wget -O splunk-8.2.2-87344edfcdb4-linux-2.6-amd64.deb ' : Read-only file system
Hi, I need to create a dashboard with the visualization type line chart. I need to have a default value shown as a reference line; for this I have added eval Target=1|table Target in the Splunk query. Now I need to highlight the target/default line always, and this line should be thicker than the remaining lines in the visualization and bold, so that it is distinct from the others. I need to achieve this only from Splunk; no JS or other tools. TIA.
Please assist by providing detailed steps to replace the cluster master for the indexer cluster. I've tried a few things; however, the peers are not connecting to the new cluster master.
Hello Team, I'm not sure what I am missing, but I am unable to extract or display ModifiedProperties{}.Name fields in a table. For example: under the extended fields of ModifiedProperties{}.Name there is another field, "OtherMail". I would like to display the OtherMail field value/data in a table. I remember doing this some time back but seem to have completely forgotten. Can someone please help with it? Thanks in advance.
Hi, I have a "Planned Start date" field from which I am trying to extract the month in the format (e.g. January). Can somebody suggest? Below is what I have tried:

index="tier1" sourcetype="csv"| stats latest("Planned Start Date") AS Time| eval monthdisplay=strftime(strptime('Planned Start Date',"%m-%d-%Y"),"%B")|fields Time monthdisplay
Hello Splunkers!! What time format should I use for the below time in props?

[2021-09-06T09:10:01.459-04:00]
Hi everyone, is there a possibility to get data in with renderXML=true via a wmi.conf stanza? Thanks for helping me.
We currently operate on-prem and are considering moving to Splunk Cloud. A potential blocker is the manual process required to deploy apps in Splunk Cloud. Currently we have a fully automated SDLC pipeline. We have multiple teams who make changes across multiple apps, currently with a weekly deployment cycle, but we are about to move to fully automated deployments. We are informed that we would need to replace this process, where each app would need to be manually assessed and there would be up to two days' delay. I'm interested in other large customers' experience in this respect. Did you need to change your deployment mechanisms/processes when moving to the cloud? Is it cumbersome? Did you find workarounds?
Hi, I hope someone can help guide me on what type of query or visualisation to use here to show the linkage of access permissions. I have a simple data set like the format below (I have a much bigger dataset). It shows a user ID and the access they have to a folder. Users can have access to more than one folder. I would like to answer the question: of the users who have access to a specific folder, say "Apple", what other folders do they have access to and what are the associated volumes with that connection? I was thinking of a Sankey diagram, but I am having trouble getting the data in the right format.

UserID Folder
1 Apple
1 Banana
2 Apple
3 Apple
3 Orange

Many thanks,
Tim
Hello team, hope you are doing well! I am Gowtham from AppViewX Inc, working as an SRE. We need to monitor our application and the infrastructure of our organization, and we are exploring AppDynamics. We need a demo session on AppDynamics for our team regarding the setup and use cases of your product. I tried to book a demo session through the website, but unfortunately I can't register for a demo. Could you please help me with registering for the demo session? Regards, Gowtham, SRE, AppViewX
I have 2 search boxes. I am using them to get parameters for a REST API call. Now, when there is no value in the search box, the search still gets executed. I want to restrict this and make it mandatory that the search does not get executed until the user enters some value. Attaching a screenshot of the problem, where the search is getting executed even if there are no values in the search box. Note: I don't want to use a submit button for this.
In a bare-metal deployment, the indexer keeps three copies of data on three physical nodes for data availability. Even if 2 nodes go down, data will be available on the third node. But, in the case of microservices, how do the containers manage the data copies? There can be multiple indexer containers running on the same physical node, and the three copies of data might sit on the same physical node. If such a node goes down, we might lose the data. Now, is there a way to keep three copies of data on different physical nodes in a container-based deployment?
Hi, I'm trying to upgrade Splunk from 8.0.9 to 8.2.2. According to the docs, the upgrade starts with the cluster master. After upgrading the cluster master and removing maintenance mode, all the indexers are stuck in the "batchadding" status. Looking at the logs from one indexer, it goes through a cycle of:

event=addPeer Batch=1/9 ...success...
event=addPeer Batch=2/9 ...success...
...
event=addPeer Batch=9/9 ERROR Read Timeout...
WARN Master is down! Make sure pass4SymmKey is matching if master is running...
WARN Failed to register with cluster master...
Master is back up!

