×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
_JP
Contributor
Member since: ‎10-05-2023
‎08-26-2024
Community Statistics
Posts 108
Solutions 11
Karma Given 48
Karma Received 27
Member Since ‎10-05-2023
Activity Feed
Topics I've Started
View All

Re: Does Transaction work with append [ ... ] ?

by in Splunk Search
‎11-12-2023 03:07 PM
1 Karma
‎11-12-2023 03:07 PM
1 Karma
I had to re-think the way I was showing my job info in the UI as a orphaned Transaction could mean two different things.  i.e. 'running' start with no end message or multiple starts along with modifying my initial SPL to look for an aborted message when a failure occurred. It was quite a learning experience is I went through all different permutations of keeporphans=true/false keepevicted=true/false and then look at the ending transaction data. I did notice that closed_txn defaults to null and not 0 and had to write some code to make it default to 0. eval closed_txn = if ( isnull(closed_txn,0, closed_txn) search closed_txn=0 to find those transactions that only has a START log event... Thanks for all you input as it gave me a different perspective from the way I was looking at it.  I was also to rewrite some of my existing SPL to have fewer lines. ... View more

Re: Dropdown populated by search ok, now how to se...

by in Splunk Search
‎11-06-2023 03:17 PM
‎11-06-2023 03:17 PM
Not exactly what I was looking for.  I have the Label and Value mapped to field 1 as that is the user friendly value and unique.  I have field 2 which means nothing to my users and is a varied value field. The Label/Value combo feeds panel_A chart which works very well.  I have panel_B chart which I would like powered from field2 without having to create a second drop down with the same values.  Two for the price of one.   I am going to try and make the Label field a combo of the 2 and then set a token to a regex extraction from $Label which may just work.  But I feel it's janky and cheating.  I am hoping someone will have a much better idea. ... View more

Re: My splunk agent service runs as NT SERVICE/Spl...

by SplunkTrust in Getting Data In
‎11-03-2023 03:16 AM
‎11-03-2023 03:16 AM
https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller The section "about the least-privileged user" ... View more

Re: how to copy data from one index of one index c...

by SplunkTrust in Installation
‎11-02-2023 05:33 AM
‎11-02-2023 05:33 AM
Hi What is your "business issue/reason" which you are trying to solve? Maybe there is some other better/safer way to do it? r. Ismo ... View more

Re: Calculate duration sum of consecutive events w...

by SplunkTrust in Splunk Search
‎11-01-2023 08:49 AM
‎11-01-2023 08:49 AM
The typical approach to such case is to use streamstats to find last occurrence of different state than it is at given moment (using reset_on_change=t or reset_before/reset_after). That's probably your only reasonable approach since you need to "carry over" information from some events into other ones and this (along with the autoregress) is the command to do so. ... View more

Re: Send alerts data to new index using collect co...

by in Splunk Cloud Platform
‎10-31-2023 01:15 PM
‎10-31-2023 01:15 PM
Are you collecting events from a lot of different sourcetypes?  If you just have one sourcetype per alert can you pass it into the macro like you would other parameters? I configured a macro like the following: And then was able to use it like this: index=_internal earliest=-15m | stats count by component | `collect_macro(the_index=summary,the_sourcetype=special_sourcetype)`   And then in my summary index I saw stuff appear with the special_sourcetype instead of stash:         ... View more

Re: how do I check if a lookup table get updated w...

by in Security
‎10-31-2023 12:24 PM
‎10-31-2023 12:24 PM
This solved question seems to be what you're looking for:   Solved: How to get the Audit for Lookup files modification... - Splunk Community If you don't want any changes at all, and you're on a *nix system, can you deploy your lookup with read-only permissions on the file within the app? ... View more

Re: How to create a dropdown for a dashboard listi...

by in Splunk Dev
‎10-31-2023 11:54 AM
‎10-31-2023 11:54 AM
Based on your description it sounds like you are looking to utilize the drilldown actions for a visualization to change something on the existing page. While not exactly what you're doing, here's some posts around here  Solved: How to create a drill down from one panel to anoth... - Splunk Community Solved: Single value drilldown click to display and click ... - Splunk Community   Also a couple of external resources discussing how the tokens work: The Beginner’s Guide to Splunk Drilldowns With Conditions – Kinney Group Define Your Drilldown in Splunk: $click.value$ vs $click.value2$ – Kinney Group ... View more

