1. What do you mean by "they don't seem to be taking an effect"?
2. Did you verify with btool that the settings you've put into your configs are effective?
3. Did you restart Splunk?
4. Self-signed certs don't actually raise your level of security much. You should be using external CA-issued certs (even if it's your own CA).
Try this: Username: admin Password: changeme
Try adding it as you would a header dictionary: headers = {"Authorization": "Bearer TOKENGOESHERE"}
Did you set cliVerifyServerName = true? It would be helpful if you post your server.conf [sslConfig] stanza (sanitized if it contains sensitive information).
In an ideal world there would be an app for autosys that adds a "trigger autosys job" action, then you could select it for your alerts. However there appears to be no such app on Splunkbase, meaning that you will either have to build an app yourself or find a way to do it without an app. Do you have a working REST call that can trigger a test job? That would be a good starting point.
AND is just a boolean operator for the (in this case) implied search command. If you don't specify any explicit command at the beginning of your search, Splunk inserts an implied search one, so your search is actually

    | search index=something field=value another_field IN (value1,value2,...)

And the AND boolean operator is implied for search terms if another operator isn't specified, so the search above is equivalent to

    | search index=something AND field=value AND another_field IN (value1,value2,...)

You can of course use other boolean operators to make more complex search conditions like

    | search (index=something sourcetype=something) OR (index=another host=host1 NOT source=/var/log/messages)

So AND is not a command.

As for the difference between adding another condition to the initial search and using the where command: the where command uses different matching conditions. search can only match fields with static values (possibly wildcarded), whereas where can use way more complicated conditions, possibly using evaluation functions or dynamic comparison between field values. But the where command operates on a stream of results coming from the previous command. So there will be a difference in performance. How big that difference will be depends on the actual conditions used.

EDIT: And I can't agree with @sainag_splunk on the performance being generally similar.
I recently upgraded my deployment from 9.0.3 to 9.2.2. After the upgrade, the KV store stopped working. Based on my research, I found that the kv store version reverted to version 3.6 after the upgrade, causing the kvstore to fail.

    "__wt_conn_compat_config, 226: Version incompatibility detected: required max of 3.0cannot be larger than saved release 3.2:"

I looked through the bin directory and found 2 versions for mongod.

1. mongod-3.6
2. mongod-4.6
3. mongodump-3.6

Will removing the mongod-3.6 and mongodump-3.6 from the bin directory resolve this issue?
Hello,

This is the result from one of my rows in Search & Reporting (Web).

    Job Code
    039081934400000 (4)
    082441325900000 (199)

However, when my code is used in a classic dashboard the results are this.

    Job Code 039081934400000 (4) 082441325900000 (199)

How do I control my dashboard output to display like my search output?

    | inputlookup job_codes_2024.csv
    ```all fields in the lookup above begin with the letter j, except for the field cntrl```
    | foreach j*
        ```add line feed at the end of all fields beginning with the letter j```
        [| rex field=<<FIELD>> mode=sed "s/$/\n/g"]
    ```group all fields by the cntrl value```
    | stats values(*) as * by cntrl

Thanks and God bless,
Genesius
Hi sainag... Thank you so much for your guidance.
Perhaps you could try remaking the sc4s using the official guide. It may take less time than trying to debug the current instance.
Hi

The solution was the following on Windows:

1. Go to the path: x:\<db_agent_home>\bin
2. Edit the file called DataBaseAgentService and add the following line to the end of the file: -Ddbagent.name=(your collector name)
3. Go to Services and restart the AppDynamics database agent.

Attached a screenshot as an example.
Thanks for the help.  Much appreciated.
Hi @ITWhisperer

I've an input which I want to use in 2 different panels. Example: there are 3 panels in my dashboard:

    <label>Mode Selection</label>
    <choice value="panelA">panelA</choice>
    <choice value="panelB">panelB</choice>
    <choice value="panelC">panelC</choice>

I want to show the input in panelB and panelC and not in panelA. I have used the code below to solve it. I want to know if it is possible to write the input type code only once and use it with multiple panels (panelB and panelC).

