All Topics
This is a big problem considering that during the quarantine, I have pretty much worn each of my Splunk> t-shirts for at least three days each and they can now stand on their own. Thanks for your help!
Trying to use the date option within Splunk, it ignores what I choose and adds data from other days. When I specify a date range it seems to ignore this and provide information for all items vs. the date I select.
When the connection to Splunk is lost, the "Disconnected from Splunk server" message appears and the backdrop obscures the page. Is there a way to dismiss this warning so that the content from the page can be viewed or copied? Manually deleting the element and trying to get the content out before the JavaScript puts it back is very frustrating.
I'm utilizing tokens on my dashboard to dynamically generate date ranges for the header. This involved adding a panel that uses HTML. It works fine to run the tokens in the header of the dashboard, but the tokens don't run when the dashboard is scheduled to deliver a PDF:

<div id="custom_header"> <div id="custom_header_title"><h1>weekly report for analyst for week $earliest_time$ through $latest_time$</h1></div> </div>

When the report is emailed via PDF it actually shows $earliest_time$ through $latest_time$ (ignores running the tokens), vs. the dashboard, which actually runs the tokens and shows the relative dates. I believe this may be a limitation in Splunk looking at the doc, but can someone confirm? And is there a workaround? https://docs.splunk.com/Documentation/Splunk/7.3.3/Alert/EmailNotificationTokens
Hi all, I have an issue where the left Y axis and the right Y axis (used in chart overlay) of the graph should both work dynamically. Currently I am having an issue where the left Y axis starts at zero and the second Y axis (% percentage values) should also start at the same position as the left Y axis, irrespective of whether the X axis has negative values. I have tried setting the interval in the chart overlay and Y axis, but if I make it static it differs for other details. Image as below. Is there some way that both axes start at the same position irrespective of negative values, any dynamic token or something? Any guidance would help.
Hi, I need to find a way to identify if a Splunk instance is an HF/UF/Indexer/Deployer/Deployment Server etc. in an automated way. Is there a way to find out, by looking at file systems, unique process(es), running commands, attributes passed when the Splunk service(s) start etc. on the system, to identify the role of the server in Splunk? Thanks in advance!!!
In my dashboard, I have a tabular representation of a panel that shows some extracted values of the events in columns such as _time, address. Example:

_time  Address
03:34  https://www.rediff.com
03:45  https://www.rediff.com
03:47  https://www.yahoo.com

I enabled the drilldown option in the XML editor so that when I click on row 1 it should redirect and open www.rediff.com etc. I did this, but it won't work:

<drilldown> <link>$row.address$</link> </drilldown>
I have configured the Add-on to use the grid admin node, but it will not collect data. I looked in /opt/splunk/var/log/splunk/ta_netapp_sg_storagegrid_api_input.log and saw the call is made to https:////api/vNone/authorize. This is incorrect and needs to be /api/v2/authorize instead. How is that changed?
I have a subsearch query that uses a wildcard keyword list as an inputlookup to find filenames that contain a keyword. I then rename the resulting filenames as keyword to do a reverse lookup to output the keyword that matched the filename. The problem is I want to list out the filename and the keyword that matched in the filename... For example:

index=foo sourcetype=bar [|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName] | rename FileName as keyword | lookup keyword-list.csv keyword OUTPUT keyword as Matched | stats values(Matched)

From this query my results are the keywords (for example):
*jedi*
*sith*
*falcon*

Here are the FileName results containing the keyword:

index=foo sourcetype=bar [|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName] | stats values(FileName)

"D:/Rey Skywalker/jedi/report.pdf"
"D:/Kilo Ren/sith/report.pdf"
"E:/starship/falcon/rebel/report.pdg"

I was requested to list both together in the results, like this:

*jedi* "D:/Rey Skywalker/jedi/report.pdf"
*sith* "D:/Kilo Ren/sith/report.pdf"
*falcon* "E:/starship/falcon/rebel/report.pdg"

Any advice greatly appreciated, thank you!
How to monitor and alert on the "SMTP errors and reply codes" in Splunk? I need to monitor the list of error codes given in the link below. https://serversmtp.com/smtp-error/
I have CMDB imported from ServiceNow, but I'm struggling to find a way to define services or applications and provide holistic insight into the service health and availability without the ITSI module. For example, I have a list of 10 servers which make up "Service X": web front, db, app, etc. The relationship is defined in CMDB. How would I go about building the following:

"Service X" health score, which is a combination of the web front, db, app, etc. server health scores, i.e. if one gets degraded it reduces the overall score.

Visually diagram the relationship between the servers based on their relationship defined in CMDB.

Is there any way to make use of CMDB data from ServiceNow without the ITSI module?
Hi, I am looking to be able to pull some different information out of an array that is being collected.

