All Topics
Hi, I am looking for a property in CSS or JavaScript, or any tweak directly in Splunk, to stop the greying out of the other bars when the mouse is hovered over each bar. They should not grey out; is there any property in Splunk to stop this? I checked many blogs and other CSS but didn't find any help. Can someone share some inputs on whether this is possible or not?
Hi, I am looking for advice or documentation that specifically addresses SmartStore and local disk sizing for the searchable S3 cached data. For instance, how much disk space do you need for long historical searches while maintaining disk space for daily saved searches? Is there some sort of calculator for this, or is it trial-and-error? Looking for anyone with experience to share what worked and did not work when sizing local disks for the SmartStore S3 cache. Thank you.
Hi Folks, I have been trying to display the latest time results. I have logs where the time is stored under a custom field (Patch_date) and I want to display the latest time result. I tried the below but that didn't work:

base search | search Patch_date=latest(Patch_date) | table Patch_date,region,server,os_type,location

base search | search Patch_date=latest($Patch_date$) | table Patch_date,region,server,os_type,location

Unfortunately neither of them worked. Please support on achieving the required. Thanks
Linux Secure Technology Add-On will not auto-extract fields from the secure log? I created a test monitor:

[monitor:///var/log/secure]
index = linux
sourcetype = linux_secure

and just installed the app - no additional config.
Hello, I have app and machine agents deployed on an Ubuntu EC2 instance and they are both successfully connected to AppDynamics. The AppDynamics server has SIM enabled and is successfully correlating to the APM application. The problem is that when I go to the details view of the server and scroll to the bottom, I can see some AWS tags like: AWS|instance-type, AWS|ami-id, AWS|region, AWS|security-group, AWS|availability-zone. However, I am missing the AWS|resource-id tag, which is listed in the documentation in the table under 'Amazon Web Services': https://docs.appdynamics.com/display/PRO45/Server+Tagging How can I get the resource-id displayed in AppDynamics?
Hi, I have my dashboard with two views selected by a radio button: View A and View B. View A has 2 panels and View B also has 2 panels, and I have enabled drilldown (the same drilldown panel, Summary, is used by both views). Case: whenever I click on the values of a panel, these are passed as tokens to the dropdown in the Summary drilldown panel and I can see data in the drilldown panel. Issue: when I switch from View A to View B, I see the Summary drilldown panel with the previous values filled in the dropdown. I want that whenever I switch from View A to View B, the Summary drilldown should not appear by default, and the same vice versa. I tried including the token in the drilldown panel and unsetting the same in the radio button, but no luck.
We have an SFTP server with logs saved on it. We want to integrate those logs with Splunk, but we can't install a universal forwarder on that server. What options do we have? Push data from the server? Pull the logs from the HF? Thank you
I'm setting up a new DB Connect input. While creating inputs I could execute the SQL query and get results in Batch mode. Whereas when I execute the same query in Rising Column mode (which adds an ORDER BY clause to the query), it takes more time and I get a query timeout message. I suspect this is because the initial query pulls all records, which is around 13 million records. Please suggest if there is any alternate method. Query I'm using:

Select * from table_name where column_name1 LIKE %abc% AND column_name2 > ? ORDER BY column_name2 ASC

TIA
I have a golang application and want to connect it to AppDynamics. But when I am creating an application, I am not able to find any machine agent for golang applications. Although they are providing a Go SDK, I am not able to send data with the help of that.
Hi All, I'm quite new to Splunk and I have a question regarding the upgrade of the TA Windows. Our infra consists of a SH cluster, an index cluster, and universal forwarders. At the moment the SH cluster has TA version 5.0.1, and the indexers and universal forwarders have the old 4.8.4 version; all seems to work just fine. I now need to upgrade the TA to version 6, and here come my questions. - Would it be possible to still keep the old version and config on the indexers and forwarders? From what I see, most of the changes in v6 are the "merge" of the TA Windows DNS and AD; for those changes we need to copy the indexes.conf and inputs.conf data from the DNS and AD apps to the new TA Windows app. So if I'm correct, if the indexer and forwarder still have the old apps, the .conf files in those old apps will still work and forward the logs, right? Am I missing other important changes that would need an update or re-config? - If I can keep the old version, will it work if I upgrade the indexer to Splunk 8? Version 4.8.4 is clearly not officially supported on Splunk 8, but as the indexer only uses the inputs.conf, I suppose it will work, right? And the same for the universal forwarders? As I said, I'm new to Splunk so I may have missed stuff... I want to keep those old versions as I already have a lot to do for the Splunk 8 upgrade, so I'm trying to save time where I can, and I will take care of this after the full upgrade to 8. Thanks!
Hi, hope you are well. I am trying to get Telegram notifications going. I did create an HTTP Request Template and it is working, but I cannot get rid of the HTML formatting when I receive messages from Telegram. Has anyone got this working? Example of a Telegram message:

AppDynamics has detected a problem with DB Server <b>dbserver:3333</b>.<br><b>Databases Health</b> continues to violate with <b>critical</b>.<br>All of the following conditions were found to be violating<br>For DB Server <b>dbserver:3333</b>:<br>1) Condition 3<br><b>Slave_IO_Running's</b> value <b>1.00</b> was <b>within</b> baseline-based calculated value <b>1.00</b> by <b>1.00</b> standard deviation(s) <b>0.00</b> for the last <b>1</b> minutes.<br> Baseline used here is '<b>Daily Trend - Last 30 days</b>'. 11:24

Thanks, Regards, Nar
I am unable to download my Splunk certificate. My certificate has expired. Can I still download it?
I am building an application in which, on the click of a button, a custom script (python) is executed. In this image, once we click the Run Simulation button, it executes the custom script (python). The issue is that I am not able to see the progress on the application/dashboard. I have to look at the console to see if execution is complete. Below is the HTML panel on the dashboard:

<panel>
  <html>
    <button class="btn btn-default" id="run_search_btn">Run Simulation</button>
  </html>
</panel>

I want something like the below: this is a screenshot from the MLTK app. Once we click on "find cluster", it shows the status as "Running" (2nd screenshot below). How can I style my button to show such a status for my custom script run?
Hello everyone, Scenario: in my case, I use a daily search to create DnsQueryLog.csv, recording the domains queried every day in this csv file (without repeats), and I hope to find new queried domains by comparing against these domains every day. Problem: now I have DnsQueryLog.csv containing 8,038 domains, and I confirmed that the data can be displayed using the following command:

| inputlookup DnsQueryLog.csv

And I use the following command to try to find some new queried domains today:

sourcetype="isc:bind:query" | stats count(query) by query | sort - count | fields query | search NOT [| inputlookup DnsQueryLog.csv]

But it doesn't work. In this test, the number of domains queried today is equal to the data in the csv file, which is also 8,038. My understanding is that if it runs correctly, the number of search results should be "0", but it shows 8038 records, which confuses me. Can someone help me confirm which part I am doing wrong? P.S. I have confirmed that the domain names in the csv file are the same as the query results (8,038), and the csv field name is the same as the output field of the query result. Sincere thanks
Hi, I just installed the "App for REST Lookup" https://splunkbase.splunk.com/app/4253/ on my Splunk 8 SH. The details talk about a setup screen but I do not see any. But I see loads of errors in the log:

07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" raise RuntimeError('Failed to parse transport header: {}'.format(header))
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" File "/opt/splunk/etc/apps/DBData/bin/splunklib/searchcommands/search_command.py", line 866, in _read_chunk
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" metadata, body = self._read_chunk(ifile)
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" File "/opt/splunk/etc/apps/DBData/bin/splunklib/searchcommands/search_command.py", line 658, in _process_protocol_v2
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" Traceback:
07-30-2020 09:47:43.591 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/DBData/bin/dbdata.py" RuntimeError at "/opt/splunk/etc/apps/DBData/bin/splunklib/searchcommands/search_command.py", line 866 : Failed to parse transport header: U_i7UanLSoQNucQe9p8fvoPRxcC3dy_WKnCtgqt1_gVhrVCwyDW_z2yXBPu7xZbJXJQh6P^q0_gVSO4Ni9MF_nifVBNrTYwDkdk2ND3RqlJQxM4BDyz1^8pFfo0

Has anyone used that app with Splunk 8? thx afx
In my data I am getting multiple dates for a single id. I need only the recent date for each date. How can I remove the other dates? Please refer to the screenshot. Thank you in advance, renuka
I've set up monitoring of WinPrintMon on some Windows servers. The input using the WinPrintMon stanza, as described here, works just fine. The problem is that when the logs are parsed, the timezone as written in the logs is not recognized and included. That is, the logs clearly say "GMT" after the timestamp, but Splunk ignores that and assumes the timestamp is in the local timezone. Adding a props.conf on the indexer with correct timezone parsing (TIME_FORMAT = <strptime> + %Z) does nothing, but I assume this is because of the way Windows monitoring works, where the fields are actually extracted on the UF, if I understand correctly. I can't find any good documentation on this though. I tried adding props.conf timezone parsing on the UF as well, but that also didn't help. Unfortunately I can't provide the configuration files I've used here. Any idea on how to troubleshoot/solve this?
Hi all. I'm running into something weird. I am creating a dashboard that displays table data after drilldown from a Single Value panel. After drilldown, more pages appear than there are search results. Other dashboards work properly, but for some reason only this one dashboard does not work. When I go to the page, I get back that there are no results. When you search, only the search results are displayed. Is it a bug? Thank you for helping me.
There are 3 indexers, on which CPU usage is 99.77, 99.72 and 99.61 respectively. Data is not getting indexed. Is there any possible solution to resolve and troubleshoot this? Looking forward to quick help.
Hi, I am trying out Splunk Cloud for an integration with a third-party application using the HTTP Event Collector. I have created the token and made the required configurations, but I am unable to send any data to the HEC. I'm using POST to send data to this endpoint: https://input-prd-p-<redacted>.splunkcloud.com:8088/services/collector I have noticed there is no Global Settings option available in the trial version. Could that be a reason? Any information regarding this will be helpful. Thanks in advance.