I have a raw event like: time action severity host, etc. But when I checked interesting fields, the action field is not showing. All the logs are related to McAfee, coming in from tcp:9997. Can someone please let me know what the issue can be and what actions I can take to correct this?
I have multiple servers that have been blacklisted: blacklist.0 = nonprod*. I am trying to blacklist all except for nonprod08. How can I do this? TIA
I'm getting in my Splunk database a set of data coming from 8 sensors. Those 8 sensors work in a consecutive sequence. That means that when I get the info, only 1 of the 8 sets of data is updated. Currently my timechart shows only the last set of data; all the others are 0 (zero).
index="morfi" | timechart bins=100 cont=false last(S3_F_Lp)
In the image below each column represents one sensor's set of data. Thanks for your help.
Hi, I have a query which sends email based on the result and is scheduled for every 5 mins. Below is the search:
|mysearch | table Owner, AccountName, Machine | outputcsv Account.csv | map search="|inputcsv Account.csv | table Owner, AccountName, Machine | where Owner=\"$Owner$\" | sendemail sendresults=true inline=true from=\"abc@gmail.com\" to=\"$Owner$\" subject=\"$AccountName$ \""
This is sending email to the owner every 5 mins. What I want is for the email to be triggered to the owner only when it has not been triggered in the last 24 hrs, based on the AccountName, even though it is scheduled for every 5 mins. Can we use throttling in this case, or could you please provide me a solution?
Below is my log file. I need to send the log to my index without the header name and with only the values with their respective field names, by using a props.conf file:
Change_Request_Number~^~Planned_Start_Date~^~Planned_End_Date~^~CR_Type~^~Short_description
CHG0057654~^~9/10/2020 4:45:00 PM~^~9/10/2020 5:45:00 PM~^~Linux~^~BASF Linux Patching testing
Can anyone tell us how to write the props.conf file?
Refer to the log file content below:
2021-02-10 open 5.677 close 5.797 high 5.85 low 5.677 vol 945320.188
2021-02-09 open 5.547 close 5.67 high 5.67 low 5.533 vol 1546947.875
... ...
How can I display a candlestick chart on the Splunk dashboard with this data source? Splunk is an extremely powerful tool; we heavily rely on Splunk to visualize the stock market with a massive data source. However, the classic line chart is not enough to visualize all the information, so we are looking forward to showing it in a candlestick chart. If there isn't an existing one, how can we develop one from scratch and add it to a Splunk dashboard?
Hi Splunkers, our Splunk indexers' disk has reached 90% and we decided to extend the capacity. We have 3 indexers in a cluster. What are the steps to be followed to increase the capacity? Indexers are Linux based and the replication factor is 3.
1. Can we increase the storage on the fly without any downtime?
2. Will it affect the existing buckets? Is any backup required?
Thanks in advance.
I'd like to add error bars on scatter graphs like the image below from Microsoft Excel. Does anyone know how to do that with SPL or useful apps?
Hello, I want to update the MAP+ component. We have version 2.0.7 and we want to upgrade to a higher version (the latest version, 3.1.5). I would like to know if there is a procedure to follow or if it is just a simple update by clicking on update. Also, do we need to restart Splunk after the update? Thanks for your help.
In some instances, Windows event log fields are not extracted properly, but in others they are extracted properly.
Hi, I would like to create a search inside of analytics to get the ratio of: Total HTTP 200 requests / Total requests. Who can tell me how the search string should look? I currently see the "requestExperience" or "userExperience" with the state (NORMAL, SLOW, VERY SLOW), which already gives me an indication and also data. But I am not able to define the ratio out of this. Also, I do not see the HTTP code of all data. Any idea? ^ Edited by @Ryan.Paredez for readability
Hi All, I have created the below table using the query (index=abcde sourcetype=wxyz | rex field=_raw "(?ms)\s(?<Disk_Usage>\d+)%" | rex field=_raw "(?ms)\%\s(?<File_System>\/\w+)" | table host,File_System,Disk_Usage):
Server  File_System  Disk_usage
abc     /apps        23
cde     /logs        18
fgh     /var         60
xyz     /opt         62
abc     /opt         60
cde     /var         55
fgh     /opt         58
xyz     /logs        10
Here I want to create a query to mark Disk_Usage below 60 as "Ok" and above 60 as "NotOk". I tried using the query | eval if(Disk_Usage <= "60", "Ok", "NotOk") but was unable to get the desired result. Please help create the query to get the desired output. Thank you.
Hi everyone, can I read the value of a field from each previous result using a search? Something similar to:
| streamstats current=f last(status) as lastStatus by _time | eval status = if(isnull(lastStatus), 0, lastStatus+1) | table status, lastStatus
I want to get the result:
status  lastStatus
1       0
2       1
3       2
Is it possible? Thanks
Hi, is it possible to export/archive data during a license violation that causes a search function lockdown? In our case we have seen license violation warnings during system integration, and it might cause a search function lockdown. We are certain that in the production environment we will not be seeing a large amount of logs and risking a license violation. However, it is important that we can export/archive regularly even if there were a license violation in the future that would lock down the search function. Grateful for clarity on this issue!
Hello folks, I am having a hard time getting the difference between two fields of the same record, where the search query returns multiple records. The query uses streamstats to bring the "previous" field into the current record; here's a dummy that shows the same results:
| makeresults | eval RoleContents = "a;b;c" | eval _time = now() | append [| makeresults | eval RoleContents="b;c;d" | eval _time=now()-10] | append [| makeresults | eval RoleContents="a;d" | eval _time =now()-20] | streamstats current=f window=1 first(RoleContents) as LastRoleContents | sort _time | streamstats current=f window=1 first(RoleContents) as PrevRoleContents | sort - _time | makemv delim=";" RoleContents | makemv delim=";" PrevRoleContents | table RoleContents, PrevRoleContents
What I am looking to achieve is, within the row, to show the difference between those two fields, which will show, for each record returned, what changed in comparison to the previous record. Any help would be appreciated. Thanks
I got a log file with the below content.
2021-02-10 open 5.677 close 5.797 high 5.85 low 5.677 vol 945320.188
2021-02-09 open 5.547 close 5.67 high 5.67 low 5.533 vol 1546947.875
... ...
How can I display a candlestick chart on the Splunk dashboard with this data source? We heavily rely on Splunk to visualize the stock market, but the classic line chart cannot contain much information.
Hi Everyone, is it possible to add a refresh button to refresh my dashboard (it consists of one panel in tabular form)? I don't want to use JavaScript for the refresh button. Is that possible to do? Thanks in advance
1. I have an alert scheduled to run every hour to get an updated list of IPs of public nodes.
2. I need to run the script against each result IP and, if output=success, I need to send an email to a specific DL to identify potential hacking activity from the IP.
Possible? Can we measure the output of the script execution and send the email in the same alert action, or should I create the script to test the result and also send the email from the script? Any pointers, or am I missing something?
Hello, I'm really a newbie with Splunk and just started to use it. First, can someone recommend me good tutorials about Splunk? And second, we have Splunk logging our whole infrastructure (jobs failing, crons, daemons, API calls etc.). I already set up a dashboard to monitor everything. But now I would like to be able to get the whole output of a "pod". For example: I would like to get the same output as when I click on `Event Actions > Show Source`, but only for the pod `cron-prod-campaignactivator-1612980360-49zss`. How would my query look? Thank you in advance, Jeremy
Hi, not sure this is possible, but... If I have a series of panels on a dashboard and each presents a series of metrics, is it possible to change the order of the panels based on a search result? Another way to explain it: if each panel represents one of many systems, I would like the system with the lowest metric to be presented first/top. Thanks, David