I have been working with new inputs for a testing environment and I noticed that at one point the Data Summary said that there were 10 events indexed, with the earliest and latest event being 2 months ago. At first I thought that the indexed data had been erased, but after checking some custom dashboards, executing searches, and checking the server's storage, all the data is still there. Why is the Data Summary not reflecting the reality of the amount of data indexed? It was working fine earlier in the day and the only changes I made were in inputs.conf and props.conf; I didn't change the configuration of the server or the indexes. Running 7.3.4 on a single-instance deployment.
We want to deliver app updates to Phantom automatically via git; we do not want to upload a new app each time one is updated.
Is there a way to add metrics via a Splunk Add-on Builder Python modular input? The Python helper function documentation here (https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/PythonHelperFunctions) doesn't specify adding a metric. Thanks.
I have the following two queries:

index=_internal connection | timechart count by splunk_server

index=_internal cooked connection | timechart count by splunk_server

How can I overlay them?
Say I have data from December to March in a CSV every 5 minutes, and no data from March to April. Say in the month of May I got correct data again. Now I want to compare the count of successes in this hour to the same hour one, two and three weeks back from the same date, but in the month of December, say. How to do it?
Hello Splunk Community, we are implementing Splunk to integrate with Palo Alto firewalls. I have come across the following issues on Palo Alto add-on 6.0.2.

1. Traffic menu item/drop-down: we can see traffic data when running a Splunk query but don't see a drop-down for traffic and other data within the Palo Alto app. Looking at some older deployments on YouTube, that seems to be available. Can we get the same option in the newer version?
2. Getting CPU/Palo health data: how do we query that in Splunk? Is that part of syslog or SNMP? I couldn't find an option to view CPU and other health data in the add-on.
3. Query Palo Alto for live data: we need a dashboard that updates every 5 minutes and can grab running statistics, for example NAT utilization, active clients connected to GlobalProtect, etc. Basically, have Splunk run some commands in Palo to grab that data. Is there some documentation on how to achieve that?
Hi, I want to create a button similar to the export button which will provide different options on click of the button. With the help of @niketnilay's answer I am able to use the code below, but now I want a collection of options in one button, like the export button:

```javascript
require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/simplexml/ready!'
], function (_, $, mvc) {
    var objEditMenu = $("div.dashboard-header-editmenu");
    // A jQuery object is never undefined; check that the edit menu was actually found.
    if (objEditMenu.length > 0) {
        $('<a target="_blank" class="btn edit-btn anchor-right" style="float: right;margin-right: 10px;" href="https://google.com">Google</a>')
            .insertAfter('div.dashboard-header-editmenu');
    }
});
```
Hello. I currently have an existing dashboard that receives data from a query using SQL. I was wondering, how can I add another column above my existing table? Should I use a CSV file or include another query? The image below is what I am currently looking to do. This is what I currently have. Below is the code only for my search; the next block of code after this is the full dashboard.

```javascript
var search1 = new SearchManager({
    "id": "search1",
    "sample_ratio": null,
    "status_buckets": 0,
    "earliest_time": "-1h@h",
    // "earliest_time": "rt-3h",
    "search": "index=\"TEM_dashboard_main\" \
        |eval displayValue=case(TestResult_Value == \"PASSED\", \"low\", TestResult_Value == \"FAILED\", \"severe\") \
        |dedup Application_Name, TestCase_Value, SwimLane_Value, TestResult_Value \
        |sort Application_Name, TestCase_Value \
        |eval QA1 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA1\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA1\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA1\",\"NA\") \
        |eval QA2 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA2\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA2\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA2\",\"NA\") \
        |eval QA3 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA3\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA3\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA3\",\"NA\") \
        |eval QA4 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA4\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA4\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA4\",\"NA\") \
        |eval QA5 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA5\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA5\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA5\",\"NA\") \
        |eval QA6 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA6\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA6\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA6\",\"NA\") \
        |eval QA7 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA7\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA7\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA7\",\"NA\") \
        |eval STG = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"STG\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"STG\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"STG\",\"NA\") \
        |eval STG2 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"STG2\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"STG2\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"STG2\",\"NA\") \
        |eval PVE = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"PVE\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"PVE\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"PVE\",\"NA\") \
        |table Application_Name, TestCase_Value, QA1, QA2, QA3, QA4, QA5, QA6, QA7, STG, STG2, PVE \
        |rename TestCase_Value AS \"Test Case\" \
        |rename Application_Name AS \"Application Name\" \
        |stats values(QA1) as QA1, values(QA2) as QA2, values(QA3) as QA3, values(QA4) as QA4, values(QA5) as QA5, values(QA6) as QA6, values(QA7) as QA7, values(STG) as STG, values(STG2) as STG2, values(PVE) as PVE by \"Application Name\", \"Test Case\" \
        |eval QA1 = if((mvjoin(QA1, \",\") == \"low,severe\" OR mvjoin(QA1, \",\") == \"severe,low\"), \"elevated\", QA1) \
        |eval QA2 = if((mvjoin(QA2, \",\") == \"low,severe\" OR mvjoin(QA2, \",\") == \"severe,low\"), \"elevated\", QA2) \
        |eval QA3 = if((mvjoin(QA3, \",\") == \"low,severe\" OR mvjoin(QA3, \",\") == \"severe,low\"), \"elevated\", QA3) \
        |eval QA4 = if((mvjoin(QA4, \",\") == \"low,severe\" OR mvjoin(QA4, \",\") == \"severe,low\"), \"elevated\", QA4) \
        |eval QA5 = if((mvjoin(QA5, \",\") == \"low,severe\" OR mvjoin(QA5, \",\") == \"severe,low\"), \"elevated\", QA5) \
        |eval QA6 = if((mvjoin(QA6, \",\") == \"low,severe\" OR mvjoin(QA6, \",\") == \"severe,low\"), \"elevated\", QA6) \
        |eval QA7 = if((mvjoin(QA7, \",\") == \"low,severe\" OR mvjoin(QA7, \",\") == \"severe,low\"), \"elevated\", QA7) \
        |eval STG = if((mvjoin(STG, \",\") == \"low,severe\" OR mvjoin(STG, \",\") == \"severe,low\"), \"elevated\", STG) \
        |eval STG2 = if((mvjoin(STG2, \",\") == \"low,severe\" OR mvjoin(STG2, \",\") == \"severe,low\"), \"elevated\", STG2) \
        |eval PVE = if((mvjoin(PVE, \",\") == \"low,severe\" OR mvjoin(PVE, \",\") == \"severe,low\"), \"elevated\", PVE)",
    "cancelOnUnload": true,
    "latest_time": "now",
    // "latest_time": "rt",
    "app": utils.getCurrentApp(),
    "auto_cancel": 90,
    "preview": true,
    "tokenDependencies": {
    },
    "runWhenTimeIsUndefined": false
}, {tokens: true, tokenNamespace: "submitted"});
```

Below is the full code for my current dashboard:

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <title>TEM Availability Dashboard</title>
    <link rel="shortcut icon" href="/en-US/static/@3ECEA41E22B4B4609AFFF030685430A6A32B07C6FF726482FCEB90643E6F8043/img/favicon.ico" />
    <link rel="stylesheet" type="text/css" href="{{SPLUNKWEB_URL_PREFIX}}/static/build/css/bootstrap-enterprise.css" />
    <link rel="stylesheet" type="text/css" href="{{SPLUNKWEB_URL_PREFIX}}/static/build/css/splunkjs-dashboard.css" />
    <link rel="shortcut icon" href="{{SPLUNKWEB_URL_PREFIX}}/static/img/favicon.ico" />
    <link rel="stylesheet" type="text/css" href="/en-US/static/@f4c1eb50e0f3/css/build/bootstrap.min.css" />
    <link rel="stylesheet" type="text/css" href="/en-US/static/@f4c1eb50e0f3/css/build/pages/dashboard-simple-bootstrap.min.css" />
    <link rel="stylesheet" type="text/css" media="all" href="{{SPLUNKWEB_URL_PREFIX}}/static/app/search/dashboard.css" />
    <!-- Contains custom icons: -->
    <!--<link rel="stylesheet" type="text/css" media="all" href="{{SPLUNKWEB_URL_PREFIX}}/static/app/search/custom.css" /> -->
    <meta name="referrer" content="never" />
    <meta name="referrer" content="no-referrer" />
    <style>
        .custom-text-value { font-size: 16px; margin: 55px auto; text-align: center; font-weight: bold; color: rgb(85, 85, 85); }
        .custom-text-value:before { font-family: "Splunk Icons"; font-style: normal; font-weight: normal; text-decoration: inherit; font-size: 110%; }
        .custom-result-value { font-size: 16px; margin: 55px auto; text-align: center; font-weight: bold; color: rgb(85, 85, 85); }
        .custom-result-value:before { font-family: "Splunk Icons"; font-style: normal; font-weight: normal; text-decoration: inherit; font-size: 110%; }
        .severe.custom-result-value:before { content: "\2297"; }
        .severe.custom-result-value { color: rgb(217, 63, 60); }
        .high.custom-result-value { color: rgb(245, 143, 57); }
        .high.custom-result-value:before { content: "\ECD4"; }
        .elevated.custom-result-value { color: rgb(247, 188, 56); }
        .elevated.custom-result-value:before { content: "\26A0"; }
        .low.custom-result-value { color: rgb(101, 166, 55); }
        .low.custom-result-value:before { content: "\ECD3"; }
        .guarded.custom-result-value { color: rgb(109, 183, 198); }
        .guarded.custom-result-value:before { content: "\0049"; }
        .custom-result-value.icon-only { font-size: 90px; }
        td.icon { text-align: center; }
        td.icon i { font-size: 30px; text-shadow: 1px 1px #aaa; }
        td.icon .severe { color: red; }
        td.icon .elevated { color: yellow; }
        td.icon .low { color: #006400; }
        /* Hide the Export button. Both classes sit on one element, so the
           selector needs no space between them. */
        .btn.edit-export { display: none; }
    </style>
</head>
<body class="simplexml preload locale-en" data-splunk-version="7.2.7" data-splunk-product="enterprise">
    <!--
    BEGIN LAYOUT
    This section contains the layout for the dashboard. Splunk uses proprietary
    styles in <div> tags, similar to Bootstrap's grid system.
    -->
    <header>
        <a aria-label="Screen reader users, click here to skip the navigation bar" class="navSkip" href="#navSkip" tabIndex="1">Skip Navigation ></a>
        <div class="header splunk-header">
            <div id="placeholder-splunk-bar">
                <a href="{{SPLUNKWEB_URL_PREFIX}}/app/launcher/home" class="brand" title="splunk > listen to your data">splunk<strong>></strong></a>
            </div>
            <div id="placeholder-app-bar"></div>
        </div>
        <a id="navSkip"></a>
    </header>
    <div class="dashboard-body container-fluid main-section-body" data-role="main">
        <div class="dashboard-header clearfix">
            <h2>TEM Availability Dashboard - Current hour</h2>
        </div>
        <div style="float: right;">
            <input type="button" onclick="location.href='tem_search_ui_html?form.sTime.earliest=-24h%40h&form.sTime.latest=now';" value="Go to Search Screen" />
            <input type="button" onclick="location.href='http://spwaitbussvs/ts/itbs/tem/Shared%20Documents1/Automation/QA%20Availability%20Dashboard%20issue%20tracker.xlsx';" value="Issue log" />
            <input type="button" onclick="location.href='http://spwaitbussvs/ts/itbs/tem/Shared%20Documents1/Automation/TEM%20QA%20Availability%20Dashboard%20FAQ.docx';" value="FAQ" />
            <p></p>
        </div>
        <div id="row1" class="dashboard-row dashboard-row1">
            <div id="panel1" class="dashboard-cell" style="width: 100%;">
                <div class="dashboard-panel clearfix">
                    <div class="panel-element-row">
                        <div id="element1" class="dashboard-element table" style="width: 100%">
                            <div class="panel-body"></div>
                        </div>
                    </div>
                </div>
            </div>
        </div>
        <div style="padding-top: 2%">
            <p>
                <font color="#008000">Green</font>: Test case passed &nbsp;&nbsp;&nbsp;&nbsp;
                <font color="#FFFF00">Yellow</font> - At least 1 step failed &nbsp;&nbsp;&nbsp;&nbsp;
                <font color="#FF0000">Red</font>: All test steps failed &nbsp;&nbsp;&nbsp;&nbsp;
                Blank: No test run. See TEM team for question(s) &nbsp;&nbsp;&nbsp;&nbsp;
                NA: Test intentionally not run
            </p>
        </div>
    </div>
    <!-- END LAYOUT -->
    <script src="{{SPLUNKWEB_URL_PREFIX}}/config?autoload=1" crossorigin="use-credentials"></script>
    <script src="{{SPLUNKWEB_URL_PREFIX}}/static/js/i18n.js"></script>
    <script src="{{SPLUNKWEB_URL_PREFIX}}/i18ncatalog?autoload=1"></script>
    <script src="{{SPLUNKWEB_URL_PREFIX}}/static/build/simplexml/index.js"></script>
    <script type="text/javascript">
    // <![CDATA[
    //
    // LIBRARY REQUIREMENTS
    //
    // In the require function, we include the necessary libraries and modules for
    // the HTML dashboard. Then, we pass variable names for these libraries and
    // modules as function parameters, in order.
    //
    // When you add libraries or modules, remember to retain this mapping order
    // between the library or module and its function parameter. You can do this by
    // adding to the end of these lists, as shown in the commented examples below.
    require([
        "splunkjs/mvc",
        "splunkjs/mvc/utils",
        "splunkjs/mvc/tokenutils",
        "underscore",
        "jquery",
        "splunkjs/mvc/simplexml",
        "splunkjs/mvc/layoutview",
        "splunkjs/mvc/simplexml/dashboardview",
        "splunkjs/mvc/simplexml/dashboard/panelref",
        "splunkjs/mvc/simplexml/element/chart",
        "splunkjs/mvc/simplexml/element/event",
        "splunkjs/mvc/simplexml/element/html",
        "splunkjs/mvc/simplexml/element/list",
        "splunkjs/mvc/simplexml/element/map",
        "splunkjs/mvc/simplexml/element/single",
        "splunkjs/mvc/simplexml/element/table",
        "splunkjs/mvc/simplexml/element/visualization",
        "splunkjs/mvc/simpleform/formutils",
        "splunkjs/mvc/simplexml/eventhandler",
        "splunkjs/mvc/simplexml/searcheventhandler",
        "splunkjs/mvc/simpleform/input/dropdown",
        "splunkjs/mvc/simpleform/input/radiogroup",
        "splunkjs/mvc/simpleform/input/linklist",
        "splunkjs/mvc/simpleform/input/multiselect",
        "splunkjs/mvc/simpleform/input/checkboxgroup",
        "splunkjs/mvc/simpleform/input/text",
        "splunkjs/mvc/simpleform/input/timerange",
        "splunkjs/mvc/simpleform/input/submit",
        "splunkjs/mvc/searchmanager",
        "splunkjs/mvc/savedsearchmanager",
        "splunkjs/mvc/postprocessmanager",
        "splunkjs/mvc/simplexml/urltokenmodel",
        "splunkjs/mvc/tableview",
        "splunkjs/ready!"
        // Add comma-separated libraries and modules manually here, for example:
        // ..."splunkjs/mvc/simplexml/urltokenmodel",
        // "splunkjs/mvc/tokenforwarder"
    ], function(
        mvc,
        utils,
        TokenUtils,
        _,
        $,
        DashboardController,
        LayoutView,
        Dashboard,
        PanelRef,
        ChartElement,
        EventElement,
        HtmlElement,
        ListElement,
        MapElement,
        SingleElement,
        TableElement,
        VisualizationElement,
        FormUtils,
        EventHandler,
        SearchEventHandler,
        DropdownInput,
        RadioGroupInput,
        LinkListInput,
        MultiSelectInput,
        CheckboxGroupInput,
        TextInput,
        TimeRangeInput,
        SubmitButton,
        SearchManager,
        SavedSearchManager,
        PostProcessManager,
        UrlTokenModel
        // Add comma-separated parameter names here, for example:
        // ...UrlTokenModel,
        // TokenForwarder
    ) {
        var pageLoading = true;

        //
        // TOKENS
        //

        // Create token namespaces
        var urlTokenModel = new UrlTokenModel();
        mvc.Components.registerInstance('url', urlTokenModel);
        var defaultTokenModel = mvc.Components.getInstance('default', {create: true});
        var submittedTokenModel = mvc.Components.getInstance('submitted', {create: true});

        urlTokenModel.on('url:navigate', function() {
            defaultTokenModel.set(urlTokenModel.toJSON());
            if (!_.isEmpty(urlTokenModel.toJSON()) && !_.all(urlTokenModel.toJSON(), _.isUndefined)) {
                submitTokens();
            } else {
                submittedTokenModel.clear();
            }
        });

        // Initialize tokens
        defaultTokenModel.set(urlTokenModel.toJSON());

        function submitTokens() {
            // Copy the contents of the defaultTokenModel to the submittedTokenModel and urlTokenModel
            FormUtils.submitForm({ replaceState: pageLoading });
        }

        function setToken(name, value) {
            defaultTokenModel.set(name, value);
            submittedTokenModel.set(name, value);
        }

        function unsetToken(name) {
            defaultTokenModel.unset(name);
            submittedTokenModel.unset(name);
        }

        //
        // SEARCH MANAGERS
        //

        // Can confirm that the search query works.
        var search1 = new SearchManager({
            "id": "search1",
            "sample_ratio": null,
            "status_buckets": 0,
            "earliest_time": "-1h@h",
            // "earliest_time": "rt-3h",
            "search": "index=\"TEM_dashboard_main\" \
                |eval displayValue=case(TestResult_Value == \"PASSED\", \"low\", TestResult_Value == \"FAILED\", \"severe\") \
                |dedup Application_Name, TestCase_Value, SwimLane_Value, TestResult_Value \
                |sort Application_Name, TestCase_Value \
                |eval QA1 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA1\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA1\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA1\",\"NA\") \
                |eval QA2 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA2\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA2\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA2\",\"NA\") \
                |eval QA3 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA3\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA3\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA3\",\"NA\") \
                |eval QA4 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA4\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA4\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA4\",\"NA\") \
                |eval QA5 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA5\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA5\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA5\",\"NA\") \
                |eval QA6 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA6\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA6\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA6\",\"NA\") \
                |eval QA7 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"QA7\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"QA7\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"QA7\",\"NA\") \
                |eval STG = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"STG\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"STG\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"STG\",\"NA\") \
                |eval STG2 = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"STG2\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"STG2\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"STG2\",\"NA\") \
                |eval PVE = case(like(TestResult_Value,\"PASSED\") AND SwimLane_Value==\"PVE\",\"low\", like(TestResult_Value,\"FAILED\") AND SwimLane_Value==\"PVE\",\"severe\", like(TestResult_Value,\"NA\") AND SwimLane_Value==\"PVE\",\"NA\") \
                |table Application_Name, TestCase_Value, QA1, QA2, QA3, QA4, QA5, QA6, QA7, STG, STG2, PVE \
                |rename TestCase_Value AS \"Test Case\" \
                |rename Application_Name AS \"Application Name\" \
                |stats values(QA1) as QA1, values(QA2) as QA2, values(QA3) as QA3, values(QA4) as QA4, values(QA5) as QA5, values(QA6) as QA6, values(QA7) as QA7, values(STG) as STG, values(STG2) as STG2, values(PVE) as PVE by \"Application Name\", \"Test Case\" \
                |eval QA1 = if((mvjoin(QA1, \",\") == \"low,severe\" OR mvjoin(QA1, \",\") == \"severe,low\"), \"elevated\", QA1) \
                |eval QA2 = if((mvjoin(QA2, \",\") == \"low,severe\" OR mvjoin(QA2, \",\") == \"severe,low\"), \"elevated\", QA2) \
                |eval QA3 = if((mvjoin(QA3, \",\") == \"low,severe\" OR mvjoin(QA3, \",\") == \"severe,low\"), \"elevated\", QA3) \
                |eval QA4 = if((mvjoin(QA4, \",\") == \"low,severe\" OR mvjoin(QA4, \",\") == \"severe,low\"), \"elevated\", QA4) \
                |eval QA5 = if((mvjoin(QA5, \",\") == \"low,severe\" OR mvjoin(QA5, \",\") == \"severe,low\"), \"elevated\", QA5) \
                |eval QA6 = if((mvjoin(QA6, \",\") == \"low,severe\" OR mvjoin(QA6, \",\") == \"severe,low\"), \"elevated\", QA6) \
                |eval QA7 = if((mvjoin(QA7, \",\") == \"low,severe\" OR mvjoin(QA7, \",\") == \"severe,low\"), \"elevated\", QA7) \
                |eval STG = if((mvjoin(STG, \",\") == \"low,severe\" OR mvjoin(STG, \",\") == \"severe,low\"), \"elevated\", STG) \
                |eval STG2 = if((mvjoin(STG2, \",\") == \"low,severe\" OR mvjoin(STG2, \",\") == \"severe,low\"), \"elevated\", STG2) \
                |eval PVE = if((mvjoin(PVE, \",\") == \"low,severe\" OR mvjoin(PVE, \",\") == \"severe,low\"), \"elevated\", PVE)",
            "cancelOnUnload": true,
            "latest_time": "now",
            // "latest_time": "rt",
            "app": utils.getCurrentApp(),
            "auto_cancel": 90,
            "preview": true,
            "tokenDependencies": {
            },
            "runWhenTimeIsUndefined": false
        }, {tokens: true, tokenNamespace: "submitted"});

        //
        // SPLUNK LAYOUT
        //
        $('header').remove();
        new LayoutView({"hideSplunkBar": false, "hideAppBar": false, "hideChrome": false})
            .render()
            .getContainerElement()
            .appendChild($('.dashboard-body')[0]);

        //
        // DASHBOARD EDITOR
        //
        new Dashboard({
            id: 'dashboard',
            el: $('.dashboard-body'),
            showTitle: true,
            editable: true
        }, {tokens: true}).render();

        //
        // VIEWS: VISUALIZATION ELEMENTS
        //
        var element1 = new TableElement({
            "id": "element1",
            "count": 20,
            "drilldown": "cell",
            drilldownRedirect: true,
            "managerid": "search1",
            "el": $('#element1')
        }, {tokens: true, tokenNamespace: "submitted"}).render();

        element1.on("click", function(e) {
            // Bypass the default behavior
            e.preventDefault();
            // Cell values are URL-encoded: an application or test-case name
            // containing "&" or "#" would otherwise truncate or add parameters.
            window.open('tem_search_ui_html?appName=' + encodeURIComponent(e.data["row.Application Name"])
                + '&testCase=' + encodeURIComponent(e.data["row.Test Case"])
                + '&swimLane=' + encodeURIComponent(e.data["click.name2"])
                + '&earliest=' + encodeURIComponent(e.data.earliest)
                + '&latest=' + encodeURIComponent(e.data.latest), "_parent");
            // Displays a data object in the console
            console.log("Clicked the table:", e.data);
            //console.log("Clicked the table:", e.data["click.value"]);
            //console.log("Clicked the table:", e.data["click.value2"]);
        });

        // Initialize time tokens to default
        if (!defaultTokenModel.has('earliest') && !defaultTokenModel.has('latest')) {
            defaultTokenModel.set({ earliest: 'rt-1h', latest: 'rt' });
        }

        // Define icons for the custom table cell
        var ICONS = {
            severe: "alert-circle",
            elevated: "alert",
            low: "check-circle"
        };
        var colName = "";

        mvc.Components.get('element1').getVisualization(function(tableView) {
            setTimeout(function() {
                tableView.on('rendered', function() {
                    $("#element1 table thead th").removeClass("sorts").removeAttr("data-sort-key");
                    // Populate dictionary with values from table
                    var tableRows = tableView.$el.find('tbody').children();
                    var tableHeaders = tableView.$el.find('th').children();
                    for (var iRow = 0, row; row = tableRows[iRow]; iRow++) {
                        for (var jCol = 0, col; col = row.cells[jCol]; jCol++) {
                            // Columns 0 and 1 are Application Name and Test Case; the rest are swim lanes.
                            switch (jCol) {
                                case 2:
                                    colName = "QA1";
                                    if (iRow == 0) {
                                        tableHeaders.eq(jCol).html('<a href="temdashboard_html?SwimLane_Value=QA1&earliest=-24h@h&latest=now" target="_blank">QA1</a>');
                                    }
                                    break;
                                case 3:
                                    colName = "QA2";
                                    if (iRow == 0) {
                                        tableHeaders.eq(jCol).html('<a href="temdashboard_html?SwimLane_Value=QA2&earliest=-24h@h&latest=now" target="_blank">QA2</a>');
                                    }
                                    break;
                                case 4:
                                    colName = "QA3";
                                    if (iRow == 0) {
                                        tableHeaders.eq(jCol).html('<a href="temdashboard_html?SwimLane_Value=QA3&earliest=-24h@h&latest=now" target="_blank">QA3</a>');
                                    }
                                    break;
                                case 5:
                                    colName = "QA4";
                                    if (iRow == 0) {
                                        tableHeaders.eq(jCol).html('<a href="temdashboard_html?SwimLane_Value=QA4&earliest=-24h@h&latest=now" target="_blank">QA4</a>');
                                    }
                                    break;
                                case 6:
                                    colName = "QA5";
                                    if (iRow == 0) {
                                        tableHeaders.eq(jCol).html('<a href="temdashboard_html?SwimLane_Value=QA5&earliest=-24h@h&latest=now" target="_blank">QA5</a>');
                                    }
                                    break;
                                case 7:
                                    colName = "QA6";
                                    if (iRow == 0) {
                                        tableHeaders.eq(jCol).html('<a href="temdashboard_html?SwimLane_Value=QA6&earliest=-24h@h&latest=now" target="_blank">QA6</a>');
                                    }
                                    break;
                                case 8:
                                    colName = "QA7";
                                    if (iRow == 0) {
                                        tableHeaders.eq(jCol).html('<a href="temdashboard_html?SwimLane_Value=QA7&earliest=-24h@h&latest=now" target="_blank">QA7</a>');
                                    }
                                    break;
                                case 9:
                                    colName = "STG";
                                    if (iRow == 0) {
                                        tableHeaders.eq(jCol).html('<a href="temdashboard_html?SwimLane_Value=STG&earliest=-24h@h&latest=now" target="_blank">STG</a>');
                                    }
                                    break;
                                case 10:
                                    colName = "STG2";
                                    if (iRow == 0) {
                                        tableHeaders.eq(jCol).html('<a href="temdashboard_html?SwimLane_Value=STG2&earliest=-24h@h&latest=now" target="_blank">STG2</a>');
                                    }
                                    break;
                                case 11:
                                    colName = "PVE";
                                    if (iRow == 0) {
                                        tableHeaders.eq(jCol).html('<a href="temdashboard_html?SwimLane_Value=pve&earliest=-24h@h&latest=now" target="_blank">PVE</a>');
                                    }
                                    break;
                            }
                            var value = col.firstChild.data;
                            var icon = "";
                            var found = false;
                            if (ICONS.hasOwnProperty(value)) {
                                icon = ICONS[value];
                                found = true;
                            }
                            if (found) {
                                //$(col).addClass("icon").html(_.template('<a href="tem_search_ui_html" target="_parent"><i class="icon-<%-icon%> <%-colName%>"></i></a>', {
                                $(col).addClass("icon").html(_.template('<i class="icon-<%-icon%> <%-colName%>"></i>', {
                                    icon: icon,
                                    colName: value
                                }));
                            }
                            $('td:contains("NA")').css("text-align", "center");
                            $('th:contains("QA1")').css("text-align", "center");
                            $('th:contains("QA2")').css("text-align", "center");
                            $('th:contains("QA3")').css("text-align", "center");
                            $('th:contains("QA4")').css("text-align", "center");
                            $('th:contains("QA5")').css("text-align", "center");
                            $('th:contains("QA6")').css("text-align", "center");
                            $('th:contains("QA7")').css("text-align", "center");
                            $('th:contains("STG")').css("text-align", "center");
                            $('th:contains("STG2")').css("text-align", "center");
                            $('th:contains("PVE")').css("text-align", "center");
                            //($('.null').css({'background': '#006eaa', 'opacity': '15%' }));
                        }
                    }
                    // Update table display
                    tableView.render();
                });
            }, 100);
        });

        submitTokens();
        // Reload the page every 10 minutes (a function, not a string, so nothing is eval'd).
        setTimeout(function() { location.reload(); }, 600 * 1000);

        //
        // DASHBOARD READY
        //
        DashboardController.ready();
        pageLoading = false;
    });
    // ]]>
    </script>
</body>
</html>
```
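The dashboard above builds its drilldown URL by concatenating table cell values and writes header links with `.html("<a href=...>")`. As an added example (not code from the post or from Splunk), the helpers below show the same two URL-building steps done with encoding, so that a value containing `&`, `#` or `<` cannot alter the query string or the header markup. Assumed from the post: the view names tem_search_ui_html and temdashboard_html, the query parameter names, and the shape of the SplunkJS TableElement click payload (an object with `row.*` fields and `click.name2`). The sample click payload is constructed. It runs under Node (URLSearchParams is a global) and in the browser.

```javascript
// Swim-lane columns that may become header links; anything else is plain text.
var SWIM_LANES = ["QA1", "QA2", "QA3", "QA4", "QA5", "QA6", "QA7", "STG", "STG2", "PVE"];

// Coerce a possibly-missing click-payload value to a string.
function asText(value) {
    return value === undefined || value === null ? "" : String(value);
}

// Escape the five characters that matter when text is placed inside HTML
// content or a double-quoted attribute value.
function escapeHtml(text) {
    var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
    return String(text).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Cell drilldown target for tem_search_ui_html (assumed view name). Every
// value, including the time range, goes through URLSearchParams, so "&", "#"
// or "?" inside an application or test-case name cannot add or cut parameters.
function buildDrilldownUrl(clickData) {
    var params = new URLSearchParams();
    params.set("appName", asText(clickData["row.Application Name"]));
    params.set("testCase", asText(clickData["row.Test Case"]));
    params.set("swimLane", asText(clickData["click.name2"]));
    params.set("earliest", asText(clickData.earliest));
    params.set("latest", asText(clickData.latest));
    return "tem_search_ui_html?" + params.toString();
}

// Header cell markup for a swim-lane column (temdashboard_html is the assumed
// target view). The column name is checked against the allow-list before it
// is used as a filter value, and both the href and the link text are
// HTML-escaped before the string is handed to jQuery's .html().
function buildHeaderLinkHtml(columnName) {
    if (SWIM_LANES.indexOf(columnName) === -1) {
        return escapeHtml(columnName);
    }
    var params = new URLSearchParams({
        SwimLane_Value: columnName,
        earliest: "-24h@h",
        latest: "now"
    });
    var href = "temdashboard_html?" + params.toString();
    return '<a href="' + escapeHtml(href) + '" target="_blank" rel="noopener">' +
        escapeHtml(columnName) + "</a>";
}

// Constructed sample click payload, in the shape SplunkJS passes to the
// TableElement "click" handler, using names that break naive concatenation.
var sampleClick = {
    "row.Application Name": "Pay & Go",
    "row.Test Case": "login#1",
    "click.name2": "QA1",
    earliest: "rt-1h",
    latest: "rt"
};

if (typeof window === "undefined") {
    // Stand-alone run under Node: print both outputs.
    console.log(buildDrilldownUrl(sampleClick));
    console.log(buildHeaderLinkHtml("QA1"));
}
```

In the dashboard the click handler would call `window.open(buildDrilldownUrl(e.data), "_parent")` and the header loop `tableHeaders.eq(jCol).html(buildHeaderLinkHtml(colName))`. Because the header links are built from the fixed column list rather than from indexed data, the allow-list is what keeps a renamed or unexpected column from turning into a link with an attacker-chosen filter value.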
Hello, I am facing problems with disk usage in Splunk and I've been asked to stop logging certain kinds of logs. I have read about blacklists and whitelists in order to ignore files but I am not able to manage that. All my logs are in /opt/config/logs/splunk and the log I'd like to stop logging has a type "itoken-app.log". I checked in the splunkforwarder to see if these logs were there as well, but they don't appear in that route. Please help in giving me any idea to stop the itoken logs from being in my logs in Splunk. Thanks
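As an added example (not from the post above), this is the inputs.conf shape for the blacklist mechanism the question refers to. The directory is the one given in the question; that a monitor stanza for it exists, and on which instance, is assumed:

```ini
# inputs.conf, on whichever instance owns the monitor input for this directory
# (the forwarder, or the indexer itself if it reads the files locally)
[monitor:///opt/config/logs/splunk]
# Regex matched against the full path of each file; matching files are never read.
# The dot is escaped so the pattern matches "itoken-app.log" but not "itoken-appXlog".
blacklist = itoken-app\.log
```

`splunk btool inputs list --debug` lists every monitor stanza in effect and the file it came from, which is the quickest way to find where /opt/config/logs/splunk is actually picked up when it is not in the forwarder's configuration. A blacklist only stops new data: events already indexed stay until the index's retention settings (frozenTimePeriodInSecs / maxTotalDataSizeMB in indexes.conf) age them out, so disk is not freed immediately.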
Hello Splunkers! New to Splunk, and I am needing to extract a word from a message field. This is the message: "The Cluster Service service entered the running state." I want to extract "running state" and use it to indicate the status of a server. Thank you!
I'm new to the Splunk Machine Learning Toolkit and still deciding what model and algorithm should be used in predicting system outages. It would be a big help if someone can assist me with my inquiries below. Thanks in advance!

1. What are the pros and cons of each model and algorithm?
2. What are the most popular models and algorithms being used in predicting system outages?
3. Is it possible to use multiple data input criteria in machine learning? Example: Row1: AppDynamics business transaction error + Row2: SCOM memory utilization 95% spike. Combination of Row1+2 = system outage.
Hi, I'm wondering if it's possible to do an outer/left join of two tables on two fields. I have two indexes with the following data:

Index1:
col1  col2
123   abc
456   def

Index2:
col1  col2  col3
123   abc   xyz

Desired results:
col1  col2  col3
123   abc   xyz
456   def

Here's my search:

index=index1 |join type=outer col1, col2 [search index=index2 |fields col1, col2, col3] |table col1, col2, col3

The results I get are inconsistent. It seems almost as if Splunk is doing the outer join on the two columns independently, so I get more results than I need. If I remove the "type=outer", making it an inner join, I get the results below, so I know the join works for the inner:

col1  col2  col3
123   abc   xyz

Thanks, AP
Hi, can someone help me in getting output over a 1h interval along with Total requests count, Success count and Failure count? I have written the query below but am not getting the Total count as a separate column for every 1h interval span:

index=dte_fios sourcetype=dte2_Fios FT=*FT | eval Interval=strftime('_time',"%d-%m-%Y %H:%M:%S") | eval Status=case(Error_Code=="0000","Success",1=1,"Failure") | timechart span=1h count by Status

It is giving output as:

_time             Success  Failure
2020-04-20 05:00  120      90

I need output as:

_time             Total  Failure  Success
2020-04-20 05:00  210    90       120
How to configure the Splunk Add-on to be able to ingest GovCloud logs for the us-east region? Is this possible?
Hi all, I have already read several interesting questions regarding this topic. I'd like to verify which approach is better. This wiki entry really helps: https://wiki.splunk.com/Community:HowIndexingWorks (topic 4. Detail Diagram - UF/LWF to Indexer)

Goal: routing of the data to the indexer layer / a specific indexer (Indexer S).
Issue: the first forwarder can't communicate with the indexer directly (e.g. security etc.).

I now see two options.

Option A: I perform nothing with the data on the first (or more) forwarders until I reach the forwarder connected to the IX layer, so to speak passing the data through "raw".

Option B: I cook the data on the first forwarder, and on the following forwarders I configure the next "queue" to be "typingQueue", which should enable the routing capability of each following forwarder in the line.

See the following picture below for details:

Which approach seems more feasible? Thank you in advance for any hints and remarks.

PS. Good input was found here:
https://answers.splunk.com/answers/463643/does-cooked-data-from-a-hf-forwarder-automatically.html
https://answers.splunk.com/answers/97918/reparsing-cooked-data-coming-from-a-heavy-forwarder-possible.html
https://answers.splunk.com/answers/548367/definitions-of-the-route-keys-and-queuenames-for-s.html
Hi Guys,
I have one search query which is combining two searches and giving results. But based on the conditions set in the query, sometimes one field doesn't return any results, so in such a case I want the other fields to also not return any results.

I am using the following stats command to combine the results of the two searches:

stats values(A) as A, values(B) as B, values(C) as C, values(D) as D by name

So if 'D' is null (has not returned any results), then I want all the other fields to also return NO results.

Note - there are multiple values for A, B, C and D for one value of the field "name". For example:

name  A   B   C   D
foo   1   2   3   4
      5   6   7
      10  13  12  14

In the above results I would want 5 6 7 not to be included in the results, since D has not returned any value. The problem is, when the above results are displayed in Splunk, the last result value for D (i.e. 14) is shifted up, so the results are not accurate and it looks like below:

name  A   B   C   D
foo   1   2   3   4
      5   6   7   14
      10  13  12

What I want is:

name  A   B   C   D
foo   1   2   3   4
      10  13  12  14

I don't know whether this is possible or not, as both are completely different searches with just one common field in them, which is "name". Also, if it helps, the values for D are written in one search and the values for A, B and C are returned in the other.

Can someone please check on the possibility of this? Thanks in advance.
Good Morning,

Not sure if this is an answerable question. I am investigating using the Splunkbase "Splunk App for Windows Infrastructure" to gather resource information from our servers for management purposes. I like the interface and it is very informative for us.

The one issue I have is we cannot connect our Splunk deployment to AD (Active Directory) because it is a managed solution exterior to our organization. We have access to our servers as needed, but the support infrastructure behind the servers is outside of our purview.

That said, is there a way to edit the "Splunk App for Windows Infrastructure" so that the server information (names, etc.) is not extracted from AD, but maybe from a file?

I am fairly new to Splunk so this is a bit of a learning curve.

Thank you,
Dan
Trying to connect two queries returning counts from two different searches. I would like to return them as one row that takes the count of records_cycling and the count of records.

This is what I was trying, but when I added the eval it only returned the records_cycling value and nothing in the other columns:

| dbxquery connection="searchDB" query="(SELECT count(1) AS records_cycling from get_work....."
| append [| dbxquery connection="searchDB" query="select count(*) as records from validation "]
| eval Difference = records - records_cycling
| table records records_cycling difference

Ideal results to return:

records | records_cycling | difference
5         2                 3
4         2                 2
I am running a query to find the list of users that received an email from a particular email address. This is working fine until I try to get more details by using inputlookup. I want to use inputlookup to get more details about the users, like their department, location, etc., which can only be done through that. I need to pass the results from the search to get the other details. The search lists all the userids, since I strip out the domain by using the regex.

Here is my query (the sourcetype and the named capture group in the rex were garbled in the post and are corrected here):

sourcetype=sendmail to=* [ search sourcetype=sendmail from=email@gmail.com | fields qid]
| rex field=orig_recipient "(?<orig_recipient>[^@]+)"
| dedup orig_recipient
| inputlookup append=t identity_lookup_expanded where * identity=$orig_recipient$
| table orig_recipient dept email some other fields

Any help would be appreciated!
Hi,
We have a problem with the map display for the mentioned dashboard. First of all, it always starts with a centralized view on Australia only. Secondly, continent names are displayed in German.

How can we fix this? Is there any configuration parameter?