Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About andrewtrobec
andrewtrobec
Motivator
Member since:
11-09-2016
a month ago
Community Statistics
| Posts | 336 |
| Solutions | 7 |
| Karma Given | 124 |
| Karma Received | 48 |
| Member Since | 11-09-2016 |
Activity Feed
- Got Karma for Can a Splunk search call a Python script to perform data manipulation?. 06-18-2025 07:40 AM
- Got Karma for Why does a user with user role not see images on a dashboard studio dashboard?. 06-11-2025 12:00 AM
- Karma Re: Change text panel position in dashboard studio for biwanari. 04-08-2025 10:53 AM
- Got Karma for Re: The Client forwarder management not showing the clients. 08-14-2024 09:02 AM
- Posted Re: The Client forwarder management not showing the clients on Deployment Architecture. 06-14-2024 08:24 AM
- Karma Re: The Client forwarder management not showing the clients for AAlhabba. 06-14-2024 08:23 AM
- Got Karma for When will emojis in dashboard dark mode work properly (still persists in 9.2.1)?. 06-03-2024 10:51 PM
- Posted When will emojis in dashboard dark mode work properly (still persists in 9.2.1)? on Dashboards & Visualizations. 05-22-2024 05:16 AM
- Tagged When will emojis in dashboard dark mode work properly (still persists in 9.2.1)? on Dashboards & Visualizations. 05-22-2024 05:16 AM
- Got Karma for Re: How can I avoid overwriting the local folder when reloading from my deployment server?. 05-02-2024 03:28 AM
- Got Karma for How can I avoid overwriting the local folder when reloading from my deployment server?. 05-02-2024 03:27 AM
- Posted Re: Why is my LINE_BREAKER parameter not breaking properly with multiple capture groups? on Getting Data In. 03-06-2024 09:17 AM
- Posted Re: Why is my LINE_BREAKER parameter not breaking properly with multiple capture groups? on Getting Data In. 03-06-2024 09:16 AM
- Karma Re: Why is my LINE_BREAKER parameter not breaking properly with multiple capture groups? for lucacaldiero. 03-06-2024 09:15 AM
- Posted Re: Why is my LINE_BREAKER parameter not breaking properly with multiple capture groups? on Getting Data In. 03-06-2024 03:00 AM
- Posted Why is my LINE_BREAKER parameter not breaking properly with multiple capture groups? on Getting Data In. 03-05-2024 11:09 AM
- Got Karma for Re: Why does updating a token with JavaScript not cause panels dependent on those tokens to refresh?. 01-03-2024 02:10 PM
- Posted Why does user with "power" role only see the "Search" option in the navigation menu and nothing else? on Splunk Enterprise. 12-13-2023 06:15 AM
- Posted Why is a sourcetype not being applied to a summary index that was migrated? on Getting Data In. 10-27-2023 07:38 AM
- Karma Re: Can Azure AD and Microsoft Entra be configured together on Splunk Enterprise? for isoutamo. 10-27-2023 06:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-14-2024
08:24 AM
1 Karma
Boy am I glad to have found this thread. Got my problem solved, thank you so much ❤️
... View more
05-22-2024
05:16 AM
1 Karma
Hello! Dark mode still does not work in Splunk Enterprise 9.2.1 when an emoji is in one of the visualizations, like a single for example. Here is run anywhere dashboard. Just set it do dark mode and it stops working. Remove the pizza and it works again. If you are in dark mode already and add the emoji then after initial save it will work, but after refreshing it reverts to light. If you don't like pizza then add an emoji of choice. <dashboard version="1.1" theme="light">
<label>pizza dark test</label>
<row>
<panel>
<single>
<search>
<query>| makeresults
| eval emoji="ciao🍕"
| table emoji</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
</dashboard> Thanks! Andrew
... View more
Labels
- Labels:
-
Classic dashboard
-
single value
03-06-2024
09:17 AM
Thank you for the feedback! I will take your suggestions into consideration!
... View more
03-06-2024
09:16 AM
Thanks Luca, this works! Appreciated!