Re: New! Splunkbase and Splunk Answers Integration

by in Product News & Announcements
‎10-31-2023 11:44 AM
‎10-31-2023 11:44 AM
@Anam & @GretchenFox    I wanted to follow up on the Top Karma Authors link on the main page.  It's not working in a different way now when I am logged in compared to what I reported above.  Instead of trying to show "News & Education" it is now trying to display karma for "Community" and doesn't display anything.  When logged out it displays the karma authors correctly for a category called "Splunk Community."  It seems like a hardcoded value that is incorrect. I have also cleared my cookies and tried again with the same behavior depending on if I am logged into the community or not. Here is a screenshot after clicking View All on the main page when logged out: Here is what clicking View All on the main page looks like when logged in:     ... View more

Re: DNS lookup failed for "$decideOnStartup": Host...

by SplunkTrust in Getting Data In
‎10-28-2023 01:09 AM
‎10-28-2023 01:09 AM
The error message says clearly "DNS lookup failed" which means that system resolver cannot determine reliably a hostname for the local IP. You can run some packet capture tool to verify what lookup exactly is performed at the start of the UF. ... View more

Re: Why is a sourcetype not being applied to a sum...

by SplunkTrust in Getting Data In
‎10-28-2023 01:03 AM
‎10-28-2023 01:03 AM
OK. You wrote that you copied the buckets between indexers. But what are the definitions on search-heads? Indexers handle index-time operations (which are obviously not performed if the data is already indexed) but your extractions are search-time so you should define them on SH-level. ... View more

Re: How do I find what host sending event to Splun...

by SplunkTrust in Getting Data In
‎10-28-2023 12:36 AM
‎10-28-2023 12:36 AM
While there are some use cases where you can have a host field set to a particular metadata value in case it's not specified with the event (as has been already said in this thread) it works by injecting the extracted metadata into one of the standard fields. In general there is no way to retain additional metadata with the event so if the sender specifies the host explicitly (and it's thus not generated by the input) Splunk has no way of keeping track of source ip/hostnames. The same in fact goes for any other input. If you're receiving data on a network port, unless you capture the source ip in host field (which might get extracted and overwritten later from the message body) you have no way of knowing the source address (that's one of the advantages of custom syslog receiving mechanisms. ... View more

Re: Add hostname to email subject line of splunk a...

by in Other Usage
‎10-27-2023 12:04 PM
‎10-27-2023 12:04 PM
Still a little confused. I have tried both the $host and $name token and neither work. My search sends an alert when any host reach a certain level of CPU utilization. At times there are multiple host that show in the search. when adding the token in the subject line it appears in the email sent as $host or $name. An email is triggered for each host but the goal is to have the host name and value in the subject line. ... View more

Re: How to get SVC Usage for Saved Searches and Ad...

by in Splunk Cloud Platform
‎10-27-2023 05:59 AM
‎10-27-2023 05:59 AM
I don't have access to this app.  I will ask an admin though. ... View more

Re: help with splunk query for getting current con...

by in Splunk Search
‎10-26-2023 11:57 AM
‎10-26-2023 11:57 AM
@_JP on current setting part i am kind of good with below query  | rest splunk_server=local /services/authentication/users | fields title, roles | mvexpand roles | append [ | rest splunk_server=local /services/authorization/roles | fields title srchDiskQuota rtSrchJobsQuota srchJobsQuota cumulativeSrchJobsQuota cumulativeRTSrchJobsQuota | rename title as roles] | stats values(srchDiskQuota) as srchDiskQuota, values(rtSrchJobsQuota) as rtSrchJobsQuota, values(srchJobsQuota) as srchJobsQuota, values(cumulativeSrchJobsQuota) as cumulativeSrchJobsQuota, values(title) as userid, values(cumulativeRTSrchJobsQuota) AS cumulativeRTSrchJobsQuota by roles | mvexpand userid | stats values(srchDiskQuota) as srchDiskQuota, values(rtSrchJobsQuota) as rtSrchJobsQuota, values(srchJobsQuota) as srchJobsQuota, values(cumulativeSrchJobsQuota) as cumulativeSrchJobsQuota,values(cumulativeRTSrchJobsQuota) AS cumulativeRTSrchJobsQuota by userid roles just want to get details on current utilization by user/role & more of search concurrency settings (resource utilization etc) ... View more

Re: how users are deprovisioned from Splunk Cloud

by in Splunk Cloud Platform
‎10-26-2023 01:29 AM
‎10-26-2023 01:29 AM
@richgalloway in table i got empty column for  last_successful_login   ... View more

Re: How to upgrade Splunk add-on for Windows is ve...

by Splunk Employee in All Apps and Add-ons
‎10-25-2023 07:38 AM
1 Karma
‎10-25-2023 07:38 AM
1 Karma
Thank you! This is really helpful. ... View more

