Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
I admin an Enterprise instance. I was adding a report for use of service/default accounts when I noticed all of the built-in accounts (Visitor, DefaultAdmin, etc.) generated the Event Code 4798, EventType=Audit Success, four times a day on the workstations. All of these accounts are disabled. I'm assuming this is the system verifying that the built-in accounts are still disabled but I wanted to make sure. Can anyone confirm this or let me know what it actually means?
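An added example, not part of the post above and not the poster's report: Event ID 4798 is "a user's local group membership was enumerated", and the useful check is who enumerated it and from which process, rather than assuming. This search profiles the events per enumerated account so the cadence and the calling process can be inspected. The index, the sourcetype and the Splunk Add-on for Windows field names (TargetUserName is the account enumerated, SubjectUserName the account doing it, CallerProcessName the process) are assumptions; adjust them to the environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4798
| stats count as enumerations
        dc(host) as hosts
        values(CallerProcessName) as caller_process
        values(SubjectUserName) as enumerated_by
        min(_time) as first_seen
        max(_time) as last_seen
  by TargetUserName
| eval span_days=round((last_seen-first_seen)/86400, 1)
| eval per_host_per_day=round(enumerations/hosts/max(span_days, 1), 1)
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table TargetUserName enumerations hosts per_host_per_day caller_process enumerated_by first_seen last_seen
```

A disabled built-in account with a steady per_host_per_day of about 4, a single system binary in caller_process and a machine or SYSTEM account in enumerated_by is the routine pattern the post describes. Rows worth a closer look are those where caller_process is an interactive shell or an unfamiliar binary, or where enumerated_by is a normal user, because the same event is produced when someone enumerates accounts by hand.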
I am trying to retrieve and display the user name of the logged in user as a label or a non-editable text on the dashboard. I'm able to fetch the user name using this query (here I'm limiting this example to 'admin'):

| rest /services/authentication/current-context splunk_server=local | where user = "admin" | table user

This search will always return a single value. I now want to display this as a label/non-editable text on the dashboard, for example at the top of the dashboard like "Logged-in user : admin". Can someone please help achieve this?
I have a series of events that always start with EventTypeName = "Node Down" but there are three scenarios I'm trying to capture.

1. "Node Down" --> "Node Up"
2. "Node Down" --> "Node Rebooted" --> "Node Up"
3. "Node Down" --> "Node Up" --> "Node Rebooted"

Is there a way to capture all three of these scenarios? I'm trying to categorize transactions based on whether or not a Node Rebooted event is present in the transaction. I tried using OR with endswith but it only matches the first event.
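Added example, not the poster's search: transaction has to commit to one endswith value, which is why scenario 3 gets cut off at "Node Up". Numbering the outages with streamstats at every "Node Down" and then collecting the event sequence per outage captures all three orderings, and a reboot anywhere in the sequence is flagged. The index, the sourcetype and the host field used to keep nodes apart are assumptions.

```spl
index=network sourcetype=node_events EventTypeName IN ("Node Down", "Node Rebooted", "Node Up")
| sort 0 host _time
| streamstats count(eval(EventTypeName="Node Down")) as outage_id by host
| where outage_id > 0
| stats min(_time) as started max(_time) as ended list(EventTypeName) as sequence by host outage_id
| eval path=mvjoin(sequence, " --> ")
| eval rebooted=if(isnotnull(mvfind(sequence, "^Node Rebooted$")), "yes", "no")
| eval duration_min=round((ended-started)/60, 1)
| eval started=strftime(started, "%Y-%m-%d %H:%M:%S")
| table host outage_id started duration_min path rebooted
```

Scenario 2 comes out as path "Node Down --> Node Rebooted --> Node Up" and scenario 3 as "Node Down --> Node Up --> Node Rebooted", both with rebooted=yes; scenario 1 gets rebooted=no. The sort is needed so that streamstats and list() see events in chronological order; list() keeps at most 100 values per group, which is ample here, and the where clause drops any events that precede the first "Node Down" in the time range.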
I have a dropdown with 100 values or so (the values come from a CSV file); clicking on each of these should open up a different panel and hide the others. Is there a way to do it without having to unset the other 99 for each single value?
Hello, I have a CSV dataset with 2 columns (_time, temperature) but when I import the dataset in Splunk to do a visualization of the dataset, Splunk plots the dataset with the temperature as the X value and the time as the Y value. How can I change the two columns? I tried to modify the CSV file directly but it doesn't change anything. Thanks
Hi Everyone, I have one requirement. I have multiple Dashboards with a Time/Range dropdown in all the Dashboards. As of now I have set it as last 7 days for all the Dashboards. For one dashboard the data is there till 21st Feb; for the second dashboard the data is there till 26th Feb. So as of now it's showing "NO RESULT FOUND" since it's set to last 7 days. My requirement is that it should populate data from the last good date from when data is available. Like for the 1st Dashboard, since the data is available till 21st Feb, it should display the data from 21st Feb till now. Or is there any way that we can set the condition tokens so that it searches first for 24 hours, then last 7 days, then last 30 days, and displays the data only when it's available? Is it possible to put any condition tokens like that?

Below is my code for the date/Dropdown:

<input type="time" token="field1" searchWhenChanged="true">
  <label>Date/Time</label>
  <default>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </default>
</input>

Below is my code for one query for a panel when the time token is set:

<row>
  <panel>
    <chart>
      <title>Overall Salesforce User Licenses</title>
      <search>
        <query>index="abc" sourcetype="xyz" $type$ TotalLicenses!=0 | lookup Org_Alias.csv OrgFolderName OUTPUT OrgName as OrgName | search $OrgName$ | dedup OrgFolderName, LicenseName, SalesforceOrgId | chart sum(TotalLicenses) as "Total Licenses" sum(UnusedLicenses) as "Unused Licenses" sum(UsedLicenses) as "Used Licenses" by LicenseName</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
    </chart>
  </panel>
</row>

Please guide me on this.
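Added example, not the poster's dashboard: rather than trying three time ranges in turn with tokens, let the query itself find the most recent date that has data and anchor a seven-day window on it. The subsearch returns earliest and latest as inline time modifiers, and inline modifiers override the time input of the dashboard, so the panel shows the last good week no matter what the picker says. The search body, index and sourcetype are the poster's; the 30-day lookback for finding the last good date is an assumption, and the $type$ and $OrgName$ tokens only resolve inside the dashboard, so this replaces the contents of the panel's <query> element.

```spl
index="abc" sourcetype="xyz" $type$ TotalLicenses!=0
    [ search index="abc" sourcetype="xyz" earliest=-30d latest=now
      | stats latest(_time) as last_good
      | eval earliest=last_good-7*86400, latest=last_good+1
      | return earliest latest ]
| lookup Org_Alias.csv OrgFolderName OUTPUT OrgName as OrgName
| search $OrgName$
| dedup OrgFolderName, LicenseName, SalesforceOrgId
| chart sum(TotalLicenses) as "Total Licenses" sum(UnusedLicenses) as "Unused Licenses" sum(UsedLicenses) as "Used Licenses" by LicenseName
```

If the sourcetype has had no events at all in the last 30 days the subsearch returns nothing and the outer search falls back to the dashboard's own time range, which is the "NO RESULT FOUND" case the post describes; widening the lookback in the subsearch is the only change needed to cover older gaps.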
I am trying to create a Splunk alert where the log line is delimited with commas. I need to get field 4 and check if the value is greater than a threshold, then raise an alert. I am able to search the field from the corresponding file but unable to fetch the unique field; please help with getting the corresponding field which is delimited with commas > threshold.

Log (when I search for ,dat1, it gets me both lines):

date,dat1,queue,0,100,0,0,0,0
date,am.dat1,queue,10000,23,34,0,0

Search:

index=index host="hostname" source="logpath" dat1
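An added example, not part of the post: split the raw comma-delimited line into positions, compare the fourth position as a number, and match the name exactly so that am.dat1 no longer collides with dat1 the way a bare keyword search does. The index, host and source are taken from the post; the threshold 5000 is an assumption. Against the two constructed lines from the post, date,dat1,queue,0,100,0,0,0,0 yields field4=0 and is not alerted on, and date,am.dat1,queue,10000,23,34,0,0 is excluded by the exact name match.

```spl
index=index host="hostname" source="logpath"
| eval parts=split(_raw, ",")
| eval name=trim(mvindex(parts, 1)), field4=tonumber(trim(mvindex(parts, 3)))
| where name="dat1" AND field4 > 5000
| table _time host name field4 _raw
```

Save it as an alert that triggers when the number of results is greater than 0. tonumber() returns null for anything non-numeric, so malformed lines drop out at the where clause instead of being compared as strings, and extending the check to several queues is a matter of name IN ("dat1", "dat2").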
Is it possible to have a particular result in a custom column which will fetch values from the existing search and will show a particular result in that column? For example, if there is one job which shows status as false, then its adjacent custom column should show the time at which its last status was true.
I am comparing two column values and want to highlight the first column value in red if it does not match the other column value. I want to color the "la_stg" column value if it does not match the "qa_p" column value. Can someone please help? This is kind of urgent.
I want to set up an on-prem AppD Platform according to this tutorial: https://github.com/sherifadel90/AppDynamicsPoVReadyLab (see Steps 1-3)

After unzipping and installing the Enterprise Console - 64-bit Linux (sh) on my AWS instance:

sudo su
./platform-setup-x64-linux-20.x.x.x.sh

with inputting the below:

I accept the agreement: 1
Where should AppDynamics Enterprise Console be installed?: /usr/local/appdynamics/platform
Database Root User Password: AppD123
Database Port: 3377 (default)
Enterprise Console Database Password: AppD123
Enable Https Connection: n
Enterprise Console Host Name: In case of AWS, Enter the public DNS name of the lab EC2 instance
Enterprise Console Port: 9191 (default)
Enterprise Console Root User Name: admin (default)
Enterprise Console Root User Password: AppD123

I get the message that the installation succeeded:

Setup has finished installing AppDynamics Enterprise Console on your computer. To install and manage your AppDynamics Platform, use the Enterprise Console CLI from /usr/local/appdynamics/platform/platform-admin/bin directory. Finishing installation ...

When calling my Enterprise Console through my web browser via ec2-52-59-205-162.eu-central-1.compute.amazonaws.com:9191 I get no response, although my service is running on port 9191. Does anyone have any idea how to get the Enterprise Controller properly started? All inbound ports on my AWS instance are open, so that's not an issue. Thank you so much!

I am running an m5.xlarge instance with 4 CPUs, 16 GB RAM and 100 GB storage. OS: Ubuntu 18.04. OpenJDK version: 1.8.0_282
Hi, the following search query produces the output in the table below:

index=_pods pod=* project=project_name state="Running" | eventstats latest(_time) as current | where current=_time | stats count as Active by pod | rename pod as "Pod Name" | table "Pod Name" "Active" | fillnull "Active"

Output:

Pod Name  Active
pod5      2
pod1      2
pod3      2

Now, I have a csv file with the following info:

pod,Expected
pod1,2
pod5,100
pod3,2

I want to add the "Expected" row from the csv file into the search output. So far I have done:

index=_pods pod=* project=project_name state="Running" | eventstats latest(_time) as current | where current=_time | stats count as Active by pod | appendcols [| from inputlookup:"lookup_expected_pods_dk0766.csv"] | rename pod as "Pod Name" | table "Pod Name" "Active" "Expected" | fillnull "Active"

But the output is:

Pod Name  Active  Expected
pod5      2       2
pod1      2       100
pod3      2       2

As can be seen, the value Expected=100 should be for pod5 (csv file), but the output is showing 100 for pod1 in Splunk. I have no idea how to have inputlookup search for the pod name in the csv file and add the "Expected" value to the proper pod name. How should I adjust the search query to get the needed output? Also, is there a possibility to highlight differences between Active and Expected with a color? Thanks
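Added example (not the poster's search): appendcols pastes the lookup rows alongside the results by row position, not by key, which is why the Expected values landed on the wrong pods. lookup joins on the pod field instead. The search and the lookup file name are the poster's; the Delta and Status columns are added so that a table colour rule has something to key on. It assumes the CSV has been uploaded as a lookup table file with the header pod,Expected.

```spl
index=_pods pod=* project=project_name state="Running"
| eventstats latest(_time) as current
| where current=_time
| stats count as Active by pod
| lookup lookup_expected_pods_dk0766.csv pod OUTPUT Expected
| eval Expected=tonumber(Expected)
| fillnull value=0 Active Expected
| eval Delta=Active-Expected
| eval Status=case(Delta=0, "ok", Delta<0, "under", true(), "over")
| rename pod as "Pod Name"
| table "Pod Name" Active Expected Delta Status
```

With the post's data this gives pod5 Active=2 Expected=100 Status=under, and pod1 and pod3 ok. For the colouring, a Simple XML table format on the Status column does it without any further SPL: <format type="color" field="Status"><colorPalette type="map">{"under":#DC4E41,"over":#F8BE34,"ok":#53A051}</colorPalette></format>. Note that a pod listed in the CSV but with no running instance never reaches stats and so is absent from the table; to report those too, start from inputlookup and left-join the running counts onto it.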
Hi All, I have a query like below:

index="abc" host=xxx | eval Indicator=if(state=="RUNNING", "10", "0") | timechart span=5min min(Indicator) as "Trend"

and it will give me results like below. I am trying to get the time (_time) value when a change in the value of Trend happens, e.g.

myTime = 2021-03-18 16:55:00 (when Trend changes from 10 to 0)
myTime = 2021-03-18 17:25:00 (when Trend changes from 0 to 10)

Can someone please help me do it? I would really appreciate it if someone can help with the difference between these times also:

myTime = 2021-03-18 16:55:00
myTime = 2021-03-18 17:25:00
Difference = 30 minutes
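Added example, not from the post: once timechart has produced the Trend series, streamstats with current=f carries the previous bucket's value forward, so keeping only the rows where it differs gives the transition times, and a second streamstats supplies the time of the previous transition for the gap. The index and host are the poster's; the only change to their query is that Indicator is a number rather than a quoted string, so that min() compares numerically.

```spl
index="abc" host=xxx
| eval Indicator=if(state=="RUNNING", 10, 0)
| timechart span=5min min(Indicator) as Trend
| streamstats current=f last(Trend) as prevTrend
| where isnotnull(prevTrend) AND Trend!=prevTrend
| streamstats current=f last(_time) as prevChange
| eval myTime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval Change=prevTrend." -> ".Trend
| eval Difference=if(isnotnull(prevChange), round((_time-prevChange)/60)." minutes", "n/a")
| table myTime Change Difference
```

For the post's example this yields one row at 2021-03-18 16:55:00 with Change "10 -> 0" and one at 17:25:00 with Change "0 -> 10" and Difference "30 minutes". Five-minute buckets that received no events have a null Trend; last() skips nulls, so a gap in the data is not reported as a state change, which is usually what is wanted for an availability trend.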
Hi, my search returns a pie chart that is a sum of a variable (memory_usage_GB) plotted by another variable (user):

.... | stats sum(memory_usage_GB) by user ....

On the other side, I have an input in the same dashboard where you can select a specific user. The input is referenced with the token $userfilter$. I want the pie chart to color the result corresponding to the selected user in the input with one color, and all the other results with another color. So in the XML of the pie chart, I have tried the following:

<option name="charting.fieldColors">{"$userfilter$": 0x39ff14,"all":0xa9a9a9}</option>

It colors the desired user. However, I don't know how I can refer to the rest of the results. Maybe there is another way to do the coloring in the search string? Thank you!
I am aware of this: https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Merge. However, we have a version of ES older than 6.4 and that feature does not exist there. The behaviour of identitymerge is really unhelpful and has been causing many headaches. Is there a way to turn it off?
Hi all, we are trying to configure Splunk on premise (7.3.6) to work with SAML and ADFS but we are stuck with some errors.

With signedAssertion = false we see in internal logs:

ERROR Saml - Failed to parse issuer. Could not evaluate xpath expression //saml:Assertion/saml:Issuer or no matching nodes found. No value found in SamlResponse for key=//saml:Assertion/saml:Issuer

With signedAssertion = true:

ERROR UiSAML - Verification of SAML assertion using the IDP's certificate provided failed. Error: start node xmlSecNodeSignature not found in document

Any suggestions?
Hi all, I have two scheduled searches. Is there the possibility to launch the second one at the end of the first? Can you help me? Thanks for any answer. Best Regards, Simone
Hi, I am a student and very new to Splunk so I need help. I need to create a custom visualisation which includes creating a table from the search results. It shouldn't be a static table as I need to add some additional features to it. So the table should be created and uploaded like a panel which can be used for the visualisation. https://docs.splunk.com/Documentation/Splunk/6.5.0/AdvancedDev/CustomVizTutorial This link shows the custom visualisation for a radial meter, but I need one for table creation using JavaScript. Any leads and help are appreciated. Thanks in advance
Hi All, I have an external website and a Splunk Dashboard. I want to display the contents of the Splunk dashboard directly in the external website without navigating to the Splunk website. Is there a way to do it? Thanks.
I have an alert with timechart span=6h, where I need to check if there is no data for more than 6 hours; in that case I need to trigger an alert. How do I get that to work?
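An added example rather than the poster's alert: instead of looking for an empty 6-hour bucket, whose most recent bucket is always partial at the moment the alert runs, compare the latest event time per source against now(). Starting from a lookup of the sources that are expected to report also catches a source that has not sent anything at all in the search window, which a search over the data alone can never notice. The index abc, the lookup file expected_sources.csv with a host column, the 7-day lookback and the 360-minute limit are assumptions.

```spl
| inputlookup expected_sources.csv
| join type=left host
    [ | tstats latest(_time) as last_seen where index=abc earliest=-7d by host ]
| eval silent_min=round((now()-coalesce(last_seen, 0))/60)
| where silent_min > 360
| eval last_seen=if(isnotnull(last_seen), strftime(last_seen, "%Y-%m-%d %H:%M:%S"), "never in last 7 days")
| table host last_seen silent_min
```

Schedule it to run hourly and trigger when the number of results is greater than 0; every run then reports each silent host with how long it has been quiet. tstats reads the index metadata rather than the events, so the 7-day lookback costs little, and the left join keeps hosts that have no match so they surface with silent_min at its maximum.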
Hi @Ryan.Paredez, greetings for the day! Regarding the error while trying to register to AppDynamics newly ("There was an error with your request. Refresh the page and try again"): my team and I have been trying to register to AppDynamics with different IDs and different browsers, since the existing account has expired, but we are facing this issue while registering (please refer to the image). Please help me in resolving this.