All Topics

Hello Everyone! I have a scenario to get a Date column from index1 in search1 and remove the rows with null values in the Date column in search2 on index2. I have a column id common in both the indexes.

Example:

Search1:
index="index1" sourcetype="st1" field1="abc" | table id1 Date1

Search2:
index="index2" source="xyz" | ????????? | eval Date2=Date1 where id2=id1 | .........

Output:
| table id2 Date2 where Date2 NOT NULL

What's the best way to go about it? Including both indexes at the start of the search is not feasible given the absurd size of the second index. Can anyone please help me here? Thank you in advance.
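An added SPL example (not part of the original post, and not an official answer) for the pattern the post asks about: run the small index1 search as a subsearch so the big index2 search only returns events whose id has a non-null Date1, then join the Date1 values onto the surviving rows. The field names id1, id2, Date1, Date2 and the index/sourcetype/source filters are taken from the post; the dedup, the time bound and the use of join are assumptions about what the data looks like.

```spl
index="index2" source="xyz" earliest=-24h
    [ search index="index1" sourcetype="st1" field1="abc" Date1=* earliest=-24h
      | dedup id1
      | rename id1 AS id2
      | fields id2 ]
| join type=inner id2
    [ search index="index1" sourcetype="st1" field1="abc" Date1=* earliest=-24h
      | dedup id1
      | rename id1 AS id2, Date1 AS Date2
      | table id2 Date2 ]
| table id2 Date2
```

The first subsearch expands to a filter of the form `(id2="...") OR (id2="...")`, so the indexers only hand back index2 events for ids that actually have a Date1; `Date1=*` in the subsearch is what drops the null dates, and `type=inner` drops any index2 row that still has no match, which is the NOT NULL requirement in the post. Two things to check before relying on this: the filter subsearch is capped by default at 10,000 results and 60 seconds, and `join` caps its own subsearch at 50,000 rows, so if index1 produces more ids than that the filter silently truncates. In that case write the index1 results to a lookup on a schedule (`... | table id2 Date2 | outputlookup index1_dates.csv`) and replace the `join` with `| lookup index1_dates.csv id2 OUTPUT Date2 | where isnotnull(Date2)`, which has no such limit.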
I am new to Splunk and am trying to learn via an online tutorial. I cannot get the provided CSV file to upload correctly. Splunk said the upload was successful, but when I search I do not get any events. I have tried deleting cookies and cache, different browsers, incognito mode, and restarting Splunk. I don't know what I am doing wrong. I have attachments for reference.
I have a dashboard with 2 panels. The 1st panel is a bar chart whose data will populate based on the 2nd panel (drilldown). When I select data on the 2nd panel with stats, the graph is getting filtered in the 1st panel. The problem is when my 2nd panel data consists of a regular expression like [[A-ZA-Z '\-\.\xC0-], my token is not able to hold this kind of data and is not showing results in the 1st panel. Please help to fix this issue.
I have a custom webhook which allows the user to enter multiple inputs, e.g. NAME, ID, NODE. I want to validate the entered input against a lookup. E.g., if the entered NODE is not present in the lookup, do not proceed. How can I achieve this?
I have developed a custom webhook which shows a drop down using the splunk-search-dropdown:
<splunk-search-dropdown name="action.msgbus.param.alertGroup" search="| inputlookup alert_group_lookup.csv " label-field="ALERT_GROUP" value-field="ALERT_GROUP"/>
This populates the lookup in the dropdown but does not allow me to write something in the dropdown text box. Since my dropdown will have 10,000 values, I need the ability to search the dropdown. Please help; what do I need to change?
I need to check if the time tokens are numeric. I used to use this and it worked, but suddenly my dashboard broke. I initially had this inside my time selector filter, and it worked, until today:
<eval token="anumber">if(isnum('earliest'),"true","false")</eval>
I also tried this, but it didn't work:
<eval token="number">if(match('earliest',"^\d+"),"true","false")</eval>
It keeps evaluating to false. I get how a string containing only numbers would still be a string, but this actually worked earlier. How can I check whether a number, or a string containing only numbers (and a decimal point), actually returns true?
We recently upgraded from 6.5.4 to 6.6.0 as an interim step on our way to 7.3.6. We had about 12 real-time searches that triggered alerts that were working perfectly. Right after the upgrade to 6.6.0 we get the error above and see that there is a 98% skip ratio in the Scheduler Activity dashboard. Splunk will not help us as this is an unsupported version, but I need to get this fixed before I will be allowed to upgrade to the final, supported version. Here is the full event:
07-26-2020 16:59:00.318 -0400 INFO SavedSplunker - savedsearch_id="nobody;search;Route Flapping", search_type="scheduled", user="mvas**", app="search", savedsearch_name="Route Flapping", priority=default, status=skipped, reason="The maximum number of concurrent real-time scheduled searches on this instance has been reached", concurrency_category="real-time_scheduled", concurrency_context="saved-search_instance-wide", concurrency_limit=1, scheduled_time=1595797140, window_time=0
I understand the concurrency limit might be the culprit but have not been able to find how to fix it.
Hi, I am still confused about ITSI entity management and best practices after taking the training. Can someone enlighten me on this? Here is an example to motivate my confusion. Suppose I plan to create 2 services that monitor the health of a web server: the first one, called A, focuses on IT metrics such as error rates, response times etc.; the second one, called B, focuses on the VM OS performance such as CPU and memory etc. I have imported all Splunk forwarders as entities. The server is already there as an entity E1 which has an alias hostname=web01. Now, in the IIS/Apache logs, the server can be found by "host=web01"; in the OS performance logs, the server can be found by "host=web-host". My question is what the best practice is to manage entities in this case.
1. Should I have created 2 other entities with different aliases? That is, a second one E2 which has alias "hostname=web01" and E3 which has alias "host=web-host".
2. Or should I somehow normalize the data such that there is only 1 entity? If so, how?
I have developed an app for Splunk Enterprise. How can I make the application compatible with Splunk Cloud and allow users to install my app in Splunk Cloud? Link to app: https://splunkbase.splunk.com/app/5037/
Hi Splunk Team, I have created an alert where I am checking the process status for two hosts every 15 minutes. I need to suppress the alerts for the next two hours for each server respectively once generated. Let's just say, if an alert is generated for server A, it throws the alert and suppresses it for the next two hours for server A but not for server B, or vice versa. In the meantime, if the process for server B goes down, I should get an alert. In the search query I am using "stats count by host COMMAND _time", and in "Suppress results containing field value" I have given host. Will that help for my case? Thanks, Sushant
Hi Friends, Has anyone used a Universal forwarder to forward logs to a HEC instance? My ask is similar to the one in the thread below https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-6-4-0-to-HEC/td-p/364436 Any inputs on how to accomplish this will be greatly appreciated. Have a good one and keep safe! Rachael    
Looking for answers on the following (with regards to distributed search):
1.) An explanation of how distributed search works.
2.) Explanation of the roles of the Search Head and Search Peers (as it pertains to distributed search).
3.) How to configure a distributed search group.
4.) How to list search head scaling options.
Thank you in advance. -KB
Hi All, I'm using a query to get the total count of a field (different error messages). Here is the search and the stats being displayed:
index=sp_dev "ProductHandler" | rex field=message "operation\\\":\\\"(?<ErrorMessage>[A-Za-z]+)\\\"" | stats count(ErrorMessage) as TotalErrors
TotalErrors
xxxx
Now I want to trigger an alert when the error count is "0". If I use:
index=sp_dev "ProductHandler" | rex field=message "operation\\\":\\\"(?<ErrorMessage>[A-Za-z]+)\\\"" | stats count(ErrorMessage) as TotalErrors | where TotalErrors=0
it is not giving me a result of "0", but rather "No Results Found". If I use "where TotalErrors>0" I see the results. So the question is, how can I convert "No Results Found" to a value of "0"? Thanks, DD
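An added SPL example (not part of the original post, and not the poster's own search) of the usual way to make an empty result set count as zero so that an alert can fire on it: `appendpipe` runs a sub-pipeline over the current results, and `stats count` inside it always emits one row even when it is fed nothing, which is the row that becomes the synthetic zero. The index, term, rex and the TotalErrors name are taken from the post; the `rows` helper field is an assumption.

```spl
index=sp_dev "ProductHandler"
| rex field=message "operation\\\":\\\"(?<ErrorMessage>[A-Za-z]+)\\\""
| stats count(ErrorMessage) AS TotalErrors
| appendpipe
    [ stats count AS rows
      | where rows == 0
      | eval TotalErrors = 0
      | fields - rows ]
| where TotalErrors = 0
```

When the base search returns events, the outer `stats` produces one row, the inner `stats count AS rows` sees that row and yields rows=1, the `where rows == 0` discards it and nothing is appended, so the final `where` behaves exactly as before. When the base search returns nothing, the inner `stats` yields rows=0, the `eval` turns that into a TotalErrors=0 row, and the final `where` keeps it, so the alert now sees one result instead of "No Results Found". Set the alert trigger condition to "Number of results is greater than 0" (or a custom condition of `search TotalErrors=0`). Note that a zero can also mean the rex did not match any events, for example after a log format change, so it is worth confirming the extraction still matches before treating a run of zeros as "no errors".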
I want to include the datacenter name at the end of the PDF name, for example: myalert_datacenter1.pdf. Where can I do such a configuration? Thanks!
Splunkers, I am attempting to use the Splunk Operator for Kubernetes with the MapR filesystem. The pods fail with the following error:
STDERR: homePath='/opt/splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem.\ Validating databases (splunkd validatedb) failed with code '1'
---
I have created a splunk user on my MapR cluster with uid and gid of 41812 to match that of the splunk user in the pod (I am only trying to get a License Master to come up right now). I can see the PV and the PVC created on the MapR cluster and I see the temporary files being created, so I don't know why things are failing. Any help is greatly appreciated. Thanks!
[splunk@ip-10-20-1-148 db]$ ll
total 0
-rw------- 1 splunk splunkgroup 0 Jul 27 16:27 test.Aeftef
-rw------- 1 splunk splunkgroup 0 Jul 27 16:44 test.CG68oO
-rw------- 1 splunk splunkgroup 0 Jul 27 16:29 test.cptS7n
-rw------- 1 splunk splunkgroup 0 Jul 27 16:32 test.eG1WdX
On a side note, I had to create splunkgroup with GID of 41812 and could not name it "splunk" in my AD due to a user already being named "splunk". Hope that is not an issue because technically, the LM pod user is splunk(41812) for the uid, gid, and group.
Hi all, I am pulling events in alerts and seeing a gap between _time and _indextime, around 535 seconds average difference. I have 2 questions:
1) What is the best practice approach to match these field values to each other, so as to have results where _time = _indextime?
2) Is this time delay a sign of other things to investigate in the pipeline?
Per this post https://community.splunk.com/t5/Getting-Data-In/Time-difference-practical-values-between-event-time-and-index/m-p/312606#M58588 this is a rather significant time difference.
I have a field called Availability and the field values are like 98.32 % and I want them to be converted to decimal numbers like "0.9832". Please help.
Hi all. I am new to using Splunk. I am trying to be able to extract data from a log for the last 15 minutes. I try to generate the alert every time an implementation of "Weblogic AdminServer" is made on the different hosts we have with Splunk. I would need to know who made it, host, application and cluster. I used raw to extract it but it didn't work.
index=wls sourcetype=wls_adminserver host=EWL1522 user=<torrelia> app=consumer cluster=homo3.8_cl1
####<Jul 24, 2020, 4:27:27,117 PM ART> <Info> <J2EE Deployment SPI> <EWL1522> <AdminServer> <[ACTIVE] ExecuteThread: '48' for queue: 'weblogic.kernel.Default (self-tuning)'> <torrelia> <> <4e1f868c-178a-4316-8cc0-a631e22c8aee-0014f65f> <1595618847117> <[severity-value: 64] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-260121> <Initiating start operation for application,consumer#1.0 [archive: null], to homo3.8_cl1 .>
Anyone who can help me, thanks.
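An added SPL example (not part of the original post) that extracts the fields the post asks for from the WebLogic server-log line quoted above. WebLogic writes each record as a fixed sequence of angle-bracket groups, so the first `rex` names every group positionally and the second pulls the application and cluster out of the message text. The index and sourcetype are the ones in the post; the field names (wls_host, wls_user, msg_id and so on), the 15-minute window and the BEA-260121 filter are assumptions based on the sample line, and the pattern is written for single-line records like that sample.

```spl
index=wls sourcetype=wls_adminserver earliest=-15m
| rex "^####<(?<wls_time>[^>]+)> <(?<severity>[^>]+)> <(?<subsystem>[^>]+)> <(?<wls_host>[^>]+)> <(?<wls_server>[^>]+)> <(?<thread>[^>]+)> <(?<wls_user>[^>]*)> <(?<txn_id>[^>]*)> <(?<diag_ctx>[^>]*)> <(?<raw_ts>\d+)> <(?<ctx>[^>]*)> <(?<msg_id>BEA-\d+)> <(?<msg>.+)>$"
| search msg_id="BEA-260121"
| rex field=msg "^Initiating (?<operation>\w+) operation for application,(?<app>[^#\s]+)(?:#(?<app_version>[^\s\]]+))?.* to (?<cluster>\S+)"
| table _time wls_host wls_server wls_user operation app app_version cluster
```

On the sample line this yields wls_host=EWL1522, wls_server=AdminServer, wls_user=torrelia, operation=start, app=consumer, app_version=1.0 and cluster=homo3.8_cl1. The user and transaction-id groups use `[^>]*` rather than `[^>]+` because WebLogic writes them as an empty `<>` for work it starts itself, and a `+` there would make the whole extraction fail on those records. The extracted machine name is kept as wls_host instead of overwriting Splunk's own host field, since the two need not agree. If the message text wraps across lines in your data, prefix the first pattern with `(?s)`; and once the extraction is stable, move it into props.conf as an EXTRACT so the alert search does not have to carry the regex.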
I have a python custom search command that generates a plot i.e. plot.png. The custom command writes the image file to the app's /appserver/static/images folder. A dashboard displays plot.png so an analyst can make changes to the custom search command's arguments. The custom search command is run again and the image file, plot.png, is overwritten in the apps static images folder. Is there a way to have the updated image display, in a production environment, without restarting Splunk and reloading the page?
Hello, I need help please. For the purchases field, I want to display the prices equal to 200. And for the sales field, display all.
index=main sourcetype="*" action=purchase OR action=sales
Can you help me please? Send me documentation or advice please? Thanks in advance for your help.