Dear Splunk community: So I have the following SPL that has been running fine for the last week or so; however, all of a sudden I am getting the last unwanted column (Value) which I don't expect to get. Can you please explain what I need to modify so that I don't get the last Value column?

<my search> | chart count by path_template, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2), "<<FIELD>>"=if('<<FIELD>>'=0 , '<<FIELD>>', '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")] | fields - percent_* total

Here is what I see: Really appreciate your help on this! Thanks!
Hello, I need to create a single value panel that displays a countdown from today's date until a target date. How can I achieve this? Right now I am using sample data and I added a field called "GoLiveDate" to the data and put the target date in (which is in the future). What I want to do is put a panel in that says something like "80 days until Go Live." Then tomorrow it would say "79 days until Go Live", etc. Is something like this possible?
I have 2 dates:

first_found: 2022-08-23T21:08:54.808Z
last_fixed: 2022-08-30T12:56:58.860Z

I am trying to calculate the difference in days between (first-found - last_fixed) and dump the result in a new field called "remediation_days".
I have some searches that do not appear to be enhancing properly using the asset_lookup_by_str lookup table. In this case, I'll use dvc, but it appears to be similar with the others like dest as well. When I run a search, the enhancements don't seem to be happening. If I run a search using the lookup it works sometimes. I'll give a few examples.

Search 1: index=windows | lookup asset_lookup_by_str asset AS dvc OUTPUTNEW domain AS AAAAA
Result 1: I get AAAAA to have only 1 of our 5 domains.

Search 2: index=windows host=[hostname] | lookup asset_lookup_by_str asset AS dvc OUTPUTNEW domain AS AAAAA
Result 2: AAAAA doesn't show up.

Search 3: | inputlookup asset_lookup_by_str
Result 3: The lookup table appears to be filled in nicely, including the domains missing from Search 1.

Search 4: | inputlookup asset_lookup_by_str | search asset=[host]
Result 4: The host searched in Search 2 is in the lookup table.

Based on this, I'd say not only should Search 2 have worked, but Search 1 should have had more results, and the automatic lookup as a whole should be working. Any ideas what could be happening? My only thought is maybe some sort of priority order that is overriding the enhancement feature. But that wouldn't explain it not working in the specific search.
The query below is what I have used, and it is saving in output lookup format.

Lookup name - S1_installedtime
Query - index=sentinelone |table installedAt agentComputerName agentDomain |search installedAt!="Null" |dedup agentComputerName
installedAt - This field is giving the installation time.

Now I want a query that compares with the lookup table (S1_installedtime) and gives a result if there is any new agentComputerName in the last 1 week.

Objective - Need a list of agentComputerName having SentinelOne installed in the last 7 days.
Hello, I have a few use cases to send data from SPLUNK to consumers in real time, and consumers have both Linux/Windows OS. Does SPLUNK have any options to do that? Or how would we do it? Any help will be highly appreciated. Thank you so much.
Dear All, I have about 100 Splunk UFs at 7.0.1, 7.3.5, 8.1.5, 8.2.5 and 9.0.0.1 and they are NOT being managed by a Deployment Server. I need to get them all managed by a DS at v 9.0.1, so that I can manage my apps remotely and so that I can get around the latest DS security CVEs. What is the oldest Splunk UF that a DS 9.0.1 can manage? The latest version of the Forwarder compatibility document is not available (and it does not cover compatibility between DS and UFs, anyway). Lastly, if I were to deploy a 8.2 DS, then would I be able to control the 9.0.0.1 UF?
Hi, I'm trying to display only a value in one particular column, for instance to represent one team for different statuses. This is what I've done so far:

index=xxx | stats count by Team, status

My expected result is to have only one "DevOps" to represent the team for the different statuses displayed.

