All Topics

Hi everyone, I'm a bit of a newbie to Splunk, but I was wondering if anyone would be able to maybe give me some advice. I send a number of logs to my Splunk index which are created by a Python script. One of the fields I have defined is "Completion Time", which contains the value of how long it took a certain job to complete. This value could range from hours to days and is shown in the following format: "2 days, 7:57:01". My plan was to use a dashboard which would tell me the mean time of how long it takes certain jobs to run. However, I'm unsure if Splunk has a way to interpret the values presented in this way. Can anyone maybe suggest if this is possible, or would I be better altering the script to only show the time in hours? I know I probably could calculate this in Splunk using the start and finish times of the jobs too, but this seems like it would be more resource intensive. Would love to hear some advice from the experts. Note: I'd prefer to keep it in the same format as it's easier for the user to read when they're looking at the logs for individual jobs.
We're a startup organization and currently have specific user accounts being used for our 5 different environments. Splunk is planned for installation in Environment 2, and this environment currently has 3 usernames with sudo permissions. Let's call them user1, user2, user3. Would it be possible to install and run Splunk as "user2" rather than the "splunk" user? I'm assuming that this would just involve changing ownership of the $SPLUNK_HOME directory to "user2", followed by sudo user2, and then executing the necessary commands to run/start/stop Splunk? I found this Splunk doc, but just wanted to confirm that my understanding about installing and running Splunk as a non-Splunk user is correct... https://docs.splunk.com/Documentation/Splunk/8.0.5/Installation/RunSplunkasadifferentornon-rootuser
Splunk DB Connect 3.3.1 - New database connection to MS SQL Server fails
JRE version - 8
JDBC Driver - 7.2.2
Task server connectivity - successful
Connection type: MS-SQL Server Using MS Generic Driver With Kerberos Authentication
Database installed on Windows and Splunk DB Connect app on CentOS
When creating a new connection I get the below error:
There was an error processing your request. It has been logged (ID b791b92d8b32a177).

2020-07-29 19:55:06.857 +0400 [dw-89 - POST /api/connections/status] ERROR io.dropwizard.jersey.errors.LoggingExceptionMapper - Error handling a request: b791b92d8b32a177
java.lang.NullPointerException: null
at com.splunk.dbx.connector.logger.AuditLogger.replace(AuditLogger.java:50)
at com.splunk.dbx.connector.logger.AuditLogger.error(AuditLogger.java:44)
at com.splunk.dbx.server.api.service.database.impl.DatabaseMetadataServiceImpl.getStatus(DatabaseMetadataServiceImpl.java:159)
at com.splunk.dbx.server.api.service.database.impl.DatabaseMetadataServiceImpl.getConnectionStatus(DatabaseMetadataServiceImpl.java:116)
at com.splunk.dbx.server.api.resource.ConnectionResource.getConnectionStatusOfEntity(ConnectionResource.java:72)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:219)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:469)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:391)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:80)
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:253)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:232)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:680)
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:392)
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:365)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:318)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
at io.dropwizard.jetty.NonblockingServletHolder.handle(NonblockingServletHolder.java:50)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617)
at io.dropwizard.servlets.ThreadNameFilter.doFilter(ThreadNameFilter.java:35)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at io.dropwizard.jersey.filter.AllowedMethodsFilter.handle(AllowedMethodsFilter.java:47)
at io.dropwizard.jersey.filter.AllowedMethodsFilter.doFilter(AllowedMethodsFilter.java:41)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at com.splunk.dbx.server.api.filter.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1297)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1212)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at com.codahale.metrics.jetty9.InstrumentedHandler.handle(InstrumentedHandler.java:249)
at io.dropwizard.jetty.RoutingHandler.handle(RoutingHandler.java:52)
at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717)
at org.eclipse.jetty.server.handler.RequestLogHandler.handle(RequestLogHandler.java:54)
at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:173)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:500)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)
at java.lang.Thread.run(Unknown Source)

Can anyone let me know why this is causing this error?
