All Topics

Hello, I am configuring a custom Splunk alert. My search query is as follows:

    | dbxquery connection="FFconed_feTenant" query="select count(file_name) as file_count, DATE_FORMAT(created_at,\"%m/%d/%y %W\") as date from ida_files_inventory where created_at > Date_sub(Curdate(), INTERVAL 30 Day) and created_at < Curdate() group by DATE_FORMAT(created_at,\"%m/%d/%y %W\")"
    | fields file_count,date
    | where file_count<100
    | chart avg(file_count) as avg_count

I want to send an alert when the file_count is less than 0.95*avg_count or greater than 1.5*avg_count. So can I configure a custom alert with the condition "search file_count < (0.95*avg_count) OR file_count > (1.5*avg_count)"?
Hello, I am trying to use the Java SDK to update a lookup automatically on a daily basis. My source is a CSV file with ca. 22000 rows. My current approach (and the approach from the other thread in the community) consists of reading the CSV row by row and updating the KV Store by search jobs using outputlookup. After some hundreds of lines the server refuses the connection and my searches raise exceptions. My question is: is there a smarter way of updating the KV Store (or uploading the CSV as a whole) using the Java SDK? I can get information about the KV Store using:

    service.getConfs().get("collections").get("KV_Name")

But I did not find a way of accessing the data within the KV Store in the documentation/javadoc. Thanks in advance
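An added example, written for this page and not taken from the post or from the Splunk SDK. It shows the bulk path the post is looking for, in Python against the KV Store REST API rather than through the Java SDK: the collection data endpoint accepts a whole batch per request at `.../storage/collections/data/<collection>/batch_save` (limits.conf `max_documents_per_batch_save` defaults to 1000 documents), and a `DELETE` on `.../storage/collections/data/<collection>` empties the collection, so a daily full replace is one delete plus ceil(rows/1000) posts instead of 22000 search jobs. The app name `search`, the collection name `KV_Name`, the management host and port, and the `SPLUNK_TOKEN` environment variable are assumptions. The sender is injected so the batching logic runs offline; a real HTTPS sender with certificate verification is included for deployment.

```python
"""Replace a KV Store collection's contents from a CSV with batched REST calls.

Added example (not the post's Java code and not part of the Splunk SDK).
Assumed names: app "search", collection "KV_Name", management port 8089, and an
authentication token read from the SPLUNK_TOKEN environment variable.
"""
import csv
import io
import json
import os
import ssl
import urllib.request
from typing import Callable, Dict, List

# limits.conf [kvstore] max_documents_per_batch_save defaults to 1000.
BATCH_SIZE = 1000

# Sender signature: (method, url, body_bytes, headers) -> HTTP status code.
Sender = Callable[[str, str, bytes, Dict[str, str]], int]


def rows_from_csv(text: str) -> List[Dict[str, str]]:
    """Parse CSV text into one dict per row; the header row supplies the keys."""
    return list(csv.DictReader(io.StringIO(text)))


def collection_url(base_url: str, app: str, collection: str) -> str:
    # Collection data lives in the owning app's "nobody" namespace.
    return f"{base_url}/servicesNS/nobody/{app}/storage/collections/data/{collection}"


def replace_collection(rows: List[Dict[str, str]], base_url: str, app: str,
                       collection: str, token: str, send: Sender) -> List[int]:
    """Clear the collection, then upload rows in batches. Returns the batch sizes."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    url = collection_url(base_url, app, collection)
    # One DELETE empties the collection instead of removing records one by one.
    if send("DELETE", url, b"", headers) != 200:
        raise RuntimeError("clearing the collection failed")
    sizes = []
    for start in range(0, len(rows), BATCH_SIZE):
        chunk = rows[start:start + BATCH_SIZE]
        if send("POST", url + "/batch_save", json.dumps(chunk).encode(), headers) != 200:
            raise RuntimeError(f"batch starting at row {start} failed")
        sizes.append(len(chunk))
    return sizes


def urllib_sender(cafile: str = None) -> Sender:
    """Real sender over HTTPS, verifying the server certificate against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method: str, url: str, body: bytes, headers: Dict[str, str]) -> int:
        req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status
    return send


def demo() -> List[int]:
    """Constructed 2,500-row CSV pushed through a recording sender (no network)."""
    text = "id,name\n" + "".join(f"{i},item{i}\n" for i in range(2500))
    calls = []

    def record(method: str, url: str, body: bytes, headers: Dict[str, str]) -> int:
        calls.append((method, url.rsplit("/", 1)[-1], len(json.loads(body)) if body else 0))
        return 200
    sizes = replace_collection(rows_from_csv(text), "https://splunk.example:8089",
                               "search", "KV_Name", "placeholder-token", record)
    assert calls[0] == ("DELETE", "KV_Name", 0)
    assert all(c[0] == "POST" and c[1] == "batch_save" for c in calls[1:])
    return sizes


if __name__ == "__main__":
    print(demo())  # [1000, 1000, 500]
    if os.environ.get("SPLUNK_TOKEN"):  # real run only when a token is supplied
        with open(os.environ.get("CSV_PATH", "data.csv"), encoding="utf-8") as fh:
            data = rows_from_csv(fh.read())
        print(replace_collection(data, "https://splunk.example:8089", "search", "KV_Name",
                                 os.environ["SPLUNK_TOKEN"],
                                 urllib_sender(os.environ.get("SPLUNK_CA"))))
```

Two caveats for production use: between the DELETE and the last batch, searches see a partially loaded collection, so if that matters load into a second collection and repoint the lookup definition; and the token should belong to a role with write access to that collection only, not an admin account, since it ends up on a cron host.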
Hi guys, I'm using Splunk 8.0. I want to create a command that can send some info to another platform via web or API. I read the Dev page but it is hard to understand. Do you know some easy script? Like I have a table after a search:

    a     b     c     Action
    312   213   13    1
    13    123   46    0

When Action=1, the script will send the info {a:1,b:213,c:13} to another platform, e.g. send a message to Telegram.

    <basesearch> | where action=1 | sendinfo a,b,c
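An added example, not from the post and not a Splunk-provided command, showing the row-processing core of a "sendinfo"-style command in Python: keep only rows with action=1, project them onto an allow-listed set of fields so arbitrary event content cannot be pushed out of Splunk, and build the outbound message. Telegram's Bot API `sendMessage` call is the assumed target; the bot token and chat id are placeholders that in a real command would come from the app's password store rather than the search string (anything in the search string is written to the audit index and search logs). The transport is injected so the logic runs offline; in a deployed command this code would sit inside splunklib's `StreamingCommand.stream()` method.

```python
"""Row filter and outbound message builder for a "sendinfo"-style custom command.

Added example (not the post's code, not a Splunk-provided command). The Telegram
target, bot token and chat id are assumptions; the sender is injected.
"""
import json
from typing import Callable, Dict, Iterable, List, Tuple

# Fields that may leave Splunk. Anything else in the event stays put, so
# "| sendinfo a,b,c" cannot be turned into "| sendinfo password" by a search.
DEFAULT_ALLOWED = ("a", "b", "c")


def coerce(value):
    """Search results arrive as strings; pass numbers through as numbers."""
    for cast in (int, float):
        try:
            return cast(value)
        except (TypeError, ValueError):
            continue
    return value


def select_payloads(rows: Iterable[Dict[str, str]], fields=DEFAULT_ALLOWED,
                    action_field: str = "action") -> List[Dict[str, object]]:
    """Keep rows where action=1 and project them onto the allowed fields."""
    payloads = []
    for row in rows:
        if str(row.get(action_field, "")).strip() != "1":
            continue
        payloads.append({f: coerce(row[f]) for f in fields if f in row})
    return payloads


def telegram_request(payload: Dict[str, object], bot_token: str,
                     chat_id: str) -> Tuple[str, bytes]:
    """Build the Bot API sendMessage call; the message text is the JSON object."""
    url = f"https://api.telegram.org/bot{bot_token}/sendMessage"
    body = json.dumps({"chat_id": chat_id,
                       "text": json.dumps(payload, separators=(",", ":"))}).encode()
    return url, body


def sendinfo(rows: Iterable[Dict[str, str]], send: Callable[[str, bytes], int],
             bot_token: str, chat_id: str) -> int:
    """Send one message per qualifying row; returns how many were accepted."""
    accepted = 0
    for payload in select_payloads(rows):
        url, body = telegram_request(payload, bot_token, chat_id)
        if send(url, body) == 200:
            accepted += 1
    return accepted


# Constructed sample matching the table in the question (values as strings,
# which is how a search command receives them).
SAMPLE_ROWS = [
    {"a": "312", "b": "213", "c": "13", "action": "1"},
    {"a": "13", "b": "123", "c": "46", "action": "0"},
]


def demo() -> List[Dict[str, object]]:
    """Run the sample through a recording sender and return the texts sent."""
    sent = []

    def record(url: str, body: bytes) -> int:
        assert url.startswith("https://api.telegram.org/bot")
        sent.append(json.loads(json.loads(body)["text"]))
        return 200
    count = sendinfo(SAMPLE_ROWS, record, "bot-token-placeholder", "chat-id-placeholder")
    assert count == len(sent)
    return sent


if __name__ == "__main__":
    print(demo())  # [{'a': 312, 'b': 213, 'c': 13}]
```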
Hi, here is my SPL, which shows the different statuses:

    index="myindex" | rex "status\[(?<status>\w+)" | stats count(status) by status

Here is the current result:

    status        count(status)
    successful    3581

Here is the expected result:

    status        count(status)
    successful    3581
    fail          0
    exception     0

FYI: sometimes fail or exception might not be in the log file, sometimes they might exist; they need to show in the stats result even if these statuses do not exist. Any idea? Thanks
Hi, closing a high number of incidents was always done, but the slowness is a new thing. Now we are facing slowness when closing a high number of incidents. Is there a way to enhance this? Please support. We have Splunk version 8.2.4 and Enterprise Security 7.0.0. Regards
Hi, I am trying to set up Cluster Monitoring and wish to integrate it with my REST API scraper. Though, in the metric browser only hardware resources of the cluster and containers are available, so in this case the metric API is not able to fetch the pod state etc. details. I need the following metrics via the API. Please indicate the right way of achieving this.
Hi Team, I have the below JSON structure:

    data.searchByUserName.customerDetails....
    data.searchByLastName.customerDetails....
    data.searchByUUID.customerDetails....
    data.searchByDOB.customerDetails....

While creating a search query I need to give the search type (highlighted above in bold) as a wildcard, like data.*.customerDetails. Is there any way I can achieve it? Thanks in advance!
Hide tables from a dashboard if there are no results. Is there a generic command? I have around 900 tables in a dashboard and I refuse to set 900 different tokens.
Hi, I'm trying to set up HTTP integration in ChirpStack for some IoT devices, to forward JSON data into Splunk via the HTTP Event Collector; however, when the data is sent, Splunk reports "ERROR HttpInputDataHandler... reply=5... parsing_err="No data"". I've been logging the data sent to the Splunk server from the ChirpStack server with Wireshark. If I pull the JSON data and URI from each packet and send that to Splunk via curl instead, it imports just fine and I get a Success response back from Splunk. Has anyone had a similar issue in the past? I've found essentially nothing on a ChirpStack/Splunk stack out there. This is (part of) the curl command I've tested with, which works successfully:

    curl -H "Authorization: Splunk 11f6095d-9907-4649-a706-b75ebca67ecc" http://192.168.16.18:8088/services/collector/event?event=up -d '{"event":{"applicationID":"1","applicationName":"LHT65","deviceName":"LHT65-Test3","objectJSON":"{\"BatV\":2.918,\"Ext_sensor\":\"Temperature Sensor\",\"Hum_SHT\":\"41.1\",\"TempC_DS\":\"-4.00\",\"TempC_SHT\":\"4.29\"}","deviceProfileName":"LHT65"}}'
I'm trying to forward events to a Splunk instance using the HTTP Event Collector (http://<splunk_instance>:8088/services/collector/event) but it seems that the connection is being rejected by Splunk. The error I'm getting is:

    read tcp 127.0.0.1:46660->127.0.1.1:8088: read: connection reset by peer

The HTTP Event Collector is configured as:

    Enable SSL: true
    HTTP Port number: 8088
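An added example for the two HEC posts above (the ChirpStack "No data" error and the reset connection); it is not ChirpStack's HTTP integration and not Splunk code. Two facts about the collector drive the design: the `/services/collector/event` endpoint expects the `{"event": ...}` envelope and rejects an empty body with code 5 "No data" (an unwrapped body is what `/services/collector/raw` accepts), and a collector with "Enable SSL" switched on only speaks TLS on 8088, so a client that connects with `http://` fails at the handshake and the URL must be `https://` with the server certificate verified. The sample uplink is the JSON from the curl command in the question, minus the envelope, constructed inline; the host, token, sourcetype name and CA file path are placeholders.

```python
"""Wrap a ChirpStack-style uplink in a HEC envelope and send it over TLS.

Added example (not ChirpStack's integration, not Splunk code). Host, token,
sourcetype and CA path are placeholders.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Any, Dict, Optional

# Constructed sample: the body from the curl command in the question without
# the HEC envelope, i.e. what an integration sends if it posts the bare payload.
SAMPLE_UPLINK = {
    "applicationID": "1", "applicationName": "LHT65", "deviceName": "LHT65-Test3",
    "objectJSON": "{\"BatV\":2.918,\"Ext_sensor\":\"Temperature Sensor\","
                  "\"Hum_SHT\":\"41.1\",\"TempC_DS\":\"-4.00\",\"TempC_SHT\":\"4.29\"}",
    "deviceProfileName": "LHT65",
}

# Entries from the HEC response-code table that this client distinguishes.
HEC_CODES = {0: "Success", 5: "No data", 6: "Invalid data format",
             12: "Event field is required", 13: "Event field cannot be blank"}


def decode_nested_json(payload: Dict[str, Any], key: str = "objectJSON") -> Dict[str, Any]:
    """ChirpStack ships decoded sensor values as a JSON string inside the JSON;
    parse it so BatV, Hum_SHT, ... index as fields rather than one escaped blob."""
    out = dict(payload)
    if isinstance(out.get(key), str):
        try:
            out[key] = json.loads(out[key])
        except ValueError:
            pass  # not JSON after all: keep the string as delivered
    return out


def hec_envelope(payload: Dict[str, Any], sourcetype: str = "chirpstack:uplink",
                 event_type: Optional[str] = None) -> Dict[str, Any]:
    """Build the /services/collector/event envelope; reject empty bodies up
    front, which is the case the collector reports as code 5 "No data"."""
    if not isinstance(payload, dict) or not payload:
        raise ValueError("HEC /event needs a non-empty JSON object as the event")
    envelope: Dict[str, Any] = {"event": decode_nested_json(payload), "sourcetype": sourcetype}
    if event_type:  # e.g. ChirpStack's ?event=up, carried as an indexed field
        envelope["fields"] = {"chirpstack_event": event_type}
    return envelope


def is_tls_url(url: str) -> bool:
    return url.lower().startswith("https://")


def check_collector_url(url: str, ssl_enabled: bool = True) -> str:
    """A plaintext request to a TLS-only listener dies at the handshake, which
    the client sees as a reset or EOF; insist on https when SSL is enabled."""
    if ssl_enabled and not is_tls_url(url):
        raise ValueError("collector has SSL enabled; the URL must start with https://")
    return url


def post_event(url: str, token: str, envelope: Dict[str, Any],
               cafile: Optional[str] = None, timeout: float = 5.0) -> Dict[str, Any]:
    """POST the envelope, verifying the collector's certificate against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        check_collector_url(url), data=json.dumps(envelope).encode("utf-8"),
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            reply = json.loads(resp.read())
    except urllib.error.HTTPError as err:  # HEC puts its code in the 4xx body
        reply = json.loads(err.read() or b"{}")
    if reply.get("code") != 0:
        raise RuntimeError(f"HEC refused the event: {HEC_CODES.get(reply.get('code'), reply)}")
    return reply


if __name__ == "__main__":
    print(json.dumps(hec_envelope(SAMPLE_UPLINK, event_type="up"), indent=2))
    # Real send with placeholders:
    # post_event("https://splunk.example:8088/services/collector/event", "<hec-token>",
    #            hec_envelope(SAMPLE_UPLINK, event_type="up"), cafile="/etc/ssl/splunk-ca.pem")
```

If the integration cannot be made to emit the envelope, point it at `/services/collector/raw` instead, where the bare JSON is accepted as the event body. Treat the HEC token like a password: it is a bearer credential, and a token that has leaked (for example by being pasted into a public post) should be rotated in the HEC token settings.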
I created a dashboard a couple of weeks ago, but now I'm unable to edit it. Any change that I make results in a "Server Error" message. I've tried restarting Splunk, but no dice. We're running 8.2.5.

Error Message:
I know this is an unsupported app, https://splunkbase.splunk.com/app/3501/, but does anyone have any suggestion? After the app install, when the app is launched, the inputs and configuration page is stuck on a loading screen with an unending spinning circle. I have installed it on 2 heavy forwarders and see the same thing. Any insight is highly appreciated.
Splunk newbie here again. I am currently searching for a way to create a dependent drilldown where the Year would be the independent basis and the Month would be the dependent, since the reports that would be generated would need to look back at the previous, current, and possibly future reports. My temporary fix is using the input panel to pass it in a string-like format. However, the team I am creating this for was searching for a way to avoid having the users type in the input. Attaching a screenshot of the code along with the code at the moment.

    <form theme="dark">
      <label>CSC/ERSC/PSI PAGING Report</label>
      <fieldset submitButton="true" autoRun="true">
        <input type="dropdown" token="lpar">
          <label>Select to View</label>
          <choice value="----">----</choice>
          <choice value="D7X0">D7X0</choice>
          <choice value="H7X0">H7X0</choice>
          <choice value="D1D0">D1D0</choice>
          <choice value="DAD0">DAD0</choice>
          <choice value="E1D0">E1D0</choice>
          <choice value="H1D0">H1D0</choice>
          <choice value="WSYS">WSYS</choice>
          <choice value="YSYS">YSYS</choice>
          <default>----</default>
        </input>
        <input type="dropdown" token="y">
          <label>Select Year</label>
          <choice value="2022">2022</choice>
          <default>2022</default>
        </input>
        <input type="dropdown" token="month">
          <label>Select Month</label>
          <choice value="earliest=@y latest=@y+1mon">January</choice>
          <choice value="earliest=@y+1mon latest=@y+2mon">February</choice>
          <choice value="earliest=@y+2mon latest=@y+3mon">March</choice>
          <choice value="earliest=@y+3mon latest=@y+4mon">April</choice>
          <choice value="earliest=@y+4mon latest=@y+5mon">May</choice>
          <choice value="earliest=@y+5mon latest=@y+6mon">June</choice>
          <choice value="earliest=@y+6mon latest=@y+7mon">July</choice>
          <choice value="earliest=@y+7mon latest=@y+8mon">August</choice>
          <choice value="earliest=@y+8mon latest=@y+9mon">September</choice>
          <choice value="earliest=@y+9mon latest=@y+10mon">October</choice>
          <choice value="earliest=@y+10mon latest=@y+11mon">November</choice>
          <choice value="earliest=@y+11mon latest=@y+12mon">December</choice>
        </input>
        <input type="text" token="from">
          <label>From MM/DD/YYYY</label>
          <default>01/01/2022</default>
        </input>
        <input type="text" token="to">
          <label>To MM/DD/YYYY</label>
          <default>01/31/2022</default>
        </input>
      </fieldset>
      <row>
        <panel>
          <title>$lpar$ Date Panel</title>
          <chart>
            <title>From &amp; To Input: $from$ - $to$</title>
            <search>
              <query>index=mainframe-platform sourcetype="mainframe:mpage" MVS_SYSTEM_ID=$lpar$
    | eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d")
    | eval _time=strptime(DATE." ","%Y-%m-%d")
    | where _time &gt;= strptime("$from$", "%m/%d/%Y") AND _time &lt;= strptime("$to$", "%m/%d/%Y")
    | eval epochtime=strptime(TIME, "%H:%M:%S")
    | eval desired_time=strftime(epochtime, "%H:%M:%S")
    | chart sum(VIO_PAGING_SEC) as "$lpar$ Sum of VIO_PAGING_SEC" sum(SYSTEM_PAGEFAULTS_SEC) as "$lpar$ SYSTEM_PAGEFAULTS_SEC" sum(SWAP_PAGIN_SEC) as "$lpar$ SWAP_PAGIN_SEC" sum(LOCAL_PAGEFAULTS_SEC) as "$lpar$ LOCAL_PAGEFAULTS_SEC" over _time</query>
              <earliest>0</earliest>
              <latest></latest>
            </search>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
            <option name="charting.axisTitleX.text">Date of Occurrence</option>
            <option name="charting.chart">column</option>
            <option name="charting.drilldown">none</option>
            <option name="charting.legend.placement">bottom</option>
            <option name="height">789</option>
            <option name="refresh.display">progressbar</option>
            <drilldown>
              <link target="_blank">/app/mainframe-platform/csierscpsi_paging_individual_report?_time=$click.name2$</link>
            </drilldown>
          </chart>
        </panel>
      </row>
      <row>
        <panel>
          <chart>
            <title>Select a Month using $month$</title>
            <search>
              <query>index=mainframe-platform sourcetype="mainframe:mpage" MVS_SYSTEM_ID=$lpar$
    | eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d")
    | eval _time=strptime(DATE." ","%Y-%m-%d")
    | where $month$
    | chart sum(VIO_PAGING_SEC) as "$lpar$ Sum of VIO_PAGING_SEC" sum(SYSTEM_PAGEFAULTS_SEC) as "$lpar$ SYSTEM_PAGEFAULTS_SEC" sum(SWAP_PAGIN_SEC) as "$lpar$ SWAP_PAGIN_SEC" sum(LOCAL_PAGEFAULTS_SEC) as "$lpar$ LOCAL_PAGEFAULTS_SEC" over _time</query>
              <earliest>$range.earliest$</earliest>
              <latest>$range.latest$</latest>
            </search>
            <option name="charting.chart">column</option>
            <option name="charting.drilldown">none</option>
            <option name="height">789</option>
            <option name="refresh.display">progressbar</option>
          </chart>
        </panel>
      </row>
    </form>
Hi again, seeking your advice on the topic above. The link target method was suggested to me as a workaround for my concern about the standard Splunk chart limitations. However, I am unable to find a way to pass a link target wherein the target is the X-axis value, which in this instance is the specific dates. For reference, attaching the screenshot of the chart along with the entire XML code. I have already considered making a separate panel where the dates would be generated, but I was wondering if this type of link target would be possible so that I could apply it to my other reports.

    <form theme="dark">
      <label>CSC/ERSC/PSI PAGING Report</label>
      <fieldset submitButton="true" autoRun="false">
        <input type="dropdown" token="lpar">
          <label>Select to View</label>
          <choice value="----">----</choice>
          <choice value="D7X0">D7X0</choice>
          <choice value="H7X0">H7X0</choice>
          <choice value="D1D0">D1D0</choice>
          <choice value="DAD0">DAD0</choice>
          <choice value="E1D0">E1D0</choice>
          <choice value="H1D0">H1D0</choice>
          <choice value="WSYS">WSYS</choice>
          <choice value="YSYS">YSYS</choice>
          <default>----</default>
        </input>
        <input type="text" token="from">
          <label>From MM/DD/YYYY</label>
          <default>01/01/2022</default>
        </input>
        <input type="text" token="to">
          <label>To MM/DD/YYYY</label>
          <default>01/31/2022</default>
        </input>
      </fieldset>
      <row>
        <panel>
          <title>$lpar$ Date Panel</title>
          <chart>
            <title>From &amp; To Input: $from$ - $to$</title>
            <search>
              <query>index=mainframe-platform sourcetype="mainframe:mpage" MVS_SYSTEM_ID=$lpar$
    | eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d")
    | eval _time=strptime(DATE." ","%Y-%m-%d")
    | where _time &gt;= strptime("$from$", "%m/%d/%Y") AND _time &lt;= strptime("$to$", "%m/%d/%Y")
    | eval epochtime=strptime(TIME, "%H:%M:%S")
    | eval desired_time=strftime(epochtime, "%H:%M:%S")
    | chart sum(VIO_PAGING_SEC) as "$lpar$ Sum of VIO_PAGING_SEC" sum(SYSTEM_PAGEFAULTS_SEC) as "$lpar$ SYSTEM_PAGEFAULTS_SEC" sum(SWAP_PAGIN_SEC) as "$lpar$ SWAP_PAGIN_SEC" sum(LOCAL_PAGEFAULTS_SEC) as "$lpar$ LOCAL_PAGEFAULTS_SEC" over _time</query>
              <earliest>0</earliest>
              <latest></latest>
            </search>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
            <option name="charting.axisTitleX.text">Date of Occurrence</option>
            <option name="charting.chart">column</option>
            <option name="charting.chart.overlayFields">"D1D0 Sum of VIO_PAGING_SEC","D1D0 SYSTEM_PAGEFAULTS_SEC","D1D0 SWAP_PAGIN_SEC",D1D0_LOCAL_PAGEFAULTS_SEC</option>
            <option name="charting.drilldown">none</option>
            <option name="charting.legend.placement">bottom</option>
            <option name="height">789</option>
            <option name="refresh.display">progressbar</option>
            <drilldown>
              <link target="_blank">/app/mainframe-platform/csierscpsi_paging_individual_report?_time=$click.name2$</link>
            </drilldown>
          </chart>
        </panel>
      </row>
    </form>
Hi, I am trying a simple query where I want to see the percentage of calls with a particular response time in Splunk, and somehow the percent field is coming out empty in the table.

    index = xyz http_status=200
    | stats count(request_ms) as web-calls by request_ms
    | eventstats sum(web-calls) as totalwb
    | eval percent=(web-calls*100/totalwb)
    | table request_ms web-calls totalwb percent
Hello All, I want to create a user-defined "dictionary" for a dashboard and would like the user to click on a link within the dashboard to launch the Lookup Editor app on a specific *.csv file. I would seed the dictionary with specific columns. Is this possible? I tried something like the following but got an error: "The lookup could not be loaded from the server"

    <drilldown>
      <link>http://myServer:8000/en-US/app/lookup_editor/lookup_edit?owner=nobody&amp;namespace=myAppName&amp;type=csv&amp;Name=client_information.csv</link>
    </drilldown>

Appreciate the help.
I want to show the time range that a dashboard panel has run with, taken from the time-select dropdown. For instance, if I select "last 90 mins" at 1 PM from the time select, the dashboard panel should show the time like earliest_time=11:30:00 AM to Latest_Time=13:00:00. I tried using

    Earliest_Time: $field2.earliest$ To Latest_Time: $field2.latest$

but the output is showing as below:

    Earliest_Time: -90m@m To Latest_Time: now

Thanks in advance
We would like to send our WinEventLog data to the on-prem cluster as well as to the cloud. How can we do that? We can fork at the UF level, but we are not happy about this approach.
Hi All, what does eliminated_buckets mean in Splunk (index=_internal <sourcetype>)? Regards, NVP
I have multiple tables on a dashboard. Is there a way that I can show all the values that show up in red in the page below, highlighted at the top of the page?