All Topics

Hi All, I am struggling to add customized colours to the chart panel in the dashboard. Can anyone please help on this. My dashboard panel query:

<panel>
  <chart>
    <title>Response times more than 1000 ms by codes</title>
    <search>
      <query>index=avf-res-app code=all* OR code =ma21rt source=*application* | eval ipl=code+"_"+host_ip | stats avg(responseTime) as Avg_Rep by ipl, code | sort by Avg_Rep desc | where Avg_Rep > 1000 | eval Avg_Rep = round(Avg_Rep, 2)</query>
      <earliest>-1d@d</earliest>
      <latest>now</latest>
    </search>
    <option name="charting.axisTitleX.visibility">collapsed</option>
    <option name="charting.axisTitleY.visibility">collapsed</option>
    <option name="charting.axisTitleY2.visibility">collapsed</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY.abbreviation">auto</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">1</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
    <option name="charting.legend.placement">none</option>
    <option name="refresh.display">progressbar</option>
    <option name="trellis.enabled">1</option>
    <option name="trellis.splitBy">code</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
    <option name="charting.chart.columnSpacing">35</option>
  </chart>
</panel>

Panel image: as shown in the image, multiple codes are displayed; I want to display each one in a different colour.
Hi all, I am very new to Splunk and trying to learn it. Following is my JSON:

{
  "TrainID": "AA11",
  "TrainData": [
    {
      "ConnectingTrain": {
        "TR1": {
          "connectionTime": 59,
          "TotalPassengers": 44
        }
      }
    }
  ],
  "connectionTime": 38
}

Here I want to print the value of connectionTime that is under TR1, and not the one that is a duplicate variable with a different value. Appreciate any pointers here.

Thanks, Chetan
We need to use HTML tags in the alert email body; right now, whatever tag we pass is treated as text and displayed in the email as-is. As per the solution suggested below, we need to update the sendemail.py file on the Splunk server. https://community.splunk.com/t5/Alerting/How-to-add-HTML-markups-to-alert-email/m-p/524453 Is there any other way to achieve this? Need help on this.
Hello everyone! I am trying to extract the hostname from the syslog header and then trim it. Is it technically possible? My props.conf:

[my_sourcetype]
EXTRACT-host = my_regex_here
SEDCMD-strip_heading = my_regex_here
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true

This is not working. It extracts the field without trimming the header; together, this is not working.
A     B
good  color
bad   color
good  color

I want to change the B field in the first and third lines to a red background. Help bro~~
Hi Splunk community, I have a lookup containing a list of allowed departments, as follows:

vendor | allowed_departments
F500   | SADE/xxx,BTE,RAPH/NE
C99    | SADE/xxx,RAPH/MS

I want to have a field valid that checks whether the department field matches any of the values in allowed_departments for the corresponding vendor. But for an allowed_departments value that ends with "xxx", the department is accepted if it has the same prefix as that value. For example, a department of value "SADE/ER" will return Yes if allowed_departments contains "SADE/xxx".

Currently my SPL is like this:

<my_search>
| lookup my_lookup vendor OUTPUT allowed_departments
| makemv delim="," allowed_departments
| eval valid = if(match(allowed_departments, department), "Yes", "No")
| fields - allowed_departments

Please advise whether it is possible for Splunk to handle this. Thanks,
I have an index that suddenly stopped indexing data. Even after I added crcSalt = <SOURCE> to the inputs.conf file, the data is not indexed anymore and the logs continue to show the following error: "File will not be read, is too small to match seekptr checksum (file=<file_path>). Last time we saw this initcrc, filename was different. You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info." Any idea how to resolve this issue?
Hello everyone, I have several fields in the search results (name, ip_src). Now I have a lookup with 2 columns:

name  | subnet
name1 | 10.10.10.1/24
name2 | 10.20.10.1/24
name3 | 10.20.10.1/24

I first need to find the subnet corresponding to the name (for example, if the search result has "name1" in the field name, the subnet is 10.10.10.1/24), and then compare whether the src_ip of this name matches the subnet. Thank you for your help in advance.
Hi all, I am trying to run a basic search that prints a table based on a where and like() condition, but it is not working. Following is the query. It always shows 0 results.

index="traindetails" sourcetype=*
| eval trainNumber="1114"
| eval train2 = A_BCD_1114_EFG
| where like(train2,"%$trainNumber$%")
| table trainNumber,train2

I also tried the following, but no luck:

| where like(train2,"%"+$trainNumber$+"%")

Can someone please help? Thanks
I have the add-on for Unix and Linux installed on my monitored servers, and the data is sent to my indexers. In the Unix:Service sourcetype, the time that is written is delayed by 3.5 hours, while the time written in the event itself is correct. Can someone help, please, and explain how to fix it?
Hi, for the MLTK app on Splunk, I need to change the number of distinct values for logistic regression, based on my data. However, when I try to configure these settings, the following button is greyed out (see image). Why would this be, and how can I resolve this, please? Thanks,
I started mucking around with Splunk at home since I was going to be responsible for it at work, and I kinda like it, so I set up a single instance at the house to monitor my network traffic. Most things are fine, but for some reason, for a couple of days, it went bonkers to the tune of >4GB! WOW. I get Splunk not wanting people to use it for free when they have really big, even lab, networks, but I have like 5 or 6 VMs and a couple of Pis. The issue is that I can't do any searches to see who is sending the data so that I can stop it. Is there a simple way to reset the number of exceeds so that I can troubleshoot what's sending all the data and turn it off?
Hello Splunkers / @DavidHourani, we have a single-site indexer cluster with 2 indexers that are having storage issues, so we decided to apply the parameters below. We are currently on Splunk version 8.1.7.

