2 upper2
| eval _lowerrate="lower", _upperrate="upper", _predictedrate="CurrentWeek"
Awesome, will do this right away!    Thanks,    JJ 
Assuming your names follow the apparent pattern you have shown, you could do something like this:

| eval name_prefix=mvjoin(mvindex(split(NAME,"-"),0,1),"-")
| eventstats values(eval(if(STATE="master",STATE,null()))) as master by name_prefix
| where master="master"
Thanks for all the info. We are going to go with increasing the truncate on the index server.
Hi, I need help to fetch a field based on another field's condition. I have a lookup table as below:

NAME     HOST   STATE
abc-a-0  host1  master
abc-a-1  host2  local
abc-a-2  host3  local
abc-b-0  host4  local
abc-b-1  host4  local
abc-b-2  host4  local

I want to retrieve the abc-a-* NAMEs based on the STATE being master. The master STATE is dynamic; sometimes it will be in the abc-b-* group instead. Example:

NAME     HOST   STATE
abc-a-0  host1  local
abc-a-1  host2  local
abc-a-2  host3  local
abc-b-0  host4  local
abc-b-1  host5  master
abc-b-2  host6  local

The problem is:
1. Retrieve the current master STATE, whether it is an abc-a-* or abc-b-* NAME.
2. Then fetch the 3 NAMEs based on whether the condition matched abc-a-* or abc-b-*.
Yes, this is my 1st deployment of this node. I installed the software on a Linux VM and at a minimum I would think it would be listening and waiting for data via port 9997. It's definitely connecting to the cloud on that port. I don't see anything in the edge.log file that would indicate why it's not listening on that port. I do see the following but not sure what it may be referring to:

"message":"current settings have previously caused failures. aborting update","type":"provided","status":"failed"},{"time":"2024-10-21T16:16:37.959Z","settings_id":"3080980952365928851","type":"telemetry","status":"running"}]}}
I would suggest a stacked bar chart and leave min/max/curr/curr-1/curr-2 as chart overlays, but I don't know if that would solve your problem. Stack the below-min (white) / between_max_min (shaded) / above-min (white). Calculate the above-min as some percentage above the overall max value, i.e. overall_max=max(all_numbers)x1.25. It's the only way I can think of to get the below-min value as white, but I think that also violates some of the other things you were asking for.
Try something like this (although you will have to tweak it to get the size you want):

| eventstats values(hdr_mid) as msgid by qid
| stats values(from) as sender, values(to) as recipient values(subject) as subject values(size) as size by msgid
Ideally it should clear right away, however if not try manually electing a new SH captain and wait 5-10 minutes for the SH bundle to replicate.
I want to be able to change the color of a text input border when you focus on the input box. I want to change the blue border to red when the field is empty. I have the JavaScript logic but not the CSS that would change the blue border. Here is the CSS I have so far, but all it does is put a border around the whole input panel, not just the text box.

.required button{ border: 2px solid #f6685e !important; }
Glad you saw sense and ditched chatGPT! Try something like this:

index=sample_index sourcetype=kube:container:sample_container
| fields U, S, D
| where isnotnull(U) and isnotnull(S) and isnotnull(D)
| rex field=U "(?P<ApiName>[^/]+)(?=\/[0-9a-fA-F\-]+$|$)"
| eventstats min(D) as Min, max(D) as Max, avg(D) as Avg, perc95(D) as P95, perc98(D) as P98, perc99(D) as P99 by ApiName
| stats count as TotalReq, by ApiName, Min, Max, Avg, P95, P98, P99, S
| eval {S}=TotalReq
| stats values(1*) as 1* values(2*) as 2* values(3*) as 3* values(4*) as 4* values(5*) as 5* sum(TotalReq) as TotalReq by ApiName, Min, Max, Avg, P95, P98, P99
| addtotals labelfield=ApiName col=t label="ColumnTotals" 1* 2* 3* 4* 5* TotalReq
| addinfo
| eval Availability% = round(100 - ('500'*100/TotalReq),8)
| fillnull value=100 Availability%
| eval range = info_max_time - info_min_time
| eval AvgTPS=round(TotalReq/range,5)
| eval Avg=floor(Avg)
| eval P95=floor(P95)
| eval P98=floor(P98)
| eval P99=floor(P99)
| sort TotalReq
| table ApiName, 1*, 2*, 3*, 4*, 5*, Min, Max, Avg, P95, P98, P99, AvgTPS, Availability%, TotalReq
Thanks @tscroggins, for your answer. But I still have some big problems with JavaScript, because sometimes Splunk Web did not load the code, sometimes the code didn't work, and sometimes it works without changing it. I have read the documentation, I use the refresh button (http://<ip:port>/debug/refresh), I'm using my browser in incognito mode but nothing, and I restart Splunk Web when I add a new JS file. I even tried to fully restart Splunk. Thanks for your help.
I believe I figured out what was wrong. Turns out our admin forgot to point the newly installed SH cluster member to the license manager. It is now pointing to the LM. How long does it take for the lit search error to clear?