All Posts

Thank you for the response. I'm running this search query on Splunk Cloud; I redacted the Splunk Cloud Instance ID for privacy, and all the indexes are created via the GUI itself. System indexes like _internal, _audit or others are system-generated, so I can have them renamed as "Splunk Generated Index User". Apart from that, I'm also researching and assessing a way to fetch the creation date as well. About the IDX part, I think that got deprecated in the Victoria Experience or so, but it would be helpful if there's any workaround or any other way to find it.
Hi @ITWhisperer, I made small changes to the given query. It is working as expected. Thanks for your support.
I am looking to append a value from a lookup CSV to an existing search:
    index=* | fields _time,x | chart count(_raw) by X
I want to replace (or append) the X with a value (name) from a CSV so I can table the results.
Dear All, I need your help. We have achieved the visualization shown in image 1, but I'm expecting the results as shown in image 2 (semicircle donut or pie chart). Thanks in advance.
Hi @sainag_splunk, my problem still remains. Sorry, but your solution didn't solve my problem... I tried some more cases and will ask about the cases I tried. By the way, I have another question about this issue. I tried to change props.conf for JSON parsing: "KV_MODE=json" -> "KV_MODE=none", and added "INDEXED_EXTRACTIONS=json". But I think there are errors in parsing the JSON. Why did these errors occur? My search query is
    index=_internal JsonLineBreaker NOT StreamedSearch
and the results show many lines like the ones below.
    10-10-2024 13:05:55.318 +0900 ERROR JsonLineBreaker [2427 structuredparsing] - JSON StreamId:8181676460594335103 had parsing error:Unexpected character while looking for value: '}' - data_source="*****.json", data_host="****", data_sourcetype="my_json"
    host = **** source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd
    10-10-2024 13:05:55.315 +0900 ERROR JsonLineBreaker [2427 structuredparsing] - JSON StreamId:8181676460594335103 had parsing error:Unexpected character while looking for value: '}' - data_source="*****.json", data_host="****", data_sourcetype="my_json"
    host = **** source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd
    ...
I checked the JSON file, but there are no invalid characters in the JSON. Also, I tried to parse the JSON in Python or JsonParseWebEditor, and there were no problems. Why do these logs remain?
Agree with @richgalloway. To ask an answerable question about data analytics, you need to:
- Illustrate the data input (in raw text, anonymized as needed), whether they are raw events or output from a search that volunteers here do not have to look at.
- Illustrate the desired output from the illustrated data.
- Explain the logic between the illustrated data and the desired output without SPL.
- If you also illustrate attempted SPL, illustrate the actual output and compare it with the desired output, explaining why they look different to you if that is not painfully obvious.
One more suggestion: have you considered the transaction command? People here do not throw transaction into recommendations lightly because there are usually better alternatives. But without context, transaction is the generic approach that fits your description.
    | transaction endswith="End View Refresh" startswith="Start View Refresh"
Looking for an output to give me results similar to what I provided below:
    Printer Name   Location      Print Jobs   Pages Printed
    prnt_01        main office   3            80
    prnt_02        front desk    1            15
    prnt_03        breakroom     0            25
    prnt_04        hallway       1            25
I have two separate queries for both respectively and am having issues merging them together. My individual queries are: a working query that gives me the job count with the sum of total jobs and total pages ... Results:
    Printer Name   Location      Print Jobs   Pages Printed
    prnt_01        main office   3            80
    prnt_02        front desk    1            15
    prnt_04        hallway       1            25
Is this not confusing for others? You already get what you wanted. What is missing here?
Let me premise this by saying that it is rarely good practice or necessary to have this many subsearches in one place. But without knowing the actual use case, such as the data involved in each, I am also not sure I understand what your desired results are. If I disregard the pseudo-code structure and just interpret your words literally, all you need to do is something like
    search1
    | stats count
    | where count > 5000
    | eval this = "search 1"
    | append [search2 | stats count | where count > 5000 | eval this = "search 2"]
    | append [search3 | stats count | where count > 5000 | eval this = "search 3"]
    | append [search4 | stats count | where count > 5000 | eval this = "search 4"]
    | stats values(this) as message
    | eval message = if(isnull(message), null(), mvjoin(message, ", and ") . " exceed 5000")
I recently upgraded Splunk Enterprise from version 9.1.0.2 to 9.3.1, and I've encountered an issue where the menu bar is no longer visible in the Search and Reporting UI.
Issue Details:
Previous Version: 9.1.0.2
Current Version: 9.3.1
Issue: The menu bar has disappeared, and to access menus, users must utilize the 'Find' box in the top right corner. For example, if a user wants to view dashboards, they need to type "dashboards" into the search box and select it from the results.
Screenshots:
Before Upgrade (9.1.0.2): with menu bar
After Upgrade (9.3.1): no menu bar
Request: Is there a way to restore the traditional menu bar in the Search and Reporting window? Thank you.