1. tsidxWritingLevel = 4
2. enableTsidxReduction = true
3. timePeriodInSecBeforeTsidxReduction = 7890000

The issue is that from the cluster master I can see RF/SF is not met and one of the indexers is in automatic detention mode. In this scenario, what challenges will I face if the above parameters are enabled for all the existing indexes? The Splunk docs don't say much about RF/SF with these parameters.
Hi all, to give some background on the problem: I am trying to run a map command inside a search to get some values. The JSON I am trying to access (sample below) has nested JSON objects, and I only need to read and derive a value for the matched block. But as of now, my table command prints 3 rows instead of one (one row for each nested JSON object). I would like to print only the matching JSON block and ignore the others. I think rex and spath will be required here, but they were still printing 3 rows as the final output, and I need to print only 1 row. Not sure how to use them correctly to get the results. Please help.

My sample search:

Index=Dummy X.id=AA11
| eval version=X.version
| eval connTrain=X.conTrainId    (value is TR2)
| map Index=ABC Y.TrainID=AA11 Y.version=$version$

Sample JSON is given below. In this case, I need to access only TR2 (the second block) and print its time and passenger values. In real time, there can be only 1 JSON block or many, and in the case of multiple blocks the matching block can be at any location.

{
  "TrainID": "AA11",
  "TrainData": [
    {
      "ConnectingTrain": {
        "TR1": {
          "connectionTime": "59",
          "TotalPassengers": "44"
        },
        "TR2": {
          "connectionTime": "33",
          "TotalPassengers": "47"
        },
        "TR3": {
          "connectionTime": "51",
          "TotalPassengers": "27"
        }
      }
    }
  ]
}
Hi, in place of count I want to show the server name, and change the colour based on a condition if count is > 250. I referred to many links and docs but could not achieve what I wanted.

index = webss sourcetype = webphesst earliest= -1d latest=now
| where HTTP=500
| stats count by host
| eval color=if(count>=250, "#dc4e41", "#65a637"), icon=if(count>=250, "times-circle", "check-circle")
Hi All, how do I get the user details associated with the 'aadUserId' field in logs from the 'Microsoft Graph Security API Add-On for Splunk'? Does https://splunkbase.splunk.com/app/3757 have to be installed to get the user name / user email ID?
Hello guys, I am getting confused about the query below; can anyone help me understand it? In the search query there are "AND" clauses with the same field name, and I don't understand how the "AND" works here for the same field. If it were an "OR", the query would check for both values, but with an "AND", how does it work for the same field name? Can someone help me out regarding this....

index=* source="WinEventLog:Microsoft-Windows-PowerShell/Operational" AND (
  (EventCode="800" AND EventData="*-ItemProperty*" AND EventData="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND EventData="*DsrmAdminLogonBehavior*")
  OR (EventCode="4103" AND Payload="*-ItemProperty*" AND Payload="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND Payload="*DsrmAdminLogonBehavior*")
  OR (EventCode="4104" AND ScriptBlockText="*-ItemProperty*" AND ScriptBlockText="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND ScriptBlockText="*DsrmAdminLogonBehavior*")
)

Thanks in advance......
I have one table with the current date when in maintenance and another with the last date when it started, and I am looking for a new value with the difference of the two dates, without a join.
Good day, how can I group results with the same field value into one field value? In the table below I have a field BOX_NAME with multiple rows of the same value; how can I group the same value into one value, as in the table below, so that the same value in the BOX_NAME field is kept as one value? I am using this search to table the results:

index=indexname sourcetype=sourename
| eval Actualstarttime=strftime(strptime(NEXT_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| eval Job_start_by=strftime(strptime(LAST_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| table BOX_NAME,JOB_NAME,JOB_GROUP,REGION,TIMEZONE,STATUS,Currenttime,STATUS_TIME,LAST_START,LAST_END,NEXT_START,DAYS_OF_WEEK,EXCLUDE_CALENDAR,RUNTIME,Actualstarttime,Job_start_by,START_SLA,AVG_RUN_TIME

BOX_NAME                              | JOB_NAME                               | JOB_GROUP | REGION | TIMEZONE | STATUS
PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY | PNC-JAWS-USCA-ORDER-TCA-INBOUND-60ZIP  | JAWS      |        | Central  | SUCCESS
PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY | PNC-JAWS-USCA-ORDER-TCA-INBOUND-040INF | JAWS      |        | Central  | SUCCESS
PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY | PNC-JAWS-USCA-ORDER-TCA-INBOUND-080DEL | JAWS      |        | Central  | SUCCESS
PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY | PNC-JAWS-USCA-ORDER-TCA-INBOUND-010ARC | JAWS      |        | Central  | SUCCESS
PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY | PNC-JAWS-USCA-ORDER-TCA-INBOUND-025FW  | JAWS      |        | Central  | SUCCESS
Hi, is it planned to release an option to use "AWS Roles Anywhere" for the integration? See link: https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html