How do I write a search that shows the current uptime of the server, and the date/time/user of the last reboot of the server?

I have an index which has information for available bytes on each host. I want to display free bytes in a table for all the hosts. I have a CSV file which has the hostname and the total bytes for each server. I am trying something like the following:

index="perfmon" ([| from inputlookup:"HostTotalBytes_Lookup" | table host]) earliest=-5m latest=now
| eval TotalBytes=[| from inputlookup:"HostTotalBytes_Lookup" | table totalBytes]
| eval MemoryUsedPct = round((TotalBytes - Available_Bytes) / TotalBytes * 100, 2)
| chart max(MemoryUsedPct) as "Used Memory", max(Available_Bytes) as "Available Bytes" by host

But it returns an error:

Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).

I understand that I am trying to store an entire table in one variable and use it as separate byte values against each host. I am quite new to Splunk and don't really know what to use in this case. Any help would be highly appreciated. My CSV file looks like the following:

host,name,totalBytes
host1,host1_name,16000000000
host2,host2_name,16000000000
host3,host3_name,16000000000
host4,host4_name,16000000000
Hello All, we upgraded our test environment to Splunk 8.2, after which our JavaScript dashboards stopped working. The dashboards have been updated to include version="1.1" as suggested by the docs. The JavaScript which isn't working references jQuery as follows:

require([ "splunkjs/mvc", "splunkjs/mvc/utils", "splunkjs/mvc/tokenutils", "underscore", "jquery", ......])

I am aware that 8.2 depends on jQuery 3.5 and I feel that this is causing the issue, but where in the code the updates need to be made is something I need assistance with. @jeffland, please assist if possible. Thanks.
Hi Team, I have a log message and I want to filter all log messages which contain the below highlighted text, and if the status value is other than 200 (status!=200), separate those messages:

{"timestamp":"2022-03-04T11:04:41.143Z","message":"ABCDEFG :::{\"status\":200,\"headers\":
{"timestamp":"2022-03-05T11:02:41.143Z","message":"ABCDEFG :::{\"status\":400,\"headers\":
{"timestamp":"2022-03-02T11:05:41.143Z","message":"ABCDEFG :::{\"status\":500,\"headers\":
Hello, is it possible to add a banner to a dashboard in order to separate panels? Thanks

Hi All, I am using Splunk ES. We create short IDs for notables. How can we search the notables using the short ID as a filter in the incident dashboard in Splunk ES?
Hello, we are in need of field extractions in Splunk. What is the best and most reliable way to do field extraction in Splunk when the ingested data is in JSON format? Please let us know if there is any way to do the extractions during ingestion so that they get auto-extracted, and by searching index=sample sourcetype=json we could get them as fields under the interesting fields. Can this be done by editing the props.conf file? Please provide some examples, which would be of great help. Thanks.
Hi All, in ES or in Splunk in general, how do I return a field value in double quotes? We have the below setting for "Drill Down Name", which displays the Policy Name when the alert is triggered. I would like the Policy Name to be enclosed in double quotes when it displays in the alert, though. Any suggestions? Should I try this? \"$policy_name$\"
Hi, we would like to correlate data between 2 indexes, but we can't seem to find the right query. Examples:

Index=Firewall Sourcetype=A Fields=Bytes, SourceIP
Index=AD Sourcetype=B Fields=SourceIP, Hostname

We would like to calculate the bytes in the Firewall index and display the Hostname of the SourceIP by correlating with the AD index. Here is an example of our query, which does not work well:

(index=Firewall OR index=AD) sourcetype=A OR sourcetype=B
| eval TotalBandwidth = round((Bytes)/1024/1024,2)
| stats sum(TotalBandwidth) as "Total Bandwidth", latest(Hostname) as Hostname by SourceIP
| sort 10 - "Total Bandwidth"

When we run the above query, we are able to display what we want, but some of the results contain unwanted Hostnames. We tried to filter the Hostname by using | where Hostname!=" ", but the result is messed up. Another query that we have generated is:

(index=Firewall sourcetype=A SourceIP=* Bytes=*) OR (index=AD sourcetype=B SourceIP=* Hostname=*)
| fields index SourceIP Bytes SourceIP Hostname
| eval SourceIPNew=coalesce(SourceIP, SourceIP)
| eval TotalBandwidth = round((Bytes)/1024/1024,2)
| stats sum(TotalBandwidth) as "Total Bandwidth", values(Hostname) as Hostname by SourceIPNew

This is also not working. Please advise us. Thank you.
I tried to edit a lookup file through the Lookup File Editor, but the message below is shown:

The file is too big to be edited (must be less than 10 MB)

Is there any workaround other than reducing the lookup file size?
The Machine Agent log shows the error below. We have restarted the Machine Agent and the issue still persists. Can someone help in fixing this?

[system-thread-0] 07 Mar 2022 00:20:17,926 INFO SimAgentRepetitiveLoggingModule - The turnover time for the SIM agent repetitive logger is 5 minutes
[system-thread-0] 07 Mar 2022 00:20:17,926 INFO SimAgentRepetitiveLoggingModule - The cache size for the SIM agent repetitive logger is 1000
[system-thread-0] 07 Mar 2022 00:20:17,926 INFO SystemAgent - ####################################################################################
[system-thread-0] 07 Mar 2022 00:20:17,926 INFO SystemAgent - Agent Install Directory [C:\Program Files\AppDynamics\AppD_Infra_Monitoring]
[system-thread-0] 07 Mar 2022 00:20:17,926 INFO SystemAgent - Using Agent Version [Machine Agent v4.4.3.1214 GA Build Date 2018-04-28 05:12:10]
[system-thread-0] 07 Mar 2022 00:20:17,926 INFO SystemAgent - JVM Runtime: java.home=c:\program files\appdynamics\appd_infra_monitoring\jre java.vm.vendor=Oracle Corporation java.vm.name=Java HotSpot(TM) 64-Bit Server VM java.runtime.version=1.8.0_111-b14 java.io.tmpdir=C:\Windows\TEMP\ user.language=en user.country=US user.variant= Default locale=en_US
[system-thread-0] 07 Mar 2022 00:20:17,926 INFO SystemAgent - OS Runtime: os.name=Windows Server 2012 os.arch=amd64 os.version=6.2 user.name=<servername is removed>$ user.home=C:\Windows\system32\config\systemprofile user.dir=C:\Program Files\AppDynamics\AppD_Infra_Monitoring\bin
[system-thread-0] 07 Mar 2022 00:20:17,926 INFO SystemAgent - JVM Args : -Dexe4j.semaphoreName=Local\c:_program_files_appdynamics_appd_infra_monitoring_bin_machineagentservice.exe0 | -Dexe4j.isService=true | -Dexe4j.moduleName=C:\Program Files\AppDynamics\AppD_Infra_Monitoring\bin\MachineAgentService.exe | -Dexe4j.tempDir=C:\Windows\TEMP\e4j9F57.tmp_dir1646630412 | -Dexe4j.unextractedPosition=316127 | -Djava.library.path=D:\apps_srv\webagent\win32\bin;D:\apps_srv\webagent\win64\bin;D:\apps_srv\webagent\win64\install_config_info\lib;D:\apps_srv\webagent\win64\bin;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\IBM\ITM\InstallITM;;C:\Program Files\BMCperform\Patrol3\BEST1\11.5.00\bgs\bin;C:\Windows;C:\Windows\system32;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\IBM\ITM\bin;C:\IBM\ITM\TMAITM6;C:\Program Files\PKWARE\pkzipc;C:\Program Files\NCache\bin\tools;;c:\program files\appdynamics\appd_infra_monitoring\jre\bin | -Dexe4j.consoleCodepage=cp0 | -Dlog4j.configuration=file:..\conf\logging\log4j.xml | -XX:-CreateMinidumpOnCrash | -Xrs |
[system-thread-0] 07 Mar 2022 00:20:17,926 INFO SystemAgent - Machine Agent is resolving bootstrap info....
[system-thread-0] 07 Mar 2022 00:20:17,942 INFO SystemAgent - Orchestration is disabled - disabling virtualization resolvers by default.
[system-thread-0] 07 Mar 2022 00:20:17,942 INFO SystemAgent - Full Agent Registration Info Resolver found system property [appdynamics.agent.create.agent.info.if.missing] for appdynamics.agent.create.agent.info.if.missing [false]
[system-thread-0] 07 Mar 2022 00:20:17,942 INFO SystemAgent - Default Host Identifier Resolver using host name for unique host identifier [<servername is removed>]
[system-thread-0] 07 Mar 2022 00:20:18,445 INFO SystemAgent - Default IP Address Resolver found IP addresses [[169.171.32.81, 169.254.128.132]]
[system-thread-0] 07 Mar 2022 00:20:18,445 INFO SystemAgent - Full Agent Registration Info Resolver using selfService [false]
[system-thread-0] 07 Mar 2022 00:20:18,445 INFO SystemAgent - Full Agent Registration Info Resolver using application name [null]
[system-thread-0] 07 Mar 2022 00:20:18,445 INFO SystemAgent - Full Agent Registration Info Resolver using tier name [null]
[system-thread-0] 07 Mar 2022 00:20:18,445 INFO SystemAgent - Full Agent Registration Info Resolver using node name [null]
[system-thread-0] 07 Mar 2022 00:20:18,445 INFO SystemAgent - XML Controller Info Resolver found controller host [appdync-nam-icg-p1.wlb2.nam.nsroot.net]
[system-thread-0] 07 Mar 2022 00:20:18,445 INFO SystemAgent - XML Controller Info Resolver found controller port [8181]
[system-thread-0] 07 Mar 2022 00:20:18,445 INFO SystemAgent - XML Agent Account Info Resolver using account name [customer1]
[system-thread-0] 07 Mar 2022 00:20:18,445 INFO SystemAgent - XML Agent Account Info Resolver using account access key [****]
[system-thread-0] 07 Mar 2022 00:20:18,523 WARN FrameworkBootstrap - Failed to start framework
com.google.inject.CreationException: Unable to create injector, see the following errors:

