All Topics
Hi, I'm trying to make use of the Forecast Chart Visualisation. I have added this visualisation to my dashboard, but I'm getting this message when I run a search: "Error rendering Forecast Chart visualization: This visualization requires the `forecastviz` or `smartforecastviz` macro to generate data. See the custom visualization docs for details." I have set the correct permissions for the MLTK. I have also located the forecastviz(4) macro in the macros.conf file (in /etc/apps/Splunk_ML_Toolkit/default).
Hey there, I'm trying to make a table with the following fields: name, last name and message:
index a | table name last name message
I want to add the identifier of the event to my table (the identifier which Splunk generates (c_id?)). How can I do that?
I have a search query that looked like this:
index = aries sourcetype = onezone | fields aaa baa | stats values(aaa) as aaa | table aaa append [ search index = leo sourcetype =twofone | fields ccc | stats ccc ] | stats value(aaa) as sd , values(ccc) as cc
Now the optimizedQuery option of Splunk changed the "append" command in the search and replaced it with "[ | search (index = leo sourcetype=twofone etc..etc...." And my output doesn't change; both versions have the same output. My question is, in the world of subsearches, is using "append" the same as using "[ | search (index = ....."? Is using "[ | " better in terms of performance than using "append"?
Hi, I was trying to add 2 searches:
| multisearch [search host=p-css* SRCreateRequest 400 | stats count as CreateSR | appendcols [search host=p-css* SRUpdateRequest 400 | stats count as UpdateSR] | appendcols [search host=p-css* SREscalateRequest 400 | stats count as EscalateSR] | appendcols [search host=p-css* SRCloseRequest 400 | stats count as CloseSR] | eval type="400"] [appendcols search host=p-css* SRCreateRequest Publisher: Completed | stats count as CreateSR | appendcols [search host=p-css* SRUpdateRequest Publisher: Completed | stats count as UpdateSR] | appendcols [search host=p-css* SREscalateRequest Publisher: Completed | stats count as EscalateSR] | appendcols [search host=p-css* SRCloseRequest Publisher: Completed | stats count as CloseSR] | eval type="Completed"] | chart count(Name) over 400 by Completed
I am getting the error "Error in 'multisearch' command: Multisearch subsearches might only contain purely streaming operations (subsearch 1 contains a non-streaming command)."
My expected output will be in a table format; giving some example here:
API        400   Completed
CreateSR   30    50
UpdateSR   5     25
CloseSR    24    30
When I create a simple basic search (through the index) for events, I get such an amount of results. All events are tagged, and therefore should be in a datamodel (as I understand correctly, this is the only way for events to go to a datamodel). But when I search a datamodel for these events, the amount is different. What can be the reason?
Hi, I have a first dashboard with this query:
index=ind hostname=* (cat_name=success OR cat_name=failed) service=* | eval site=substr(DeviceName,1,7) + substr(DeviceName, -4) | stats values(cat_name) as status by mac service site | where mvcount(status)=1 and status="failed" and service="x" | dedup mac | stats count by site
In the result I have a count of only "failed" by site. If I click on a count, I go to another dashboard that shows some information for the specific site. This is the second dashboard query:
index=ind hostname=* (cat_name=success OR cat_name=failed) service=* | eval site=substr(DeviceName,1,7) + substr(DeviceName, -4) | stats values(cat_name) as status by mac service site | where mvcount(status)=1 and status="failed" and service="x" | dedup mac | search site="$token$" | dedup mac | table site mac status ip dest
The problem is that I have no results for ip and dest; I think it is because I lost them after the stats command. Can you help me? Thanks in advance.
Hello, as I see all of you are experts in CSS/JS styling and have worked on this topic in the past, can you please help me here. How can I freeze or dock the column header (all the columns) in a table where we have 100+ rows? I have tried https://community.splunk.com/t5/Splunk-Search/Fix-table-header-and-add-vertical-scrollbar-using-CSS-and/td-p/300908. It works well when I choose ALL rows, but the problem with this is when I have just 1 row (this happens when I choose 1 device instead of all from one of my dropdowns): then the length of the table remains bigger; it doesn't squeeze. Do we have a solution to that? Thanks.
I have a query similar to the following which we are using to capture information about email traffic between certain (internal) email domains:
index="exchdomains" | stats count by SenderDomain,recipientDomain | xyseries SenderDomain,recipientDomain,count
This builds a nice table, however:
Part 1: How do I limit the query to only certain values of 'SenderDomain' and 'recipientDomain' without having to type all the domains (there are about 8 ATM) into the query? Can I use a CSV lookup for this?
Part 2: Assuming part one is achievable, how do I add a 'catchall' row where I count messages sent from domains NOT in my list of 'SenderDomain' values of interest? And similarly, how do I add a 'catchall' column for 'recipientDomain' values not in a list of 'known good'?
I have the following JSON object:
object{ Id 123 , status : { Id : 123 value: NotKnown } Id 456 , status : { Id : 456 value: success } Id 789 , status : { Id :789 value: notFound } }
I wanted to list the results for id 123 and 789. I tried the following and still could not achieve the desired output:
index =foo |search "object.id *.status, value" ! = success
I have a setup of an Indexer Cluster (with 2 Indexers and a Master node), 2 Search Heads, and 2 Heavy Forwarders. I have created and replicated the indexes on the Indexer cluster. But how can I get the same indexes on the Heavy Forwarders? Do I need to create the same indexes manually on the HFs as well?