[Array (size 1):
<?xml version="1.0" encoding="utf-8"?>
<ValidationException inSyncReferenceResolution="false" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <creationDate>2020-05-19T06:36:50.196</creationDate>
  <typeCode>3</typeCode>
  <exceptionMessageCode>
    <messageCode>43</messageCode>
    <codeDomainName>ClaimReviewMessageCode</codeDomainName>
    <messageDescription>Claim requires manual review because the provider is not contracted</messageDescription>
    <policyName>ReviewNonParProviderClaim</policyName>
  </exceptionMessageCode>
</ValidationException>
]

1. The length of the array using a getter chain. I used the information below to try to pull the length, but it keeps telling me it is invalid.
getUrl().split(\.).length

2. The message code, which in this example is "43":
getURL.get(int/3).split().[1]

Thanks
Hi, what will be the best way to implement the below request? We need to configure some logs to be forwarded from Splunk to an MCAS server (a server in the same network as the Splunk server). Logs should be forwarded via Syslog or FTP and based on a specific query.
Hello, I am trying to use another field (LAST_FIXED_DATE) as _time in my log search. LAST_FIXED_DATE has dates from 2008, 2009 ... 2020. But I just want to find data for LAST_FIXED_DATE values from the last 6 months (example: Nov 2019 till April 2020). The query below is not working, and still shows me _time values from 2008.

My query:
main search .... | eval _time=strptime(LAST_FIXED_DATE,"%Y-%m-%d") | table _time

Results I see:
2008-06-30
2008-06-01

I just want _time to show values for the last 6 months, and not back to 2008. I have tried adding earliest and latest, but then I get no results.
Interesting and weird thing with the Event Hub input. I have an Event Hub where the data is always almost exactly 24 hours behind. I created a capture to explore the data, and it is in the Event Hub with data and current timestamps. Even if I create a new input, the add-on seems to immediately grab all the data, but only up to the last 24 hours, or 1 day ago. Sometimes it even falls a little behind, so the time picker for 24 hours shows no results found. Could it be mis-counting the timestamp or date? Maybe a timezone thing? This is the only Event Hub doing this. Is there a way to debug and see exactly which events are coming in and when?
Hi, I have written a query which returns the details grouped by Month and ordered by Month. Since I am using xfields to process one of the columns, the query doesn't return the values in Month order.

source=detailed
| convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency
| eval Month = case(Month==01, "Jan", Month==02, "Feb", Month==3, "Mar", Month==4, "Apr", Month==5, "May", Month==6, "Jun", Month==7, "Jul", Month==8, "Aug", Month==9, "Sep", Month==10, "Oct", Month==11, "Nov", Month==12, "Dec")
| sort Year, Month
| eval Month=Month + "-" + Year
| eval xfields='CONTENT_PARTY_NAME'+":"+'DOCUMENT_TYPE'
| chart P90(P90_E2E_Latency) as E2E_Latency by Month, xfields useother=f limit=10000
| transpose 20 header_field=Month, column_name=xfields
| rex field=xfields "(?<CONTENT_PARTY_NAME>.+):(?<DOCUMENT_TYPE>.+)"
| fields - xfields
| table CONTENT_PARTY_NAME, DOCUMENT_TYPE, *

Using table or fields doesn't display the columns in chronological order. Rather it displays the columns as CONTENT_PARTY_NAME, DOCUMENT_TYPE, APRIL-2020, FEB-2020 etc. How do I display the result as CONTENT_PARTY_NAME, DOCUMENT_TYPE, JAN-2020, FEB-2020 etc., in chronological order? I don't want to manually specify the column names. Please advise. Thanks
Hi, I have a query which displays the result set as below. I would like to get the Module which has gone over 2s in any of the months. In the above screenshot, I need DocumentExchange to be returned since it exceeded 2s in one of the months. How do I achieve this? I tried to do

| foreach *2020 [convert num(<<FIELD>>) as <<FIELD>> | search <<FIELD>>>2]

But this returns Modules which were more than 2s in all three months. How do I rewrite the query so that it lists Modules which exceed 2s in any one of the months? Please advise. Thanks. Using max brings the max of the field name and not the value.
I have data on a daily basis.

Date        Number  Day of the week
2019-05-02  52.55   thursday
2019-05-03  327.57  friday
2019-05-04  279.97  saturday
2019-05-05  266.87  sunday
2019-05-06  374.41  monday
2019-05-07  301.24  tuesday
2019-05-08  373.11  wednesday

I want to write 1 query which shows me the data as an average for weekdays and an average for weekends separately. Say in the above case the output should look like:

weekend : 273.42
weekday : 285.77

Thanks in advance
Good morning all! I have a data source that is valid JSON (I verified with python and jq). The entire event gets ingested; however, a field that is at the tail end of the raw event does not show up in interesting fields. Splunk is parsing it correctly because if I look at the event, the key and values have the necessary color code indicating that they are KV. I would say that my event has roughly 26k chars in it and it is less than 1 MB. I looked in limits.conf and found nothing valuable. Any help is much appreciated.
I have a dynamic dropdown which shows values (the number of values will keep changing in future). We have some panels (the number of panels will also keep changing according to requirements). We have only one token, e.g. field1, for the dynamic dropdown. The panels should hide and show based on the value selected in the dynamic dropdown. For example, if I have 10 panels, only 5 panels will be dependent on "test1", where "test1" is the value selected in the dropdown. So in this case I will be giving only the dropdown token, i.e. "field1", for all 10 panels, but how should I make the 5 panels display only when I select "test1" while the other panels are hidden? So in this line, what should be written inside the dollar symbols to make the panels display dynamically? Note: I don't need any JS or CSS; I need only a dynamic query. I have searched multiple links, none of which suit my scenario.