Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hello, I'm trying to understand the behavior of a basic query like the one below (I've ingested a JSON dataset):

```
index=main syswow64
```

This returns many events, as I have events with a field path with a value of c:\windows\syswow64\ws2_32.dll. Reading the documentation, I understood that not specifying a field will actually query the _raw field, so my first guess was that the above query is equivalent to

```
index=main _raw=syswow64
```

However, the above does not return any event, as opposed to

```
index=main _raw=*syswow64*
```

So I then thought that it was actually adding wildcards by default to perform the search on the _raw field; however, the below seems to indicate that it does not:

```
# This will not return any event
index=main yswow64
# This will return events
index=main _raw=*yswow64*
```

So it looks like when not specifying any field I can actually search for "words", but I cannot when specifying a field name (i.e. _raw= or path=). I'm not sure I understand the concept behind this. Can someone please explain the Splunk behavior and why this is happening? Also, which of the two queries below is the most optimized to search for the existence of syswow64 in path?

```
index=main syswow64 # this might return more events if the syswow64 word exists in another field
index=main path=*syswow64*
```

Thank you!
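The difference the post observes comes down to two different matching rules: a bare term is looked up against the tokens Splunk produced when it segmented the event at index time, whereas field=value compares the whole field value and only expands an explicit "*". The following is an added example, not code from the original post or from Splunk: a deliberately simplified model of those two rules in JavaScript. The breaker set used for segmentation is an assumption chosen to reproduce the behaviour described above (the real rules live in segmenters.conf), and the sample path is constructed from the value quoted in the post.

```javascript
// Added example (not from the original post): a deliberately simplified model of
// why a bare search term behaves differently from a field comparison in Splunk.
// Real Splunk segmentation is configured in segmenters.conf; the breaker set
// below is an assumption chosen to reproduce the behaviour described in the post.
const BREAKERS = /[\\\/:=,.;!?\s"'()\[\]{}<>|]+/;

// Keyword search: a bare term matches only whole indexed tokens (case-insensitive),
// so "syswow64" hits the path but "yswow64" does not, because no token equals it.
function tokenize(raw) {
  return raw.toLowerCase().split(BREAKERS).filter(t => t.length > 0);
}

function termMatch(raw, term) {
  return tokenize(raw).includes(term.toLowerCase());
}

// Field comparison: field=value compares the whole value, case-insensitively;
// "*" is the only wildcard and there is no implicit substring match.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function fieldMatch(value, pattern) {
  const re = new RegExp('^' + pattern.split('*').map(escapeRegex).join('.*') + '$', 'i');
  return re.test(value);
}

// Constructed sample value, the path quoted in the post.
const RAW = 'c:\\windows\\syswow64\\ws2_32.dll';

// Each query from the post next to the result this model gives it.
function demo() {
  return {
    'syswow64': termMatch(RAW, 'syswow64'),            // true: whole token
    'yswow64': termMatch(RAW, 'yswow64'),              // false: not a token
    '_raw=syswow64': fieldMatch(RAW, 'syswow64'),      // false: whole value differs
    '_raw=*syswow64*': fieldMatch(RAW, '*syswow64*'),  // true: wildcard substring
    '_raw=*yswow64*': fieldMatch(RAW, '*yswow64*'),    // true: wildcard substring
  };
}

console.log(demo());
```

On the optimization question: the bare term is resolved through the index's lexicon and bloom filters, while a field match with a leading wildcard has to be evaluated against every candidate event, so the usual pattern is to combine them, index=main syswow64 path=*syswow64*, letting the keyword cut the candidate set down before the field comparison confirms which field held it.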
We have created custom REST endpoints and they are working on a Splunk server running 8.1.3. But the same REST endpoint is not working on another Splunk server; it shows "404 not found".
Hi Community, we are planning to integrate Solarwinds with Splunk Cloud and ingest data from Solarwinds. We didn't find proper documentation to set up the integration. Can anyone suggest what the best approach is to get Solarwinds data into Splunk Cloud? Regards, Eshwar
Hi Everyone, I have a dashboard which has a pie chart, a table, a line chart, etc. I want to create a button so that I can export the dashboard as a PDF with only the content I want. For example, I want to remove the drop-downs and alter the font size, etc. I know that this is not possible directly in Splunk. Is it possible using JavaScript? I'm trying out JavaScript for the first time and need some input. How can I achieve this? Thanks in advance.
Hey, I am wondering how we can modify the below query/rule to exclude IPs that have been blocked by the firewall (orig_sourcetype="fortigate_utm"). Query:

```
| from datamodel:"Threat_Intelligence"."Threat_Activity"
| dedup threat_match_field,threat_match_value
| `get_event_id`
| table _raw,event_id,source,src,dest,src_user,user,threat*,weight
| rename weight as record_weight
| `per_panel_filter("ppf_threat_activity","threat_match_field,threat_match_value")`
| `get_threat_attribution(threat_key)`
| rename source_* as threat_source_*,description as threat_description
| fields - *time
| eval risk_score=case(isnum(record_weight), record_weight, isnum(weight) AND weight=1, 60, isnum(weight), weight, 1=1, null()),
       risk_system=if(threat_match_field IN("query", "answer"),threat_match_value,null()),
       risk_hash=if(threat_match_field IN("file_hash"),threat_match_value,null()),
       risk_network=if(threat_match_field IN("http_user_agent", "url") OR threat_match_field LIKE "certificate_%",threat_match_value,null()),
       risk_host=if(threat_match_field IN("file_name", "process", "service") OR threat_match_field LIKE "registry_%",threat_match_value,null()),
       risk_other=if(threat_match_field IN("query", "answer", "src", "dest", "src_user", "user", "file_hash", "http_user_agent", "url", "file_name", "process", "service") OR threat_match_field LIKE "certificate_%" OR threat_match_field LIKE "registry_%",threat_match_value,null())
| search (src=10.0.0.0/8 OR src=172.16.0.0/12 OR src=192.168.0.0/16)
```
Hello, I'm trying to set up 2 peer nodes in my environment; however, every time I go and enable the peer node it gives me this error:

Could not contact manager. Check that the manager is up, the manager_uri=https://54.234.232.103:8089 and secret are specified correctly.

I know that the security key is correct, port 8089 is open, I'm sure it's the correct IP, and the peer replication port 9887 that I'm using is available. It's driving me crazy, please help.
Hey folks, has anyone ever faced the challenge of having hundreds of thousands of events stuck in the phantom_retry KV store that are old enough? I see in the logs that Splunk quite often complains about the size of phantom_retry, and I would like to see/clean up that queue and move on from there. Any idea? I looked over the documents and there is no instruction on that matter. Also, if I do "| inputlookup phantom_retry_lookup" it returns nothing. Using the Lookup Editor app I can only see this as empty as well. Any clue? Thanks!
I have a ServiceNow developer instance. Can I integrate it with my Splunk dev environment? The Splunk add-on I am trying to use is https://splunkbase.splunk.com/app/1928
Hello all, I cannot find any documentation about Event Service. Can someone provide me a link to the Event Service documentation? I have a general question: what exactly is Event Service? How many nodes are there for Event Service in a cluster?
Hello all! I have a question about the components of AppD. There are several components of AppD, like Controller, Agents, Tier, Nodes, etc., but a very important component is the database. Can someone provide me with information about the difference between the AppD Database and the AppD Database Agent? What more does the DB Agent monitor? How does the Database work? I know about the documentation placed here: https://docs.appdynamics.com/appd/22.x/22.4/en/database-visibility But I assume this documentation only has information about the DB Agent, or am I wrong? Thanks for your help!
I configured the Microsoft Azure Add-on successfully on my HFs to dynamically retrieve users and groups from AAD and enrich my ES suite, but I can't find a way to retrieve the group members. As per the Microsoft KB, the API for retrieving them is separate from the other methods and should be "/members". Is this a gap in this connector from the MS developers, or is there a way to solve it? I found one more post on this topic, but with no response.
Hi, we had JavaScript and CSS created to acknowledge the errors in a Splunk dashboard. The reference link is here: https://community.splunk.com/t5/Dashboards-Visualizations/Need-help-in-applying-checkbox-in-splunk-table-and-saving-the-on/m-p/503603#M33311 It needs a "SELECT ALL" option at the top of the rows to select all the errors on that particular page, so that we can acknowledge the errors in one go. With the current logic we are clicking the tick boxes one by one before pressing the acknowledge button. Is it possible to append this logic to the existing JS without breaking the current logic? Please refer to the JS, XML and CSS attached.

CSS:

```css
/* The standalone checkbox square */
.checkbox {
  width: 0px;
  height: 0px;
  border: 2px solid #000;
  display: inline-block;
}
/* This is what simulates a checkmark icon */
.checkbox.checked:after {
  content: '';
  display: block;
  width: 2px;
  height: 7px;
  /* "Center" the checkmark */
  position: relative;
  top: 1px;
  left: -8px;
  border: solid black;
  border-width: 0 2px 2px 0;
  transform: rotate(45deg);
}
.checkbox, .radio {
  min-height: 12px;
  padding-left: 12px;
}
td.numeric, th.numeric {
  text-align: left;
}
#myTable tr.range-acked td {
  background-color: #82e566 !important;
}
#myTable tr.range-not-acked td {
  background-color: #ff0000b3 !important;
}
```

JS:

```javascript
require([
  'underscore',
  'jquery',
  'splunkjs/mvc',
  'splunkjs/mvc/tableview',
  'splunkjs/mvc/simplexml/ready!'
], function (_, $, mvc, TableView) {
  // Access the "default" token model
  var tokens = mvc.Components.get("default");
  var selected_values_array = [];
  var submittedTokens = mvc.Components.get('submitted');
  console.log("This is Multi-select table JS");

  // Custom renderer for applying checkbox.
  var CustomRenderer = TableView.BaseCellRenderer.extend({
    canRender: function (cell) {
      return _(['Tick']).contains(cell.field);
    },
    render: function ($td, cell) {
      var cell_value = cell.value.split("|")[0];
      var ack_value = cell.value.split("|")[1];
      var ack_flag = ack_value !== "";
      console.log(cell.value, ack_flag, ack_value);
      // Acknowledged rows get an empty div; open rows get a clickable checkbox
      var div = (ack_flag ? $('<div>') : $('<div>').attr({
        "id": "chk-number" + cell_value,
        "value": cell_value
      }).addClass('checkbox').click(function () {
        if ($(this).attr('class') === "checkbox") {
          selected_values_array.push($(this).attr('value'));
          $(this).removeClass();
          $(this).addClass("checkbox checked");
          console.log(selected_values_array);
        } else {
          $(this).removeClass();
          $(this).addClass("checkbox");
          var i = selected_values_array.indexOf($(this).attr('value'));
          if (i != -1) {
            selected_values_array.splice(i, 1);
          }
          console.log(selected_values_array);
        }
      }));
      var b = (ack_flag ? $td.addClass('range-cell').addClass('range-acked') : $td.addClass('range-cell').addClass('range-not-acked'));
      div.appendTo($td);
    }
  });

  // List of table ID
  var sh = mvc.Components.get("myTable");
  if (typeof(sh) != "undefined") {
    sh.getVisualization(function (tableView) {
      tableView.on('rendered', function () {
        console.log("Output 1");
        setTimeout(function () {
          // Apply class of the cells to the parent row in order to color the whole row
          tableView.$el.find('td.range-cell').each(function () {
            console.log("Output 2");
            $(this).parents('tr').addClass(this.className);
            console.log(this.className);
          });
          console.log("Output 3");
        }, 100);
      });
      // Add custom cell renderer and force re-render
      tableView.table.addCellRenderer(new CustomRenderer());
      tableView.table.render();
    });
  }

  // Disabling button while search is running
  var mysearch = mvc.Components.get('mysearch');
  var mainSearch = mvc.Components.get('mainSearch');
  var myrevertsearch = mvc.Components.get('myrevertsearch');
  var myjirasearch = mvc.Components.get('myjirasearch');
  mysearch.on('search:start', function (properties) {
    $("#mybutton").attr('disabled', true);
  });
  mysearch.on('search:done', function (properties) {
    $("#mybutton").attr('disabled', false);
    mainSearch.startSearch();
  });
  myrevertsearch.on('search:done', function (properties) {
    console.log("Revert Search Done");
    $("#myrevertbutton").attr('disabled', false);
    mainSearch.startSearch();
    console.log("Main Search Done");
  });
  myjirasearch.on('search:start', function (properties) {
    $("#myjirabutton").attr('disabled', true);
  });
  myjirasearch.on('search:done', function (properties) {
    $("#myjirabutton").attr('disabled', false);
    mainSearch.startSearch();
  });

  $(document).ready(function () {
    // setting up tokens with selected value.
    $("#mybutton").on("click", function (e) {
      e.preventDefault();
      tokens.set("mytoken", selected_values_array.join());
      submittedTokens.set(tokens.toJSON());
      $("#mybutton").attr('disabled', true);
    });
    $("#myrevertbutton").on("click", function (e) {
      e.preventDefault();
      myrevertsearch.startSearch();
      $("#myrevertbutton").attr('disabled', true);
      console.log("Hiee");
    });
    $("#myjirabutton").on("click", function (e) {
      e.preventDefault();
      tokens.set("myjiratoken", selected_values_array.join());
      submittedTokens.set(tokens.toJSON());
      $("#myjirabutton").attr('disabled', true);
    });
  });
});
```

XML:

```xml
<form version="1.1" script="jiraselect.js" stylesheet="multiselect_color.css" hideEdit="true" isVisible="true" hideAppBar="true">
  <label>Error Acknowledgment UI</label>
  <search id="ram_inst_search" ref="rpt_ram_institution"></search>
  <search id="mysearch">
    <query>|inputlookup $dash$ | dedup ID | where ID IN ($mytoken$) | eval Ack=now(),Ack_time="UPD",Ack_By="$env:user_email$"+","+strftime(Ack,"%c") | outputlookup $dash$ append=True</query>
    <earliest>$earliest$</earliest>
    <latest>$latest$</latest>
  </search>
  <search id="myjirasearch">
    <query>|inputlookup $dash$ | dedup ID | where ID IN ($myjiratoken$) | eval Ack=now(),Ack_time="JIRA",Ack_By="$env:user_email$"+","+strftime(Ack,"%c") | eval Message_Text = "Update from SD to raise JIRA ticket - "+Message_Text | eval Message_Text= if(isnull(Ack_By) AND LIKE(Message_Text,"%Update from SD to raise JIRA%"),substr(Message_Text,39,len(Message_Text)),Message_Text) | outputlookup $dash$ append=True</query>
    <earliest>$earliest$</earliest>
    <latest>$latest$</latest>
  </search>
  <search id="myrevertsearch">
    <query>|inputlookup $dash$ | where ID = "$UnAckID$" | eval Ack="",Ack_time="",Ack_By="" | eval Message_Text= if(LIKE(Message_Text,"%Update from SD to raise JIRA%"),substr(Message_Text,39,len(Message_Text)),Message_Text) | outputlookup $dash$ append=True</query>
  </search>
  <!-- Information panel -->
  <fieldset submitButton="true" autoRun="false">
    <input type="radio" token="dash" searchWhenChanged="true">
      <label>Choose Current/Historic Data</label>
      <choice value="ram_error_ack_kv">Monthly</choice>
      <choice value="ram_error_ack_kv_bkup">Historic</choice>
      <default>ram_error_ack_kv</default>
      <initialValue>ram_error_ack_kv</initialValue>
    </input>
    <input type="time" token="time1" searchWhenChanged="true">
      <label>Time Window</label>
      <default>
        <earliest>-2h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="inst" searchWhenChanged="true">
      <label>Institution EMEA</label>
      <choice value="*">ALL</choice>
      <default>*</default>
      <fieldForLabel>Institution_name</fieldForLabel>
      <fieldForValue>Institution</fieldForValue>
      <search>
        <query>|inputlookup emea_institution_kv_data | join type=outer Institution [ | inputlookup institution_name.csv | sort institution_number | eval Institution=institution_number] | eval Institution_name=if(isnull(institution_name),substr(Institution,7,2)+" "+"Inst",institution_name) | table Inst_desc Institution Institution_name</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="ackby" searchWhenChanged="true">
      <label>Acknowledged By</label>
      <choice value="*">ALL</choice>
      <default>*</default>
      <fieldForLabel>Ack_name</fieldForLabel>
      <fieldForValue>Ack_name</fieldForValue>
      <search>
        <query>|inputlookup acknowledged_names.csv</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="ackflag" searchWhenChanged="true">
      <label>Acknowledged (Y/N)</label>
      <choice value="*">ALL</choice>
      <choice value="Yes">Yes</choice>
      <choice value="No">No</choice>
      <default>*</default>
      <initialValue>Yes</initialValue>
    </input>
    <input type="text" token="UnAckID" searchWhenChanged="true">
      <label>Enter Un Ack ID</label>
    </input>
    <input type="text" token="error" searchWhenChanged="true">
      <label>Type Error String here</label>
      <default></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h3>
          <a href="https://de-splunk.1dc.com/en-US/manager/TA-omnipay-platform/admin/macros/error_skiplist?f_ns=TA-omnipay-platform&amp;uri=%2FservicesNS%2Fnobody%2FTA-omnipay-platform%2Fadmin%2Fmacros%2Ferror_skiplist&amp;action=edit&amp;ns=TA-omnipay-platform" target="blank">
            <font color="blue">Click to Update Error Skip List</font>
          </a>
        </h3>
        <style>
          div.fieldset.dashboard-form-globalfieldset div.dashboard-element.html.dashboard-element-html {
            display: inline-block;
          }
        </style>
        <div>
          <input type="button" id="mybutton" value="Ack Selected Rows"/>
          <input type="button" id="myrevertbutton" value="Un Ack Entered Id"/>
          <input type="button" id="myjirabutton" value="Ack and Create Jira Ticket"/>
          <a href="https://de-splunk.1dc.com/en-US/app/TA-omnipay-platform/ram_error_dashboard" class="btn btn-primary" text-align="right">Refresh</a>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div class="imgheader">
          <div style="text-align: right;">
            <h4>
              <a data-toggle="modal" data-target="#Help_modal">
                <font color="blue">Help, information for this dashboard</font>
              </a>
            </h4>
          </div>
        </div>
        <style>
          #Help_modal.dropdown-menu {
            float: left;
            min-width: 421px;
            top: -1000% !important;
            left: 40% !important;
          }
          .close {
            text-align: right;
            border-radius: 1px 2px 2px 2px;
            <!--width: 30% !important; height: 600px !important;-->
          }
          pre {
            text-align: left;
          }
          .modal-footer {
            background: #ffe0 !important;
            padding: 1px 1px 1px 1px;
          }
        </style>
        <!--<div class="modal custom-modal-60 fade" id="Help_modal" tabindex="-1" role="dialog" aria-labelledby="Help_modal_Label">-->
        <div class="dropdown-menu other-menu shared-poptart close" id="Help_modal" tabindex="-1" role="dialog" aria-labelledby="Help_modal_Label">
          <div class="modal-dialog" role="document">
            <div class="modal-content">
              <div class="modal-header">
                <!--<button type="button" class="close" data-dismiss="modal" aria-label="Close"> <span aria-hidden="true"/> </button>-->
                <div style="text-align: left;">
                  <h4 class="modal-title" id="Help_modal_Label">Dashboard:</h4>
                </div>
              </div>
              <pre>
<b>Dashboard Information</b>
This dashboard is for acknowledging or unacknowledge errors
<p>
<b>For queries or feedback on this dashboard, mail to</b>:</p>
              </pre>
              <!--<div class="modal-footer"> <button type="button" class="btn btn-default" data-dismiss="modal">Close</button> </div>-->
            </div>
          </div>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <style>
          <!--#test h2 { text-align: center !important; background-color: aliceblue; }-->
          .dashboard-body {
            padding: 2px 2px 2px 2px;
            <!--color: #3c444d;-->
            color: #ce8820;
            background-color: #ffffff;
            min-height: 500px;
          }
          .dashboard-row .dashboard-panel h2.panel-title {
            text-align: center !important;
            background-color: mistyrose;
            border: 1px solid black;
            font-size: 21px;
            font-weight: bold;
            padding: 12px 2px 12px 2px;
            margin: 2px 2px 2px 2px;
          }
          .dashboard-row .dashboard-panel .panel-head h3 {
            text-align: center !important;
            background-color: rgba(0, 164, 253, 0.37);
          }
          .dashboard-row .dashboard-panel .panel-body.html,
          .dashboard-row .dashboard-panel .panel-body.splunk-html {
            padding: 0px !important;
          }
          td.numeric, th.numeric {
            text-align: center !important;
          }
          .table td, .table th {
            text-align: left;
            color: black !important;
            border: 1px solid black !important;
            font-size: 13.5px;
          }
          label {
            font-weight: bold;
          }
          .table .sorts a {
            color: black;
            font-weight: 500;
            font-size: 14.3px;
          }
          .fieldset {
            margin-bottom: -17px;
          }
          .dashboard-header h1 {
            font-size: 30px;
            font-weight: 700;
            line-height: 76px;
            text-align: center;
            padding: 2px 2px 2px 2px;
            margin: 2px 2px 2px 2px;
            background-color: coral;
            color: #3c444d;
          }
          .dashboard-header {
            margin-bottom: 10px;
            min-height: 28px;
            background: chocolate;
            padding: 2px;
          }
          .dashboard-row .dashboard-cell {
            float: left;
            <!--background-color: darkslategrey; -->
          }
          .results-table {
            color: black;
          }
          .SimpleResultsTable table.simpleResultsTable {
            white-space: pre-line;
          }
          #myTable tr.range-acked td {
            background-color: #82e566 !important;
            border: 1px solid black;
          }
          #myTable tr.range-not-acked td {
            background-color: #ff6363 !important;
            border: 1px solid black;
          }
          .modal-header .close {
            top: 20px;
            right: -220px;
            margin-top: -2px;
            position: unset;
            background-color: none;
            border: 1px solid transparent;
            color: #5c6773;
            -webkit-box-shadow: none;
            box-shadow: none;
            text-decoration: none;
            text-shadow: none;
            -webkit-transition: background .2s,border .2s,-webkit-box-shadow .2s,-webkit-text-decoration .2s;
            transition: background .2s,border .2s,-webkit-box-shadow .2s,-webkit-text-decoration .2s;
            transition: background .2s,border .2s,box-shadow .2s,text-decoration .2s;
            transition: background .2s,border .2s,box-shadow .2s,text-decoration .2s,-webkit-box-shadow .2s,-webkit-text-decoration .2s;
            -webkit-filter: none;
            filter: none;
          }
        </style>
      </html>
      <table id="myTable">
        <search id="mainSearch">
          <query>|inputlookup $dash$ | rename "Package_Name,Procedure_Name,File_Name,Host_Name" AS Package_Name_Procedure_Name_File_Name_Host_Name | search `error_skiplist` | dedup ID | eval fields=split(Ack_By,",") | eval Ack_name=mvindex(fields,0) | eval Ack_name = if(isnotnull(Ack_name),Ack_name,"NA") | eval ack_flag=if(isnotnull(Ack_By),"Yes","No") | search Institution=$inst$ Platform="EMEA" Ack_name=$ackby$ ack_flag=$ackflag$ Message_Text="*$error$*" | eval _time=strptime(Date_Time,"%d-%m-%Y %H:%M:%S") | convert mstime(_time) AS ms_time | addinfo | where ms_time &gt;= info_min_time AND ms_time &lt;= info_max_time | eval Ack=if(isnull(Ack_time),"",Ack_time) | eval Tick=ID."|".Ack | eval "Program_ID Program_Name" = Program_ID+","+Program_Name | makemv delim="," "Program_ID Program_Name" | makemv delim="," Package_Name_Procedure_Name_File_Name_Host_Name | makemv delim="," Ack_By | rex max_match=100 field=Message_Text "(?&lt;split__regex&gt;.{0,100}(?:\s|$)|[^\s]+)" | rename split__regex as Message_Text | table Tick ID ms_time Institution Date_Time Ack Ack_By Ack_time "Program_ID Program_Name", Program_Run_ID Package_Name_Procedure_Name_File_Name_Host_Name Message_Text email | sort 0 - ms_time | eval skip_ram_user=if(like(Package_Name_Procedure_Name_File_Name_Host_Name,"%RAM%"),1,if(like(Package_Name_Procedure_Name_File_Name_Host_Name,"%ram%"),1,0)) | where skip_ram_user != 1 | fields - email Ack ms_time Ack_name Ack_time skip_ram_user</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
          <refresh>2m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">25</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="*"></condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="noshow">
    <panel>
      <html>
        <style>
          .input-dropdown {
            min-width: 190px !important;
            width: 190px !important;
            max-width: 170px !important;
          }
          .splunk-dropdown .select2-container {
            min-width: 190px !important;
            width: 190px !important;
            max-width: 170px !important;
          }
          .input-text {
            min-width: 190px !important;
            width: 190px !important;
            max-width: 170px !important;
          }
          .input-text &gt; input[type="text"] {
            min-width: 190px !important;
            width: 190px !important;
            max-width: 170px !important;
          }
        </style>
      </html>
    </panel>
  </row>
</form>
```
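A select-all for the dashboard above, as an added example that is not code from the original post or from the linked thread. The posted JS keeps the selection in a bare array that only the per-row click handlers touch, which is why a header checkbox cannot be bolted on cleanly; the example moves that state into one object that both the row checkboxes and a header checkbox can share. The "ID|Ack" Tick cell format and the rule that acknowledged rows get no checkbox are taken from the posted renderer; the class name, the method names and the sample page are assumptions. It runs without a browser so the semantics can be checked on their own.

```javascript
// Added example (not from the original post): a DOM-free selection model that
// the posted checkbox renderer and button handlers can delegate to. The "ID|Ack"
// Tick cell format and the rule that acknowledged rows are not selectable come
// from the posted code; the class and method names are assumptions.
class RowSelection {
  constructor() {
    this.selected = new Set();
  }

  // Split the Tick cell ("ID|Ack") into its parts; an empty Ack means the row is
  // still open, which is the only case where the posted renderer draws a checkbox.
  static parseTick(cellValue) {
    const [id, ack = ''] = String(cellValue).split('|');
    return { id: id, acked: ack !== '' };
  }

  isSelected(id) {
    return this.selected.has(id);
  }

  // Per-row checkbox click: flip one row, return its new checked state.
  toggle(id) {
    if (this.selected.has(id)) {
      this.selected.delete(id);
    } else {
      this.selected.add(id);
    }
    return this.selected.has(id);
  }

  // Header checkbox click: select every open row on the page currently shown; if
  // all of them are already selected, clear them instead. Rows on other pages are
  // left alone and acknowledged rows are never added. Returns the header state.
  toggleAll(pageTicks) {
    const ids = pageTicks
      .map(RowSelection.parseTick)
      .filter(row => !row.acked)
      .map(row => row.id);
    const allChecked = ids.length > 0 && ids.every(id => this.selected.has(id));
    ids.forEach(id => (allChecked ? this.selected.delete(id) : this.selected.add(id)));
    return !allChecked;
  }

  // Value for $mytoken$ / $myjiratoken$, the same shape as selected_values_array.join().
  token() {
    return Array.from(this.selected).join(',');
  }
}

// Constructed sample page: three rows, the middle one already acknowledged ("UPD").
const SAMPLE_PAGE = ['101|', '102|UPD', '103|'];

const selection = new RowSelection();
console.log(selection.toggleAll(SAMPLE_PAGE), selection.token());
```

Wiring it into the posted jiraselect.js: the row click handler becomes a call to toggle(id) and sets the checked class from the returned state; in the rendered callback, prepend a checkbox to the Tick header cell whose click handler passes the Tick values of the rows currently in the table to toggleAll and then re-applies the checked class to each row checkbox from isSelected; the three button handlers use token() where they used selected_values_array.join(). Scoping select-all to the rendered rows is deliberate: the table is paged (count=25), so the header box only ever acknowledges rows the user has actually looked at, which is what the post asks for.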
I have the following source path which I am monitoring. I want Splunk to use the _time from the source file.

/a/host*/ads/stdout.230621-125941

Thanks in advance
Hello Team, I have a dashboard created with the table output below. The table has dynamic column names (in date format). Output as below:

```
TestMQ   2023-06-23  2023-06-22  2023-06-21  2023-06-20  2023-06-19  2023-06-18  2023-06-17  2023-06-16  ... (and so on, till 30 days)
MQ.NAME  5.03        17.04       25.75       19.82       32.14       56.81       10.91       85.14       ....
```

My requirement is to color code these values based on the threshold condition "[<60 = Green] | [>85 = Red] | [>60 AND <85 = Amber]". I am new to Splunk and still learning. Kindly suggest how this can be achieved, i.e. how to modify the dynamic column values based on the threshold conditions. @ITWhisperer
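Threshold colouring for date-named columns, as an added example that is not from the original post. The thresholds are the post's; the post leaves exactly 60 and exactly 85 unassigned, so the example treats 60 as amber and 85 as red (an assumption) rather than leaving those cells uncoloured. The column-name test is what lets a custom cell renderer colour the 30 date columns without listing them, while leaving the TestMQ column alone; the sample row is constructed in the shape of the table above.

```javascript
// Added example (not from the original post): colour classification for a table
// whose column names are dates. Thresholds are the post's; 60 -> amber and
// 85 -> red are assumptions for the boundary values the post does not mention.
const DATE_COLUMN = /^\d{4}-\d{2}-\d{2}$/;
const THRESHOLDS = { green: 60, red: 85 }; // < green is green, >= red is red, else amber

// canRender for a TableView.BaseCellRenderer: only date-named columns are coloured.
function isThresholdColumn(field) {
  return DATE_COLUMN.test(field);
}

// Map a cell value to a colour class; empty or non-numeric cells get null so they
// keep the default rendering instead of being silently coloured green (Number('') is 0).
function classify(value, thresholds = THRESHOLDS) {
  if (value === null || value === undefined || String(value).trim() === '') return null;
  const n = Number(value);
  if (Number.isNaN(n)) return null;
  if (n < thresholds.green) return 'green';
  if (n >= thresholds.red) return 'red';
  return 'amber';
}

// One table row (field -> value) to (field -> colour class) for the coloured
// columns only. The renderer's render($td, cell) does the same per cell:
//   const c = classify(cell.value); if (c) $td.addClass('range-' + c); $td.text(cell.value);
function classifyRow(row) {
  const out = {};
  for (const [field, value] of Object.entries(row)) {
    if (isThresholdColumn(field)) {
      out[field] = classify(value);
    }
  }
  return out;
}

// Constructed sample row in the shape of the post's table.
const SAMPLE_ROW = {
  TestMQ: 'MQ.NAME',
  '2023-06-23': '5.03',
  '2023-06-22': '17.04',
  '2023-06-19': '60',
  '2023-06-18': '56.81',
  '2023-06-16': '85.14',
  '2023-06-15': '',
};

console.log(classifyRow(SAMPLE_ROW));
```

It plugs into Simple XML the same way as the jiraselect.js posted earlier on this page: a renderer whose canRender returns isThresholdColumn(cell.field), registered with tableView.table.addCellRenderer, plus three CSS rules for td.range-green, td.range-amber and td.range-red.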
Hi Team, has anyone worked on finding unused dashboards or alerts in Splunk? Can you please assist me? Thanks in advance.
Do we have any facility in Splunk to achieve high availability or disaster recovery features? If yes, please share the documents for this. Your response will be appreciated!
Hello everybody! First, thanks for your time to help me. I have a cluster environment, with:

3 SHs: 231, 232, 233
4 HFs: 223, 238, 239, 244
3 IDX: 234, 235, 236

223 is an old server that was used in the environment when it was not yet clustered. This HF is the core, receiving all data (UFs, DB Connect, scripts, etc.). We keep it because we have some Windows Server 2003 hosts with UFs installed that need to report their data, and for that we need an HF with an older version. 238 is the HF with the problem.

Perfect, our cluster environment is new, so all HFs (238, 239, 244) are blank installations. Today I'm transferring all running scripts on 223 to 238, but I have a problem: I have some scripts running to get data and transfer it to 238 through the HTTP Event Collector; these scripts are also running on 238. The problem is: I run the script, I don't get any error, and I can see in the logs that the HTTP collector received the event, but when I do a search on the SHs I can't see the data. Only 5-10 minutes after sending the data do they appear on the SH, with the exact _time when the script was run. This problem is only with 238; 239, 244 and 223 work very well. I did a simple script to send data to all HFs at the same time:

[Screenshot: Simple Script to Test]
[Screenshot: Executing the script]
[Screenshot: Events on SH (does not show event sent to 238)]
[Screenshot: Events on SH]
[Screenshot: Confirmation on 238 HF that received the data]

After 5-10 minutes:

[Screenshot: the test data sent to 238 is now showing, but 5-10 minutes later]

Possible solutions I have already tried:

- Restart Splunk and the server
- Create a new token
- Execute the script on other servers like 239, 244, 223
- Look for some log in the indexers or HF

I'm really starting to run out of ideas for how to solve this problem; does anyone have any ideas? Thanks in advance!
Hello, I have a search that I need to count the values that match "Yes" with. But the way I did it is making a conflict somewhere. How do I make a clean match that does not make problems with the chart?

```
index="" host= sourcetype=csv source=C:\\.......\.csv
| dedup CR_ID
| table CR_SubmitDate CR_LMC PVER_SpecificationFreeze
| eval LMC_Requested = case(match(CR_LMC, "Yes"),"yes")
| search LMC_Requested="yes"
| eval LMC_Planned = case(CR_SubmitDate > PVER_SpecificationFreeze, "True")
| search LMC_Planned="True"
| chart count by LMC_Requested, LMC_PLanned
```
Hi, I have configured an alert to send an email to users who have crossed a specific metric value. I have enabled the email alert action and I want to attach a Word document to the email alert which contains steps for troubleshooting. How can I achieve this? Please help. Thanks in advance.
Hi, I am looking for a Splunk exploitation folder related to Splunk dashboards and alerts. Does anybody have an example to share, please? Rgds