All Topics

I stood up a test instance of Splunk that is an "all in one" system, that is indexer and search head. I wrote an app that pulls data via REST API but realized I wasn't sure if I needed to ensure it had a custom outputs.conf if I am "sending" to the same system. Since it is acting as an indexer, wouldn't it immediately pull the data and then index it without needing a /local/outputs.conf? I wasn't sure and couldn't find any clear documentation explaining this specific scenario. My script pulls data but I don't have anything populating the main index. If I run the script manually, the data prints to stdout as expected.
Hi, I have a savedsearch which I am calling like below.

| loadjob savedsearch="admin:Splunk_Security:chk_coding_pie_accl" | search Time="*2020-08-24*"

When I have to use Time tokens, it's not working. This loadjob query is my pie chart query for a panel where earliest time and latest time will be as per the chosen time from the time field. Now when I try to pass it like below I get no results, although it has a value for that Time.

| loadjob savedsearch="admin:appname:savedsearch" | search earliest=$field1.earliest$ latest=$field1.latest$ | stats count by Manager

How do I pass the time properly here?
I am trying to get the data into a chart from an index where a user may answer a question daily. This is what I need to produce:

email            sun  mon  tue  wed  thu  fri  sat
bob@email.com    -    NO   NO   NO   Yes  -    -
aaron@email.com  Yes  -    -    NO   -    -    -
chuck@email.com  NO   NO   NO   Yes  NO   -    Yes

This is what I am currently getting:

email            sun  mon  tue  wed  thu  fri  sat
bob@email.com    -    -    -    -    Yes  -    -
bob@email.com    -    -    -    NO   -    -    -
bob@email.com    -    -    NO   -    -    -    -
bob@email.com    -    NO   -    -    -    -    -
aaron@email.com  -    -    -    NO   -    -    -
aaron@email.com  -    -    -    NO   -    -    -
aaron@email.com  Yes  -    -    -    -    -    -
chuck@email.com  -    -    NO   -    -    -    -
chuck@email.com  -    -    -    -    NO   -    -
chuck@email.com  -    -    -    Yes  -    -    -
chuck@email.com  NO   -    -    -    -    -    -
chuck@email.com  -    NO   -    -    -    -    -
chuck@email.com  -    -    -    -    -    -    Yes

Here is what I have so far, but I am stuck and not too sure what process I should use:

index=someindex
| eval qualdayOfWeek=strftime(_time, "%a")
| rex field=_raw "is\s(?<status>(NO|YES))\sto"
| eval sun=if(qualdayOfWeek="Sun", status, "-")
| eval mon=if(qualdayOfWeek="Mon", status, "-")
| eval tue=if(qualdayOfWeek="Tue", status, "-")
| eval wed=if(qualdayOfWeek="Wed", status, "-")
| eval thu=if(qualdayOfWeek="Thu", status, "-")
| eval fri=if(qualdayOfWeek="Fri", status, "-")
| eval sat=if(qualdayOfWeek="Sat", status, "-")
| table email, sun, mon, tue, wed, thu, fri, sat
Hello Everyone, I am new to base search and need some help from you. The query is taking a while, and I would like to create a base search to load faster. Basically, I want to count error data 200 and 400 by hosts, action and referer_domain. Below is the XML. Can you help me?

<dashboard theme="dark">
  <label>INDEX WEB</label>
  <row>
    <panel>
      <title>GET POR HOSTS</title>
      <chart>
        <search>
          <query>index=web source="access.log" "GET" | stats count by host</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <title>STATUS 200 POR ACTION</title>
      <chart>
        <search>
          <query>index=web source="access.log" status=200 | stats count by action</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <title>referer_domain</title>
      <chart>
        <search>
          <query>index=web status=200 | stats count by referer_domain</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>POST POR HOSTS</title>
      <chart>
        <search>
          <query>index=web source="access.log" "POST" | stats count by host</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <title>STATUS 400 POR ACTION</title>
      <chart>
        <search>
          <query>index=web source="access.log" status=400 | stats count by action</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <title>referer_domain</title>
      <chart>
        <search>
          <query>index=web status=400 | stats count by referer_domain</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</dashboard>
I had converted my Splunk Head to use SSL. I added /opt/splunk/etc/system/local/web.conf and updated [settings] to set enableSplunkWebSSL, privKeyPath and serverCert. It seemed to work. However, the /opt/splunk/var/log/splunk/splunkd.log file keeps showing the following warning every 20 seconds:

08-28-2020 23:41:09.135 +0000 INFO  LMStackMgr - license_warnings_update_interval=auto has reached the minimum threshold 10.  Will not reduce license_warnings_update_interval beyond this value.

So, I undid the web.conf changes and restarted Splunk, but I'm still seeing the license_warnings_log*. Help please.
Input page not loading on IDM for Microsoft Azure add-on

Fix:

The Microsoft Azure add-on for Splunk application was installed on the IDM and was previously working; the user was able to set up several Event Hub data inputs without any issues. Now the user needs to add another input and modify some of the existing inputs, but when they go to Settings > Data inputs it is not working as expected. The input configuration page keeps spinning with "loading".

Run the search below on the search head to find the errors:

index=_internal component=AdminManagerExternal log_level=ERROR

Look for the affected app, in this case:

File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/splunktaucclib/rest_handler/handler.py"

It seems that this is caused by a lock generated between the 3rd-party data provider, in this case Microsoft, and the application if incorrect credentials are keyed in. By removing the local files that save those credentials, in this case the following:

inputs.conf
ta_ms_aad_settings.conf
ta_ms_aad_account.conf
passwords.conf

from the /opt/splunk/etc/apps/TA-MS-AAD/local directory and restarting the IDM, we remove the lock and force Splunk to request a re-keying of the credentials to move forward, allowing you to once again load the Inputs page and the Configuration page of the Microsoft Azure Add-on for Splunk.
I have some dashboards in Splunk and I would like to use a base search so that they load a little faster; I don't have much experience with this. I have the example XML below, using the data provided by Splunk itself. Could you help me with the best way to use a base search in these panels?

