All Topics
I'm working with some syslog data that is being pulled in from a gzip file. The data looks like this:

Apr 28 23:59:01 hostname systemd: Removed slice User Slice of pdw.
Apr 28 23:59:01 hostname systemd: Started Session 9904 of user pdw.
Apr 28 23:59:01 hostname systemd: Created slice User Slice of pdw.
Apr 28 23:58:01 hostname systemd: Removed slice User Slice of pdw.
Apr 28 23:58:01 hostname systemd: Started Session 9903 of user pdw.
Apr 28 23:58:01 hostname systemd: Created slice User Slice of pdw.
Apr 28 23:57:01 hostname systemd: Removed slice User Slice of pdw.
Apr 28 23:57:01 hostname systemd: Started Session 9902 of user pdw.
Apr 28 23:57:01 hostname systemd: Created slice User Slice of pdw.
Apr 28 23:56:01 hostname systemd: Removed slice User Slice of pdw.

The issue is that instead of seeing April 28 in _time, what I'm seeing appears to be the timestamp of the file source="/var/log/messages-20220501.gz". The 2,974,360 events in the gzip run from Aug 1 to May 3. Does Splunk not get the date from each event in the gzip, or did Splunk run up against a limitation and not process them due to the number of events?
Hello! I am looking for your help. I have 2 indexer nodes in a Splunk indexer cluster with rf=2 and sf=2, and we want to add 2 more nodes to this site; I only have one virtual site. I need your help because I want to update the rf to 3. So by adding a new node and updating the rf, will the historical data from the 2 oldest nodes be replicated to the new nodes to meet the replication factor?
I have logs that resemble the table below.

index=linux sourcetype=group | table group group_id, users

group group_id users
splunk 1 admin, john, jill
apache 2 sarah, bill

I would like the events to be separated by individual users so it looks like the table below. Is there a way to utilize transforms/props to separate the events by each different user?

index=linux sourcetype=group | table group group_id, users

group group_id users
splunk 1 admin
splunk 1 john
splunk 1 jill
apache 2 sarah
apache 2 bill
Hello, everyone! I get the error "WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer." when I'm trying to run a search on the Search Head. I started to get such errors after I changed peers in the distributed search settings. Now I have added my indexers in distributed search and get this error with the search "index=*"; when I try the search "index=* splunk_server" it works fine. Peers are connected. Help me please.
Hello @chrisyounger, love your components. I'm trying to use the Dendrogram drilldown to "Manage tokens on this dashboard" but it doesn't seem to work. Looking in the browser console I can see the tokens being set, but my form values don't get set. Any ideas?

<viz type="dendrogram_viz.dendrogram_viz">
  <title>title</title>
  <search>
    <query>~Query Here~</query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <option name="dendrogram_viz.dendrogram_viz.color1">#171d21</option>
  <option name="dendrogram_viz.dendrogram_viz.color2">#ffffff</option>
  <option name="dendrogram_viz.dendrogram_viz.delimiter">-&gt;</option>
  <option name="dendrogram_viz.dendrogram_viz.html">no</option>
  <option name="dendrogram_viz.dendrogram_viz.label_size">100</option>
  <option name="dendrogram_viz.dendrogram_viz.layout">vertical</option>
  <option name="dendrogram_viz.dendrogram_viz.linkcolor">#555555</option>
  <option name="dendrogram_viz.dendrogram_viz.max_rows">1000</option>
  <option name="dendrogram_viz.dendrogram_viz.node_ancestor_spacing">400</option>
  <option name="dendrogram_viz.dendrogram_viz.node_sibling_spacing">400</option>
  <option name="dendrogram_viz.dendrogram_viz.node_size">80</option>
  <option name="dendrogram_viz.dendrogram_viz.nodecolor">#999999</option>
  <option name="dendrogram_viz.dendrogram_viz.radius">500</option>
  <option name="dendrogram_viz.dendrogram_viz.tidy">yes</option>
  <option name="dendrogram_viz.dendrogram_viz.zoom">yes</option>
  <option name="drilldown">all</option>
  <option name="height">1000</option>
  <option name="refresh.display">progressbar</option>
  <drilldown>
    <set token="form.parentageSpan">$dendrogram_viz_id$</set>
  </drilldown>
</viz>
Hi all, I'm not a native English speaker, but I will do my best to explain the question. To be clear, I need to do this in a "Report". So that means I can't use a saved job as in a Dashboard. So I need to do this in a single search, I guess.