... View more
03-06-2024
03:00 AM
Thank you @isoutamo for the response. Here is more accurate version of payload [
{
"Assigned to": "Jones, Francis",
"Cost": 3,
"Created date": "2024-02-28 12:52:18",
"Extraction date": "2024-03-02 13:51:00",
"ID": 12345,
"Initial Cost": 3,
"Location": "Sites",
"Path": "Sites\\FY1\\S3",
"Priority": 1,
"State": "In Progress",
"Status Change date": "2024-03-05 16:33:23",
"Tags": "Europe; Finance",
"Title": "Ensure correct routing of orders",
"Updated date": "2024-03-05 16:33:23",
"Warranty": false,
"Wave Quarter": "Q2 22",
"Work Item Type": "Request"
},
{
"Assigned to": "Jones, Francis",
"Cost": 3,
"Created date": "2024-02-28 18:59:18",
"Extraction date": "2024-03-05 16:31:00",
"ID": 12345,
"Initial Cost": 3,
"Location": "Sites",
"Path": "Sites\\FY1\\S3",
"Priority": 1,
"State": "In Progress",
"Status Change date": "2024-03-05 16:33:23",
"Tags": "Europe; Finance",
"Title": "Ensure correct routing of orders",
"Updated date": "2024-03-05 16:33:23",
"Warranty": false,
"Wave Quarter": "Q2 22",
"Work Item Type": "Request"
},
{
"Assigned to": "Jones, Francis",
"Cost": 3,
"Created date": "2023-01-28 18:59:18",
"Extraction date": "2023-02-05 16:31:00",
"ID": 12345,
"Initial Cost": 3,
"Location": "Sites",
"Path": "Sites\\FY1\\S3",
"Priority": 1,
"State": "In Progress",
"Status Change date": "2023-02-05 16:33:23",
"Tags": "Europe; Finance",
"Title": "Ensure correct routing of orders",
"Updated date": "2024-03-05 16:33:23",
"Warranty": false,
"Wave Quarter": "Q2 22",
"Work Item Type": "Request"
}
]
... View more
03-05-2024
11:09 AM
Hello, I need help with perfecting a sourcetype that doesn't index my json files correctly when I am defining multiple capture groups within the LINE_BREAKER parameter. I'm using this other questionto try to figure out how to make it work: https://community.splunk.com/t5/Getting-Data-In/How-to-handle-LINE-BREAKER-regex-for-multiple-capture-groups/m-p/291996 In my case my json looks like this [{"Field 1": "Value 1", "Field N": "Value N"}, {"Field 1": "Value 1", "Field N": "Value N"}, {"Field 1": "Value 1", "Field N": "Value N"}] Initially I tried: LINE_BREAKER = }(,\s){ Which split the events with the exception of the first and last records which were not indexed correctly due to the "[" or "]" characters leading and trailing the payload. After many attempts I have been unable to make it work, but based on what I've read this seems to be the most intuitive solution for defining the capture groups: LINE_BREAKER = ^([){|}(,\s){|}(])$ It doesn't work, but rather indexes the entire payload as one event, formatted correctly, but unusable. Could somebody please suggest how to correctly define the LINE_BREAKER parameter for the sourcetype? Here is the full version I'm using: [area:prd:json] SHOULD_LINEMERGE = false TRUNCATE = 8388608 TIME_PREFIX = \"Updated\sdate\"\:\s\" TIME_FORMAT = %Y-%m-%d %H:%M:%S TZ = Europe/Paris MAX_TIMESTAMP_LOOKAHEAD = -1 KV_MODE = json LINE_BREAKER = ^([){|}(,\s){|}(])$ Other resolutions to my problem are welcome as well! Best regards, Andrew
... View more
Labels
- Labels:
-
JSON
-
props.conf
-
sourcetype
12-13-2023
06:15 AM
Hello! I have a Splunk Enterprise 9.0.7 deployment. I have a local user with the "power" role. When connecting to the Search & Reporting app I can only see the Search option: Isn't "power" role able to access other app features? Expectation is to see what users with "admin" role see: What have I done wrong? Thank you and best regards, Andrew
... View more
- Tags:
- Navigation Menu
- power
Labels
10-27-2023
07:38 AM
Hello!
As part of data separation activities I am migrating summary indexes between Splunk deployments. Some of these summary indexes have been collected with sourcetype=stash, while others have their sourcetype set to a specific one, let's say "specific_st".
The data is very simple, here is one event:
2023-06-10-12:43:00;FRONT;GBX;OK
The sourcetype is set as follows:
[specific_st]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d-%H:%M:%S
TZ = UTC
category = Custom
pulldown_type = 1
disabled = false
SHOULD_LINEMERGE = false
FIELD_DELIMITER = ;
FIELD_NAMES = "TIMESTAMP_EVENT","SECTOR","CODE","STATUS"
TIMESTAMP_FIELDS = TIMESTAMP_EVENT
After collecting on the source Splunk instance, I run the search on the summary index and the fields are extracted correctly. After migrating the index to the new Splunk instance, the sourcetype does not seem to work and the fields are not extracted. The event correctly lists the sourcetype as "specific_st".
To migrate I copied the db folder via SCP from source indexer (single) to target indexer which is part of a cluster. I made sure to rename any buckets and when I brought the indexer back up the index was correctly recognized and replicated. The sourcetype is located on all indexers as well as the search head.
Has anybody had this problem before? Do I maybe need to update the sourcetype in some way?
Thank you and best regards,
Andrew
... View more
Labels
- Labels:
-
index
-
indexer
-
props.conf
10-27-2023
06:39 AM
@anatolvd This gets the job done, I didn't think of that! Thank you!