Re: Bare Bones Splunk

by SplunkTrust in Installation
‎10-24-2023 07:03 PM
1 Karma
‎10-24-2023 07:03 PM
1 Karma
Nice document @_JP ... thanks for sharing.    the trouble with newbies is that, they want one person to hold their hands and walk with them together.(literally).  If we say "I can only show you the door, you only should decide and walk thru it(the great Morpheus)", still they want us to walk with them (holding their hands). !!! ... View more

Re: Can multiple wildcards be used in serverclass....

by in Splunk Search
‎10-24-2023 11:43 AM
‎10-24-2023 11:43 AM
Thanks @_JP.  My goal was to account for servers in two data centers with identical names except the 2nd character which designates the datacenter and avoid having to maintain separate host files for each data center. I know the trailing wildcard works, I just wasn't sure if adding a wildcard at the beginning or in the middle would work.  ... View more

Re: Issue with the splunk reload deploy-server

by in Deployment Architecture
‎10-24-2023 08:58 AM
‎10-24-2023 08:58 AM
A couple of things: - What user are you running this command as, and what user is Splunk installed as? - Are you in a bash?  If you don't quote your credentials correctly then they won't get expanded: Solved: Getting error "Could not look up HOME variable. Au... - Splunk Community   ... View more

Re: Splunk Head command

by SplunkTrust in Splunk Search
‎10-24-2023 01:09 AM
‎10-24-2023 01:09 AM
@SplunkSN  as @richgalloway says, the head command does not limit the columns/fields retrieved, it simply takes the first n results, so in your timechart case, it will return the earliest 15 rows of your timechart, so effectively 15 rows of 15 minute spans. if you want to control the highest count of the dest_domain, you can use a where clause in the timechart, like this | timechart span=15m count by dest_domain usenull=f useother=f where count in top10 which will show you the 10 dest_domain values that have the highest count.   ... View more

Re: Run a custom script

by in Splunk Enterprise
‎10-23-2023 10:13 AM
‎10-23-2023 10:13 AM
The old way of just running a python script as an alert action was deprecated a while back.  It was a really simple, "run script and here's the search data."  That way is old and busted...so it is not around anymore.   The new hotness is Custom Alert Actions.  You can create one that runs your python.  There's some more setup/configuration so it is registered with the system and more effort goes into packaging it up as an official configuration in Splunk (official as in you made it for your environment...). Here is a previous discussion on this topic, too. ... View more

Re: Developing reliable searches dealing with even...

by in Luxembourg User Group
‎10-20-2023 08:44 AM
2 Karma
‎10-20-2023 08:44 AM
2 Karma
In regard to your questions: Would such an event produce an alert, regardless of _time, if the search relies on DM/tstats? If an event comes in late (i.e. _indextime is way after _time), as long as you search over those events based on _time after it was indexed (aka the time picker or using earliest/latest criteria), then you would still find that data with your query. Would it be better instead to use the _index_earliest / _index_latest approach? Not sure if it is necessarily better, but I have typically tried to solve things looking at the _time data first, and if there is a lot of indexing lag happening then that is indicative of something that needs to be addressed in the overall observability architecture and accounted for. Is there a better and/or simpler approach? I'm not sure if this is the best way...but one way. 🙂 Based on what I understand I would probably split this into two separate alerts.  It also sounds like this is a pretty critical situation you want to keep an eye on.   1.  The alert for the file hash, running every 15m, but I would make the lookback more than just 15m.  If an event comes in late that was missed by the last run of this alert then even if _indextime is now, _time should be back then when you missed it.  So if you're looking back farther each execution of the schedule, you'd still catch the "new" event that showed up late if you're basing things off _time.  2. A second alert can be created that watches the spread of _time and _indextime for that data/sourcetype/source/host/whatever.  I've done this before in critical situations as a pre-warning that "stuff could be going bad." You could keep track of a long-term and short-term median of that _indextime-_time difference.  If you summarize this (or, since it is so simple even just throw it in a lookup) you can include this info in the alert for #1 as a "We didn't find anything bad...but things might be heading in that direction based on index delay..." ... View more

Re: Filtering events using a lookup table

by SplunkTrust in Splunk Search
‎10-20-2023 01:02 AM
1 Karma
‎10-20-2023 01:02 AM
1 Karma
Have you looked up Create a CSV lookup definition?  You can define a field as match type CIDR.  The question is extremely vague.  If you want concrete help, illustrate mock data, desired results, and explain the logic between data and desired results. ... View more

Re: Embracing Diversity: Creating Inclusive Learni...

by Splunk Employee in Training & Certification Blog
‎10-19-2023 01:09 PM
1 Karma
‎10-19-2023 01:09 PM
1 Karma
Joni! Your Splunk ERG Team is amazing and I've learned so much from the content and resources you all have been sharing. It's great to know that this type of accessibility continues to be a priority for us in Splunk Education too!   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-26-2024 06:06 PM