Recently in the afternoons, we see high CPU spikes on the indexer cluster and some indexers reach 100% CPU at some point. How can we detect what causes these spikes? Memory and indexer queues are just perfect.
So I will start with the details of my setup. I am running a single server instance on a network of ~300 endpoints. All of my systems are forwarding to a total of 4 indexes currently. I am using Splunk (currently 7.2.6) strictly for audit collection and review. We have a requirement to send our audit data to our client for their collection requirements as this system is here to support our business with them. They are using RSA's NetWitness and want the data converted to syslog format over UDP. I have seen a few write-ups on this out there but I feel like they do not fit my situation close enough to trust them. So how do I send the data in the 4 relevant indexes to them in syslog format from my Splunk Enterprise server? Also, how do I set a limit on how much and how fast this forwarding would take place? I don't want to kill bandwidth just so they can warehouse data I am already storing. Thanks!
Hi, I am using one table in my dashboard. If possible, I want to display one column's values as a tooltip on another column. Basically, in the table below, the Threshold value needs to be displayed as a tooltip on mouse rollover of Alert_Destription or Issues_Count.
Howdy, I'm struggling with the following and hoping you can help. To summarize, I require a 'value' column, which is the leftmost column that contains all the possible values I have defined in an eval statement. The values in this leftmost column are all the possible values that might be in the data. The other columns consist of all the possible status values that might be in the data. As an example:

Value   Status1 Status2 Status3 Status4
Value1
Value2
Value3
Value4
Value5

All values and statuses must be displayed, whether there is data in the index or not. For example, if I have this data:

Value   Status
Value1  Status1
Value1  Status1
Value1  Status2
Value1  Status3
Value2  Status1
Value2  Status2
Value3  Status3
Value3  Status1

the chart/table result should be as follows:

Value   Status1 Status2 Status3 Status4
Value1  2       1       1       0
Value2  1       1       0       0
Value3  1       0       0       0
Value4  0       0       0       0
Value5  0       0       0       0

I've danced around this for a couple of days without any success. Looked up and tried all sorts of things without success. Any thoughts or help y'all might offer will be greatly appreciated. Thank you. PS: I'm really trying to not use joins in any way, so as to avoid the costs associated with them.
Good morning. I wanted to ask if I could get some assistance/clarification on setting up the Windows host information gathering function in Splunk, not just for local hosts but for remote hosts also, via the universal forwarder. I am trying to follow the following document but I am not clear on how to set things up with a remote server and the universal forwarder: Splunk® Enterprise - Getting Data In - Monitor Windows host information, located here: "https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/MonitorWindowshostinformation"

In the section called "Use Splunk Web to configure host monitoring", subsection "Select the input source", it describes choosing the Local Windows host monitoring option. I have performed the steps outlined and indeed I am getting information from my Splunk server, but it is not entirely clear in the documentation how to perform this on remote servers. When going into Settings > Data inputs > Forwarded Inputs (as opposed to local inputs) > Files and directories > New remote file and trying to set up a new data input, there is no option to set up Windows host information; it appears to be available under the local inputs only. I am sure I am missing something, but I am not sure what that step is. Any guidance/information on how to set this up would be helpful. Thank you, Dan
I have a lookup and would like to extract the date for a time chart. TIA
I have a lookup CSV file which has the following data:

Day         Messages
12/02/2020  1571
12/02/2020  302
12/02/2020  1

What I want to do is read the Day column and then subtract the day from today's date to check if the difference is greater than 30. If the diff > 30, filter it out. I tried the following query and it doesn't work.

| inputlookup messages_per_day.csv | eval today=strftime(now(), "%d/%m/%Y") | eval diff=today - Day
Hello. Has anyone tried the "Windows Remote Management" app with NTLM and HTTP? I can connect to the client via a PowerShell pssession, but the app gives me the error "Bad HTTP request returned from Server". The error codes vary between 404, 403 and 407. Is there a dedicated log with more information or a config file with more options than the GUI? Thank you in advance!
Hello there. There is a report which shows some useful information about some application. Whatever. Now I want to declare in the report the time range (last week, for example 03.02.2020 00:00 until 10.02.2020 00:00). Or maybe there is a possibility to declare the time range in the description of the report, like a variable or something like that. Here is my search string; maybe I can build in something:

index=smsc tag=MPRO_PRODUCTION DATA="8000000400000000" OR "8000000400000058" | dedup DATA | chart count by SHORT_ID, command_status_code | search NOT ESME_RTHROTTLED=0 | eval "THROTTLING %"=(ESME_RTHROTTLED/(ESME_RTHROTTLED + ESME_ROK)*100) | sort - ESME_RTHROTTLED | head 15

