Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
In HTML - how do I get the text to be on the right side of the button? (The white text.) I have the following, but I am trying to get the text to be on the right of the button. At the moment I use the label of a table to add my message, but ideally I would like it to be on the right side of the button.

    <html rejects="$Config_path_token$">
      <style>.btn-primary { margin: 5px 10px 5px 0; }</style>
      <a class="btn btn-primary">Press to Download Configuration File</a>
    </html>
    <table id="tbl1">
      <title>Configuration File http://dell967srv.scz.murex.com:15022/public/mxres/common/launchermxmarketdataevaluation.mxres</title>
Hello, I'm a bit new to Splunk and I'm trying to run a query that shows me users in Active Directory that are still enabled but haven't logged in for the past 30 days. I've tried searching through various posts but none seem to be exactly what I'm looking for. I may have overlooked it, so if someone can point me in the right direction or provide a sample query to get me started I'd be very grateful. Thanks, Bob
My current search is:

    `index` | search source="Main Source" | fields identifier, status_label | chart count over identifier by status_label

My output statistics for this search look like this:

    Identifier | F1 | F2 | F3 | F4 | F5
    ID_1       | 6  | 4  | 3  | 2  | 0
    ID_2       | 0  | 3  | 7  | 9  | 4

I need to combine F1, F3, and F4 as Total_1 and F2 + F5 as Total_2 for each identifier. I only want my table to show Identifier, Total_1, and Total_2. Is this possible?
Hi team, I'm using a SaaS controller. I have many duplicate users in my account management module, and I would like to find a way to detect their last status and their activity logs. I want to delete the duplicate users from my account management module. Are there any solutions for this? I need this ASAP. Thank you in advance and I am very grateful for your help. Comment title edited for clarity and searchability. Claudia Landivar, Community Manager
Hello guys. I use Splunk Cloud to monitor logs from Windows, firewalls, Office 365, etc. I recently got a message that Splunk's license had expired, and since then Splunk has stopped receiving firewall logs. I updated the license and renewed the credentials, but I still don't receive the logs, and some error messages appear: "The TCP output processor has paused the data flow." Could someone help me please?
I need to create a Splunk alert that will trigger when storage on /vi/vip_pdh/00d for a host reaches at least 90% capacity.

    index=A sourcetype=B /vi/vip_pdh OR /var/log earliest=-2h | eval UsePct=rtrim(UsePct,"%") | stats latest(UsePct) as UsePct by MountedOn host

Just a slight correction: I want to monitor both /vi/vip_pdh and /var/log. Thanks!
I'm extremely new to Splunk and finding learning SPL very frustrating. I'm trying to look for Windows logon events / attempted logons by leavers' accounts after their last working day. How do I say where a specific field (the last working day) is before today's date? The last working day field, which I'm pulling from a separate index, is in the following format: "2020-02-28 00:00:00.0"
Hello all, my deployment is UF ----> HF (local copy) -----> indexer. I would like to send logs from the HF to the indexer except for some sourcetypes, and at the same time I need to keep a local event copy on the HF of all logs forwarded from the UF. I have found a number of seemingly great answers and help pages for how to set this up with props.conf and transforms.conf, but no luck. At what level do I need to change the configuration, HF or indexer? Please suggest how to achieve this. Thanks,
Hello colleagues. When running the command (/opt/splunk/bin/splunk reload deploy-server -class Class_Name -debug) I get the output below. There was no such error before; it only appeared today. What could it be connected with?

    Will setenv SPLUNK_CLI_DEBUG to "v".
    In check_and_set_splunk_os_user(): In env found *no* SPLUNK_OS_USER var.
    WARNING (cli_common) btool returned something in stderr: 'Will exec (detach=no): USER=root USERNAME=root PATH=/opt/splunk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/opt/splunk/bin PWD=/opt/splunk/etc/deployment-apps HOSTNAME=splunk-deployer SPLUNK_HOME=/opt/splunk SPLUNK_DB=/opt/splunkDBcold/DBdefault SPLUNK_SERVER_NAME=Splunkd SPLUNK_WEB_NAME=splunkweb PYTHONPATH=/opt/splunk/lib/python2.7/site-packages NODE_PATH=/opt/splunk/lib/node_modules LD_LIBRARY_PATH=/opt/splunk/lib LDAPCONF=/opt/splunk/etc/openldap/ldap.conf /opt/splunk/bin/splunkd btool web list
I have encountered an issue with the foreach command on mv-fields. When I execute my search, Splunk says: "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '<<ITEM>>'." SPL to reproduce:

    | makeresults
    | eval mvfield=mvappend("1", "2", "3"), total=0
    | foreach mode=multivalue mvfield [eval total = total + <<ITEM>>]
    | table mvfield, total

