All Topics


I have created a search that will trigger if no events from the following search are being returned:
    index=ipl_prod source="e:\\logs\\icc-application.log" sourcetype="log4j:ipl" operationName=hentOpptjeningsperioder status=OK
The search is only being triggered during business hours Monday to Friday; the problem is that I cannot instruct the cron schedule to not trigger on holidays. Holidays mean no activity, so to make it a bit easier to evaluate if this is a false positive or not I want to add to the email being sent statistics of all statuses. Then we know if no other statuses have been found either, it is safe to ignore.
    index=ipl_prod source="e:\\logs\\icc-application.log" sourcetype="log4j:ipl" operationName=hentOpptjeningsperioder status=OK [if no events then subsearch and return those events]
Hey All, I have data that needs to be ingested with multiple lines similar to the following:
    ************ Start Display Current Environment ************
    ***data***
    ***data***
    ***data***
    ************* End Display Current Environment *************
    [13/11/21 5:21:15:183 AEDT] 00000001 ***data***
    [13/11/21 5:21:15:276 AEDT] 00000001 ***data***
    [13/11/21 5:21:15:278 AEDT] 00000001 ***data***
    ************ Start Display Current Environment ************
    ***data***
    ***data***
    ***data***
    ************* End Display Current Environment *************
    [17/11/21 5:21:15:183 AEDT] 00000001 ***data***
    [17/11/21 5:21:15:276 AEDT] 00000001 ***data***
    [17/11/21 5:21:15:278 AEDT] 00000001 ***data***
Please note that the Start and End Display Current Environment lines are constant in length and how they start but belong to the timestamp after themselves. Is there a way to parse this data?
Is there an SPL idea that allows you to specify multiple conditions with "OR" and assign a control number to the search results for each condition?
=====SPL=====
    index=xxxx sourcetype=yyyy
    (ip=10.1.1.10 url=google.com earliest=1642899600 latest=1642900200 ) OR
    (ip=10.1.1.20 url=facebook.com earliest=1642849200 latest=1642849800 ) OR
    (ip= ・・・・
=====The expected search results=====
    NO,ip,url,_time
    1,10.1.1.10,google.com/xxx,2022-01-23 10:04:30
    2,10.1.1.20,facebook.com/xxxxx,2022-01-22 20:01:00
    2,10.1.1.20,facebook.com/xxxxx,2022-01-22 20:01:30
    3,・・・・
Hi, Is it possible to have two different Time Formats? Some logs are having the first time format and other logs are having second time format. Apart from datetime.xml, is there any other way?
    2022-01-24 02:27:20.989
    2022-01-24T02:27:20.989
Hi Splunkers, We have configured 3 new heavy forwarders in our Splunk Enterprise where 2 HFs were already working. Now we want traffic routed from the universal forwarder to all 5 HFs, but we are receiving traffic from only the old 2 HFs and not from the 3 newly introduced HFs. Telnet from UF to HF is working fine, and inputs and outputs are configured properly. Can anyone suggest a solution for this? Thanks.
    index=logs appname="nameofapp " url=somewebsitenamestring | stats count by user | sort - count | where count > 100
I would get results of 5 users and I want to initiate a different search using the results. Can you let me know how I can do it?
    index=logs appname="appname  " user="here i need those 5 user names  found in the results to be inserted   " url=*somewebsitenamestring | table _time user url
I would prefer to receive 5 individual CSV files for each user rather than one file with all 5 users' data. Thanks for your help, please let me know if this is possible.
Getting a strange error when starting my Spring Boot application. We have a large number of applications already running AppDynamics without problems but for one of them it does not work. The special thing with this app is that it uses Spring's LdapTemplate. The error:
    j.l.IllegalAccessError: Class javax/naming/directory/InitialDirContext(module java.naming) can not access class com/singularity/ee/agent/appagent/entrypoint/bciengine/FastMethodInterceptorDelegatorBoot(unnamed module 0x00000000EE842658) because module module java.naming does not read module unnamed module 0x00000000EE842658
        at j.n.d.InitialDirContext.search(InitialDirContext.java)
        at o.s.l.c.LdapTemplate$4.executeSearch(LdapTemplate.java:322)
        at o.s.l.c.LdapTemplate.search(LdapTemplate.java:363)
        at o.s.l.c.LdapTemplate.search(LdapTemplate.java:328)
        at o.s.l.c.LdapTemplate.search(LdapTemplate.java:604)
        at o.s.l.c.LdapTemplate.search(LdapTemplate.java:594)
        at o.s.l.c.LdapTemplate.search(LdapTemplate.java:482)
        at o.s.l.c.LdapTemplate.search(LdapTemplate.java:498)
        at o.s.l.c.LdapTemplate.search(LdapTemplate.java:514)
I have tried various combinations of add-opens, add-reads and add-exports to the JVM but nothing helps so far.
