Hey guys, new to Splunk and trying to figure some things out and hit a wall. I created a dropdown called 'down'. I used this field in the search criteria and it's not filtering based on the value I set in the dropdown. Data is being pulled/returned but does not seem to be using the eval correctly. Any help would be greatly appreciated. Thanks!

Code is search:

source="plays.csv" host="DESKTOP-CU54MC0" sourcetype="csv" | apply "_exp_draft_275e108c50cd4522ac0479ad79873849" | `confusionmatrix("playType","predicted(playType)")` | eval down=$down$

I also cannot get it to restrict based on down in a search:

source="plays.csv" host="DESKTOP-CU54MC0" sourcetype="csv" | apply "_exp_draft_275e108c50cd4522ac0479ad79873849" | `confusionmatrix("playType","predicted(playType)")` | eval down=1
Here is an example of the table.

X Y Z W
A8 2
B12   7   5
C14 5
D24   2 3
Total 2*8+5*14 7*12+2*24 3*24 5*24

What is the SPL (formula or command) for calculating the total number as listed in the table?

Thanks,
Hi Everyone, when I am trying to update "Splunk App for Windows Infrastructure", the login screen where it asks to provide splunk.com credentials does not proceed further. I checked my credentials and they seem to be correct.

Any idea why I am unable to update the app? I am able to update other apps fine.
Hi Splunkers,

I have the statistics, for example:

Country     Sites                Stats
USA         DC, NY               4.8
China       Beijing, Shanghai    5.2
India       Mumbai, Delhi        6.2
Australia   Melbourne, Sydney    7.8
…

Let's say I have 50 countries' data there and I have to take a report for each country. How can I do it without doing it manually for each country? Any advice?
Hello Splunk Community, I'm trying to write a query to show me a chart (or table) for all hosts in my index in the last 45 min that haven't written a specific string to a log. The query below shows me that it has happened on a single host, but I want two columns in a table: column 1 showing the host name and column 2 showing how many times that string appeared in that log (including all the hosts with 0 times).

Query so far:

index="index" source="C:\\Windows\\System32\\LogFiles\\Log.log" "Detection!" earliest=-45m latest=now | stats count by host
Hi, does anybody know how to change the email in my account? My company is doing an email domain renewal and I need to change my email to a new email. Could you help me?
In our app's add-on's Inputs.config, the sourcetype is set to a custom name and the index is set to default, as shown in the image below.

In the add-on install flow, the UI dropdown to pick indexes is showing fewer than are available. For example, the indexes shown below are not showing in the list.

The one difference I see is that these indexes are created with App "_cluster_admin", while the others are "search". How do we enable the search option in the available indexes?
Hi Team, I have one file CARS.HIERCTR for which I want to capture the START and END DURATION. I am using the query below:

index="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 | rex "\[(?<thread>Thread[^\]]+)\]" | transaction thread startswith="Reading Control-File /absin/CARS.HIERCTR." endswith="Completed Settlement file processing, CARS.HIER." | table duration

But I am not getting any result. Can someone guide me?

Starting logger - 2023-08-29 00:26:20.256 [INFO ] [pool-3-thread-1] ReadControlFileImpl - Reading Control-File /absin/CARS.HIERCTR.D082823.T001819
Ending logger - 2023-08-29 02:18:33.064 [INFO ] [Thread-34] FileEventCreator - Completed Settlement file processing, CARS.HIER.D082823.T020913 records processed: 135959

PLEASE GUIDE.
Hi, previously in the Classic Dashboard designer you could use both the Input Name (now called Label) and the Value in a search. Is there a way to still do that in the new designer, or to store and call more than one value per dropdown? For example, I have a dashboard that checks log files for several programs to see if they are abnormally large, to indicate a problem. In the Classic designer it used the filename as the Label and the size it should be as the Value. I could call both in the search. If that is no longer possible, is there a way to hold more than one value in an array or something?
Running 9.0.x now, and I'm getting messages about kvstore issues on indexers, etc. I understand I can disable kvstore on some systems, but not all. Where do I need it upgraded to wiredTiger and where can I disable it?