Note: this query is directly pulled from the examples for the foreach command. Note 2: the argument "mode" is not syntax-highlighted (I would expect green).
What is the difference between now() and _time?
Hello, we have the following integration in place: GuardDuty -> EventBridge (no transformation) -> Firehose (no transformation) -> Splunk (Cloud). HEC sourcetype = aws:cloudwatch:guardduty, HEC source override = aws_cloudwatchevents_guardduty. Despite the source override, we sometimes see events with the aws.guardduty source, and in those cases the message format is different (thus the search outputs no results, so we do not get an alert).

Single-source events start with:

    {"schemaVersion":"2.0","accountId":"<some_account>","region":"<aws_region>","partition":...}

Double-source events start with (additional header/metadata preceding schemaVersion):

    {"version":"0","id":"<some_id>","detail-type":"GuardDuty Finding","source":"aws.guardduty","account":"<some_account>","time":"2022-09-07T11:55:02Z","region":"<aws_region>","resources":[],"detail":{"schemaVersion":"2.0","accountId":"<some_account>","region":"<aws_region>","partition":...}

AWS has been excluded as the source of the issue. Any ideas on how to have only one message format? (A Splunk Support ticket has also been submitted.)
Hello community, I'm trying to make a simple dashboard but I'm running into a problem with displaying dates. I'm using Splunk Enterprise version 8.2.3. In the data that I have to work with, I made changes in my search to display the time in the correct time zone directly (+2 hours). My search looks like this (it is certainly perfectible, but that is not the subject here): Having obtained what I wanted in terms of display, I prepared a dashboard, but when I do it with Dashboard Studio, the display of dates does not seem to take some of my modifications into account: However, by making the same request in a classic dashboard, I no longer have the problem: Is there something specific to do for Dashboard Studio? Am I the only one having the problem? Best regards, Tainted Rajaion
Start_Time=092659 Start_Date=20220908 My requirement is to find how many jobs run longer than a day; the above two fields relate to the job start date and time.
Hello, I have logs like:

    samples={'xxxxxxx' : {'111' :{'222' :{'333'}}}}{'yyyyyyy'{'444'}}{'zzzzzzz'}

I need to take all the words into one field, like:

    my field : 'xxxxxxx','yyyyyyy','zzzzzzz'

Thank you,
We're looking over our environment for potential safety flaws. One question that came up is whether an admin user is available by default on Splunk Universal Forwarders (UF). I'm not thinking about the user the UF runs as on the OS, but an admin user on the application layer. Earlier Splunk Enterprise had a default admin password "changeme". Did this also apply to UFs? How can we make sure that there are no admin users on our UFs, or that if there are, they have proper passwords?
Hi, below is an example of the raw log:

    20220906T23:43:58+03:00#0115dummyvalue.com#01110.111.169.11:51868#01110.45.38.135:8111#0110.527#011-#011-#011200#011200#0117180#011603#011GET /wapi/v3/gat/cust HTTP/1.1#0115ocilpapgap11.op.okobank.com
    20220906T23:43:58+03:00#0115dummyvalue.com#01110.111.169.11:51868#01110.45.38.135:8111#0110.527#011-#011-#011200#011200#0117180#011603#011GET /wapi/v3/gat/cust/apis/info/015-000234567 HTTP/1.1#0115dummyvalue.com
    20220906T23:43:58+03:00#0115dummyvalue.com#01110.111.169.11:51868#01110.45.38.135:8111#0110.527#011-#011-#011200#011200#0117180#011603#011GET /wapi/v3/gat/015-0000004847/cust/api HTTP/1.1#0115dummy value.com

From the above raw logs I need to extract the fields below:

    /wapi/v3/gat/cust
    /wapi/v3/gat/cust/apis/info/015-000234567
    wapi/v3/gat/015-0000004847/cust/api

and they should be extracted and displayed in a table/statistics in the format below:

    /wmpapi/v3/gat/cust
    /wapi/v3/gat/cust/apis/info/{Id}
    wapi/v3/gat/{Id}/cust/api

