All Posts


Hello, how do I change the font size on the column chart in Splunk Dashboard Studio? See below: the 170500 label is overlapping with 170400. Also, how do I display 0 on the column chart? 0 is ignored. Please suggest. Thank you for your help.
Hello, I developed a Splunk add-on that is working well. I attempted to set up several event types and data model mapping, but the add-on builder page fails to load after creating the event types. It never loads the model mapping page, then displays a blank page with no event types even though they are present in the system. I can see the data models and the event types in the system, just not in the add-on builder. I've attached a screenshot for reference. Any ideas? I noticed that developer tools indicate a 500 error for get_eventtype_info and get_model_tree.
@ITWhisperer that's true. But for me, it will only make sense if hot and warm buckets reside on separate disks. Please take a look at this:

    Hot: Used for high read/write operations. For this we need our best CPU/RAM nodes here, and we use SSD storage.
    Warm: Lighter search, read only. We can have less powerful nodes here. Warm nodes can use very large spindle drives instead of SSD storage.

The above statement refers to a different piece of software, but just like Splunk, it also follows the hot-warm-cold architecture, so I figured it would be a good point of comparison. There, it was stated that hot and warm use different disks, which makes sense to me. On the other hand, Splunk hot and warm buckets share the same directory on the same disk, so I don't understand how exactly that is going to save us cost (if cost management is part of the reason why there is a warm bucket). That brings me back to my original question: what's the point of having a warm bucket when we already have the hot bucket, which is also searchable and, most importantly, resides in the same directory/disk? Maybe I'm missing something here, but that's what I'm hoping to find out by posting this question.
Never mind, this is a basic question I answered myself by learning about HTML in general (apply style to the div/container wrapped around the input, if someone's looking for this basic answer).
Thank you PickleRick. AND is working as an implicit AND operator which filters data, but WHERE is used to filter on top of the results that are pulled BEFORE the WHERE command. If the data returned is huge we will see the difference between filtering using these 2 options. WHERE has a lot more options when it comes to filtering something out. Thank you all.
Looking to see if Splunk has the ability to highlight a row in an output table based on a value in that row in a dashboard using Dashboard Studio. I created a dashboard to show printers using a lookup and the number of print logs associated with a printer, pulled from indexed print logs. I know how to highlight a single row value based on a condition, but wanted to know if the whole row can be highlighted based on the output in the row. I used the color and style option to set conditions on the Jobs field to highlight if the print count = 0:

    Printer    Jobs    Prints
    Pntr_01    149     285
    Pntr_02    25      78
    Pntr_03    0
    Pntr_04    75      528
    Pntr_05    85      149
    Pntr_06    0

I would like to highlight the printer name in red as well if the value = 0:

    Printer    Jobs    Prints
    Pntr_01    149     285
    Pntr_02    25      78
    Pntr_03    0
    Pntr_04    75      528
    Pntr_05    85      149
    Pntr_06    0

I searched the Splunk community as well as other areas of the Splunk matrix with no luck. If someone has some insight or a reference on whether this can be done, it would be greatly appreciated. Thanks.
Hey @PickleRick, thanks for calling that out. You're absolutely right, and I totally dropped the ball on some of those details. My bad. I was trying to keep things simple, but I guess I oversimplified a bit too much while typing. You nailed it with AND being an operator, not a command. That's a rookie mistake on my part. About the performance thing, yeah, I should've been clearer. For simple stuff, it might not make a huge difference, but you're spot on that it can matter a lot with complex searches or big data sets.
I would like to apply a custom style to a set of inputs. How do I correctly write this code? I'm aware of the option to create one style clause for each input ID, but this seems ridiculous and the wrong way to do it for, say, 20 inputs. Cheers.

    <form version="1.1" theme="light">
      <fieldset submitButton="false">
      </fieldset>
      <row>
        <panel>
          <html>
            <style>
              #LineByLine {
                display:flex !important;
                padding-right: 10px;
                padding-top: 5px;
              }
            </style>
          </html>
        </panel>
      </row>
      <row>
        <panel>
          <input id="input1" type="text" token="1">
            <label>1</label>
          </input>
        </panel>
        <panel>
          <input id="input2" type="text" token="2">
            <label>2</label>
          </input>
        </panel>
      </row>
    </form>
It is not clear what you are trying to achieve here: both your radio button inputs are identical, and you have not shown where tokShowPanelB and tokShowPanelC are set, nor where you are using the Devib token. Please clarify your requirement.
Good. Your issue is resolved.
Hello, we are on Splunk 9.3 on prem. I am unable to remove a server from the Splunk forwarder management list after it has been decommissioned and the Universal Forwarder uninstalled. I get an error stating that the DELETE option is deprecated, but what has it been replaced with? I have a server that has not logged to Splunk in 9 days (and never will again); how do I remove it correctly? (screenshot attached)
Unless I am mistaken, this warning is saying that if you try to restore KV backups from versions earlier than 9.3 then it will fail. That is, the restoration will fail, not the update to 9.3.*. Thus, if you do not need to make a restore from your <9.3 kvstore backups, then this is not a problem. If there is data in your KV store backup that you need in the future, then you should restore them now, then update to 9.3, then you can make another backup. Or if you are confident that it does not contain unique data, then you could delete the old kvstore backup and then make a new backup after upgrading to 9.3.  These docs could help: https://docs.splunk.com/Documentation/Splunk/9.3.1/Admin/BackupKVstore  
Looking for help running a stats count and stats sum referencing a lookup, using print logs. I'm looking to output all printers from a lookup, giving a "total job" count (counting each record in the query for a single printer) and a "total page" count for all pages printed on each printer listed in the lookup.

Logs from my index:

    date          printer_name    user     pages_printed
    2024_10_09    prnt_01         user1    10
    2024_10_09    prnt_02         user4    15
    2024_10_09    prnt_01         user6    50
    2024_10_09    prnt_04         user9    25
    2024_10_09    prnt_01         user2    20

Data from my lookup file (file name: printers.csv):

    printer_name    printer_location
    prnt_01         main office
    prnt_02         front desk
    prnt_03         breakroom
    prnt_04         hallway

Looking for an output similar to what I provided below:

    Printer Name    Location       Print Jobs    Pages Printed
    prnt_01         main office    3             80
    prnt_02         front desk     1             15
    prnt_03         breakroom      0             25
    prnt_04         hallway        1             25

I have two separate queries for each respectively and am having issues merging them together.

My individual queries are:

Working query that gives me the job count with the sum of total jobs and total pages:

    index=printer sourcetype=printer:logs
    | stats count sum(pages_printed) AS pages_printed by printer_name
    | lookup printers.csv printer_name AS printer_name OUTPUT printer_location
    | table printer_name, printer_location, count, pages_printed
    | rename printer_name AS "Printer Name", printer_location AS "Location", count AS "Print Job", pages_printed AS "Pages Printed"

Results:

    Printer Name    Location       Print Jobs    Pages Printed
    prnt_01         main office    3             80
    prnt_02         front desk     1             15
    prnt_04         hallway        1             25

Working query that gives me the list of all printers and the job count:

    index=printer sourcetype=printer:logs
    | eval printer_name=lower(printer_name)
    | stats count BY printer_name
    | append [| inputlookup printers.csv | eval printer_name=lower(printer_name), count=0 | fields printer_name count]
    | stats sum(count) AS print_jobs by printer_name
    | table printer_name, print_jobs
    | rename printer_name AS "Printer Name", print_jobs AS "Print Job"

Results:

    Printer Name    Print Jobs
    prnt_01         3
    prnt_02         1
    prnt_04         1

Again, I am trying to merge the two to give me Printer Name, Location, # of print jobs and total pages printed. Any assistance will be greatly appreciated.
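One way the two queries above can be combined, as an added example that is not part of the original post or any reply in the thread: it reuses the poster's index, sourcetype, field names and the printers.csv lookup (assumed to be defined as a lookup definition, since `| lookup printers.csv` already works in their first query), and lowercases printer_name on both sides so the case-sensitive lookup match agrees with the stats grouping. Appending the lookup rows with zero counts before the second stats is what keeps printers with no log entries in the result instead of dropping them.

```spl
index=printer sourcetype=printer:logs
| eval printer_name=lower(printer_name)
| stats count AS print_jobs, sum(pages_printed) AS pages_printed BY printer_name
| append
    [| inputlookup printers.csv
     | eval printer_name=lower(printer_name), print_jobs=0, pages_printed=0
     | fields printer_name print_jobs pages_printed]
| stats sum(print_jobs) AS print_jobs, sum(pages_printed) AS pages_printed BY printer_name
| lookup printers.csv printer_name OUTPUT printer_location
| table printer_name printer_location print_jobs pages_printed
| rename printer_name AS "Printer Name", printer_location AS "Location",
         print_jobs AS "Print Jobs", pages_printed AS "Pages Printed"
```

With the constructed log and lookup rows shown in the post this yields prnt_01 3/80, prnt_02 1/15, prnt_03 0/0 and prnt_04 1/25. Note that a subsearch inside append is subject to the usual subsearch row limits, which is irrelevant for a four-row printer list but matters if the lookup grows into the tens of thousands of rows.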
You would like to send a file INTO Splunk, or OUT of Splunk into a service that takes the file and returns enrichment information about the file?
1. What do you mean by "they don't seem to be taking effect"?
2. Did you verify with btool that the settings you've put into your configs are effective?
3. Did you restart Splunk?
4. Self-signed certs don't actually raise your level of security much. You should be using certs issued by an external CA (even if it's your own CA).
Try this: User: admin Password: changeme
Try adding it as you would a header dictionary: headers = {"Authorization": "Bearer TOKENGOESHERE"}
Did you set cliVerifyServerName = true? It would be helpful if you post your server.conf [sslConfig] stanza (sanitized if it contains sensitive information).
In an ideal world there would be an app for autosys that adds a "trigger autosys job" action, then you could select it for your alerts. However there appears to be no such app on Splunkbase, meaning that you will either have to build an app yourself or find a way to do it without an app. Do you have a working REST call that can trigger a test job? That would be a good starting point.
AND is just a boolean operator for the (in this case) implied search command. If you don't specify any explicit command at the beginning of your search, Splunk inserts an implied search one, so your search is actually

    | search index=something field=value another_field IN (value1,value2,...)

And the AND boolean operator is implied for search terms if another operator isn't specified, so the search above is equivalent to

    | search index=something AND field=value AND another_field IN (value1,value2,...)

You can of course use other boolean operators to make more complex search conditions like

    | search (index=something sourcetype=something) OR (index=another host=host1 NOT source=/var/log/messages)

So AND is not a command. As for the difference between adding another condition to the initial search and using the where command: the where command uses different matching conditions. search can only match fields against static values (possibly wildcarded), whereas where can use far more complicated conditions, possibly using evaluation functions or dynamic comparison between field values. But the where command operates on a stream of results coming from the previous command, so there will be a difference in performance. How big that difference will be depends on the actual conditions used.

EDIT: And I can't agree with @sainag_splunk on the performance being generally similar.
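An added illustration of the distinction drawn in the reply above; it is not part of the original thread. The index, sourcetype and field names (index=printer, printer_name, user, pages_printed) are borrowed from the print-log question elsewhere on this page and are assumed, not taken from this reply. The practitioner's rule it shows: push every static filter into the initial (implied) search so non-matching events are discarded before they enter the pipeline, and reserve where for conditions that search cannot express.

```spl
index=printer sourcetype=printer:logs printer_name=prnt_0*   ```static filter in the implied search: events are dropped at retrieval```
| stats count BY printer_name

index=printer sourcetype=printer:logs                        ```same static filter as a where: every event flows through the pipeline first```
| where like(printer_name, "prnt_0%")
| stats count BY printer_name

index=printer sourcetype=printer:logs user=printer_name      ```search treats the right-hand side as a literal: this matches the string "printer_name", not the field```

index=printer sourcetype=printer:logs                        ```where evaluates both sides as fields and can call eval functions```
| where user=printer_name OR pages_printed > 10 * len(user)
```

The third query is the usual trap: it looks like a field-to-field comparison but is a string match that will normally return nothing, which is exactly the case where the where command is needed. The fourth cannot be rewritten as a search term at all, so it is the legitimate place to pay the cost of filtering after retrieval; the static `index` and `sourcetype` terms are still left in the initial search so the stream reaching where is as small as possible.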