Thanks for your help!
Hi Team, I am getting an error notification on the Deployer. I have checked the pass4SymmKey; the encryption is the same for the Deployer and the License Master, and there is no change in the password. Kindly assist to resolve the error. We are running 6.5.0; before the upgrade I need to remove all error notifications.
Hi, is it viable to install the AWS Add-on and SAI 2.0.2 on a standalone Enterprise instance? According to the documentation, SAI 2.0.2 cannot work with the AWS Add-on to monitor AWS events. But can they coexist on the same instance if the AWS App and AWS Add-on are used for monitoring AWS and SAI 2.0.2 is used to monitor Windows and Linux servers?
Hello, I am using the Smart PDF Export app (https://splunkbase.splunk.com/app/4030/). When I am trying to export my dashboard, it gets stuck and won't generate a PDF. My dashboard has 3-4 tables and a couple of charts. I have also increased the row count in limits.conf:

limits.conf
[pdf]
max_rows_per_table = 50000

Tried with a different browser as well, but no luck. Is there anything we can do here?
Hi All, could you please help me with a query to get the Red Hat Linux version on all UFs? I have checked many Splunk Answers; the queries use the metrics logs and I got only the version of Splunk and the OS as Linux, but not the actual Linux version on the host.
Hi, we have a custom template for PDF documents, and we want to print/download a dashboard in the same internal template. Is there any way that we can export the dashboard as a PDF from Splunk in our PDF template/format? Thanks
I've a multiselect:

<label>Grade</label>
<default>9,6,7</default>
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<search>
<query/>
</search>
<initialValue>9,6,7</initialValue>
</input>

I want to pass these selected values in a where clause:

] |inputlookup prod_students.csv | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id| where grade_name IN ("$grade_name$")

The above query is not working. I can't move the where next to the lookup as I'm doing it on the eventstats field.
Hi, I have built a lookup table, definition and automatic lookup. I've set the definition to:

Min Matches - 1
Max Matches - 1
Default Matches - None

The additional lookup fields appear in the data as expected, with 1 result having the value of "None". However, when I click the "None" value it appears as no results found. If I then add a wildcard value before it, "*None", the one result in question appears. Has anyone else come across the same issue? Thanks
Hello Splunkers, I am using | stats count by X, Y at the end of my query. X has 4 possible values and so does Y resulting in 16 different combinations. I need a count of 0 for each combination that doesn't exist. I am trying | appendpipe [| stats count by X, Y | where count = 0] to get additional rows with 0 count but it is not working. Can someone please help me get additional rows in the table with 0 count?
Hello all, I have a requirement where I want to get data from multiple files which are in different indexes and combine the results into a single table. I tried all possible ways using appendcols, nested search, etc. Can anyone please help me in doing this?
My dashboard has multiple panels. One particular panel contains a line chart indicating average response time with a span of 5 min. I want to be able to click any point in the line chart and it should show me, in that same panel, the associated events responsible for generating that point. Basically I want to be able to drill down and see the resulting events in the same place/panel itself. Is it doable in Splunk?
In my dashboard, a table panel which has the percentage of a metric for each month is displayed. Below are the query details:

<Base search> | stats avg(metric_perc) as Metric over Period by Host

Below are the results of my search query:

Sl.No  Period  host1  host2  host3
1      Jan     36     52     64
2      Feb     43     69     66
:      :
12     Dec     26     45     58

I want to highlight only the maximum values of each host for each period. [Note: Here host1, host2 and host3 are not column names; they are values of the column called Host. As I used the keyword over, I got the above table representation with the combination of 3 fields: Metric, Period and Host.] Could someone help me find how I can highlight or color-code only the maximum value of Metric for each host and period?