Hi,
I need to list all the source server details (hostname and IP address), including log paths and log file names, for the servers that are sending logs to the Splunk environment. The following query doesn't fetch the IP address. Is there any better way to do it?
index=*
| stats values(source) as sources ,values(sourcetype) as sourcetype by host
Deployed splunk-connect-for-kubernetes in the cluster.
It seems logs from pods are not getting forwarded to the indexer.
1) logs from kubectl logs
2) logs within the pods - I used the command kubectl exec -it /bin/bash to log in and check those logs, but how can those logs get pushed to the indexer?
Any help is appreciated, and thanks in advance!
I am getting a 500 internal server error with the below message when I try to access "manage app" or "data input":
File "C:\Program Files\Splunk\Python-3.7\lib\site-packages\cherrypy\_cprequest.py", line 628, in respond
self._do_respond(path_info)
File "C:\Program Files\Splunk\Python-3.7\lib\site-packages\cherrypy\_cprequest.py", line 687, in _do_respond
Help please
Hi All,
I am new to Splunk. Here is my requirement: I have passed a log directory to the forwarder. Now I want to read the logs and generate alerts when the log file contains "file(s) count is 2" or greater than 1. (The condition is: File(s) count is greater than 1.)
Your help would be really appreciated.
Thanks in advance.
Hi,
We are currently using https://github.com/splunk/splunk-library-javalogging to transport log messages via HEC from our Cloud Foundry business applications to Splunk. However, we are facing some problems with it right now. It seems that pull request #72 (https://github.com/splunk/splunk-library-javalogging/pull/72) will fix our problem.
What can we do in order to get that pull request merged into the main version? Should we just raise a regular Splunk case for this?
Thanks - Lorenz
Can Splunk search different indexes that contain different fields, and present that data in a readable format?
I am trying to use one search that looks in index A for specific fields, then another search for index B, looking for different fields than are contained in index A.
This is in an attempt to produce a daily report that gives us a single email showing different tables of:
cpu percentage
drive full percentage
status of an application (running/stopped)
etc.
Or is there perhaps a way that Splunk can merge separate reports into one and email it out in the message body?
I will continue looking, but any help is appreciated. Thanks.
I am building an LSTM autoencoder to detect anomalies in time series data.
In the JupyterLab environment, I am able to run my code and I am getting the expected result.
When I try to run it through the search bar in Splunk, the following things happen:
1. The fit command actually triggers the training and the model gets generated. I can see the model in the JupyterLab environment.
2. When I apply the model, either the container is unresponsive for some time and then crashes, or I get a shape error for the same data which worked in JupyterLab.
This is the command I am running:
index="test_50" | head 3000 | apply app:lstm_autoencoder
Could you please help me resolve this issue? Any documentation on how the code interacts with the Splunk container would also help.
I am uploading a JSON file into a test index and I'm trying to set the timestamp format and prefix. The events in the JSON file always start as follows:
{'received': '2020-02-27 10:49:07', 'operator_id': None, 'sender':
I configured the timestamp format as follows:
%Y-%m-%dT%H:%M:%S
and the timestamp prefix as:
'(\d{4})-(\d{2})-(\d{2})\s(\d{2}:\d{2}:\d{2})'
When I tab out of the field, I still get the message "No results found. Please change source type, adjust source type settings, or check your source file."
Is there something wrong with my format or prefix (or both)?
Thx
How would I go about adding a custom SMTP mail header to alert emails?
We are making use of SendGrid and I would like to be able to use their "category" feature to track emails related to different use cases.
Ideally I'd like NOT to customise the Python script used to send emails.
Hello,
I am running the below search daily (last 24h), which returns results and writes them with "outputlookup" into a CSV named based on "xyz_NO_of_day".
It runs fine if I run the search on the same day (i.e. close to midnight), but the source gets inputs after midnight, so I miss data and had to run the search the next day, i.e. at 04:30am the following day.
Running the same search the next day returns a file name based on that day (the next day).
So I would like to run the search on the next day, i.e. running the search on day 09 @ 04:30am (searching the day before, which is day 8); it should | eval filename=strftime(now(), "Application-license-usage-per_day_%d.csv") where %d is counted as the day before = 8, not 9.
