Hello, I have created a dashboard; it is public within my group. I want the end users to be able to open the main SPLUNK link and see all the team's dashboards. We have most of the dashboards linked to the app, but I don't know how to add the one I just did. Added a picture.
Hi, all. So, I'm using a timechart visualization (line graph) to display the number of events, by hour, over six weeks and using timewrap to overlay the weeks on top of each other, then showing the last two weeks along with a six-week average in order to be able to spot anomalies at a glance. The problem I'm having is that if I mouse over a data point from the current week it shows the appropriate date, but it still shows the same date if I mouse over the previous week's data point, too, or the week before that. For example, if I mouse over 12:00 on Wednesday for "latest_week," the tooltip will show "May 8th, 2024 12:00 PM." If I mouse over 12:00 on Wednesday for "1week_before," the tooltip still shows "May 8th, 2024 12:00 PM." Is there any way to get the tooltip to show the proper date on the mouse-over? I know that's not going to work on the six-week average, but it'd be nice with the current and previous weeks. It's a minor inconvenience, granted, but this is going into a dashboard for not-so-tech-savvy customers, and if I don't have to make them do math in their head we'll all be a lot better off. Here's my query, in case it'll help (and feel free to direct me toward something more efficient if I'm doing something stupid; you aren't going to hurt my feelings any):

| tstats count where <my_index> <data_field1> <data_field2> by _time span=1h prestats=t
| timechart span=1h count by <data_field2>
| rename <data_field2> as tot
| timewrap 1w
| addtotals
| eval avg=round((Total/6),0)
| table _time tot_1week_before tot_latest_week avg
| rename avg as "6 Week Average" tot_latest_week as "Current Week" tot_1week_before as "Previous Week"
Stopping splunkd is taking up to 6 minutes to complete. We have a process that snapshots the instance, and we are stopping splunkd prior to taking that snapshot. Previously with v9.0.1 we did not experience this; now we are on v9.2.1. While shutting down I am monitoring splunkd.log, and the only errors I am seeing have to do with the HFs: 'TcpInputProc [65700 tcp] - Waiting for all connections to close before shutting down TcpInputProcessor'. Has anyone else experienced something similar post upgrade?
Hi All, this is the query with which I try to get the status, but in the table it shows both error and success. PFA screenshot.

| eval Status=case(priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*","ERROR", priority="WARN","WARN",priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*","SUCCESS")
| stats values(Status) as Status by transactionId
How can I resolve this error: "Couldn't complete HTTP request: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"? I keep getting this error on splunkforwarder when I run SPLUNK_HOME/splunk list monitor or SPLUNK_HOME/splunk list inputstatus.
I am trying to compute the R-squared value of a set of measured values, to verify the performance or accuracy of a predictive model. But I can't figure out how to go about this, or whether Splunk has a function or command for this. Thanks
I have a dashboard that I use when checking if a server is compliant. It looks normal in the dashboard, but when I export it as a PDF the last column gets moved to a new page. I found this in ./etc/system/bin/pdfgen_endpoint.py:

DEFAULT_PAPER_ORIENTATION = 'portrait'

What I can't find is a way of overriding the default to change it to landscape. Does such a file exist? If not, beyond changing the code, any ideas on how to get a landscape report so the final column will be on the same page? TIA Joe
Hello, I am currently working on building out a GUI for the software I work on and am looking for a way to query data from our Splunk instance to use in our front-end. I have looked at the documentation here (Splunk Design System) as well as some code examples here (GitHub - splunk/react_search_example), but I cannot find a straightforward answer for how to hook into our Splunk instance and query data from it. From the documentation and examples it seems like what I am trying to do is definitely possible; I just can't figure out how. Any help is greatly appreciated. Kevin
Hello, I need to determine the app name based on a lookup table for the SPL search below. The SPL search results have a field, called SQL, which has the SQL syntax, which contains one of the keywords in a field of the lookup table. I am not sure if join, union, inputlookup, lookup and/or a combination with the where command will solve this puzzle. Any help is appreciated.

The lookup file name is: lookup_weblogic_app.csv

The lookup file sample values are:
lk_wlc_app_short lk_wlc_app_name
ART Attendance Roster Tool
Building_Mailer Building Mailer
SCBT Service Center Billing Tool

SPL search results:
SQL
''' as "FIELD",''Missing Value'' AS "ERROR" from scbt_owner.SCBT_LOAD_CLOB_DATA_WORK
''' as "something ",''Missing Value'' AS "ERROR" from ART_owner.ART_LOAD_CLOB_DATA_WORK
from Building_Mailer_owner.Building_Mailer_

SPL final outcome desired:
lk_wlc_app_short SQL
scbt ''' as "FIELD",''Missing Value'' AS "ERROR" from scbt_owner.SCBT_LOAD_CLOB_DATA_WORK
ATR ''' as "something ",''Missing Value'' AS "ERROR" from ART_owner.ART_LOAD_CLOB_DATA_WORK
Building_Mailer from Building_Mailer_owner.Building_Mailer_
Hello, I have just started to ingest some log files that are split up by lines, e.g. --------; however, for some reason Splunk is splitting the one log file into multiple events. Can someone help me figure this out? Example log attached. My input file is currently set as:

[monitor://C:\ProgramData\XXX\XXX\CaseManagement*.log]
disabled = 0
interval = 60
index = XXXXlogs
sourcetype = jlogs

Do I need a props file, and if so, what do I put in it?
I am trying to register for splunk4Rookies, but I am not finding an option on the home page; please suggest. Below are the steps I followed. I received an email to register for splunk4Rookies. The registration link navigated to the create account page, then to the home page. There I did not find anything like splunk4Rookies. Please help me to register. Thanks,
Hello All, I have an LDAPsearch app installed in one of the on-prem Heavy Forwarders, and I need to index the search output into an index we have created. Our IDX and SH are on Splunk Cloud. Would appreciate all the suggestions. Thanks in advance. Murali
I have a status field with two string values, Dropped and Notdropped. If the value comes as Dropped, I want to show the background color as Green, and if the value comes as Notdropped the color should be green. How can I achieve this in a single card value in Splunk Studio?
Hello, if possible, I need help on getting a Percentage of Uptime for a Transaction over time. I have a Search created that creates a Transaction; it's based on: startwith=Create endswith=Close keepevicted=true. The events are coming from OpsGenie for when an alert is created and closed. Is there any way to take the time from either between Create/Close or Close/Create for a one-week timeframe to obtain the percentage? Thanks for all of the help; let me know if any more details are needed. Tom
Afternoon All, I'd like some help please with some SPL logic that I just can't crack. I have data on some users in our Active Directory system and I am trying to: create a new column with actions; identify those who have not logged in for more than 61 days, and if so the action should return "reset password". Here's the part that I am having an issue with below. The first two lines are working as expected, returning last_logon_total as day, month, year. I have a new field I created called 'action' that I want to return a value in for those users who have not logged in for more than 61 days, but I can't get the SPL right.

| eval epoch_lastLogonTimestamp_date = strptime(lastLogonTimestamp, "%Y-%m-%dT%H:%M:%S")
| eval last_logon_total = strftime(epoch_lastLogonTimestamp_date, "%d/%m/%Y")
| eval action = if(last_logon_total = relative_time(), "-61d@d", "reset password")

Any ideas? Thanks Paula
Hi All, I have a field in my data called 'message', which contains information about the status of the field. I'd like to categorize files as either success or failure files based on the content of the field. For example, if the message contains multiple values like (success, processed, completed) then I want to label the corresponding file as success; if it contains values like (failed, failure) I want to label it as a failure file. How do I implement this using an SPL query? Below is the query I tried, but I am not getting it properly.

index=mulesoft environment=DEV applicationName="Test"
| stats values(content.FileName) as Filename1 values(content.ErrorMsg) as errormsg values(content.Error) as error values(message) as message values(priority) as priority min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY correlationId
| eval SuccessFileName=case(match(message, "File put Succesfully*|Successfully created file data*|Archive file processed successfully*|Summary of all Batch*|processed successfully for file name*|SUCCESS") AND not match(priority,"ERROR|WARN"),FileName1,1=1,null())
| eval FailureFileName=case(match(message,"Failed to process file:"),FileName1,1=1,null())
| table SuccessFileName FailureFileName Response correlationId
Can anyone help me to provide the URL to download or steps of how to use Splunk AI. 
Hello Splunkers!! I want to configure an SSL certificate in Splunk so that my Splunk web URL communicates over HTTPS. To obtain "privKeyPath" in web.conf I have used the below two commands:

splunk cmd openssl genrsa -aes256 -out SplunkPrivateKey.key 2048
splunk cmd openssl rsa -in SplunkPrivateKey.key -out splunk_key.key

To obtain "serverCert" in web.conf I have used the below two commands:

splunk cmd openssl x509 -in splunk.cer -out splunk.pem

Note: splunk.cer is with me (provided by the organization, so I am obtaining a self-signed certificate).

[settings]
enableSplunkWebSSL = 1
privKeyPath = D:\Splunk\etc\auth\mycert\splunk_key.key
serverCert = D:\Splunk\etc\auth\mycert\splunk.pem

I have used all the above commands and configured the certificate under the paths, but still Splunk web is not working securely. Please suggest any other modification or alteration I need to make. Thanks in advance!!
Can i monitor a file in search head?
Hi team, I upgraded from version 9.0.5 to 9.1.2 and the upgrade completed successfully, but the Splunk web page displays a "can't reach this page" window. I verified from the bin directory:

E:\splunk\bin>openssl s_client -connect simdoowwww:443
WARNING: can't open config file: ::::::/openssl.cnf
connect: No such file or directory
connect:errno=0

web.conf

[settings]
enableSplunkWebSSL = 1
privKeyPath =a $SPLUNK_HOME\etc\auth\custom\myServerPrivateKey.key
serverCert = $SPLUNK_HOME\etc\auth\custom\gddjkowww.ap.kinely.com.pem
httpport = 443

The above is the configuration in the back-end system, but the page displays "can't reach this page". Please help me with that.