Hi, I am new to AppDynamics and I am using the 15-day trial version of SaaS. I am trying to install a Java agent on the Ubuntu machine. I have downloaded the Java configuration file from the wizard. I configured the controller-info.xml file accordingly. But, to load the Java agent in the JVM, could you please guide me on where (location) I need to add the below one?
-javaagent:<agent_home>/javaagent.jar
Also, I am using tomcat7; could you please guide me on where I should add these arguments.
export CATALINA_OPTS="$CATALINA_OPTS -javaagent:<agent_home>/javaagent.jar"
Once these two are configured, will the agent automatically get connected to the controller?
Thanks, Kiran
^ Post edited by @Ryan.Paredez to improve the title of the post.
Hello, I need to create a Splunk landing dashboard which contains URLs to go to the individual dashboards. And also from the individual dashboards I need to have a link to go back to the landing dashboard. This is for Splunk Cloud. Please help with the code and an example.
As the title suggests, I am using the same color codes for red/grey/green for both of the graphs, but the Bar Chart is how the color looks, and the Area Chart makes it... more transparent looking and a lighter tint. How do I get the Area Chart color to be identical to the Bar Chart? Thanks in advance.
Hi, I am executing a right join on two searches. Unfortunately, both search results have the same field names. How can I rename the field of one search only, and not the other, in order to be able to display these values in a table?
Example:
Search A: Order_id = 123, Operation = authorize, Result = 200
Search B: Order_id = 123, Operation = secure, Result = 200
I want to right join Search A to Search B in order to obtain:
order_id authorize secure
123 200 200
Thanks!
Hi guys, can somebody help me add data to this app? I get into the input configuration, but then I don't know how to fill in those fields. Below you'll see the fields I need to fill: As you can see there are only three, so this is a simple configuration page, but I don't know the info I need to do this. I've looked for documentation but haven't found any. Can somebody give me a hand on this? Many thanks.
I have a field that contains either 0 or 1 according to the state of a process. What command could I use to make a timechart or line graph over time that shows the binary state of the process? Basically, if the process goes to 1, I want the line to stay at 1, and then as soon as it goes to 0, it instantly changes to 0 and stays at 0, and continues that behavior.
Hello. After trying to configure an input for the Log Analytics TA...
Name = AZURESQL
Interval = 300
Index = XXX
Resource Group = XXX
Workspace ID = XXX
Subscription ID = XXX
Tenant ID = XXX
Application ID = XXX
Application Key = XXX
Log Analytics Query = AzureDiagnostics | where TimeGenerated > ago(5m) | where ResourceProvider == 'MICROSOFT.SQL' | where ResourceGroup contains 'XXX' | where Category == 'SQLSecurityAuditEvents' | where action_name_s !contains 'TRANSACTION' or action_name_s != 'AUDIT SESSION CHANGED' | project TimeGenerated, SubscriptionId, ResourceGroup, LogicalServerName_s, Resource, OperationName, server_instance_name_s, database_name_s, action_name_s, client_ip_s, host_name_s, server_principal_name_s, statement_s
Start Date = 07/10/2020 09:00:00
Event Delay / Lag Time = 15
...I received the following error message:
07-29-2020 10:17:40.828 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-ms-loganalytics/bin/log_analytics.py" ERRORHTTPSConnectionPool(host='api.loganalytics.io', port=443): Max retries exceeded with url: /v1/workspaces/a49c6f91-5bf9-472f-bd14-746fd02d78f0/query (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f903746c890>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
What is the best way to resolve this? Regards, Max
OK, here goes... I've got a row of hierarchy-driven multiselect fields on multiple dashboards. They are driven from a base search which pulls the employee listing; the input options autopopulate based on the selection of the previous input. (Pretty much how you'd expect to use an option like that.) This works flawlessly. Now, if I try to pass token values from dashboard #1 to dashboard #2 (using the form.tokenname=xxx&form.tokenname=yyy method), the names appear in the top-level input; however, only the individual values appear in the subsequent multiselect. Their respective searches do not appear to run, and all searches that are reliant on these inputs do not run. When checking token values, the $form.token$ is populated but $token$ is not. I have also tried creating a token such as <set token="sup_default">XXX,YYY</set> and passing that to dashboard #2, then using that token as the <default> for the input. That too displays the values in the input field, but nothing runs. Thoughts, ideas?
