Well, 1s span for three days is indeed quite a lot of results but I don't see a problem with that. A run-anywhere example:

| makeresults count=3000000 | streamstats count | eval _time=_time-count/10 | eval _time=_time+((random()%10-5)) | timechart span=1s count

What version are you using? EDIT: OK, I read days where you wanted months. Still it's less than 8 million rows. It might be a bit performance-intensive but Splunk should manage provided you have enough memory. And to limit memory usage, remove the raw event value as early as possible. So:

<your initial search> | fields - _raw | timechart ...
Hi Splunk Experts, Can you please let me know how we can calculate the max and avg TPS for a time period of the last 3 months along with the exact time of occurrence. I came up with the below query, but it is showing me an error as the count of events is greater than 50000. Can anyone please help or guide me on how to overcome this issue.

index=XXX "attrs"=traffic NOT metas | timechart span=1s count AS TPS | eventstats max(TPS) as MAX_TPS | eval Peak_Time=if(MAX_TPS==TPS,_time,null()) | stats avg(TPS) as AVG_TPS first(MAX_TPS) as MAX_TPS first(Peak_Time) as Peak_Time | fieldformat Peak_Time=strftime(Peak_Time,"%x %X")
index=myindex RecordType=abc DML_Action=INSERT earliest=-4d | bin _time span=1d | stats sum(numRows) as count by _time,table_Name | sort 0 +_time -count | streamstats count as row by _time | where row <= 10
I have the below Splunk search which gives results for the top 10 only for a particular day, and I know the reason why too. How can I tweak it to get the top 10 for each date, i.e. if I run the search on 14-Oct, the output must include 10-Oct, 11-Oct, 12-Oct and 13-Oct, each with the top 10 table names with the highest insert sum?

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d | bin _time span=1d | stats sum(numRows) as count by _time,table_Name | sort limit=10 +_time -count

Thanks in advance
I suppose you're talking about Proofpoint Secure Access (formerly Zero Trust Network Access, formerly Proofpoint Meta). I doubt that you're gonna find anything relevant. Firstly, it's not a very popular solution; secondly, it's a cloud-based service so you'll most probably need some API-pulling modular input (maybe there's some on-prem component but I didn't touch the stuff so I have no experience here). And thirdly, it's getting retired at the end of 2024.
Indeed there is no direct app for it on Splunkbase, even if you look through the archive. Do you have any logging settings in the Proofpoint VPN interface, or any specific API documentation on the VPN service of Proofpoint?
The log I provided was just a sample set to show what I am searching. So, if I search for just "View Refresh" for a duration of 1 hour, I see 4 sets of events, i.e. 4 entries of "start" and "end" of each. To underline my commandments: Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search (SPL that volunteers here do not have to look at). Illustrate the desired output from illustrated data. If volunteers do not see actual data (4 sets of events), how can we tell why you do not get desired results (4 durations)?
Hello there, our shop uses Proofpoint VPN for our remote users to access on-prem resources. I've been looking into Splunkbase to see if there's a published app, I don't see any add-on for VPN data ingestion. I see there's a Proofpoint email security add-on, but it doesn't seem to relate to VPN logs. Any ideas what add-on/apps will work for it? Thanks.
Yes, I followed the steps. But it has not worked in this case. Still showing the below reason.
Try this: |rex "project\sid[\s\:]+(?<project_id>[^\s]+).+?is[\s\:]+(?<size>[^\s]+).+?is[\s\:]+(?<upload_time_ms>\d+)"
It goes on to say ... options in the source code. The options accept hexadecimal and RGBA formats, and can also be defined in the dashboard defaults. So try something like this:

{
  "type": "splunk.table",
  "title": "Sample title for testing color",
  "options": { "titleColor": "#ff0000" },
  "context": {},
  "containerOptions": {},
  "showProgressBar": false,
  "showLastUpdated": false
}
While syslog-ng is often used with Splunk, it is not a part of the Splunk solution, and since your question is not related to issues with "interfacing" syslog-ng with Splunk but is rather a general issue with syslog-ng itself, it'll be much better answered on its own mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Hello, 2 events do not produce 4 results; 2 events will produce just 1 result. The log I provided was just a sample set to show what I am searching. So, if I search for just "View Refresh" for a duration of 1 hour, I see 4 sets of events, i.e. 4 entries of "start" and "end" of each. So when I ran my query I was expecting 4 duration values, 1 for each set. But I get 2 duration values. RichGalloway suggested to add maxspan along with transaction. I did that, but I still get the same result, i.e. 2 duration values and NOT 4 duration values.
In release 9.2.2403 I see that: You can customize the text color of dashboard panel titles and descriptions with the titleColor and descriptionColor options in the source code... But I'm not sure how to modify the source code appropriately to make this work. If I have this basic starting point:

{
  "type": "splunk.table",
  "title": "Sample title for testing color",
  "options": {},
  "context": {},
  "containerOptions": {},
  "showProgressBar": false,
  "showLastUpdated": false
}

Where can I insert titleColor? My Splunk Cloud version is 9.2.2403.108
Since I don't control the growth of data in the Contact DB, I am trying to figure out a way to get an email alert if one of the groups exceeded the 50k limit. That's exactly what my first suggestion does: print a line if and only if one of them exceeded 50k (if you substitute 5000 with 50000). All you need is to add sendmail after that.
Trying to use syslog-ng for the latest Splunk Enterprise. I am getting the error "Failed to acquire /run/systemd/journal/syslog socket, disabling systemd-syslog source" when I try to run the service manually. This error prevents me from running the syslog-ng service in systemctl during bootup. Any idea or help would be appreciated.
Thanks for the reply.  Cheers.
Can you explain @richgalloway's main question: How can two events produce 4 transactions (durations)? Here is an emulation of the two events you illustrated, and the transaction command to follow:

| makeresults format=csv data="_raw
2024-10-10T06:30:11.478-04:00 | INFO | 1 | | xxxxxxxxxxxxxxxxx : Start View Refresh (price_vw) !!!
2024-10-10T06:30:11.509-04:00 | INFO | 1 | | xxxxxxxxxxxxxxxxx : End View Refresh (price_vw) !!!"
| eval _time = strptime(replace(_raw, "(\S+).*", "\1"), "%FT%T.%3N%z")
| sort - _time
``` the above emulates index=* ("Start View Refresh (price_vw)" OR "End View Refresh (price_vw)") ```
| transaction endswith="End View Refresh" startswith="Start View Refresh"

The result is:

_raw: 2024-10-10T06:30:11.478-04:00 | INFO | 1 | | xxxxxxxxxxxxxxxxx : Start View Refresh (price_vw) !!!
      2024-10-10T06:30:11.509-04:00 | INFO | 1 | | xxxxxxxxxxxxxxxxx : End View Refresh (price_vw) !!!
_time: 2024-10-10 03:30:11.478
closed_txn: 1
duration: 0.031
eventcount: 2
field_match_sum: 0
linecount: 2

As richgalloway predicted, one duration.
So your timestamp extraction definition is not used because, unless &auto_extract_timestamp=true is added to the /event URI, that endpoint skips timestamp extraction completely and uses the "time" field from the event's envelope or (if there isn't one) the current timestamp from the receiving component (in your case, the HF).
@PickleRick It is sending to services/collector/event