All Posts

@FQzy   You can check the _internal logs to find the specific error related to "failed to create input" in the app by using the following search query: index=_internal source=*cisco*. You can also f... See more...
@FQzy   You can check the _internal logs to find the specific error related to "failed to create input" in the app by using the following search query: index=_internal source=*cisco*. You can also filter the logs by setting the log level to "error." For troubleshooting any add-ons, refer to the "Troubleshoot Add-ons" document available in the Splunk Documentation. Troubleshoot add-ons - Splunk Documentation. You can provide internal error to developer team for future investigation. Also, @PickleRick response was not generated using any AI. 
hey there!!
Right-click on the chart area and choose Select Data. Click Add and enter Duration as the series name. Select cells E5:E11 as the series values and click OK. The Edit Series window will reappear. Click OK. Click OK on the Select Data Source window. The duration will be added to the chart.
Hi all,  I am trying to show the connected duration, which is calculated using the transaction command, in a timechart. When I try the query below, the entire duration shows in the earliest timestamp (start time) as a single column. I would like to show the connected duration in a column chart, with the area between start and end time colored.  For example, if a device was connected from 20th August to 23rd August, I want the column to extend across these days. Currently, the entire duration is shown on the 20th date alone. Kindly let me know your suggestions to implement this.
Query:
| transaction dvc_id startswith="CONNECTED" endswith="DISCONNECTED"
| timechart sum(duration) by connection_protocol
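One way to produce the per-day distribution the question asks for, as an added example that is neither code from the post above nor Splunk's own: it pairs CONNECTED/DISCONNECTED events per dvc_id the way transaction does, then cuts each session at every bucket boundary so its seconds land in every day it overlaps rather than only in the start day. The sample events, the field name "status" that carries CONNECTED/DISCONNECTED, and the 1-day span are constructed assumptions.

```python
"""Spread each CONNECTED..DISCONNECTED session across the time buckets it
overlaps, instead of crediting the whole duration to the start bucket."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not taken from the original post).  Field names
# follow the question; the CONNECTED/DISCONNECTED marker is assumed to live in
# a field called "status".  dev-1 spans four calendar days, dev-3 never closes.
SAMPLE_EVENTS = [
    {"_time": "2024-08-20T10:00:00Z", "dvc_id": "dev-1", "connection_protocol": "tcp", "status": "CONNECTED"},
    {"_time": "2024-08-21T01:00:00Z", "dvc_id": "dev-2", "connection_protocol": "udp", "status": "CONNECTED"},
    {"_time": "2024-08-21T03:30:00Z", "dvc_id": "dev-2", "connection_protocol": "udp", "status": "DISCONNECTED"},
    {"_time": "2024-08-23T06:00:00Z", "dvc_id": "dev-1", "connection_protocol": "tcp", "status": "DISCONNECTED"},
    {"_time": "2024-08-24T12:00:00Z", "dvc_id": "dev-3", "connection_protocol": "tcp", "status": "CONNECTED"},
]

DAY = timedelta(days=1)


def parse_time(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pair_sessions(events, open_until=None):
    """Mimic `transaction dvc_id startswith=CONNECTED endswith=DISCONNECTED`:
    per device, pair each CONNECTED with the next DISCONNECTED.  A session that
    never disconnects is closed at `open_until` if given, otherwise dropped."""
    open_sessions = {}
    sessions = []
    for ev in sorted(events, key=lambda e: parse_time(e["_time"])):
        t = parse_time(ev["_time"])
        key = ev["dvc_id"]
        if ev["status"] == "CONNECTED":
            open_sessions[key] = (t, ev["connection_protocol"])
        elif ev["status"] == "DISCONNECTED" and key in open_sessions:
            start, proto = open_sessions.pop(key)
            sessions.append((start, t, proto))
    if open_until is not None:
        for start, proto in open_sessions.values():
            sessions.append((start, open_until, proto))
    return sessions


def bucket_floor(t, span):
    """Align t down to a span boundary measured from the Unix epoch (UTC),
    which is how timechart aligns whole-day buckets."""
    secs = span.total_seconds()
    ts = t.timestamp()
    return datetime.fromtimestamp(ts - (ts % secs), tz=timezone.utc)


def split_interval(start, end, span):
    """Return {bucket_start: seconds} with [start, end) cut at every bucket boundary."""
    out = {}
    cur = start
    while cur < end:
        bucket = bucket_floor(cur, span)
        seg_end = min(bucket + span, end)
        out[bucket] = out.get(bucket, 0.0) + (seg_end - cur).total_seconds()
        cur = seg_end
    return out


def connected_seconds_by_bucket(events, span=DAY, open_until=None):
    """The desired `timechart span=1d sum(duration) by connection_protocol`, but
    with each session's seconds distributed over the buckets it overlaps.
    Keys are ISO bucket start times; values map protocol -> seconds."""
    chart = defaultdict(lambda: defaultdict(float))
    for start, end, proto in pair_sessions(events, open_until):
        for bucket, secs in split_interval(start, end, span).items():
            chart[bucket.isoformat()][proto] += secs
    return {b: dict(p) for b, p in sorted(chart.items())}


if __name__ == "__main__":
    for bucket, per_proto in connected_seconds_by_bucket(SAMPLE_EVENTS).items():
        print(bucket, per_proto)
```

The reason the original query piles everything onto the 20th is that transaction stamps the whole transaction with its earliest event's _time, and timechart then sums duration into that one bucket; any fix, whether in SPL or outside it, has to expand a session into one row per overlapped bucket before the sum, which is what split_interval does here.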
Anyway I tried the CLI manner and it works. So not sure why there is an issue on the browser though.    
Thanks for the suggestion. I don't think the Domain Controllers from two different client setups out of a number of clients that we look after would be considered a large environment - it's not been every DC, just a few random ones. One setup has about 300 workstations / accounts talking to a DC, another is a management zone, with a 100 or so accounts and a small quantity of servers for providing services.
Hello, I am running Splunk Enterprise 9.2.2. I am trying to install Python for Scientific Computing for Windows as I am running it on a Windows Server.  Python for Scientific Computing (for Windows 64-bit) | Splunkbase However, I am getting the following errors when I try installing the application. I tried with the tgz file, and also with the extracted tar file, but both have the same issue. It looks like the webpage at https://localhost:8000/en-US/manager/appinstall/_upload might be having issues, or it may have moved permanently to a new web address. ERR_CONNECTION_ABORTED Is it due to the file size being overly huge? And what could be the solution? Thanks
I have a Splunk Cloud instance that receives logs from a Linux server that has a Splunk Heavy Forwarder on it. I am trying to update the Forwarder to 9.3.x, but found online I should step to 9.2.x first. It appears on the server that it's updated, and running Splunk 9.2.0 as expected. I am also seeing metrics.log files being shown on my cloud instance. But none of the other logs I have pushing from this server are showing up. When I check the Splunk app CMC, it appears that the update has taken and is now showing in compliance. I am not sure what I am doing wrong, or what logs you might need to help further figure out where the issue is. I only have about 6 months of Splunk experience so forgive me if this is a silly question.
You deserve all the kudos.  We had app and custom did the trick. 
We ended up disabling fapolicyd and testing the install again. It worked. After it was configured, we enabled fapolicyd and is still working.
@PickleRick Thank you for the prompt response. I still don't see how I can get the Status in GCP for the Kubernetes pods?  
I want to get the date when the Splunk admin credential got changed, is there any way to get it?
Yes! a combination of makemv delim="," views and mvexpand views got me what I was looking for. thanks!
For web.conf, change the AuthMethod and add the PivOid list:
certBasedUserAuthMethod = PIV
certBasedUserAuthPivOidList = 1.3.6.1.4.1.311.20.2.3, Microsoft Universal Principal Name
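As an added illustration of what that OID selects (this is not Splunk's code and not part of the post above): in a PIV certificate the user principal name is carried in the subjectAltName extension as an otherName whose type-id is 1.3.6.1.4.1.311.20.2.3, with the UPN itself as a UTF8String. The block below builds a constructed SAN extension value in DER, then parses it back and returns only the UPN entries, skipping the rfc822Name and dNSName entries that also live in a SAN. The names in it are made up, and the tiny DER encoder exists only to build that sample.

```python
"""Extract the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) from an
X.509 subjectAltName extension value.  The DER sample is constructed here."""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"


# --- minimal DER encoder, only used to build the constructed sample SAN ---

def der_len(n):
    """DER length: short form below 0x80, otherwise 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER (base-128 arcs, first two merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def build_san(upn=None, email=None, dns=None):
    """SubjectAltName ::= SEQUENCE OF GeneralName.  otherName is [0] constructed
    (OID then [0] EXPLICIT value); rfc822Name is [1]; dNSName is [2]."""
    names = b""
    if upn is not None:
        names += der(0xA0, encode_oid(UPN_OID) + der(0xA0, der(0x0C, upn.encode())))
    if email is not None:
        names += der(0x81, email.encode())
    if dns is not None:
        names += der(0x82, dns.encode())
    return der(0x30, names)


# --- decoder: what a PIV-aware login has to do with the OID from web.conf ---

def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def san_upns(san_der):
    """Return every UPN found in a SAN extension value; other name forms are ignored."""
    tag, seq, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    upns = []
    pos = 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        if tag != 0xA0:          # rfc822Name, dNSName, ... are not otherName
            continue
        oid_tag, oid_content, p = read_tlv(content, 0)
        if oid_tag != 0x06 or decode_oid(oid_content) != UPN_OID:
            continue             # some other otherName type
        val_tag, val_content, _ = read_tlv(content, p)      # [0] EXPLICIT wrapper
        str_tag, str_content, _ = read_tlv(val_content, 0)  # UTF8String inside
        if val_tag == 0xA0 and str_tag == 0x0C:
            upns.append(str_content.decode("utf-8"))
    return upns


if __name__ == "__main__":
    sample = build_san(upn="alice@example.com", email="alice@example.com", dns="piv.example.com")
    print(san_upns(sample))
```

The practical point for the web.conf setting: the rfc822Name in the same certificate may carry an identical-looking address, but only the otherName with this type-id is the UPN that the PIV OID list refers to, so a parser that matches on the string alone rather than on the OID would accept the wrong field.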
And also, add the Tier into the display of the business transactions, and count the number of Business Transactions per Tier including the ones that do not have performance data. It is possible that you have the limit of 50 in a Tier. Mark
No. It's not how it works. You wrote that you want to simulate a live system. That usually means continuous generation of events and reacting to them as they are ingested. TA_eventgen does just that - it creates events based on configuration and templates.
We have also applied the same work around and will advise in a couple of days if things are looking better.
Timewrap works on output from timechart. So you need an output from timechart. To get this you need to use tstats with prestats=t option.   | tstats prestats=t `summariesonly` count from datamodel="Web" where sourcetype="f5:bigip:ltm:http:irule" by _time Web.site span=10m | timechart span=10m count as event_count by Web.site  
The error means that during execution of that script an exception was thrown at line 1245 because it tried to connect somewhere and got 403 as a response. It doesn't have anything to do with filesystem permissions.
https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/mvexpand