Search heads - enabled and upgraded to wiredTiger
Enterprise Security search head - enabled and upgraded to wiredTiger
Cluster master - mmapv1
Indexers - mmapv1
Deployment server - mmapv1
Heavy forwarders - enabled and upgraded to wiredTiger
Hello - does the Splunk UF require .NET Framework to be installed in order to run on Windows servers? I am trying to determine if there are any .NET Framework dependencies for the Splunk Universal Forwarder. Thanks! Joel B
Hello, I upgraded from Splunk Enterprise 8.2.10 to 9.1.0.2. The values of the overview dashboard of the monitoring console are visible or not visible. Is it a bug, or is there a way to fix it? I look forward to hearing from you.
Hello, there is a requirement to add a mail hyperlink to Dashboard Studio. I tried to give "mailto:abc.com" in the link to URL, but it is saying that the link provided must be a relative/absolute path only. Can someone help here?

Thanks, Sudha A
Hi Team, I have two logs:

ReadFileImpl - ebnc event unbalanced event occurred for filename TRIM.DEMO.D082623.T070035
GfpEbncImpl - statusList detail with status UNBALANCED with description No Source Event found but Destination Event is present.

I want to show data like this:

phrase                                   filename                     description
ebnc event unbalanced event occurred     TRIM.DEMO.D082623.T070035    No Source Event found but Destination Event is present.

Current query:

index="abc" sourcetype=600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Unbalanced"

Please guide.
Hi Team, I have the raw log below:

CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

I want to create one table like this:

phrase                                    status     description
CARS_HIERARCHY event published to ebnc    SUCCESS    Event saved to database successfully.

Can someone help me with the query? My current query:

index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]"
I am using the query below to get the search result and calculate the failure percentage, but I am not getting the expected result.

index=dl* ("Error_MongoDB") | timechart span 1d count as Failure | appendcols [search index=dl* ("inserted Record") | timechart span=1d count as Success | eval (FailurePercentage = Failure/Sucess)*100 | field _time,Failure,Sucess,FailurePercentage

I am getting all the values except FailurePercentage. What could be the reason?
Hello, I'm not sure how to achieve this, or if it's possible. I have a column that I am using as a status indicator in a table. This is working, but I would love to remove the # being displayed. Is there a way to either change the text color based on the same threshold I am using to change the cell color, or maybe a way to just hide the values being displayed? Here's what I currently have in the dashboard source:

<format type="color" field="Monitor">
  <colorPalette type="list">[#53A051,#DC4E41]</colorPalette>
  <scale type="threshold">1</scale>
</format>
<format type="color" field="Count">
  <colorPalette type="list">[#53A051,#DC4E41]</colorPalette>
  <scale type="threshold">1</scale>
</format>
<drilldown>

Here's the column I am referring to.

Thank you for any help on this one, much appreciated. Tom
Hello everyone, I'm having a hard time figuring this out. I have a search where I have created a transaction in order to only display the "Create" events in a table. This worked, but I had to add a joiner in order to display a field from another search. Since I did this, only the events that have values in the joiner field I used are displayed. I need help with how I can still show all of the events from the transaction even though they don't have values from the joiner I used. Here's the search I have created (I'm still learning all of the search possibilities, so it might be ugly):

(integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" alert.message = "STORE*", alert.message != "*Latency" alert.message != "*Loss" action != "AddNote") OR (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration) | transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true | where closed_txn=0 | eval joiner=if(integrationName="Opsgenie Edge Connector - Splunk", alertAlias, x_86994_opsgenie_alert_alias) | stats values(*) as * by joiner | where alertAlias==x_86994_opsgenie_alert_alias | fields _time, alert.updatedAt, alert.message, alertAlias, alert.id, action, "alertDetails.Alert Details URL", _raw, closed_txn, _time, dv_number | eval Created=strftime(_time,"%m-%d-%Y %H:%M:%S") | rename alert.message AS "Branch" | rename "alertDetails.Alert Details URL" as "Source Link" | rename dv_number as Incident | table Created, Branch, "Source Link", Incident | sort by Created DESC

Thanks for any help on this one, Tom
Hello, I have a table view. In this table view is a column named operating-system. I want to create a new column OS where I rename the OS, for example all Microsoft Windows Server versions to just "Windows Server", all Linux versions and distributions to "Linux", and so on. For example:

operating-system                  |  OS
Microsoft Windows 10              |  Windows OS
Microsoft Windows 8               |  Windows OS
Linux                             |  Linux
Microsoft Windows Server 2019     |  Windows Server
Microsoft Windows Server 2012     |  Windows Server
CentOS                            |  Linux
Ubuntu                            |  Linux
Microsoft Windows Server 2016     |  Windows Server
How to detect failed passwords on Splunk?