Hi, I have a dashboard with multiple filters. I have a "customer" and a "subsidiary" filter. I want the "customer" filter to display the corresponding companies depending on the selection of the "subsidiary" filter. My query for the "customer" filter is as follows; currently it is showing all companies:

index IN ("organization_a_company", "organization_b_company") | dedup name | fields name

For the "subsidiary" filter, it has a static input with

Name - Value
============
All - *
OrgA - OrgA
OrgB - OrgB

However, since the value of "subsidiary" is different from the actual index name, I need to perform an eval case to map it to the corresponding index names. I tried something dynamic in the "customer" filter like:

index IN ("organization_a", "organization_b")
| eval $sub$ = "OrgA" <- the $sub$ token should come from the "subsidiary" filter, I am just testing here
| eval filteredIndex = case($sub$ == "OrgA", "organization_a", $sub$ == "OrgB", "organization_b", 1=1, "organization_*")
| search index IN ($filteredIndex$)
| dedup name
| fields name

but it didn't give any results. I tried following the example here by using $$ but still no luck. And I don't think I can put the eval before the search, right? But how can I make the index dynamic then? Thanks
Hi, below is my raw data:

{
timestamp: 2023-09-10
Version:1
Kubernetes.namespace: X
Kubernetes.node: Y
App_id:12345
Host: server.ms.com
Log:  21:46:32.268 [[Runtime].uber.471: [dasda-dasf-fasfs-import-1.0.0].vmstats.com] INFO net.das.com - ProcessCPUload=2.39| SystemCPUload=2.55|Initial memory=1.00| Usedheapmemory=0.70|Maxheap memory=0.95|commited_memory=0.95
S_sourcetype=x
Source=lkms
}

Now, if I query as index=123 | table log, I get the complete data in the log field, but my aim is to create a table with the columns ProcessCPUload, SystemCPUload, Usedheapmemory, Maxheap memory, commited_memory with their respective values. Could you help on how I could achieve this, please?
Hi friends. I've followed the path to use the UniversalForwarder app from my Splunk Cloud environment. But I have the following message:

The TCP output processor has paused the data flow. Forwarding to host_dest=inputs1.XXXX.splunkcloud.com inside output group splunkcloud_ from host_src=YYYYYY has been blocked for blocked_seconds=10. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. Learn more.

I've tested the communications to Splunk Cloud:

splunkcloud.com:9997
splunkcloud.com:8000
splunkcloud.com:8089

And all are OK. My heavy forwarder is now skipping data. Is there something else I could check out?
I am trying to calculate the overall score in a panel for each Registration type. I want the box inside to the right. Is that possible? I have added a screenshot.
Does the 'Add-on for Atlassian JIRA Service Desk alert action' (https://splunkbase.splunk.com/app/4958) allow you to "auto-map" the varied values coming from the Splunk ES alert to specific fields in Jira? As an example, we would like to auto-map/populate ${source_ip}$ to the 'Source IP' field in the Jira record. Thank you, Mike
I'm doing a main search of a sourcetype, then I need to join with a CSV file using inputlookup. Both the main search and the subsearch have the `Name` column, but when sending the complete search through the API, it does not return the values correctly, whereas when I do the search manually in Splunk it works correctly.

import time
import splunklib.client as client

service = client.connect(host=host, port=port, username=user, password=password)

search = '''search ''' + '''index="aiops_main" sourcetype="scom_np" OR sourcetype="scom_p" type="*SQL*" AND (type="*AlwaysOn*" OR type="*Server Service Stopped*")
| join type=left Name
    [| inputlookup maintenance_window.csv max=0
     | eval Name=lower(Name)
     | table Name, maint_down_start_time, maint_down_end_time, change_ticket]
| eval is_maintenance = if((alwayson_failovertime >= maint_down_start_time) AND alwayson_failovertime < maint_down_end_time,"true","false")
| table Name, type, is_maintenance
'''

kwargs_export = {
    "earliest_time": '1',
    "latest_time": "now",
    "search_mode": "normal",
    "exec_mode": "blocking",
}

# Create job and return results
try:
    job = service.jobs.create(search, parse_only=False, **kwargs_export)
    print(time.strftime('\n%Y_%m_%d__%H:%M:%S'))
    print("...done!")
except Exception as e:
    print("Trouble connecting to Splunk. Try again in a few seconds")
    raise e

This error appears: "INFO: [subsearch]: Your timerange was substituted based on your search string"

In short: the is_maintenance field, when run manually in Splunk, returns some lines as True, while running the same search in Python returns all as False.
I need to be able to list the changes made to firewall rules. It seems like a simple audit task that you should be able to do, but unfortunately I can't find the answer to my problem in this documentation. Does anyone know how to do this audit from Splunk?