I tried the following without results:
| outputlookup [ | stats count | eval filename=strftime(now(), "-1d", "Application-license-usage-per_day_%d.csv") | return $filename]
Do you have any idea how to fix it?
Below is the initial search:
index="application-license" sourcetype=application License_User_device=* License_feature_status="OUT" License_user=*
| eval License_feature_status=(License_feature_status)
| eval License_User_device=split(License_User_device,",")
| eval License_user=split(License_user,",")
| makemv delim="," License_user
| mvexpand License_user
| sort License_user
| dedup License_user
| stats list(License_user) as "User" list(License_User_device) as "Computer" count(License_feature_status) as "LicenseTaken" by _time
| outputlookup [ | stats count | eval filename=strftime(now(), "Application-license-usage-per_day_%d.csv") | return $filename]
Thanks in advance
I have a link switcher to filter the data; when I select any particular option, the token for it is passed into the query of Maps+.
query: index="indexA"|where TOTAL="$token$" |eval icon=if(Active=1,"building","car")| table latitude,longitude,icon,TOTAL
Here I am passing the token when the user clicks on any button (please check the image); when I switch from button "A" to button "B", the result of button "A" is still visible on the map until I refresh the dashboard (using F5).
Is there any way I can refresh this dashboard using some token or any other way? I have also tried searchWhenChanged=true but it is not working for me.
The same logic is working fine in Splunk 7.2.4. Is this a known issue for this version (Splunk 6.6.3)?
Please help me find a solution for this.
In a multi-site cluster Splunk replicates the data to the remote site, but does Splunk also replicate the index information, or is indexing left up to the remote site indexer? Also, does Splunk replicate raw data or compressed data?
I was not aware of the existence of Splunk Ideas until I saw another post reference it in another thread.
Splunk Ideas allows community users to propose (and vote on) 'ideas' or feature requests for future development by Splunk. If you already have an Answers account, you too can submit your ideas and vote for ideas you would like to see potentially included in future releases.
I think this is another great way for the Splunk Community to help shape the product we use, and I think users should be encouraged to submit suggestions and review other people's proposals.
I had completely missed any announcement of this feature, so I am posting here in the hope that others might also discover this community offering. (I'm not a Splunker - just an Answers member who thinks this could use more visibility.)
An overview of the ideas process is documented here: https://docs.splunk.com/Documentation/Community/latest/community/SplunkIdeas
Or jump straight in, and submit your suggestions, and vote on others here: https://ideas.splunk.com/ideas
If you have submitted an "idea", please feel free to post an "answer" below to promote your fresh idea, and encourage others to consider/vote for it.
Moderators: Would it be possible to feature this post for a few days so that it gets some visibility?
I have 3 panels in the same row in my dashboard. My requirement is that if I click the 1st panel, the 2nd and 3rd panels should be blurred, or in other words click functionality should not be enabled. How do I do that? Help me out please.
I'm trying to eliminate results below a threshold with dc and it's not working. I only want to show versions that have at least 10 users. Here's some of what I've tried:
Syntax error
index = data | timechart span=1w dc(userid) as Users by version where Users > 10
Only get 1 result back, for the version "OTHER"
index = data | timechart span=1w dc(userid) as Users by version where dc > 10
No results
index = data | timechart span=1w dc(userid) as Users by version | where Users > 10
index = data | timechart span=1w dc(userid) as Users by version | where version > 10
Nothing is filtered (count and dc are clearly different values)
index = data | timechart span=1w dc(userid) as Users by version where Users > 10 where count > 10
Thanks
I am trying to set up a dropdown over 90000 unique values, but not all the values are coming in the dropdown. Why is this happening? Are there any limitations?
How can I run a saved search every 2 minutes past each 30-minute interval, i.e. it should run at 2:02, 2:32, 3:02, 3:32? I tried 2/30 * * * *, but it is showing as an invalid format.
Hi, I have the Universal Forwarder on my Windows XP machine. I enabled boot-start upon installation, but upon rebooting the machine, the Splunk forwarder is not running and needs to be started manually. Has anyone encountered this type of problem, and do you have a solution for it? Thanks!