My requirement is just to skip a few lines of an SPL query if a certain condition is met, or some kind of if-else for running part of the SPL. Exact requirement: I have two panels in my dashboard. In the first panel, we have data for different tickets/sessions which will be passed to panel 2 on selection. In panel 2, we have to validate certain parameters and, if all is OK, save the data to a Splunk index (using the collect command) and show a success message; otherwise throw an error message on panel 2. Hi @gcusello @niketn @woodcock @somesoni2 @thambisetty, if you guys have any ideas, kindly share them with me.
We have created an app with Navigation and some Simple XML reports. When we go to the first report and select a datetime range, and after that use the navigation menu to go to the next report, the selected datetime range is lost and we need to select the datetime range again. Is it possible to keep the previous datetime range value? We tried to use tokens, but those are only used for the current report. Are there some kind of global session tokens that can be used within an app? We could use a drilldown link within our report that takes the earliest and latest token modifiers and uses those tokens to drill down to the report, but is this also possible within the navigation?
Hi all, I'm using the F5 Monitoring Extension. My goal is to simply display a dashboard that shows which pool members are active and which are not. However, when I create a new dashboard in the Dashboards & Reports tab, I can't see any option or widget to add Metric Browser / Server Visibility to a dashboard. I searched here as well but couldn't find it; what am I missing? AppDynamics Controller build 20.4.2-3673. Thanks for any help...
Hi, our logs stop forwarding for a while after they have been archived, and this causes us to miss out on valuable data. How can I make Splunk start monitoring that log after the old one has been renamed and archived?
Hello, is it possible to merge between Kafka Connect sink & source to a Splunk index and collection? And is there a way to use Kafka Connect source? Thanks.
Hi, we are using Splunk 8.0.6 with LDAP authentication in a SHC, and with a few local Splunk users. We will be adding MFA (RSA) soon. My question is, how will the local users be tied to the RSA MFA, and will it be possible to exclude only local Splunk users from MFA? Does RSA support SAML authentication? Should I change from using LDAP to SAML if it does? Ultimately my intention is to exclude local users from the MFA using logontype=splunk in the URL.
Hi all, how do we get all the values for a single field? Currently, the chart is displayed with the LoginName (x axis) against the count of LoginName (y axis). Please see the screenshot below. What is needed: display all the values (Endpoint channel, Destination, FileName, IncidentTime, Count) of each and every LoginName. Screenshot below. Currently, I am not getting these values and only getting the count of LoginName. This is the query that is used:
index="prod" sourcetype="*" |rex "sourceServiceName=(?<sourceServiceName>[\w\s]+)\s+\w+=" |rex "duser=(?<duser>[\w\s]+)\s+\w+=" |rex "fname=(?<fname>[\w\s]+)\s+\w+=" |rex "cat=(?<cat>[\w\s]+)\s+\w+=" |rename sourceServiceName as EndpointChannel duser as Destination loginName as LoginName fname as FileName _time as IncidentTime cat as PolicyName |fieldformat IncidentTime = strftime(IncidentTime, "%Y/%m/%d %H:%M:%S") |top showperc=f EndpointChannel Destination FileName PolicyName IncidentTime by LoginName | sort -IncidentTime
This query works only in the Statistics view; when I click the Visualization tab, I'm not getting the other values. Can someone please help? TIA
Below is a sample log message. Each message will have the string "500 Server Error for HTTP" and I need to extract 3 fields after the occurrence of the "500 Server Error for HTTP" string:
2020-11-18T00:32:37.632Z LCS userId=null LCE [helper-http-epoll-1] ERROR o.s.b.a.w.r.e.AbstractErrorWebExceptionHandler.error(122) - 500 Server Error for HTTP POST "/sports/v1/boxing"java.net.UnknownHostException: my-rest-service.backend--> at java.base/java.net.InetAddress$CachedAddresses.get(InetAddress.java:797)--> Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
I need to extract the following fields:
1) method (e.g. POST)
2) path (between the 1st pair of quotes), e.g. /sports/v1/boxing
3) exception_type (anything between the 1st closing quote and the first occurrence of -->), e.g. java.net.UnknownHostException: alert-rest-service.backend-
The Splunk query I am trying is below:
index="k8s*" messageType=ERROR "*Exception:*-->" | rex "500 Server Error for HTTP (?<http_method>\\S+).*\\\\\"(?<resource_url>.*)\\\\\"(?<java_exception>.*?(Exception)).*"
The query works fine to extract "http_method" and "resource_url", but "java_exception" is not being extracted properly. Can someone help?
All, I am seeing the following error in the logs on my Splunk server and I have not been able to figure out what it means: "11-17-2020 17:40:55.204 -0800 WARN SearchAssistant - recurseSyntax: Stanza entry not found for data-type 'time-specifier'". Any idea what it's referring to? What config?
Hi all, I have an HTML page which is basically created to list the different process run times on a daily basis in a Gantt chart. So when I click on a specific process it will show the 7-day history of the process run time. I tried to use the Gantt chart in Splunk apps, but that doesn't satisfy my purpose of showing the history when I click on the process. So I would like to know whether we can append this change to the Splunk Gantt chart, and also whether there is a way we can use the HTML code and recreate the same in a Splunk dashboard. Any reference would help. Thanks,