All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Topics

How to divide a value from a string into fields?

by in Splunk Search
‎01-28-2022 03:03 AM
‎01-28-2022 03:03 AM
I have value in field: value: 10,5 CC,00136;CY,00004;JE,00004;QK,00004 Where  CC,CY,JE - type message and there are more of them than in example 00136,00004 - number of message But I need to ge... See more...
I have value in field: value: 10,5 CC,00136;CY,00004;JE,00004;QK,00004 Where  CC,CY,JE - type message and there are more of them than in example 00136,00004 - number of message But I need to get table: Type Count CC 136 CY 4 JE 4   How can i do it with SPL language?
Labels

Can we use only static values or is it possible to use dynamic values from a radar search?

by in Splunk Enterprise
‎01-28-2022 02:27 AM
‎01-28-2022 02:27 AM
Hi! Concerning the chart radar, I would like to know if we have to use only static values like below or if it is possible to use dynamic values from a search?       | makeresults | eval ke... See more...
Hi! Concerning the chart radar, I would like to know if we have to use only static values like below or if it is possible to use dynamic values from a search?       | makeresults | eval key="current", "Business Value"=.37, Enablement=8.64, Foundations=2.56, Governance=1.68, "Operational Excellence"=4.992, "Community"=9.66 | untable key,"axis","value" | eval keyColor="magenta"       If we can use only static values, how to combine many different key? thanks

How to customize bar chart or time chart based based on time?

by in All Apps and Add-ons
‎01-28-2022 02:23 AM
‎01-28-2022 02:23 AM
How to set the width of the bar chart panel ? For example  if huge data comes the horizontal slider moves left to right and if less data occurs scroll bar will be hidden based on the drilldown "CAS... See more...
How to set the width of the bar chart panel ? For example  if huge data comes the horizontal slider moves left to right and if less data occurs scroll bar will be hidden based on the drilldown "CASE" condition we need to check (Multi-Value Dropdown) please help me with the solution ,Thanks in Advance 
Labels

how to sum different fields

by in Splunk Enterprise
‎01-28-2022 02:01 AM
‎01-28-2022 02:01 AM
hi   what I have to do for doing a total sum of the 3 fields? Thanks   | stats count(toto) as 1, count(tutu) as 2 count(titi) as 3 by site    

Splunk performance issue

by in Other Usage
‎01-28-2022 01:58 AM
‎01-28-2022 01:58 AM
Especially when alot of collegues have our dashboard opened we get a lot of delayed searches, and our deployment becomes terribbly slow! We have quite a beefy machine but it still seems to eat all of... See more...
Especially when alot of collegues have our dashboard opened we get a lot of delayed searches, and our deployment becomes terribbly slow! We have quite a beefy machine but it still seems to eat all of it's CPU. Is there any search finetuning we can do to get a quicker deployment?
Labels

Desktop Widgets

by in Splunk Dev
‎01-28-2022 01:54 AM
‎01-28-2022 01:54 AM
I need an example of how to create desktop widgets of Splunk dashboards. It should auto run in the background when we work on other applications. 

help on timechart

by in Splunk Enterprise
‎01-28-2022 01:14 AM
‎01-28-2022 01:14 AM
hello I need to do a timechart from a stats count  this stats count is used to pre filter events (sante=OK) index=toto sourcetype=tutu | stats count(hang) as hang, count(crash) as crash, count(we... See more...
hello I need to do a timechart from a stats count  this stats count is used to pre filter events (sante=OK) index=toto sourcetype=tutu | stats count(hang) as hang, count(crash) as crash, count(web) as web by site | eval sante=if((hang>5) AND (crash>2) AND (webduration>=1), "OK","KO") | search sante=OK  Now I wonder how to do to timechart these events? Thanks

How to customize bar chart or time chart based based on time?

by in All Apps and Add-ons
‎01-28-2022 12:41 AM
‎01-28-2022 12:41 AM
How to set the width of the bar chart panel ? for example  if huge comes comes the horizontal slider moves left to right and if less data occurs scroll bar will be hidden please help me with the ... See more...
How to set the width of the bar chart panel ? for example  if huge comes comes the horizontal slider moves left to right and if less data occurs scroll bar will be hidden please help me with the solution ,Thanks in Advance 
Labels

