Hi, I have one field containing an array within an array. How can I run a for loop to query the nested arrays and display them? E.g.:

Dept_details : [ {name:"cse", HOD:"somename", students:[ {name:"aditya", rollNo:"1"}, {name:"akash", rollNo="2"} ] }, { name:"ece", HOD:"somename2", students:[ {name:"abhiram", rollNo:"1"}, {name:"abhay", rollNo="2"} ] } ]

I expect the results to be like this:

Dept_details
name    hod
cse     someone

student details
name     rollNo
aditya   1
akash    2

dept details
name    hod
ise     someone2

student details
name      rollNo
abhiram   1
abhay     2

Thanks, Aditya
I have a search SID, and currently I am getting its result using the API api/search/jobs/<sid>/results However, I also need to access the search query string behind this search result.  Is there an API for getting that?
Hi Splunk community, on one of the search heads in my SHC environment, in the /opt/splunk/var/lib/splunk/kvstorebackup/ directory, besides the kvdump.tar.gz there seem to be multiple folders named tmpKVRestore_*. Those folders seem to contain the apps and the .json data. I would like to ask if those folders are safe to remove, and if those folders are caused by restoring the Splunk KV store on the search head, which Splunk did not remove as housekeeping after the successful restore? Thanks.
Hi All, we are finding it very hard to calculate the license usage details by each host. I had executed the below query, which I got from one of the posts in answers.com. Based on the query we are able to see the license usage details per sourcetype and per hostname for a particular index, but the difficult part is that in the hostname field value we are seeing (SQUASHED) as the value and that is consuming more license, so could anyone guide me on how to find the exact hostname details from the (SQUASHED) output.

index=_internal source=*license_usage.log* type="Usage" idx="XXX"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval st=if(len(st)=0 OR isnull(st),"(UNKNOWN)",st)
| fields _time,b,h,st
| bin _time span=1d
| stats sum(b) AS volume by h, _time,st
| stats avg(volume) AS avgVolume max(volume) AS maxVolume by h,st
| eval avgVolumeGB=round(avgVolume/1024/1024/1024,3)
| eval maxVolumeGB=round(maxVolume/1024/1024/1024,3)
| fields h,st, avgVolumeGB, maxVolumeGB
| rename avgVolumeGB AS "average" maxVolumeGB AS "peak",st AS "sourcetype", h AS "hostname"
| sort - average
| head 10

Output:

hostname      Sourcetype          average    peak
(SQUASHED)    test:test1:cisco    175.934    409.272

Problem statement: how to find the exact hostname details from the (SQUASHED) output.
Hello my dear Splunkers, I hope you are doing very well. I would REALLY be so thankful if you can help me out with the following. I'm trying to create a table where the rows are the results from a count of some values that I need. First I will have to search in 3 different indexes and then I will have to create this table: the field common to all = ID. The other field is the type or product bought, A, B or C. I need to put in a table, by month of year, the total amount of IDs that bought only product A, the total amount of IDs that bought A & B (that means they did not buy C at all), the total IDs that bought (B & C), meaning they didn't buy any A at all, and finally the IDs that did not buy anything at all. This is the data I'm working with:

| multisearch
    [ search index="products_sold" AND productId=A AND ID_INFO=* | eval IDA=ID_INFO ]
    [ search index="products_sold" AND productId=B AND ID_INFO=* | eval IDB=ID_INFO ]
    [ search index="products_sold" AND productId=C AND ID_INFO=* | eval IDC=ID_INFO ]
| fields IDA IDB IDC

IDA are the people who bought product A, IDB bought product B, IDC bought product C. Let's say that for yesterday I have the following:

IDA = 11, 10, 12, 78, 89, 13
IDB = 11, 10, 45, 13
IDC = 11, 10, 25

I want to be able to get this table:

Category    Total IDS
Only A      3
Only B      1
Only C      1
A & B       3
B & C       2
C & A       2
A, B, C     2