I have installed Splunk on a cgroup1/2 hybrid system using "enable boot-start systemd-managed 1" to start it on bootup. Yesterday I switched to a cgroup2 only system by disabling the usage of cgroup1 via grub/kernel boot parameters. Now Splunk doesn't start anymore due to a file in the cgroup1 file system hierarchy no longer being present:
    Jan 22 10:25:54 bigigloo systemd[1]: Stopping Systemd service file for Splunk, generated by 'splunk enable boot-start'...
    Jan 22 10:30:58 bigigloo systemd[1]: Splunkd.service: Killing process 2847689 (python3.7) with signal SIGKILL.
    Jan 22 10:30:58 bigigloo systemd[1]: Splunkd.service: Succeeded.
    Jan 22 10:30:58 bigigloo systemd[1]: Stopped Systemd service file for Splunk, generated by 'splunk enable boot-start'.
    -- Reboot --
    Jan 22 10:36:19 bigigloo systemd[1]: Starting Systemd service file for Splunk, generated by 'splunk enable boot-start'...
    Jan 22 10:36:19 bigigloo bash[3180]: chown: cannot access '/sys/fs/cgroup/cpu/system.slice/Splunkd.service': No such file or directory
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Control process exited, code=exited, status=1/FAILURE
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Killing process 3393 (sh) with signal SIGKILL.
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Killing process 3408 (sh) with signal SIGKILL.
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Failed with result 'exit-code'.
    Jan 22 10:36:22 bigigloo systemd[1]: Failed to start Systemd service file for Splunk, generated by 'splunk enable boot-start'.
    Jan 22 10:36:22 bigigloo bash[3475]: chown: cannot access '/sys/fs/cgroup/cpu/system.slice/Splunkd.service': No such file or directory
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Scheduled restart job, restart counter is at 1.
    Jan 22 10:36:23 bigigloo bash[3480]: chown: cannot access '/sys/fs/cgroup/cpu/system.slice/Splunkd.service': No such file or directory
    Jan 22 10:36:22 bigigloo systemd[1]: Stopped Systemd service file for Splunk, generated by 'splunk enable boot-start'.
    Jan 22 10:36:22 bigigloo systemd[1]: Starting Systemd service file for Splunk, generated by 'splunk enable boot-start'...
    Jan 22 10:36:23 bigigloo bash[3496]: chown: cannot access '/sys/fs/cgroup/cpu/system.slice/Splunkd.service': No such file or directory
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Control process exited, code=exited, status=1/FAILURE
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Killing process 3476 (sh) with signal SIGKILL.
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Killing process 3477 (btool) with signal SIGKILL.
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Failed with result 'exit-code'.
    Jan 22 10:36:22 bigigloo systemd[1]: Failed to start Systemd service file for Splunk, generated by 'splunk enable boot-start'.
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Scheduled restart job, restart counter is at 2.
    Jan 22 10:36:22 bigigloo systemd[1]: Stopped Systemd service file for Splunk, generated by 'splunk enable boot-start'.
    Jan 22 10:36:22 bigigloo systemd[1]: Starting Systemd service file for Splunk, generated by 'splunk enable boot-start'...
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Control process exited, code=exited, status=1/FAILURE
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Killing process 3481 (sh) with signal SIGKILL.
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Killing process 3482 (btool) with signal SIGKILL.
    Jan 22 10:36:22 bigigloo systemd[1]: Splunkd.service: Failed with result 'exit-code'.
    Jan 22 10:36:22 bigigloo systemd[1]: Failed to start Systemd service file for Splunk, generated by 'splunk enable boot-start'.
    Jan 22 10:36:23 bigigloo systemd[1]: Splunkd.service: Scheduled restart job, restart counter is at 3.
    Jan 22 10:36:23 bigigloo systemd[1]: Stopped Systemd service file for Splunk, generated by 'splunk enable boot-start'.
    Jan 22 10:36:23 bigigloo systemd[1]: Starting Systemd service file for Splunk, generated by 'splunk enable boot-start'...
    Jan 22 10:36:23 bigigloo systemd[1]: Splunkd.service: Control process exited, code=exited, status=1/FAILURE
    Jan 22 10:36:23 bigigloo systemd[1]: Splunkd.service: Killing process 3497 (sh) with signal SIGKILL.