Good morning, I am trying to generate an alert for productive applications when they are in "debug" mode. The problem is that the logs are different. When I search "index=wls sourcetype=wls_managedserver "debug" | stats count by host", logically it lists the hosts that meet the condition in debug mode. I would need to generate an alert to send me which hosts have the app in debug mode, but at the same time to send me only a trace of that search by email, or extract the fields, but it is more difficult because they are different:
Host= W1422
Cluster= qa.3.3_man05
app= app.userdown or [appwork.consumer.serviceTaskExecutorBackedUpQueueConsumer- 149]
Log examples:
####<Jul 29, 2020 12:07:28 PM ART> <Notice> <Stdout> <W1422> <qa3.3_man05> <mq.task.executor-1> <<WLS Kernel>> <> <> <1596035248169> <BEA-000000> <2020/07/29 12:07:28.169 [DEBUG] [mq.task.executor-1] [appwork.consumer.serviceTaskExecutorBackedUpQueueConsumer- 149] - No hay mensajes en la cola>
host = W1422 source = /logs/qa3_domain3/qa3.3_man05_yyyy-MM-dd.log sourcetype = wls_managedserver

####<Jul 29, 2020 12:09:16 PM ART> <Notice> <Stdout> <W1522> <qa3.3_cl6_man01> <app.userdown> <<WLS Kernel>> <> <> <1596035356838> <BEA-000000> <[29/07/2020 12:09] DEBUG MonitoringManager.getSourceProcessor() -> Verificando processor para: javax.jms.ExceptionListener contra el tipo .persistence>
host = W1522 source = /logs/qa3_domain3/qa3.3_cl6_man01p_yyyy-MM-dd.log sourcetype = wls_managedserver

####<Jul 29, 2020 12:10:01 PM ART> <Notice> <Stdout> <W0188> <desa5.3_cl6_man01> <org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-7> <<WLS Kernel>> <> <> <1596035401281> <BEA-000000> <[29/07/2020 12:10] DEBUG SqlStatementLogger.logStatement() ->
If anyone can help me, thanks.
I am frequently receiving high CPU usage alerts with over 99% on all 3 indexers. I am unable to search any query. It shows "waiting for queued job to start". Please help me here. How do I check the issue and resolve it?
Hi, I'm trying to regex my way into this puzzle; let me explain my problem.
event 1 (field 2) raw value = log:word1 log:word2 log:word3
event 2 (field 2) raw value = log:19 log:word4
or:
The value in field2 from the first event (raw value): log:word1 log:word2 log:word3
The value in field2 from the second event (raw value): log:19 log:word4
I want to extract these "log:" values into 3 fields, something like fields log1, log2 and log3. So I tried with this regex:
":(?<log1>\S*) log:(?<log2>\S*) log:(?<log3>\S*)"
It works perfectly with event 1, but didn't work for event 2 because there are only 2 "log:" values. Can anybody tell me how to make this work?
I have the following query to search results which contain a specific REST endpoint which has a UUID path parameter:
.... | regex requestURI="/baseurl/\b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b
But it seems to be wrong. The error is:
Unknown search command '0'.
What is the mistake I am making here?
Good afternoon all, I am likely asking for the world here, but I'm a complete novice with JS and as such I'm falling apart with a challenge I've been presented with. Our Access Management team require a means to streamline their review process, and seeing as the current format is to send out CSV reports to individual line managers of their team's accesses for them to review and respond via email (all manually, btw), I suggested that we may be able to utilise Splunk as some form of approval means. As such, we have two source files: one is the SailPoint access data and the other is a lookup file that permits us to store an approval decision, date & time and any supporting notes. It's not pretty, I know, and for that I'm sorry, but it works (ish) and the team are very happy. As you can see from the XML, it presents the table data to the line manager and then they have dropdown options to approve or decline, then a notes section that's free text, and then finally I am invoking those two tokens via a radio-button submit. It works (inasmuch as it updates the lookup file with the resulting tokens), but then the dashlets that present the data either have to be manually refreshed or I invoke an auto-refresh to display the changes.