    <row>
      <panel depends="$tokShowPanelB$">
        <input type="radio" token="Devib" searchWhenChanged="true">
          <label>Deviation</label>
          <choice value="">ALL</choice>
          <choice value="| where Dev = 0">Dev = 0</choice>
          <choice value="| where Dev &gt; 150">Dev &gt; 150</choice>
          <default></default>
        </input>
      </panel>
    </row>
    <row>
      <panel depends="$tokShowPanelC$">
        <input type="radio" token="Devib" searchWhenChanged="true">
          <label>Deviation</label>
          <choice value="">ALL</choice>
          <choice value="| where Dev = 0">Dev = 0</choice>
          <choice value="| where Dev &gt; 150">Dev &gt; 150</choice>
          <default></default>
        </input>
      </panel>
    </row>
So we don't waste too much of your time repeating what you've already tried, please share your queries, some sample events, the desired results, and the current results.
That works! Thank you so much!
Hi @Raj_Splunk_Ing

No need to apologize - we all start somewhere, and asking questions is how we learn! Let's break down your question about using AND ... IN (...) versus WHERE ... IN (...) in Splunk searches. Both of your examples will work, but there are some slight differences:

AND ... IN (...):

    index=ADFS_AWS AND clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")

This is part of the main search string and is evaluated early in the search process.

Using WHERE:

    index=ADFS_AWS | WHERE clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")

The WHERE command is a separate search command that filters results after the initial search.

In terms of efficiency: for most cases, they'll perform similarly. The AND version might be slightly faster as it's applied earlier in the search process. The WHERE version is more flexible if you need to do more complex filtering. Remember, the best approach often depends on your specific data and use case. Don't hesitate to test both and see which works better for you!

Splunk Search Manual: https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsearch
Search Processing Language (SPL) Reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual
WHERE command documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where
Comparison of search commands (including AND and WHERE): https://docs.splunk.com/Documentation/Splunk/latest/Search/Comparesearchcommands
Best practices for searching: https://docs.splunk.com/Documentation/Splunk/latest/Search/Bestpracticesforsearching
Using the IN operator: https://docs.splunk.com/Documentation/Splunk/latest/Search/Usetheinoperator
Splunk Search Tutorials: https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

Hope this helps.
Hi All,

Thanks for your time. I am sorry in advance as this is a very basic question; I just started exploring the search query. If I have something like below

    index=ADFS_AWS AND clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")

This is searching only for these clientIds - option 1

Or with Where:

    Where clientID IN (clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")

Which one should we be using, and which is more efficient?
I'm using the splunk-otel-collector, and attempting to get multi-line Java exceptions into a standardly formatted event. Using the example, my values file contains

    multilineConfigs:
      - namespaceName:
          value: example
          useRegexp: true
        firstEntryRegex: ^[^\s].*
        combineWith: ""

The rendered configMap contains

    - combine_field: attributes.log
      combine_with: ""
      id: example
      is_first_entry: (attributes.log) matches "^[^\\s].*"
      max_log_size: 1048576
      output: clean-up-log-record
      source_identifier: resource["com.splunk.source"]
      type: recombine

With that config, the logs continue to split. Then I change the value to

    combineWith: "\t"

and the following happens with the logs:

Has anyone experienced this and worked around it?
Hello,

I am looking to calculate how long it takes to refresh the view using the time of the events "End View Refresh" and "Start View Refresh", i.e. find the difference in time between these events whenever these 2 events occur. Tried a number of things using streamstats and range, but it does provide me the desired result. Any assistance would be appreciated.

Regards
The queries can be combined like this.

    index=test1 sourcetype=teams ("osversion=" OR "host=12*")
    | rex field=_raw "\s+(?<osVersion>.*?)$"
    | rex field=_raw "\w+(?<host>.*)$"
    | table "Time(utc)" "OSVersion" host

That will give you lists of OSVersions and hosts separately, but in a single table. Then you should compare the time values to see if OSVersion and host are in events with the same timestamp so they can be merged. If so, then this query will do it.

    index=test1 sourcetype=teams ("osversion=" OR "host=12*")
    | rex field=_raw "\s+(?<osVersion>.*?)$"
    | rex field=_raw "\w+(?<host>.*)$"
    | stats values(*) as * by "Time(utc)"
    | table "Time(utc)" "OSVersion" host