I have a JSON with a field containing another object, but this object varies depending on type. For example, you may have these 3 logs under the same sourcetype/index:

{ "Log":"something","user": "me" ,"type":"car", "data": {"case1":"something"} }
{ "Log":"something","user": "me" ,"type":"apple", "data": {"fruity":"yummy"} }
{ "Log":"something","user": "me","type":"Cauliflower", "data":{"veggie":"eww", "fact":"good for you"} }

and I want a table query to look something like this:

user | data
me   | {"case1":"something"}
me   | {"fruity":"yummy"}
me   | {"veggie":"eww", "fact":"good for you"}

I tried the following query:

index=mylog | table user,data

but my results usually look like this (with either nulls or straight up empty):

user | data
me   | null
me   |
me   | null

data itself may sometimes be very long, but I would still like to see its entire output in the table. How can I go about this?
I was able to find the date when the correlation search was last updated, but can't seem to find the original creation date of a correlation search.
Hello, I upload to Splunk a csv with a list of names (only one column) and I want to add additional names to the csv. How can I do that?
Is type=left the same as type=outer in Splunk? If so, why do they list it as three options? https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Join

type
Syntax: type=inner | outer | left
Description: Indicates the type of join to perform. The difference between an inner and a left (or outer) join is how the events are treated in the main search that do not match any of the events in the subsearch. In both inner and left joins, events that match are joined. The results of an inner join do not include events from the main search that have no matches in the subsearch. The results of a left (or outer) join includes all of the events in the main search and only those values in the subsearch have matching field values.
Default: inner
Hi, from my first panel, when I click on a row I want to display the results of that row. Actually it opens the details for all rows and not for a specific row. What is wrong please?

<row>
  <panel>
    <table>
      <title>Bureau : $Site$</title>
      <search base="sante">
        <query>| stats count as "Nombre de lenteurs" by name | rename name as Nom | sort - "Nombre de lenteurs"</query>
      </search>
      <option name="drilldown">row</option>
      <format type="color" field="Nombre de lenteurs">
        <colorPalette type="minMidMax" maxColor="#DC4E41" minColor="#FFFFFF"></colorPalette>
        <scale type="minMidMax"></scale>
      </format>
      <drilldown>
        <set token="name">$click.value$</set>
      </drilldown>
    </table>
  </panel>
  <panel depends="$name$">
    <table>
      <title>Bureau : $Site$</title>
      <search base="sante">
        <query>| stats count(web_app_duration_avg_ms) as "Nb lenteurs Web" count(hang_process_name) as "Nb hang", count(crash_process_name) as "Nb crash" by name | rename name as Nom</query>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </table>
  </panel>
</row>
Hello there, I've a report that is scheduled as follows: * * * * * But as the next scheduled time I got 2022-01-20 11:53:40 CET, but I want 2022-01-20 11:53:00 CET. Is there a way to set seconds? TY
I have a problem when I set up DLTK containers. I chose Golden Image CPU (3.7) from the list and I already pulled phdrieger/mltk-container-golden-image-cpu:3.7.0 to the local docker, but I always get the error saying [list index out of range]. Can someone help me? That would be great.
I have created a bar graph. The following is the query.

index= "cx_metrics_analysis" sourcetype="cx_metrics_httpevent" | eval duration=floor((TASK_DURATION)/3600000)| bin duration span=2s|chart distinct_count(TASK_NUM) as "Tasks" by duration | bin duration span=2

Since the bar graph has a lot of values on the x axis, I'm trying to limit the values. I'm trying to group the values into 3: one which has duration less than 15, a second one having duration between 15 and 25, and the last one having duration greater than 25.

| eval red = if(duration>25,duration,0)
| eval yellow = if(duration<=25 AND duration>15,duration,0)
| eval green = if(duration<=15, duration, 0)

