Hello! I'm trying to resolve issues with splunkd being killed by the OOM Reaper, and it would be nice to know which saved search (or ad-hoc search) is consuming too much RAM. In the Linux messages from the Search Head I have the PIDs of the reaped splunkd processes, and the question is how to get the PID of splunkd for a particular saved search from the _internal index. Scheduler events have an SID field like this: sid="scheduler_aS5zLnNva29sb3Y_czdfc2llbV9uZXR3b3Jr__RMD58313482a27867d57_at_1716903900_27923" Is the last part of the SID (27923) a Linux process ID? Or maybe I can get the PID from some other source?
Like the title says, I want to change the email address of my splunk.com account. Logging into splunk.com and navigating to My Dashboard, it is only possible to change the password but not the email address. There are older forum posts which suggest contacting Splunk support. I wrote several emails but received no help. For any other website, changing the email address is a matter of seconds. Why is there no such option for splunk.com?
Hi All, I have a Splunk dashboard with dynamic tokens. Here is a simplified example of my setup. In the dashboard, $new_value$ and $env$ are dynamic tokens that the user can select. I want to convert this panel into a report that can accommodate these dynamic values. Could you guide me on how to achieve this? I need to understand. Any detailed steps or examples would be greatly appreciated. Base Query:
index=Test environment=$env$ applicationName=$new_value$
| stats values(content.InterfaceName) as InterfaceName values(content.payload) as payloadFile values(content.ErrorMsg) as errormsg values(content.Error) as error BY applicationName,correlationId
| table Status Timestamp InterfaceName ApplicationName CorrelationId
| search interfaceName=$new_interface$
Panel Query with dynamic tokens:
<search base="BankSearch">
<query>| where Status LIKE ("$countStatus$")|sort -Timestamp</query></search>
I have extracted this data with the stats command. The goal is to compare the left timestamp (start time) of the second line with the right timestamp of the previous line (end time), and the condition will be like this: if (start next row > end previous row) 1:0; in this way I want to mark these lines with bool=1, and if not, bool=0. Please, does someone have a suggestion about how I can implement this? Thanks in advance
Hi, there are 72 links to scheduled Splunk reports that I have to access, and I download the reports individually on a monthly basis. I would like to know if there are any faster ways to download them. Regards, Zijian
I am trying to install the controller on v.24.4.0 (latest). While installing I am getting the below error: "Connection to [AppDynamics Controller Application Server] failed due to Controller I arations[[SC] EnumQueryServices Status: OpenService FAILED 1060: The specified service does not exist as an installed service"
Can the Universal Forwarder (UF) have a higher version than the Heavy Forwarder (HF) and Indexer (IDX)? Will this cause any impact? The reason is that the HF and IDX cannot upgrade their OS to meet the prerequisites for version 9.1.4, which requires Windows 2019. Can I proceed with the UF upgrade first?
UF = 9.1.4
HF = 9.1.2
IDX = 9.1.2
Hello, Can anyone help me design a panel in a classic dashboard with multiple rows and columns of visualizations? Updated with the full page design. The problem I am facing is that each box is a set of panels with different visualizations. Is there any idea how to code this as a full page visualization?
Hello. I am an engineer currently doing testing with Splunk. We are configuring and testing APM and RUM. I am drawing an indicator using a Spring Boot example. For APM, there is at least a 5-10 minute delay when viewing trace data. Additionally, RUM indicators are drawn at intervals of 15 seconds. Can these settings be configured to be near real time? Please be sure to attach relevant materials.
Hey all,
I'm new to Splunk and only have basic knowledge of Python/scripting and RegEx. I'm trying to build my hands-on skills right now by doing a job simulation on The Forage for the Commonwealth Bank. In the first part of the simulation we're required to pull multiple sets of data to create a dashboard with different charts to show fraud attempts by various data sets. The one I'm stuck on is where we're asked to pull a chart on "Which gender performed the most fraudulent activities and in what category?" I'm trying to use:
sourcetype="fraud_detection.csv" fraud="1" gender="F'" gender="M'"
| stats count values(fraud) values(age) by category
but the search only accepts one gender argument, either gender="F'" or "M'", for some reason. I've tried using gender="M'" AND gender="F'", gender="F'" + gender="M'", and gender="F' + M'", but I can't quite figure it out. I've looked into joining data, but I'm not sure that's the solution I'm after? Any help would be appreciated.
Hi Team, Please let me know how to add a color to the time format as below. The one below is not matching the requirement.
<colorPalette type="expression">if(strptime(value,"%H:%M:%S")>"25200", "#A2CC3E", "#F58F39")</colorPalette>
Time field and the color expected for it:
25-05-2024 19:06 Red
25-05-2024 22:10 Red
25-05-2024 22:16 Red
26-05-2024 06:50 Green
26-05-2024 06:52 Green
26-05-2024 11:50 Green
26-05-2024 11:52 Green
27-05-2024 07:09 Red
27-05-2024 07:10 Red
27-05-2024 11:52 Green
27-05-2024 11:57 Green
Thanks in Advance!
Hi, I'm trying to join two lookups based on the name field. Here's what I have:
|inputlookup abc.csv
|table name published
|lookup def.csv name as name OUTPUT releaseyear
When I run this, I get multiple values in the field. How do I get rid of these multiple values and ensure only one value per field? Thanks!
Hi, I was able to receive notifications and alerts from AppDynamics in my Zabbix and Grafana (Minerva) console. I wanted to know if it is possible to integrate metrics between AppDynamics and Minerva and generate a dashboard for each application.
Hi, I am completely new to Splunk and have to parse a field that looks like this: params="['field1: value1', 'field2: value2', 'field3: value3']" (note the spaces after the colons). I have to extract field1, field2 and field3 so they are searchable. Can you help with what query I should write?
I have a Splunk query which returns these 2 sets of events.
1) domain_name="abc" microservice_name="test" message=[WEB] ERROR RESPONSE : NO_DOCUMENTS_FOUND ->
2) domain_name="abc" microservice_name="test" message=[WEB] ERROR RESPONSE : GUID_EXPIRED
My vtest.csv lookup looks like below:
domain_name; microservice_name; message
abc; test; NO_DOCUMENTS_FOUND
I am using the below query to exclude the 1st set of events. I have created a WILDCARD(message) match_type.
| lookup vtest message OUTPUT message as exclude_message
| search NOT (exclude_message="*")
But it is not working, and I don't get any fields in "exclude_message" either. Kindly help.
Hello friends, last week we updated a few apps based on feedback from the Upgrade Readiness App. Admittedly, the apps were forgotten about for about a year. Yet, we are receiving e-mail notifications about deprecated jQuery or Python versions for the given apps. Since all the apps are "Built by Splunk Inc.", I have a feeling this should not be the case. Is it safe to [Dismiss App Alert] in the Upgrade Readiness App? Will the alert re-appear after the next scan?
Based on documentation and posts (Who do saved scheduled searches run as? and Question about "run as" (Owner or User) for saved searches), a saved search configured to "run as" owner should run with the permissions that the owner of the search has. However, I have two saved searches that do not work that way. Specifically, the searches use indexes that I (the owner) have access to but other user roles do not. The difference that I can think of is that my searches are in a Splunk Cloud instance, and my users authenticate using SAML against an IdP on premise. Any insights would be much appreciated!