Palo Alto Networks App for Splunk | Splunkbase
Palo Alto Networks Add-on for Splunk | Splunkbase
index="tbv" source="winevents" ComputerName="CSPV-MTL-GCS-GAME1" EventID=6013

EventID=6013 reports the system uptime in seconds (example: "The system uptime is 18 seconds.") in the MessageString field. I need help to add up all the system uptime values and show the total in hours.
I have two lookup tables called lookup1.csv and lookup2.csv; both have a matching field called fullname. I want to match my lookup1.csv to lookup2.csv and output the values that are not in lookup1.csv but are in lookup2.csv.

| inputlookup lookup1.csv | search NOT [| inputlookup lookup2.csv | fields fullname]

But this SPL displays results found in both lookup tables. Is there any way to do this in Splunk? Thanks in advance
Hi All, I have these two logs:

2023-08-09 10:31:57.853 [INFO ] [Thread-3] CollateralFileGenerator - Started generation of collateral Data file for type LENDING
2023-08-09 10:31:59.342 [INFO ] [Thread-3] CollateralFileGenerator - *****************************************SUCCESS in sending control file collateral files to ABS Suite!!!*****************************************

I want to create a table structure where the first column is _time and the second column holds these two statements:

Started generation of collateral Data file for type LENDING
*****************************************SUCCESS in sending control file collateral files to ABS Suite!!!*****************************************

In the third column I want a green tick if I receive these two logs, and a red tick if I don't receive them. Can someone help me with the query?
Dears, I have a problem with my dashboard using HTML inside the <row>. What I want to achieve is having 2 tabs so that when I click on each of them a different query will be executed. The problem is that I have separate HTML code in each of them and both links appear as active regardless of the tab I select. I followed this tutorial: Splunk Dashboard Customization: Create Multiple Tabs Within A Single Dashboard - Splunk on Big Data. My code is:

<dashboard script="tabs.js" stylesheet="tabs.css">
  <label>test</label>
  <row id="tabs">
    <panel>
      <html>
        <ul id="tabs" class="nav nav-tabs">
          <li class="active">
            <a href="#" class="toggle-tab" data-elements="tab_Map" data-token="control_token_non_internal" style="color:orangered;font-weight: bolder;">tab1</a>
          </li>
          <li>
            <a href="#" class="toggle-tab" data-elements="tab_Tab2" data-token="control_token_non_internal" style="color:orangered;font-weight: bolder;">tab2</a>
          </li>
        </ul>
      </html>
    </panel>
  </row>
  <row id="tab_Map">
    <panel>
      <html>
        <a href=...(omitting this part)><button class="button">tab1</button></a>
      </html>
    </panel>
  </row>

and another row for the other tab. I get both buttons like below. I want to have only the tab1 button when I click on tab1, not both buttons. Any idea what I am missing?
Looking at the Terraform provider documentation, I do not fully understand how a user is deleted using the "splunk_authentication_users" resource. Referenced here: https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/authentication_users

I also looked through the provider source and examples and could not make heads or tails of it: https://github.com/splunk/terraform-provider-splunk, as well as the REST API: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTaccess#authentication.2Fusers

Any help is appreciated! Thanks, Chris
I am currently using a drilldown which refreshes a graph in the same page; now I want to create a click elsewhere in the chart which brings the drilldown back to its default values. Could someone help with this? Basically, it's a pie chart with a drilldown to a tabular view. Clicking on one of the pie slices changes the tabular view based on which slice is clicked. Now, I want to create something which can take me back to the default view, i.e. all the values in the pie chart and all the values in tabular form.
I have a JSON event like this:

{
  ...otherfields...,
  "fields": {
    "id1": 123,
    "id2": 456,
    "id3": 789,
    ...
  },
  ...otherfields...
}

I want to extract some key-value pairs from the "fields" object, i.e., I want to see the extracted fields in the "interesting fields" section. For example, if I only want to extract id1 and id3, I should use

eval new_id1 = mvindex(fields.id1, 0)
eval new_id3 = mvindex(fields.id3, 0)

, right? Or is there another efficient way that does not use foreach? I am new to the Splunk syntax, so I would appreciate any help.
Hello, I'm new to learning Splunk and asked about simple sample dataset logs I can practice on, and someone suggested BOTS v3. I managed to download the dataset, but it says that it requires a lot of software (Splunkbase apps/add-ons). Now, I'm really not that familiar with what these apps/add-ons are; I just wanted to download a dataset to practice on. The issue I'm encountering is that whenever I click the download button it just keeps loading the page and won't let me download the apps! Is it necessary to download these apps to actually start analysing the dataset? This is all new to me and I could not find any tutorials on how to download it, only walkthroughs.
How can I add my search time range to my table title?

Code:
<title>Search from &lt;$SelectTime.earliest$&gt; to &lt;$SelectTime.latest$&gt;</title>

Output:
Search from <1691971200> to <1692057600>
How to change the size & colors for labels in dashboard studio?
Hi, we want to monitor the health of the APIs using the Analytics Custom event schema. To achieve this we have created the schema using Postman and published the data to the event schema we have created. But how can we replicate this for monitoring the API performance? Can you please let us know how we can achieve this. Thanks, Vijay.
Hi team, is it possible to configure alert trigger actions via the splunk-sdk (nodejs) for a Splunk Add-On? I would like to add the slack-alert action. Is there any way to do this via the REST API or via the official SDK?
Attached a snapshot for reference. Also, how can I reduce the table size to a smaller one?