All Topics

I'm having an issue with DBX where I'm trying to change an existing input or create a new input (I've attempted both) to change the field I'm using for the rising column. I've been using a date/time field for rising column out of necessity but we recently added a proper rising column field to the table that I'd like to switch to. The problem I'm running into is every time I switch to the new ID column from the EventDateTime column, the DBX input queries the data once with the new ID value and then appends the latest EventDateTime value into the rising column log. The ID field remains in the configuration but the input is now broken because the rising column value reverted. This happens whether or not I'm re-using the old Input or if I create a completely new input from scratch. I AM attempting to use the existing custom source and sourcetype information so I don't have to edit my 20+ dashboards and many more field extractions. If anyone has any thoughts on this I'd greatly appreciate the feedback!   Thanks,
I am looking to catalog which reports/alerts utilize which notification actions. I have a search currently that keys off of, "alert_action", but this is only effective IF the alert has already fired off in the specified time frame. However, I need to be able to see any alerts that will take a given action, even if they have not fired off. Any help is greatly appreciated.  
I'm trying to extract this field that has colon, backslash and quotes around it and it's not yielding any result. Field looks like this: [{\"errorCode\":9810, This is what I tried: index=main errorCode | rex field=_raw  "\"errorCode\\\":(?<code>....)" | table code This is giving empty result. Would appreciate any hints or suggestions.
Hi,  This configuration is working well for me, but I am wondering if it is possible to set both earliest and latest value - e.g. to set up "Yesterday" as a choice, I would need earliest=-1d@d latest=@d, but the config below only allows to set up $earliest.tok$ with latest=now.  snippet from "Conditional operations with form inputs"  https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/tokens Many thanks, Bea
I am getting the following error when I try to make a new input: "java.lang.IllegalStateException: Column name conflicted, please set shortnames option to false and retry" My query is as follows:    SELECT DISTINCT * FROM [LOG].ActivityDetail a INNER JOIN setup.ProcessGovernance b ON a.ProcessGovernance1Up=b.ProcessGovernance1up WHERE b.ProcessStatus1Up=3 AND Severity = 3 AND IndentLevel=1;   I am horrible with SQL so I have no idea what to do.    Thank you!
Hi,  I have a report that I scheduled and embedded on my own personal/external website. I can see the results just fine on my local machine. However, when I visit the site from any other device I get this error:  "127.0.0.1 refused to connect" Any ideas on how to fix this?

Hi All, Need some assistance combining 3 queries in tabular form so I can export them to a lookup table. I'm also trying to add a date range
Example - On 2021-02-18 morning we report metrics from 2021-02-16 5:00 PM to 2021-02-17 5:00 PM

Q1:
index=tst1 sourcetype IN (tst2, tst4, tst5) source IN ("/opt/performance.log", "/opt/formance.log", "/opt/test.log")
| fields TRAN_TYPE, respTime, TRAN_TIME_MS
| stats count as Total, count(eval(TRAN_TIME_MS<=3000)) as Total_Under_3sec1, count(eval(respTime<=3000)) as Total_Under_3sec2
| addtotals fieldname="Total_Under_3sec" Total_Under_3sec1 Total_Under_3sec2
| eval Perc = (Total_Under_3sec / Total)*100
| fields Perc

Q2:
index=tst2 sourcetype=tst2 PAGE_ID_WEIGHT=* TRAN_TYPE =* PAGE_ID=345 ACTION=GET
| eval USER_ID=lower(USER_ID)
| stats dc(USER_ID)

Q3:
index=tst3 sourcetype=test3 method=POST login=/tst3* user!=unauthenticated msgCode=302
| eval action=case(status==302,"Success")
| stats dc(user)

Col1    Col2    Col3
99      89      97

Any assistance is appreciated.

I have a line graph that allows me to click on the line and it populates the Country and the date/time automatically, through the drilldown/XML code, into a new search. The issue is, I have top 10 countries and the rest get consolidated into the OTHER value. Ideally, I want the OTHER value to be able to search for all of the countries not in the top 10. Right now, it's set up so that if I click OTHER, then the search would just say: Country="OTHER" (which is obviously not an actual country). Any help is greatly appreciated!
I know you can use a search with format to return the results of the subsearch to the main query. Like for example I can do this: index=unified_tlx [search index=i | top limit=1 acct_id | fields acct_id | format] | stats count by acct_id Where it finds the top acct_id and formats it so that the main query is index=i ( ( acct_id="top_acct_id" ) ) | stats count by acct_id. How can I use format to do that for a tstats command instead so that it could look something like | tstats count where index=i AND TERM(random_acct_id) ? I want to use the subsearch to find the top_acct_id and then format it so it will look like the above

Hi all, hope all is well! I'm unsetting a token in the <change> block of a <query>. However, I'm finding that the <unset> event in the <change> block gets fired on initial load before the user ever makes a change to the input. Is this a bug? Sample code:
<input>
  <search>
    <query>
    </query>
    <change>
      <condition>
        <unset token="some_token"></unset>
      </condition>
    </change>
  </search>
</input>

