Hi all, We are currently using Splunk v 7.2. I am integrating Splunk with OMI and seeing issues in configuring the state changes for Splunk alerts. I am looking into whether Splunk could send an All Clear / Resolved notification every time an alert triggers. This would be highly helpful to determine the state change and to track the tickets down. Please let me know if this feature is already available in Splunk or can be expected at least in future releases.

Hi Splunkers, we have a centralized syslog collector. Also, many hosts deliver logs via UFs directly. The same index may contain data delivered from UFs and from syslog inputs. Also we have DB connectors and APIs. Is it possible to divide data by type of input? Does Splunk have this kind of inspection?

I am currently monitoring a file that generates logs, but assigns the time in epoch format. Is there a way to transform/convert the epoch timestamp to a human readable format during index time? (I know there is a way to do this in a search query, but I would like to store the timestamp in a human readable format.)

EDIT: The file I am monitoring is /root/.bash_history (I made system configuration changes to make sure that every command execution is stored immediately) and most of the time Splunk does a very good job at assigning timestamps to each command execution, but sometimes it will create one event with multiple commands and assigns one timestamp to all of them. So I decided to generate a timestamp that is appended to every command. The way they are listed in the file is as such:

#1234567890 <command>

Now, I've set the correct configuration in props.conf to ensure that every two strings is one event, but now I'm trying to assign the "1234567890" as the timestamp of the event and make sure it shows in human readable format for search results.

Hi, the dedup command gives recent unique values based on the fields mentioned. I want to know whether these recent values are identified based on _time or _indextime. I could not find it mentioned anywhere. Thanks,

Hi, I need help. My question is related to unused dashboards. Currently I have more than 2000 unused dashboards, and I need a method to disable and delete them from my Splunk Cluster. Did anyone apply a procedure to remove a large number of panels from the Splunk Cluster? Which steps do I need to delete those dashboards?

Folks, can you help me please? I'm trying to restore buckets for the month of December 2019 on my Splunk instance. I followed the procedure described in this link: https://docs.splunk.com/Documentation/Splunk/7.2.0/Indexer/Restorearchiveddata But I can't do the restoration. The bucket files are 4.2+. After countless attempts, I changed the bucket name and it still doesn't work. I stopped the indexer to restore the data and received the message below:

fsck from util-linux 2.23.2
Usage: fsck.ext2 [-panyrcdfvtDFV] [-b superblock] [-B blocksize]
                [-I inode_buffer_blocks] [-P process_inode_size]
                [-l | -L bad_blocks_file] [-C fd] [-j external_journal]
                [-E extended-options] device

Emergency help:
 -p                   Automatic repair (no questions)
 -n                   Make no changes to the filesystem
 -y                   Assume "yes" to all questions
 -c                   Check for bad blocks and add them to the badblock list
 -f                   Force checking even if filesystem is marked clean
 -v                   Be verbose
 -b superblock        Use alternative superblock
 -B blocksize         Force blocksize when looking for superblock
 -j external_journal  Set location of the external journal
 -l bad_blocks_file   Add to badblocks list
 -L bad_blocks_file   Set badblocks list

Hi, in a report I am doing a basic count on a field:

| stats values(CycleCount00) as "Cycle count" by host

When the "Cycle count" result is > 300, I need to color the field in red; when the "Cycle count" result is between 200 and 300, I need to color the field in orange; when the "Cycle count" result is < 200, I need to color the field in green. What is the better way to do this? I have also tried this, but it doesn't let me use greater or lower than...

<format type="color" field="Cycle count">
<colorPalette type="minMidMax" maxColor="#31A35F" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>

I thought about the rangemap command but I don't succeed in using it. Can anybody help me please?

I have dynamic columns on the table, and based on my previous question I am able to get one of the columns as "Today", thanks to help from the community. Now, out of all these columns which are dynamic, only the "Today" column should be enabled for drilldown. I see there are ways to do this, but since the columns are dynamic, except the "Today" column, I need help to fix this..

