How can I display the subsearch_scheduler?

index=_internal [ inputlookup splunk-servers | search splunk-component="Search Head" | fields host] source=/opt/ovz/splunk/var/log/splunk/scheduler.log [search index=_internal [ inputlookup splunk-servers | search splunk-component="Search Head" | fields host] log_level=ERROR component=SearchMessages sid=subsearch_scheduler* | table sid | dedup sid] | stats count values(savedsearch_name) dc(savedsearch_name) by user | sort - count

I have records like this:

_time  id  status
1      x   yes
1      x   no
2      x   yes
1      x   unknow

I want to return the record based on the status value: if a status has yes, then return the latest row that has yes. If there is no yes value, then I want the row with no; if there is neither a yes nor a no, return the unknow row.

Disclaimer - fairly new to Splunk. I'm stuck on building a table for a dashboard. I would like to list a table of Computer Names with columns displaying the last 5min average values for CPU% / Mem% / DiskTransfers / etc. The search is:

index=azure sourcetype="mscs:azure:eventhub:vmmetrics" body.Computer=* body.ObjectName="Processor" | stats first(body.CounterValue) by body.Computer

That gives me the last Processor value for each Computer. (I can't do the 5min average - that can be a bonus point answer!) How would I add the same search into the table but replacing the body.ObjectName field value with body.ObjectName="Memory" and then body.ObjectName="DiskTransfers", and then combine that into one table? Thanks for helping.

Hello, here is my data! Basically everything is in the same table, however I separated it to better explain my problem!

number  customer  ref
1       1         A
2       1         B
3       1         C
4       2         D

number  customer  ref
2-1     X         B
2-2     X         B
3-1     X         C

I would like a table that groups all the data as you can see here, with an order as you can see, made by a correlation on the "ref":

number  customer  ref
1       1         A
2       1         B
2-1     X         B
2-2     X         B
3       1         C
3-1     X         C
4       2         D

I have already tried many things: the map, the append, the foreach, etc. Do you have any ideas? Thank you.

When you run the following:

https://<IP Address of Splunk instance>:<PortNumber>/en-US/debug/refresh

What exactly do you refresh? E.g. indexes.conf, reading for new applications installed into Splunk? Is there a page I can reference as to what it does, and a list of what it refreshes? Thank you in advance for any help provided.

Hi All, I'm totally new to Splunk. Please let me know if anyone can explain what the search heads below are, from the perspective of installing an app.

1- AdHocSH
2- Premium SH
3- SH Cluster
4- IDM

We are using Splunk Enterprise version 8.2.3 and are currently solving an issue with displaying a line chart. Using the search and visualizing it as a line chart works properly with the time range from 20:00 to 20:30 with span=1m, but not with the time range from 20:00 to 21:00 and span=1m.

Time range 20:00-20:30: the line chart looks ok with time range 20:00-20:30.

In the dashboard the line chart looks ok as well with time range 20:00-20:30.

But in this case, with time range 20:00-21:00, the line chart in the dashboard is incomplete; there is a 13 min gap with 0. Here you can see the 13 min gap, and we don't know why, because we have events to display.

Events with time range 20:00-21:00 look ok.

The search is working properly here but not in the dashboard. Can you explain this weird behavior to me, and where the issue is, please? Thank you in advance.

Hi All, please let me know if anyone can help me with this query. I need a query to find the total number of network devices reporting to the indexer for any specified time range.

To try something new, I decided to try my hand at creating one of my new dashboards in Dashboard Studio. I'm running into an issue that I can't seem to overcome. I have a table which is using an SPL search as a data source. One of the fields is "zip code". When viewing the SPL in search, the zip code displays as intended (i.e. 5 characters, with leading zeros intact). However, when I add it to the table object in DS, it detects that column as a number, which in turn cuts off any leading zeros. I have tried everything I can find in the documentation regarding column formatting, but can't seem to convert it back to string. Any ideas on how to either prevent the table from detecting it as a number, or how to convert it back to string once it's loaded in?

Every time I run a specific SPL query (I cannot reveal it due to some security process), I am getting the below error:

Currently displaying the recent 1000 events in the select range .Select a narrow range or zoom in to see more events.

Please help me resolve this issue. Please provide Splunk documentation if any.

Hi, when creating a health rule, "use data from last ----- mins" (1 to 120 mins): is this a rolling time window? Like every time it calculates the last X minutes? Is there any way to choose a static timeframe? Meaning, choose the first 5 mins of data for evaluation, and the next time choose the next 5 mins for evaluation. Thanks, Viji

Hi, how do I suppress the notable events in Splunk ITSI? And when an episode breaks, will the related notable events get cleared? And when a new episode gets created, will the related notable events count be a fresh count from the time of episode creation, or will it be accumulated from the previous count? Please clarify. Thanks!

