Hello everyone, I'm working on Splunk Enterprise and on the Search & Reporting app. I made many drop-down menus to filter my data. I have a special field which can be "void" or have a value. How can I include the void value in the drop-down menus? Because when I select "*" on the drop-down menu Splunk returns all the values of the field, but I want to select the "void" value too. Thanks in advance!
I was looking for quite a long time but I'm still wondering whether or not the SaaS portfolio is covered by the Spanish ENS. I found that the cloud is ISO 27001 because the hyperscalers supporting it (GCP/AWS) are, but SignalFx doesn't seem to be compliant regarding the use of customer certificates and the lack of native 2FA.
We are using perfmon and I have built some dashboards to show memory/CPU usage and alerts that trigger if each goes above a certain %. Is there a way you can obtain the total memory assigned to a server? What I want to do is to be able to create a table from the total assigned memory and place it in the above dashboards so our testers know how much memory a server has, without me manually creating a table with each stat in it.
I need to change the indexer for data sent by a universal forwarder. I have this data: source_type="pippo" with sourcetype:"paperino" and index="pluto", so I need to send all of this data to another index like index="nino". I tried with a props.conf and transforms.conf but it doesn't work.
Hi team, I'm trying to send a curl request from my local machine to a Splunk server, but I'm encountering the following error. Have you come across this error before? I've found similar issues on Stack Overflow, but none of the solutions seem to work for me. I thought reaching out here might provide quick support in case anyone has experienced a specific issue related to this. Thank you in advance for your assistance.

aaa.bbb@MyComputer-xxx ~ % curl https://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXXX-XXXX-XXXX-XXXX-XXXX" -d '{"event": "cheesecake"}' --insecure

Output:
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

Thanks
Hello, I have two saved searches saved in the same app on a SH with Enterprise Security. In the Splunk ES Content Management section, one has type "Saved Search", the other has type "Correlation Search". Do you know which specific parameter (I guess in the savedsearches.conf file) Splunk uses to distinguish between the two search types? Specifically, I would like to turn Search1 into type "Correlation Search" as reported for Search2. Thank you in advance, have a nice day!
Can I download the free trial on my Chromebook?
Hi, I am trying to blacklist Windows Event ID 4769 from a particular User ID. Is it possible to implement this? I already added the following blacklist but it didn't seem to work.

blacklist = EventCode="4769" User="Account Name"
Hello All, I have a dashboard with a trellis layout in the panel. I need to drill down based on the dynamic values for which the trellis is generated. The challenge is that, out of the three charts that the trellis gives, the drilldown works on two of them. On the third one, no action happens when I click on the chart.

<row>
  <panel>
    <title></title>
    <chart>
      <search>
        <query>index=... </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
      <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
      <option name="charting.axisTitleX.visibility">collapsed</option>
      <option name="charting.axisTitleY.visibility">collapsed</option>
      <option name="charting.axisTitleY2.visibility">collapsed</option>
      <option name="charting.axisX.abbreviation">none</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.abbreviation">none</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.axisY.abbreviation">none</option>
      <option name="charting.axisY2.enabled">0</option>
      <option name="charting.axisY2.scale">inherit</option>
      <option name="charting.chart">column</option>
      <option name="charting.chart.bubbleMaximumSize">50</option>
      <option name="charting.chart.bubbleMinimumSize">10</option>
      <option name="charting.chart.bubbleSizeBy">area</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.overlayFields">median_count</option>
      <option name="charting.chart.showDataLabels">none</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.mode">standard</option>
      <option name="charting.legend.placement">none</option>
      <option name="charting.lineWidth">2</option>
      <option name="refresh.display">progressbar</option>
      <option name="trellis.enabled">1</option>
      <option name="trellis.scales.shared">0</option>
      <option name="trellis.size">small</option>
      <drilldown>
        <link target="_blank">/xxx/yyy/zzz?test_Tok=$trellis.value$</link>
      </drilldown>
    </chart>
  </panel>
</row>

The trellis gives vertical column charts arranged one after the other horizontally. Thus, your inputs to resolve the issue will be very helpful. Thank you, Taruchit
Hi, I have been using Splunk Enterprise 9.0.5.1 for about a month and have been experimenting with a dashboard (Studio) for application insights. I am now trying to get NFS info into my dashboard; because the NFS shares don't have logical names I have created a simple, small lookup CSV with 2 fields, app-name and nfs-name. This is working fine:

index=summary type=isilon_nfs-quota-alert (path="*appsdata*") | lookup apps-nfs.csv nfs-name as path output nfs-name as found, app-name as application | where isnotnull(found) | table path, found, application, quota