Team    | Status   | Count
DevOps  | Assigned | 10
        | Pending  | 5
        | New      | 2
        | Resolved | 1
        | ........ |

Many thanks for any help.
Dear All/Splunk Documentation Team, I am trying to read the Compatibility between forwarders and Splunk Enterprise indexers document in the Forwarder Manual for 9.0.1 Forwarders, but all I get is the generic "The topic you've asked to see does not apply to the most recent version" when it patently DOES apply: https://docs.splunk.com/Special:SpecialLatestDoc?t=Documentation/Forwarder/latest/Forwarder/Compatibilitybetweenforwardersandindexers but the latest version available is 8.2.5: https://docs.splunk.com/Documentation/Forwarder/8.2.5/Forwarder/Compatibilitybetweenforwardersandindexers Can this document be copied/updated for 8.2.6/7/8 and 9.x, please?
Hi All, if I apply a limits.conf for subsearch - maxout and searchresults - maxresultsrow for an app I'm deploying, will this update to limits overwrite the default for all apps, or will this configuration only be applicable for the app I deploy it in? Basically, are all limits going to be changed or just that one application?
Hi All, what is the use of move_policy = sinkhole and in which scenario would we use batch? (Batch will index the file and delete it, but in which application or server should this be used?)
Good afternoon! I have six Heartbeat messages coming from the system. All messages from the chain are connected by one: "srcMsgId". Messages have a certain interval; if the interval between messages is higher, that is, one message in a chain (out of six messages) is late, say six seconds (the normal interval is five seconds), then an alarm is triggered. Can you tell me how to do it? I tried something like this but it's not exactly what you need:

index="bl_logging" sourcetype="testsystem-2" srcMsgId="rwfsdfsfqwe121432gsgsfgd80" | transaction maxpause=5m srcMsgId Correlation_srcMsgId messageId | table _time srcMsgId Correlation_srcMsgId messageId duration eventcount | sort srcMsgId _time | streamstats current=f window=1 values(_time) as prevTime by subject | eval timeDiff=_time-prevTime | delta _time as timediff | where (timediff)>6

This will only show me the lagging message. Messages arrive one after another, so we can see their interval and, in theory, take this opportunity to create an alarm when the interval is increased. Please tell me how can I do this. Alas I don't selenium in splunk.
| regex "message.message"="Total count XXXXXX: |Total rows YYYYYY: " | rex field="message.message" max_match=0 "^(?<msg1>[^:]*)\:(?<msg2>[^:]*)\:(?<msg3>[^:]*)\:(?<msg4>[^:]*)($|\{)" | eval dtonly=strftime(_time, "%Y%m%d") | chart first(msg4) OVER dtonly BY msg3

I get the stats but not the visualization. Thanks
Has anyone experienced issues with Splunk AOB on Splunk version 9.0 not showing any outputs?
Hi All, is there any way to rename Splunk saved searches and dashboards with the REST API? Best Regards
Hi all, I am using Splunk Enterprise 8.1. Recently, we configured alert actions as "Email notification action" and it works fine. Moreover, we would like to send those alert messages to a SYSLOG server. The manual said "script alert action is deprecated". Any other way to achieve it? Thanks.
Hello, I have a link list that works like a charm in use with highlights of the selected option. However, upon dashboard load the link list will select its default value but it will not highlight it. Any chance to get that working? Kind regards, Mike
When editing a dashboard in source code, I add comments using <!-- -->, but after saving the comments move location. It is not consistent -- they generally bunch together near the top, but sometimes others are left in place. This has been an issue for some time and is referenced here - https://community.splunk.com/t5/Dashboards-Visualizations/Commented-code-moves-in-splunk-Dashboard/m-p/498902 I have tried moving the comments within different stanzas (<row>, <panel>, etc.), and also played with the tab levels in case that was involved, but have not had luck. It drives me batty. Has this been figured out?

My Edits:

...
<!-- Some Comment -->
<row>
  <!-- Another Comment -->
  <panel>
    ...
    ...
  </panel>
</row>
...

Becomes:

...
...
<!-- Some Comment -->
<!-- Another Comment -->
<row>
  <panel>
    ...
    ...
  </panel>
</row>
...
I have two log generators sending logs to the same index. How can we trigger an alert when the same type of error is generated from both log generators?
How to clear the quiz history to redo the quiz?