I have this dropdown which produces correct results:

<input type="dropdown" token="tUser" searchWhenChanged="true">
  <label>User Name</label>
  <choice value="*">All</choice>
  <default>*</default>
  <fieldForLabel>numUsername</fieldForLabel>
  <fieldForValue>username</fieldForValue>
  <search>
    <query>index=tvlog | stats count AS "Quantity" by username | strcat username " (" Quantity ")" numUsername </query>
    <earliest>$tokEarliestTime$</earliest>
    <latest>$tokLatestTime$</latest>
  </search>
</input>

There is, among others, one user named "Support SuL" and an additional user named "Support SuL 2". Both show up in the dropdown with the correct number of connections (Quantity). BUT when I select "Support SuL" from the dropdown, the resulting table contains both users. Even worse: when I select "Support SuL 2", I get all "Support SuL 2" users and some "Support SuL" users. This is the table:

<table>
  <search>
    <query>index=tvlog $tUser$ | table start_date, end_date, duration, username, devicename | sort start_date desc | rename start_date as "Start Date" | rename end_date as "End Date" | rename username as "User Name" | rename devicename as "Device Name" </query>
    <earliest>$tokEarliestTime$</earliest>
    <latest>$tokLatestTime$</latest>
  </search>
  <option name="count">20</option>
  <option name="drilldown">none</option>
</table>

The source file is a simple UTF-8 encoded CSV. What's wrong here?

Hi fellas, how can we fetch details of a playbook like action_run_id, playbook_run_id and status? We need to monitor the health of a playbook with that data. If anyone has any ideas, please help me out.

Hi All, I have configured Splunk_TA_vmware along with SA_Hydra on our HF to collect data from vCenter. I have also installed the VMWIndex add-on on the indexer clusters as suggested in the documentation. However, the data is going to the lastchance index when I was hoping the VMWIndex add-on would take care of the proper index configuration. Is there any additional configuration I need to do to get the logs into the indexes created by the VMWIndex add-on? Attaching the indexes.conf file from the add-on. I tried adding index=index_name in the inputs.conf of the Splunk_TA_vmware add-on, but no luck. It is not having any effect and the data is still going into the lastchance index only. Kindly suggest.

Hello, I have a report that uses federated search:

index="federated:xxx" filter="Value" | rest_of_the_search

I can insert it in my dashboards as follows and it works:

<search id="base_search_name" ref="report_name"></search>

However, I now want to give an argument to this second report:

index="federated:xxx" filter=$token$ | rest_of_the_search

So that I can call it like this:

<search id="base_search_name2">
  <query>| savedsearch "report_name2" token=$dashboard_token$</query>
</search>

This does not work. Probably because "savedsearch" does not work with federated search? https://docs.splunk.com/Documentation/Splunk/9.0.1/Search/Aboutfederatedsearch

Long story short: how do I pass a parameter to a report that uses federated search?

Thanks in advance, Tom

I want to have a graph where you can easily see when that system is no longer taking Kerberos authentications. But when it doesn't show anything for over 12h, then that object is no longer in that graph. Is there a way to keep my servers showing even if there are 0 events for that time period?

index=perfmon source="Perfmon:Security System-Wide Statistics" counter="Kerberos Authentications" earliest=-12h latest=now [inputlookup Prod_DC.csv] | eval host=lower(host) | bucket span=5m _time | stats count by _time,host | eval count=if(count>0,1,0) | timechart span=5m limit=0 last(count) by host

Hi, I would like to get the servers which use only NTLMv1. So in a first search I am using this command:

index="windows" EventCode=4624 AND (host="*-toto") Authentication_Package=NTLM Package_Name__NTLM_only_="NTLM V1"

I want to inject the result of this search into a second search to retrieve the servers which are using NTLMv2. At the end of those searches I want to get the servers that only use NTLMv1. How can I proceed? Regards

I found the following log in the _audit logs. The user who ran this search cannot access internal logs, so I assume the underlined part is added by the Splunk system. Could anybody explain the following 2 questions? What does the underlined part mean? What does the field _cd mean?

search='search (index=* OR index=_*) _time>=1661000447 _time<1661000460 host="XXX" source="XXX" | eval _DBID = replace(_cd, "(\d+):\d+", "\1") | eval _OFFSET = replace(_cd, "\d+:(\d+)", "\1")']

Hi all, I am pretty new to Splunk myself. I recently installed an add-on for ingesting CAS logs from our Exchange servers on a Heavy Forwarder. Ref: Splunk Add-on for Microsoft Exchange - https://splunkbase.splunk.com/app/3225/ The Splunk universal forwarder version on the Exchange servers is currently 8.x and the Splunk version on the HF is version 9. The logs were not coming through, and we identified this was probably due to version 9 now having authentication features to communicate with the UF. So I temporarily modified the "authKeyStanza" in the restmap.conf file to "requireAuthentication = false", restarted Splunk, and recreated the server class via the web console in forwarder management. I immediately started seeing quite a few events. After getting proof of the events coming into the Search Heads also, I went back and changed the "authKeyStanza" in the restmap.conf file to "requireAuthentication = true" and restarted Splunk again. Coming to MY QUESTION NOW: will reverting my authentication value to true STOP the ingestion of those logs? I have not been able to view any error in splunkd.log, but I don't even see the latest events.