Hello, I have an event log being printed as:

Mon May 24 07:15:19 PDT 2021 buildAndExecuteQuery query SELECT emp.Name,emp.age,emp.address from emp where (emp.Region LIKE :1 OR emp:Region LIKE :2) AND emp.department LIKE :3  with parameters [%region07%, %region09%,%0840%].

I'm trying to extract an SQL query field with the following desired output:

SELECT emp.Name,emp.age,emp.address from emp where (emp.Region LIKE : "region07" OR emp:Region LIKE :"region09") AND emp.department LIKE :"0840"

I tried extracting the input variable fields and the parameter fields using the rex command and am not able to move further on how to replace the values in the query. Any help would be appreciated. Thanks in advance. Harris
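One way to rebuild the executed statement from such a line, as an added SPL example that is not part of the original question: rex pulls out the statement text and the bracketed parameter list, split turns the list into a multivalue field, mvmap trims each value, strips the LIKE wildcards and wraps it in double quotes, and the positional placeholders :1, :2, :3 are then replaced by position. The event is constructed with makeresults from the line quoted above; mvmap requires Splunk 8.0 or later. The example assumes the whole placeholder is replaced (LIKE "region07"); if the colon has to survive, prepend it in the mvmap expression. The \b after each placeholder keeps :1 from also matching the start of :10 when a query has more than nine parameters.

```spl
| makeresults
| eval _raw="Mon May 24 07:15:19 PDT 2021 buildAndExecuteQuery query SELECT emp.Name,emp.age,emp.address from emp where (emp.Region LIKE :1 OR emp:Region LIKE :2) AND emp.department LIKE :3  with parameters [%region07%, %region09%,%0840%]."
| rex field=_raw "query\s+(?<sql>.+?)\s+with parameters \[(?<params>[^\]]*)\]"
| eval params=split(params, ",")
| eval params=mvmap(params, "\"" . replace(trim(params), "%", "") . "\"")
| eval sql=replace(sql, ":1\b", mvindex(params, 0))
| eval sql=replace(sql, ":2\b", mvindex(params, 1))
| eval sql=replace(sql, ":3\b", mvindex(params, 2))
| table sql params
```

Against real events, replace the first two lines with the search that returns the buildAndExecuteQuery lines. Each additional placeholder needs one more replace line with the next mvindex position; the parameter order in the brackets is assumed to match the placeholder numbering, which is how the sample line is written.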
Hi Everyone, I have one query like this which shows the count of the failed jobs as a single value, as shown below:

<panel>
  <title>Count of Jobs Failed</title>
  <single>
    <search>
      <query>index=abc source="/splunkLogs/JOB_MDJX_CS_STATS_PLATINUM.csv"| eval fields=split(_raw,",") |eval Environment=mvindex(fields,11)|eval JOBFLOW_ID=mvindex(fields,0) |eval JOB_EXEC_TIME=mvindex(fields,8)|eval RunDate=mvindex(fields,3)|eval JOB_STATUS=mvindex(fields,5)|where Environment="E3"|where JOBFLOW_ID LIKE "%%"|eval RunDate="20".mvindex(fields,3)|eval Run_Date=strptime(RunDate,"%Y%m%d") |fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|where JOB_STATUS=="FAILED"|stats COUNT</query>
      <earliest>-2d@d</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">none</option>
    <option name="drilldown">all</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
    <option name="rangeValues">[0,30,70,100]</option>
    <option name="refresh.display">progressbar</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="unitPosition">after</option>
    <option name="useColors">0</option>
    <option name="useThousandSeparators">1</option>
    <drilldown>
      <set token="show_panel">true</set>
      <set token="selected_value">$click.value$</set>
    </drilldown>
  </single>
</panel>

I am getting the single value 2, which is the count of failed jobs. When I click on the 2, it should show me the details of the two failed jobs. I have tried the following, but it is not working:

<panel depends="$show_panel$">
  <table>
    <title>Failed RID Details</title>
    <search>
      <query>index=abc source="/splunkLogs/JOB_MDJX_CS_STATS_PLATINUM.csv"| eval fields=split(_raw,",") |eval Environment=mvindex(fields,11)|eval JOBFLOW_ID=mvindex(fields,0) |eval JOB_EXEC_TIME=mvindex(fields,8)|eval RunDate=mvindex(fields,3)|eval JOB_STATUS=mvindex(fields,5)|where Environment="E3"|where JOBFLOW_ID LIKE "%%"|eval RunDate="20".mvindex(fields,3)|eval Run_Date=strptime(RunDate,"%Y%m%d") |fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|where JOB_STATUS=="FAILED" $selected_value$ </query>
      <earliest>-2d@d</earliest>
      <latest>now</latest>
    </search>
    <option name="count">100</option>
  </table>
</panel>

Can someone guide me on this?
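The token the drilldown sets is the clicked number (2 here), so appending $selected_value$ to the second search turns its last where clause into "where JOB_STATUS=="FAILED" 2", which is not valid SPL. The detail table only needs the same filters as the count panel without the final stats; the token's job is to reveal the panel, not to filter the search. The following is an added example, not the original dashboard's query; it assumes the same index, source and CSV column positions as the question and keeps only the columns the question names.

```spl
index=abc source="/splunkLogs/JOB_MDJX_CS_STATS_PLATINUM.csv"
| eval fields=split(_raw, ",")
| eval JOBFLOW_ID=mvindex(fields, 0), RunDate="20" . mvindex(fields, 3), JOB_STATUS=mvindex(fields, 5), JOB_EXEC_TIME=mvindex(fields, 8), Environment=mvindex(fields, 11)
| where Environment="E3" AND JOB_STATUS="FAILED"
| eval Run_Date=strptime(RunDate, "%Y%m%d")
| fieldformat Run_Date=strftime(Run_Date, "%d/%b/%Y")
| table JOBFLOW_ID Run_Date JOB_EXEC_TIME JOB_STATUS
```

Keep depends="$show_panel$" on the panel and the <set token="show_panel">true</set> in the drilldown; $selected_value$ can be dropped from the query entirely (it is still usable in the panel title). Because both panels search the same -2d@d to now window, the table lists exactly the events the single value counted.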
Hi Guys, Hope you are doing great. We are planning to send the data to the indexer via HTTP event collector from an application server. Actually, the data is in CSV format. How can we achieve this? Your help would be really appreciated. Please let me know if we can achieve this using only HEC. 
Hi, for the Splunk DB Connect add-on, do we need to have the Java path and driver set up on the database server we are trying to connect to? Thanks
I have a question regarding the Splunk and Postman interaction. I've set up a Splunk instance inside a Linux virtual machine. I am able to use the curl command to access Splunk endpoints in the VM; doing so returns an SID which I can then use to get Splunk data. However, I am having a hard time retrieving the SID from Postman. When I try to connect to the API I am met with an "Unauthorized" message (pic attached). I am using Basic Auth and entering an admin username and password. Any ideas on what to do? What piece am I missing?
Hi, I have a few URLs and I am logging their responses in Splunk, with fields such as status (0, 1), status code (Success, Failure) and many others. I want to create a chart that depicts the up/downtime of each URL over a selected span of time, and colour-code the graph: whenever the URL has status 1 (i.e. Success) the line is green, and red when status=0. "| timechart count by Status" will not give me the URL which is at 0 or 1. So I want URL, Status and Time along with the colour codes. The final output should be in a heartbeat shape. Thanks
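A built-in line chart gives one colour per series, not per value, so the usual way to get a red/green status strip is to turn the 0/1 status into two series and stack them. This is an added SPL example, not from the original question; it assumes an index url_checks, a sourcetype url_probe and the URL and Status (0 = down, 1 = up) fields the question describes, with probes at least every five minutes. min(Status) per span marks the span down if any probe in it failed.

```spl
index=url_checks sourcetype=url_probe URL="https://example.test/health"
| eval Status=tonumber(Status)
| timechart span=5m min(Status) as Status
| eval Up=if(Status=1, 1, 0), Down=if(Status=0, 1, 0)
| fields _time Up Down
```

Render the panel as a column or area chart with <option name="charting.chart.stackMode">stacked</option> and <option name="charting.fieldColors">{"Up": 0x53a051, "Down": 0xdc4e41}</option>; each interval then shows a green bar when the URL was up and a red one when it was down, which is the heartbeat shape asked for. Spans with no probe at all stay empty rather than being painted red, so a gap means "no data", not "down". For several URLs, drop the URL filter, use timechart span=5m min(Status) by URL, and enable trellis layout (trellis.enabled) so each URL gets its own strip.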
Hi Team! I would like to clean all the old data from Splunk so that I can limit it to 2 years only. Currently it is storing all the data. How do I achieve this, and what are the steps? Thank you so much, really appreciated.
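Age-based retention is configured per index in indexes.conf with frozenTimePeriodInSecs (63072000 for two 365-day years). Splunk freezes a whole bucket once its newest event is older than that value, and frozen buckets are deleted unless coldToFrozenDir or coldToFrozenScript is set for the index. Before changing the setting, it is worth seeing which indexes would lose data immediately. The following is an added SPL example, not from the original question; it needs the dbinspect capability and looks at every index, so narrow index=* if the list is long.

```spl
| dbinspect index=*
| where endEpoch < relative_time(now(), "-2y@d")
| stats count as buckets, sum(sizeOnDiskMB) as disk_mb, min(startEpoch) as oldest_event, max(endEpoch) as newest_event by index
| eval oldest_event=strftime(oldest_event, "%Y-%m-%d"), newest_event=strftime(newest_event, "%Y-%m-%d")
| sort -disk_mb
```

The where clause keys on endEpoch, the newest event in the bucket, because that is what the freeze decision uses; a bucket that straddles the two-year line keeps its older events searchable until its newest event ages out too. Check that anything older than two years is not still required for audit or incident reconstruction before the data is deleted, and archive it via coldToFrozenDir if it is.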
Is it possible to configure mutual TLS when accessing an external link from a dashboard drilldown? I need to call out to a REST API from a dashboard link but also have the connection secured.
Hi Everyone, I have created this query:

index=abc source="/splunkLogs/JOB_MDJX_CS_STATS_PLATINUM.csv"|join type=outer JOBFLOW_ID [ inputlookup JOB_MDJX_CS_MASTER_E3.csv ]|eval fields=split(_raw,",")|eval Environment=mvindex(fields,11)|eval JOBFLOW_ID=mvindex(fields,0) |eval JOB_EXEC_TIME=mvindex(fields,8)|eval RunDate=mvindex(fields,3)|where Environment="E3"|where JOBFLOW_ID LIKE "%%"|eval RunDate="20".mvindex(fields,3)|fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|timechart sum(JOB_EXEC_TIME) as TotalExecTime by JOBFLOW_ID |eval TotalExecTime=round(TotalExecTime,2)|sort -TotalExecTime limit=10

The issue I am facing is that I am getting the job trends, but also one more line labelled Other. How can we hide that OTHER? Attached is a screenshot of the same. Can someone please guide me?
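timechart keeps at most limit series (10 by default) and folds everything else into a series called OTHER; useother=f suppresses that series, and limit= chooses how many real series to keep. The following is an added example, not the query from the question. It leaves out the lookup join, which is unrelated to the OTHER line, and drops the trailing eval and sort: after "timechart ... by JOBFLOW_ID" every job is its own column, so there is no TotalExecTime field left to round or sort on.

```spl
index=abc source="/splunkLogs/JOB_MDJX_CS_STATS_PLATINUM.csv"
| eval fields=split(_raw, ",")
| eval JOBFLOW_ID=mvindex(fields, 0), JOB_EXEC_TIME=tonumber(mvindex(fields, 8)), Environment=mvindex(fields, 11)
| where Environment="E3"
| timechart span=1d sum(JOB_EXEC_TIME) as TotalExecTime by JOBFLOW_ID limit=10 useother=f usenull=f
```

usenull=f also hides the NULL series that appears when JOBFLOW_ID is missing from a row. Set limit=0 to keep every job instead of the ten with the largest totals, and adjust span to the granularity the dashboard needs.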
I'm trying to install a few apps in Splunk.    The dialogue says "Enter your Splunk.com username and password to download the app."   I use the username/password combination I'm using for splunk.com and I continually get back an error message "Incorrect username or password".     Given that I had to log into splunk.com using the same credentials to post this message I'm out of ideas on how to make this work.    
Hi all, I have a dynamic dropdown whose values come from a search query. I want to assign all of those values to a token for <condition label="All">. I also want those values to be delimited during the assignment. I have tried a lot and failed to implement it. Can anyone please help me with this?
I would like to know if there is any performance impact that EUM can cause to the web application it monitors. We are in the process of deploying EUM in PROD. It is to monitor a web-based .NET application that our customers log in to in order to pay their bills. I would like to know if inserting the EUM JavaScript could cause any performance impact to the application. I will be using the option to host all JavaScript Agent files from cdn.appdynamics.com. Any input will be very much appreciated. Thank you. Ferhana
I have logs like below:

findContractsByPersonId(String) executed in 463 milliseconds
findContractsByPersonId(String) executed in 4,681 milliseconds
findContractsByPersonId(String) executed in 3,671 milliseconds
findContractsByPersonId(String) executed in 681 milliseconds

and I want to create a field which will give the values from the log like below:

463
4,681
3,671
681

I did a field extraction with the log line below:

findContractsByPersonId(String) executed in 463 milliseconds

I am able to create the field, but I can only get the non-comma-separated values; I mean I am only getting the values 463 and 681, and not the comma-included values (4,681 and 3,671). Could you please suggest how to get all the values (the comma-included values also)?
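An extraction built from the 463 sample will have used \d+, which stops at the first comma of 4,681. Matching [\d,]+ captures the grouped form, and stripping the separators before tonumber gives a value that sorts and aggregates correctly (the string "4,681" would otherwise compare as text). This is an added SPL example, not from the original post; the four events are constructed with makeresults from the lines quoted above, and the field names method, exec_ms_raw and exec_ms are assumptions.

```spl
| makeresults count=4
| streamstats count as n
| eval _raw=case(n=1, "findContractsByPersonId(String) executed in 463 milliseconds", n=2, "findContractsByPersonId(String) executed in 4,681 milliseconds", n=3, "findContractsByPersonId(String) executed in 3,671 milliseconds", n=4, "findContractsByPersonId(String) executed in 681 milliseconds")
| rex field=_raw "^(?<method>\S+) executed in (?<exec_ms_raw>[\d,]+) milliseconds"
| eval exec_ms=tonumber(replace(exec_ms_raw, ",", ""))
| table method exec_ms_raw exec_ms
```

exec_ms_raw keeps the original text (463, 4,681, 3,671, 681) and exec_ms holds 463, 4681, 3671 and 681 as numbers. The same regex works as the EXTRACT in the props.conf field extraction, with the tonumber/replace step as a calculated field (EVAL-exec_ms) so both fields exist at search time; [\d,]+ also copes with values such as 1,234,567.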
Hi All, is this possible in Splunk? I have data like below:

field1    field2
1500m     20GB
2000m     21GB
45        500mb
1440m     250mb
12        15GB

In field1, if any value does not end with "m" then it should be multiplied by 1000. In field2, if any value does not end with "GB" then it should be divided by 1024. For example, the result should be like this:

field1    field2
1500 m    20GB
2000 m    21GB
45000 m   0.48GB
1440 m    0.24GB
12000 m   15GB
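Both columns can be normalised with an eval that tests the suffix and converts only the values that lack it. This is an added SPL example, not from the original post; the five rows are constructed with makeresults from the table above. field2 is divided by 1024 on the assumption that "mb" means mebibytes relative to GB, and the result is truncated with floor rather than rounded so that 500mb becomes 0.48GB exactly as in the expected output (round(x, 2) would give 0.49GB).

```spl
| makeresults count=5
| streamstats count as n
| eval field1=case(n=1, "1500m", n=2, "2000m", n=3, "45", n=4, "1440m", n=5, "12")
| eval field2=case(n=1, "20GB", n=2, "21GB", n=3, "500mb", n=4, "250mb", n=5, "15GB")
| eval field1=trim(field1), field2=trim(field2)
| eval field1=if(match(field1, "m$"), replace(field1, "m$", " m"), tostring(tonumber(field1) * 1000) . " m")
| eval field2=if(match(field2, "(?i)GB$"), field2, tostring(floor(tonumber(replace(field2, "(?i)mb$", "")) / 1024 * 100) / 100) . "GB")
| table n field1 field2
```

The (?i) flag makes the suffix test case-insensitive, so MB and mb are treated the same; trim protects against the trailing spaces that CSV exports often carry. If the converted numbers are needed for arithmetic later, keep them in separate numeric fields (for example field1_m and field2_gb) and use these string forms only for display.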
Hi Team, I have a search query that checks for busy threads and shows their occurrences in the log; the value needs to be printed on the Splunk dashboard. We need to print the value beside bsy, like bsy 1, bsy 2, so we want to print those 1, 2 values. Attached is an image for reference. @scelikok @gcusello and all Splunk enthusiasts, please help.
Hi, I'm not sure about the effect of the general setting "Save results to KVStore / index". Is there a difference in the functionality/features of alert handling depending on this setting? Can I just activate one or the other? What if I activate both? Best regards
Any suggestions on an approach to connect Splunk (hosted on-prem) to a database (hosted in AWS) using Splunk DB Connect? Is this achievable in any manner?
I am getting several ERROR messages under the component TailReader on a Splunk HF, in the splunkd sourcetype:

Ran out of data while looking for end of header

Unfortunately, it does not give any indication of where this issue is arising from. Lots of other posts with the same issue seem to indicate the source of the issue in their case. Can anyone please advise what else I can do to narrow down the root cause of this issue?
I have 3 panels and three inputs (two multiselects and one text input box). The first two panels in the first row are column charts and the third panel in the second row is a table. I want to use the two multiselect dropdowns to populate data in all 3 panels, but the text input should only affect the results of the third panel, after the data has been populated by the dropdowns. Is there a way I can use the search input after the information is populated as a result of the dropdowns and get the required information? Right now, I am getting "No results found" in the third panel, which is driven by both dropdowns and the search input box.