All Posts

Hello @tchimento_splun @rjteh_splunk, looks like this bug is still happening in 9.3.0.
I have created an index to store my data on Splunk. The data contains 5 csv files uploaded one by one into the index. Now, if I try to show the data inside the index, it shows the latest data (the csv file that was uploaded last). We can show the data of the other files by querying with specific source names, but by default we cannot see the whole data; we can only see the data of the last table. To overcome this challenge we have used joins to join all the tables and show them through the query in one report. I wanted to find out if there is a better way to do this. I have to show this data in Power BI, and for that I should have a complete report of the data.
| timechart sum(count) as total span=1h | timewrap 1w | where strftime(_time,"%a") = strftime(now(),"%a") | eval hour=strftime(_time,"%H") | fields - _time | table hour *
It sounds like it is working, just not with the results you expect? Search has an implied AND so perhaps you need an explicit OR? | search node="$form.tokenNode$" OR outcome="$form.tokenSwitch$"
Hi,

hour 0 for count1 is the total of all the counts for 00:00 to 00:59 for the current day (Monday) in the current week.
hour 0 for count2 is the total of all the counts for 00:00 to 00:59 for the current day (Monday) in the previous week.
hour 0 for count3 is the total of all the counts for 00:00 to 00:59 for the current day (Monday) in the current week - 2.

So, on the X axis we have 0-24 hours for the current day and on the Y axis we have 3 lines:
count1: Count of a particular hour of the day in the current week
count2: Count of a particular hour of the day in the previous week
count3: Count of a particular hour of the day in the current week

Plan is to compare: when the current day is Monday, the count of the 8th hour of Monday with last week's Monday and with the Monday of the week before that; the count of the 9th hour of Monday with last week's Monday and with the Monday of the week before that; the count of the 10th hour of Monday with last week's Monday and with the Monday of the week before that; and so on till the 24th hour.

We have fields like Current_day (example Monday, Tuesday etc.), Current_Week (example 41 or 40 etc.) extracted in the query.
So, just to be clear, count1 is the sum of the hourly counts for the current week, e.g. hour 0 for count1 is the total of all the counts for 00:00 to 00:59 for all the days (so far) in the current week, hour 0 for count2 is the total of all the counts for 00:00 to 00:59 for all the days in the previous week, etc.?
I'm sorry if I'm causing confusion, and I'm not sure if you would call this drilldown. My requirement: I have two input fields (type - radio buttons). Depending on what value the user selects I want the filters to apply on two of the fields in the table, namely node & outcome. For this I've written these statements in the table query:

| search node="$form.tokenNode$" outcome="$form.tokenSwitch$"

Node (radio button has the options below): ABC, DEF, XYZ
Outcome (radio button has the options below): True, False, Both

If I use one radio button field (let's say just node) it works; however, when I add the second one it doesn't work. Meaning when I'm selecting node values from the radio button, the table is reloading & filtering the data based on the node value selected. I want the same to work for the second radio button as well. Here is how these inputs (radio buttons) look:

<input type="radio" token="tokenNode" searchWhenChanged="true">
  <label>Node</label>
  <choice value="ABC">ABC</choice>
  <choice value="DEF">DEF</choice>
  <choice value="XYZ">XYZ</choice>
  <default>ABC</default>
  <initialValue>ABC</initialValue>
</input>
<input type="radio" token="tokenSwitch" searchWhenChanged="true">
  <label>Outcome</label>
  <choice value="True">True</choice>
  <choice value="False">False</choice>
  <choice value="Both">Both</choice>
  <default>True</default>
  <initialValue>True</initialValue>
</input>

Hope I'm able to explain it.
Yes, I want to do the hourly count (0-23) on the X axis. X axis = hour of the day (stored in the field Time). Y axis: 3 lines (Count1, Count2, Count3). Count1: corresponds to the count of records of the current week at a particular hour. Count2: corresponds to the count of records of the current week - 1 at a particular hour. Count3: corresponds to the count of records of the current week - 2 at a particular hour. Result should be like below:
Given that the number of orders is always 1 (as previously explained and shown in your screenshot), the dedup is not actually doing anything useful and can be removed. This could affect the orders field in that it could be more than 1. This could be resolved by either evaluating it to 1 after the stats command, or by using distinct count | stats dc(Ordernumber) AS orders by area aisle section movement_category movement_type Ordernumber _raw
This seems a bit confused - drilldown happens when the user clicks on a cell in the table. In your instance, this appears to set two tokens to the same value (based on where the user clicked). Your search also includes using the value of two input tokens. When either of these inputs is changed, the search will run again, using the new values of the tokens. This isn't drilldown. This is just how inputs and tokens work. Please can you try to give more concrete examples of what your events look like, what the rest of your dashboard looks like, what you would like to happen when the user interacts with your dashboard, etc.?
You will need to clarify what it is you are trying to do - do you want an hourly count i.e. the x-axis is 0-23? If so, what has weekly counts got to do with it? What are count1, count2 and count3 in this respect? What does your source data look like and what do you want your results to look like?
@ITWhisperer Thanks for your response. As per your suggestion I will take care of the join and replace it with the lookup command. I am adding screenshots of the results so that you can get a little more clarity. Below are the results while executing the above query. The order number is the same but one entry is for "Storage" & the other one for "Retrieval". Job inspection while executing the above query. Do you have any suggestion so that I can replace dedup with some more optimized command?
We set up a SAML login with Azure AD for our self-hosted Splunk Enterprise. When we try to log in we are redirected to https://<instance>.westeurope.cloudapp.azure.com/en-GB/account/login which displays a blank page with {"status":1}. So login seems somehow to work, but after that it gets stuck on this page, and in splunkd.log I can see the following error message:

"ERROR UiAuth [28137 TcpChannelThread] - user= action=login status=failure reason=missing-username"

So it sounds like there is maybe something wrong in the claims mapping? Here is my local/authentication.conf:

[roleMap_SAML]
admin = test

[splunk_auth]
constantLoginTime = 0.000
enablePasswordHistory = 0
expireAlertDays = 15
expirePasswordDays = 90
expireUserAccounts = 0
forceWeakPasswordChange = 0
lockoutAttempts = 5
lockoutMins = 30
lockoutThresholdMins = 5
lockoutUsers = 1
minPasswordDigit = 0
minPasswordLength = 8
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordUppercase = 0
passwordHistoryCount = 24
verboseLoginFailMsg = 1

[authentication]
authSettings = saml
authType = SAML

[authenticationResponseAttrMap_SAML]
mail = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
realName = http://schemas.microsoft.com/identity/claims/displayname
role = http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

[saml]
caCertFile = /opt/splunk/etc/auth/cacert.pem
clientCert = /opt/splunk/etc/auth/server.pem
entityId = <instance>.westeurope.cloudapp.azure.com
fqdn = https://<instance>.westeurope.cloudapp.azure.com
idpCertExpirationCheckInterval = 86400s
idpCertExpirationWarningDays = 90
idpCertPath = idpCert.pem
idpSLOUrl = https://login.microsoftonline.com/<tentantid>/saml2
idpSSOUrl = https://login.microsoftonline.com/<tentantid>/saml2
inboundDigestMethod = SHA1;SHA256;SHA384;SHA512
inboundSignatureAlgorithm = RSA-SHA1;RSA-SHA256;RSA-SHA384;RSA-SHA512
issuerId = https://sts.windows.net/<tentantid>/
lockRoleToFullDN = true
nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
redirectPort = 0
replicateCertificates = true
signAuthnRequest = false
signatureAlgorithm = RSA-SHA1
signedAssertion = true
sloBinding = HTTP-POST
sslPassword = <pw>
ssoBinding = HTTP-POST

Does anyone have a hint what could go wrong in our setup? Thanks in advance!
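A practical way to narrow down a reason=missing-username failure is to look at the actual SAML Response the identity provider posted back to Splunk and check what Splunk would see: the NameID (which Splunk uses as the username), the claims named in the [authenticationResponseAttrMap_SAML] stanza, and the signature algorithm. The script below is an added diagnostic example, not part of the post above and not Splunk's or Microsoft's code. It takes the claim URIs from the authentication.conf in the post; the SAML XML it parses is constructed sample data (placeholder issuer, IDs and group object ID), not a capture from the poster's tenant.

```python
"""Inspect a SAML Response the way a Splunk SP would: NameID, mapped claims, signature algorithm."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Claim URIs copied from the [authenticationResponseAttrMap_SAML] stanza in the post.
ATTR_MAP = {
    "mail": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "realName": "http://schemas.microsoft.com/identity/claims/displayname",
    "role": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

# Constructed sample response (not a real Azure AD capture): issuer, IDs and the
# group object ID are placeholders. It deliberately omits the displayname claim.
SAMPLE_OK = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with an empty NameID: the shape that leaves the SP with no username.
SAMPLE_EMPTY_NAMEID = SAMPLE_OK.replace(b"alice@example.com</saml:NameID>", b"</saml:NameID>")

# The browser posts the response base64-encoded in the SAMLResponse form field.
SAMPLE_OK_B64 = base64.b64encode(SAMPLE_OK).decode()


def decode_saml_response(b64_text):
    """Decode the SAMLResponse form field (base64) back to the XML bytes."""
    return base64.b64decode(b64_text)


def inspect_saml_response(xml_bytes):
    """Return NameID, the claims the Splunk attribute map would pick up, and any problems found."""
    root = ET.fromstring(xml_bytes)
    report = {"name_id": None, "name_id_format": None, "attributes": {},
              "signature_algorithms": [], "issues": []}

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        report["issues"].append("no plain Assertion element (encrypted assertion or wrong document?)")
        return report

    # Username comes from the NameID; an absent or empty one matches reason=missing-username.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        report["issues"].append("NameID missing or empty: no username for Splunk, expect reason=missing-username")
    else:
        report["name_id"] = name_id.text.strip()
        report["name_id_format"] = name_id.get("Format")

    # Collect every attribute by its Name URI, then resolve the ones authentication.conf maps.
    present = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        present[attr.get("Name")] = values
    for key, claim in ATTR_MAP.items():
        if claim in present:
            report["attributes"][key] = present[claim]
        else:
            report["issues"].append(f"claim for {key} ({claim}) not in assertion")

    # Report the XML-DSig algorithm on the Response and/or Assertion signature.
    for sig_method in root.iter(f"{{{NS['ds']}}}SignatureMethod"):
        alg = sig_method.get("Algorithm", "")
        report["signature_algorithms"].append(alg)
        if alg.endswith("rsa-sha1"):
            report["issues"].append(f"signature uses SHA-1 ({alg}); configure rsa-sha256 on IdP and SP")
    return report


if __name__ == "__main__":
    for label, doc in (("ok", SAMPLE_OK), ("empty NameID", SAMPLE_EMPTY_NAMEID)):
        print(label, inspect_saml_response(decode_saml_response(base64.b64encode(doc))))
```

To run it against a real login, capture the POST the browser makes back to Splunk's assertion consumer endpoint (browser developer tools, Network tab), copy the SAMLResponse form value and pass it to decode_saml_response. An empty or absent NameID in that capture points at the identity provider's Name ID / unique user identifier claim rather than at the Splunk attribute map; a missing claim URI points at the map. The SHA-1 finding is deliberate: the posted config signs with RSA-SHA1 and accepts SHA1 digests and RSA-SHA1 signatures inbound, and tightening both sides to SHA-256 is the usual hardening once login works.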
I have a table which is getting data from one of our indexes, somewhat like below:

<table>
  <title>Tech Spec Values for Selected Node:</title>
  <search>
    <query>index=test_index_prod sourcetype="SPEC" | eventstats max(rundate) as maxDate, max(runtime) as maxTime, count as fno | where rundate=maxDate AND runtime=maxTime | search node="$form.tokenNode$" outcome="$form.tokenSwitch$" | table node, outcome, name, class, resource | sort node, name</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <option name="drilldown">cell</option>
  <drilldown>
    <set token="tokenNode">$click.value$</set>
    <set token="tokenSwitch">$click.value$</set>
  </drilldown>
</table>

And then I have two radio button fields with token names tokenNode & tokenSwitch, both having different values. I want the drilldown to happen when any of the radio button values is selected by the user from the two radio button input fields.
Hi @ITWhisperer, it resolved my query. Time = corresponds to the hour of Time; count1 = count of records of the current week; count2 = count of records of the current week - 1; count3 = count of records of the current week - 2. I need to restrict the X axis to the hours of the current day (today) only. But when I select the global time range as today, count2 and count3 become blank. Is it possible to select the global time range as Last 30 days to fetch the last 30 days of data and view the X axis with the hour of Time, 0-24 hours (1 day)? Currently it shows 0-24 hours on the X axis many times (every hour in the last 30 days). Can you please help me with this request.
Hi @anandhalagaras1, as I said, start with the default configuration (12 CPUs and 12 GB RAM) and analyze the machine load using the monitoring console and the queues. If the queues and the load aren't too high, keep the default configuration; otherwise, add more resources. It isn't possible to give a general configuration. Ciao. Giuseppe
Extending a previously answered question is perhaps not the best way of getting your question answered, particularly when the extension is a bit vague. Please start a new question with more specifics about your particular usecase and the difficulties you are having i.e. what would you want the solution to look like.
@gcusello, thank you for your swift response. For the Deployment Master server, we have around 1,000+ client machines in our environment, so it would be helpful if you could help me with the recommended hardware specifications for this setup. As for the Heavy Forwarders, we will be ingesting over 40 GB of data daily (approximately) across both HF servers. The primary data sources include Microsoft Azure Storage Table and Blob using the Splunk Add-On for Microsoft Cloud Services, the Qualys Technology Add-On, Splunk DB Connect, and data parsing for approximately 120+ client machines per Heavy Forwarder. What would be the recommended hardware specifications for these servers?
There is no single good answer to such a question. A Deployment Server (not Deployment Master), depending on your environment size and configuration parameters, can run perfectly well on a relatively small server (like 4 CPUs and 8 GB; if you disable the GUI, probably even smaller) but can need to be load-balanced over several quite big machines if you have many clients and many often-changing apps. As for the HF, the good thing is that you don't have to have just one HF in your environment (technically, you can have multiple separate DS instances for separate segments of your deployment, but it makes app management more troublesome). So you can start with a moderately sized HF (like a reference all-in-one server) and either scale up by adding cores/memory if you start lacking resources, or add more HF instances and migrate some inputs there.
Hi everyone, I have configured otx alienvault taxii source in Threat Intelligence Management , as I can see in logs some data was downloaded successfully, but is there a way to know which data exactly?