Receiving the following error: java.sql.SQLSyntaxErrorException: ORA-00911: invalid character However, no character is highlighted in the Data Lab SQL editor for the following query: select LI.BBY_ACTIVATION_LINK_SEQ ,li.bby_activation_line_seq , li.bby_pos_sale_seq, li.bby_plan_match_flg, pl.pos4partkey, pl.line_item_type POS_LINE_ITEM_TYPE,pl.hardware_sku POS_HARDWARE_SKU,pl.hardware_esn POS_HARDARE_ESN,pl.void_status POS_VOID_STATUS,pl.activation_phone_nbr POS_PHONE_NUMBER,pl.bbym_bskt_id POS_BAKT_ID, pl.bby_plan_sku POS_PLAN_SKU,al.hardware_type ACTIVATION_LINE_TYPE, al.hardware_esn ACTIVATION_HARDWARE_ESN,al.activation_phone_nbr ACTIVATION_PHNE_NUMBER, al.activation_type,al.tender_status ACTIVATION_TENDER_TYPE, al.actv_mthd, al.created_on ACTIVATION_CREATED_ON, al.amended_on ACTIVATION_AMENDED_ON,pl.created_on POS_LINE_CREATED_ON,pl.amended_on POS_LINE_CREATED_ON,li.created_on LINK_CREATED_ON from bst_bbym_sch01.BBY_POS_BEAST_ACTIVATION_LINK LI,bst_bbym_sch01.BBY_ACTIVATION_LINE AL,bst_bbym_sch01.BBY_POS_SALE_LINE PL where LI.BBY_POS_SALE_SEQ = PL.BBY_POS_SALE_SEQ and LI.BBY_ACTIVATION_LINE_SEQ = AL.BBY_ACTIVATION_LINE_SEQ and li.transaction_line_no = pl.transaction_line_no AND LI.created_on >= sysdate – 1 Is there something obvious I'm missing?
I want to show how many ES Notables were opened in the last 30 days and how many investigations were opened on a line chart.  I can get the notable Index over the last 30 days, no problem but how do I add in the `investigations` to the same line chart?   Here is the query I am using for the notables   index=notable |bucket _time span=day |stats count by _time
The IdP returned role Distinguished Name (DN) 'cn=splunk_dns,ou=groups,dc=foo,dc=bar', which matches configured role map Common Name (CN) splunk_dns'. This role DN has now been locked to the role map CN, using the 'dns' role. Future assertions that contain this CN but do not match the locked DN will be rejected.  Seeing multiple messages like this, every time we login. Is something wrong with our config? how to stop this notification...
I am trying to use the Drilldown on Click >  Link to Search > custom : LOGRC_TYPE=F8 | eval FUNC_TRAN =AFI_LOG03FUN+"-"+AFI_LOG03TRN | eval temp=if("$click.value$"=="REPL-(batch) ","REPL-          ",FUNC_TRAN) | search temp="$click.value$"    I want that the search $click.value$ will be replaced with the clicked value. First, if the clicked value is == "REPL-(batch)", change it to "REPL-         "; if not, I want to keep the clicked value as it is. It seems that is not working and the search keeps the first clicked value in both $click.value$. I don't know how to pass the updated value of $click.value$ in the search statement.   Could you help me, please?   Thanks.
Hello, I have a log in the format  "2021-02-18T16:17:12,189Z [main] INFO logname -streamstart-k1:V1,K2:V2,K3:V3,streamstop, <ADDIITONAL DATA>"  I want to parse out the JSON elements k1:v1 etc. that are between  "-streamstart" and streamstop

Hey all, I hope this is the correct board for this question, but I am having an issue when I try to export a search to CSV from a search. I keep getting the following error when trying to run the export. Has anyone seen this and how to resolve it? I am using version 8.1.2 FWIW.
Unrecoverable error in the server.
Traceback (most recent call last):
  File "C:\Program Files\Splunk\Python-3.7\lib\site-packages\cherrypy\_cpwsgi.py", line 184, in trap
    return func(*args, **kwargs)
  File "C:\Program Files\Splunk\Python-3.7\lib\site-packages\cherrypy\_cpwsgi.py", line 277, in __next__
    return next(self.iter_response)
  File "C:\Program Files\Splunk\Python-3.7\lib\site-packages\cherrypy\lib\encoding.py", line 99, in encoder
    for chunk in body:
  File "C:\Program Files\Splunk\Python-3.7\lib\site-packages\splunk\rest\__init__.py", line 698, in readall
    data = response.read(blocksize)
  File "C:\Program Files\Splunk\Python-3.7\lib\http\client.py", line 457, in read
    n = self.readinto(b)
  File "C:\Program Files\Splunk\Python-3.7\lib\http\client.py", line 501, in readinto
    n = self.fp.readinto(b)
  File "C:\Program Files\Splunk\Python-3.7\lib\socket.py", line 589, in readinto
    return self._sock.recv_into(b)
  File "C:\Program Files\Splunk\Python-3.7\lib\ssl.py", line 1071, in recv_into
    return self.read(nbytes, buffer)
  File "C:\Program Files\Splunk\Python-3.7\lib\ssl.py", line 929, in read
    return self._sslobj.read(len, buffer)
socket.timeout: The read operation timed out
Thanks!

I have been looking into using model-driven telemetry in our Cisco ASR9k's. At the moment I am looking mostly into stream interface counters. Information about this on Cisco.com: https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-6/telemetry/configuration/guide/b-telemetry-cg-asr9000-66x/b-telemetry-cg-asr9000-66x_chapter_01.html From what I can tell it can encode the data in protocol buffer or JSON. I am quite new to Splunk and wonder what is needed on Splunk side to be able to handle this data. Do I need to process the data somewhere else and then send to Splunk? Thankful for any ideas and documentation you think I should look at. Also interested if someone else has done this and how.
What Machine Agent version uses Java 11?
When I try to get License Usage for the last 30 days via the Monitoring Console, I only get the last day (the day before the current date). Looking at the events, it appears that RolloverSummary is ONLY stored for a single day. In other words, there are NO events with RolloverSummary for days past the day before the current date. Need help fixing this problem.
What is the impact on performance when DBConnect indexes data from tables in DB2 on the core application associated with the database? Does it lock the tables while indexing or hinder the core application performance associated with DB2?