All Topics
Hello guys, I'm a very, very noob Splunk user. I have a very simple log file which contains 5 columns of data:

bloque1 | 2020-04-01| 05:39:35.407 | 09:14:34.398 | 03:34:58.991
bloque1 | 2020-04-02| 03:50:29.469 | 07:26:32.869 | 03:36:03.4
bloque1 | 2020-04-03| 04:09:47.659 | 08:05:38.248 | 03:55:50.589
bloque1 | 2020-04-04| 04:49:51.142 | 08:37:40.141 | 03:47:48.999
bloque1 | 2020-04-05| 05:27:43.616 | 09:06:23.898 | 03:38:40.282
bloque1 | 2020-04-06| 06:51:08.264 | 10:27:12.113 | 03:36:03.849
bloque1 | 2020-04-07| 04:05:32.292 | 07:54:32.055 | 03:48:59.763

etc. I am trying to graph the second field against the last field. The second field is the day of execution of a process and the last field is the average execution time of that process. I just want a graph that places the value of the execution date on the "x" axis and the average time per day on the "y" axis. But I only get a straight-line graph with the event count per day. Could you help me with the query or the necessary steps to be able to obtain the graph I want? I greatly appreciate the support and your comments.
Hi, I have a remote file (on server 2) which can be accessed directly from my indexer (on server 1). What is the best and recommended way to ingest data from that file into the indexer?

1) Read directly from the indexer's inputs.conf (monitor://remote-path to the file) - everything on server 1
2) Install a universal forwarder on the target machine and forward the data (complete log file, no props and transforms) - indexer on server 1 and forwarder on server 2

What's the main difference between these 2 options? Pros and cons?

Thanks
Hi, I have written a query to generate a lookup file for the last 30 days, which is taking a lot of time (almost 4 hours) and is heavy on CPU. So is there an option to run the query every day, but only for the last 24 hours, and append to the same lookup file generated yesterday, so that the dashboard populates quickly with all the 30 days of data after comparison?
Greetings, I'm looking for documentation on how to structure a deployment server app, the part that goes into the deployment-apps/myapp directory. I want to know if there's a specific way to do it.

For example, I want to set up a remote universal forwarder. Can all the files I want to send go in the myapp/ directory? Or should they be split up in a certain way?

Example: I need to send down a splunk.secret file. This file lives in $SPLUNK_HOME/SplunkForwarder/etc. Would I put this file in deployment-apps/myapp/etc/? Or can it just go into deployment-apps/myapp/ along with all the other files I need to send down, and the Deployment Client will know what to do with it when it restarts?

Thanks in advance
I have a search that I have been asked to organize in a different way.

Mysearch | rex (FieldA)(FieldB)(FieldC)(FieldD) | chart latest(FieldD),FieldC by FieldB by FieldA

FieldD and FieldC have unique values. There will be multiple FieldD values for each FieldB and multiple FieldB values for FieldA. That will be for the full list; at some point I have been asked to do a relation for the top values of FieldD compared to FieldB as well. I am a bit lost as to how to proceed with this.
Hello, I have a single Splunk indexer. How do I add a search head? I do not have an indexer cluster. At this time I have a single indexer but may go to two indexers. The documentation talks about an indexer cluster, which I do not have. My simple goal was to have a search head and an indexer, or two indexers. This is a new-user type question, running version 8. Thanks in advance, Jim
Hello, I have two csv files:

1- all_services.csv
service
a
b
c
d
e

2- up_services.csv
service
a
b
c
d

==> this means the service e is down
==> what I want is to generate an alert just once to give me the service which is down (as long as the service is down I don't want any other alert). If for example the service d is down, I want to get an alert that contains only the service d (not d + e).
I am trying to use the same drilldown link to toggle the function of setting and unsetting the same token.

Current code:

<drilldown>
   <condition>
      <set token="arrangements_details">true</set>
   </condition>
</drilldown>

The idea - I just need the correct syntax:

<drilldown>
   <condition match="$arrangements_details$=null">
      <set token="arrangements_details">true</set>
   </condition>
   <condition match="$arrangements_details$=true">
      <unset token="arrangements_details"></unset>
   </condition>
</drilldown>

Any suggestions?
Hi Team, could someone please help me with the below query to trigger an alert when the CPU% of all processes is greater than 90%? But I'm getting the below result with an incorrect CPU%. Could someone please help me with the correct query to get the result if the total CPU% of the processes is greater than 90%?
I'm using the Splunk Add-on Builder app to create a Splunk app. On the run/test page of AoB, as soon as I add in the line from cryptography.x509 import certificate_transparency it throws the error below. As soon as I remove the line, the base code from AoB immediately works, but I need this cryptography to be available.

