I am trying to verify the username by editing the code, but I do not know where to submit the code. I checked the documentation, but it only advises on how to edit the code; it does not mention where to submit the code.
Hi, I have a large number of queries which need to be created as metrics in Analytics (because we can't retain data for more than 8 days in Analytics, so we are making metrics to retain it). Is there any tool/API or cURL command we can use to create these metrics by providing the query and metric name as payload/arguments? Creating them manually is error-prone and time-consuming.
Hi all, while I was registering at www.splunk.com I made a typo in my company's name and chose the wrong location. Can anyone advise on how I can change this information?
I am looking to append a value from a lookup CSV to an existing search:

index=* | fields _time,x | chart count(_raw) by X

I want to replace (or append) the X with a value (name) from a CSV so I can table the results.
Dear all, I need your help. We have achieved the visualization shown in image 1, but I'm expecting the results as shown in image 2 (semicircle donut or pie chart). Thanks in advance.
I recently upgraded Splunk Enterprise from version 9.1.0.2 to 9.3.1, and I've encountered an issue where the menu bar is no longer visible in the Search and Reporting UI.

Issue details:
Previous version: 9.1.0.2
Current version: 9.3.1
Issue: The menu bar has disappeared, and to access menus, users must use the 'Find' box in the top right corner. For example, if a user wants to view dashboards, they need to type "dashboards" into the search box and select it from the results.

Screenshots:
Before upgrade (9.1.0.2), with menu bar
After upgrade (9.3.1), no menu bar

Request: Is there a way to restore the traditional menu bar in the Search and Reporting window? Thank you
Hello, how do I send an email alert if one or more subsearches exceed 50000 results? For example, below I have 4 subsearches. If subsearch 1 and 4 exceed 50000, I would like to get an email alert stating that subsearch 1 and 4 exceed 50000. Please suggest. Thank you so much.

| base search [| subsearch 1] [| subsearch 2] [| subsearch 3] [| subsearch 4]
Hello, how do I change the font size on the column chart in Splunk Dashboard Studio? See below: the 170500 is overlapping with 170400. How do I display 0 on the column chart? 0 is ignored. Please suggest. Thank you for your help.
Hello, I developed a Splunk add-on that is working well. I attempted to set up several event types and data model mapping, but the Add-on Builder page fails to load after creating the event types. It never loads the model mapping page; instead it displays a blank page with no event types, even though they are present in the system. I can see the data models and the event types in the system, just not in the Add-on Builder. I've attached a screenshot for reference. Any ideas? I noticed that developer tools indicate a 500 error for get_eventtype_info and get_model_tree.
Looking to see if Splunk has the ability to highlight a row in an output table based on a value in that row in a dashboard using Dashboard Studio.

I created a dashboard to show printers using a lookup and the number of print logs associated with each printer, pulled from indexed print logs. I know how to highlight a single row value based on a condition, but wanted to know if the whole row can be highlighted using the output in the row. I used the color and style option to set a condition on the Jobs field to highlight it if print count = 0:

Printer   Jobs   Prints
Pntr_01   149    285
Pntr_02   25     78
Pntr_03   0
Pntr_04   75     528
Pntr_05   85     149
Pntr_06   0

I would like to highlight the printer name in red as well if the value = 0:

Printer   Jobs   Prints
Pntr_01   149    285
Pntr_02   25     78
Pntr_03   0
Pntr_04   75     528
Pntr_05   85     149
Pntr_06   0

I searched Splunk Community as well as other areas of the Splunk matrix with no luck. If someone has some insight or a reference on whether this can be done, it would be greatly appreciated. Thanks
Splunk Certification holders and candidates! Please be advised of an upcoming system maintenance period for Pearson VUE, our Splunk Certification testing partner. Below are the details:

Outage window: The Pearson VUE system will be unavailable from Friday, October 11, at 1:00 p.m. CDT to Sunday, October 13, at 9:00 a.m. CDT.
Impact: During this maintenance window you will be unable to create a Pearson VUE account or log into your existing account to schedule, reschedule, or cancel exam appointments.
Global outage: Please note that this is a planned global outage, impacting all of Pearson VUE's clients worldwide.
Splunk Certification support: Due to this outage, the Splunk Certification Team will be unable to provide support until Monday, October 14, following the maintenance period. We will resume support services immediately after.

Planning your certification activities around this schedule will ensure that you are minimally impacted. For any immediate concerns or questions, please contact certification@splunk.com before the maintenance begins. Thank you for your patience and understanding during this maintenance window.
I would like to apply a custom style to a set of inputs. How do I correctly write this code? I'm aware of the option to create one style clause for each input ID, but this seems ridiculous and the wrong way to do it for, say, 20 inputs. Cheers.

<form version="1.1" theme="light">
  <fieldset submitButton="false">
  </fieldset>
  <row>
    <panel>
      <html>
        <style>
          /* one rule for every input whose id starts with "input", instead of one rule per id */
          div[id^="input"] {
            display: flex !important;
            padding-right: 10px;
            padding-top: 5px;
          }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <input id="input1" type="text" token="1">
        <label>1</label>
      </input>
    </panel>
    <panel>
      <input id="input2" type="text" token="2">
        <label>2</label>
      </input>
    </panel>
  </row>
</form>
Hello, we are on Splunk 9.3 on-prem. I am unable to remove a server from the Splunk forwarder management list after it has been decommissioned and the Universal Forwarder uninstalled. I get an error stating that the DELETE option is deprecated, but what has it been replaced with? I have a server that has not logged to Splunk in 9 days (and never will again); how do I remove it correctly? (Screenshot attached.)
Looking for help running a stats count and stats sum referencing a lookup, using print logs. I want to output all printers from a lookup, giving a "total job" count (counting each record in the query for a single printer) and a "total page" count for all pages printed for each printer listed in the lookup.

Logs from my index:

date          printer_name   user    pages_printed
2024_10_09    prnt_01        user1   10
2024_10_09    prnt_02        user4   15
2024_10_09    prnt_01        user6   50
2024_10_09    prnt_04        user9   25
2024_10_09    prnt_01        user2   20

Data from my lookup file, printers.csv:

printer_name   printer_location
prnt_01        main office
prnt_02        front desk
prnt_03        breakroom
prnt_04        hallway

I'm looking for output similar to what I've provided below:

Printer Name   Location      Print Jobs   Pages Printed
prnt_01        main office   3            80
prnt_02        front desk    1            15
prnt_03        breakroom     0            25
prnt_04        hallway       1            25

I have two separate queries for both respectively and am having issues merging them together.
My individual queries are:

Working query that gives me job count with sum of total jobs and total pages:

index=printer sourcetype=printer:logs
| stats count sum(pages_printed) AS pages_printed BY printer_name
| lookup printers.csv printer_name AS printer_name OUTPUT printer_location
| table printer_name, printer_location, count, pages_printed
| rename printer_name AS "Printer Name", printer_location AS "Location", count AS "Print Job", pages_printed AS "Pages Printed"

Results:

Printer Name   Location      Print Jobs   Pages Printed
prnt_01        main office   3            80
prnt_02        front desk    1            15
prnt_04        hallway       1            25

Working query that gives me a list of all printers and job count:

index=printer sourcetype=printer:logs
| eval printer_name=lower(printer_name)
| stats count BY printer_name
| append [| inputlookup printers.csv | eval printer_name=lower(printer_name), count=0 | fields printer_name count]
| stats sum(count) AS print_jobs BY printer_name
| table printer_name, print_jobs
| rename printer_name AS "Printer Name", print_jobs AS "Print Job"

Results:

Printer Name   Print Jobs
prnt_01        3
prnt_02        1
prnt_04        1

Again, I'm trying to merge the two to give me Printer Name, Location, number of print jobs and total pages printed. Any assistance will be greatly appreciated.
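One way to merge the two searches above, written here as an added example rather than the poster's own query: compute both per-printer aggregates from the logs in a single stats, append one zero row per printer from printers.csv so printers with no jobs still appear, then collapse the two sets with a second stats. It assumes the field names used in the post (printer_name, pages_printed, printer_location in the lookup) and that the lookup rows carry printer_location, which the second stats picks up with values() so no separate lookup call is needed.

```spl
index=printer sourcetype=printer:logs
| eval printer_name=lower(printer_name)
| stats count AS print_jobs, sum(pages_printed) AS pages_printed BY printer_name
| append
    [| inputlookup printers.csv
     | eval printer_name=lower(printer_name), print_jobs=0, pages_printed=0
     | fields printer_name printer_location print_jobs pages_printed]
| stats values(printer_location) AS printer_location, sum(print_jobs) AS print_jobs, sum(pages_printed) AS pages_printed BY printer_name
| table printer_name printer_location print_jobs pages_printed
| rename printer_name AS "Printer Name", printer_location AS "Location", print_jobs AS "Print Jobs", pages_printed AS "Pages Printed"
```

Lowercasing printer_name on both sides is what makes the log rows and the lookup rows land in the same group; without it a printer logged as PRNT_01 would appear twice. The append runs as a subsearch, so it is subject to the subsearch row and time limits, which is fine for a lookup of a few hundred printers but worth knowing for very large ones. For the earlier question about pulling a name from a lookup CSV into a chart, where every X already exists in the results and only needs a label, the enrichment half of this pattern is enough on its own: `| lookup names.csv X OUTPUT name` after the chart, followed by `| table name count`.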
I recently upgraded my deployment from 9.0.3 to 9.2.2. After the upgrade, the KV Store stopped working. Based on my research, I found that the KV Store version reverted to version 3.6 after the upgrade, causing the KV Store to fail:

"__wt_conn_compat_config, 226: Version incompatibility detected: required max of 3.0 cannot be larger than saved release 3.2:"

I looked through the bin directory and found 2 versions of mongod:
1. mongod-3.6
2. mongod-4.6
3. mongodump-3.6

Will removing mongod-3.6 and mongodump-3.6 from the bin directory resolve this issue?
Hello, this is the result from one of my rows in Search & Reporting (Web).

Job Code
039081934400000 (4)
082441325900000 (199)

However, when my code is used in a classic dashboard the results are this.

Job Code
039081934400000 (4) 082441325900000 (199)

How do I control my dashboard output to display like my search output?

| inputlookup job_codes_2024.csv
```all fields in the lookup above begin with the letter j, except for the field cntrl```
| foreach j*
    ```add line feed at the end of all fields beginning with the letter j```
    [| rex field=<<FIELD>> mode=sed "s/$/\n/g"]
```group all fields by the cntrl value```
| stats values(*) as * by cntrl

Thanks and God bless, Genesius
Hi all, thanks for your time. I am sorry in advance as this is a very basic question; I just started exploring the search query. If I have something like below:

index=ADFS_AWS AND clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")

this is searching only for these clientIds. Option 2 is with where:

| where clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")

Which one should we be using, and which is more efficient?
I'm using the splunk-otel-collector and attempting to get multi-line Java exceptions into a standardly formatted event. Using the example, my values file contains:

multilineConfigs:
  - namespaceName:
      value: example
    useRegexp: true
    firstEntryRegex: ^[^\s].*
    combineWith: ""

The rendered configMap contains:

- combine_field: attributes.log
  combine_with: ""
  id: example
  is_first_entry: (attributes.log) matches "^[^\\s].*"
  max_log_size: 1048576
  output: clean-up-log-record
  source_identifier: resource["com.splunk.source"]
  type: recombine

With that config, the logs continue to split. Then I change the value to

combineWith: "\t"

and the following happens with the logs:

Has anyone experienced this and worked around it?
Hello, I am looking to calculate how long it takes to refresh the view using the time of the events "End View Refresh" and "Start View Refresh", i.e. find the difference in time between these two events whenever they occur. I tried a number of things using streamstats and range, but it does not give me the desired result. Any assistance would be appreciated. Regards
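One way to get that duration, added here as an example and not the poster's own search: tag each event as the start or the end of a refresh, walk the events in time order, and let streamstats carry the previous event's timestamp and tag forward so each end event can subtract the start that preceded it. The index name app_logs is an assumption, as is the assumption that starts and ends strictly alternate in one stream; if the events carry a view or session identifier, add `BY <that field>` to the streamstats (and include the field in the sort) so interleaved refreshes are paired correctly.

```spl
index=app_logs ("Start View Refresh" OR "End View Refresh")
| eval phase=if(searchmatch("Start View Refresh"), "start", "end")
| sort 0 _time
| streamstats current=f last(_time) AS prev_time, last(phase) AS prev_phase
| where phase="end" AND prev_phase="start"
| eval refresh_seconds=_time - prev_time
| rename _time AS end_time, prev_time AS start_time
| table start_time end_time refresh_seconds
```

`current=f` makes streamstats report the values of the previous event rather than the current one, which is what turns a flat event list into start/end pairs. The `where` drops an end with no preceding start, or two ends in a row, instead of emitting a misleading duration. `transaction startswith="Start View Refresh" endswith="End View Refresh"` produces a `duration` field with less SPL, but streamstats is cheaper on large result sets and is the command the post was already working with.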
I have two rex queries and want to know how to combine them.

Query 1:

index=test1 sourcetype=teams
| search "osversion="
| rex field=_raw "\s+(?<osVersion>.*?)$"
| table Time(utc) "OSVersion"

Output:

time   osversion
1.1    123
1.2    1234
1.3    12345
1.4    123456

Query 2:

index=test1 sourcetype=teams
| search "host=12*"
| rex field=_raw "\w+(?<host>.*)$"
| table Time(utc) "OSVersion"

Output:

time   host
1.1    abc
1.2    abcd
1.3    abcde

Please help me combine the above queries so the table looks like below:

time   osversion   host
1.1    123         abc
1.2    1234        abcd
1.3    12345       abcde
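Both extractions can run in one pipeline, so there is nothing to join afterwards. The block below is an added example and not the poster's own search; it assumes the raw text contains `osversion=<value>` and `host=<value>` tokens, which is an assumption because the post does not show the raw events. Each rex adds its field only when its pattern matches and leaves it absent otherwise, and the stats groups by timestamp so the two values line up on one row even when they arrive in separate events at the same time.

```spl
index=test1 sourcetype=teams ("osversion=" OR "host=")
| rex field=_raw "osversion=(?<osVersion>\S+)"
| rex field=_raw "host=(?<host>\S+)"
| stats values(osVersion) AS osVersion, values(host) AS host BY _time
| sort 0 _time
| table _time osVersion host
```

If both tokens sit in the same event, the stats line can be dropped and `| table _time osVersion host` placed straight after the second rex; keep the stats when they arrive as separate events, since grouping by _time is what pairs them. Anchoring the patterns on the literal `osversion=` and `host=` keys is also safer than the `\s+(...)$` and `\w+(...)$` forms, which capture whatever happens to end the line.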