Hi Everyone, I have 3 pie charts in a panel, showing agent statistics as follows:
- 1st pie chart displays overall statistics split by analyst;
- 2nd pie chart displays daily statistics split by analyst ( | where shift="Day");
- 3rd pie chart displays nightly statistics split by analyst ( | where shift="Night").
I've created a drilldown which works fine for the overall pie chart, and it correctly displays the data in another panel based on the value of the slice. To accomplish this I've created a token called "tokNames" and assigned an initial value of ALL *.
<init> <set token="tokNames">*</set> </init>
Drilldown for the Overall pie chart:
<drilldown> <set token="tokNames">$click.value$</set> </drilldown>
The problem starts with the daily and nightly pie charts: when I click on a name, it displays all the statistics of that particular agent, instead of showing only the daily or only the nightly statistics. Any assistance would be greatly appreciated. Thank you in advance. Toma.
I am getting an error on both of my indexers when they attempt to cluster to the master node:
Search peer Splunkindex1 has the following message: failed to register with cluster master reason: failed method=POST path=/services/cluster/master/peers/?output_mode=json master=splunkmaster:8089 rv=0 gotConnectionError= 1 gotUnexpectedStatusCode=0 actual_response_code=502 expected_response_code=2xx staus_line="Error connecting: Winsock error 10061" socket_error="Winsock error 10061" remote_error=[event=addPeer status=retrying Add PeerRequest....
Does anyone have a solution for this? Thank you
Hi All, I am new to AppD. I recently deployed a DB agent for the Oracle database running on a Linux machine. I am able to see the DB metrics; however, I am not able to see the hardware metrics. I have enabled hardware monitoring in the collector as well. (I have seen in the documentation that for Oracle it will show the hardware metrics by default.) Even in the metrics I am also not able to see the details. Can you please suggest what I am missing?
Hello, another gentleman and I have been tasked with integrating NSX-T TLS log forwarding to Splunk. Is there a list of exact instructions or a white paper showing how to accomplish this? Do we need to have our purchasing folks reach out for support as well? Very respectfully, James
Hello All, I am currently using Ingest Actions on a HF to route my data to both the indexers and an S3 bucket. I managed to create my ruleset and everything is working fine, with data being successfully sent to AWS, but I can't access the Ingest Actions web UI anymore. When I try to access it, I get the message "Splunk is still initializing. Please retry later." Does someone have an idea on how to fix this issue? Thanks
I have a dashboard that requires a dropdown in one of the lower panels of the page. The selectFirstChoice option appears to be the cause of it, as when it populates, the page jumps down. Any way to work around this? Thanks
I want to create a Splunk alert for server traffic distribution. I have hundreds of different types of servers in each data center (like app servers, db servers, etc.). I can create a dashboard and Splunk alert for a specific set of servers, but here I want to create this dashboard and Splunk alert on the basis of data center. So how can I create this type of requirement? Per host, I have written the query below for reference, but can I put all hosts of a data center into one query and write it that way?
index=* | where host like "ANCLOPR%" | bin span=5m _time | stats count BY _time host | eventstats sum(count) as total by _time | eval percent = count / total*100 | chart values(percent) by _time host usenull=f useother=f limit=100
Time door Fruit Count
11/11/2022 04:36:07 112 APPLE 14
11/11/2022 04:10:00 111 PEAR 8
11/11/2022 03:01:02 111 PEAR 119
11/11/2022 02:41:49 111 PEAR 82
10/11/2022 21:41:18 111 PEAR 26
10/11/2022 18:11:16 111 PEAR 12
10/11/2022 01:36:15 111 Orange 5
I want to plot a timechart graph with the count of fruits for each door.
Hey, I have a big base search and I want to add a condition to the search that would remove/filter out Asset_State if it is either Development or "Pre-Production", ONLY IF Asset_Environment!="PKI Offline" Status="2. At the moment, this is the line in the query I have for this:
.......| if(Asset_Environment!="PKI Offline" Status="2, search NOT (Asset_State!="Development" OR Asset_State!="Pre-Production") |....
Syntactically, I know this is incorrect. Can someone please help? Many thanks as always!
Hi guys, I have an issue with the Enterprise Security app where I try to add a new Event Attribute (user) that is correctly populated and available in the event (in the Contributing Events search) and in the data model, but it is not shown in the Incident Review table. It seems that it may be an error with the alias of the field, because in the raw data we see that the field name is "userPrincipalName", but in the Interesting Fields we have "user" (the field that is now shown in the Incident Review table). We also tried adding the userPrincipalName field to the Event Attributes, but this field is not populated either. How can we show that field in the table? Thanks, Mauro
I know that Forwarders 6.x are out of support and that, according to the documentation, they are not compatible with Indexer 9.x, but does anyone know if a Light Forwarder is able to communicate with and send events to an Indexer 9.x? Thanks!
