Hi Community! I am looking for a way to represent a status indicator with red, amber and green states in Dashboard Studio. My SPL pulls back information which is represented by a number; however, this can be translated to a color using an eval case() function. I just need to know how to import or utilise icons outside of what Splunk offers by default.
I have two events, a start process and an end process, and I need to calculate the time difference between the start process and the end process of an id, but the fields are not configured. The data is like below:
Start process:
{"log":"[16:43:39.451] [INFO ] [] [c.c.n.m.a.n.a.b.i.DefaultNotificationAuthService] [] - Creating notification auth flow for idempotencyKey 8532923_default as entityId Qb4RmEiaR6-zp8FU8MsyQQ \n","stream":"stdout","docker":{"container_id":"cd1c24ba236b3aca14151619a174176957213d860408addfb964e6bd3ec04b81"},"kubernetes":{"container_name":"mms-au","namespace_name":"msaas-t5","pod_name":"mms-au-b-1-685f9fd75d-4bz87","container_image":"pso.docker.internal.cba/mms-au:2.3.1-0-1-5634ab725",}
End process:
{"log":"[16:43:39.876] [INFO ] [] [c.c.n.m.a.n.s.j.NotificationJMSProducer] [akka://MmsAuCluster/system/sharding/notificationAuthBpmn/5/Qb4RmEiaR6-zp8FU8MsyQQ_5/Qb4RmEiaR6-zp8FU8MsyQQ] - Submitting Enriched Notification for id 8532923 \n","stream":"stdout","docker":{"container_id":"cd1c24ba236b3aca14151619a174176957213d860408addfb964e6bd3ec04b81"},"kubernetes":{"container_name":"mms-au","namespace_name":"msaas-t5","pod_name":"mms-au-b-1-685f9fd75d-4bz87","container_image":"pso.docker.internal.cba/mms-au:2.3.1-0-1-5634ab725",
I need to calculate the time difference between the above 2 events, "Creating notification auth flow" and "Submitting Enriched Notification". Is this possible to do in Splunk and, if possible, how can we achieve it? Thanks in advance.
Can Splunk Observability Cloud collect Azure Managed Application metrics once Azure has been connected successfully?
Hi all, how can I change the background color of the highlighted columns in the top row? With HTML or CSS?
Hello, I've been using the Splunk search REST API for a while now and just today I've run into the following issue. When calling the services/search/jobs/{search_id} API I get back the proper results with dispatchState: DONE and eventCount: 0, but I know for sure that there are results because I also tried running the same query from the Splunk UI and I do get results back. Has anything changed since yesterday (since it was working)? I don't think it's user related because I tried with several users and got the same results.
@ITWhisper As per the screenshot below, I want to add a custom time frame where the user is able to select any time frame and compare the results. Please help me understand the logic.
I have logs of the format...
2022-09-07T01:42:06.321624+00:00 micro.service 2867ce23-bdfd-48eb-ba5a-40e1e8a93987[[APP/PROC/WEB/0]] 159.203.190.66, 100.64.144.3 - - - [07/Sep/2022:01:42:06 +0000] "GET url HTTP/1.1" 404 125
...and I want to extract a count of missing URLs by microservice. I can get a count per microservice using...
index=myIndex "404 125" | rex "^\S+\s(?<microService>\S+).*" | bucket _time span=day | stats count by microService
...but I would like to know how to add the URL. Any help appreciated.
How to count each log value separately? ("*error*","*info*","*warn*")
Hi peeps, we were fine-tuning the Notable Event, and there were fields that were not showing any values. Those fields are the Risk Score, Risk Event and Risk Object. We have configured the values under the Risk Analysis tab. Please assist us with this. Thank you.
In the above, I am comparing the last 15m of data to the current week's 15m of data, and I am getting good results. But in the same search, when I use the filter Device_Type="mobile", I am not getting the last week's data in the graph. Please help me out with this.
Hello, I have a monthly report that produces a table like this:
Violation list
Employee  month
A         8-2022
B         8-2022
I want to add a counter to count consecutive occurrences. For example:
In the September report (9-2022):
- employee A violated, his counter increases to 2
- employee B didn't violate, doesn't show up in the report
- employee C violated, first time showing up on the report, his counter is 1
In the October report (10-2022):
- employee A violated again, his counter increases to 3
- employee B violated again, but didn't show up on the September report, his counter resets to 1
- employee C violated again, his counter increases to 2
I want the end table to look like this:
Employee  month    Counter
A         10-2022  3
B         10-2022  1
C         10-2022  2
Since the report was an outputlookup csv, I don't think I can use streamstats. Can anyone suggest a way to do this?
Is there a way to add a horizontal reference line to a boxplot chart? The chart uses the Machine Learning Toolkit custom visualization boxplot chart and features multiple box plots next to each other. I would like to add a line to show when a boxplot's whisker crosses over a threshold line, but there is very little customization available in the UI for this visualization. Is there some way to add this line to this type of plot using the XML source in the dashboard editor?
