Hello. I wonder if the path of the Splunk scheduled report exists. If the path exists, can I edit the Splunk scheduled report there?
I know the KPI Search Schedule can only select the items shown in the picture. But in case I want the information to be displayed faster by setting the KPI Search Schedule to less than 1 minute, is there a way to do this? Or if not, what is the best way to display information on a Glass Table in the fastest way? Because the information on the Glass Table has to wait for the KPI Search Schedule to complete its task, while the raw data has already been uploaded to Splunk before. This causes the Glass Table information to appear slower than the actual data (about 3 minutes according to my observations). Thank you very much if anyone can help.
I have a problem with Dashboard Studio that flickers when in FULL SCREEN mode from FIT size. OS: Windows 10. Splunk Version: 9.0.0. Browser: Firefox. Screen Size: 22". Resolution: 1920 x 1080. Link: splunk-flickering
Hi there, I am running the below query: base search | rename msg.message as "message", msg.customer as "customer" | stats count as Total, count(eval(isnull(msg.errorCode))) as Success, count(eval(isnotnull(msg.errorCode))) as Error, eval(((Success/Total)*100)."%") as SuccessRate by customer, and I am getting the below error. Error in 'stats' command: The number of wildcards between field specifier '((Success/Total)*100).%' and rename specifier 'SuccessRate' do not match. Note: empty field specifiers implies all fields, e.g. sum() == sum(*). Can anyone please tell me where I am wrong? Basically I want to calculate the percentage of total successful events here. Thanks!!!
Hi, I want to use Splunk for the logs of Heroku apps. How do I integrate Splunk with Heroku? Can you please help me with the implementation?
index=mail | dedup MessageTraceId | dedup MessageId | dedup subject | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match | where isnull(domain_match) | lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 | where isnotnull(domain_match2) | table RecipientDomain SenderAddress RecipientAddress Subject Received Hi, these 3 lines are not working for this query. Please help. | where mvcountRecipientAddress=1 | eval subject_count=mvcount(Subject) | sort - subject_count
I have an AIX 5.3 system on which I want to install the Splunk forwarder agent, but I see on the Splunk website that the forwarder software is not available for this version of the operating system. I request you to let me know if you can provide me with an old version of the Splunk software from any Splunk repo which is compatible with the AIX 5.3 OS.
Hello Splunkers!! I want a list of dashboards and the saved searches & macros those dashboards are using. How can I achieve those details by using the rest command? So far I have tried the below one but am not getting the exact result. |rest /servicesNS/-/-/data/ui/views splunk_server=local |table author eai:acl.app id eai:data title
{"Organization": "groupxyz.onmicrosoft.com", "MessageId": "<12345678>", "Received": "2023-03-13T01:56:22.9207071", "SenderAddress": "bca@bca.com", "RecipientAddress": "dlf@g.com", "Subject": "12312312332231'", "Status": "Delivered", "ToIP": "111.1.11.1", "FromIP": "12.23.4.2.23232", "Size": 2022121 "MessageTraceId": "4f74644747749djhrhfbf", "Index": 0} Hi, this is my raw data; how can I show it in a table in a nice format? index=mail, and please help: RecipientDomain sender recipient subject Earliest Latest
Hello, how can I trigger an alert after checking the results for 3 minutes? So for example, if I want the alert to trigger if count>1, I would like to check for 3 minutes if count>1 and only then raise the alert. How can I do it?
I have a KV store which generates the data by API. When I use | lookup mylookup id output data it's working. I want to convert it to an automatic lookup in some index, but it's not working. Any idea why?
Good morning, I'm trying to download Splunk and start it on my terminal, but I keep getting this error code: Exception: <class 'PermissionError'>, Value: [Errno 13] Permission denied: '/opt/splunk/etc/system/local/eventtypes.conf.tmp' PermissionError: [Errno 13] Permission denied: '/opt/splunk/etc/system/local/eventtypes.conf.tmp' Please help!
Hello Splunkers!! I have two fields AND I want to concatenate both fields. Location: 3102.01.03, element: S82(=3102+LCC60-550S5). And I want the result: 3102.01.03.S82(=3102+LCC60-550S5). I have tried Location.".".element but it is not working properly. Please suggest a fix or workaround.
Hello Splunkers!! I have the below value: S000081(=00003102+LCC000060-0000550S00003). I want to replace the above value with S81(=3102+LCC60-550S3). This means wherever the digit 0 appears four times, I want to remove those digits. Thanks in advance.
Hello all, we are not able to access some saved searches through the Splunk ODBC connector, while we can access some other saved searches. I guess it has to do with the permissions of the saved searches (reports) in Splunk. We tried giving all access to the report, but it still doesn't return any result in Qlik Sense (reporting tool) using Splunk ODBC.
Hi, I am new to Splunk and have very little knowledge. I am seeking help for the following use case: Query 1 gives process data, Query 2 gives container data, Query 3 gives container image data, Query 4 gives container tags data. The way the data is joined is: Query 2 and Query 3 are joined based on the image id param. The resultant data is then joined with Query 4 using the container id param. This result is then joined with Query 1 using the pid param. To make matters more complex, data from different hosting environments such as DC, private cloud, and public cloud needs to be joined, but the problem is some field names are different and need to be mapped before that. E.g. Query 1 will give process data for DC, private cloud, and public cloud, but not all fields are the same. Hence, Query 1 can't be used directly to query all three hosting environments in one go. Right now, I run Query 1 for each hosting environment separately and then append the data. I am hitting the 50k records limit with join. I went through multiple previous posts and all suggested using stats & avoiding join and append. The examples use two data sources, which is not sufficient in my case: https://community.splunk.com/t5/Splunk-Search/How-to-join-large-tables-with-more-than-50-000-rows-in-Splunk/m-p/152136 https://community.splunk.com/t5/Splunk-Search/Large-scale-join-between-two-sourcetypes/m-p/549019#M155748 https://community.splunk.com/t5/Splunk-Search/How-to-compare-fields-over-multiple-sourcetypes-without-join/td-p/113477 How will stats look in this case? Looking for an answer like this: https://community.splunk.com/t5/Splunk-Search/Large-scale-join-between-two-sourcetypes/m-p/549065/highlight/true#M155761
I am unable to receive my Splunk ID for certification exam registration.
Hi all, I want to create an alert notification on Exe time(ms), but I am not able to see the option to create it. Please see the snapshot for more info.
I am playing with "add data", uploading a CSV file. In the set source type screen I am trying to find out how to use one of the fields to set the _time value. The field content is the following: "10. Hour Jan 1, 2022". Using the advanced settings "Timestamp fields" <Field Name> does not seem to work. Any suggestions?