The Challenge: To make this MUCH much cleaner, I would much rather it be that upon the approval selection and notes being selected, the line manager could then simply press a 'Submit' button that would populate the lookup file with the necessary token values and also refresh the dashboard. I have found a Splunk Answers topic on a refresh button for the dashboard, but I'm unsure how I would have that button also update the lookup file with the token values? I'd really appreciate some help, everyone. I can only apologise for how ropey the following source code may look to you all!
Source form:

<form>
  <label>Access Management Recertification</label>
  <description>A.M dashboard for user recertification</description>
  <!-- Run only on Click on Submit -->
  <search base="baseQuery">
    <query>$tokQueryOutputLookup$</query>
  </search>
  <fieldset submitButton="false" autoRun="false"></fieldset>
  <row>
    <panel>
      <table depends="$neverdisplay$">
        <title>get a token</title>
        <search>
          <finalized>
            <set token="loggedinuser">$result.title$</set>
          </finalized>
          <query>| rest /services/authentication/users splunk_server=local | search [| rest /services/authentication/current-context splunk_server=local | rename username as title | fields title, realname]</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table depends="$neverdisplay$">
        <title>get a token</title>
        <search>
          <finalized>
            <set token="loggedinusername">$result.realname$</set>
          </finalized>
          <query>| rest /services/authentication/users splunk_server=local | search [| rest /services/authentication/current-context splunk_server=local | fields realname]</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>Current Active Reviewer:</title>
      <html>
        <div class="custom-result-value">
          <h1 style="font-size:200%;font-family:Arial"> <b>Name: </b>$loggedinusername$</h1>
        </div>
        <div class="custom-result-value">
          <h1 style="font-size:200%;font-family:Arial"> <b>User ID: </b>$loggedinuser$</h1>
        </div>
      </html>
      <html>
        <title>Deadline</title>
        <div class="custom-result-value">
          <h1 style="font-size:200%;color:red;font-family:Arial"> <b>Deadline Date:</b> </h1>
          <p style="font-size:150%;">$lvfs_deadline$</p>
          <h1 style="font-size:200%;color:green;font-family:Arial"> <b>Time Remaining: </b> </h1>
          <p style="font-size:150%;">$current_time$</p>
        </div>
      </html>
      <html>
        <ul>
          <li>If the above name and username is <b>not</b> you, please contact the Performance Monitoring team via <b> <a href="mailto:performancemonitoring@lv.com">email</a> </b>.</li>
        </ul>
      </html>
    </panel>
    <panel>
      <table depends="$neverdisplay$">
        <title>Get Deadline</title>
        <search>
          <finalized>
            <set token="lvfs_deadline">$result.Deadline$</set>
          </finalized>
          <query>index=layer7 earliest=now | eval d2="2020-08-20 16:00" | dedup d2 | stats values(d2) as Deadline</query>
          <earliest>-1s</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table depends="$neverdisplay$">
        <title>Get current Date</title>
        <search>
          <finalized>
            <set token="current_time">$result.diff1$</set>
          </finalized>
          <query>index=layer7 earliest=now | eval Today=strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | eval d2="2020-08-20 16:00:00.000" | eval d1="2020-08-19 15:00:00.000" | dedup d1 | eval it = strptime(Today, "%Y-%m-%d %H:%M:%S.%3N") | eval ot = strptime(d1, "%Y-%m-%d %H:%M:%S.%3N") | eval diff = tostring((ot - it), "duration") | eval diff1 = strftime((ot - it), "%d Days %H Hours %M Minutes") | table diff1</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Employee Overview</title>
      <html>
        <style>
          .dashboard-panel h2{ background:#426a75 !important; color:white !important; text-align: center !important; font-weight: bold !important; border-top-right-radius: 15px; border-top-left-radius: 15px; }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <title>Number of employees</title>
        <search>
          <query>| inputlookup sailpoint_access_approvals.csv | search Manager="McDonald, Kelly" | stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
      <single>
        <title>Number Approved</title>
        <search>