It fetches all the NFS info from all the NFSes in my apps-nfs.csv. But.... I don't want the entire list... I want to use a filter on app-name in my apps-nfs.csv first and can't get that to work. Eventually I want to use the app-name token of my dashboard to filter, but I can't even get a simple search working. How do I filter app-name in the CSV before fetching the NFS info, for instance with an IN list... app1, app2, app5, etc.
Hello. When I try to save an experiment in Splunk Machine Learning Toolkit Smart Forecasting, I get the error "Cannot validate experiment". Does anyone have a clue what this could be referring to? Maybe I need permissions to be able to do that?
Hi there, I have noticed that the Cloud Monitoring Console is reporting a critical bucket. I only have one and have attached a screenshot. The small % is 100. Unfortunately, I am not certain as to what this really means and whether it is something to worry about or not. Any help would be appreciated, Jamie
I have this lookup. I want the total count when the timeval is latest (in this case 2023). Any solution?
I am tasked to do the application upgrades on Splunk and also to find out which applications are not being used much, so we can uninstall them and save some cost. Can someone help me with the steps to upgrade the applications in Splunk across regions, and also how I can list the apps which are not being used?
I have a use case where I want to set up Splunk alerts for certain exception events. I have already defined standard error messages for these individual exceptions. Below is a sample use case:

Exception Event 1: Standard Error Message 1, Common Message
Exception Event 2: Common Message

In the above use case, when Exception Event 1 happens, it outputs 2 messages to the log (Standard Error Message 1 and Common Message). When Exception Event 2 happens, it only outputs the Common Message to the log. For defining the Splunk alert for Event 1, I want to ensure that I am checking the 2 counts of search results matching both Message 1 and Common Message, to ensure that both these searches return the same result count for a given time period. Is it possible to achieve this type of Splunk query using eval and an if statement? My objective is to ensure that I am able to accurately identify the scenario for Exception Event 1 occurring, where both messages would be output to the logs in the same count.
I want to hide time picker options like real-time and presets for some specific roles, and admin should see all of them. I am able to hide them for all users only with CSS, but I need to hide them for specific user roles. Thanks in advance.
Hello All, I have created a scheduled alert which is set to run once every day, and the alert has a Splunk query with the sendemail command. I set the alert to send a link to view results and alert details, but when the alert is triggered I receive an email with only the results returned from the search; I don't see the link to results even though I configured it while setting up the alert. Can someone assist me with this?
Hello Team, I have got a few queries regarding Logs Monitoring in AppDynamics.
1. Where are logs stored in the AppDynamics SaaS controller when enabled through Log Analytics?
2. How is the storage management done for logs?
3. Also, what is the retention period for the logs and can it be modified?
Thanks
Hi Community People. Our team has stood up a new instance of Splunk, and we have deployed some cool new apps. One issue I have run into, however, is that there seems to be a weirdness in how the app is expecting the data. Specifically, the predefined queries (some using macros) seem not to work unless there is an index specified. Is there an explanation behind this?

sourcetype=[some preconfigured type from the app] | stats count by someField <=== doesn't seem to work
index=someIndex sourcetype=appDefinedSourceType | stats count by someField <=== this works
Hi, I have a dashboard with a time picker and a dummy search to transform relative timestamps to absolute timestamps:

<search>
  <query>| makeresults</query>
  <earliest>$time.earliest$</earliest>
  <latest>$time.latest$</latest>
  <progress>
    <eval token="timeEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
    <eval token="timeLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
  </progress>
</search>

Next, I have a chart querying something using the time picker from the form. By default, the chart will automatically adjust the X-axis to the results found, not the entire searched timespan. I want to change this behavior and tried setting chart.axisX to the absolute timestamp values, but it doesn't seem to work. Is there something that I am missing?

<chart depends="$timeEarliest$,$timeLatest$">
  <search>
    <query>... | chart count OVER _time BY some_field</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <option name="charting.axisX.minimumNumber">$timeEarliest$</option>
  <option name="charting.axisX.maximumNumber">$timeLatest$</option>
  <option name="charting.chart">column</option>
</chart>