Hi Folks, I have a quick architectural question: do you think it is a good idea to set up an architecture with an ES search head on AWS cloud and the indexer on-premise? Thanks for your reply
Hi, I am sending an alert if a machine has no activity in a span of 1h. I configured it to send each hour. The thing is, if the machine has no activity at 7:00, it will send the alert every hour (7h, 8h, 9h, etc.) with the same message saying that the machine has no activity at 7:00. Is there any way to send it only once if the message is always the same (in this case, machine has no activity at 7:00)? If the machine is restarted and has activity from 10:00 - 15:00, then goes down, I will receive an alert saying that the machine has no activity at 15:00. Thanks in advance.
Hello, let me give some context before showing the query. I have a Splunk instance that I test on to see the query results, because I don't have access to the Splunk instance that has the data. I have a query that shows me the result for these two hostnames, but I need this same result for all hostnames, not just these two. I have 2 queries. The first query gets me the results for the two machines, although I don't know if it does so because I have the data inserted (I can't find it by index) or because I use makeresults (I read that it works in cache and the data doesn't have to be there).
|makeresults | eval EventCode="20", hostname="wdv01ssps,DESCASSOAW01", error_code="0x80070003 0x80004004"|makemv delim="," hostname | makemv delim=" " EventCode|makemv delim=" " error_code | mvexpand EventCode |mvexpand hostname |mvexpand error_code|table hostname EventCode error_code
I'd like to use the latter, as it's easier for me to display results by hostname, which in this case is called ComputerName. How can I show all ComputerName values with these same filters?
index=sistemi sourcetype="wineventlog" TaskCategory="Windows Update Agent" AND EventCode IN (20, 27) | eval day_of_week = lower(strftime(_time, "%A")) | eval date_string = strftime(_time, "%Y-%m-%d") | eval Weekend=if(day_of_week="saturday" OR day_of_week="sunday",1,null()) | search Weekend=1 | stats count by Message EventCode ComputerName date_string | stats list(Message) by ComputerName date_string EventCode
It may simply not be possible to list all the computer names without listing them one by one. Thanks.
Hi All, How do I get this screen for eval? Regards Suman P.
Hi community, I have 2 data sources: one from a CSV to get the list of districts (including the population of each district), and the other from PostgreSQL. The common info is the district. After a lookup on the CSV, I have the list of districts, for example 6 districts. 5 districts have an equivalent population (e.g. 500), while another district has only 100 people living there. I want to apply the span later, to count the activities of each district and send an alert if there is no activity for a district. But the difficulty is that the span is not the same among all the districts. I want to set span=1 day for the 5 districts which have 500 people, and 5 days for the district with 100 people. In the same search, can I do a case or if/else to separate the 2 cases? Here is what I'm doing:
|dbxquery connection="database" query=" SELECT * FROM table" |lookup lookup.csv numero OUTPUT DISTRICT |eval list_district = "1,2,3,4,5,6" |eval split_list_district= split(list_district,",") |mvexpand split_list_district |where DISTRICT=split_list_district |eval _time=strptime(time_receive,"%Y-%m-%dT%H:%M:%S.%N") |eval _comment="Can we do something here to separate 2 cases" |bin _time span=1h |chart sum(count_activity) as count by _time DISTRICT ......
Hi, I have a question on 'fields' please.
sourcetype=* status IN ("200", "400","500") | fields -status | stats count by status
The SPL above is not removing 'status' from the output, while the one below is removing it. Why isn't the first one working?
sourcetype=* status IN ("200", "400","500") | fields - status | stats count by status
Regards Suman P.
Hi Community, I have 2 mvfields. How can I match all the values in the first mvfield against all the values in the second mvfield?
index=animals | eval all_animals = mvappend('animal1', 'animal3', 'animal3') | table id_animals all_animals
id_animals all_animals
001 dog goat cow
002 tiger lion
003 parrot snake boar
index=pets | eval all_pets = mvappend('pet1', 'pet2') | table id_pets all_pets
id_pets all_pets
A1 parrot mouse
A2 dog cat
result:
id_animals animals id_pets
001 dog cat mouse A2
002 tiger lion NO MATCH
003 parrot snake A1