Hello, how do I send an email alert if one or more subsearches exceed 50000 results? For example, below I have 4 subsearches. If subsearch 1 and 4 exceed 50000, I would like to get an email alert stating that subsearch 1 and 4 exceed 5000. Please suggest. Thank you so much.
    | base search [| subsearch 1] [| subsearch 2] [| subsearch 3] [| subsearch 4]
Hello, how do I change the font size on the column chart in Splunk Dashboard Studio? See below: the 170500 is overlapping with 170400. Also, how do I display 0 on the column chart? 0 is ignored. Please suggest. Thank you for your help.
Hello, I developed a Splunk add-on that is working well. I attempted to set up several event types and data model mapping, but the add-on builder page fails to load after creating the event types. It never loads the model mapping page; it then displays a blank page with no event types even though they are present in the system. I can see the data models and the event types in the system, just not in the add-on builder. I've attached a screenshot for reference. Any ideas? I noticed that developer tools indicate a 500 error for get_eventtype_info and get_model_tree.
@ITWhisperer that's true. But for me, it will only make sense if hot and warm buckets reside on separate disks. Please take a look at this:
    Hot: Used for high read/write operations. For this we need our best CPU/RAM nodes here, and we use SSD storage.
    Warm: Lighter search, read only. We can have less powerful nodes here. Warm nodes can use very large spindle drives instead of SSD storage.
The above statement refers to other software, but just like Splunk, it also follows the hot-warm-cold architecture, so I figured it would be a good point of comparison. There, it was stated that hot and warm use different disks, which makes sense to me. On the other hand, Splunk hot and warm buckets share the same directory on the same disk, so I don't understand how exactly that is going to save us cost (if cost management is part of the reason why there is a warm bucket). That brings me back to my original question: what's the point of having a warm bucket when we already have the hot bucket, which is also searchable and, most importantly, resides in the same directory/disk? Maybe I'm missing something here, but that's what I'm hoping to find out by posting this question.
Never mind, this is a basic question I answered myself by learning about HTML in general (apply the style to the div/container wrapped around the input, if someone's looking for this basic answer).
Thank you PickleRick. AND works as an implicit AND operator which filters data, but WHERE is used to filter on top of the results that are pulled BEFORE the WHERE command. If the data returned is huge, we will see the difference of filtering out using these 2 options. WHERE has a lot more options when it comes to filtering something out. Thank you all.
Looking to see if Splunk has the ability to highlight a row in an output table based on a value in that row in a dashboard using Dashboard Studio. I created a dashboard to show printers using a lookup and the number of print logs associated with a printer, pulled from indexed print logs. I know how to highlight a single row value based on a condition but wanted to know if the whole row can be highlighted using the output in the row. I used the color and style option to set conditions on the jobs field to highlight if print count = 0:
    Printer   Jobs   Prints
    Pntr_01   149    285
    Pntr_02   25     78
    Pntr_03   0
    Pntr_04   75     528
    Pntr_05   85     149
    Pntr_06   0
I would like to highlight the printer name in red as well if the value = 0:
    Printer   Jobs   Prints
    Pntr_01   149    285
    Pntr_02   25     78
    Pntr_03   0
    Pntr_04   75     528
    Pntr_05   85     149
    Pntr_06   0
I searched the Splunk community as well as other areas of the Splunk matrix with no luck. If someone has some insight or a reference on whether this can be done, it would be greatly appreciated. Thanks.
Hey @PickleRick, thanks for calling that out. You're absolutely right, and I totally dropped the ball on some of those details. My bad. I was trying to keep things simple, but I guess I oversimplified a bit too much while typing. You nailed it with AND being an operator, not a command. That's a rookie mistake on my part. About the performance thing: yeah, I should've been clearer. For simple stuff, it might not make a huge difference, but you're spot on that it can matter a lot with complex searches or big data sets.
I would like to apply a custom style to a set of inputs. How do I correctly write this code? I'm aware of the option to create one style clause for each input ID, but this seems ridiculous and the wrong way to do it for, say, 20 inputs. Cheers.
    <form version="1.1" theme="light">
      <fieldset submitButton="false">
      </fieldset>
      <row>
        <panel>
          <html>
            <style>
              #LineByLine {
                display: flex !important;
                padding-right: 10px;
                padding-top: 5px;
              }
            </style>
          </html>
        </panel>
      </row>
      <row>
        <panel>
          <input id="input1" type="text" token="1">
            <label>1</label>
          </input>
        </panel>
        <panel>
          <input id="input2" type="text" token="2">
            <label>2</label>
          </input>
        </panel>
      </row>
    </form>
It is not clear what you are trying to achieve here: both your radio button inputs are identical, and you have not shown where tokShowPanelB and tokShowPanelC are set, nor where you are using the Devib token. Please clarify your requirement.
Good. Your issue is resolved.