Only A = 3 because the IDs (12, 78, 89) only bought product A during that time. A, B, C = 2 because the IDs (10, 11) bought products A, B and C during this time. I hope this can illustrate what I am trying to achieve, and I cannot stress enough how much your help means to me. THANK YOU SO SO MUCH to anyone that can help me.
Hello guys, I am trying to download a CSV file from a query that comes after a | stats values(field) command, thus this function organizes the data in a single row and when I open my CSV file all hell breaks loose. Can you please teach me how to have the values shown in an individual row? Thank you.
When I see this issue it is in a dashboard table visualization, not in the search result. The number is shown correctly as a number (right justified) in the search statistics view. Strings are shown left justified by default and numbers are right.

In my case the issue concerns representing a number as currency in a dashboard. The generating search ends with something like:

| eval Amount=round(Amount,2)
| fieldformat Amount=printf("%.2f",Amount)

So there is a clear indication that Amount can only be null or a number. The eval is not necessary if you want to keep the original value completely intact; I left it there to demonstrate, as I was trying various things to force the table to display my value how I wished. I use fieldformat since I wish to be able to drill down on the actual value of Amount and not the string representation. Fieldformat works as intended; however, as OP noted, the table visualization doesn't maintain the intended field's right justification. To further enhance my dashboard relating to the "Amount" field I have the following.

<format type="number" field="Amount">
  <option name="unit">$</option>
  <option name="unitPosition">before</option>
</format>
<format type="color" field="Amount">
  <colorPalette type="list">[#F1813F,#B6C75A]</colorPalette>
  <scale type="threshold">9.999</scale>
</format>

My field should be right justified since I have "told" the table visualization it's a number in the specific way that is documented, and the base search has resulted in the field being denoted with the 'numeric' td class anyhow. By this reasoning it's a bug because "table visualization does not respect numeric field right justification CSS directive".

My hack solution for dashboard: Of interest to me is that when I examine the HTML of the generated dashboard, the field in question is denoted with class=td.numeric, which includes text-align:right; however, it's then overridden by the table class from the dashboard itself.

.table tr, .table td, .table th {
  font-family: Roboto,Droid,Helvetica Neue,Helvetica,Arial,sans-serif;
  font-size: 12px;
  line-height: 16px;
  text-align: left;
  padding: 4px 8px;
}
td.numeric, th.numeric {
  text-align: right;
}

So this leads to a simple hack which solves the visualization issue for me. Perhaps it will solve it for others.

<row>
  <html depends="$nothing$">
    <style type="text/css">
      td.numeric, th.numeric { text-align: right !important; }
    </style>
  </html>
</row>

I assume the CSS defined within the dashboard XML has precedence over the generated CSS, which is very handy indeed. This will result in any numeric field in a table visualization in a dashboard maintaining the right justification that the developer of the table view in statistics view intended. Probably when that enhancement was made, no thought was given to the dashboard table visualization issue.

Full dashboard example with hack:

<dashboard>
  <label>test3</label>
  <row>
    <panel>
      <table>
        <search>
          <query>
| makeresults
| eval Amount=1234.5678
| fieldformat Amount1=printf("%.2f",Amount)
| fieldformat Amount2=printf("$%.2f",Amount)
| fieldformat Amount3=printf("%12.2f",Amount)
| fieldformat Amount4=printf("$%12.2f",Amount)
| eval x1=Amount
          </query>
          <earliest>1616708511</earliest>
          <latest>1616709413.085</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="number" field="Amount1">
          <option name="unit">$</option>
          <option name="unitPosition">before</option>
        </format>
        <format type="color" field="Amount1">
          <colorPalette type="list">[#F1813F,#B6C75A]</colorPalette>
          <scale type="threshold">9.999</scale>
        </format>
        <format type="number" field="Amount2">
          <option name="unit">$</option>
          <option name="unitPosition">before</option>
        </format>
        <format type="color" field="Amount2">
          <colorPalette type="list">[#F1813F,#B6C75A]</colorPalette>
          <scale type="threshold">9.999</scale>
        </format>
        <format type="number" field="Amount3">
          <option name="unit">$</option>
          <option name="unitPosition">before</option>
        </format>
        <format type="color" field="Amount3">
          <colorPalette type="list">[#F1813F,#B6C75A]</colorPalette>
          <scale type="threshold">9.999</scale>
        </format>
        <format type="number" field="Amount4">
          <option name="unit">$</option>
          <option name="unitPosition">before</option>
        </format>
        <format type="color" field="Amount4">
          <colorPalette type="list">[#F1813F,#B6C75A]</colorPalette>
          <scale type="threshold">9.999</scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <html depends="$nothing$">
      <style type="text/css">
        td.numeric, th.numeric { text-align: right !important; }
      </style>
    </html>
  </row>
</dashboard>

