All Topics


I have been attempting to contact support for several weeks now. I just need a license reset due to indexing too much data and to get a quote for increasing our current license to index more data. I've tried calling every day but get no answer, and the submit-a-case page never goes through whenever I hit submit. How am I supposed to get support when nothing works?
Hi, in my nav menu I would like to display a menu called "test", and when I click on it I would like it to display other dashboards like below. The problem I have is that I created "test" as a dashboard, so when I click on it, it opens a dashboard, and on the right I have an arrow with the links to the other dashboards. So how can I click on "test" without opening a dashboard? Thanks.

<!-- Use the view element to create a dashboard link -->
<view name="dashboard1" />
<!-- Use the collection element to create a list of items -->
<collection label="Menu name">
  <!-- Add items to the list -->
  <view name="dashboard2" />
  <view name="dashboard3" />
  <!-- Add a nested list with items -->
  <collection label="Submenu name">
    <view name="dashboard4" />
    <view name="dashboard5" />
  </collection>
</collection>
Working on a Splunk query to find login events that occur outside of the users' typical sign-in times. I do not want to get an average of all users, just the upper and lower bounds of each individual, and then determine if a login event is an outlier.

index=o365 sourcetype="o365:management:activity" Workload=AzureActiveDirectory Operation=UserLoggedIn
| eventstats avg("_time") AS avg stdev("_time") AS stdev
| foreach UserID eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2))
| eval isOutlier=if('_time' < lowerBound OR '_time' > upperBound, 1, 0)
| search isOutlier=1
After a searchable rolling restart that got stuck, I restarted the CM in order to get out of the rolling restart. What was the solution recommended in the following question: Rolling restart hung on "Reassigning primaries"- H... - Splunk Community? My indexer is still stuck in that status. How can I get the indexer back to status Up?
Hello Splunk Support, when I search in the Splunk console I get the following error:

Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.

And I'm using a trial license. Could you please help me troubleshoot this? Appreciate it.
Greetings, Splunk user but still a newbie. I am building some searches to show AWS CloudWatch data averages per account. An example would be "Average CPUUtilization in account X during the past 30 days". I'm currently getting data per EC2 instance with the following search:

index="aws" sourcetype="aws:cloudwatch" metric_dimensions="InstanceId=*" metric_name = CPUUtilization
| table account_id metric_dimensions metric_name period Average

But of course, this shows only the average per instance; I want to roll that data up to the account level and get the average for all instances within an account. I suspect "stats" is what I need to use, but a nudge in the right direction would greatly help.
Hi, I use a text input token in my dashboard in order to retrieve numeric specifications for a field. It works, but I would like the possibility to add >= before the number, e.g. >=200. How can I do this please?
I am trying to generate/send a report that shows results from the 28th of the previous month to the 28th of the current month automatically, without using the time picker. Any help appreciated!
Hello, could you provide sample log formats for the log4j sourcetype? Is it covered by the Splunk Add-on for Tomcat? Thanks.
Hi, I try to filter my table events from a dropdown list like this: Owner=$owner$. The item syntax in the dropdown list is like REM\A-AA228339. I tried with Owner="$owner$" but it doesn't work. What is wrong please?
Hello, I'm trying to make my dashboard more dynamic so that the color of a panel can change based on the search results. For example, I want the panel to be green if no errors come in, and then if an error comes up, it turns red. So far, I have set up a default value for the token and am able to change the token using a user input dropdown. So I can get the panel to change colors based on user input, but am unable to do so automatically when an error comes up. Your help is much appreciated! Here is the query I am using:

index=index
| eval $colorTest2$=case(payload.status=="400 BAD_REQUEST", "#d41f1f")
| rename payload.status as statuscode
| stats count by statuscode

Here is the code for the panel:

{
    "type": "splunk.column",
    "dataSources": {
        "primary": "ds_BaNWItWC_ds_A6hQFC1Q_ds_Aa7DGgzs_ds_DNwXAJTk_ds_FegrLP62"
    },
    "showProgressBar": false,
    "showLastUpdated": false,
    "title": "Status Codes Chart",
    "options": {
        "dataValuesDisplay": "all",
        "seriesColors": [
            "$colorTest2$"
        ]
    },
    "eventHandlers": [],
    "context": {}
}

Here is the code for the dropdown input:

{
    "options": {
        "items": [
            {
                "label": "Green",
                "value": "#118832"
            },
            {
                "label": "Red",
                "value": "#d41f1f"
            }
        ],
        "token": "colorTest2",
        "selectFirstSearchResult": true
    },
    "title": "Color Picker Test",
    "type": "input.dropdown"
}
I have 2 requests here. I am trying to extract and create a new field from logs. Logs for request 1:

2023-06-30 02:36:32 [INFO] [c6ea0e48-e793-4c35-893e-ff1f253dbca0] {"method":"GET","path":"/api/v2/organizations/infrastructure/workspaces","format":"jsonapi","status":200,"duration":377.88,"view":263.86,"db":65.86,"uuid":"c6ea0e48-e793-4c35-893e-ff1f253dbca0","remote_ip":"10.37.23.55, 10.218.136.20","request_id":"c6ea0e48-e793-4c35-893e-ff1f253dbca0","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36","user":"iamtfeprdadmin","organization":"infrastructure","dd"

Here I want to extract and create a new field "status". Example: status=200

Request 2 logs:

10.218.136.20 - - [30/Jun/2023:02:36:32 +0000] "GET /api/v2/runs/run-HtzBcKEKf8x75mVe/run-events?include=comment%2Cactor HTTP/1.1" 304 0 "https://terraform.srv.companyname.com.au/app/customer/workspaces/a01300-tfe-dev01-customer_infra_azure/runs/run-HtzBcKEKf8x75mVe" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"

