Hi, previously in the Classic Dashboard designer you could use both the Input Name (now called Label) and the value in a search. Is there a way to still do that in the new Designer, or to store and call more than one value per drop-down? For example, I have a dashboard that checks log files for several programs to see if they are abnormally large, to indicate a problem. In the Classic designer it used the filename as the Label and the size it should be as the Value. I could call both in the search. If that is no longer possible, is there a way to hold more than one Value in an array or something?
Running 9.0.x now, and I'm getting messages about kvstore issues on indexers, etc. I understand I can disable kvstore on some systems, but not all. Where do I need it upgraded to wiredTiger and where can I disable it?

Search heads - enabled and upgraded to wiredTiger
Enterprise security search head - enabled and upgraded to wiredTiger
Cluster master - mmapv1
Indexers - mmapv1
Deployment server - mmapv1
Heavy forwarders - enabled and upgraded to wiredTiger
Hello - Does the Splunk UF require .NET Framework to be installed in order to run on Windows servers? I am trying to determine if there are any .NET Framework dependencies for the Splunk Universal Forwarder. Thanks! Joel B
Hello, I upgraded from Splunk Enterprise 8.2.10 to 9.1.0.2. The values of the overview dashboard of the monitoring console are visible or not visible. Is it a bug, or is there a way to fix it? I look forward to hearing from you.
Hello, there is a requirement to add a mail hyperlink to Dashboard Studio. I tried to give "mailto:abc.com" in the link-to-URL field, but it says that the link provided must be a relative or absolute path only. Can someone help here? Thanks, Sudha A
Hi Team, I have two logs:

ReadFileImpl - ebnc event unbalanced event occurred for filename TRIM.DEMO.D082623.T070035
GfpEbncImpl - statusList detail with status UNBALANCED with description No Source Event found but Destination Event is present.

I want to show data like this:

phrase | filename | description
ebnc event unbalanced event occurred | TRIM.DEMO.D082623.T070035 | No Source Event found but Destination Event is present.

Current query:

index="abc" sourcetype=600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Unbalanced"

Please guide.
Hi Team, I have the below raw logs:

CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

I want to create a table like this:

phrase | status | description
CARS_HIERARCHY event published to ebnc | SUCCESS | Event saved to database successfully.

Can someone help me with the query? My current query:

index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]"
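For the two extraction questions above (the ReadFileImpl/GfpEbncImpl pair and the CARS_HIERARCHY JSON status line), here is an added SPL example; it is not from either post. It assumes the index, sourcetype and source values exactly as the posters wrote them, that each message sits in _raw, and, for the first search, that the ReadFileImpl line is always logged shortly before its matching GfpEbncImpl line (no shared key is visible in the posted lines, so the pairing below is by time order, which is an assumption).

```spl
index="abc" sourcetype="600000304_gg_abs_ipc1" source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Unbalanced"
| rex field=_raw "ReadFileImpl - (?<phrase>ebnc event unbalanced event occurred) for filename (?<filename>\S+)"
| rex field=_raw "GfpEbncImpl - statusList detail with status (?<status>\w+) with description (?<description>[^\r\n]+)"
| sort 0 _time
| filldown phrase filename
| where isnotnull(description)
| table _time phrase filename status description

index="abc" sourcetype="600000304_gg_abs_ipc2" source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "CARS_HIERARCHY event published to ebnc"
| rex field=_raw "CarsDeltaHierarchyProcessor - (?<phrase>CARS_HIERARCHY event published to ebnc): (?<payload>\[.+\])"
| spath input=payload path="{}.status" output=status
| spath input=payload path="{}.description" output=description
| table _time phrase status description
```

The first search uses filldown to carry phrase and filename from the preceding ReadFileImpl event onto the GfpEbncImpl event that follows it; if the application logs a request or thread id on both lines, extract that and use stats values(*) as * by that id instead, which is robust to interleaved files. In the second search, spath reads the JSON array out of the extracted payload rather than matching it with a quoted search string; the original search phrase contains unescaped double quotes inside a quoted string, which ends the string early, so search for a shorter literal and extract the fields afterwards.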
I am using the below query to get the search result and calculate the failure percentage, but I am not getting the expected result.

index=dl* ("Error_MongoDB") | timechart span 1d count as Failure | appendcols [search index=dl* ("inserted Record") | timechart span=1d count as Success | eval (FailurePercentage = Failure/Sucess)*100 | field _time,Failure,Sucess,FailurePercentage

I am getting all the values except FailurePercentage. What could be the reason?
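An added example (not from the post) of computing the daily failure percentage in a single search; it assumes the same index=dl* and the two literal search terms from the question, and that an event matching Error_MongoDB is a failure and one matching "inserted Record" is a success.

```spl
index=dl* ("Error_MongoDB" OR "inserted Record")
| eval outcome=if(match(_raw, "(?i)Error_MongoDB"), "Failure", "Success")
| timechart span=1d count by outcome
| fillnull value=0 Failure Success
| eval FailurePercentage=if(Failure + Success > 0, round(Failure / (Failure + Success) * 100, 2), null())
| eval FailureToSuccessRatio=if(Success > 0, round(Failure / Success * 100, 2), null())
| fields _time Failure Success FailurePercentage FailureToSuccessRatio
```

Counting both outcomes in one timechart avoids appendcols, which lines rows up by position and silently misaligns when one side has a day without events. In the posted query the missing FailurePercentage has its own causes: the first timechart has span 1d instead of span=1d, the eval puts the parentheses around the assignment instead of the expression, Success is spelled Sucess in the eval and field list, the command is field instead of fields, and the subsearch bracket is never closed. FailurePercentage above is failures as a share of all events; FailureToSuccessRatio is the Failure/Success*100 figure the question asked for, guarded because a day with zero successes would otherwise return null.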
Hello, I'm not sure how to achieve this, or if it's possible. I have a column that I am using as a status indicator in a table. This is working, but I would love to remove the # being displayed. Is there a way to either change the text color based on the same threshold I am using to change the cell color, or maybe a way to just hide the values being displayed? Here's what I currently have in the dashboard source:

<format type="color" field="Monitor">
  <colorPalette type="list">[#53A051,#DC4E41]</colorPalette>
  <scale type="threshold">1</scale>
</format>
<format type="color" field="Count">
  <colorPalette type="list">[#53A051,#DC4E41]</colorPalette>
  <scale type="threshold">1</scale>
</format>
<drilldown>

Here's the column I am referring to. Thank you for any help on this one, much appreciated. Tom
Hello everyone, I'm having a hard time figuring this out. I have a search where I have created a transaction in order to only display the "Create" events in a table. This worked, but I had to add a joiner in order to display a field from another search. Since I did this, only the events that have values in the joiner field I used are displayed. I need help with how I can still show all of the events from the transaction even though they don't have values from the joiner I used. Here's the search I have created (I'm still learning all of the search possibilities, so it might be ugly):

(integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" alert.message = "STORE*", alert.message != "*Latency" alert.message != "*Loss" action != "AddNote") OR (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration)
| transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true
| where closed_txn=0
| eval joiner=if(integrationName="Opsgenie Edge Connector - Splunk", alertAlias, x_86994_opsgenie_alert_alias)
| stats values(*) as * by joiner
| where alertAlias==x_86994_opsgenie_alert_alias
| fields _time, alert.updatedAt, alert.message, alertAlias, alert.id, action, "alertDetails.Alert Details URL", _raw, closed_txn, _time, dv_number
| eval Created=strftime(_time,"%m-%d-%Y %H:%M:%S")
| rename alert.message AS "Branch"
| rename "alertDetails.Alert Details URL" as "Source Link"
| rename dv_number as Incident
| table Created, Branch, "Source Link", Incident
| sort by Created DESC

Thanks for any help on this one, Tom
Hello, I have a table view. In this table view is a column named operating-system. I want to create a new column OS where the OS is renamed: for example, all Microsoft Windows Server versions should be renamed to Windows Server, all Linux versions and distributions to Linux, and so on. For example:

operating-system | OS
Microsoft Windows 10 | Windows OS
Microsoft Windows 8 | Windows OS
Linux | Linux
Microsoft Windows Server 2019 | Windows Server
Microsoft Windows Server 2012 | Windows Server
CentOS | Linux
Ubuntu | Linux
Microsoft Windows Server 2016 | Windows Server
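An added SPL example for the OS normalization above, not from the post. The rows are constructed with makeresults from the values in the question; the Linux pattern goes slightly beyond the page by also matching Red Hat, Debian and SUSE names, which is an assumption about what else the inventory may contain.

```spl
| makeresults count=1
| eval operating_system=split("Microsoft Windows 10,Microsoft Windows 8,Linux,Microsoft Windows Server 2019,Microsoft Windows Server 2012,CentOS,Ubuntu,Microsoft Windows Server 2016", ",")
| mvexpand operating_system
| eval OS=case(
      match(operating_system, "(?i)windows\s+server"), "Windows Server",
      match(operating_system, "(?i)windows"), "Windows OS",
      match(operating_system, "(?i)^(linux|centos|ubuntu|red ?hat|rhel|debian|suse)"), "Linux",
      true(), "Other")
| table operating_system OS
```

case() evaluates its branches top to bottom, so the Windows Server pattern must come before the generic Windows pattern or every server would land in Windows OS; the final true() branch keeps unexpected values visible as Other instead of dropping them silently. To run this on the real table, replace the first three lines with your own search and rename the hyphenated field first (| rename operating-system AS operating_system), or refer to it inside eval as 'operating-system' in single quotes, because eval otherwise reads the hyphen as a minus sign.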
How to detect failed passwords in Splunk?
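An added example, not from the question, for detecting failed passwords and grouping them into brute-force or password-spraying candidates. The first search runs on four constructed OpenSSH sshd lines (documentation IP ranges, invented hostnames and ports) so it can be pasted as-is; the second assumes Windows Security event 4625 as ingested by the XmlWinEventLog input, and the thresholds in both are assumptions to tune for your environment.

```spl
| makeresults count=1
| eval _raw=split("Aug 28 10:01:02 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2;Aug 28 10:01:05 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 41030 ssh2;Aug 28 10:01:09 host1 sshd[1240]: Failed password for invalid user test from 203.0.113.5 port 41044 ssh2;Aug 28 10:03:10 host2 sshd[1301]: Failed password for alice from 198.51.100.7 port 50122 ssh2", ";")
| mvexpand _raw
| rex field=_raw "sshd\[\d+\]: Failed password for (?:invalid user )?(?<user>\S+) from (?<src>\S+) port (?<src_port>\d+)"
| eval invalid_user=if(match(_raw, "invalid user"), 1, 0)
| bin _time span=5m
| stats count AS failures, dc(user) AS distinct_users, sum(invalid_user) AS unknown_accounts, values(user) AS users by _time, src
| where failures >= 3 OR distinct_users >= 3
| table _time src failures distinct_users unknown_accounts users

index=wineventlog sourcetype="XmlWinEventLog:Security" EventCode=4625
| bin _time span=5m
| stats count AS failures, dc(TargetUserName) AS distinct_users, values(TargetUserName) AS users, values(SubStatus) AS sub_status by _time, IpAddress
| where failures >= 10 OR distinct_users >= 5
```

On the constructed sample only 203.0.113.5 is reported (three failures against three different accounts, two of them non-existent); 198.51.100.7 with a single failure is not. To run the Linux search on live data, replace the makeresults and mvexpand lines with index=... sourcetype=linux_secure "Failed password". The distinct_users condition is what catches password spraying, which stays under any per-account lockout threshold but touches many accounts from one source; the unknown_accounts count separates guessing against real users from spraying a wordlist. On Windows the same distinction comes from SubStatus: 0xC000006A is a wrong password for an existing account and 0xC0000064 is an account that does not exist. The classic WinEventLog format names the fields Account_Name and Source_Network_Address instead.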
Hi, I have a Splunk Enterprise installation composed of 3 clustered indexers. I need to forward all the events received on port 9997 to an external system. Data must be indexed locally but also sent to this external system. I can't do this operation directly from the universal forwarders because of network restrictions. Is there a way to achieve this goal on the indexer side?
Automatically detect how metrics across services impact resources and users

New APM Detectors help engineering teams simplify alert creation and effectively detect abnormalities in traffic patterns. In one step, Splunk APM users can create detectors within the context of familiar capabilities like the service map, tag spotlight, and APM's landing page. Additionally, teams can now create detectors based on request rate to understand abnormalities in traffic patterns.

Instantly simplify & automate browser test creation

The new Synthetic Monitoring Chrome Scripts Importer captures precise user actions and complex user flows across multiple pages to replicate interactions and generate test scripts that cover various scenarios and user journeys. By simplifying and automating browser test creation, engineering teams can ensure tests resemble actual user experiences and gain a more reliable understanding of functionality and performance.

Easily reconstruct end-user actions and behavior

RUM Session Replay gives users access to video reconstructions that showcase end-user actions and behavior in a web application. By being able to quickly reproduce issues with detail-rich performance metrics and a waterfall view of the user session, users will be able to better understand their customer's journey so they can debug issues faster and reduce MTTR in context.

Try it Today

To learn more about generating tests, read our Chrome Scripts Importer documentation. To learn more about controlling service data OOTB, read more here. For insight into accessing video reconstructions of your user experience, read the documentation here.
Hello everyone, I have set up a Splunk OTel Collector sidecar container along with my application container in AWS ECS Fargate to send APM traces to Splunk Observability Cloud. Everything seems to be working, but I was trying to add a container health check to see if my sidecar container is healthy or not. I have added a basic script that should always pass the checks. I have tried running the script/command after logging in to a container and they work perfectly fine, but when I configure them as part of my health check they fail.

Image: quay.io/signalfx/splunk-otel-collector:latest
Command used for the health check:

"/usr/lib/splunk-otel-collector/agent-bundle/bin/curl -f http://localhost:13133 || exit 1"

Has anyone faced this issue before? Please help. Thanks
Hi, I have data with the following dates under the field "Warranty_End_Date":

Warranty_End_Date | Manufacturer
4/1/2026 | Lenovo
4/8/2026 | Lenovo
1/9/2026 | Acer
4/1/2025 | Apple
19/7/2023 | Acer
4/1/2026 | Acer
4/4/2026 | HP
8/1/2028 | Lenovo
10/1/2022 | Lenovo
4/1/2026 | Apple
4/1/2026 | Apple
4/1/2026 | Lenovo
4/1/2026 | Lenovo
4/1/2026 | Lenovo
4/3/2026 | Lenovo
4/3/2026 | Lenovo

I want to create a new field with similar values with respect to Warranty_End_Date. I tried the command

eval WarEnd = case("Warranty_End_Date" = "*2026", "2026", 1=1, "NA")

and similarly for other years, but got no proper output.
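An added example (not from the post) that derives the warranty year from Warranty_End_Date. The sample rows are constructed from a few of the values in the question plus one deliberately malformed value, and it assumes the dates are day/month/year, which the 19/7/2023 row implies; the 90-day "expiring" window is an assumption.

```spl
| makeresults count=1
| eval Warranty_End_Date=split("4/1/2026,19/7/2023,10/1/2022,8/1/2028,4/4/2026,not a date", ",")
| mvexpand Warranty_End_Date
| eval war_end_epoch=strptime(Warranty_End_Date, "%d/%m/%Y")
| eval WarEnd=if(isnotnull(war_end_epoch), strftime(war_end_epoch, "%Y"), "NA")
| eval days_left=if(isnotnull(war_end_epoch), round((war_end_epoch - now()) / 86400), null())
| eval warranty_state=case(isnull(war_end_epoch), "unparseable", days_left < 0, "expired", days_left < 90, "expiring", true(), "active")
| table Warranty_End_Date WarEnd days_left warranty_state
```

The posted case() compares the literal string "Warranty_End_Date" with "*2026": in eval, a name in double quotes is a string rather than a field reference, and = is an exact comparison that does not expand wildcards, so no branch ever matches and every row gets "NA". If only the year is wanted, rex field=Warranty_End_Date "/(?<WarEnd>\d{4})$" does it in one step; parsing with strptime additionally yields an epoch you can sort on and age-compute with, and it returns null for values that do not fit the format, which the example surfaces as "unparseable" instead of hiding.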
Good day. The following problem: I load data into Splunk once a week, however not always on the same day. I now want to show a trend compared to last week on a dashboard, but the span option must fit the day. Is there a way for the span option to automatically adjust to the next date where there is data? Or do you have another suggestion for how I can solve the problem? Currently, if the span does not fit exactly, I get an increase of 100%. My current search query is very basic:

index=test CVSS_v3_Severity=$severity_tok$ Operating_System_Generation=$os_dd_tok$ | dedup CVE | timechart span=7d count

Thanks in advance and best regards, Nico
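An added example, not from the post, that compares each load day with the previous load day regardless of how many days lie between them. It assumes the same index, dashboard tokens and CVE field as the posted query, and that each weekly load lands within a single calendar day.

```spl
index=test CVSS_v3_Severity=$severity_tok$ Operating_System_Generation=$os_dd_tok$
| bin _time span=1d
| stats dc(CVE) AS cve_count by _time
| sort 0 _time
| streamstats current=f window=1 last(cve_count) AS prev_count, last(_time) AS prev_time
| eval change_pct=if(isnotnull(prev_count) AND prev_count > 0, round((cve_count - prev_count) / prev_count * 100, 1), null())
| eval days_since_prev=if(isnotnull(prev_time), round((_time - prev_time) / 86400), null())
| table _time cve_count prev_count change_pct days_since_prev
```

Binning per day and aggregating with stats leaves one row per day that actually has data, so there are no empty seven-day buckets to compare against; streamstats then carries the previous load's count and date forward, and the percentage is always against the last real load. dc(CVE) per load day replaces dedup CVE, which across the whole time range keeps only the newest occurrence of each CVE and therefore undercounts earlier loads. If a load can cross midnight, widen the span or bin on a load identifier field instead of _time.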
Hi. I have a search that shows a chart for 14 months. If I change the time picker it still shows 14 months for some reason. As you can see in the picture, the time picker says 30 days, but the graph still shows 14 months. What gives? Also, is there a way to display a trendline on the graph? If I use | trendline sma10(Cores) or the like, it changes the graph instead of just showing a linear line.
Hi Splunk Experts. I have a table with multiple fields; based on a click I've created a token to get a value from it. I need to pass this token's value to a textbox in another panel. Is it possible? Please advise!
Dataframe row: {"_c0":{"0":"deleted_count","1":"18","2":"8061","3":"0","4":"366619","5":"2","6":"1285","7":"2484","8":"1705","9":"1517","10":"12998","11":"13","12":"57","13":"0","14":"0","15":"0","16":"0","17":"1315","18":"0","19":"0","20":"0","21":"0","22":"0","23":"410973","24":"18588725","25":"0","26":"0","27":"0","28":"0","29":"25238"},"_c1":{"0":"load_date","1":"2023-08-28","2":"2023-08-28","3":"2023-08-28","4":"2023-08-28","5":"2023-08-28","6":"2023-08-28","7":"2023-08-28","8":"2023-08-28","9":"2023-08-28","10":"2023-08-28","11":"2023-08-28","12":"2023-08-28","13":"2023-08-28","14":"2023-08-28","15":"2023-08-28","16":"2023-08-28","17":"2023-08-28","18":"2023-08-28","19":"2023-08-28","20":"2023-08-28","21":"2023-08-28","22":"2023-08-28","23":"2023-08-28","24":"2023-08-28","25":"2023-08-28","26":"2023-08-28","27":"2023-08-28","28":"2023-08-28","29":"2023-08-28"},"_c2":{"0":"redelivered_count","1":"0","2":"1","3":"0","4":"0","5":"0","6":"0","7":"204","8":"0","9":"0","10":"0","11":"0","12":"0","13":"0","14":"0","15":"0","16":"0","17":"0","18":"0","19":"0","20":"0","21":"0","22":"0","23":"0","24":"9293073","25":"0","26":"0","27":"0","28":"0","29":"0"},"_c3":{"0":"table_name","1":"pc_dwh_rdv.gdh_ls2lo_s99","2":"pc_dwh_rdv.gdh_spar_s99","3":"pc_dwh_rdv.cml_kons_s99","4":"pc_dwh_rdv.gdh_tf3tx_s99","5":"pc_dwh_rdv.gdh_wechsel_s99","6":"pc_dwh_rdv.gdh_revolvingcreditcard_s99","7":"pc_dwh_rdv.gdh_phd_s99","8":"pc_dwh_rdv.gdh_npk_s99","9":"pc_dwh_rdv.gdh_npk_s98","10":"pc_dwh_rdv.gdh_kontokorrent_s99","11":"pc_dwh_rdv.gdh_gds_s99","12":"pc_dwh_rdv.gdh_dszins_s99","13":"pc_dwh_rdv.gdh_cml_vdarl_le_ext_s99","14":"pc_dwh_rdv.gdh_cml_vdarl_s99","15":"pc_dwh_rdv.gdh_avale_s99","16":"pc_dwh_rdv.gdh_spar_festzi_s99","17":"pc_dwh_rdv_gdh_monat.gdh_phd_izr_monthly_s99","18":"pc_dwh_rdv.gdh_orig_sparbr_daily_s99","19":"pc_dwh_rdv.gdh_orig_terming_daily_s99","20":"pc_dwh_rdv.gdh_orig_kredite_daily_s99","21":"pc_dwh_rdv.gdh_orig_kksonst_daily_s99","22":"pc_dwh_rdv.gdh_orig_baufi_daily_s99","23":"pc_dwh_rdv_creditcard.credit_card_s99","24":"pc_dwh_rdv_csw.fkn_security_classification_s99","25":"pc_dwh_rdv_loan_appl.ccdb_loan_daily_s99","26":"pc_dwh_rdv_loan_appl.leon_loan_monthly_s99","27":"pc_dwh_rdv_loan_appl.nospk_loan_daily_s99","28":"pc_dwh_rdv_partnrdata.fkn_special_target_group_s99","29":"pc_dwh_rdv_talanx.insurance_s99"}}