<form theme="dark">
  <label>2808 Leandro Matos</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="checkbox" token="checkhost" searchWhenChanged="true">
      <label>Selecione o Host</label>
      <valuePrefix>host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=web | table host | dedup host</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
      <choice value="*">ALL</choice>
    </input>
    <input type="multiselect" token="multiselect" searchWhenChanged="true">
      <label>Selecione os endereços de IP</label>
      <prefix>clientip IN (</prefix>
      <suffix>)</suffix>
      <delimiter>, </delimiter>
      <fieldForLabel>clientip</fieldForLabel>
      <fieldForValue>clientip</fieldForValue>
      <search>
        <query>index=web | table clientip | dedup clientip</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*">ALL</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="link" token="listcategoria">
      <label>Selecione a Categoria:</label>
      <choice value="*">ALL</choice>
      <fieldForLabel>categoryId</fieldForLabel>
      <fieldForValue>categoryId</fieldForValue>
      <search>
        <query>index=web | table categoryId | dedup categoryId | sort categoryId</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=web $multiselect$ | stats count by clientip</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>index=web categoryId=$listcategoria$ | stats count by categoryId</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>index=web $checkhost$ | stats count by host</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Mapa</title>
      <input type="time" token="time" searchWhenChanged="true">
        <label>Selecione o range de tempo</label>
        <default>
          <earliest>0</earliest>
          <latest></latest>
        </default>
      </input>
      <html/>
      <html>Selecione a posição no mapa para detalhamento na tabela</html>
      <map>
        <search>
          <query>index=web | iplocation clientip | geostats count by Country</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">all</option>
        <option name="mapping.type">marker</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="map.click.south">$click.bounds.south$</set>
          <set token="map.click.east">$click.bounds.east$</set>
          <set token="map.click.north">$click.bounds.north$</set>
          <set token="map.click.west">$click.bounds.west$</set>
        </drilldown>
      </map>
      <html/>
    </panel>
    <panel>
      <title>Lista de IP's</title>
      <table>
        <search>
          <query>index=web | iplocation clientip prefix=client | table client* | search clientlat &gt;= $map.click.south$ clientlat &lt;= $map.click.north$ clientlon &gt;= $map.click.west$ clientlon &lt;= $map.click.east$</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Hosts</title>
      <input type="time" token="time2" searchWhenChanged="true">
        <label>Selecione o intervalo de tempo</label>
        <default>
          <earliest>0</earliest>
          <latest></latest>
        </default>
      </input>
      <html/>
      <chart>
        <search>
          <query>index=web | stats count by host</query>
          <earliest>$time2.earliest$</earliest>
          <latest>$time2.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.fieldColors">{"count": "#00FFFF"}</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
      <html/>
    </panel>
  </row>
  <row depends="$alwaysHideCSSPanel$">
    <panel>
      <html>
        <style>
          .dashboard-body { background: #f28500 !important; }
          .dashboard-panel { border-radius: 20px; }
          h2 { color: #f28500; }
        </style>
      </html>
    </panel>
  </row>
</form>
Hello, I have Splunk 8.0.5 on Windows. One thing I would like to set up is the "STEALTHbits Active Directory & LDAP Monitoring" app. But the STEALTHbits app dashboard and other reports just don't show any data. I install the app. Then I set up an Active Directory Data Input with settings that correspond to the STEALTHbits app. Data is saved to the index "sb_ad". Using search I see a lot of events in Splunk from Active Directory, located in "sb_ad". But the out-of-the-box dashboard is empty. Does anybody know if this is the right approach? Does anybody know how to set up the STEALTHbits Active Directory app? Thanks.
I have a weekly report sent via email.  It is created from a dashboard that has multiple panels. The dashboard titles are in large font, but the tables and data in the tables are in small font.  I looked everywhere to increase the size of those tables but cannot find any information on how to do that. How can I increase the size of the tables in my scheduled PDF reports?
What is the best practice for importing CEF files into Splunk, retrieved from Forcepoint CASB's SIEM tool? We have a Windows server that is downloading the CEF files from Forcepoint CASB into its local directories. We have a Splunk universal forwarder installed on this server as well. We also have a heavy forwarder, search head and three indexers running 8.0.5.
Trying to figure out what gets added upon running OUTPUTCSV vs manually exporting to CSV and how to remove it. We run a weekly audit I'd like to automate and then run a script to zip the resulting file. I did some experimenting and found that using outputcsv or outputlookup instead of exporting manually is almost tripling the file size of the output, from 300 Mb to 1.11 Gb. Exact same search criteria, the exact same time range, returning the exact same number of results. I also checked https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/Outputcsv and removed the internal fields it listed as being added. Any insight here would be great!
Hello Everyone, I have metrics in different metric indexes but I want to perform a timechart count on these, adding all of them into a single count each day. I can make a timechart count of them separately, but I want to make a timechart count, where the count in each minute, hour, day, etc., is the sum of each of the counts separately. Can you please help me perform this query? Thank you!
I'm trying to centralize all the scripts with version control. I wanted to run a script scheduled with Azure Automation to bring data into Splunk. I was looking at various options to do this and didn't want to write the data to a file, but was looking for something to directly pump the data into Splunk. I noticed that inputs.conf leverages splunk-powershell.exe (I think). Can I call this from my Azure Automation script (via a hybrid worker on Windows) and push the data directly to Splunk the same way the inputs.conf PowerShell input does?
I noticed that Splunk MINT is now listed under "Legacy products": https://docs.splunk.com/Documentation/Legacy Does this mean this product is being deprecated or will soon be no longer supported?
Hi, I'm trying to configure HPE NonStop JDBC type 4 with Splunk DB Connect. I'm using the latest t4sqlmx jar and have the following configuration in place. I checked the logs; for all method calls, it's showing an "Abstract" error.

