I have a field named '_@timestamp' in my data. When I search for this field, the result doesn't show up. Maybe because this is being treated as an internal field by Splunk. How do I query for this field?

index::<> | fields _@timestamp time

The Fields section resulting from the search only has the time field, not _@timestamp.
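Added example, not from the original post: one way to get at an underscore-prefixed field, assuming the field really is extracted under the name _@timestamp and using myindex as a placeholder index name. Splunk hides fields whose names start with an underscore from the fields sidebar, and the @ means the name has to be quoted, so the search renames it first and then checks how many events actually carry it.

```spl
index=myindex
| rename "_@timestamp" AS at_timestamp
| eval has_ts=if(isnotnull(at_timestamp), "yes", "no")
| stats count BY has_ts
```

Swap the last line for `| table _time at_timestamp` to list the values. Inside eval the unrenamed field is referenced with single quotes, as `'_@timestamp'`. If has_ts is "no" for every event, the field is not being extracted at all (sourcetype or props.conf), which is a different problem from it merely being hidden in the sidebar.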
Hi everyone, I am ingesting CSV files that contain information about views of certain web pages. These files are updated once a day. I need Splunk to take only the new events when the file is updated. Example: if the first file ends on day 20, the second time it is updated I am no longer interested in seeing old events; I just want Splunk to take the values from day 21. Does anyone have any idea how I can do it? Thank you
I want to open a search with the case number the user clicked in the attached table sample. Currently, my search is getting the ANI information dynamically from the form, but I want the drill-down to get the ANI as well as the clicked CASE_NUMBER. Referring to the example given below, in the panel named "Caller Actions by Unique Cases and DNISs", I want that if I click on CASE_NUMBER 46770533, the search should take search parameters like "CASE_NUMBER=46770533" AND "ANI=1234567890" (the one entered in the form above). Thanks in advance.
Hi, I am developing a team dashboard for monitoring AWS servers, and I was wondering whether it is possible to incorporate the AWS Availability RSS Feed into a dashboard. This would be from this group of RSS feeds: https://status.aws.amazon.com/ . I can't see this documented anywhere. Thanks
Would just adding the stanza below be sufficient to disable a saved search in default/savedsearches.conf?

disabled = 1

How can I disable or enable a saved search in Splunk from the config side? Is there any particular location in savedsearches.conf where I should be using that disabled stanza, or can I use it anywhere under the saved search? By default, if I don't provide the disabled stanza, what would the default value be for that saved search?
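Added example, not from the original post. The disabled setting goes directly under the saved search's own stanza header, which is the search's name, as in `[My Saved Search]` followed by `disabled = 1`; savedsearches.conf.spec gives the default as 0, so a search with no disabled line is enabled. Put the override in the owning app's local/savedsearches.conf rather than default/, since default/ is replaced on app upgrade. To confirm what the merged configuration says, this search reads the saved-search REST endpoint; "My Saved Search" is a placeholder name.

```spl
| rest /servicesNS/-/-/saved/searches count=0 splunk_server=local
| search title="My Saved Search"
| table title eai:acl.app eai:acl.owner disabled
```

A disabled value of 1 in that table means the merged config has the search off, whichever file set it. On the command line, `splunk btool savedsearches list "My Saved Search" --debug` prints each effective line together with the file it came from, which is the quickest way to see whether a default/ or local/ copy is winning.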
Hi, I have been working on Splunk-Zipkin integration. What I have done so far:

- Distributed tracing between Spring Boot (Cloud Sleuth) apps and a Zipkin server: I could see the span ID and trace ID through Zipkin
- Connection between Spring Boot (Cloud Sleuth) apps and Splunk Enterprise (local) using the HTTP Collector: I could see the logs through Splunk

But what I wanted to know is whether I can connect Zipkin and Splunk so that the flow will look like [ Spring Boot apps -> Zipkin -> Splunk ], not [ Spring Boot apps -> Zipkin ] [ Spring Boot apps -> Splunk ]. Is there any tutorial or documentation about this? Thank you
Hi, I configured my statsd daemon and Splunk on the same instance, with the statsd daemon on port 8125. When I try to configure the UDP input in Splunk I receive this message:

Parameter name: UDP port 8125 is not available.

Why?
I have a top-level playbook that calls two playbooks, one that does some analysis and a second one that promotes the event to a case based on artifacts created by the first playbook, and it does not appear to honor the Synchronous flag.

Playbook 1:
- Calls Playbook A, which does some analysis. Playbook A calls Playbook B based on some indicators to query Splunk for additional data and adds new artifacts.
- Calls Playbook C, which will promote the event to a case and send out email notifications based on data in the artifacts.

All the playbook blocks have Synchronous turned on, and yet Playbook C runs immediately after Playbook A launches. Playbook C does not wait for Playbook A to finish. I've created some simple playbooks to test Synchronous and it does not appear to exhibit the behavior stated in the documentation: "To set the called playbook to run in synchronous mode, click the Synchronous toggle. This makes the calling playbook wait for the called playbook to complete before continuing." What am I missing?
Hello, I would like to use the apps from Aplura to monitor my network activities, such as authentication, network traffic and more. However, I didn't find any documentation that can help me with this configuration. Can you help me, please?
I have loaded Splunk Connect for Syslog using Podman on a RHEL 7.x OS and wanted to know if we can get a bash shell with root privileges to make some modifications to better suit our specific needs.
This is really strange. I am seeing in the job manager that there are many jobs running with a created-at date of 12/31/69, with runtime "waiting" and status "running". I tried deleting those jobs but they keep coming back. How do I resolve this issue? We don't have any real-time searches running; I changed all of them to scheduled. Thanks in advance
Hi, I would like to schedule PDF delivery from a dashboard, but the link is unclickable. My role includes the schedule_search capability, so I don't understand why I can't. Is there something else to activate? Thanks in advance for your help. PS: my email server is correctly configured; "sendemail" runs correctly in a query.
So I have a "complex search" on a dashboard with a search and a subsearch. I currently have two time pickers on said dashboard, but would like only one. The main search is looking at timepicker1 via token1, and the subsearch is looking at timepicker2 via token2. What I want to do is have the subsearch look at token1 and take 7 days off, so I can do a comparison, so "selectedtime-7d". Is something like this possible? I have done quite a bit of tinkering with no success.

EX:

index=logs appname=web earliest=$token1.earliest$ latest=$token1.latest$ | appendcols [search index=logs appname=web earliest=$token2.earliest$ latest=$token2.latest$]

In theory, for the subsearch I would like it to be something like:

[search index=logs appname=web earliest=($token1.earliest$-7d) latest=($token1.latest$-7d)]

Any way to make this happen?
Is there a way to remove the "Share" arrow (next to the stop button, below a search)? When a link is provided to other users, they are able to see the results (even if they do not have access to run the search). Thanks!
Hello, I would like to request help. All searches that I do on my indexer, whether through Search & Reporting or some dashboard, show the message "Could not load lookup = lookup_table". The search is still being performed, and this error only occurs on my indexer instance. How can I solve this problem?
Hi, I would like to be able to add an icon to my nav menu which opens a link when I click on it. Is that possible, please? Regards
Hi, I have lately seen an issue where some scheduled alerts that contain attachments seem to get emailed to me one hour later than scheduled. I assume this has to do with the volume of alerts and searches scheduled, but I haven't been able to nail it down. When I look in the metadata for information about the delayed scheduled search, it does show that it ran at the scheduled time; however, the email alert often arrives exactly one hour later in my inbox. Has anyone had experience with this kind of issue? Oliver
I am trying to fetch logs using the Microsoft Azure Add-on for Splunk app to pull logs from Azure AD. It is not fetching the logs, and I received the error below. This app is trying to query an endpoint that is available for Azure AD and not for B2C for polling the logs. Please suggest a fix if anyone has configured this.
Hi, we have nearly 50 columns and we want to extract the count for each column based on a condition and represent it in a bar chart. Below is the query we are using in Splunk. As it is taking time and causing performance issues, please suggest a way to optimize it.

index="roche_aid3" "Appl ID"!=blank | eventstats count("Appl ID")
| append [search index="roche_aid3" "Appl ID"=blank | rename "Appl ID" as "Appl Count" | eventstats count("Appl Count")]
| append [search index="roche_aid3" "Appl Name"!=blank | eventstats count("Appl Name")]
| append [search index="roche_aid3" "Appl Name"=blank | rename "Appl Name" as "Appl Name1" | eventstats count("Appl Name1")]
| append [search index="roche_aid3" "Appl Description"!=blank | eventstats count("Appl Description")]
| append [search index="roche_aid3" "Appl Description"=blank | rename "Appl Description" as "Appl Desctn" | eventstats count("Appl Desctn")]
| append [search index="roche_aid3" "Appl Size"!=blank | eventstats count("Appl Size")]
| append [search index="roche_aid3" "Appl Size"=blank | rename "Appl Size" as "Appl Size1" | eventstats count("Appl Size1")]
| append [search index="roche_aid3" "Service Level"!=blank | eventstats count("Service Level")]
| append [search index="roche_aid3" "Service Level"=blank | rename "Service Level" as "Service Level1" | eventstats count("Service Level1")]
| append [search index="roche_aid3" "Lifecycle Stage"!=blank | eventstats count("Lifecycle Stage")]
| append [search index="roche_aid3" "Lifecycle Stage"=blank | rename "Lifecycle Stage" as "Lifecycle Stage1" | eventstats count("Lifecycle Stage1")]
| append [search index="roche_aid3" "Geographic Scope"!=blank | eventstats count("Geographic Scope")]
| append [search index="roche_aid3" "Geographic Scope"=blank | rename "Geographic Scope" as "Geographic Scope1" | eventstats count("Geographic Scope1")]
| append [search index="roche_aid3" "Line Of Business"!=blank | rename "Line Of Business" as "LOB" | eventstats count("LOB")]
| append [search index="roche_aid3" "Line Of Business"=blank | rename "Line Of Business" as "LOB1" | eventstats count("LOB1")]
| append [search index="roche_aid3" "Business Function"!=blank | eventstats count("Business Function")]
| append [search index="roche_aid3" "Business Function"=blank | rename "Business Function" as "Business Function1" | eventstats count("Business Function1")]
| append [search index="roche_aid3" "Business Criticality"!=blank | eventstats count("Business Criticality")]
| append [search index="roche_aid3" "Business Criticality"=blank | rename "Business Criticality" as "Business Criticality1" | eventstats count("Business Criticality1")]
| append [search index="roche_aid3" "Parent Org"!=blank | eventstats count("Parent Org")]
| append [search index="roche_aid3" "Parent Org"=blank | rename "Parent Org" as "Parent Org1" | eventstats count("Parent Org1")]
| append [search index="roche_aid3" "Appl Category"!=blank | eventstats count("Appl Category")]
| append [search index="roche_aid3" "Appl Category"=blank | rename "Appl Category" as "Appl Category1" | eventstats count("Appl Category1")]
| append [search index="roche_aid3" "Appl Group"!=blank | eventstats count("Appl Group")]
| append [search index="roche_aid3" "Appl Group"=blank | rename "Appl Group" as "Appl Group1" | eventstats count("Appl Group1")]
| append [search index="roche_aid3" "Appl Subtype"!=blank | eventstats count("Appl Subtype")]
| append [search index="roche_aid3" "Appl Subtype"=blank | rename "Appl Subtype" as "Appl Subtype1" | eventstats count("Appl Subtype1")]
| append [search index="roche_aid3" "Service Model"!=blank | eventstats count("Service Model")]
| append [search index="roche_aid3" "Service Model"=blank | rename "Service Model" as "Service Model1" | eventstats count("Service Model1")]
| append [search index="roche_aid3" "Degree of Customization"!=blank | rename "Degree of Customization" as "Customization" | eventstats count("Customization")]
| append [search index="roche_aid3" "Degree of Customization"=blank | rename "Degree of Customization" as "Customization1" | eventstats count("Customization1")]
| append [search index="roche_aid3" "Security Category"!=blank | eventstats count("Security Category")]
| append [search index="roche_aid3" "Security Category"=blank | rename "Security Category" as "Security Category1" | eventstats count("Security Category1")]
| append [search index="roche_aid3" "Technology Stack"!=blank | eventstats count("Technology Stack")]
| append [search index="roche_aid3" "Technology Stack"=blank | rename "Technology Stack" as "Technology Stack1" | eventstats count("Technology Stack1")]
| append [search index="roche_aid3" "Install type"!=blank | eventstats count("Install type")]
| append [search index="roche_aid3" "Install type"=blank | rename "Install type" as "IT" | eventstats count("IT")]
| append [search index="roche_aid3" "H_W Platform Version"!=blank | rename "H_W Platform Version" as "H_W" | eventstats count("H_W")]
| append [search index="roche_aid3" "H_W Platform"=blank | rename "H_W Platform" as "H_W Platform1" | eventstats count("H_W Platform1")]
| append [search index="roche_aid3" "OS Platform Version"!=blank | rename "OS Platform Version" as "OS" | eventstats count("OS")]
| append [search index="roche_aid3" "OS Platform Version"=blank | rename "OS Platform Version" as "OS1" | eventstats count("OS1")]
| append [search index="roche_aid3" "Active Users"!=blank | eventstats count("Active Users")]
| append [search index="roche_aid3" "Active Users"=blank | rename "Active Users" as "Active Users1" | eventstats count("Active Users1")]
| append [search index="roche_aid3" "Ticket Count_Last 12 Months"!=blank | rename "Ticket Count_Last 12 Months" as "Ticket" | eventstats count("Ticket")]
| append [search index="roche_aid3" "Ticket Count_Last 12 Months"=blank | rename "Ticket Count_Last 12 Months" as "Ticket1" | eventstats count("Ticket1")]
| append [search index="roche_aid3" "CR_Last 12 Months"!=blank | rename "CR_Last 12 Months" as "CR" | eventstats count("CR")]
| append [search index="roche_aid3" "CR_Last 12 Months"=blank | rename "CR_Last 12 Months" as "CR1" | eventstats count("CR1")]
| append [search index="roche_aid3" "Help Facilities _ Documentation"!=blank | rename "Help Facilities _ Documentation" as "Documentation" | eventstats count("Documentation")]
| append [search index="roche_aid3" "Help Facilities _ Documentation"=blank | rename "Help Facilities _ Documentation" as "Documentation1" | eventstats count("Documentation1")]

Regards, GJ
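Added example, not part of the original post. The cost in the query above is structural: every append runs another full search over the index, and eventstats does not reduce events, it stamps a count onto each one, so fifty subsearches each drag the whole data set through the pipeline. One pass with stats and conditional counts reads the index once and returns one row. Shown for three of the columns; each remaining column is the same pair of lines. It assumes, as the original does, that empty cells are ingested as the literal string blank.

```spl
index="roche_aid3"
| stats count(eval('Appl ID'!="blank"))              AS "Appl ID: filled"
        count(eval('Appl ID'="blank"))               AS "Appl ID: blank"
        count(eval('Appl Name'!="blank"))            AS "Appl Name: filled"
        count(eval('Appl Name'="blank"))             AS "Appl Name: blank"
        count(eval('Business Criticality'!="blank")) AS "Business Criticality: filled"
        count(eval('Business Criticality'="blank"))  AS "Business Criticality: blank"
| transpose column_name="metric"
| rename "row 1" AS count
| rex field=metric "^(?<column>.+): (?<state>filled|blank)$"
| chart sum(count) OVER column BY state
```

The chart output has one row per column with filled and blank as the two series, which is the shape a grouped bar chart wants. Field names with spaces are single-quoted inside eval. One caveat carried over from the original: a comparison against a field that is absent from the event is not true, in the original's `"Appl ID"!=blank` just as in `count(eval('Appl ID'!="blank"))`, so events missing the column land in neither bucket; use `count(eval(isnull('Appl ID') OR 'Appl ID'="blank"))` if absent should count as blank.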
Hi, I have created a bar chart that shows, in my case, example data on the CPU usage of a device, with two overlays for inbound and outbound traffic. When a certain combination of values is exceeded I want to place an annotation to highlight this, as shown in this example. What I cannot seem to get rid of are the orange annotations that seem to be placed when the condition is not matched. The search is as follows. In this I am evaluating and updating the label and the category.

<search type="annotation">
  <query>index="bla" | timechart span=1m avg(inPercentUtil) as inPercentUtil avg(Percent_CPULoad) as Percent_CPULoad | eval critical=if(inPercentUtil>65 AND Percent_CPULoad>90,"Yes","No") | eval annotation_category=case(critical="Yes","Critical") | eval annotation_label=case(critical="Yes","Insert_Message")</query>
</search>

What should I do to stop the orange markers from showing? I don't even specify a color for those annotations.

<option name="charting.annotation.categoryColors">{"Critical":"0xe60000"}</option>
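Added example, not from the original post. Each result row of an annotation search becomes a marker on the chart, and in the query above the non-critical minutes still come back as rows, just with a null annotation_category, which is what the default-colored markers are. Dropping those rows before the label and category are set leaves only the critical minutes. Index name, field names and thresholds are the poster's; the rest is an assumed rewrite of the annotation query.

```spl
index="bla"
| timechart span=1m avg(inPercentUtil) AS inPercentUtil avg(Percent_CPULoad) AS Percent_CPULoad
| where inPercentUtil>65 AND Percent_CPULoad>90
| eval annotation_category="Critical", annotation_label="Insert_Message"
| table _time annotation_category annotation_label
```

With every returned row carrying the Critical category, the charting.annotation.categoryColors option above applies to all of the markers, and no uncolored ones remain to be drawn.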