Here I want to extract and create a new field "org". Example: org=customer (the org value is the path segment after "app", i.e. companyname.com.au/app/customer). Please help.
I wanted to know how I can calculate the average daily duration of the sessions
Hi all - is there a way for us to check/test connectivity across a list of assets from within a playbook? I was looking through the documentation and haven't found information that says whether it is possible or not. I only see how to do it manually or with the REST API call app_status, but no examples of how to use it within a playbook. Any help is appreciated!
Hi, I have a dashboard which has region-specific data like APAC, EMEA, and NA. I want to set up the time range for each panel, e.g. for one panel it should be every day between 5 am and 10 am, and for another panel 12 pm to 5 pm. How can I achieve this? Please help. Thanks in advance.
Hello, I'm trying to configure an ingestion of logs that are in UTC time. We are in Geneva and the timezone is Europe/Zurich (=UTC+2), so the logs are displayed with the wrong date. For example, a log ingested at 14:52 today is displayed in Splunk like this:

2023-07-05 12:52:40 ..

These logs are coming from a simple UF (Windows, UF version is 8.2.4). My Splunk environment is Linux (RedHat 8 / Splunk version is 9.0.4). As documented, I tried to add something like this in a props.conf:

[source::D:\path\to\file.log]
TZ = Europe/Zurich

First I added it in the UF configuration. No effect. Then I tried to put it on the indexers. No effect. I also tried to use the sourcetype name ([my_sourcetype]) instead of the source path, or to replace the Europe\Zurich value with "TZ = UTC+2"... it didn't work any better. Help would be appreciated! Thanks, David
Hello Everyone, thanks in advance! I have created a table view with a Yes/No select input as the Decision column. I am able to render the selected Yes/No in the view, but I need to record the selection made in the view to the lookup I have created. Below is the view for reference. Below is my XML code:

<dashboard version="1.1" script="table_select.js" hideEdit="false" hideChrome="true">
  <label>Checklist</label>
  <row>
    <panel>
      <table id="base_table">
        <search id="bestMain">
          <query>| makeresults count=10 | fields - _time | streamstats c as SRNo | eval Task="Task"." ".'SRNo' | eval Decision="" | fields SRNo Task Decision</query>
          <earliest>0</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

JS used for the view:

require([
  'underscore',
  'jquery',
  'splunkjs/mvc',
  'splunkjs/mvc/tableview',
  'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc, TableView) {
  // Cell renderer that replaces the Decision column with a Yes/No select
  var CustomRangeRenderer = TableView.BaseCellRenderer.extend({
    canRender: function(cell) {
      return _(['Decision']).contains(cell.field);
    },
    render: function($td, cell) {
      $td.html("<div><select name='decision' id='cars'><option value='No'>Select</option><option value='No'>No</option><option value='Yes'>Yes</option></select></div>");
    }
  });
  // List of table IDs to add the renderer to
  var tableIDs = ["base_table"];
  for (var i = 0; i < tableIDs.length; i++) {
    var sh = mvc.Components.get(tableIDs[i]);
    if (typeof(sh) != "undefined") {
      sh.getVisualization(function(tableView) {
        // Add custom cell renderer and force re-render
        tableView.table.addCellRenderer(new CustomRangeRenderer());
        tableView.table.render();
      });
    }
  }
});
Hi All, my idea is that when the mouse is moved or hovered over the status indicator, a message is displayed across the status indicator, but I can't seem to make it work with Status Indicator. Any ideas or thoughts on how I can do this are appreciated. Here is my code:

<viz type="status_indicator_app.status_indicator">
  <title>Process Status</title>
  <search>
    <query>index=idxdflt sourcetype=process:application instance="chpid" alert!=hours_since_dbdbackup | stats latest(status) as status latest(value) as value by alert |eval icon = case(status="OK", "check-circle" , status="WARNING", "question-circle", status="CRITICAL", "exclamation-circle") |eval colour = case(status="OK", "#1FB312" , status="WARNING", "#F0A729" , status="CRITICAL", "#D41C0F") | table alert icon colour status value| stats last(status) last(icon) as icon last(colour) as colour by alert</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <option name="drilldown">none</option>
  <option name="height">40</option>
  <option name="refresh.display">progressbar</option>
  <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
  <option name="status_indicator_app.status_indicator.fillTarget">text</option>
  <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
  <option name="status_indicator_app.status_indicator.icon">field_value</option>
  <option name="status_indicator_app.status_indicator.precision">2</option>
  <option name="status_indicator_app.status_indicator.showOption">2</option>
  <option name="status_indicator_app.status_indicator.showTooltip">true</option>
  <option name="status_indicator_app.status_indicator.staticColor">#555</option>
  <option name="status_indicator_app.status_indicator.useColors">true</option>
  <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
  <option name="trellis.enabled">1</option>
  <option name="trellis.size">small</option>
  <option name="trellis.splitBy">alert</option>
</viz>

Below is an example of what I want.
I'm experiencing a data discrepancy issue in my Splunk dashboard where a CSV file seems to be getting skipped. I receive the following error message: "Error in 'SearchParser': The search specifies a macro 'lookup_requirement_items' that cannot be found. Reasons include: the macro name is misspelled, you do not have..." I suspect that the skipped CSV file might be related to this data discrepancy issue. Has anyone encountered a similar problem or have any suggestions on how to troubleshoot this? Any help or insights would be greatly appreciated. Thank you!