          <query>| inputlookup sailpoint_access_approvals.csv | search Manager="$loggedinuser$" | appendcols [| inputlookup sailpoint_access_approvals_final.csv | search Manager="McDonald, Kelly" | rename Decision as decision_new | sort -approval_time | dedup "LV User ID"] | eval Decision=if(isnull(decision_new),"No Decision",decision_new) | search Decision="Approved" | stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <refresh>10s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0xdc4e41","0x53a051"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
      <single>
        <title>Number Declined</title>
        <search>
          <query>| inputlookup sailpoint_access_approvals.csv | search Manager="McDonald, Kelly" | appendcols [| inputlookup sailpoint_access_approvals_final.csv | search Manager="McDonald, Kelly" | rename Decision as decision_new | sort -approval_time | dedup "LV User ID"] | eval Decision=if(isnull(decision_new),"No Decision",decision_new) | search Decision="Declined" | stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <refresh>10s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
      <single>
        <title>Pending Approval</title>
        <search>
          <query>| inputlookup sailpoint_access_approvals.csv | search Manager="McDonald, Kelly" | appendcols [| inputlookup sailpoint_access_approvals_final.csv | search Manager="McDonald, Kelly" | rename Decision as decision_new | sort -approval_time | dedup "LV User ID"] | eval Decision=if(isnull(decision_new),"No Decision",decision_new) | search Decision="No Decision" | stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <refresh>10s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0xf8be34"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Approval Breakdown</title>
        <search>
          <query>| inputlookup sailpoint_access_approvals.csv | search Manager="McDonald, Kelly" | appendcols [| inputlookup sailpoint_access_approvals_final.csv | search Manager="McDonald, Kelly" | rename Decision as decision_new | sort -approval_time | dedup "LV User ID"] | eval Decision=if(isnull(decision_new),"No Decision",decision_new) | stats count by Decision</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <refresh>10s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
      <html>
        <ul>
          <li>The above represents a breakdown of the current access recertifications for your team.</li>
          <li>Should any of the information above be incorrect, contact the Access Management team via <b> <a href="mailto:CIOAccessManagement@lv.com">email</a> </b>.</li>
        </ul>
      </html>
    </panel>
    <panel>
      <html>
        <ul>
          <li> <b>STEP 1:</b> Select the User ID of the employee you wish to review</li>
          <li> <b>STEP 2:</b> The employee access items will be displayed in the below panel, alongside the current decision and notes.</li>
          <li>Should any of the information above be incorrect, please contact <b> <a href="mailto:CIOAccessManagement@lv.com">HR</a> </b> to have the necessary items amended in HeRo.</li>
        </ul>
      </html>
      <table>
        <search>
          <query>| inputlookup sailpoint_access_approvals.csv | search Manager="McDonald, Kelly" | eval Decision=if(isnull(Decision),"No Decision",Decision) | append [| inputlookup sailpoint_access_approvals_final.csv | search Manager="McDonald, Kelly" | rename Decision as decision_new | sort -approval_time | dedup "LV User ID"] | eval Decision=if(isnull(decision_new),"No Decision",decision_new) | sort -approval_time, Decision | table "LV User ID", "Display Name", "Job Title", "Maternity Break", Decision | dedup "LV User ID" | sort -"LV User ID"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <refresh>2s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">30</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="user_id">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Selected User Review</title>
      <html> </html>
      <html>
        <ul>
          <li> <b>STEP 3:</b> Based upon the below information, select your decision from the drop down options.</li>
          <li> <b> <i>NOTE</i>:</b> You do <b>not</b> require to insert a comment if you are simply approving. If you are <b>declining</b> the existing access(es) then please ensure you include which items you require removed in the notes field.</li>
          <li> <b>STEP 4:</b> Once you are satisfied with your decision, select the <b>submit</b> button. You only need press this <b>once</b>, it will <b>not</b> remain selected.</li>
