Hi Struggled for 2-3 hours. Figured out the static folder needs to be placed out on the parent app folder rather than the appserver folder. Works fine with correct resolution PNG files. Thanks, L ... View more

Yes works with 7.0.0 as well. Thanks @arowsell ... View more

Did this bug just re-appear in Splunk 7? Not able to see the indexes in the role window anymore after the upgrade from 6.0.0 -> 7.0.0 ... View more

There is a solution to it https://answers.splunk.com/answers/73843/splunk-will-not-start-and-is-waiting-for-config-lock.html ... View more

Adding to Martin's point, you may as well create a scripted solution which will give you more flexibility. Moreover if you are just copying the sendemail.py to your own app it will not be overwritten upon upgrade but may malfunction upon the original sendemail.py structure change for on splunk instance. I have been following the same method for colors, font, resizing text + own scripted alerts. ... View more

Hi, Why dont you keep it simple? (host=xxx* "url1") AND (host=yyy* "url2") |eval execute_time2=case(host=yyy*,execute_time)| timechart span=30m p50(execute_time) AS xxx50 |appendcols [search host=yyy* "url2" | timechart span=30m p50(execute_time) AS xxx50, p50(execute_time2) AS yyy50] Thanks, L ... View more

Hi, What do you want to do with 7z files? Splunk does support reading compressed file, but what are the contents? There is a very easy way if doesn't read, just trigger the 7z exe to unzip the files to a location from where splunk can read them Thanks, L ... View more

Hi, The below link will help in resolving the issue. I have used DBConnect 1.2.2 with the patched jar file. http://sourceforge.net/p/jtds/bugs/725/?limit=10&page=1#7b2b Search for the text and link: Attachments jtds-1.3.1-v20140512.jar Thanks, L ... View more

Daniel the props.conf will have to be set up on the indexer not forwarder. They will get adjusted according to your config for the newer entries. you can modify anything for the indexed items or better re-index them. ... View more

Hi, Best way to troubleshoot is to check the splunkd.log files and see if you are making any mistake on the input stanza. Did u check the permission on the input files? they don't forward if splunk is not able to read them. so go to security tab and see who all are having the permission. Then give the necessary permissions. Thanks, L ... View more

Hi Eddel, Use the below one as an alert to get notified on your license Master. index=_internal source=*license_usage.log type=Usage earliest=-0d@d | stats sum(b) as tot | eval GB=tot/1024/1024/1024 |table host,GB| where GB > 4 OR Quicker | rest /services/licenser/pools|where stack_id="enterprise" |eval used_bytes=used_bytes/(1024*1024*1024)|table splunk_server,used_bytes|where used_bytes >4|eval used_bytes=used_bytes." GB"|rename used_bytes as "Usage" Thanks, L ... View more

why dont you just put endswith="complete" that should cover both the ending points. ... View more

I was refering to the script which is configured for a realtime alert. I personally feel there is not much use of a realtime alert. rather schedule it to run every minute or two. It will affect the performance for sure as the CPU core will be occupied. There is no best practice available currently but you will know this by experimenting in your test environment. ... View more

Adding to that, Don't configure the script for real time alerts, it will continuously trigger the script every minute irrespective of the results found or not. ... View more

Hi Sbeamro, i am not able to get the complete details as the symbols got omitted in your comment. But what i can understand is you want to include the alert subject in your SMS !? You can take advantage of the parameters which will supply you the values directly. Don't mention the $alert variable while mentioning the script file in the alert set up page. Please see the below argument values. ` Arg Environment Variable Value 0 SPLUNK_ARG_0 Script name` 1 SPLUNK_ARG_1 Number of events returned 2 SPLUNK_ARG_2 Search terms 3 SPLUNK_ARG_3 Fully qualified query string 4 SPLUNK_ARG_4 Name of report 5 SPLUNK_ARG_5 Trigger reason. For example, "The number of events was greater than 1." 6 SPLUNK_ARG_6 Browser URL to view the report. 7 SPLUNK_ARG_7 Not used for historical reasons. 8 SPLUNK_ARG_8 File in which the results for the search are stored. Contains raw results. ` ... View more

whats the query? or is it the dbinfo view throwing error? ... View more

whats the query? or is it the dbinfo view throwing error? ... View more

First try disabling the firewall. if not then ask your network team to look into it telnet IP_Add 8089 it has to be successful to make it work further ... View more

* * * * for every minute. Checking is the throttling is enabled. Emails i am not sure why it will not be triggered, is the mail client configured? Check in system Setting for email server and check the sendmail command manually if the email works. You can find all the info in splunk docs. ... View more

I am not able to delete any dashboard component while editing the view, is it me or is it broken? ... View more

Hello , If you are looking for getting the high values or want to group them to find out the machines there are several ways to do it. 1st: This will give you the values with their counts and percentage in the whole dataset source=CPU counter="% Proccessor Time" instance=_Total|top 5 Value by host 2nd: Use stats to get the values over a period of time source=CPU counter="% Proccessor Time" instance=_Total|stats avg(Value) as Usage by host|sort 5 -Value, host 3rd: Use timechart to get the trend source=CPU counter="% Proccessor Time" instance=_Total|timechart avg(Value) by host Thanks, L ... View more

Hello Boney, If realtime doesn't support then use the schedule alert like every minute. For alerting provide a condition as well. |dbquery "SystemLog" "Select * from Central_Log"|where Field > 5 similarly if you want to set alert for unsuccesful attempts then mention the condition as below. sourcetype=mysource "Unsuccessful"|stats count|where count=5 More Reference: http://docs.splunk.com/Documentation/Splunk/6.1.4/Alert/Setupalertactions Thanks, L ... View more

not that we can't set without the powershell addon. In interval we can specify a valid cron schedule for any input type. interval= 0 12 * * * ... View more