    Jan 22 10:36:23 bigigloo systemd[1]: Splunkd.service: Killing process 3499 (btool) with signal SIGKILL.
    Jan 22 10:36:23 bigigloo systemd[1]: Splunkd.service: Failed with result 'exit-code'.
    Jan 22 10:36:23 bigigloo systemd[1]: Failed to start Systemd service file for Splunk, generated by 'splunk enable boot-start'.
    Jan 22 10:36:23 bigigloo systemd[1]: Splunkd.service: Scheduled restart job, restart counter is at 4.
    Jan 22 10:36:23 bigigloo systemd[1]: Stopped Systemd service file for Splunk, generated by 'splunk enable boot-start'.
    Jan 22 10:36:23 bigigloo systemd[1]: Starting Systemd service file for Splunk, generated by 'splunk enable boot-start'...
I tracked the problem down to the two ExecStartPost commands in the unit file /etc/systemd/system/Splunkd.service. Commenting those two fixed the problem.
    #This unit file replaces the traditional start-up script for systemd
    #configurations, and is used when enabling boot-start for Splunk on
    #systemd-based Linux distributions.
    [Unit]
    Description=Systemd service file for Splunk, generated by 'splunk enable boot-start'
    After=network.target
    [Service]
    Type=simple
    Restart=always
    ExecStart=/opt/splunk/bin/splunk _internal_launch_under_systemd
    KillMode=mixed
    KillSignal=SIGINT
    TimeoutStopSec=360
    LimitNOFILE=65536
    SuccessExitStatus=51 52
    RestartPreventExitStatus=51
    RestartForceExitStatus=52
    User=root
    Group=root
    Delegate=true
    CPUShares=1024
    MemoryLimit=20868083712
    PermissionsStartOnly=true
    #ExecStartPost=/bin/bash -c "chown -R root:root /sys/fs/cgroup/cpu/system.slice/%n"
    #ExecStartPost=/bin/bash -c "chown -R root:root /sys/fs/cgroup/memory/system.slice/%n"
    [Install]
    WantedBy=multi-user.target
However, I presume updates of Splunk might restore the files to the old variant again. What do I need to do in order to make the start of Splunk cgroup2 compliant?
My file contains a line at the end where it mentions the return code. The format looks like the one below. If the job fails, it returns 32, and if the job is successful it returns 0.
    Main -> ** Execution completed with returnCode: 0,
Can someone help me in building a Splunk query to alert me if the code is 32 or 0?
Hello, I am running Splunk Add for Microsoft Hyper-V on 10 different Hyper-V hosts with a Splunk forwarder each, but not all PowerShell scripts are executed on schedule. My problem is with the long running scripts getvm_inventory.ps1 and getvm_inventoryext.ps1. The rest of the scripts are executed on schedule. I have the following inputs.conf:
    ############# VM #############
    [powershell://GetVM_Inventory]
    script = . "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_Inventory.ps1"
    schedule = 0 0 4-8/1 ? * *
    source = microsoft:hyperv:powershell:getvm_inventory.ps1
    sourcetype = microsoft:hyperv:vm
    index = ctc_hyperv_inventory
    disabled = 0
    [powershell://GetVM_InventoryEXT]
    script = . "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_InventoryEXT.ps1"
    schedule = 0 20 4-8/1 ? * *
    source = microsoft:hyperv:powershell:getvm_inventoryext.ps1
    sourcetype = microsoft:hyperv:vm:ext
    index = ctc_hyperv_inventory
    disabled = 0
From the logs I see that they are executed correctly. The only difference from other scripts is the execution that is much longer.
    01-23-2022 06:00:10.4694493+2 INFO End of executing script=. "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_Inventory.ps1" for stanza=GetVM_Inventory, execution_time=10.3504674 seconds
    01-23-2022 06:00:00.1169827+2 INFO Start executing script=. "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_Inventory.ps1" for stanza=GetVM_Inventory
    01-23-2022 06:00:00.1139817+2 INFO enqueue job for stanza=GetVM_Inventory
    01-23-2022 05:00:10.5518190+2 INFO End of executing script=. "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_Inventory.ps1" for stanza=GetVM_Inventory, execution_time=10.4093991 seconds
    01-23-2022 05:00:00.1404194+2 INFO Start executing script=. "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_Inventory.ps1" for stanza=GetVM_Inventory
    01-23-2022 05:00:00.1374214+2 INFO enqueue job for stanza=GetVM_Inventory
    01-23-2022 04:00:13.0595973+2 INFO End of executing script=. "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_Inventory.ps1" for stanza=GetVM_Inventory, execution_time=11.6046748 seconds
Thank you in advance.
