All Topics
Hello there, When we add business transaction availability to the dashboard, it calculates incorrectly. When I calculate the incoming values, different results are obtained in the dashboard. It gives the result as:

100-(({CallperMin}-{ErrorperMin}) / {CallperMin})

As an example: (717-{ErrorperMin}) / 717, Result -0.17%

If the error is 0, it gives a true result; if it is 1, it gives a false result. In addition, how can I show the error rate shown in BT on the dashboard?
While trying to log in on the controller for the first time, all users in the account are getting a "login failed" message. However, users are able to log in on the Account Management UI. Kindly help resolve the issue. Thanks
Hi, How can I monitor Java applications with Splunk? I tried nmon, but it only gives the whole Java process, not a specific PID. Any idea? Thanks,
Hi All, We are using Splunk Cloud and have a Universal Forwarder set up on a Windows machine. It reads CSV files from a particular folder and sends them to the indexer.

inputs.conf:

[monitor://D:\Test\Monitoring\Abc]
disabled=0
index=indexabc
sourcetype = csv
crcSalt = <SOURCE>

props.conf:

[source::D:\Test\Monitoring\Abc\*.csv]
CHECK_METHOD = modtime

Various CSV files are placed under D:\Test\Monitoring\Abc hourly/daily, and this setup works without any issues most of the time for all the CSV files. But there are some instances where data from a single file for a particular hour/day is missing in the index "indexAbc". This doesn't happen with one particular file but with various files. For example, there is a CSV called memory.csv which updates daily at 23:47, and when I checked data for the previous month (timechart span=1d), it doesn't show data for 25th March. I have checked the 3rd-party script which sends data to this Windows server, and it has done that successfully. When a CSV file is read and indexed, I see the entry below in splunkd.log, but this is not available for 25th March, for which the data is missing:

03-26-2022 23:47:49.495 +0000 INFO WatchedFile [6952 tailreader0] - Will begin reading at offset=0 for file='D:\Test\Monitoring\Abc\memory.csv'.

For the period 25th March 23:40 to 23:50, I have checked splunkd errors in the _internal index and the results are given below: Can you please suggest what could be causing this intermittent issue and what troubleshooting steps I can follow? Thank you.
Hi, Can I create a dashboard like this with checkbox filtering? ^ Post edited by @Ryan.Paredez for an improved title.
I encountered a problem when opening the Microsoft O365 Email Add-on for Splunk. It is developer-supported, but the developer didn't reply. When I open the add-on, it keeps loading forever. It is the same for all three tabs: Inputs, Configurations, and Search. I have tested the add-on on an on-premises Splunk and it worked perfectly. Is it a problem specific to Splunk Cloud? What could we do to solve this problem? Thank you.
Hi everyone, Could you please help me with the below query. I want to create a custom alert action and send results as an Excel sheet via email. Does anyone happen to know a similar app that is compatible with Splunk 8.2? Thanks for your support.
Dear All, I'm writing regarding the submit button functionality in Dashboard Studio. As you can see in the image, we currently have a dashboard with a few inputs and a submit button. Now, this button perfectly does its job: it allows the queries to be loaded only when the button is clicked, which is exactly what we intended by adding the button to the dashboard. Now, our wish would be to have the submit button clicked by default. As you may probably imagine, this would be just so that the user does not have to click on the button. Don't know if maybe this is something possible. Thanks a lot! Sincerely, Francisco
My logs are in the format:

My-Application Log: Some-Key= 99, SomeOtherKey= 231, SomeOtherKey2= 1231, Some Different Key= 0, Another Key= 121

I currently use the query:

index="myindex" "My-Application Log:" | extract pairdelim=",  " kvdelim="= " | table Some-Key  SomeOtherKey SomeOtherKey2 "Some Different Key" "Another Key"