Note that Amount3 is rendered as a string although it's being colored correctly as a number, so it's a weird one. The table visualization is troubled by printf's attempt to left pad the value and ignores the padding; however, it still thinks of the value as numeric in terms of the type="color" format block.

Finally my question: Is there something I've missed, or a better way to handle this simple requirement? I want the dashboard table visualization to render numbers the same way as the search statistics view.
Is there an SPL search for searches (saved or scheduled) that run in real time? Should all the scheduled or saved searches be saved on the SH?
Our Windows admins are complaining about high CPU usage on our AD DCs and are pointing their finger at the Splunk UF. In the inputs.conf file in the default folder, there is a stanza:

[admon]
interval=60
baseline = 0

This is installed on about 10K workstations/servers. There are no other inputs.conf files with settings to monitor AD. Does this cause the workstations to query AD even if no other inputs are defined?
I got the answer for my previous question here: https://community.splunk.com/t5/Splunk-Search/Join-searches-and-make-a-calculation/m-p/545615#M154587 Here is my current search:

<search A>
| bin span=1d _time
| stats count max(size) AS Users_Waiting by _time
| append [ search <search B>
    | bin span=1d _time
    | stats count as Daily_Users by _time
    | streamstats sum(Daily_Users) as Cumulative_Users ]
| stats values(*) as * by _time
| eval Users_Not_Waiting = Cumulative_Users - Users_Waiting
| timechart span=1d Users_Not_Waiting

The issue that I am having is the following:

Search A has events for the last 9 days, so I can get Users_Waiting data.
Search B doesn't have events for the last 2 days, so I don't get any data.

Because Search B doesn't have events for the last 2 days, when I do the eval I am not able to calculate the difference for the last 2 days. I want Search B (which is cumulative data) to continue to show 3765156 so the diff is calculated.
Good day! A question of this nature: I have a Splunk cluster. The alert manager application is installed. There is a script for sending messages to the messenger. Is it possible through the application mechanisms to send an alert via a script when creating an incident? I searched through all the documentation of the application, and did not find how to do it...
Hi, we have one search head and one indexer, and installed the DB Connect app on the indexer. We created some searches on the indexer related to DB Connect logs and saved these searches as alerts. The issue is we cannot edit or delete these searches or alerts, as the Alerts tab is empty. How can we edit these alerts?
Hello people!! I have a dashboard that has 5 panels with single values in it. I want to create a new single value panel that comes from the sum or the difference of some of the other single value panels in the same dashboard. Is that possible?
Hello my dear Splunkers, I hope you are doing very well. I would REALLY be so thankful if you can help me out with the following. I'm trying to create a table where the rows are the results from a count of some values that I need. First I will have to search in 3 different indexes and then I will have to create this table: the field common to all = ID. The other field is the type or product bought, A, B or C. I need to put in a table, by month of year, the total amount of IDs that bought only product A, the total amount of IDs that bought A & B (that means they did not buy C at all), the total IDs that bought (B & C), meaning they didn't buy any A at all, and finally the IDs that did not buy anything at all, like this:

Category          ids total
Only A            58
(A & B)           15
Nothing at all    254

THANK YOU SO SO MUCH, I TRULY REALLY MEAN IT
I keep getting delayed searches marked in red "Health Status - Splunkd". How do I investigate and fix this issue?
Hi, I am new to Splunk administration and getting KV store errors. After checking mongod.log, I found that the SSL and server certificates are expired. We have a clustered environment:

