All Topics

1. Please help me to add a hover effect to a text box in a glass table? 2. Please help me to add color coding based on value in a glass table?
Hi Team, Thanks for being there! I hope you all are doing great! I was working on the requirement to install and monitor Kubernetes using AppDynamics. I have gone through the video from Cisco U https://www.youtube.com/watch?v=RTzMJxzSa9I but I have a question. Do we not need a cluster agent, as I don't seem to have used or taken the name of a cluster agent in the process? Could you help me with this?
Hi, I have a requirement to upgrade RHEL from version 7.9 to 8.X, and our infrastructure team is currently in the process of building a new set of servers running on RHEL 8.X. Consequently, I will need to migrate Splunk from the existing RHEL OS 7.9 to 8.X. Our Splunk architecture is on-premise and includes multiple Search Heads (SHs) in a cluster, Indexers in a cluster, and various other components. Has anyone here performed a migration from one OS to another version of the same OS before? Could I please get some guidelines on how to perform this, especially concerning clustered components? I have checked the below steps:
1. Stop Splunk Enterprise services.
2. Copy the entire contents of the $SPLUNK_HOME directory from the old host to the new host.
3. Install Splunk Enterprise on the new host.
4. Start Splunk Enterprise on the new instance.
I am specifically looking for any additional steps that need to be performed, particularly for clustered components. Thank you. Kiran
We have a use case where we need to calculate the time difference between the maximum infotime (steptype="endNBflow") and the infotime where steptype is "end payload". This particular message has 16 events comprising request and response flows. The request flow ends with "end Payload" and the response flow ends with steptype "end NB Flow". I have the below query:
index="xyz" sourcetype=openshift_logs openshift_namespace="qaenv" "a9ecdae5-45t6-abcd-35tr-6s9i4ewlp6h3"
| rex field=_raw "\"APPID\"\:\s\"(?<appid>.*?)\""
| rex field=_raw "\"stepType\"\:\s\"(?<steptype>.*?)\""
| rex field=_raw "\"flowname\"\:\s\"(?<flowname>.*?)\""
| rex field=_raw "INFO ((?<infotime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}))"
| sort infotime
| table appid, flowname, steptype, infotime
How can I retrieve the value I am looking for? Any guidance here would be much appreciated.
I'm building dashboards in a Splunk app, using Splunk Enterprise 9.2.0. I want to be able to run a query on a dashboard, based on my filters, time picker, etc. (with a Submit). This, I know how to do. But I need to be able to scroll down and do the exact same thing again below, so I can keep my original output up at the top. I need to know how to basically do this sort of dashboard (all in the same dashboard):
Fieldset 1 <Filters, Time-picker, Submit, etc.>
Panels for Fieldset 1 (charts, tables, etc.)
** Run the first one, keep that output, and then run the one below, while the other results remain the same
Fieldset 2 (or duplicate) <Filters, Time-picker, Submit, etc.>
Panels for Fieldset 2 (charts, tables, etc.)
...and if it's any different, how to keep drilling down to Fieldset 3, Fieldset 4, and so on. Does anyone know how to do that, or is there a book/reference on that? Thanks.
I have a strange issue: when I search for a specific event in Splunk and I am looking for specific fields (e.g. field1, field2), I cannot see them in Selected Fields or Interesting Fields. But when I run the same query and table those fields, I can see them.
index=1234 sourcetype=4567 --> cannot see those fields when this search is triggered. But when I add a table command with those field names in the search, I can see the fields and the values for them.
index=1234 sourcetype=4567 | table field1, field2 --> with this query I can see the fields.
Did anyone face this issue? We are on the latest Splunk version 9.0.X.
Hello all, I have a dashboard with a field "id" that I want to add to the end of a custom URL that I have defined in the "interactions" on-click section. My goal is to have this field data added to the end of my custom URL so that, when clicked, it will load the exact page I need with that value at the end in the browser. This is what I have tried. I tried to add "$click.value$", then also tried "=$click.value$". I also tried to put just "$id$" at the end. No results; it just loads the URL with my addition as text (it does not pull the actual value).
"eventHandlers": [
    {
        "type": "drilldown.customUrl",
        "options": {
            "url": "https://myURL.com/abcd/=$click.value$",
            "newTab": true
        }
    }
]
Is there a way to change the permissions of all lookups in an app?
Please help on the following: 1) Instead of values like 2.8685303234545950, I want to restrict to 2 decimal places, like 2.87. 2) I want to append "%" at the end of 2.87, like 2.87%.
index=MyPCF | fields server_instance cpu_percentage | timechart max(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0
Below is the current output I get:
_time                server1             sevrer3             server4             server5
2024-03-21 13:45:00  3.1049753795247880  2.6818978525900086  3.0970366478143334  2.6279363289367494
2024-03-21 13:46:00  2.9336478352933097  2.4579778020150926  2.9602531790679110  2.9074405642281490
2024-03-21 13:47:00  2.9608714340953393  2.5579155086951600  2.7920194409649772  3.2610313588043978
2024-03-21 13:48:00  3.5946875229937634  2.5006464331193965  3.1106486461269176  3.7073668015974173
2024-03-21 13:49:00  2.8303159134216944  3.5756938476048900  3.4757319466032990  2.9783098006952250
2024-03-21 13:50:00  3.0067950036354420  2.2524125280871740  3.0493445107055930  2.2877333705021860
2024-03-21 13:51:00  2.7526861431818790  2.5427731042748785  3.0946836167596232  2.7477304760698664
2024-03-21 13:52:00  3.4172636751835066  2.730991461075761   2.7698859629286040  2.6296901815909903
2024-03-21 13:53:00  2.5957496530754254  2.1086391909665694  2.6025759149116060  2.4142703772570730
2024-03-21 13:54:00  2.7321368209680920  2.5317849096196980  2.8368213301356677  3.0664957483386470
Hi, I need help with my Windows security logs: how can we create the lateral movement use case?
