All Topics

Requirement: I am trying to create a report based on the State of an Incident (ticket), looking for the latest State of each ticket. Below is my search query. If a time range larger than "Today" is selected, the results show the previous ticket State as well. For example, Tkt123's current State is Resolved; prior to the Resolved State it was "IN PROGRESS". The expected result should show the current State of Tkt123. In the query below I am looking for the "IN PROGRESS" ticket State in Q_name=IT, but it is showing Tkt123 as well. When I checked Tkt123 in the SNOW tool, it has Resolved status.

index=SNOW source=SNOW_source Q_name=IT
| stats latest(State) AS State BY Number Last_Updated
| stats dc(Number) AS Total
| search State="IN PROGRESS"
| appendpipe [stats count | eval Total="NODATA" | where count==0 | table Total]

@ITWhisperer
I've been getting this error for a few weeks: Search peer <indexer> has the following message: Failed to make bucket = main~5360~4D6B6D21-6F08-44EA-B793-EFEB8C344E21 searchable, retry count = 743. I have a case open with Splunk Support and I wanted to know if their logic or feedback is sound. After stopping the indexer I ran fsck and saw that multiple buckets needed to be rebuilt. They all rebuilt successfully except the one that was in the error message. After sharing this information and the logs with Support I was told that "For a single bucket you can ignore this warning. Data will still be searchable for this bucket." So, should I think all is well because Support told me so and ignore the Health of Splunk Deployment report that shows the "red exclamation mark" icons for Buckets and Data Durability?
Hello, I am trying to make life easier for my colleagues by providing filtering for error logs. So I have different types of errors/warnings and want to display the number of occurrences in the checkbox. Something like:

<input type="checkbox" token="tok_dummy_6">
  <label>Erroneous Calls ($tok_sum_erroneous$)</label>
  <choice value="yes">Erroneous Calls ($tok_sum_erroneous$)</choice>
  <search>
    <query>
      index=<myIndex> Trace_ID = $tok_traceid$ error_type="Erroneous Call"
      | stats count as Errors
    </query>
    <done>
      <set token="tok_sum_erroneous">$result.Errors$</set>
    </done>
  </search>
</input>

The green part works like a charm, but I really do not like the label, as it makes no sense if the checkbox itself is actually stating the same thing, and just putting "yes" seems kinda childish. So I want to delete the label and just go with the text for the choice option. Any ideas? I tried double $$ with no luck.

Kind regards, Mike
Hi, I think I have found a bug in Splunk!! I have a table like below, and I need to click on different columns for different actions to happen (drill-down). I have noticed that because I have a 5-second refresh rate on the table, when a user clicks on the column the tokens get set 80% of the time and the other 20% a value of "null" is set. Is there a workaround for this? I am on 8.2.0. When I changed the refresh to 60 seconds it works all the time; when I put it at 1 second, it never works. The process_serviceName token gets set to the correct value 80% of the time, but "null" can be set the other 20%.

<eval token="process_serviceName">mvindex(split($row.service_name$," # "),0)</eval>

I have other columns that work fine, but I think it is because I am doing a calculation on the value that this one is not working.

<condition match="$click.name2$==&quot;Process_Name&quot; AND ($row.Service_type$==&quot;agent-based&quot; OR $row.Service_type$==&quot;launcher-based&quot;)">
  <!--set token="process_serviceName">$row.service_name$</set-->
  <eval token="process_serviceName">mvindex(split($row.service_name$," # "),0)</eval>
  <set token="pid_clicked">$row.PID$</set>
  <set token="launcher_name_set_from_process_token">*</set>
  <unset token="Process_historic_graph"></unset>
  <unset token="Health_Token"></unset>
  <unset token="Resources_Token"></unset>
  <unset token="Java_Token"></unset>
</condition>
Hello, I am not getting events from uptime.sh, which gives system date and uptime information via the shell command. This script is part of the Splunk Add-on for Unix and Linux, which is installed on the universal forwarder. I am getting data from other inputs like cpu.sh, vmstat.sh, df.sh etc., but not from uptime.sh. I checked that disabled is also set to false and in sync with the other stanzas, like the stanzas of cpu, vmstat etc. Any insights into whether I am missing anything?
Hi, I have a problem in my infrastructure: the logs are being duplicated. I am trying to identify from which origin (HF, UF, or Syslog) the logs are being sent, but I have not been successful. Any search ideas that can identify the origin that sent them? Thanks
I have multiple artifacts, and there is a check box beside each one. Is there a datapath to access the currently selected artifact? Or perhaps a means to select it and ONLY run a playbook or actions on the selected artifacts in the UI? I can't seem to find a datapath or playbook parameter that does this. Please help!
Hi! I want to display a large number in a table in Splunk Dashboard Studio, but the format of the number is altered. Example:

myfield=2201103670207336994001422000

In the table it is formatted to a standard format: 2.201103670207337e+27

When I try to add precision 0 (0) on the field I get this: 2201103670207337000000000000

