This gives me data in integers; I want to calculate percentages. How can we do it?

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d") | bin _time span=1d | chart count(incident_number) as IncidentCount over _time by hasAppBlueprints
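An added example of one way to turn the day-by-day counts into percentages; this is not the poster's search. It assumes opened_time is an epoch value (the eval that copies it into _time depends on that) and that cbp_inc_base emits the same fields the poster's search uses. The percentage is computed with stats and eventstats before the result is pivoted, because chart on its own only produces counts:

```spl
| savedsearch cbp_inc_base
| eval _time=opened_time
| bin _time span=1d
| stats count(incident_number) as IncidentCount by _time hasAppBlueprints
| eventstats sum(IncidentCount) as DayTotal by _time
| eval Pct=round(100*IncidentCount/DayTotal, 2)
| xyseries _time hasAppBlueprints Pct
```

Passing strftime() output into _time, as the original search does, turns _time into a string, and bin cannot bucket a string; assigning the epoch value and letting bin span=1d do the day grouping avoids that. eventstats keeps every row while adding the per-day total, so each count can be divided by its own day's total before xyseries lays the hasAppBlueprints values out as columns.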
Hi, I have a JSON event like below. For each "Build Version", which runs on a weekly/daily basis, it will try to install different apps ("appName" in the JSON) and reports the app's "Application install status" as "success" or "failure", similarly for "Application launch status", and the "apkAnalysed" status as "Analysed" or "Not Analysed". Now I want a dashboard that looks like below: for each "Build Version", how many have success and failure status, and "apkAnalysed" status as "Analysed", in 3 stacks. Is this possible in Splunk? I have tried plotting using the chart option but it doesn't help.

{
  "Device Details": {
    "Device": "",
    "Build Version": "build_01",
    "Application install status": "success",
    "Application launch status": "Success"
  },
  "apkAnalysed": "Analysed",
  "id": "googleplay",
  "appName": "whatsapp",
  "appStore": "googleplay",
  "timeStamp": 0,
  "md5sum": "",
  "packageName": "",
  "date": "2021-12-09",
  "downloadPath": "https: xxxx",
  "apkAnalytics": ""
}

TIA
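An added example, not taken from the post, of a search that produces one row per Build Version with the three counts the poster describes. The index and sourcetype are placeholders to be replaced with the poster's own; the nested field names come from the JSON in the post. Because the post shows the status values with inconsistent case ("success" vs "Success"), the comparison is done on a lower-cased copy:

```spl
index=<your_index> sourcetype=<your_sourcetype>
| spath
| rename "Device Details.Build Version" as build_version
| eval install_status=lower('Device Details.Application install status')
| stats count(eval(install_status="success")) as install_success,
        count(eval(install_status="failure")) as install_failure,
        count(eval(apkAnalysed="Analysed")) as apk_analysed
  by build_version
```

Rendered as a Column Chart with stack mode enabled, each of the three count fields becomes one segment of the stacked bar for that build_version. Splitting the counts with count(eval(...)) rather than with a by clause is what keeps the result in the one-row-per-build shape a stacked chart needs.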
Can anyone confirm if MongoDB is supported for custom Metrics? I don't find a MongoDB type in the options.
Hi, I can only find old articles on this, so apologies if I've missed something... Does anyone use Splunk for FIX.5.0? I can only find a now-archived app which we are thus far unable to get working in our environment. Any guidance/suggestions would be most welcome. Thanks
I get a number from a subsearch but get null for a string, like below, on Splunk 8.1.4. I found a Splunk Answer that resolved this by appending "format", but it is not resolved for me. Is it a bug on 8.x?

| makeresults
| eval foo = [ | makeresults | eval foo="123" | return $foo ]
| eval bar = [ | makeresults | eval bar="bar" | return $bar ]
| eval baz = tostring([ | makeresults | eval baz="baz" | return $baz ])
| eval qux = tostring([ | makeresults | eval qux="qux" | return $qux | format ])
| table _time foo bar baz qux
Hi, I have a requirement like this: there are two panels, in which the 1st one has Success and Failure as column names, and on click of the Success or Failure count a drilldown panel should show the result. Success and failure are categorized by the values below in the logs:

statusCode = 200, then it is success
statusCode = 400 or 500, then it is failure

As said above, the drilldown panel should show the result on selection of the Success/Failure count. I tried with the below query; it is not working. I have a token $col$ which gets the selection of that column name (Success/Failure). The query is:

message.flow="individual" | eval status=$col$| eval source= case(status=="Success",200,status=="Failure",400 OR 500) | message. statusCode= source| table time,details, message. statusCode

Kindly help with fixing it. The parameter value of source should be passed to message.statusCode.
Hello Splunkers, is there any way to change that red box name as a test? Thank you in advance
Hi Folks, is there a way to analyze the bandwidth used between the search heads and the indexer cluster peers? I know this has many dependencies on the search and its artifacts, but we do need to have a rough calculation to size the environment. Any help is appreciated. Cheers, Claudio
Hi, I am new to this... I want to identify the top 5 usage days, and from that I want to drill down to how many visitors are accessing that application, how many page views are happening, and which JSP/ASP pages are most accessed by end users. Please suggest me the query.
Hi, I use a basic search which returns results by site:

| stats count(x) as x, count(y) as y by site

In a lookup I also have a site list:

| inputlookup site.csv

Now I would like to display in a table panel the sites that exist in the lookup but not in the search. Is it possible to do this? Thanks
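An added example of one way to list the sites present in site.csv but absent from the search results; this is not the poster's search. It assumes the lookup has a column named site that matches the site field the stats command produces, and that the poster's base search is substituted for the placeholder on the first line:

```spl
<your base search>
| stats count(x) as x, count(y) as y by site
| eval in_search=1
| append
    [| inputlookup site.csv
     | fields site
     | eval in_lookup=1]
| stats values(in_search) as in_search, values(in_lookup) as in_lookup by site
| where in_lookup=1 AND isnull(in_search)
| table site
```

Both sides are tagged with a marker field, appended, and collapsed with stats by site, so a site that only came from the lookup ends up with in_lookup set and in_search null. This form avoids the shorter `| inputlookup site.csv | search NOT [ ... ]` pattern, whose subsearch is subject to the result-count and runtime limits that truncate large site lists silently.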
Hi, I am looking for one match condition. Here is my requirement:

<condition match="&quot;boilerrole&quot;== IN('$result.roles$')">
  <set token="boiler">true</set>
  <unset token="turbine"></unset>
</condition>

If my boilerrole matches any of the values in "result.roles" (result.roles contains a result of multiple roles), my "boiler" token should be true. Is it possible? The above query did not work for me. Can anyone help me?
It configures the timestamp to be the date when I uploaded the file. I want the timestamp to be like the highlighted one. How can I do that?
If I run the following command on an indexer after stopping Splunk, and my terminal session times out after a few hours but before the process finishes, does the repair process continue to run or will it stop? If it continues to run, will the result be saved in some log file? If yes, which one?

splunk fsck repair --all-buckets-all-indexes
I am trying to figure out why my Y-axis values are not showing. I've tried the below configuration, but still no luck.

"charting.axisTitleY.visibility": "visible",
"charting.axisLabelsY.axisVisibility": "show",
"charting.axisLabelsY.integerUnits" : "true",
"charting.axisY.fields" : "true",
Hi Team, how do I write the time format for 2021-07-30T03:22:00.0000000Z? The below one is not working: %Y-%m-%dT%H:%M:%S.9N
Hi, all! I want to customize the search command when I click the element, but I don't know how to write the search using values from the clicked element, like the Auto function does. For example, here's my dashboard, and I hope that when I click on one of the Call_Session_ID values, it will jump to a search which combines the four different times with the same Call_Session_ID. Thanks a lot for your help!
Hi Team, a former team configured the add-on for Active Directory and it has not been working for at least a few months now. The dashboards now display the below error or "search auto-canceled".

External search command 'ldapsearch' returned error code 1. Script output = "error_message=socket connection error while opening: [Errno 111] Connection refused ".

Can you explain what this error means and what we can try to resolve it? Thanks, Mark.
I have a table like below from my Splunk query.

Request1_tps  Request1_avg  Request1_p95  Request1_p90  Request2_tps  Request2_avg  Request2_p95  Request2_p90
10            1             1.2           1.1           20            2             2.2           2.1

I need to convert the above table to the format below. Can you provide the search criteria for this? Thanks

API       tps  avg  p95  p90
Request1  10   1    1.2  1.1
Request2  20   2    2.2  2.1
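An added example, not from the post, of reshaping the single wide row into one row per request. It assumes the poster's existing search is substituted for the placeholder and that every column name has the form <API>_<stat>, as the table in the post shows; the row field is introduced only because untable needs a field to keep as the row identifier:

```spl
<your search that produces the wide one-row table>
| eval row=1
| untable row metric value
| rex field=metric "^(?<API>.+)_(?<stat>[^_]+)$"
| xyseries API stat value
| table API tps avg p95 p90
```

untable melts the eight columns into (metric, value) pairs, rex splits each metric name at its last underscore so an API name containing underscores survives intact, and xyseries pivots the stat values back into columns keyed by API. If the wide table has more than one row (for example one per time bucket), replace `eval row=1` with `streamstats count as row` and add row to the xyseries key, otherwise the rows collapse into one.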
We set up an Azure Event Hub to send logs to Splunk. We installed the Microsoft for Cloud Services add-on. We created an Azure Account and gave it a Reader role, with Azure Event Hubs Data Receiver assigned as well. We then linked that account in Splunk. We created a new Event Hub input in Splunk Cloud v8.2.2112.1. In Azure, we can see the Event Hub is sending messages, but they're not being received into Splunk. First question: what are the roles necessary for the Azure Account for this to work correctly? Second question: I see in documentation and on other sites people are using the connection string, but our window asks for the FQDN. We tried both, and neither works. Is there a specific format we have to use for the Event Hub Namespace (FQDN)? Finally, is there a query we can run in Splunk to search for errors associated with the Event Hub input? I tried to search using the sourcetype in the Event Hub input and no logs are returned.