check permission issue in log files splunkd ... mongod logs Check file ownership and permission for server.pem, server.key ... View more

it's difficult to answer as there is no one single approach.   best practice is.... lift and shift of config's and apps local.    ... View more

hi, we are on 8.2.3.3, try increasing your cache size in web.conf, that should fix it, increase it to almost 3x your current config    let me know if that helps ... also disable THP if using linux ... View more

hi @gcusello , thanks, we are using Splunk Enterprise, custom page it is then,   would you be able to share source or snippet ? ... View more

try restarting all the search heads 1 by 1, looks like it's unable to get in sync with all.    and after this check, if the captain is being assigned and this search head took part in the election. ... View more

hi there, according to the docs When you work with forwarders to send data to Splunk Cloud, you must download an app that has the credentials specific to your Splunk Cloud instance. You install the forwarder credentials app on your universal forwarder, heavy forwarder, or deployment server, and it lets you connect to Splunk Cloud. If everything is correct try following steps: try doing telnet to the cloud instance from your splunk forwarder telnet <IP> <port> telnet 192.168.1.1 9997   and/or on your forwarder server run following commands /splunkforwarder/bin/splunk list forward-server   ( if all settings okay, it should come under Active forwards else Configured but inactive forwards) /splunkforwarder/bin/splunk show deploy-poll    ( will show the deployment server configured) /splunkforwarder/bin/splunk list monitor  (will list the files that splunk is watching)   also try doing tail or scan the end lines of splunkforwarder splunkd logs /splunkforwarder/var/log/splunk/splunkd.log   Ps: in windows you can use cmd to run splunk CLI commands, instead / use \ for paths. ... View more

😊 ... View more

Hi @impurush  This seems to works. 1) For use in token in email header or body, create a version of the field you want with an underscore as a prefix (e.g., | eval _fieldA = fieldA). You will use this field in the token -- e.g., $result._fieldA$. 2) Use 'fields' command instead of 'table' command. (I thought I had to use 'table' command to order the fields as I wanted in the email output. But 'fields' seems to work for that purpose as well.) Be sure to include the underscore-prefixed version of the field you want (e.g., "_fieldA") to use as token. (I just put it at the end.) Because it is prefixed with underscore, it won't show up in email table output.   credits: wryanthomas source: https://community.splunk.com/t5/Alerting/I-am-sending-a-table-in-mail-as-an-alert-but-I-want-to-hide-some/m-p/406467  ... View more

hi,  get the email id as a column in result lets say email, and in the TO field of alert pass it as a token   "  $result.email$  "   The same can be achieved in search using sendemail in search.     cheers! ... View more

Hi @vinitpathri  List all the names of indexes     | eventcount summarize=false index=* index=_* | dedup index | fields index​ 2. List all the saved searches alerts        | rest /servicesNS/-/-/saved/searches | search is_scheduled=1 | table title, cron_schedule next_scheduled_time eai:acl.owner actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search​     3. Compare the search field with the index field by joining these two outputs and running a search command.   Did I get your requirement correct? if yes then I can think of creating a join to give  you desired result 🤔 ... View more

Hi @gaok123    Please try running following search:   index=account_Information | table account_number cell_number after this, you can manipulate your records 🙂    Upvote if it helps 😊 !!    ... View more

Hi @mariamathewtel      | makeresults | eval _raw="Incidents Status Resolved_Date Closed_Date INC001 Assigned INC001 Assigned INC001 Resolved 1/5/2020 2/5/2020 INC001 Closed 1/5/2020 2/5/2020 INC002 Assigned INC002 Resolved 8/5/2020 INC002 Resolved 8/5/2020 INC002 Closed 8/5/2020 10/5/2020 INC003 Assigned INC003 Pending INC004 Assigned INC004 Assigned INC004 Assigned INC004 Resolved 15/05/2020 INC004 Closed 15/05/2020 22/05/2020 INC004 Closed 15/05/2020 22/05/2020" | multikv forceheader=1 | table Incidents Status Resolved_Date Closed_Date | search Status != "Resolved" AND Status != "Closed"     Hint: If the query is not returning any result in the table command(2nd last line) remove the spaces..they are getting recognized as <tab>, manually give space.  I believe this resolves your part to display only the cases which are not resolved and closed.   Please accept this as answer if it works for you  ... View more

hi mariamathewtel,   You can try implementing JavaScript on the Closed date column, and the output be saved to a lookup since you cannot change the already indexed data. Check you this link for JS implementation of the text box: How to add a textbox as a cell in a Splunk table ... View more

hi manikanthkoti, you can limit the number of concurrent searches by, modifying limits.conf. but for limiting the number of users concurrently, I don't think there is any implementation as such from Splunk side. You can do a limit on your server itself. That is limiting the number of connections, but that's a long shot. F5 LTM/APM coupled with iRule to limit concurrent sessions. how-to-limit-the-number-of-concurrent-sessions-from-a-client-on-a-vs ... View more

  My table cannot have big headers, that's why I didn't use xyseries. Colors, for now, are doing the work of distinguishing  Moreover, I was thinking of adding another bar on top, but splunk's internal js and css are not allowing my table to go beyond 100% of the page, hence I cannot expand my other table to cover all the columns.   Total Columns as of now 25. out of which Market and the market unit is frozen. ... View more

in my case, there is a table with 25 columns, I have frozen the first two columns using CSS, and used legends color codes to distinguish data. But, as we keep on adding columns need to define a common group for them.   Let's Say for example : column A1,B1,C1  denote geographic details. column D1.E1,F1 denotes the stats for Income (mean, median,mode) column G1,H1 depicts the population ( 5 years ago, present)   all these require a common header.   I am open to showing these headers as separate panels and link both the tables. ... View more

Although this seems correct since you are changing the operating system, better try on poc or test instance.  since some settings in windows os and Linux are different.   Refer to the docs https://docs.splunk.com/Documentation/Splunk/8.0.4/Installation/MigrateaSplunkinstance  ... View more

Hey there,    For alerts, reports, dashboards: these files are stored in respective app folder in etc/apps/xxx   By default, scheduled searches alerts are typically stored in the search app unless while creating you define to another application.   You can tar.gz your existing windows etc/apps folder and untar in your Linux environment. ... View more

Hello everyone,  I tried doing the same, but unable to do so, can someone provide a guided approach. @niketn @nplamondon @jkat54  @to4kawa @martin_mueller  ... View more