Hello all, I'm trying to set up the following retention policy: 15 days of events to be searchable (hot/warm/cold - it doesn't matter) + 15 days of data to be frozen (archived). So I would always like to have 30 days of data (of course the 15 days should be thawed out first if I want to use them). So for example: events/data from 01.01.2020 till 15.01.2020 to be frozen (archived), the data from 16.01.2020 till 31.01.2020 to be searchable. And of course this will shift day by day. I've read a lot about frozenTimePeriodInSecs, maxHotSpanSecs, maxHotIdleSecs etc., but I'm very confused about whether my scenario can be achieved with these parameters. Please note that I'm trying to accomplish this scenario WITHOUT any dependency on the size of buckets, indexes etc. My architecture is: 10-15 Windows hosts sending some logs to 1 Splunk indexer (7.1.4). Thank you in advance!

Hello, I have managed to locate the jobs within the Job Manager through the following search:

| rest /services/search/jobs

The only problem is that I cannot find the "Created at" column of the Job Manager within the result set. There is an Updated column, but this value is sometimes in the past, specifically for saved searches. Where can I find the data that I'm looking for? Thanks! Andrew

Hi, I have an index with events such as:

CITY, TICKET, CREATION_DATE, OTHER METADATA FIELDS
Paris, 0001, 01 jan 2020, .......
Rome, 0002, 03 jan 2020, .......
Paris, 0003, 05 jan 2020, .......
Berlin, 0004, 08 jan 2020, .......
Berlin, 0006, 09 jan 2020, .......
Paris, 0003, 05 jan 2020, .......
Rome, 0002, 03 jan 2020, .......
Rome, 0009, 10 jan 2020, .......
Paris, 0007, 07 jan 2020, .......
Berlin, 0006, 09 jan 2020, .......

I'd like to see which CITIES have more than 2 different tickets within 14 days; so I'd like to get all the events, with all their metadata, ordered by CITY, with a different TICKET from the previous one (the previous in CREATION_DATE), with the additional info about the difference in days from the previous ticket (DAYS_DIFF); with these added conditions: only if DAYS_DIFF is < 14 AND the number of different TICKET, grouped by CITY, is > 2. The first event by city has to be listed as well, with a "-" in the DAYS_DIFF field. So in my case: only Paris has 3 different TICKET, each with DAYS_DIFF < 14. OK! Berlin and Rome have only 2 different TICKET. Not listed!

Desired result:

CITY, TICKET, CREATION_DATE, DAYS_DIFF, OTHER METADATA FIELDS
Paris, 0001, 01 jan 2020, -, .....
Paris, 0003, 05 jan 2020, 5, ....
Paris, 0007, 07 jan 2020, 2, ....

How can I achieve this result? I've tried with streamstats: I have the correct results, but listed by rows with n-tuples CITY, OLD_EVENT, NEW_EVENT, DAYS_DIFF; I'd like to have the above visualization instead. Thanks in advance.

I have a dynamic column which is basically today's date, but the column name is 05-02-2020, for example. I would like to change this column name to "Today". Unfortunately, in the output of the query I am getting this column name like the date... Can you suggest a way to rename this column name, which is dynamic for each day, as "Today"? If I try

| rename "05-02-2020" as Today

it works, but the date changes tomorrow....

I need to display an image in the centre of two panels in a dashboard in Splunk Cloud. Unlike Splunk Enterprise, this is proving to be impossible even with hosting it on Google. Any way to upload the image or call an HTTP page?

Hi, I have 2 Splunk servers with Splunk App DB Connect installed - version 3.1.3 on both. The Teradata driver is the same on both as well (terajdbc4.jar v15). All the next steps are done in the GUI - I have created an identity. When trying to set up a connection to the db server, from one Splunk server it is successful, but from the second one not. There is an error message:

There was an error processing your request. It has been logged (ID a306ca754260b3d5).

Going further, in splunk_app_db_connect_server.log I have found this ID:

2020-02-06 11:21:30.135 +0100 [dw-78 - POST /api/connections/status] ERROR io.dropwizard.jersey.errors.LoggingExceptionMapper - Error handling a request: a306ca754260b3d5
java.lang.NoClassDefFoundError: Could not initialize class com.teradata.tdgss.jtdgss.TdgssManager

The db host is accessible from both Splunk servers directly. I have updated the Teradata driver to the latest version on the non-working one, but it did not help; the error is still the same. Can anyone advise why that is? What else can be different between these two Splunk servers, so that one works fine with this specific db server and the second does not? Thank you in advance, Przemek