1) Error injecting constructor, java.lang.NoClassDefFoundError: org/apache/commons/fileupload/FileUploadException
  at com.singularity.ee.agent.systemagent.SystemAgent.<init>(SystemAgent.java:50)
  at com.appdynamics.agent.sim.legacy.LegacyAgentModule.configure(LegacyAgentModule.java:59)
  while locating com.singularity.ee.agent.systemagent.SystemAgent

Caused by: java.lang.NoClassDefFoundError: org/apache/commons/fileupload/FileUploadException
  at com.singularity.ee.agent.systemagent.Agent.setupHttpClientWrapper(Agent.java:265)
  at com.singularity.ee.agent.systemagent.Agent.<init>(Agent.java:248)
  at com.singularity.ee.agent.systemagent.SystemAgent.<init>(SystemAgent.java:42)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
  at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
  at com.google.inject.internal.DefaultConstructionProxyFactory$2.newInstance(DefaultConstructionProxyFactory.java:86)
  at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:105)
  at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
  at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
  at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
  at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
  at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
  at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
  at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
  at com.google.inject.internal.InternalInjectorCreator$1.call(InternalInjectorCreator.java:205)
  at com.google.inject.internal.InternalInjectorCreator$1.call(InternalInjectorCreator.java:199)
  at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1092)
  at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:199)
  at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:180)
  at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:110)
  at com.google.inject.internal.InjectorImpl.createChildInjector(InjectorImpl.java:226)
  at com.appdynamics.voltron.FrameworkBootstrap.createInjector(FrameworkBootstrap.java:105)
  at com.appdynamics.voltron.FrameworkBootstrap.start(FrameworkBootstrap.java:162)
  at com.appdynamics.agent.sim.main.SecondStageSystem.start(SecondStageSystem.java:175)
  at com.appdynamics.agent.sim.main.SecondStageSystem.loadFeatures(SecondStageSystem.java:128)
  at com.appdynamics.agent.sim.main.SecondStageSystem.access$000(SecondStageSystem.java:48)
  at com.appdynamics.agent.sim.main.SecondStageSystem$1.run(SecondStageSystem.java:115)
  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
  at java.util.concurrent.FutureTask.run(FutureTask.java:266)
  at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
  at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
  at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.fileupload.FileUploadException
  at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
  at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
  ... 36 more
I have the following Splunk fields: Date, Group, State. State can have the following values: InProgress|Declined|Submitted. I would like to get the following result:

Date        Group  TotalInProgress  TotalDeclined  TotalSubmitted  Total
-----------------------------------------------------------------------
12-12-2021  A      13               10             15              38

I couldn't figure it out. Any help would be appreciated.
I have a log like below:

index=login sourcetype=login new_user=1

I also have logs without the new_user label:

index=login sourcetype=aa

What's the difference between a search which specifies the sourcetype:

index=login sourcetype=login new_user=1

and one that does not specify the sourcetype and just uses new_user, like:

index=login new_user=1

I wonder which one is faster or performs better, and why? And if I make new_user=1 a sourcetype, does

index=login sourcetype=new_user

perform better than

index=login sourcetype=login new_user=1

Thank you in advance.
Hi, I have results from my mail index; say the logs look like below:

sender=abc recipient=xyz@sample.com,ghi@nonsample.com country=abc
sender=def recipient=team@nonsample.com country=xyz
sender=gfh recipient=tip@nonsample.com country=efg
sender=abc recipient=none@sample.com,sample@nonsample.com country=pqr

I want to show in a table only the non-comma-separated recipients (as highlighted in bold, where there are no multiple recipients). Can someone help me with this?
Can we suppress the trigger actions of an alert on its first trigger, and then the next time the alert triggers, have it perform the trigger actions? Please advise whether this is doable and how to configure it. Thanks a ton!
As the title suggests, I want to index data from the inbox folder of a Splunk user's email account. Splunk version: 8.2.4. I have already checked out the TA-mailclient and IMAP Mailbox add-ons, but neither of them works and both are unsupported. In the first add-on, no matter how many times I change the attribute disabled to 0 in inputs.conf, it goes back to 1 after a restart. In the second add-on, after using the troubleshooting command, I get the following error:

  File "/opt/splunk/etc/apps/IMAPmailbox/bin/get_imap_email.py", line 104
    self.port = 993
    ^
TabError: inconsistent use of tabs and spaces in indentation

Hence, can someone please advise how best to achieve this?
I am using 2 lookup tables to correlate and combine data to create a new .csv. In this process, I have a field that has numerical values in it that I want to sum based on the values of another field. The raw data looks something like this:

stage,resource,hours
x,rick,1
x,rick,10
x,dave,1
y,rick,5
y,dave,3
y,dave,8

I want the output to look like:

x,rick,11
x,dave,1
y,rick,5
y,dave,11

Below is the search I have. It almost works, but it does not sum the totals for rick and dave individually; it sums them all, so the output looks like:

x,rick,12
x,dave,12
y,rick,16
y,dave,16

|inputlookup mod_master
|lookup lookuptable1 Engagement OUTPUTNEW ResourceLastName,RegularHours
| eval Resource=mvdedup(ResourceLastName)
| mvexpand Resource
| eval Hours=sum(RegularHours)
| fillnull value=0 Hours
| table Stage,Resource,Hours

How can I change the logic in this search so I get the correct individual sums for Rick and Dave and not the combined total for each? Thank you in advance!
Hello everyone, when I imported the entities, the operating system family value was mapped to 'Entity Type'. I'm currently setting up a couple of services, one for Linux and another for Windows. In the Entity Rules builder, I can't find a way to include a condition 'Entity Type matches Windows Server'. Is that really so? (A bit surprised.) It seems to me I'll have to re-import the entities (using the update option) with an extra field for OS Family and set it as an informational field. Any hints or tips are welcome! Thanks!
I'm trying to see if there is a report or a query I can run to sum up all the events in all the indexers with a monthly total. I tried this, but I'm not sure if it is the right search:

index=* | stats count by Period
I am using timewrap to get the info for the last 3 weeks and show the data for each of the 3 weeks in 3 different pie charts (when I activate the trellis layout). Although the data is correct, the charts show incorrect dates: they show the dates of the current week for the previous week and the week before that too. How would I make it show each week's data in 3 pie charts, each with 7 days of data?

index=mysearch earliest=-21d@d latest=@d | timechart count span=1d | timewrap w