And when I open the table in search I get the actual value: 2201103670207336994001422000

I have tried adding myfield=tostring(myfield) and other formatting options, but nothing works in the Dashboard Studio table view. Preferably this field should be treated as a string, but Splunk seems to automatically set the field as a number. Has anyone experienced this before and found a solution?
Hi, I am facing the following problem. With the following _raw:

process="\"C:\\Windows\\regedit.exe\" /s \"C:\\Program Files (x86)\\SAP\\RPW.reg\""

The value of the process field that I expect is:

"C:\Windows\regedit.exe" /s "C:\Program Files (x86)\etc\etc.etc"

But what the automatic extraction gets is the same but without the initial and ending quotation marks:

C:\Windows\regedit.exe" /s "C:\Program Files (x86)\etc\etc.etc

Any ideas of how to get the expected value? It seems it doesn't respect the escaped characters.
Hello there, we use an alert action that has a lot of technical dependencies. In order to make sure that all search heads are able to perform this alert action, we would like to make a regular check of all of them. Our idea was to use a simple scheduled search that triggers the alert action on a regular basis as a test, to see if everything is fine. The problem is that we don't know if it is possible to force the search head captain to allocate this specific search to all members of its cluster. Otherwise we would only see whether the member that coincidentally got the search functions properly. Do you know of any way to achieve that all members of a search head cluster run a specific search? Thanks in advance for the help.
We have a heavy forwarder running some add-ons, and one of them (SNow) is eating up all the memory. We have workload management enabled on our search head clusters for CPU/memory management, but I wanted to see if it's possible to restrict memory/CPU usage for ingest on the HF using WM. If that's a possibility, where would I edit the settings to update the configuration accordingly?
Is there a way of checking whether the latest CSV updates were successful and whether they were the most up-to-date versions (as I have CSV files updated daily), and also whether they were successful when they were run via scheduled tasks?
Hi, I have a CSV file containing emailID and domain, and I would like to search the email exchanges between these two (emailID and domain). The CSV file looks like below:

emailID                 domain
test1@company.com       abc.com
test2@company.com       xyz.com
test3@company.com       some.com
and so on ...

Based on the above I need to check how many times emails were exchanged between emailID and domain. I tried the query below but am unable to get the result:

my search ....
    [| inputlookup test.csv
     | eval emailID = mvjoin(emailID, ",")
     | eval domain = "*@." . domain
     | eval condition1 = "Sender IN (" . domain . ") AND Rcpt IN (" . emailID . ") "
     | return $condition1 ]
| table Sender Rcpt
I would like some guidance on creating a ticket in an in-house ticketing system when an alert is raised from Splunk. Are there any links to documentation that would help me with this, please?
In my events, there is a field called "is_interactive" which has a value of either 0 or 1. Now the thing is, not all of my events have the field "is_interactive" in them. How do I know how many of my events have this field in them?
Hi, I would like to know if it is possible to use a command as a token. I need to replace the command "perc90" by "perc95" from a dropdown list:

| stats perc90(web_dur)

Thanks
Hello, I'm having a situation where I have a query returning a single event and I need to build a compound table from different fields of that event. Here are the fields:

severity
severity_id
riskFactor
riskFactor_id
exploitAvailable
exploitAvailable_id

How can I build a table like this:

Indicator           Value              Id
Severity            severity           severity_id
Risk Factor         riskFactor         riskFactor_id
Exploit Available   exploitAvailable   exploitAvailable_id

Thanks for your help!
How would I configure a cron expression such that an alert is sent 50 minutes past every hour, but only between 7:50am (0750) and 4:50pm (1650), Monday to Friday? And if possible, excluding bank holidays. Thanks.
Hi all, I have to plot a bar graph in which duration in hours is on the x-axis and number of tasks is on the y-axis. I want to specify the x-axis labels as 0-1(hr), 1-2(hr), 2-3(hr), .... Can anyone please help me with this?
What is the reason behind keeping the default RF 3 and SF 2? Why does Splunk recommend it? What happens if we keep RF 100?