Rinse and repeat. So basically it talks OK to the cluster master for a while, then gets a timeout and starts over. Any idea what's going on? I did check the pass4SymmKey and it is the same everywhere; it hasn't changed. Cheers, Gabriel.
I have been unable to get the universal forwarders to correctly collect the SMB Server audit logs. The inputs.conf file on the deployment server has the following stanza configured, but there are no logs flowing in. The other events in the inputs file work without any issues.

## Application and Services Logs - SMB Server Audit Log
[WinEventLog://Microsoft-Windows-SMBServer/Audit]
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0

Thanks
Hi, I am looking to build a query based on the service status of 2 hosts, then combine the 2 of them into 1 and change the colour based on the condition below. For example: I want A1 + B1 = x; then I want to check the service status: if both are running then green, if 1 is running then yellow, and if none is running then red. Any idea how I can achieve this? Any help appreciated!
Hi, ever since upgrading to ES 6.2, there has been a problem bugging our team. Whenever we select one of the notable events in the Incident Review dashboard, the screen jumps to the top. The workaround is to zoom out enough so that all notable events show on one screen, but it is suboptimal. Our operator team now either spends lots of time scrolling or risks selecting the wrong notable event for processing. We have tried to provision a new standalone Splunk instance in our environment as a test (Splunk 8.1.5 + ES 6.2), but it is the same. I didn't seem to find anyone talking about this in the community, and there is also no mention of this bug under the known issues section in the release notes. Is there any fix for this apart from upgrading to ES 6.4?
Splunkers, I have an external analytic engine that is currently making Splunk REST API calls to a specific search head in a search head cluster to pull data sets for analysis. It works great, but I want to be able to load balance these REST calls across the search head cluster, and each search requires a minimum of three REST calls: to start the search, check the search status, and retrieve any available search results. I am sure I am not the first individual to require this functionality. Is this functionality already available in Splunk? Has anyone seen an open source implementation? Does a Phantom instance connect to a single Splunk search head? I don't want to degrade the user experience on a search head by having it dedicated to serving up data sets. Please advise... Thanks, Mark
I believe that the TIME_FORMAT value for this add-on is incorrect; more specifically, I believe that the trailing percentage sign (%) at the end needs to be removed. Is someone who is more familiar with XML-formatted Sysmon events able to confirm this?
I have a Splunk query that finds the top errors in the log using a regular expression. I then display it as a bar chart:

someSearchQuery|rex "someTerm(?<error>)"|stats count by error|sort -count | head 10

I want to use the values returned by the query in a drilldown, such that on clicking the bar chart the drilldown displays the result for that value. The drilldown XML I used for setting the token is this:

<drilldown>
    <set token="show_panel">true</set>
    <set token="selected_value">$click.value$</set>
</drilldown>

and then I use this token in the drilldown query as such:

someSearchQuery|rex "someTerm(?<error>)"|search error=$selected_value$|timechart count by errorType span="1m"|addcoltotals|rename NULL as count

These error names are too technical, and I want to change them in the main panel and drilldown. For example, if the regex returns the error "ID not found", I want to replace it with "Data_error". I also want my title to change with the general name:

<title>$$selected_value$</title>

But the problem is that when I change the name using eval, the drilldown query does not get the actual error name, and the search fails because there is no such error as "Data_error"; the query needs "ID not found" to function. Is there any way this can be achieved? Can I change the name of my search term and at the same time use the old search term in the drilldown query as well?
Hi, I'm splunking a Shelly EM3 power meter and get MV values from the JSON status REST API http://192.168.1.2/status, which works fine, but I'm getting the Power, Current etc. for the 3 phases as multivalue fields. How do I access or separate those individual phases out of the MV fields? I'd like to have simple fields like PowerL1=-76.85 PowerL2=635.06 PowerL3=-16.91. Or would it be better to fix that at index time? Thanks