Basically, the fields should only keep the alphabetic parts (including that v3), and we should replace the digits with {Id} wherever they exist. Can someone help me with this? Thanks!
Hi, is there any way to exclude any events that have more than one value of a field from the end result?

    index=X status=1
    | rex field=_raw Product\W.(?P<Product>\w*)
    | rex field=_raw englishName\W.\W(?P<englishName>\w*.*\w)\W
    | rex field=_raw name\W.\W(?P<name>\w*.*\w)
    | eval indexTime=_indextime
    | sort + indexTime
    | stats list(name) as Customer, list(transaction) as amount, list(Product) as Products, list(currency) as currency, list(englishName) as Item
    | fieldformat Time = strftime(Time, "%Y-%m-%d %H:%M:%S")
    |

Data from the event:

    name: "JohnA",selection=2,Product: "ABC",description=<null>,country='MT',selection=1,Product: "??",description=<null>,country='MT',selection=2,Product: "GOLD",description=<null>,country='MT',

While having other results where there is only one Product in the events, I would like to exclude any events where there is more than 1 Product. I do not want them in the result. I have tried to find out if there is an option to have rex max_match only show the ones with max 1 result, without any luck. Thank you in advance,
My UF is configured with the deployment server on 8089 and with the HF on 9997; both are not connecting. Troubleshooting steps performed:

1. disabled the iptables firewall
2. all servers are in the same subnet, so there is no network firewall issue I believe
3. configured outputs.conf under opt/Splunkforwarder/etc/system/local

    [root@gcpas-d-sial02 ~]# tail -f /opt/splunkforwarder/var/log/splunk/splunkd.log
    09-08-2022 05:41:22.535 +0000 WARN TcpOutputProc [13177 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=10.236.65.143 inside output group HF from host_src=gcpas-d-sial02 has been blocked for blocked_seconds=34900. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
    09-08-2022 05:41:28.180 +0000 INFO DC:DeploymentClient [13138 PhonehomeThread] - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
    09-08-2022 05:41:28.180 +0000 INFO DC:PhonehomeThread [13138 PhonehomeThread] - Attempted handshake 2910 times. Will try to re-subscribe to handshake reply
    09-08-2022 05:41:32.336 +0000 WARN AutoLoadBalancedConnectionStrategy [13178 TcpOutEloop] - Raw connection to ip=10.236.65.143:9997 timed out
    09-08-2022 05:41:40.180 +0000 INFO DC:DeploymentClient [13138 PhonehomeThread] - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
    09-08-2022 05:41:52.180 +0000 INFO DC:DeploymentClient [13138 PhonehomeThread] - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
    09-08-2022 05:41:52.247 +0000 WARN AutoLoadBalancedConnectionStrategy [13178 TcpOutEloop] - Raw connection to ip=10.236.65.143:9997 timed out
    09-08-2022 05:41:54.623 +0000 WARN HttpPubSubConnection [13137 HttpClientPollingThread_A4B05094-DB53-4495-B31D-853E566CE7E0] - Unable to parse message from PubSubSvr:
    09-08-2022 05:41:54.623 +0000 INFO HttpPubSubConnection [13137 HttpClientPollingThread_A4B05094-DB53-4495-B31D-853E566CE7E0] - Could not obtain connection, will retry after=43.540 seconds.
    09-08-2022 05:42:04.180 +0000 INFO DC:DeploymentClient [13138 PhonehomeThread] - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
    09-08-2022 05:42:12.104 +0000 WARN AutoLoadBalancedConnectionStrategy [13178 TcpOutEloop] - Raw connection to ip=10.236.65.143:9997 timed out
Query:

    | tstats avg(PREFIX(prtime)) as avg(prtime) where index=xdf source=sdsf TERM(pght=eff) OR TERM(pght=dfrg) OR TERM(pght=iojb) by PREFIX(pght=) _time span=1m
    | rename pght= as Pght

This query is working fine and I get the results in the format below:

    Pght | _time               | avg(prtime)
    eff  | 2022-09-07 13:00:00 | 40.667889889
    dfrg | 2022-09-07 13:01:00 | 75.678
    iojb | 2022-09-07 13:02:00 | 54.765423

But I want the results in the format below:

    _time               | eff          | dfrg     | iojb
    2022-09-07 13:00:00 | 40.667889889 | 75.678   | 80.87656
    2022-09-07 13:01:00 | 34.879       | 64.897   | 66.8765
    2022-09-07 13:02:00 | 67.989       | 89.09876 | 67.985

Please let me know how to do this.