It is able to extract events; however, the table is filled with blank/null values. How can I visualise the data if I have this format of logs? I have to group by Some-key. The example visualization should be grouped on the basis of Some-key. Thanks in advance.
Hi, I have trained a FieldSelector model and I need to inspect the findings with the summary function. However, I am receiving the following error: Can you please help? Many thanks, Patrick
I have created a field transformation via the GUI of Splunk. I want to add a field to this transformation. If I open the field transformation (Settings > Fields > Field transformations), the already existing fields are not visible. Is it possible to change the existing fields via the GUI?
Hi everyone, Could you guys please help me with the below queries?
How do I delete a macro from the CLI (if the macro permission is private)?
How do I delete a macro from the CLI (if the macro permission is "this app only")?
I want to specify a field that contains time as earliest and another field as latest, so that my SPL will be executed with the earliest value as the earliest value of field1 and the latest value as the latest value of field2. Example: index=abcd | table starttimeUTC endtimeutc. The above search should run as earliest=<earliest value of starttimeUTC> and latest=<latest value of endtimeutc>.
Hi, I am looking to plot a graph using four fields in Splunk. I am looking for a relationship graph among Domain, Category, Ipaddress and Severity, similar to the Excel graph below.

Sample Data:

Domain   Category  Ipaddress     Severity
domain1  prod      192.168.1.20  Low
domain2  non-prod  192.168.1.21  High
domain3  prod      192.168.1.22  Critical
domain3  prod      192.168.1.22  Medium
domain4  non-prod  192.168.1.23  Low
domain1  prod      192.168.1.20  Low
domain2  non-prod  192.168.1.21  High
domain3  prod      192.168.1.22  Critical
domain3  prod      192.168.1.22  Medium
domain4  non-prod  192.168.1.23  Low
domain1  prod      192.168.1.20  Low
domain2  non-prod  192.168.1.21  High
domain3  prod      192.168.1.22  Critical
domain3  prod      192.168.1.22  Medium
domain1  prod      192.168.1.20  High
domain1  prod      192.168.1.20  Critical

Graph prepared using Excel:

Please advise a search command to see the relationship in a visualization and plot the graph.
Hi, I am in the feature selection stage of my ML assignment. The data I am working with is as follows: index=nwstats sourcetype="traffic:delta" I need to find the 3 "best" features to use before I test different ML models on the data. To do this, I am trying to use the FieldSelector in MLTK and then see the results with the summary. As you can see, I am getting an error. Can you please help? Many thanks, Patrick
Good day, I am managing an infrastructure that currently has both SAS-2 and SAS-3 hard drives mixed in with the OS and data partitions on the indexers. I was curious if this would have an impact across all of the other indexers, since SAS-2 operates at 6 Gbps vs SAS-3, which operates at 12 Gbps. If I remember correctly, indexers utilize the member with the lowest CPU and memory. Would this happen for SAS speeds too?
The new DBv3 doesn't like inline comments (--) in the SQL query. You must update the query to use multi-line comments to save the queries.

Use this:

/* your SQL STATEMENT COMMENT */

Not this:

--your SQL comment here

Once the comments have been cleaned up, you should be able to run your queries again. Note: if you're using queries configured with rising columns, watch the video below on YouTube by the Splunk team. https://www.youtube.com/watch?v=oPB2Lpd9ZAs Good luck!
Hello, so I have an input on my dashboard page of either month "01-2022,02-2022" and also quarter "Q1-2022". So depending on the search, I want to have my timechart command. For example:

query | timechart span="1mon" count(number) [For month]
query | timechart span="qtr" count(number) [For quarter]

I want a query like this:

if [input_month="Q%"] then query | timechart span="qtr" count(number) else query | timechart span="1mon" count(number)

How can I do this?
Gentlemen, We are on Splunk Cloud. In my raw events coming from AWS, Splunk by default shows a field called "category" under "Interesting fields". However, its value (as in its extraction) isn't what we are expecting it to be. It only manages to extract a part of the complete string. For example, the raw events have category as follows (in JSON format): "Policy:IAMUser/RootCredentialUsage" (without quotes). But Splunk is instead showing the value of category as: Policy. Now, what's happening is, if I use the IFX or rex command to create a field extraction keeping the same name for my field, i.e. category, and value Policy:IAMUser/RootCredentialUsage, my newly extracted field keeps getting overwritten with the default old values again. I am assuming this is because the names of the fields are the same (category), so Splunk takes its own precedence. Is this a case of index-time vs search-time field extraction conflict? How do I make Splunk use whatever value my field extraction (as in rex or IFX) is extracting for category and at the same time also retain its name as is? I don't want the category field to display its old indexed value.
Hi, I need to use Linear Regression to predict network volumes at the moment. The index I am using has a number of categorical data that I wish to change to dummy variables. I am using the FieldSelector functionality and I am getting the following error: Can you please help? Thanks, Patrick