Is this the correct method to do this? Does anyone know how to solve this?
I know this can be done in the classic dashboard, but is there a way to provide the tooltip/hover functionality when using Dashboard Studio?
Is there an option to add a header and footer with a jpg in a scheduled report?
Hi Team, I want to configure a mail alert when the status code is 400, 401, 500, ... which means anything other than 200 triggers the alert. Check once every 30 min.
Hi Splunkers, I am experiencing issues with an index cluster and it would be great if you could help me out. Every time I change or create an index a restart is required and it takes up to an hour until all the indexers are ready again. This used to work without a restart and only started happening after an upgrade at some point. I found this, but that doesn't say anything about creating indexes. Do you have an idea where this is coming from exactly and if it can be avoided in some way? Since changes are made weekly, it is really annoying.
Hi Splunkers, I have a field duration in the panel, and I added the following <format></format> into the panel. I want this duration field to show a different color when it is greater than 20, but it doesn't work.

<format type="color" field="duration">
  <colorPalette type="expression">if(tonumber(value)>20),"#789056")</colorPalette>
</format>

Thx in advance.
Kevin
After reviewing the Intelligence Audit Events, the following error message shows up; it seems that the feed cannot write to intel. Any idea?

2022-01-20 09:24:09,703+0000 ERROR pid=28186 tid=MainThread file=threat_intelligence_manager.py:process:432 | status="Error when writing output - threat intelligence may be incomplete." filename="/opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/2022-01-18T11-23-26.053064.xml"
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/threat_intelligence_manager.py", line 427, in process
    self.write_output(filename, metadata, intel)
  File "/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/threat_intelligence_manager.py", line 497, in write_output
    time_field='time'
  File "/opt/splunk/etc/apps/SA-Utils/lib/SolnCommon/kvstore.py", line 150, in batch_create
    response, content = splunk.rest.simpleRequest(uri, sessionKey=session_key, jsonargs=json.dumps(records))
  File "/opt/splunk/lib/python2.7/site-packages/splunk/rest/__init__.py", line 500, in simpleRequest
    raise splunk.SplunkdConnectionException('Error connecting to %s: %s' % (path, str(e)))
SplunkdConnectionException: Splunkd daemon is not responding: ("Error connecting to /servicesNS/nobody/DA-ESS-ThreatIntelligence/storage/collections/data/threat_group_intel/batch_save: ('The read operation timed out',)",)
Hi All, I am looking for the hosts mapped to a list of apps in the serverclass using the btool command, but unfortunately I am unable to get the details.

./splunk cmd btool serverclass list --app="test-fwd-p" --debug | grep -i "testhost*"

Please correct me if the above syntax is incorrect.
Hi. As in Subject, only Admin Role can edit an object "ACL", turning an object from Private to Public, with relative "ACL" permissions. What's the "Capability" giving this feature, only Admins have?
Getting the following message in splunkd logs:

ERROR CMRemotePrimaryManager - Failed to evict delete for bid=index_name~XXXX.XXXX.XXXX as part of onPrimary initialization task, delete files might not be synced

Please help fix this issue. Thanks
I would like to send a monthly report with the month and year in the Subject, like "Report for 01/2021". I have done "Report for - $trigger_date$", but now I want to print the month and year only. How can I do it?
In my environment, I've set up the SSL communication and authentication between the Deployment Server and its deployment clients. It is working fine. The trouble came after nearly 1 year, when the renewal of the SSL is needed, meaning the server.pem and cacert.pem in the UF need to be updated with the renewed SSL. For the first year, we have used the DS to push the SSL cert over to the UF. Question is: is there any way to push the second year's SSL cert (server.pem and cacert.pem) over to the UF using the Deployment Server while the first year's SSL is still valid? Or is there any best practice for how to renew the cert in the UF (deployment client) on a yearly basis? Thanks.
Hi, when I ran the command ./splunk list forward-server, we are getting the below message.

Active forwards:
10.20.30.40:9997
Configured but inactive forwards:
None

Can you please help me to troubleshoot the below error? Regards, Rahul Gupta