Hello all, I am going to upgrade Splunk to version 9.1.x. Inside my app I use a lot of JS scripts. When I'm performing the jQuery scan, I get the below error messages:

This /opt/splunk/etc/apps/biz_svc_insights/appserver/static/jQueryAssets/ExtHCJS.js is importing the following dependencies which are not supported or externally documented by Splunk. highcharts

This /opt/splunk/etc/apps/biz_svc_insights/appserver/static/node_modules/requirejs/bin/r.js is importing the following dependencies which are not supported or externally documented by Splunk. requirejs logger

Can anyone please help me with this error? Any hints are appreciated. Kind regards, Rajkumar Reddi.
Hello, I am creating a dashboard (Simple XML) with a table panel as shown below. This is actually a dashboard for a telephony system, and the number of columns (and their names, of course) will change based on which agents are logged in at the time. For example:

at 9 AM: Queue, Agent 1, Agent 4, Agent 9
at 3 PM: Queue, Agent 1, Agent 4, Agent 5, Agent 11
at 1 AM: Queue, Agent 5, Agent 9, Agent 11

Now, in this table panel, I want to replace 1 with a green tick and 0 with a red cross in all the columns. Can you please suggest how this can be achieved? I have tried this using eval and replace, but as the columns are dynamic, I am unable to handle this. Thank you.

Edit: Sample JSON event:

{
  AAAA_PMC_DT: 05-Dec-2023 13:04:34
  Agent: Agent 1
  Block: RTAgentsLoggedIn
  Bound: in
  Queue(s):: Queue 1, Queue 3, Queue 4, Queue 5, Queue 7, Queue 10
}

SPL:

index="telephony_test" Bound=in Block=RTAgentsLoggedIn _index_earliest=-5m@m _index_latest=@s
| spath "Agent"
| spath "Queue(s):"
| spath "On pause"
| spath AAAA_PMC_DT
| fields "Agent" "Queue(s):" "On pause" AAAA_PMC_DT
| rename "Queue(s):" as Queue, "On pause" as OnPause, AAAA_PMC_DT as LastDataFetch
| eval _time=strptime(LastDataFetch,"%d-%b-%Y %H:%M:%S")
| where _time>=relative_time(now(),"-300s@s")
| where NOT LIKE(Queue,"%Outbound%")
| sort 0 -_time Agent
| dedup Agent
| eval Queue=split(Queue,", ")
| table Agent Queue
| mvexpand Queue
| chart limit=0 count by Queue Agent
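One way to do this without knowing the column names in advance, as an added example that is not part of the original post: mark each present Queue/Agent pair with the tick before pivoting, then let fillnull write the cross into every empty cell, so whichever agent columns xyseries produces are all covered. The index, field names and filters are taken from the post; the tick and cross characters and the LoggedIn helper field are assumptions.

```spl
index="telephony_test" Bound=in Block=RTAgentsLoggedIn _index_earliest=-5m@m _index_latest=@s
| spath "Agent" | spath "Queue(s):" | spath AAAA_PMC_DT
| rename "Queue(s):" as Queue, AAAA_PMC_DT as LastDataFetch
| eval _time=strptime(LastDataFetch,"%d-%b-%Y %H:%M:%S")
| where _time>=relative_time(now(),"-300s@s") AND NOT LIKE(Queue,"%Outbound%")
| sort 0 -_time Agent
| dedup Agent
| eval Queue=split(Queue,", ")
| mvexpand Queue
| eval LoggedIn="✔"
| xyseries Queue Agent LoggedIn
| fillnull value="✘"
```

xyseries builds one column per Agent value and leaves cells empty where an agent is not in a queue; fillnull with no field list then fills every empty cell, so no column needs to be named. Colouring is done on the table panel rather than in SPL: a Simple XML `<format type="color">` without a `field` attribute applies to all columns, so a `<colorPalette type="map">` keyed on the two characters turns them green and red whatever the column set is.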
Hello, I'm integrating a .txt file into Splunk; however, while integrating the file, my events are breaking into single lines. Not all events, but many of them are breaking into single lines. Attaching the log file in the comments. Below is how my data appears in Splunk when I add this txt file. Is there any way I can limit the starting and ending point of my event? I want my data to start from @ID and end at REMARK. And if I use the regex "(@ID[\s\S]*?REMARK[\s\S]*?)(?=@ID|$)" while adding the data, many of my logs go missing; attaching a snapshot of that also. Not sure how to resolve this issue, if anyone knows how I can integrate this .txt file so that my events run from @ID to REMARK.
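An added example, not from the original post, of the props.conf stanza an event-breaking rule for this data would normally use. It assumes each record begins with "@ID" at the start of a line and that the sourcetype name is hypothetical. The point to check: in LINE_BREAKER the first capture group is the delimiter that Splunk discards between events, so a regex whose group 1 captures the event body itself (as the regex quoted in the post does) throws that body away, which is consistent with events going missing.

```ini
# props.conf on the instance that parses the data (indexer or heavy forwarder),
# not on a universal forwarder. Sourcetype name is an assumption.
[my_txt_sourcetype]
# Do not re-merge lines after breaking; LINE_BREAKER alone defines the events.
SHOULD_LINEMERGE = false
# Break only at a newline that is immediately followed by "@ID".
# Group 1 (the newline run) is consumed; the lookahead keeps "@ID" in the event.
LINE_BREAKER = ([\r\n]+)(?=@ID)
# Records end at REMARK and may be long; do not truncate them.
TRUNCATE = 0
# Keep timestamp recognition from scanning the whole record.
MAX_TIMESTAMP_LOOKAHEAD = 40
```

With this rule every line from @ID up to the line before the next @ID belongs to one event, so REMARK is naturally the last line. Test it on a copy of the file with "Add Data" in the UI or with `splunk add oneshot` against a test index before applying it to the production input, since a wrong LINE_BREAKER is only correctable by re-indexing.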
How do I get a single table from this query with all the correlationId values together in one table?
Hi, I want to integrate AppDynamics into my Xamarin application. I created a trial account with AppDynamics. Is it possible to create an iOS user agent through a trial account? I am unable to get the EUM App Key for my trial account. Govind.
Hi Splunkers, I have a question about a custom app customization. For a customer, we created with Splunk Add-on Builder a simple app to use as a "container": every customization we perform, such as correlation rules, reports and so on, is assigned to this app. So, in its first release, the app has no particular panels, features and so on; let's say that it just "exists". To be clearer: if I log in and open the app, what I see is this:

and that's totally fine, since we did not perform any kind of customization. So now the question is: if I want to include the search function inside this app, how can I achieve this? I mean, we want to avoid having to go to the Search and Reporting app when we need to perform a search; we would like to be able to perform searches inside our app. For now, we don't need panels with specific charts based on particular queries: we simply want to be able to use (if it is possible, of course) the Search and Reporting app/its functionality inside our app.
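An added example, not part of the original post: the Search view is a system view that any app can expose through its navigation file, so no search dashboard has to be built. The file path and the app name are assumptions; the view names are the built-in ones.

```xml
<!-- $SPLUNK_HOME/etc/apps/<your_container_app>/default/data/ui/nav/default.xml
     (app name is hypothetical). Put it in local/ if the app is managed by
     Add-on Builder and you do not want the builder to overwrite it. -->
<nav search_view="search" color="#65A637">
  <!-- The built-in Search page, opened by default when the app is launched. -->
  <view name="search" default="true" />
  <!-- Optional: the other Search & Reporting pages, scoped to this app. -->
  <view name="datasets" />
  <view name="reports" />
  <view name="alerts" />
  <view name="dashboards" />
</nav>
```

`search_view` tells Splunk which view to open when a user clicks through from a panel or a saved search, so drilldowns stay inside the app. Searches and knowledge objects created from this page are saved with the container app as their app context, which is the whole point of the container. Restart splunkd or reload the app (`/debug/refresh`) after adding the file, and check that the roles in question have the app and the `search` capability in their permissions.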
Hi, I have

StartTime,EndTime
"2023-12-05 05:30:00.0000000","2023-12-05 08:00:00.0000000"
"2023-12-05 08:00:00.0000000","2023-12-05 09:30:00.0000000"
"2023-12-05 10:28:00.0000000","2023-12-05 13:30:00.0000000"

I need to visualize a column chart with 3 columns (in this case), each with height 1 (y axis). The width of the first column spans "2023-12-05 05:30:00.0000000" to "2023-12-05 08:00:00.0000000", the second "2023-12-05 08:00:00.0000000" to "2023-12-05 09:30:00.0000000", and the third "2023-12-05 10:28:00.0000000" to "2023-12-05 13:30:00.0000000". The x axis should be time. Example attached. Any ideas, please?
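An added example, not from the original post: a column chart cannot draw a bar of arbitrary width, but a timechart with a fine span draws a contiguous block of columns of height 1 across each interval, which looks like the attached picture. It expands every StartTime/EndTime pair into one row per minute and then charts the presence of a row. The three rows are embedded as constructed input so it runs on its own; the seven-digit fraction is stripped before parsing.

```spl
| makeresults
| eval raw="2023-12-05 05:30:00.0000000,2023-12-05 08:00:00.0000000;2023-12-05 08:00:00.0000000,2023-12-05 09:30:00.0000000;2023-12-05 10:28:00.0000000,2023-12-05 13:30:00.0000000"
| eval raw=split(raw, ";")
| mvexpand raw
| eval StartTime=mvindex(split(raw, ","), 0), EndTime=mvindex(split(raw, ","), 1)
| eval s=strptime(replace(StartTime, "\.\d+$", ""), "%Y-%m-%d %H:%M:%S"),
       e=strptime(replace(EndTime,   "\.\d+$", ""), "%Y-%m-%d %H:%M:%S")
| eval _time=mvrange(s, e, 60)
| mvexpand _time
| eval busy=1
| timechart span=1m max(busy) AS busy
```

Replace the first five lines with the search or lookup that yields StartTime and EndTime in production. mvrange(s, e, 60) produces one epoch per minute from s up to but not including e, so adjacent intervals (08:00 ends, 08:00 starts) do not double up and the gap 09:30 to 10:28 stays empty. Rendered as a column chart with a 1-minute span the blocks have exactly the widths of the intervals; if the chart is too dense, raise the span to 5m and change the step to 300.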
Hi all, hope you are doing well. I have been preparing for the Splunk Power User and Admin certifications. I have no hands-on experience in Splunk, so I want to test myself before spending money on the exams. So kindly help me if anyone has dumps of the exam, practice tests or the exam blueprint for December 2023. Thanks in advance; this will help me a lot.
Does anyone know why we are getting such errors for our few DB inputs? Is there a setting somewhere to increase the number of HECs on this HF for DBX usage?
I am querying the change in a value each week over the last 4 weeks. I need to know the value from the week before the search window to work out the change correctly.

index=ind sourcetype=src (type=instrument) earliest=-5w@w+1d latest=@w+1d
| bucket _time span=7d
| stats max(reading) as WeekMax by _time
| streamstats current=f last(WeekMax) as LastWeekMax
| eval WeekDelta = WeekMax - LastWeekMax
| eval WeekDelta = if(WeekDelta < 0, 0.000000, WeekDelta)
| table _time, WeekMax, WeekDelta

I don't want to show the row for the week before the query window (the -5th week). Any tips on how to change this query to only show results for the last 4 weeks but still calculate the change correctly? Thanks
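An added example, not part of the original post: keep the fifth week in the search so LastWeekMax is correct, then drop the earliest bucket after streamstats has used it. Finding that bucket with eventstats rather than a hard-coded time means the filter stays right whatever the picker or bucket alignment. Index, sourcetype and field names are the post's own; `aligntime=earliest` is added so the 7-day bins start at the Monday the search starts on instead of at the epoch-aligned default, which would otherwise split the window into six partial weeks.

```spl
index=ind sourcetype=src type=instrument earliest=-5w@w+1d latest=@w+1d
| bin _time span=7d aligntime=earliest
| stats max(reading) AS WeekMax BY _time
| streamstats current=f last(WeekMax) AS LastWeekMax
| eval WeekDelta = if(WeekMax - LastWeekMax < 0, 0, WeekMax - LastWeekMax)
| eventstats min(_time) AS FirstBucket
| where _time > FirstBucket
| table _time, WeekMax, WeekDelta
```

The first row of the streamstats output has no LastWeekMax (WeekDelta is null there), which is exactly the row the where clause removes, so the four remaining rows all have a delta computed from a real previous week. If a whole week can have no readings, add `| makecontinuous _time span=7d` before streamstats so the missing week is not silently bridged.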
I basically have the exact same question as https://community.splunk.com/t5/Dashboards-Visualizations/How-to-have-a-panel-use-an-offset-from-a-time-picker/m-p/351003. BUT I need to actually change the value in the time range picker token. E.g. if I select a time range of "last 4 hours" and my modification is to add an hour, then $token_time.earliest$ should not be "-4h" but "-5h".
Even though I am providing accurate inputs, the Speakatoo API is not working as expected for me. Seeking assistance to resolve this issue.
Hi, I want to schedule one Splunk alert; please let me know if the option below is possible:

When the first alert is received for an xxx error, the query should check whether this is the first occurrence of the error in the last 24 hours. If yes, an alert email can be triggered. If the error is not the first occurrence, then maybe, based on a threshold, we should only send one email for more than 15 failures in an hour or so.

The 2nd point is basically to set up a Splunk alert for the xxx error with a threshold: trigger when count > 15 in the last 1 hour. The 1st point is: when the 1st occurrence of the error comes, it will not wait for count > 15 and 1 hour; it will immediately trigger an email.

Please help with this.
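Both conditions can live in one scheduled search, as an added example that is not from the original post. The search runs every 5 minutes over a 24-hour window, counts the last hour inside the same stats, and emits one row with a `reason` field only when a condition holds. The index and the error string are assumptions; `reason` is a helper field added here.

```spl
index=app_logs "xxx error" earliest=-24h latest=now
| stats count AS occurrences_24h,
        count(eval(_time >= relative_time(now(), "-60m"))) AS failures_1h,
        max(_time) AS last_seen
| eval reason = case(
        occurrences_24h = 1 AND last_seen >= relative_time(now(), "-5m"), "first occurrence in 24h",
        failures_1h > 15, "more than 15 failures in the last hour",
        true(), null())
| where isnotnull(reason)
| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
```

Schedule it with a cron of `*/5 * * * *`, trigger on "Number of results" greater than 0, and throttle on the field `reason` for 60 minutes. The first branch fires only in the run right after the single event arrives (exactly one event in 24h and it is newer than the run interval), so it does not keep re-sending for a whole day; the second branch is suppressed by the throttle to one e-mail per hour, which is the "one email for more than 15 failures in an hour" behaviour asked for. Put `$result.reason$` and `$result.failures_1h$` in the e-mail subject so the recipient sees which rule fired.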
Hi SMEs, hope you are doing great. I am curious to know how to check the daily data consumption (GB/day) from a specific heavy forwarder using a Splunk search when there are multiple HFs in the deployment. Thanks in advance.
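An added example, not from the original post: the indexers' metrics.log records, for every inbound forwarder connection, how many kilobytes were received in each interval, together with the sending forwarder's hostname and its type, so summing that per day per forwarder gives GB/day for each HF. The forwarder hostname `hf01` is an assumption.

```spl
index=_internal sourcetype=splunkd source=*metrics.log group=tcpin_connections fwdType=full
| eval GB = kb / 1024 / 1024
| timechart span=1d sum(GB) AS GB_per_day BY hostname
```

`fwdType=full` keeps only heavy forwarders (universal forwarders report `uf`); drop it or add `hostname=hf01` to narrow to one HF. Run it from a search head that can search the indexers' `_internal` index, since that is where tcpin_connections is logged. The number is bytes received on the indexers' receiving port, which is what the HF actually shipped; it is not license usage, which `license_usage.log` attributes to the original data host, not to the forwarder in the path.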
Please help me get the time format for the string below in props.conf. I am confused by the last three patterns (533+00:00).

2023-12-05T04:21:21,533+00:00

Thanks in advance.
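The matching props.conf stanza, as an added example that is not from the original post. The sourcetype name is an assumption; the format string is derived from the sample above: `,533` is a three-digit millisecond field and `+00:00` is a zone offset written with a colon.

```ini
# Sourcetype name is hypothetical; apply on the parsing instance (indexer/HF).
[my_iso_sourcetype]
# Timestamp is at the very start of the event.
TIME_PREFIX = ^
# The whole stamp is 29 characters; do not scan further than that.
MAX_TIMESTAMP_LOOKAHEAD = 30
# %3N = exactly three subsecond digits (the comma is literal),
# %:z = offset with a colon, e.g. +00:00 (use %z for +0000).
TIME_FORMAT = %Y-%m-%dT%H:%M:%S,%3N%:z
```

Because the offset is part of the stamp, no `TZ` setting is needed; Splunk takes the zone from each event. Verify with a quick `| eval t=strptime("2023-12-05T04:21:21,533+00:00", "%Y-%m-%dT%H:%M:%S,%3N%:z") | eval check=strftime(t, "%FT%T.%3N%:z")` in search before restarting, since the same format variables are shared by eval and props.conf.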
Hi all,

Problem description: search head physical memory utilization increasing 2% per day.

Instance deployment: running Splunk Enterprise version 9.0.3 with 2 search heads, un-clustered. The main SH with this issue has 48 CPU cores | physical memory 32097 MB | search concurrency 10 | CPU usage 2% | memory usage 57% | Linux 8.7. It is used to search across a cluster of 6 indexers.

I've had Splunk look into it; they reported this could be due to an internal bug fixed in 9.0.7 and 9.1.2 (Jira SPL-241171). The actual bug fix is by the following Jira: SPL-228226: SummarizationHandler::handleList() calls getSavedSearches for all users, which uses a lot of memory, causing OOM at Progressive. A workaround to change limits.conf in the form of do_not_use_summaries = true did not fix the issue. The splunkd server process seems to be the main component increasing its memory usage over time. A Splunk process restart seems to lower and reset the memory usage, but it trends upwards at a slow rate.

If anyone could share a similar experience so we can validate the Splunk support solution of upgrading to 9.1.2 based on the symptoms described above, it would be appreciated. Thanks
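An added example, not from the original post, of the check that separates the main splunkd daemon from its child search processes, which all appear as `splunkd` in top. The introspection index records per-process memory every 10 seconds, with the command line in `data.args`, so the daemon (`-p 8089 start` or the systemd equivalent) can be trended on its own. The search head name is an assumption.

```spl
index=_introspection host=sh01 component=PerProcess data.process=splunkd earliest=-7d
| timechart span=1h max(data.mem_used) AS mem_used_MB BY data.args limit=10
```

If the line for the main daemon climbs steadily between restarts while the `search --id=...` lines come and go, the growth is in the server process itself, which is what the bug description above would produce; if instead the total is dominated by long-lived search processes, the cause is search load rather than the daemon. Keep the output of this search from before and after the upgrade to 9.1.2 so the support hypothesis can be confirmed with data rather than with a single restart.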
Hi team, we're encountering a problem with the Incident Review History tab in Splunk ES. Clicking on Incident Review, then a specific notable (like 'Tunnelling Via DNS'), followed by History and clicking 'View all review activity for this Notable Event', results in an empty history being displayed for all the notables. Any leads on this would be highly appreciated.

Note: recently we upgraded Splunk ES to 7.1.2 from 7.0.0.

Regards, VK18
When I apply ingest actions and I specify the host field and put in the IP address, it works fine, but when I try to use _raw and, for instance, filter on "Teardown ICMP connection", it shows the affected events; but when I check hours or days later, it is still ingesting the messages filtered using _raw as the field.
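An added example, not from the original post: the props/transforms pair that an ingest-actions filter on _raw compiles down to, written by hand so the behaviour can be checked outside the UI. The sourcetype is an assumption (the message is a Cisco ASA teardown line, so `cisco:asa` is used as a placeholder). The caveat a practitioner wants: a nullQueue rule only acts on the first instance that parses the event, so a rule deployed to the indexers does nothing for data that already passed through a heavy forwarder, and a rule keyed on _raw must be deployed to that HF.

```ini
# props.conf on the FIRST parsing instance (the heavy forwarder if there is one)
[cisco:asa]
TRANSFORMS-drop_icmp_teardown = drop_icmp_teardown

# transforms.conf on the same instance
[drop_icmp_teardown]
# Matched against _raw by default; anchor or tighten the regex if the phrase
# can appear inside events that must be kept.
REGEX = Teardown ICMP connection
DEST_KEY = queue
FORMAT = nullQueue
```

Confirm where the rule landed with `splunk btool props list cisco:asa --debug` on the HF and on an indexer; the file path printed tells you which instance actually carries it. The host-based rule in the question works either way because host is set before routing, whereas _raw is evaluated in the parsing pipeline, which explains why one filter held and the other did not. After the rule is active, the dropped volume shows up in `index=_internal source=*metrics.log group=queue name=nullqueue`.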
I'm using current Splunk Cloud. It appears the older "Splunk Add-on for AWS" can stream in CloudWatch log-group data through Inputs > Custom Data Type > CloudWatch Logs. This asks for comma-separated log groups to feed off of and presumably sets up ingest for them. Data Manager has a CloudWatch Logs section, but it appears to only cover:

AWS CloudTrail
AWS Security Hub
Amazon GuardDuty
IAM Access Analyzer
IAM Credential support
Metadata (EC2, IAM, Network ACLs, EC2 security groups)

Am I just missing something in Data Manager; does it support ingesting CloudWatch log groups? Should I use the "Splunk Add-on for AWS"? Should I forgo both and instead use the splunk log driver with the container tasks as per https://repost.aws/knowledge-center/ecs-task-fargate-splunk-log-driver (posted a year ago)? Thank you!
I'm trying to have a timechart showing the count of events by a category, grouped by week. The search time is controlled by a radio button on the dashboard with options from 1 week to 12 weeks, with the end date set to @w. I then have a drilldown that shows a table with more info about each event for that category in that time range.

mysearch ....
| dedup case_id
| timechart span=1w count by case_category

The chart looks fine, but when I click on certain sections to load the drilldown, much more data appears than was suggested by the count in the timechart. For instance, looking at Nov 19-25, the timechart shows 26 events, but when I go to the drilldown it shows 61. When I open the drilldown search in Search, the issue seems to involve expanding the time range beyond one week. If I change the range from Nov 19-25 to Nov 19-27, the data from Nov 22-24 is either erased or reduced.

Nov 19-25 stats count results:
Nov 19: null
Nov 20: 8
Nov 21: 14
Nov 22: 19 **
Nov 23: 20 **
Nov 24: 1 **
Nov 25: null

Nov 19-28 stats count results:
Nov 19: null
Nov 20: 8
Nov 21: 14
Nov 22: 5 **
Nov 23: null **
Nov 24: null **
Nov 25: null
Nov 26: null
Nov 27: 35
Nov 28: 1
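An added example, not from the original post. The numbers above are what `dedup case_id` produces when a case has events in more than one week: dedup keeps only the most recent event per case_id across the whole search window, so a case with events on Nov 22 and Nov 27 counts in the Nov 22 week when the range ends on Nov 25 and moves to the Nov 27 week once the range is widened, and the drilldown, which runs over a different window, sees a different set of survivors. Pinning each case to one fixed timestamp before charting makes the count independent of the window. Field names are the post's; the choice of `earliest` (first event of the case) is the design decision, `latest` would pin to the most recent event instead.

```spl
mysearch ....
| stats earliest(_time) AS _time, earliest(case_category) AS case_category, count AS events BY case_id
| timechart span=1w count AS cases BY case_category
```

The drilldown should run the same two lines and then filter on the clicked week and category, e.g. `| where case_category="$click.name2$" AND _time>=$click.value$ AND _time<relative_time($click.value$, "+1w")`, rather than narrowing the base search's time range, because narrowing the range changes which events are visible to stats in the first place. If a case's first event can lie before the picker's earliest time, run the base search over the widest radio-button range and apply the picker as a `where` on the pinned _time so the pin itself never moves.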