Hi, I need to display a table panel and 4 chart panels like in the screenshot. Could you help please? Here is my XML:
    <form>
      <row>
        <panel depends="$alwaysHideCSS$">
          <html>
            <style>
              #map{
                width:60% !important;
              }
              #chart{
                width:20% !important;
              }
              #chart2{
                width:20% !important;
              }
            </style>
          </html>
        </panel>
        <panel id="map">
          <map>
            <search>
              <query></query>
              <earliest>$tokTime.earliest$</earliest>
              <latest>$tokTime.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="drilldown">none</option>
            <option name="mapping.map.center">(46,2)</option>
            <option name="mapping.map.zoom">5</option>
            <option name="mapping.type">marker</option>
            <option name="refresh.display">progressbar</option>
            <option name="trellis.enabled">0</option>
            <option name="trellis.scales.shared">1</option>
            <option name="trellis.size">medium</option>
          </map>
        </panel>
        <panel id="chart4">
          <chart>
            <search>
              <query></query>
              <earliest>$tokTime.earliest$</earliest>
              <latest>$tokTime.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
            <option name="charting.axisTitleX.text">Bureaux</option>
            <option name="charting.axisTitleY.text">Nb utilisateurs</option>
            <option name="charting.chart">column</option>
            <option name="charting.chart.showDataLabels">all</option>
            <option name="charting.chart.stackMode">stacked</option>
            <option name="charting.drilldown">none</option>
            <option name="charting.fieldColors">{"nbsam":#27B508}</option>
            <option name="charting.legend.placement">none</option>
            <option name="height">230</option>
            <option name="refresh.display">progressbar</option>
          </chart>
        </panel>
        <panel id="chart">
          <chart>
            <search>
              <query></query>
              <earliest>$tokTime.earliest$</earliest>
              <latest>$tokTime.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
            <option name="charting.axisTitleX.text">Bureaux</option>
            <option name="charting.axisTitleY.text">Nb utilisateurs</option>
            <option name="charting.chart">column</option>
            <option name="charting.chart.showDataLabels">all</option>
            <option name="charting.chart.stackMode">stacked</option>
            <option name="charting.drilldown">none</option>
            <option name="charting.fieldColors">{"nbsam":#f70505}</option>
            <option name="charting.legend.placement">none</option>
            <option name="height">230</option>
            <option name="refresh.display">progressbar</option>
          </chart>
        </panel>
        <panel id="chart2">
          <chart>
            <search>
              <query></query>
              <earliest>$tokTime.earliest$</earliest>
              <latest>$tokTime.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
            <option name="charting.axisTitleX.text">Bureaux</option>
            <option name="charting.axisTitleY.text">Nb utilisateurs</option>
            <option name="charting.chart">column</option>
            <option name="charting.chart.showDataLabels">all</option>
            <option name="charting.chart.stackMode">stacked</option>
            <option name="charting.drilldown">none</option>
            <option name="charting.fieldColors">{"nbsam":#27B508}</option>
            <option name="charting.legend.placement">none</option>
            <option name="height">230</option>
            <option name="refresh.display">progressbar</option>
          </chart>
        </panel>
        <panel id="chart3">
          <chart>
            <search>
              <query></query>
              <earliest>$tokTime.earliest$</earliest>
              <latest>$tokTime.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
            <option name="charting.axisTitleX.text">Bureaux</option>
            <option name="charting.axisTitleY.text">Nb utilisateurs</option>
            <option name="charting.chart">column</option>
            <option name="charting.chart.showDataLabels">all</option>
            <option name="charting.chart.stackMode">stacked</option>
            <option name="charting.drilldown">none</option>
            <option name="charting.fieldColors">{"nbsam":#f70505}</option>
            <option name="charting.legend.placement">none</option>
            <option name="height">230</option>
            <option name="refresh.display">progressbar</option>
          </chart>
        </panel>
      </row>
    </form>
Hi All, We are looking for a script to restart the Splunk agent whenever it gets stopped. Could you please help us if anyone has any script to restart it on both Linux & Windows servers? Thanks in advance.
At the end of the installation I got this in a terminal window:
***************************************************
    This appears to be your first time running this version of Splunk.
    Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
    Create credentials for the administrator account.
