All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Greetings, I recently uploaded my new term license. However, I noticed the following message: "* 1 cle_pool_over_quota message reported by 1 indexer - correct by midnight to avoid warning". However, my company purchased a sizable term license. Is this message safe to ignore? I cannot provide a screenshot because I am operating on an airgapped network. Furthermore, is there a way to mitigate this alert to prevent receiving a warning? Again, we have a very large license and our quota is nowhere near our volume limit. Is it somehow related to updating my license? As I mentioned, I recently updated the new term license to replace the license that is set to expire. Or should I delete the pool from the previous license and create a new one associated with the new term license? Thank you.
I work in a large environment, Splunk Ent + ES (SH & Indexer clustered). I need to see what network servers are viewed / contained / monitored in any of the indexes. Any help / SPLs are much appreciated.
Hello! I would like to have timechart span configurable from the dashboard UI (e.g. via using dropdown field values), but I am not sure how to set it up. Any help would be much appreciated!
I have some data that their event field is sometimes... lengthy (not always) so when I try to tag the events of interest, I am not allowed (presented with the error 'Parameter "name" must be less than 1024 characters.'). Is there a workaround or a better way of tagging those events?
Hello, I am stuck and need assistance regarding the topic below. I have a dashboard with a multiselect filter. When I click on the drilldown view, the URL is not converting "%20" to "&". This is the result URL when I click the drilldown view: https://.....&form.token1=value1%26form.TPC_1%3Dvalue2 This same code and logic is working for tables and stats. I have used the same code there and it is working fine. But in this dashboard I have used Chart and here it is not working. The correct result that I should get is https://.....&form.token1=value1&form.TPC_1=value2 I am not sure why %26 is not converted to "&" and %3D to "=". And in the filter, we can see this is converted to & and = but not in the URL. Due to copyright issue, I have replaced the original value to Value1 and token as field1. Below is the code used for the drilldown link: <condition> <eval token="trans_field1">replace("".$form.field1$,",","&amp;form.field1="</eval> <link target="_blank">$details_dashboard$?form.field1=$trans_field1$</link> </condition> Any workaround?
Hi Experts, We performed "check_for_vulnerable_javascript_library_usage" check for our add-on app. As per report we need to upgrade jquery version. We have one common.js file which is minified js and located in following directory - appserver/static/js/build/common.js Could you please suggest how can we upgrade the jquery version in this minified js file? I went through article - https://dev.splunk.com/enterprise/docs/developapps/visualizedata/updatejquery/?_ga=2.112247757.872217667.1643345201-285550.1643345200 but the steps mentioned here aren't applicable in my case. I am add-on app's tgz file and need to update the jquery version. Appreciate any inputs on this. Best regards, Saurabh
Hi all, I'm attempting to create a graph that plots the total number of events over time. I have tried various usages of timechart, which do not have the desired effect. sourcetype=* index=* | timechart span=1h count This yields the following result: The total number of events in this example is 16, however the data points on the graph correspond to imports and go from 0 -> 13 -> 3. Is there any way I can plot the total number of events over time (so the 3 data point actually becomes 16)? Thanks in advance for any assistance.
Platform has been live for close to two years. Firewall ports are still open. MTU is still 1500 and has not been changed. No error in the OS logs. 3 of my nine clusters started doing this. In fact 7 out of 9 have search factor not met errors. Which were fixed by putting CM into main, manual rolling restart of the Indexer and restarting CM and taking it out of Main mode. But I am left with three with 1000's of bucket fix ups and this error now.
I have value in field: value: 10,5 CC,00136;CY,00004;JE,00004;QK,00004 Where CC,CY,JE - type message (and there are more of them than in example), 00136,00004 - number of message. But I need to get table: Type Count CC 136 CY 4 JE 4 How can I do it with SPL language?
Hi! Concerning the chart radar, I would like to know if we have to use only static values like below or if it is possible to use dynamic values from a search? | makeresults | eval key="current", "Business Value"=.37, Enablement=8.64, Foundations=2.56, Governance=1.68, "Operational Excellence"=4.992, "Community"=9.66 | untable key,"axis","value" | eval keyColor="magenta" If we can use only static values, how to combine many different key? Thanks
How to set the width of the bar chart panel? For example, if huge data comes the horizontal slider moves left to right and if less data occurs scroll bar will be hidden. Based on the drilldown "CASE" condition we need to check (Multi-Value Dropdown). Please help me with the solution. Thanks in advance.
Hi, what do I have to do for doing a total sum of the 3 fields? Thanks | stats count(toto) as 1, count(tutu) as 2 count(titi) as 3 by site
Especially when a lot of colleagues have our dashboard opened we get a lot of delayed searches, and our deployment becomes terribly slow! We have quite a beefy machine but it still seems to eat all of its CPU. Is there any search finetuning we can do to get a quicker deployment?
I need an example of how to create desktop widgets of Splunk dashboards. It should auto run in the background when we work on other applications. 
Hello, I need to do a timechart from a stats count. This stats count is used to pre filter events (sante=OK): index=toto sourcetype=tutu | stats count(hang) as hang, count(crash) as crash, count(web) as web by site | eval sante=if((hang>5) AND (crash>2) AND (webduration>=1), "OK","KO") | search sante=OK Now I wonder how to do to timechart these events? Thanks
How to set the width of the bar chart panel? For example, if huge data comes the horizontal slider moves left to right and if less data occurs scroll bar will be hidden. Please help me with the solution. Thanks in advance.
Hi, all! I am very confused with drilldown right now. I hope to set three different search commands to three columns on the table using drilldown! But right now, when I click one of these cells, it will jump to one result. I don't know how I could edit the simple XML to feed the requirements.  
Hi Splunk team, When I used Splunk to search the log data, I found it didn't split correctly. It displayed as below: The two data have been combined together. Does anyone have some suggestions for this situation? Appreciate it.
Hi All, How to onboard Tandem XMA data to Splunk?
Below column has two values after eventstats command. I want to ignore the second events "Passed" from the column "Value". I tried Mvexpand to split but I totally don't want that since I can't use dedup to remove duplicates