All Posts


Thanks, so this means only certain out-of-box use cases can be used immediately. The rest would need some work to be done.
Hello @solg @bendeloitte, go to https://partners.splunk.com and select "My Cases".
As it's built on Node.JS, it should work. Best to try it and see if you pick up any issues.
Hi, did you find a solution?
Try both
    | eventstats values(catchup_updated_time) as catchup_updated_time, values(sky_ui_timestamp) as sky_ui_timestamp by sky_id
    | sort -sky_id catchup_updated_time
    | filldown catchup_updated_time, sky_ui_timestamp
Hi, Has anyone tried using the node.js agent to see if it will work with detecting the Nest.js framework? NestJS is a framework for building efficient, scalable Node.js web applications. It uses modern JavaScript. So don't know if this would at least partially work.
Hi Aind,  This worked for me as well! Thanks for helping us out!  
Hello, I have an issue when creating a visualization in a Splunk dashboard. I'm using Dashboard Studio, and my objective is to make a table panel with multiple tokens for each column. Is that possible in Splunk? As in this dashboard capture, is it possible that when I click on a signature value, the rest of the visualizations below the table dynamically change based on the clicked column values? The action should also apply when I click on different column values from the first table. Is this possible in Dashboard Studio?
It comes from this part:
    | join type=left sky_id
        [ search index=sky sourcetype=sky_cashfx_catchup_logs .... ....
        | table sky_id, catchup_updated_time, _raw ]
So yes, once it has that part it should filldown everything below until a populated field of catchup_updated_time, after sorting by sky_id descending. Then, once a populated field of catchup_updated_time is met, it fills down until another populated field; same for sky_ui_timestamp. This is working, but randomly it is not.
Please share your raw events and the configurations you have tried
Where would 10:02:43 come from as all these sky_id's are different?
I have logs indexed like this. How do I break entries based on each line? I need each line as a separate entry. I tried to do this via line breaker but didn't succeed. Is there any method to do it via search after indexing?
Hello, I am trying to integrate the Splunk UI Toolkit into my own Splunk instance that is running on localhost. I am using React to get a session key with the following function:
    async function GetSessionKey(username, password, server) {
      // POST the credentials form-encoded to the login endpoint and ask for JSON output
      var key = await fetch(server + "/services/auth/login", {
        method: "POST",
        body: new URLSearchParams({
          username: username,
          password: password,
          output_mode: "json",
        }),
        headers: {
          "Content-Type": "application/x-www-form-urlencoded",
        },
      })
        .then((response) => response.json())
        .then((data) => {
          // The session key is returned in the "sessionKey" field of the JSON body
          return data["sessionKey"];
        });
      return key;
    }
But I always get this showing on my network:
With HF - it can be complicated because the problem here typically would be not to have multiple instances but to _not_ have multiple input instances running at the same time and you'd need to replicate the state of the inputs in case of a need for fail-over. There is nothing out-of-the-box to do it. You can devise something with zip ties and duct tape but those solutions typically have some issues specific to the chosen architecture. Of course if you're not running any scripted/modular inputs and only have HFs as a "parsing layer" in front of indexes, there is no problem with having multiple HFs receiving data from UFs. With SC4S there is no problem with running multiple instances. The problem is that you want the sources to send only to one of them. You can try to do some tricks with "floating IP" either on the hosts themselves using keepalived or something similar or on the router using some form of network-level load-balancing but it doesn't give you 100% guarantee of no data loss during the switchover period. It's just how the syslog works.
And back to the original question - I suspect it's just how it works. Macro expansion is after all just a simple string substitution, there is no complicated magic behind it. If it's something that could be useful, you might consider posting an idea on https://ideas.splunk.com
Nothing happens when I use it; it doesn't fill the rows below when I use that. The issue is happening for both catchup_updated_time and sky_ui_timestamp.
    | sort -sky_id
    | eventstats values(catchup_updated_time) as catchup_updated_time, values(sky_ui_timestamp) as sky_ui_timestamp by sky_id
Hi @ejwade, I’m a Community Moderator in the Splunk Community. The question you are replying to was posted a couple of years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question with errors so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
Hi @PeterBoard, in fact we recently faced the same issue on a domain controller server where the UF stopped sending data; we found that the queues had filled up. Support asked us to change useACK to False to avoid the issue, and they said it is not recommended to use useACK=true on a UF. In your case, did you observe any errors in splunkd.log during the issue?
So what happens if you use eventstats instead of filldown?
How can we do high availability for Heavy Forwarders and SC4S?