    Characters do not appear on the screen when you type in credentials.
    Please enter an administrator username: /bin/echo
    Usernames cannot contain '/' or space characters
    (base) wel51x@Winstons-MacAir ~ %
***************************************************
Any ideas?
How can I get multiple output in one cell and upon clicking the output, it should show logs in a table below. Below is the format. statuscode for success =100, statuscode for warning = 200, statuscode for failure=300
                 | Country1 | Country2 | Country3
    Application1 | Success - #count_value, Warning - #count_value, Failure - #count_value | Success - #count_value, Warning - #count_value, Failure - #count_value | Success - #count_value, Warning - #count_value, Failure - #count_value
    Application2 | Success - #count_value, Warning - #count_value, Failure - #count_value | Success - #count_value, Warning - #count_value, Failure - #count_value | Success - #count_value, Warning - #count_value, Failure - #count_value
    Application3 | Success - #count_value, Warning - #count_value, Failure - #count_value | Success - #count_value, Warning - #count_value, Failure - #count_value | Success - #count_value, Warning - #count_value, Failure - #count_value
We are facing indexing delays and we see the below error messages on heavy forwarders. Can someone advise us?
    01-22-2022 07:32:15.845 +0000 INFO TailReader [9126 tailreader1] - ...continuing.
    01-22-2022 07:32:10.845 +0000 WARN TailReader [9126 tailreader1] - Could not send data to output queue (parsingQueue), retrying...
    01-22-2022 07:31:54.057 +0000 WARN TailReader [9124 tailreader0] - Could not send data to output queue (parsingQueue), retrying...
    01-22-2022 07:31:49.056 +0000 INFO TailReader [9124 tailreader0] - ...continuing.
    01-22-2022 07:31:44.056 +0000 WARN TailReader [9124 tailreader0] - Could not send data to output queue (parsingQueue), retrying...
    01-22-2022 07:31:39.056 +0000 INFO TailReader [9124 tailreader0] - ...continuing.
    01-22-2022 07:30:09.054 +0000 WARN TailReader [9124 tailreader0] - Could not send data to output queue (parsingQueue), retrying...
    01-22-2022 07:29:59.053 +0000 INFO TailReader [9124 tailreader0] - ...continuing.
    01-22-2022 07:29:49.053 +0000 WARN TailReader [9124 tailreader0] - Could not send data to output queue (parsingQueue), retrying...
Hi Guys, I have a query like this:
    <query>| stats avg(CurrentConnections) as CC by host
And the output is as below with multiple rows. But we have a requirement to get all the results in a single row (all outputs are required but in a single row instead of multiple rows one after one), something like this:
    host   CC
    server01 server02 server03 server04 server05 server06
    368.333333333333 365.333333333333 345.333333333333 379.666666666666 356.333333333333 381.666666666666
Can someone please guide us how to do this?
Hi, Splunkers,
    | where ENT_CallType=if($t_VQ$ =="*","*",ltrim($t_VQ$,"VQ_"))
t_VQ is a dropdown token; its value is either ALL/* or VQ_abc_efg (a string starting with VQ_). What my code expected is:
    when t_VQ = *, then |where ENT_CallType=*
    when t_VQ = VQ_abc_efg, then |where ENT_CallType=abc_efg
But when I selected ALL/*, it has the following error:
    Error in ‘where’ command: The expression is malformed. An unexpected character is reached at ‘* == “*”,”*”, ltrim(*,”VQ_”)
When VQ_abc_efg is selected, it doesn't work either. Thanks in advance, Kevin
Hello, I have a script gathering the last updated timestamp of three different files and I'm ingesting that data into Splunk to help identify when one of the three files fails to update. What I am trying to do is build a dashboard table view of all of the dates and eval any that do match the others as "Not_Matching". In the below screenshot I'd like to identify Servername2.file as "Not_Matching" (since it has a Timestamp of 2022-01-21 12:XX, instead of 2022-01-21 15:XX like the other two files) using an eval statement if possible. Note that all three files live within the same Index/Source/Sourcetype. Thanks for any help!
Hi all, I am working on a project that takes SPL input from the user. So, I need to be sure that the SPL has correct syntax without running a search with the SPL. I could not find one, but is there a validator for SPL?
Is there an ETA on when Proofpoint 2.0 add-ons/apps will be updated to support jQuery 3.5? These two are failing the upgrade readiness test in Splunk Cloud:
    splunkbase.splunk.com/app/4327/
    splunkbase.splunk.com/app/4328/
Thank you!