I did some previous search and got a result table like the table below:

Test_Project Test_Site Failed_Test_Items Test_Admin_Email
Notebook_XX A Item_1 Item_5 Item_7 dog@mail.com, cat@mail.com, bird@mail.com
Mobile_DD A Item_1 Item_2 dog@mail.com
Notebook_XX B Item_3 cat@mail.com
Mobile_DD B Item_6 Item_7 bird@mail.com, cat@mail.com

Failed_Test_Items is a multi-value column. Test_Admin_Email is a single-string column. Anyway, I need to send an email about the testing result row by row. For example, send this to 3 different email addresses: dog@mail.com, cat@mail.com, bird@mail.com

Test_Project Test_Site Failed_Test_Items
Notebook_XX A Item_1 Item_5 Item_7

And send this to two email addresses: bird@mail.com, cat@mail.com

Test_Project Test_Site Failed_Test_Items
Mobile_DD B Item_6 Item_7

Every row will represent a different email. So in this case, I will send 4 emails. And it needs to be done by Report, because I need to schedule it. Please help me in a simple way, maybe using some simple examples. I am still a Splunk noob.
Hi, I am trying to set up a health rule which can trigger an alert when the calls per minute for a given Business Transaction drop below a certain percentile (in my case I am thinking 50% or maybe 25%). I added a screenshot from an issue that triggered a few days back. I already have an alert set up if it drops below a specific value of 10, but in this case it went from about 415 calls/min to below 200 calls/min.
Hi, I have a table like this:

id value
1 12
2 10

I want to do this calculation in Splunk: (10/12)*100% (meaning (value of the second id / value of the first id)*100%). How do I do this, please?
Retrieving SAM data from the event server via the REST API, I get records like this:

<metricId>11326213</metricId>
<metricName>Hardware Resources|Service Availability|59|Success Rate (%)</metricName>
<metricPath>Application Infrastructure Performance|Root|Individual Nodes|usl00001292.us.hsbc|Hardware Resources|Service Availability|59|Success Rate (%)</metricPath>
<frequency>SIXTY_MIN</frequency>
<metricValues>
  <metric-value>
    <startTimeInMillis>1651823040000</startTimeInMillis>
    <occurrences>60</occurrences>
    <current>0</current>
    <min>0</min>
    <max>100</max>
    <useRange>true</useRange>
    <count>24</count>
    <sum>2400</sum>
    <value>100</value>
    <standardDeviation>0</standardDeviation>
  </metric-value>
</metricValues>
</metric-data>
<metric-data>

As you can see, the service monitored is identified by a number, here 59. Same thing in the metrics browser. This attribute is called the config ID. However, I cannot see how to map the number (59 in the above example) to the (service name, URL target, machine agent server) identifier. I cannot find the (service name, URL target, machine agent server) triplet identifier of the SAM monitor anywhere in the metrics tree. Any clue? Thanks in advance, regards, Philippe
Hi, usually I use the dashboard in full screen mode (Firefox). How can I remove the first two rows (splunk>enterprise... (in black) and Search Analytics... (in green))? I want this because I don't have a lot of space on the screen.
I use the add-on builder to create custom apps for interacting with the AWS API through Splunk, but I've found that some of the more recent boto3 features are missing from the version embedded within Splunk. Does anyone know how to update Splunk's embedded boto3 version?
Hello all, I have a clustered indexer and SH environment. I'm now noticing that there's a long delay in some of my data showing up. I can see that the logs are being continuously generated at the source, but they do not show up in Splunk until a long time later. Some items I'm not able to search on until the next day. The UF is set to monitor a directory with all .log files to be read and sent to Splunk. No issues with permissions and no fw blocks either. Additionally, the exact same configurations seem to work on my qa servers but not on the prod ones. The biggest difference between the two is the log volume, approximately in the ratio 1:600 qa to prod. Also, the file is set to roll over to archive once it hits the size of 50MB. Does this have something to do with the zipping/archiving? Is Splunk unable to read while other processes are writing to the file, which then reaches the limit and gets zipped before Splunk can do anything? Or would this concern something in the pipelines or limits.conf? All help is appreciated.
Hi, I add a + or a - sign before a percent result like this:

| eval perc=if(s<2,"-","+").round((s/2)*100,1). "% "

But I need to subtract 100 from the percentage result like below:

| eval perc=if(sam<sam2,"-","+").round(100-(sam/sam2)*100,1). "% "

But when I do this, I get both + and - before the percent result. How can I avoid this, please?
How can I configure a different user and password, other than admin, to make REST endpoint calls to my Universal Forwarder?

Current functionality:

curl -k -u admin:changeme "https://<host>:<port>/services/receivers/simple?index=abc&source=test&sourcetype=test" -d "splunk rest test"

What I want:

curl -k -u mu_user:mypwd "https://<host>:<port>/services/receivers/simple?index=abc&source=test&sourcetype=test" -d "splunk rest test"

I tried putting this new user in authentication.conf with binddnuser and binddnpassword, but it is throwing an Unauthorized error.
Dear community, I have been using this community for years, and so far I've found everything I needed. Now I am stuck!!! I am trying the following: I want to list all the indexes' fields so that when I build a query, I know immediately if a specific source has that field. The second part is easy. Once I have the list I know what I need to do. So, basically, I need something like this:

Fields index1 index2 index3 indexn
field1 1 1 0 1
field2 0 0 1 1
fieldn 1 1 1 1

where 0 is when the field doesn't exist, and 1 means there is at least one value in the specific field. My search looks like:

index IN (index1, index2, indexn) | stats count(*) as * by index | transpose column_name=Field header_field=index | outputlookup whateverfile.csv

The problem with this search is that it takes ages, and I don't need a full count. I just need to count the first value it gets, stop, and then move on. In this way I will have a count of 0 if the field doesn't exist and 1 if it exists. Any ideas?
Hi Team, I am trying to take a backup of lookups using the search head console, and I have tried two ways.

a) Using the REST command below:

| rest /servicesNS/-/-/properties/lookups

Issue: since we have only limited permissions, the links of the lookups are not working.

b) | inputlookup abcd.csv | append [inputlookup wxyz.csv]

Issue: I can see the output of both .csv files but am unable to identify where the content from abcd.csv or wxyz.csv starts.

Can anyone please suggest the best possible way to do it from the Splunk GUI, since we have only power user access?
I am trying to send data to a Splunk Cloud free trial account, following the documentation here: https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/UsetheHTTPEventCollector

This is what I should use:

"You must send data using a specific URI for HEC. The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows: <protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>"

But the domain name does not exist (the subdomain with the http-inputs. part). Is the documentation wrong? How do I get this working?
I want to change the bin value ranges in the calendar heat map. How can I do that? I don't want the default bin values in the heatmap.
The ITE Work app was installed from the back end, and when we tried opening the page it showed Internal Server Error and the app is not loading.
Hi, I can successfully log in to my account overview; however, from there, when I click "Launch AppDynamics" (see image) I get taken to another login screen and I can't get further. It takes me here: Looking through the forum I saw a post that said to go to https://help.appdynamics.com/support, but if I try that I get: I tried resetting my password with "forgot password" but it didn't work. I got no email. Looking at the debug console in Chrome I see the request with this response: Any help would be appreciated. Regards, Doug

^ Post edited by @Ryan.Paredez to remove images that show the Controller name and URL. For security and privacy reasons, please do not share your Controller URL on the community forum.