How could I pass different search commands to different cells at one row using drilldown on dashboard?

by in Dashboards & Visualizations
‎01-28-2022 12:34 AM
‎01-28-2022 12:34 AM
Hi, all! I am very confused with drilldown right now. I hope to set three different search commands to three columns on the table using drilldown! But right now, when I click one of these cells, it... See more...
Hi, all! I am very confused with drilldown right now. I hope to set three different search commands to three columns on the table using drilldown! But right now, when I click one of these cells, it will jump to one result. I don't know how I could edit the simple XML to feed the requirements.  
Labels

Splunk data doesn't split correctly

by in Splunk Search
‎01-27-2022 11:31 PM
‎01-27-2022 11:31 PM
Hi Splunk team,  When I used Splunk to search the log data and found it didn't split correctly, It displayed as below: The two data have been combined together, Can anyone has some suggestions ... See more...
Hi Splunk team,  When I used Splunk to search the log data and found it didn't split correctly, It displayed as below: The two data have been combined together, Can anyone has some suggestions do this situation? appreciate it.
Labels

Help on onboarding data

by in All Apps and Add-ons
‎01-27-2022 11:16 PM
‎01-27-2022 11:16 PM
Hi All, How to onboard Tandem XMA data to splunk?
Labels

After Eventstats two events are clubbed to a single row. how to ignore second event

by in Splunk Search
‎01-27-2022 07:54 PM
‎01-27-2022 07:54 PM
Below column has two values after eventstats command. i want to ignore the second events "Passed" from the column "Value". i tried Mvexpand  to spilt but i totally dont want since i cant use dedup to... See more...
Below column has two values after eventstats command. i want to ignore the second events "Passed" from the column "Value". i tried Mvexpand  to spilt but i totally dont want since i cant use dedup to remove duplicates    
Labels

Is there "Microsoft Office 365 Reporting Add-on for Splunk" support for jQuery 3.5?

by in All Apps and Add-ons
‎01-27-2022 07:37 PM
‎01-27-2022 07:37 PM
We are currently using "Microsoft Office 365 Reporting Add-on for Splunk" in Splunk Cloud. https://splunkbase.splunk.com/app/3720/ According to the "Upgrade Readiness App", this Add-on does not s... See more...
We are currently using "Microsoft Office 365 Reporting Add-on for Splunk" in Splunk Cloud. https://splunkbase.splunk.com/app/3720/ According to the "Upgrade Readiness App", this Add-on does not support jQuery 3.5 yet. Does anyone know if there is a plan to support it? Or are there any other Add-ons that can retrieve o365 email logs? Thank you.
Labels

Splunk SHC cluster bundle with ES errors: What configs can I change to increase this limit so I can use my SHC Deployer?

by in Splunk Enterprise
‎01-27-2022 07:17 PM
3 Karma
‎01-27-2022 07:17 PM
3 Karma
I have an SHC and I am using an SHC Deployer to deploy apps to it. Those apps include Splunk ES which is very large. The latest 7.0.0 update for ES may be so large that it causes errors when I apply ... See more...
I have an SHC and I am using an SHC Deployer to deploy apps to it. Those apps include Splunk ES which is very large. The latest 7.0.0 update for ES may be so large that it causes errors when I apply the cluster bundle. I have tried increasing max_content_length in [httpServer] in server.conf, this did not work. What configs can I change to increase this limit so I can use my SHC Deployer? It seems odd that I can't deploy an unmodified ES installation according to the documentation because it's beyond Splunk's limits.      splunk apply shcluster-bundle -target xxx -auth xxx Error while deploying apps to target=xxx with members=x: Error while updating app=Splunk_SA_Scientific_Python_Linux_x86_64 on target=xxx: Non-200/201 status_code=413; {"messages":[{"type":"ERROR","text":"Content-Length of 2147484959 too large (maximum is 2147483648)"}]},...repeated for each member        