          <li> <b> <i>NOTE</i>:</b> Repeat the same steps for the next employee, be aware that your previous decision and notes remain until you amend them.</li>
        </ul>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <input type="dropdown" token="decision_button" searchWhenChanged="true">
        <label>Decision</label>
        <choice value="Approved">Approve</choice>
        <choice value="Declined">Decline</choice>
      </input>
      <input type="text" token="lvfs_note">
        <label>Supporting Notes</label>
        <prefix>"</prefix>
        <suffix>"</suffix>
        <default>*</default>
      </input>
      <input type="checkbox" token="tokPushResultsToCSV">
        <label></label>
        <choice value="submit">Submit Decision</choice>
        <change>
          <condition value="submit">
            <set token="tokQueryOutputLookup">| outputlookup test.csv</set>
            <unset token="form.tokPushResultsToCSV"></unset>
          </condition>
          <condition>
            <unset token="tokQueryOutputLookup"></unset>
          </condition>
        </change>
        <delimiter> </delimiter>
      </input>
      <table>
        <search id="baseQuery">
          <query>| inputlookup sailpoint_access_approvals.csv | search "LV User ID"=$user_id$ | appendcols [| inputlookup sailpoint_access_approvals_final.csv | search "LV User ID"=$user_id$ | rename Decision as decision_new | sort -approval_time | dedup "LV User ID"] | eval Decision=if(isnull(decision_new),"No Decision",decision_new) | table "Display Name", "LV User ID", Manager, "Maternity Break", "Job Title", "User Access(es)", Decision, Notes | dedup "LV User ID"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>2s</refresh>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table depends="$neverdisplay$">
        <title>Employee Access Decision</title>
        <search>
          <progress>
            <condition match="$job.resultCount$=0">
              <unset token="tokShowOutput"></unset>
            </condition>
            <condition>
              <set token="tokShowOutput"></set>
            </condition>
          </progress>
          <query>| inputlookup sailpoint_access_approvals.csv | search "LV User ID"="$user_id$" | eval token="$tokQueryOutputLookup$" | eval Decision="$decision_button$" | eval Notes=$lvfs_note$ | appendcols [ search index=layer7 earliest=-0s | stats latest(_time) as current_time by index | eval approval_time=strftime(current_time, "%Y-%m-%d %H:%M:%S") | table approval_time] | table "Display Name", "LV User ID", Manager, "Maternity Break", "Job Title", "User Access(es)", Decision, Notes, approval_time | outputlookup append=true sailpoint_access_approvals_final.csv</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Hello Splunkers, I need a solution. My organisation has Splunk ES 7.2.1 in an AWS environment. We have 4 AWS Splunk instances (Search Head, Deployment Server, Indexer 1 and Indexer 2), which are in the cluster. Right now we are accessing the URL https://win-splksearch.com:8000. Now the users want to access Splunk from the public URL https://splunk.organisation.com. For this, I have gone through some material and changed the server name in the web console, server.conf and web.conf, but it made no difference. Can anyone suggest what has to be done to change the localhost URL to the public URL so that Splunk can be accessed from anywhere?
Hi, I have been getting this warning event on one of my Splunk instances (Role - Deployment Server + License Master). The architecture is as below: Deployment Server > HF1 and HF2 > Indexers. Error: Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for X seconds. This will probably stall the data flow towards indexing and other outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. Can you please help with how this can be resolved?
I have events which are transactions. I've extracted a field from these events which is the site they come from. Basically, I want to make a bar graph/timechart/chart that shows the duration of each of these transactions, separated by the site they come from. I don't want to use the avg(), sum() or max() options for a chart/timechart because I want every event to appear on the graph; I don't want to only show the max() for each site. I've tried a timechart using "cont=false", but that didn't work because it still automatically grouped certain events together. I've tried "stats count by Site, duration", and while that works, it still shows the count bars on the graph, which I don't want, and it also doesn't group them according to time (even if I use "| sort -_time").