I have a Bash script on our deployment server. The directory tree:
bin
  bash_script.sh
local
  inputs.conf
  app.conf
The inputs.conf file:
[script://./bin/bash_script.sh]
interval = -1
I restart the deployment server. I then check one of the servers I have this app deployed to:
index="_internal" bash-script sourcetype=splunkd host="specific-hostname"
message from "/opt/splunkforwarder/etc/apps/bash_script/bin/bash_script.sh" /bin/sh: 1: /opt/splunkforwarder/etc/apps/bash_script/bin/bash_script.sh: Permission denied
That path and file do exist on the destination server. What am I missing?
I am trying to add a percentage to the total row generated by addcoltotals. I would like to show the total percentage of successes for a search using top. addcoltotals seems to only perform a sum and doesn't calculate the total percentage properly, so leaving "%" off the percentage values would result in it becoming 120 in the final cell.
Currently generated table:
user     Total Successful  Total Failed  Total Calls  Success Percentage
Maynard  2                 3             5            40.00%
Keenan   8                 2             10           80.00%
TOTALS   10                5             15
Ideally the currently empty cell would display 66.67%.
Query:
search string
| top 0 countfield=Count percentfield=Percent status by user
| eventstats sum(eval(if(match(status, "2\d{2}"), Count, 0))) as success by user
| eventstats sum(eval(if(match(status,"[45]\d{2}"), Count, 0))) as fail by user
| eventstats sum(Count) as total by user
| eval percent_success = round((success)/(total)*100, 2)."%"
| stats values(success) as "Total Successful" values(fail) as "Total Failed" values(total) as "Total Calls" values(percent_success) as "Success Percentage" by user
| addcoltotals labelfield=user label=TOTALS
The ."%" prevents addcoltotals from summing the values, leaving the bottom right cell blank.
Is there a way to override the sum functionality of addcoltotals? Or is there a way to manually add a row to a table generated by stats where I can just calculate the values manually? Would it be possible to overwrite just the empty cell with a percentage calculation I do myself?
Hey all, can someone help me out with a JSON-related question? Many, many thanks! I have a JSON array field in this format:
results=<200 OK OK, { "tnPortingActivityInProgress" : "N", "availableActions" : [ { "accountAction" : "Restart", "actionAvailable" : "N", "actionNotAvailableReason" : "Account is Active" }, { "accountAction" : "Multi-AP Salable", "actionAvailable" : "Y" }, { "accountAction" : "Seasonal Suspend", "actionAvailable" : "Y" } ], "transactionId" : "1234567" } ,[]>
I would love to parse the JSON array into this format:
transactionId  accountAction     actionAvailable  actionNotAvailableReason
1234567        Restart           N                Account is Active
1234567        Multi-AP Salable  Y
1234567        Seasonal Suspend  Y
I have tried a query like this. As you can see, the data is stacked in the same row right now, which is not working in my case, as I have no idea which actionAvailable and actionNotAvailableReason belong to which accountAction. And also, the search is not working either if we do it like this.
I have this query that gets current CURRENT_OUT counts by DISTRICT:
index=<my index> sourcetype=oracle:query source=<source>
| fields DISTRICT, OUT_CUSTS
| where _time>relative_time(now(),"-5m")
| stats sum(OUT_CUSTS) as CURRENT_OUT by DISTRICT
| table DISTRICT, CURRENT_OUT
| sort DISTRICT
This works to get current counts because the db source is updated every 5 minutes in Splunk DB Connect. I get a nice table of CURRENT_OUT by DISTRICT. Is it possible to expand this to add a peak value for CURRENT_OUT over, say, the last 24 hours, while still including the current CURRENT_OUT value in the table as well? I'm looking at the bin command but I can't put it together. Once I expand the timeframe for my query, I'm bringing back way too much data and overinflating the current CURRENT_OUT values for each DISTRICT. Thanks
I created a column chart and I want to add a line on the y-axis as the upper limit that increases by 300 every 6 hours (pink line in the image attached). How would I do this? Is there a display-line option I can add in the dashboard under my chart code?
Hello, my Splunk environment is integrated with Active Directory for logins per DoD STIG requirements. However, one of the Active Directory STIGs requires AD accounts to be disabled if they have not logged in during the past 30 days, and it does not seem that logging in via Splunk notifies AD that the user has logged in. Please help, as I have certain users that only log in via the Splunk UI and every month AD is disabling their accounts. Thanks, David
We are using 8.2.3 with SHC and multisite indexer clustering. We have some mismatch on key business data and we need to delete and reload some data from the summary index for only a few days. The below search returns the data which is wrong and is to be deleted. Search:
index=INDEXNAME sourcetype=stash source=SOURCENAME datasource="DATASOURCENAME" host=HOSTNAME
But when I add "| delete" to the search above, it deletes 0 events and gives no error. This worked a few months ago but not today, so I reckon there are no config issues; the capability and deleteIndexesAllowed have already been configured for the index.
Some KOs are not found in the GUI under Settings > Searches, Reports and alerts when searching by their name. The version we currently operate is 8.2.1, with search head clustering. This happens quite frequently, mostly for the alerts whose search strings we have changed.