Extract erros from logs

by in Splunk Search
‎01-27-2022 06:46 PM
‎01-27-2022 06:46 PM
Hi, I'm new to Splunk and I would like to get top errors on a table, but the external API returns a stack tracing making it difficult to work on it. I'm trying to make a regex that groups those err... See more...
Hi, I'm new to Splunk and I would like to get top errors on a table, but the external API returns a stack tracing making it difficult to work on it. I'm trying to make a regex that groups those errors by error code "*Return code: [<code>]*"( letting it work with other errors), than count it. Could you help me, please? 🥺
Labels

Using Eval to Filter Values

by in Splunk Search
‎01-27-2022 03:39 PM
‎01-27-2022 03:39 PM
Hello Splunkers -  I am trying to filter any value that is wrapped in $, such as $host$or $value$.  I thought the below would work, but it is not.  Can someone point out what I am doing wrong?  Th... See more...
Hello Splunkers -  I am trying to filter any value that is wrapped in $, such as $host$or $value$.  I thought the below would work, but it is not.  Can someone point out what I am doing wrong?  Thanks! | eval dollar_sign=if(host_value=="$host$" OR host_value=="$value$", "yes", "no") | search NOT dollar_sign=yes
Labels

rex for http2 field in log

by in Splunk Search
‎01-27-2022 02:15 PM
‎01-27-2022 02:15 PM
In the following log entry as "_raw": "OPTIONS /nnrf-nfm/v1 HTTP/2.0" 405 173 "-" "gmlc-http-client/2.0" "-"   I have successful rex for the "405" error field location and "173" error field locati... See more...
In the following log entry as "_raw": "OPTIONS /nnrf-nfm/v1 HTTP/2.0" 405 173 "-" "gmlc-http-client/2.0" "-"   I have successful rex for the "405" error field location and "173" error field location. I would like to build a rex to identify the "gmlc-http-client" section of that log entry.  (That field can show several different client types between those quotes.) My rex is as follows: rex field=_raw "HTTP\/2\.0\"\s\d{3}\s\d{3}\s\"\-\"\s\"(?<Error3>)\"\s\"\-\"" This rex does not error, but the result comes back as null/blank.  
Labels

Data model tags whitelist- Should I add tags used inside constraints on my own?

by in Getting Data In
‎01-27-2022 11:14 AM
‎01-27-2022 11:14 AM
Hi all, I installed the Splunk CIM on my Splunk instance and I've a doubt regarding tags whitelisting. The docs says that (https://docs.splunk.com/Documentation/Splunk/8.2.4/Knowledge/Designdatam... See more...
Hi all, I installed the Splunk CIM on my Splunk instance and I've a doubt regarding tags whitelisting. The docs says that (https://docs.splunk.com/Documentation/Splunk/8.2.4/Knowledge/Designdatamodelobjects This means that the tags whitelist configuration in Splunk CIM settings must have at least tags used within the constraints used in the specific datamodel. Let's do an example with Authentication datamodel. This is the default tags whitelist configuration after installing the app: And this is the root dataset constraint: How you can see, the tag authentication used as root constraint isn't by default one of whitelisted tags for Authentication datamodel. Shall I add tags used inside constraints on my own? Or is there something I'm missing? Thanks a lot
Labels

universal forwarder setup wizard ended prematurely 8.2.4

by in Installation
‎01-27-2022 10:59 AM
‎01-27-2022 10:59 AM
universal forwarder setup wizard ended prematurely 8.2.4  
Labels

Not able to export in preferred time zone

by in Getting Data In
‎01-27-2022 10:43 AM
‎01-27-2022 10:43 AM
I'm having an issue on my SHC, running a simple stats count by _time for any particular index, the _time comes through with my preferred time zone set in my preferences, when I go to export it to a C... See more...
I'm having an issue on my SHC, running a simple stats count by _time for any particular index, the _time comes through with my preferred time zone set in my preferences, when I go to export it to a CSV file it reverts back to local time zone. Anyone know why this would be happening?
Labels