All Topics

Hello Team, I am looking for a list of the top-used JSPs in our application. Is it possible to get this from AppDynamics? TIA
Hi, I am just taking the total count of incidents using the stats command from the JSON and the query is working fine. But when I use the timechart command it is not giving me the visualization. Can anyone please help me with this?
index=incident_index source="/mi_data/dc_in_events.json" | spath path=Incident__Number output=INC | stats values(*) as * by INC | stats count(Incident__Number)
Thanks
My security device cannot set the data type to be transmitted. How can I convert this data? Something like this: \xB0\xD7\xC3\xFB\xB5\xA5
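An added illustration of the decoding step, not part of the post above: escapes like \xB0\xD7\xC3\xFB\xB5\xA5 are raw bytes whose character set the device never declared. The code below turns the escape sequences back into bytes and then tries a short list of candidate codecs in strict mode, so a wrong guess fails loudly instead of quietly writing mojibake into the index. The candidate order (UTF-8, then GBK, then Big5) is an assumption; for these particular bytes GBK is the codec that decodes cleanly, giving 白名单 ("whitelist").

```python
"""Recover text from \\xHH byte escapes emitted by a device with no declared charset.

Added example, not code from the original post. The codec candidates are an
assumption: a device shipping \\xB0..\\xFE byte pairs is most often GBK.
"""
import re

# Constructed sample: the escaped string exactly as it appeared in the post.
SAMPLE = r"\xB0\xD7\xC3\xFB\xB5\xA5"

_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape_hex(text: str) -> bytes:
    """Turn a string of \\xHH escapes (plus any literal ASCII between them) into raw bytes."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("ascii")  # literal text between escapes
        out.append(int(m.group(1), 16))             # one escaped byte
        pos = m.end()
    out += text[pos:].encode("ascii")
    return bytes(out)


def decode_guess(raw: bytes, candidates=("utf-8", "gbk", "big5")) -> tuple:
    """Strictly decode with each candidate codec in order; return (codec, text).

    Strict mode matters: with errors="replace" every codec would "succeed" and a
    mis-decoded string would silently enter the index.
    """
    for codec in candidates:
        try:
            return codec, raw.decode(codec)
        except UnicodeDecodeError:
            continue
    raise ValueError(f"no candidate codec decodes {raw!r}")


if __name__ == "__main__":
    codec, text = decode_guess(unescape_hex(SAMPLE))
    print(f"{codec}: {text}")
```

If you know the device's locale, pass a single-element `candidates` tuple rather than letting the function guess; the fallback order only exists because the post gives no hint beyond the bytes themselves.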
I have a query that returns multiple times and I need to step through this result doing a subtraction between one and the next. Example: Time = time[0] - time[1], Time = time[1] - time[2], etc. My search looks like this:
<my search> | eval Time=_time | stats values(Time) as Time by UserName | eval reconnection=if(UserName == UserName, tonumber(mvindex(Time,1))-tonumber(mvindex(Time,0)), "falha") | where reconnection>0 AND reconnection<600 | eval reconnection=tostring(reconnection, "duration")
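As an added example, not the poster's SPL, of the per-user consecutive-difference logic described above: group events by user, sort each user's timestamps numerically, take the difference of every adjacent pair, and keep only the gaps in the post's 0 to 600 second window, rendered as HH:MM:SS the way tostring(x, "duration") does. The sample events are constructed; the field names are assumptions.

```python
"""Gaps between consecutive events per user, flagging rapid reconnections.

Added example, not code from the original post. Events are constructed
(epoch seconds, username) pairs; in the real search they would come from
_time and UserName.
"""
from collections import defaultdict

# Constructed sample, deliberately out of order and with a duplicate timestamp.
EVENTS = [
    (1700000000, "alice"),
    (1700000120, "alice"),
    (1700000120, "alice"),   # duplicate timestamp -> gap of 0, excluded
    (1700003600, "alice"),   # 3480 s later -> too long, excluded
    (1700000005, "bob"),
    (1700000000, "bob"),
    (1700000590, "bob"),
]


def reconnection_gaps(events, lo=0, hi=600):
    """Return {user: [gap_seconds, ...]} keeping only gaps with lo < gap < hi.

    Every adjacent pair is compared, not just the first two values as a
    single mvindex(Time,1) - mvindex(Time,0) would do.
    """
    by_user = defaultdict(list)
    for ts, user in events:
        by_user[user].append(ts)
    result = {}
    for user, times in by_user.items():
        times.sort()  # sort as numbers before differencing
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        result[user] = [g for g in gaps if lo < g < hi]
    return result


def as_duration(seconds: int) -> str:
    """Render seconds as HH:MM:SS, like SPL's tostring(x, "duration")."""
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


if __name__ == "__main__":
    for user, gaps in reconnection_gaps(EVENTS).items():
        print(user, [as_duration(g) for g in gaps])
```

The window bounds are parameters so the same function can be reused for other "events too close together" checks; a gap of exactly 0 is excluded because it usually means a duplicated event rather than a reconnection.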
Hello my friends. How can I use regex to delete everything in bold?
{"test": "  {   \n \"data\": \"check\",\n \"git_branch\": \"master\",\n \"git_repo_name\": \"reponame\",\n \"id\": 234,\n \"timestamp\": 16378522342,\n } "}
Output:
{ \"data\": \"check\", \"git_branch\": \"master\", \"git_repo_name\": \"reponame\", \"id\": 3413, \"timestamp\": 16378522342 }
I can send events to Splunk Cloud and Splunk Enterprise servers with HttpEventCollectorLogbackAppender, but with SSL not enabled. I need to do this with SSL enabled for my HEC connection. I need to send events over a secure connection from my Java application to Splunk Enterprise, and I need to configure my HttpEventCollector to verify certs. How do I configure my HttpEventCollectorLogbackAppender to use a certificate? I only see code examples with disableCertificateValidation="true". How do I specify verification with my certificate? Do you have a code example, please?
| eval new_name=mvindex(split(name, ","),0)
First name is 0 and last name is 1: split first and last name. Why are split and 0 & 1 used in the pipeline?
Hi, sorry for repeating questions that were already answered in https://community.splunk.com/t5/Dashboards-Visualizations/Button-to-run-splunk-query/m-p/576236#M47218
I'm trying to make a simple outputlookup with a user confirmation window and I'm struggling with the following issues:
1. Every time I refresh the page the query executes by itself, but when I press the submit button, nothing happens.
2. How can I make a comment or popup or display some message after clicking the submit button: "Thank you for clicking" + the click time?
This is what I have for now:

<form script="test_submit.js">
  <row>
    <panel id="test">
      <table>
        <search id="base">
          <query>index=_internal | head 10000 | bin _time span=12h | stats count by sourcetype source name _time</query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">6</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>
          <button type="button" id="buttonId" class="btn btn-primary">Submit</button>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <search base="base">
        <query>| eval time = now() | outputlookup append=t users.csv</query>
      </search>
    </panel>
  </row>
</form>

JS:

require([
  'jquery',
  'splunkjs/mvc',
  'splunkjs/mvc/simplexml/ready!'
], function ($, mvc) {
  function submit_btn() {
    var submittedTokens = mvc.Components.get('submitted');
    var defaultTokens = mvc.Components.get('default');
    if (submittedTokens && defaultTokens) {
      submittedTokens.set(defaultTokens.toJSON());
    }
  }
  $('#buttonId').on("click", function () {
    submit_btn();
  });
});

Thanks a lot
Hi, I've noticed that controller version 21.11.1-778 has introduced a new create-users method. Previously, on older controller versions, it was possible to enter username, email, name and password for a new user; now this has been changed to only name and e-mail. I'm very curious as to why this has been implemented. It makes sense that newly created users now receive an e-mail where they can enter their own desired password, but the fact that the e-mail address now functions as their username... well, that's really a pain. Is there any way to change this back? I administer a fairly large number of AppDynamics users where everyone has their initials as their current username, and I really dislike this new enforced "email as username" idea that has been implemented.
I enabled report acceleration for a report. The acceleration summary builds well when the user role has no search filter restrictions, but as soon as I add any search filter restrictions to the role, the acceleration summary never starts to build. On the Report Acceleration Summaries page, the summary status shows that the progress is 0. Can anyone tell me why this happens? Any response will be appreciated.
Hello all, I do appreciate this question has been asked several times, but I am struggling to understand how to link searches together. I have search A that highlights what src_ip communicated with dest_ip on a specific port:
(index=netfw OR index=netproxy) AND ("192.168.*.*") AND (dest_port="23") | table src_ip, dest_ip, dest_port, _time
I then take the results from src_ip and link them to a second search in a new tab to find the computer hostname for the src_ip via DHCP logs:
index=oswinsec sourcetype=dhcp ip=192.168.*.* | table ip, dest, date, time
Is it at all possible to combine these so that when I do a search on a specific destination IP, the resulting src_ip is converted into the hostnames found in the DHCP sourcetype? Thank you
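An added example, not SPL from the post, of the join the poster is after: each firewall hit on dest_port 23 is enriched with the hostname that held its src_ip according to DHCP lease records. It also covers the caveat a plain join on IP misses in an investigation: DHCP addresses are re-issued, so the same IP can belong to two different machines on the same day, and the lookup therefore picks the lease that was active at the hit's timestamp rather than any lease that happens to match the IP. The lease and firewall records are constructed and already parsed into fields; their layout is an assumption.

```python
"""Attribute firewall src_ip hits to hostnames using time-aware DHCP lease lookup.

Added example, not code from the original post. Records are constructed;
in practice they would be extracted from the netfw/netproxy and dhcp
sourcetypes the post names.
"""
import bisect
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    start: int   # epoch seconds the address was assigned
    ip: str
    host: str


# Constructed DHCP assignments. Note the same IP handed to two hosts.
LEASES = [
    Lease(1700000000, "192.168.10.5", "WS-FINANCE-01"),
    Lease(1700007200, "192.168.10.5", "WS-HR-07"),   # re-issued two hours later
    Lease(1700000100, "192.168.20.9", "LAB-PI"),
]

# Constructed firewall events: (epoch, src_ip, dest_ip, dest_port).
FW_HITS = [
    (1700003000, "192.168.10.5", "10.0.0.50", 23),   # during WS-FINANCE-01's lease
    (1700009000, "192.168.10.5", "10.0.0.50", 23),   # after re-issue -> WS-HR-07
    (1700004000, "192.168.20.9", "10.0.0.51", 23),
    (1700004000, "192.168.30.1", "10.0.0.51", 23),   # no lease on record
]


def build_index(leases):
    """Map ip -> (sorted lease start times, leases in the same order) for bisect lookup."""
    by_ip = defaultdict(list)
    for lease in sorted(leases, key=lambda x: x.start):
        by_ip[lease.ip].append(lease)
    return {ip: ([lease.start for lease in ls], ls) for ip, ls in by_ip.items()}


def resolve(index, ip, when):
    """Hostname holding `ip` at time `when`: the latest lease granted at or before it."""
    entry = index.get(ip)
    if not entry:
        return None
    starts, leases = entry
    i = bisect.bisect_right(starts, when) - 1
    return leases[i].host if i >= 0 else None


def enrich(hits, leases, dest_port=23):
    """Return (time, src_ip, src_host, dest_ip, dest_port) rows for hits on dest_port."""
    index = build_index(leases)
    rows = []
    for ts, src, dst, port in hits:
        if port != dest_port:
            continue
        rows.append((ts, src, resolve(index, src, ts) or "unknown", dst, port))
    return rows


if __name__ == "__main__":
    for row in enrich(FW_HITS, LEASES):
        print(row)
```

A lookup keyed on IP alone would have labelled the second hit WS-FINANCE-01 or WS-HR-07 depending on which lease happened to sort last; anchoring on the hit's own timestamp removes that ambiguity, and "unknown" stays visible rather than being dropped by the join.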
Hi All, trying to get WinEventLogs from SF to Indexer via HF. The logs are getting indexed but it seems like they are not getting parsed through the TA, as I am getting sourcetype XMLWinEventLog instead of WinEventLog. Any help is appreciated. Splunk_TA_Windows is installed on SF, HF and Indexers. Regards,
Hi, I have a question to ask: can you assign values to multiple variables in Splunk with the case command? I need that, based on a filter chosen in the dashboard, it performs a different search depending on what has been selected. I have a filter with options: red, green, yellow, blue, black.
If you choose red, the search must be: search field1 = A AND field2 = B
If you choose green: search field1 = C AND field2 = D AND field3 = E
If you choose yellow: search field1 = X AND field2 = Y
.....
I wanted to use a case like:
eval KK, HH, JJ = case(color = "red", KK = A, HH = B, JJ = "", color = "green", KK = C, HH = D, JJ = E, color = "yellow", KK = X, HH = Y, JJ = "", 1 = 1, "INV")
Can it be done? Or do I have to use as many cases as there are variables I need in the search? Tks, bye, Antonio
Hi All, I need to send Windows event logs from the Splunk forwarder to indexers via a heavy forwarder. I have done some configuration but it seems like something is incorrect, as I am getting cooked data in Splunk instead of logs. All help is appreciated. Regards,
Hello Splunkers!! I have upgraded my HF from 8.0.0 to 8.1.2; during the upgrade everything worked fine. But the issue is that I am not able to open the server UI on port 8000.
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 2170/splunkd
Port 8000 is also working fine, but whenever I have tried to open the server from the UI it is throwing a bad request error.
What I have done so far:
1. copy the web.conf file from the system default to system local
2. change the Splunk user: chown splunk:splunk /opt/splunk
But the issue still persists. Please help me to get it resolved.
Hi all, I need to get a list of all the saved searches that are created in a Splunk Cloud environment. I tried to execute the regular rest command from the search view but the following message appears:
I have been checking the capabilities available on the platform but the "dispatch to indexers" one doesn't appear in the list (as it does in the on-prem version). Do you know what the proper way of getting this info in Splunk Cloud is? Many thanks in advance. Best regards.
I want to make the panel and the font smaller in size, so that I can put more panels in one line with the font still visible. Does anyone know how to do this?
Hi, my query is like below:
index=s sourcetype=Fire
| fillnull value=""
| eval OS=case(like(OS,"%Windows%"),"Windows",like(OS,"%Linux%"),"Linux",1=1,"Others")
| eval group = case(OS="Windows","Windows Host Intrusion Detection Prevention Agents Not Reporting",OS="Linux","Linux Host Intrusion Detection Prevention Agents Not Reporting")
| search Environment="Production" OR Environment="PSE"
| rename Reporting_Status as Compliance_Status
| replace Reporting with Compliant "Not Reporting" with Noncompliant "Not Reporting (possibly due to ITAM FQDN field not populated)" with NotReporting "Not Reporting (ITAM FQDN field not populated)" with NotReporting in Compliance_Status
| eval Compliance_Status=case(Compliance_Status="Compliant" OR Compliance_Status="Excluded from reporting, yet is reporting","Compliant",Compliance_Status="Noncompliant" OR Compliance_Status="Not Reporting" OR Compliance_Status="Error","NonCompliant")
| append [| search index=s sourcetype=Work
    | fillnull value=""
    | eval group = case(Environment="Production" OR Environment="PSE","Workstations Host Intrusion Detection Prevention Agents Not Reporting")
    | rename Reporting_Status as Compliance_Status
    | replace Reporting with Compliant "Not Reporting" with Noncompliant "Not Reporting (possibly due to ITAM FQDN field not populated)" with NotReporting "Not Reporting (ITAM FQDN field not populated)" with NotReporting in Compliance_Status
    | eval Compliance_Status=case(Compliance_Status="Compliant" OR Compliance_Status="Excluded from reporting, yet is reporting","Compliant",Compliance_Status="Noncompliant" OR Compliance_Status="Not Reporting" OR Compliance_Status="Error","NonCompliant") ]
| append [| search index=c sourcetype=cloud
    | fillnull value=""
    | eval group = case(Cloud_Platform="Azure","Azure Baseline Noncompliance",Cloud_Platform="Aws","AWS Baseline Noncompliance")
    | search Account_Environment="PROD" OR Account_Environment="PRD" OR Account_Environment="PSE"
    | stats sum(CountOf_Compliant_AssetsTested) as Compliant sum(CountOf_Noncompliant_AssetsTested) as NonCompliant ]
| stats count by group
The last append is not taken into account, since Compliant and NonCompliant are not in the Compliance_Status field:
| stats sum(CountOf_Compliant_AssetsTested) as Compliant sum(CountOf_Noncompliant_AssetsTested) as NonCompliant
Is there a way to bring them into a new field Compliance_Status, which will help to show them after stats by group?
There is a dashboard which uses a scheduled search via the |loadjob command. I recently changed the search query for that scheduled search, which basically added an index=indexname stanza to it to make it a little more efficient. However, after doing that, the dashboard started showing the below error:
Cannot find artifacts for savedsearch_ident...
When I click on the "View Recent" option of the saved search, it still loads the results. Any ideas?
Hi, I'm looking to search a dataset to return entries from yesterday's date based off a date field which has been converted as such (from another job):
| eval event_time = now() | convert ctime(event_time)
The value is stored as 11/24/2021 22:28. Please advise how to search for and return this value using a 'yesterday' variable. I hope that makes sense; forgive me, I'm still learning.
To illustrate, manually entering eventDate="11/24" works, but I'm not sure how to get a 'yesterday' to work with the dataset.
| inputlookup thisDataset.csv | search eventDate="11/24*" | sort Brand, eventDate | iplocation clientip | table _time Brand clientip City Region count eventDate