I configured a drilldown through the GUI. The search is something like this:

index=* "message.Origin"=TEST source="/opt/mulesoft/logs/something.log" OR source="/opt/mulesoft/logs/somethingelse.log" OR source="D:\\Log\\anything.json" | stats values(a.b) AS ab ,values(c.d) as cd count(eval('logger' ="nl.logger,answers")) as "Start ",count(eval(logger ="n.questions. HTTP status: 200.")) as "questions" by message.MessageId, | where ‘questions’ <1

When I click the panel to drilldown, Chrome opens a blank page and nothing else happens. When I look in the source I see this:

<drilldown>
<link target="_blank">search?q=index=*%20%22message.Origin%22=TEST%20source=%22/opt/mulesoft/logs/ something.log %22%20OR%20source=%22/opt/mulesoft/logs/ somethingelse.log %22%20OR%20source=%22D:%5C%5CLog%5C%5Canything.json %22%20%0A%7C%20stats%20%20values(a.b)%20AS%ab%20,values(c.d)%20as%20cd%20count(eval('logger'%20=%22 nl.logger,answers........... ( etc etc etc)

I anonymised the search for security reasons. In IE the drilldown works just fine, and other drilldowns also work in Chrome. I don't understand what is going wrong.

As you can see in the picture, there are 2 values (ChargeInProgress & Charging) which I know are the same (but with different names), so I wish to sum the percentage of these two values, rename it as X and show it in the table next to the other values. I have tried this:

"Set status * for charging point" | rex "charging point\s*(?P<charging_point>.*)" | rex "Set status\s*(?P<status>.*?,*)\s" | eventstats sum(ChargeInProgress,Charging) as X | dedup charging_point | top limit=20 status | fields status, percent

but it does not work, and gives the same result:

status percent
Idle 71.397640
SuspendedEV 11.518077
Charging 9.131379
ChargeInProgress 4.996529
Preparing 1.456150
SuspendedEVSE 0.547640
Error 0.442961
Finishing 0.386764
Unavailable 0.122310
NotMonitored 0.000551

I would like to see this as a result:

status percent
Idle 71.397640
X 14.127908
SuspendedEV 11.518077
Preparing 1.456150
SuspendedEVSE 0.547640
Error 0.442961
Finishing 0.386764
Unavailable 0.122310
NotMonitored 0.000551

Hello, we are using a timeline in an embedded report which is enclosed in an HTML page calling several embedded reports. For every other report I can define the size of the report panel. Only the size of the timeline report always stays the same. When first searching Splunk Answers I found a hint that this could be a bug in the timeline style sheet, but sorry, I cannot find it again. It showed that in the stylesheet the height is set fixed to 130, as far as I remember. I also tried to file a case at Splunk, but it seems I do not get the rights to do so (although I am in contact with Splunk GB). Can somebody else who might have the same problem or is able to confirm this behavior file a case for this? Or maybe there is already a solution and I just could not find it. Thanks

I am trying to onboard data from Azure AD and O365 to Splunk Cloud. I have both the Splunk add-on for Microsoft Cloud Services and the Splunk add-on for Microsoft Office 365 installed on the IDM. I am in the process of configuring the Azure portal, but looking at the docs (O365 and MS Cloud Services) both point to MS docs (MS O365 and MS Cloud Services), and the process described over there is not exactly what is described in the Splunk docs. More specifically, I am not sure if I need a "redirect URL" as stated in the MS docs, and I am also not sure where to find that. It looks like it might be needed for O365, and there was a way to get it through the MS Cloud Services add-on; however, this has since been updated and it's no longer there, and O365 data should be forwarded from the O365 add-on, which doesn't provide it either. I managed to write down a few steps for both the Azure and O365 configuration on the Azure portal, but I am looking for some feedback on whether I am understanding everything correctly and if this is all that needs to be done. Here are the steps:

Hello, is there a simple way to have everything generated from a Dynamic Search selected? I'm searching for MachineName from one source, which is the same as the host value from a different source, used in a table search, so I can't use * in the variable. Regards, jan

Hi, we are leveraging the Multi Cloud Cost Management Add-on for Azure Cloud Cost Management. The current add-on allows conversion between GBP and USD, but we would like to know how we can enable USD to INR and INR to USD conversion in the current add-on. I would appreciate any help with respect to the same. I heard from a Splunk Sales representative that this is a Beta version, hence it would be great if we can enable this functionality in the latest release. Regards, Shweta