Hello, please, I want to know if there is a way to display legends in the calendar heatmap application directly, without requiring a mouseover on the rectangles (circles).
Hi, I am a Windows user. I am trying to install universal forwarders on Ubuntu. Can anyone share a link to download it and the steps, please?
I am trying to configure Splunk to read the aide.log file. Which file(s) do I need to modify in Splunkforwarder to get it to read the aide.log file?
Hi Team, I am using the below query: [search index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True="✔" | bin _time span=1d | dedup _time | eval EBNCStatus="ebnc event balanced successfully" | table EBNCStatus True I want that if there are no events, then the message "ebnc event balanced successfully" should not get displayed. Can someone guide me on that?
Can someone suggest which type of storage is best for a Splunk Cluster? Is it Block storage or Object Storage?
I want to extract the below contractWithCustomers and contracts using rex, named as entity. For ID 1349c1f4-989c-4ea5-94ca-25fc40f6aab8 -flow started put:\contractWithCustomers:application\json:bmw-crm-wh-xl-cms-api-config For ID 1697108895 -flow started put:\contracts:application\json:bmw-crm-wh-xl-cms-api-config
Hello, I am trying to make a report which will display what notables were closed with what disposition. But unfortunately, when I make the report, it shows me values as follows: "disposition:1", "disposition:2" and so on, and I can't figure out how to change these values so that in the chart/graph it will show "false positive" or "true positive". I found a way to change the name of a column (rename as) but I can't find a way to change the values themselves, and if I try to use the same logic (rename disposition:1 as false positive) it doesn't do the trick. Could you point me in the correct direction, please? Thanks in advance
Hi All, I have created the below query: search index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" | rex "TRIM\.CNX(CTR)?\.(?<TRIM_ID>\w+)" | transaction TRIM_ID startswith="Reading Control-File /absin/TRIM.CNXCTR." endswith="Completed Settlement file processing, TRIM.CNX." | eval StartTime=min(_time) | eval EndTime=StartTime+duration | eval duration_min=floor(duration/60) | rename duration_min as TRIM.CNX_Duration | table StartTime EndTime TRIM.CNX_Duration | sort +StartTime +EndTime] | fieldformat ProcessingStartTime = strftime(ProcessingStartTime, "%F %T.%3N") | fieldformat ProcessingEndTime = strftime(ProcessingEndTime, "%F %T.%3N") | table starttime EndTime I am not getting the correct time. I am getting it in the below format: start time - 1697809010.604 EndTime - 1697809075.170 I want it in this format: StartTime - 2023-10-20 02:16:56.629 EndTime - 2023-10-20 02:19:57.554 Can someone help me here?
Splunk Enterprise 9.0.5.1 Hello! I have to calculate the delta between two timestamps that have nanosecond granularity. According to Splunk documentation, nanoseconds are supported with either %9N or %9Q: https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Commontimeformatvariables When I try to parse a timestamp with nanosecond granularity, however, it stops at microseconds and calculates the delta in microseconds as well. My expectation is that Splunk should maintain and manage nanoseconds. Here is a run anywhere: | makeresults | eval start = "2023-10-24T18:09:24.900883123" | eval end = "2023-10-24T18:09:24.902185512" | eval start_epoch = strptime(start,"%Y-%m-%dT%H:%M:%S.%9N") | eval end_epoch = strptime(end,"%Y-%m-%dT%H:%M:%S.%9N") | table start end start* end* | eval delta = end_epoch - start_epoch | eval delta_round = round(end_epoch - start_epoch,9) Is this a defect or am I doing something wrong? Thank you! Andrew
I am trying to set up a dashboard which gives me details like users' current concurrency settings and role utilization. If someone has implemented this kind of dashboard, please help.
When I call: https://api.{REALM}.signalfx.com/v1/timeserieswindow with my access token as the header X-SF-TOKEN, I receive: { "message": "API Error: 400", "status": 400, "type": "error" } The same happens when I add parameters to the request: https://api.{REALM}.signalfx.com/v1/timeserieswindow?query=sf_metric:"jvm.cpu.load"&startMs=1489410900000&endMs=1489411205000 Am I missing something?
Absolute imports: from utils import get_log
Relative imports: from .utils import get_log
This import line is in splunk/etc/apps/my_app/bin/myapp.py
Path of utils: splunk/etc/apps/my_app/bin/utils.py
Hi Team, I am using the below query: index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCStatus="ebnc event balanced successfully" | table EBNCStatus True When I select last 7 days, it is showing multiple columns. I want the value to be displayed according to the drop-down selected, like last 7 days or last 30 days. Can someone please guide me here?
I am extracting these three values, and if there is an empty value in any of the fields, it returns no result. How do I replace the blank values with NA in the rex statements? | rex field=AddtionalData "Business unit:(?<BusinessUnit>[^,]+)" | rex field=AddtionalData "Location code:(?<Locationcode>[^,]+)" | rex field=AddtionalData "Job code :(?<Jobcode>[^,]+)" | stats count by BusinessUnit Locationcode Jobcode | fields - count
Hi All, I am looking for a solution to integrate Splunk in AWS with HIPAA compliance. How is this set up? Is PrivateLink required for HIPAA compliance?
Hello, I would like to use a subsearch to literally paste a command into the SPL, e.g.: | makeresults [| makeresults | eval test="|eval t1 = \"hello\"" | return $test] and for it to be equivalent to | makeresults | eval t1 = "hello" Is this possible?
Hello, I've made a dashboard with Dashboard Studio and uploaded some images. The issue I'm facing is that these images are not visible to other users with other roles. They have the dashboard permission as well and can access it; the only issue is with the images. How can I fix this?
Hi, is there a way to turn an input playbook into an app? I have a playbook that gets an input and does something. I am looking for a way to make it an app so there will be no need to activate another playbook in order to make it work. Also, it is a bit problematic to run a former playbook to activate the input playbook, because then I would have to edit the former playbook with the relevant input, while with an app it would be much simpler. Thank you in advance
Hi, how can we apply the color for the respective fields in this dashboard? Source code: <title>Top Web Category blocked</title> <search> <query>index=es_web action=blocked host=* sourcetype=* | stats count by category | sort 5 -count</query> <earliest>$time_range_token.earliest$</earliest> <latest>$time_range_token.latest$</latest> </search> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.chart">bar</option> <option name="charting.backgroundColor">#00FFFF</option> <option name="charting.fontColor">#000000</option> <option name="charting.foregroundColor">#000000</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">none</option> <option name="charting.fieldColors">{"online-storage-and-backup":0x333333,"unknown":0xd93f3c,"streaming-media":0xf58f39,"internet-communications-and-telephony":0xf7bc38,"insufficient-content":0xeeeeee}</option> <option name="charting.legend.placement">right</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> </form> Output: I need different colors for all the fields. How can we achieve this? Thanks
I need your support in finding a way to integrate web apps hosted in the Azure cloud with Splunk. I tried using many add-ons from Splunkbase but I did not find this option, so if anyone knows how to integrate them to get the logs, please let me know. Thank you all.