SHC - sh1 and sh2
IDXC - sh1 acting as idx1, idx2, idx3
Stand alone acting as DS and LM
One Cluster Master and one HF

We are using Splunk version 6.3 and I am not sure if SSL communication is enabled between Splunk servers or not. Could you please help me with the below:

1) How to check if SSL communication is enabled between Splunk servers
2) How to check if the existing certificates are default, self signed or third party generated
3) How to renew server certificates on each Splunk instance, to fix the KV store errors

Many thanks!!
I am looking for a Splunk tutor: someone who is experienced with dashboards/reports, not just creating dashboards but working through some of the more advanced commands while working with the dashboards. The tutoring will be conducted via Google Hangouts and will be 2 hours per week in one session. If you are interested please email me at pglover4264@gmail.com. I have taken several online courses and really just need tutoring on how I can use the Splunk logic in a more efficient manner, use advanced commands, etc.
I have a distributed environment where the Splunk instances are clustered and the version I am using is 6.6.3. The server certificates are expired and there is no SSL communication enabled between Splunk servers. I have a few queries:

1. How to enable the SSL communication?
2. How are expired server certs going to impact my Splunk environment?
3. How to know from the existing configurations if there is any SSL communication between Splunk instances?
4. How can I resolve these errors:
   a. KV store changed its status to failed. KV store process terminated.
   b. Failed to start KV store process. See mongod.log and splunkd.log for details.
   c. KV store process terminated abnormally(exit code 14, status exited with code 14)
Hello, I want to conduct a search, set a token according to the search result and then set another bunch of tokens depending on the search result token. However my tokens ($test1$, $test2$ and $test3$) never get set. Any ideas what I'm doing wrong?

<dashboard>
  <label>Titel</label>
  <row>
    <panel depends="$alwaysHideCSS$">
      <single>
        <search>
          <query>index=someSearch | rename searchResult AS XX</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="myToken">$result.XX$</set>
          </done>
        </search>
        <drilldown>
          <condition match="5==5">
            <set token="test1">a</set>
            <set token="test2">b</set>
            <set token="test3">c</set>
          </condition>
          <condition match="1==9">
            <set token="test1">d</set>
            <set token="test2">e</set>
            <set token="test3">f</set>
          </condition>
          <condition match="2==3">
            <set token="test1">g</set>
            <set token="test2">h</set>
            <set token="test3">i</set>
          </condition>
        </drilldown>
      </single>
    </panel>
  </row>
  [...]
  <!-- here I want to use those test-tokens but they never get set -->
</dashboard>

The token "myToken" is working. Why do the tokens ($test1$, $test2$ and $test3$) not get set? The condition "5==5" cannot be false.
Hello, I want to conduct a search, set a token according to the search result and then set another bunch of tokens depending on the search result token. However my tokens ($test1$, $test2$ and $test3$) never get set. Any ideas what I'm doing wrong?

<dashboard>
  <label>Titel</label>
  <row>
    <panel depends="$alwaysHideCSS$">
      <single>
        <search>
          <query>index=someSearch | rename searchResult AS XX</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="testtest">$result.XX$</set>
          </done>
        </search>
        <drilldown>
          <condition match="5==5">
            <set token="test1">a</set>
            <set token="test2">b</set>
            <set token="test3">c</set>
          </condition>
          <condition match="1==9">
            <set token="test1">d</set>
            <set token="test2">e</set>
            <set token="test3">f</set>
          </condition>
          <condition match="2==3">
            <set token="test1">g</set>
            <set token="test2">h</set>
            <set token="test3">i</set>
          </condition>
        </drilldown>
      </single>
    </panel>
  </row>
  [...]
  <!-- here I want to use those test-tokens but they never get set -->
</dashboard>

The token "testtest" is working. Why do the tokens ($test1$, $test2$ and $test3$) not get set? The condition "5==5" cannot be false.