[t4sqlmx]
jdbcDriverClass = com.tandem.t4jdbc.SQLMXDriver
jdbcUrlFormat = jdbc:t4sqlmx://<host>:<port>/
displayName = HP NonStop SQL/MX
serviceClass = com.splunk.dbx2.DefaultDBX2JDBC
port = 18650
ui_default_catalog = $database$
testQuery = select * from $DAT329.XMADAT.AUDDET browse access

In the DB Input section, it is able to load the Catalog, but it is not able to fetch Schemas (it was working perfectly fine on DB Connect version 2.2.2).

Errors:

java.lang.AbstractMethodError: Method com/tandem/t4jdbc/SQLMXDatabaseMetaData.getSchemas(Ljava/lang/String;Ljava/lang/String;)Ljava/sql/ResultSet; is abstract
java.lang.AbstractMethodError: Method com/tandem/t4jdbc/SQLMXConnection.isValid(I)Z is abstract
Hi All, we have an LB behind two deployment servers. We found that the forwarders are restarting constantly. Below is what I can see. We have the same config on the two deployment servers. What could be the reason for this?

WARN DC:DeploymentClient - Restarting Splunkd...

Regards
Hi, I have a Splunk log which logs messages in the following JSON format:

@timestamp: 2020-08-28T11:24:27.289-04:00
@version: 1
ACTIVE_PROFILE: prod-east
HOSTNAME: XXXXXXXX
appName: autopay-instance-fulfillment
level: INFO
level_value: 20000
logger_name: abc.xyz.AccountServiceImpl
message: Number of records retrieved from accounts table : 67
thread_name: pool-7-thread-1

I want to extract the value that shows up in the message (after "The number of records retrieved") as a number every day and create a table using those values. Could I please have some guidance regarding that? Thank you in advance!
I am trying to create an Add-on in which I used the `Network Session` CIM data model in one savedsearch query. When trying to inspect my package, it fails due to the error below.

An error occurred executing the search: 'Work_From_Home_Data' - HTTP 400 Bad Request -- Error in 'SearchOperator:datamodel': Error in 'DataModelEvaluator': Data model 'Network_Sessions' was not found

Please advise how to proceed with this.

Requirement: Get data from the Network_Sessions CIM data model and create a report from the data. I am done with creating the report and it's working fine, but it failed to pass AppInspect.
Hello, I'm trying to determine if we are getting all the TrendMicro logs by comparing what's in Splunk and what's in Trend. There are 2 date/time stamps in the Splunk logs, which I assume one is the actual event date/time and the other is the Splunk index date/time. I've run the following 2 searches, which return the same date_time stamps, but I would expect them to be different since the 2 date/times are different.

Times:
Aug 28 11:18:43 x.x.x.x Aug 28 15:12:19

index=trendmicro | eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q %Z")
2020-08-28T11:18:43.000 EDT

index=trendmicro | eval mytime=strftime(_indextime,"%Y-%m-%dT%H:%M:%S.%Q %Z")
2020-08-28T11:18:43.000 EDT

How can I pull/report on both of these fields with both of the date_time stamps, so we can determine we are getting all logs as well as whether the indexer(s) are under-resourced?
Until now I was importing data to Splunk from Oracle. I have migrated from Oracle to Postgresql so I will no longer use Oracle and now need to import the data from Postgresql. I have configured the JDBC driver, set the connection settings and credentials, and from Splunk DB connect I have created a new input. When I click "Execute query" the data is displayed correctly, so the connection to PostgreSQL should be correct. The problem is when I finish creating the input, I schedule it and assign it an index to which it should dump the data. There is no error (or at least I can't find it) in the input health/input performance section, the data is simply not imported into the assigned index. What could I do to solve this? I need to be able to import data from PostgreSQL.