Hi @All, I created a little app to set the "updateCheckerBaseURL" value to "0". Then I copied it to "/opt/splunk/etc/deployment-apps" on the Deployment Server and changed the folder permissions to the splunk user. The app was deployed to the clients and "./splunk cmd btool web list settings" displays "updateCheckerBaseURL = 0", but the update notification was still there. If I set "updateCheckerBaseURL = 0" directly in "$SPLUNK_HOME/etc/system/local/web.conf", then the update notification is disabled. Please advise - Markus

How would I calculate the percentage increase/decrease for indexes on a per-day basis? Thx
Hey All, We are planning on moving all of our UFs to the low-priv mode install, but I had a question. Our current UFs are on 7.2.4 and we are looking to upgrade very soon. We are also planning on switching all of our UFs to low-priv mode. My question is this: Can we upgrade the UFs to a more recent version and switch them to low-priv mode at the same time? Can we run the installer to upgrade and switch to low-priv mode without having to uninstall the UF first? Thanks, Andrew

journal errors:
2020-02-17 14:25:40,970 ERROR [5e4a9454e57f47298bc7d0] root:769 - Unable to start splunkweb
2020-02-17 14:25:40,970 ERROR [5e4a9454e57f47298bc7d0] root:770 - inconsistent use of tabs and spaces in indentation (HiddenSearchSwapper.py, lin$
Traceback (most recent call last):
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py", line 132, in <module>
    from splunk.appserver.mrsparkle.controllers.top import TopController
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/controllers/top.py", line 27, in <module>
    from splunk.appserver.mrsparkle.controllers.admin import AdminController
  ...
TabError: inconsistent use of tabs and spaces in indentation

Upgrading from version 6 to 7 and then to 8. The first upgrade seemed to go ok. Also lost figuring out if the service gets updated or /opt/splunk/splunk start should be used instead. The odd thing is that ./splunk cmd python --version returns: Python 2.7.17, but the errors talk about python 3.7.
Hi there, How can I clear all of the selected options in a multiselect with one click? Is there a way to make it "reset" the entire box if I want to? Thanks!

I have a query which extracts counts for the last 30 days, but the dates are not in the proper order in the result.
index = *** "search phrase" | stats count by date_mday | rename date_mday as Date
If I make a search today for the last 30 days, the result should be in the below order: 01/18, 19, 20 .......... 02/16, 02/17.
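An added SPL example, not part of either of the two posts above (the per-day percentage change by index, and the out-of-order date_mday result). Bucketing on _time instead of date_mday keeps days in chronological order across a month boundary, and streamstats supplies each index's previous-day count for the percentage. It assumes the index-time fields that tstats can see are enough; where a search phrase is needed, swap the tstats line for the original search followed by `| bin _time span=1d | stats count by _time index`.

```spl
| tstats count WHERE index=* earliest=-30d@d latest=@d BY _time span=1d, index
| sort 0 index _time
| streamstats current=f window=1 last(count) AS prev_count BY index
| eval pct_change=if(isnull(prev_count) OR prev_count=0, null(), round((count - prev_count) / prev_count * 100, 2))
| eval Date=strftime(_time, "%m/%d")
| table Date index prev_count count pct_change
```

pct_change is left empty for the first day of each index and for days following a zero count, rather than producing a division error. For the single-index ordering problem alone, `| bin _time span=1d | stats count by _time | eval Date=strftime(_time, "%m/%d")` is the part that matters: stats by _time sorts by epoch, whereas date_mday is just the day number and restarts at 1 each month.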
Hi, I use the search below in order to count errors by Product and Source:
TOTO (Source="Hang" OR Source="Error") | search Product=* | stats count as count by Product Source
But what I need is to display the columns like this: Product Hang Errors count. I have tested with transpose but it doesn't work. Thanks for your help
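An added SPL example, not part of the post above: chart pivots the Source values into columns directly, so no transpose is needed. It keeps the post's own TOTO prefix and field names and assumes the only Source values of interest are Hang and Error.

```spl
TOTO (Source="Hang" OR Source="Error") Product=*
| chart count OVER Product BY Source
| eval count=coalesce(Hang, 0) + coalesce(Error, 0)
| rename Error AS Errors
| table Product Hang Errors count
```

coalesce() guards the total against a Source value that produced no events in the time range, which would otherwise leave that column null and make the sum null as well.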
Hi there, I have a dropdown input and a multiselect input. I want whatever I select on the dropdown to be "added" to the multiselect input. E.g. if I select car type "Tesla" from my dropdown, I want it to then say "Tesla" in my multiselect. If I go back to the dropdown and select "Ford", I want it to add that to the multiselect as well, so in the multiselect I would then have both cars listed. Anyone know how to achieve this with tokens? Thanks!

Splunk query to check what data retention is set for hot/warm and cold for each index
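An added SPL example, not part of the post above. It reads the index definitions over REST; the settings that decide retention are frozenTimePeriodInSecs (age at which buckets are frozen) and the size limits (maxTotalDataSizeMB plus the per-path homePath.maxDataSizeMB and coldPath.maxDataSizeMB), while maxWarmDBCount and the homePath size govern when warm buckets roll to cold. It assumes the role running it may call the indexes endpoint on each indexer that is a search peer.

```spl
| rest /services/data/indexes count=0
| search disabled=0
| eval frozen_after_days=round(frozenTimePeriodInSecs / 86400, 1)
| table splunk_server title frozen_after_days maxTotalDataSizeMB maxWarmDBCount maxHotBuckets homePath.maxDataSizeMB coldPath.maxDataSizeMB homePath coldPath coldToFrozenDir
| sort title splunk_server
```

Whichever limit is hit first wins: an index with a 365-day frozenTimePeriodInSecs but a small maxTotalDataSizeMB will freeze data long before a year, so both columns have to be read together. An empty coldToFrozenDir means frozen buckets are deleted rather than archived.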
Hi, It would be great if someone out there who has a better understanding of source typing than I could give us some help. We've recently moved from a setup whereby Log Insight sent logs to Syslog-NG, which then passed the information to Splunk. This was sourcetyped into 91 different source types. We removed Log Insight from the mix and the data now going into Splunk is split into over 300 source types. We would like the source types to be synced with the previous source types. I've looked at inputs.conf, props.conf and transforms.conf and they don't contain the source type we've been using for NSX logs. We are using the same HEC token for the data coming in. We have scripts running but these aren't creating the source types in question. It would be great to hear any thoughts on this. Rob

Is it possible to restrict some users/roles from running searches over all time?
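An added configuration example, not part of the post above. authorize.conf has a per-role srchTimeWin setting that caps the time span of any search the role runs; the role name below is hypothetical and the window is an assumed 30 days.

```ini
# authorize.conf ($SPLUNK_HOME/etc/system/local/ or an app's local/ directory)
# Hypothetical role name; substitute your own.
[role_limited_analyst]
importRoles = user
# Maximum time span of a search, in seconds (2592000 = 30 days).
# -1 means unlimited, which is what an "All time" search needs.
srchTimeWin = 2592000
```

Two caveats worth checking after applying this: the least restrictive srchTimeWin among all of a user's roles is the one that applies, so a user who also holds a role with -1 is not limited, and the setting constrains the span of the time range rather than how far back it may start.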
Hi, I am trying to build a dashboard which will list performance stats for VMware like CPU, memory and storage utilization for both Linux and Windows machines. I used the SPL below to fetch VMware events.
index=vmware-perf sourcetype=vmware:perf:cpu
Sample event:
1/7/20 9:44:00.000 AM
moid uuid instance samp_int p_summation_cpu_costop_millisecond p_average_cpu_totalCapacity_megaHertz p_average_cpu_reservedCapacity_megaHertz p_summation_cpu_used_millisecond p_average_cpu_usagemhz_megaHertz p_average_cpu_usage_percent p_average_cpu_latency_percent p_summation_cpu_ready_millisecond p_summation_cpu_wait_millisecond p_average_cpu_utilization_percent p_average_cpu_demand_megaHertz p_summation_cpu_swapwait_millisecond p_average_cpu_coreUtilization_percent p_summation_cpu_idle_millisecond p_average_cpu_readiness_percent
host-81 b5250000-0100-0000-0000-00000000000d 46 20 54 0.27 0.72 0.8 9971
host-81 b5250000-0100-0000-0000-00000000000d 47 20 4 0.02 0.42 0.8 9971
host-81 b5250000-0100-0000-0000-00000000000d 44 20 28 0.14 0.54 1.35 9949
host-81 b5250000-0100-0000-0000-00000000000d 45 20 74 0.36 1.13 1.35 9949
But I could not identify the CPU-related fields here. Please suggest.

Hi, Please find the below sample data. In my above data, there is a series of QueueNames (A, B, C, D, E) which will be indexed every 5 mins into Splunk with a Message_In_Queue value and Snapshot as the time. There are RiskpointValue, ThresholdTime and MailID, which are constant and never change.
Alert condition: I need to generate the alert if the Message_In_Queue value is continuously greater than RiskpointValue for that ThresholdTime.
Example: For QueueName "A", need to check the last 10 mins. If you see, QueueName A has ThresholdTime as 10 mins and RiskpointValue as 1000, so for QueueName "A" we need to check the last 10 mins of snapshots and compare Message_In_Queue with RiskpointValue. If it is greater in all the snapshots, we need to send an alert to the user (a@gmail.com).
Similarly:
For QueueName "B", need to check the last 5 mins
For QueueName "C", need to check the last 15 mins
For QueueName "D", need to check the last 20 mins
Please help me on how to achieve this dynamic case?
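An added SPL example, not part of the post above. Because ThresholdTime is carried on every event, each event can compute its own window start with relative_time(), and a per-queue stats can then compare the number of snapshots in that window with the number that breached RiskpointValue. The index name and the 5-minute sample interval are assumptions; the field names are the post's own.

```spl
index=queue_metrics earliest=-30m
| eval window_start=relative_time(now(), "-" . ThresholdTime . "m")
| where _time >= window_start
| stats count AS snapshots,
        sum(eval(if(Message_In_Queue > RiskpointValue, 1, 0))) AS breaches,
        min(Message_In_Queue) AS lowest_in_window,
        max(RiskpointValue) AS RiskpointValue,
        max(ThresholdTime) AS ThresholdTime,
        values(MailID) AS MailID
  BY QueueName
| eval expected_snapshots=floor(ThresholdTime / 5)
| where snapshots >= expected_snapshots AND breaches == snapshots
```

The search window (earliest=-30m) only needs to cover the largest ThresholdTime in the data; each queue trims itself further via window_start. The expected_snapshots check stops a queue from alerting on a single breaching sample when the others are missing. Schedule it every 5 minutes and trigger the alert "for each result" so that $result.MailID$ in the email action resolves per queue rather than to the first row only.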
Hi all, can I use the "Hunk App for MongoDB" to connect to a MongoDB replica set? How? Thank you G.

Hello, I have this data which I want to extract into fields:
230.00 36.220 00000111 1 07 103442 07:15 06/01/20 95 ‰† 05 ˆ˜‹€˜™‰ 040000 0005326100352697670 00000001 00050001 6.350 0000000000000000000 2914908 2 00 411 1
I have an unknown number of spaces at the beginning and an unknown number of spaces between fields... Can someone help with the regex so I can extract the data in the props.conf file? Thanks Ran

I have two fields, total_size and size_used. How can I calculate %used and output it as a new field, %used? TIA
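An added props.conf example, not part of the post above. The pattern anchors at the start of the line, lets `^\s*` swallow any leading whitespace, captures each token with `\S+` and absorbs a run of any length between tokens with `\s+`, so the column positions no longer matter. The sourcetype and the field names are placeholders, since the post does not say what the columns mean; only the clock time and date tokens are given tighter patterns.

```ini
# props.conf, search-time extraction for the whitespace-separated feed above
# (hypothetical sourcetype name and placeholder field names)
[positional_feed]
EXTRACT-positional = ^\s*(?<field1>\S+)\s+(?<field2>\S+)\s+(?<field3>\S+)\s+(?<field4>\S+)\s+(?<field5>\S+)\s+(?<field6>\S+)\s+(?<event_time>\d{2}:\d{2})\s+(?<event_date>\d{2}/\d{2}/\d{2})\s+(?<field9>\S+)
```

Extend the chain one `\s+(?<name>\S+)` at a time for the remaining columns; if any column can be empty in some records, `\S+` will silently shift every later field by one, so add the extraction and check a few events with `| rex` in search before committing it.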
Hi all, I need to connect to a dashboard using enable_insecure_login; I have the root endpoint configured as "/splunk". I have 2 search heads and I need to use a load balancer like https://myloadbalancer/splunk/it-IT/account/insecurelogin?return_to=%2Fit-IT%2Fapp%2Fsearch%2Fsearch?loginType=splunk&username=myusername&password=mypwd However the browser "removes" the root endpoint from the URL so the login does not work. Any suggestions? Thank you Giorgio

I am trying to set 2 tokens based on field and match, but I think if the 1st condition is matched, the 2nd is not evaluated, so please suggest the correct method of doing this. The following is what I tried:
<condition field="field1">
  <set token="clicked_field">field1</set>
</condition>
<condition match="$row.field1$==value1">
  <set token="temp">"v1 v2"</set>
</condition>

As I asked, if I set up a blacklist to deny some logs, do the dropped logs still occupy the license quota?
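An added Simple XML example, not part of the post above. Drilldown conditions are evaluated in order and only the first one that matches is applied, so a click that needs both tokens has to set both inside one condition; the more specific match goes first and the plain field condition acts as the fallback. $click.name2$ holds the clicked column name, and string literals inside match must be quoted (as &quot; in the attribute).

```xml
<drilldown>
  <!-- Most specific first: a click on field1 whose row value is value1 sets both tokens -->
  <condition match="$click.name2$==&quot;field1&quot; AND $row.field1$==&quot;value1&quot;">
    <set token="clicked_field">field1</set>
    <set token="temp">v1 v2</set>
  </condition>
  <!-- Any other click on field1: set clicked_field and clear a stale temp -->
  <condition field="field1">
    <set token="clicked_field">field1</set>
    <unset token="temp"></unset>
  </condition>
  <!-- Clicks on any other column: clear both -->
  <condition>
    <unset token="clicked_field"></unset>
    <unset token="temp"></unset>
  </condition>
</drilldown>
```

Without the unset in the fallback branches, a token set by an earlier click survives later clicks that do not match, which is the usual cause of a panel that appears to ignore the second condition.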
Apologies if this has been asked before, or if the answer is all too obvious... Where is the TRUNCATE setting for sourcetype="web_ping:response" for the "Website Monitoring" app? I just updated the app to the latest release (2.9.1), which adds the "Save the response body" option, and it seems the response is truncated at 1,000 characters. Thanks!