Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hoping someone can point me in the right direction. Our Splunk monitoring keeps reporting 90-100% CPU utilization; however, when checking the servers, one core will be close to maxing out during a few functions for up to 20 min, but the rest of the cores are quite low, with no perf issues on the server. So I'm looking for a better way to report: is there core-level monitoring, or a field I can add to the CPU monitoring to address this? Thank you in advance.
Hello, I have onboarded data into Splunk that has multiple timestamps in the event, in different formats. I believe my props settings are correct; however, it's giving an error in splunkd.log. Please advise.

Error details:

    DateParserVerbose [99999 merging_0] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (16) characters of event. Defaulting to timestamp of previous event

Event details:

    Jul 10 14:19:08 abcdefgh81 dnsmask Jul 10 14:19:08 dnsmask[1520]: cached abcdefg43.wellness.com is 10.220.200.72
    Jul 10 14:19:08 abcdefgh81 dnsmask -- [10/July/2022:18:10:10 -9900] dnsmask[1520]: cached abcdefg43.wellness.com is 10.220.200.72

Here are my props settings:

    TIME_PREFIX = ^
    TIME_FORMAT = %b %d %H:%M:%S
    MAX_TIMESTAMP_LOOKAHEAD = 16
Getting 404 errors when trying to access the MC Summary and Health Check pages after an upgrade from 8.1.5 to 8.2.7. The first error is:

    monitoringconsole_landing.js:283 Uncaught (in promise) TypeError: _swcMc.ThemeUtils.getReactUITheme is not a function

etc. etc. Has anyone seen something similar? Other pages in the MC work fine.
My question is about this solution: https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/288846#M9051. I do not have admin rights. When I run this query I get the following warning: "Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability". In the result I get only a partial listing. Is there anything I can do besides engaging admins to run the query for me? We use Splunk Enterprise version 8.2.1.
We are, unfortunately, having to change index names to match a naming convention. I have a list of indexes that need to be "renamed". For routing to the new indexes, rather than track down all the configs, which are managed with DS, Chef, and other tools, I would like to use props/transforms on the HWFs and IDXs to look at every event and, if it was destined for index foo, send it to index foo.

Here is what I have on a single Splunk instance, in system/local (for simplicity and for testing the config):

props.conf:

    [default]
    TRANSFORMS-foo_idx_rename = foo_idx_rename

transforms.conf:

    [foo_idx_rename]
    SOURCE_KEY = MetaData:Index
    REGEX = (foo)
    DEST_KEY = _MetaData:Index
    FORMAT = bar

I've tried:

    REGEX = foo
    REGEX = "foo"
    REGEX = "*foo*"
    REGEX = index::foo

Nothing I've tried seems to work. Questions I have: What is the actual value that the regex needs to evaluate for the index metadata field (i.e. index::foo or just foo)? Are double quotes required in the regex? Must there be ()'s? I've seen a couple of examples that say they work, but when I copy them verbatim, they do not.
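For reference, here is the index-routing pair as an added example; it is not the poster's configuration and not copied from Splunk's documentation. It assumes that the index an event is headed for is read through the `_MetaData:Index` key (leading underscore, the same key the post already uses for DEST_KEY), that the value of that key is the bare index name with no `index::` prefix, and that the rename is `foo` to `bar`. Both files are shown in one block for readability; on disk they are separate. Confirm the assumptions on a non-production instance with `splunk btool transforms list foo_idx_rename --debug` and a test event before rolling this out.

```ini
# props.conf (added example). [default] applies the transform to every sourcetype,
# which an index rename needs, but it also means every event pays for the regex.
[default]
TRANSFORMS-foo_idx_rename = foo_idx_rename

# transforms.conf (added example)
[foo_idx_rename]
# ASSUMPTION: the destination index is exposed to transforms through _MetaData:Index
# (leading underscore) and its value is the bare index name ("foo"), not "index::foo".
# MetaData:Host / MetaData:Source / MetaData:Sourcetype carry a "host::" style prefix;
# the index key does not.
SOURCE_KEY = _MetaData:Index
# Anchor the match so "foo" does not also catch "foobar" or "myfoo". No quotes: the
# value of REGEX is a raw PCRE, so REGEX = "foo" looks for a literal double quote.
REGEX = ^foo$
DEST_KEY = _MetaData:Index
FORMAT = bar
```

Capturing groups are not required when FORMAT is a fixed string; they only matter if FORMAT refers to $1. Because the stanza lives under [default], it has to sit on the first full (parsing) instance the data reaches, a heavy forwarder or the indexer; a universal forwarder does not run transforms. Ordering matters as well: if a later TRANSFORMS- stanza in the chain routes events into foo, it overrides this one.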
Hi, I have the following query: 1) Does Splunk provide a detailed document/write-up on architecting observability for Apigee (Private Cloud), covering the Apigee platform components and Apigee API proxies? 2) Is there any detailed documentation on architecting and configuring observability with respect to compliance/alerts when handling Apigee Private Cloud?
Is there any API we could use to query Splunk performance/monitoring metrics? We want to leverage the data for our internal analysis. We see the data in the Monitoring Console, but we want to query it programmatically.
First, let me explain my intention: I am attempting to create a query that would notify our team of a "stuck order". An order is "stuck" when one team has produced an event and another team has not responded to said event. In this specific case, one team is producing an AuthorizationSucceeded event and another team is expected to produce a FraudDeclined/Approved event. I have tried using map, but I need to find the orderIds that do not exist in the second search, so I have moved on to subsearches using NOT. Here is my current query, but it is not producing the results I want. Ideally I want a list of orderIds that exist in:

    index=app_pci source=http:nepp host=nepp-service-v3-prod message.message="Attempt to produce Kafka event finished: AuthorizationSucceeded*"

but not in:

    index=app_pci source=http:nepp host=nepp-service-v3-prod message.message="Attempt to produce Kafka event finished: AuthorizationSucceeded*"

Here is my query thus far:

    index=k8s_main container_name=fraud-single-proxy-listener message="Successfully handled AuthorizationSucceeded event*"
    NOT [search index=app_pci source=http:nepp host=nepp-service-v3-prod message.message="Attempt to produce Kafka event finished: AuthorizationSucceeded*"
        | rename properties.orderId as contextMap.orderId
        | table contextMap.orderId]

Any help would be amazing.
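A single-search alternative, added here as an example and not the poster's own query: instead of a subsearch, pull both sides into one search and compare them per orderId with stats. It assumes the producer side carries the id in properties.orderId and the consumer side in contextMap.orderId (the two names the post renames between), that the fraud listener's "Successfully handled AuthorizationSucceeded event" message is the response to wait for (swap in the FraudDeclined/FraudApproved message if that is the real signal), and a 15-minute grace period; all three are assumptions.

```spl
(index=app_pci source=http:nepp host=nepp-service-v3-prod
    message.message="Attempt to produce Kafka event finished: AuthorizationSucceeded*")
OR
(index=k8s_main container_name=fraud-single-proxy-listener
    message="Successfully handled AuthorizationSucceeded event*")
| eval orderId=coalesce('properties.orderId', 'contextMap.orderId')
| eval side=if(index="app_pci", "produced", "handled")
| stats min(eval(if(side="produced", _time, null()))) AS produced_at,
        count(eval(side="produced")) AS produced,
        count(eval(side="handled")) AS handled
        BY orderId
| where produced > 0 AND handled = 0 AND produced_at < relative_time(now(), "-15m")
| eval age_min=round((now() - produced_at) / 60)
| table orderId produced_at age_min
```

The stats form makes the direction of the check explicit (produced > 0 and handled = 0), which is easy to get backwards with NOT [search ...], and it avoids the subsearch limits that make that form silently incomplete: by default a subsearch returns at most 10,000 results and is cut off after 60 seconds, and whatever is dropped is no longer excluded. Run it over a window longer than the grace period so the response event has had a chance to appear, and alert when the result count is greater than zero.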
We would like to track our Splunk Enterprise cluster performance to keep an eye on whether we have sufficient resources allocated. As part of this we would like to track average search queue volume and wait time, but I have had a hard time finding any way to generate this data. Is this data exposed anywhere for searching in Splunk? We are already using the MC saturated event queue for the indexers, as well as CPU/memory usage for both indexers and search heads.
Need help in building a REST API in Splunk ES for Oracle IDCS.
Hi, we are trying to process and ingest AWS S3 events into Splunk, but noticed a few events are getting split. After checking the configuration we realized this should be caused by Splunk's internal parsing algorithm. Please let us know if there are any issues in my configuration, or could it be something related to the Splunk parser? Below are the entries in props.conf and transforms.conf:

props.conf:

    [proxy]
    REPORT-proxylogs-fields = proxylogs_fields,extract_url_domain
    LINE_BREAKER = ([\r\n]+)
    # EVENT_BREAKER = ([\r\n]+)
    # EVENT_BREAKER_ENABLE = true
    SHOULD_LINEMERGE = false
    CHARSET = AUTO
    disabled = false
    TRUNCATE = 1000000
    MAX_EVENTS = 1000000
    EVAL-product = "Umbrella"
    EVAL-vendor = "xyz"
    EVAL-vendor_product = "abc"
    MAX_TIMESTAMP_LOOKAHEAD = 22
    NO_BINARY_CHECK = true
    TIME_PREFIX = ^
    TIME_FORMAT = %Y-%m-%d %H:%M:%S
    TZ = UTC

transforms.conf:

    [proxylogs_fields]
    DELIMS = ","
    FIELDS = Timestamp,policy_identities,src,src_translated_ip,dest,content_type,action,url,http_referrer,http_user_agent,status,requestSize,responseSize,responseBodySize,sha256,category,av_detection,pua,amp_disposition,amp_malwarename,amp_score,policy_identity_type,blocked_category,identities,identity_type,request_method,dlp_status,certificate_errors,filename,rulesetID,ruleID,destinationListID,s3_filename

Example of the events:

    "2022-06-27 08:57:14","wer.com","1.1.1.1","1.1.1.1","10.10.10.10","image/gif","ALLOWED","https://www.moug.net/img/btn_learning.gif","https://www.mikhgg.net/tech/woopr/0025.html","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.124 Safari/537.36 Edg/102.0.1245.44","200","","3571","3328","1a146b09676811234dddccd6dc0ee3cf11aa1803e774df17aa9a49a7370a40ec","Allow List,Fashion","","","","","","AD Users","","wer.com","AD Users,Network Tunnels","GET","ALLOWED","","btn_learning.gif","13347559","346105","15065619",2022-06-27-09-50-ade8.csv.gz

Events as seen in Splunk:
Does anyone know how I can integrate SentinelOne with Splunk? Is there any documentation I can follow, or something similar? Thank you.
Hi! Can we currently create a bar chart with a chart overlay in Dashboard Studio?
Hi all, I'm trying to create a search that gives me back a table of all apps and the number of users that have access to each. I can generate a list of all indexes and the number of users that have access to them, but I can't think of a way to do the same with apps. I can generate who has accessed an app and when, but I can't seem to generate a list with the number of users that have access to a specific app. Anyone with an idea?
Hi All, I want to display a panel depending on the value clicked by a user in a table of results. Let me explain the problem with the example below. Say I have a dashboard which lists the top 3 products sold and their related figures.

Panel 1 = top 3 products sold (let the product names be A, B and C).
Panel 2 = an interactive panel which displays sales figures and more information about product A, only when a user clicks on the product A event in panel 1.
Panel 3 = an interactive panel which displays sales figures and more information about product B, only when a user clicks on the product B event in panel 1.
Panel 4 = an interactive panel which displays sales figures and more information about product C, only when a user clicks on the product C event in panel 1.

This means that at any time my dashboard would display only 2 panels: panel 1 and panel 2, 3 or 4 (depending on the product event clicked by the user).

My approach to solve this: I am trying to use drilldown on panel 1 to capture the clicked value and store it in a token. Then I am using <condition> to match the value captured in that token to set and unset tokens related to panels 2, 3 and 4. Then I'm using these tokens to show (depends) and hide (rejects) panels 2, 3 and 4. Doing this, I'm getting warnings such as "<set> is not allowed in condition-drilldown block" etc. Can anyone please guide me on how to solve this problem? Thanks, Sajal
Hello, I want to use the "Parallel Coordinates" chart in Dashboard Studio, but no matter what size it has, it always truncates labels to 6 characters and 3 dots. Strangely, when I use this chart to visualize an SPL query, the labels are displayed in full length. Does anyone know what I should change in Dashboard Studio to get labels in full length? Best regards, Daniel
Hi, I'm looking at creating an alert for an increase in IIS requests compared to a previous date, based on a percentage. I just wondered if this was possible? Thanks, Joe
I found this source somewhere in the community and it works fine:

    <row>
      <panel>
        <input type="link" token="refresh" id="color_button1">
          <label></label>
          <choice value="Yes">Ververs Overzicht</choice>
          <change>
            <condition value="Yes">
              <set token="refresh_delay">1</set>
            </condition>
          </change>
        </input>
      </panel>
    </row>

The colors of the button are grey with a white background. I would like to change this to colors that stand out more, for example a green background. I've tried several things but without the desired result. Is it possible to change the colors of the button?
Hi All, I need two input panels, a dropdown and a textbox, such that the dropdown gives a list of macros and, when one of the options is selected, its corresponding macro definition gets loaded into the textbox. The underlying idea is to build a dashboard which helps to test and debug the code of each macro when it gets applied to the base search. Thus, when the macro definition is loaded into the textbox, the user needs to be able to edit and change the code in the textbox and apply it to the base search without modifying the actual macro definition during the debugging process. Thank you
I can't find the Splunk Enterprise RPM 7.2.6 download link. If anyone can show me where I can download the 7.2.6 version, I will be grateful.