Hello world, I'm trying to use rex to rename the part of the strings below where it says "g0" to "GRN", so the output would read 01-GRN1-0, 01-GRN2-0, etc. I have been unable to get it to work, and any guidance to point me in the right direction would be much appreciated. The rex statement in question:
| rex field=ThisField mode=sed "s/g0/\GRN/g"
Example strings:
01-g01-0
01-g02-0
01-g03-0
Hi, I am using multiple case conditions but the condition is not matching. In the third line of the code I used an AND condition for message=*End of GL* AND tracepoint=*Exception*. If the condition matches, it should be set to SUCCESS. In my case it's showing both SUCCESS and ERROR in the table.
| eval Status=case(
    like('Status', "%SUCCESS%"), "SUCCESS",
    like('message', "%End of GL-import flow%") AND like('tracePoint', "%EXCEPTION%"), "SUCCESS",
    like('tracePoint', "%EXCEPTION%") AND like('priority', "%ERROR%"), "ERROR",
    like('Status', "%ERROR%"), "ERROR",
    like('priority', "%WARN%"), "WARN",
    like('priority', "GLImport Job Already Running, Please wait for the job to complete%"), "WARN",
    like('message', "%End of GL Import process - No files found for import to ISG%"), "ERROR",
    1==1, "")
Hoping someone can help, as I'm relatively new to Splunk On-Call administration. When our system sends an alert to multiple Splunk On-Call email addresses to contact and use multiple routing keys, the system only uses the first routing key in the list of recipients and drops everything else. For example, if I sent an email to 00000000+RoutingKey1@alert.victorops.com; 00000000+RoutingKey2@alert.victorops.com, Splunk On-Call will create an alert for RoutingKey1 but no alerts are created for RoutingKey2. Is there an Alert Rule syntax that will extract these so it creates alerts for both? Thanks.
Hello everyone, since our Splunk is not connected to the network, I wanted to know whether it is possible to use vt4splunk in offline mode.
Linux, RHEL 8.9. Splunk 9.2.0.1. Had a forwarder manager running (for years) with 2,000+ clients connecting. Did the upgrade from 9.1 to 9.2.0.1 and now have "No clients phoned home." No firewall or SELinux issues are noted. Getting gazillions of:
03-21-2024 09:59:59.050 -0500 WARN AutoLoadBalancedConnectionStrategy [8459 TcpOutEloop] - Current dest host connection 10.14.8.107:9997, oneTimeClient=0, _events.size()=20, _refCount=1, _waitingAckQ.size()=0, _supportsACK=0, _lastHBRecvTime=Thu Mar 21 09:59:45 2024 is using 18446604244100536835 bytes. Total tcpout queue size is 512000. Warningcount=301
Funny thing is, that's the only "error" (warning) I have. It otherwise looks like it's seeing clients:
03-21-2024 09:59:15.468 -0500 INFO PubSubSvr [842449 TcpChannelThread] - Subscribed: channel=tenantService/handshake/reply/carmenw2pc/A265FEF1-4A37-4D58-90ED-AD1142694F05 connectionId=connection_10.14.72.83_8089_blah.domain.edu_blah_A265FEF1-4A37-4D58-90ED-AD1142694F05 listener=0x7f2c78d44000
Hi, I am working on a prototype of Splunk dashboards with 30+ panels. The dashboard panels are basically an upstream vs. downstream data/volume comparison. The client would like to see arrow marks or any line between the panels to show the connections. Please could you share the XML source reference? Thanks, Selvam.
Hello, how do I convert a number to a string using the tostring function? I tried using the tostring function, but the result is still a number. See below. Thank you!!
| makeresults
| eval num = 1
| eval var_type = typeof('num')
| eval num2 = tostring(num)
| eval var_type2 = typeof('num2')
Hi, we have just installed the Aruba Networks add-on for Splunk, and I would like to have the dashboards that can be created from this add-on. Also, how can I get a table with SNR values vs. AP vs. users? Thx
Hi, I am trying to implement a custom app using Add-on Builder. I am running a REST call and getting the following error:
Error: python ERROR HTTPSConnectionPool(host='*', port=*): Max retries exceeded with url: /*(Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at *>: Failed to establish a new connection: [WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions'))
I have tried adding "verify=False" in the Python script but it's not helping:
# verify=False must be passed to requests.get(), not to str(); note that it disables TLS certificate verification
response = str(requests.get(url, data=body, auth=(user, password), verify=False).text)
Any idea what else could be the issue and how to fix it?
I have a use case where I'm trying to collect events from a federated search. I can run and search results using the federated index, but when I try to add a collect command to collect the results to a local index, I get the following error: "No results to summary index." The search works but automatically returns no results when I try to collect. I've leveraged a workaround by using makeresults with dummy data followed by an append with a subsearch that contains my federated search, and that collects fine, but now I'm limited by subsearch constraints. Has anyone run into this issue? Workaround:
| makeresults
| eval test="a"
| fields - _time
| append [ index=federated:testindex | head 1 ]
| collect index=mysummaryindex