Traceback (most recent call last):
  File "C:\Splunk\etc\apps\TA-test\bin\pn_testtest_1598189382_409.py", line 14, in <module>
    import input_module_pn_testtest_1598189382_409 as input_module
  File "C:\Splunk\etc\apps\TA-test\bin\input_module_pn_testtest_1598189382_409.py", line 18, in <module>
    import cryptography.x509
  File "C:\Splunk\etc\apps\TA-test\bin\ta_test\cryptography\x509\__init__.py", line 7, in <module>
    from cryptography.x509 import certificate_transparency
ImportError: cannot import name certificate_transparency

I've added the packages into the bin\ta_test folder: cffi asn1crypto six pycparser
I use a props.conf setting for Azure JSON data that I push directly into Splunk via a Python REST API call (not via UF). It correctly separates events by my custom line breaker. However, it still breaks JSONs after \r or \n, which I do not want. The documentation mentions that line breaking settings are only honored by forwarders. However, the setting honored LINE_BREAKER, but not the MUST_NOT_BREAK_AFTER settings. The props.conf is in an app (not in system...). My data is nested JSON events, but the values can contain several \n or \r.

[azurejson3]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
KV_MODE = json
LINE_BREAKER_LOOKBEHIND = 5000
LINE_BREAKER = (\<linebreaker\>)+
TRUNCATE = 0
MUST_NOT_BREAK_AFTER = [\r\n]+
MUST_NOT_BREAK_BEFORE = [\r\n]+
MAX_EVENTS = 60000

How can the breaking be prevented?
Hello all, is there any way to hide the panel message "search is waiting for input..."? I've got a dashboard in which two panels are dependent on the textbox input. When the dashboard loads for the first time, my two panels show "search is waiting for input...". Here is my requirement: when the dashboard loads initially, my textbox should be empty, and I want to hide that warning message in the panels and instead display "- -" in the panels. I could make the panels display "- -" only if I simply click/press enter on the textbox input after the initial dashboard with the warning message. Any suggestions to directly display the panels with "- -" (i.e. hide "search is waiting for input") without clicking/pressing enter on the textbox? The image below depicts how I need my dashboard to always look, without "search is waiting for input...": Dashboard initial view without "search is waiting for input".
Hi, I am trying to access:

curl -k https://localhost:8089/services/auth/login -d username=admin -d password=foobar

I am getting an error. Could you please tell me which credentials need to be entered?
Looking for the approach for monitoring these UPS devices, which are running on Modbus. The source is the UPS power batteries and the destination is Splunk.
Can someone help me understand the services offered by SPLUNK? I'm new to this and our project is exploring to use this tool. This is urgent
I'm currently using the Splunk Add-on Builder. In Python, how do I loop through the list of modular inputs?
My app is working fine with advanced XML, but as per the requirements of Splunk 8.0 I have to shift to simple XML. This search works fine:

<searchTemplate>| script base64 __EXECUTE__ "$input$" "$operation$"</searchTemplate>

where base64 refers to a Python script path, and it takes two arguments as input, e.g. "abc" "encode". The output is displayed using:

<searchPostProcess>table answer | rename answer as Answer</searchPostProcess>

If I replace <searchTemplate> and <searchPostProcess> with just <search>, the script is not executed and no results are displayed. Please help me figure out how to get the desired output with <search>.
I want to trigger an alert if the same event happened more than 10 times in 10 minutes. But the condition for the event is not static. Example:

index="seach" sourcetype="was_debug" site="UK" "RESP:ABC"

But the ABC can be dynamic: for example, BCD can appear 10 times and an alert should trigger for BCD. How do I achieve this in Splunk alerting? Currently I have an alert with a hardcoded ABC, but there are a lot of values and I need to write a lot of alerts, one for each of them, and I want to make this a single alert.
Hi all, If I mouseover any charts, the default background color of the "popup" is black and the text is white/other colors. However, that makes it quite difficult to read what the text is sometimes. Is there a way to change the background color to white and the white text to black? Similar to the "popup" when I mouseover a choropleth map? Thank you.
Hi, I have a command modular input which calls a shell script. There is a curl HTTPS command in the script. I am able to run the curl command as well as the shell script successfully from a command prompt. But when it is called through the command modular input, curl's exit code is 0 only when I use http. When I change the curl URL to https, it starts returning exit code 77.

I am still trying to improve my debugging skills. Any suggestion/guidance would be helpful. Thanks