... View more
10-26-2023
06:30 AM
Splunk Enterprise 9.0.5.1 Hello! I have to calculate the delta between two timestamps that have nanosecond granularity. According to Splunk documentation nanoseconds are supported with either %9N or %9Q: https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Commontimeformatvariables When I try to parse a timestamp with nanosecond granularity, however, it stops at microseconds and calculates the delta in microseconds as well. My expectation is that Splunk should maintain and manage nanoseconds. Here is a run anywhere: | makeresults
| eval start = "2023-10-24T18:09:24.900883123"
| eval end = "2023-10-24T18:09:24.902185512"
| eval start_epoch = strptime(start,"%Y-%m-%dT%H:%M:%S.%9N")
| eval end_epoch = strptime(end,"%Y-%m-%dT%H:%M:%S.%9N")
| table start end start* end*
| eval delta = end_epoch - start_epoch
| eval delta_round = round(end_epoch - start_epoch,9) Is this a defect or am I doing something wrong? Thank you! Andrew
... View more
Labels
- Labels:
-
eval
10-18-2023
03:32 AM
Hello! Can Azure AD and Microsoft Entra ID be configured simultaneously on a Splunk Enterprise instance? Is this a stupid question? Thanks! Andrew
... View more
Labels
10-11-2023
03:19 AM
Hello! According to ITSI documentation (https://docs.splunk.com/Documentation/ITSI/4.17.1/Configure/KVPerms) there is a KV store called "maintenance_calendar" that contains maintenance window details. I need to run some searches on the schedules, but I cannot access the data in the KV store due to the error: Is it possible to achieve what I am looking to do? Thank you and best regards, Andrew
... View more
Labels
08-04-2023
09:38 PM
This works for me too, nice one! @D2SI I would suggest this being the solution.
... View more
07-21-2023
12:23 AM
Apologies for the delayed response, I needed time to explore and test. In the end the issue was that the source was sending to /events endpoint and not /raw. After updating everything starting working correctly! Thank you so much for the support! I am accepting this as the answer because it provides multiple approaches, of which redirecting to /raw worked.
... View more
07-14-2023
05:24 AM
I need to find that out, but thank you for bringing this up! Am I to assume that it would be best to send to /services/collector/raw? Thanks!
... View more
07-14-2023
05:10 AM
Thank you for the response! I have this same setup with a very similar payload and it works no issues. Also, when the data comes into the HEC it parses the whole timestamp with the exception of the milliseconds for the timestamp. So for example the _time for the example above is: manual upload: 2023-07-12 10:17:32.432 HEC: 2023-07-12 10:17:32.000 One thing about the timestamp format is that it has 7 decimal places and not 6, but I am parsing %6N. I'm not sure if this would have any bearing. I hope this helps!
... View more
07-14-2023
04:50 AM
Hello! I have a JSON payload whose _time field gets parsed no issue when I perform a manual upload, but when that same payload comes in through a HEC with the same sourcetype then it doesn't parse the milliseconds. Sample payload: {"flowid":"dc59cf7376370faadfb89764e1896a1b","id":23431,"action":"upload","request":"","response":"{\"success\":false,\"correlation_id\":\"00-dc59cf7376370faadfb89764e1896a1b-d23cff8d675709d1-01\",\"status_code\":\"401\",\"message\":\"Request unsuccessful. The following errors were found.\",\"errors\":[{\"code\":\"E_TECHNICAL\",\"value\":\"A technical error prevented the success of the request.\"}]}","midid":"","dest":"","type":"GET","requesttime":"2023-07-12T10:17:32.4327504Z","externaltime": null,"externalresponsetime": null,"middlewaretime":"2023-07-12T10:17:32.4327504Z","logtime":"2023-07-12T10:17:32.6039773","globaltime":"2023-07-12T10:17:32.4333085","responsetime":"2023-07-12T10:17:32.4364843"} Sourcetype: [json_sourcetype] SHOULD_LINEMERGE = false TIME_PREFIX = \"logtime\"\:\" TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N TZ = UTC TRUNCATE = 0 MAX_TIMESTAMP_LOOKAHEAD = 0 KV_MODE = json Has anybody faced this issue before? What could the problem be? Thank you and best regards, Andrew
... View more
- Tags:
- hec
- json
- sourcetype
Labels
- Labels:
-
HTTP Event Collector
-
JSON
-
props.conf
-
sourcetype
03-29-2023
09:15 AM
@Gr0und_Z3r0 Thanks for the support, much appreciated. I ensured that all rest related capabilities were enabled, unfortunately still no dice. What I did discover, though, was that I can list the licenser services no problem: I can even call some of them. For example I can list the usage: I'll continue to investigate and update if I find anything. Best regards, Andrew
... View more
03-29-2023
05:15 AM
@Gr0und_Z3r0 Thanks again for the response. I did not have that capability enabled for "admin" role, but after enabling it still didn't solve 😕 I tried debug/refresh as well, but no luck. Regards, Andrew
... View more
03-29-2023
03:14 AM
Thanks again @Gr0und_Z3r0. I am running Splunk 8.2.6. Also, I am running the search on the Search Head that is not used as License Manager. I also have the same permissions for admin role: Any other ideas? Thanks! Andrew
... View more
03-28-2023
10:18 AM
@Gr0und_Z3r0 Thank you for the response! Unfortunately this command does not return any results. I am running it as local administrator in the search app. Am I missing something? Thanks!
... View more
03-28-2023
08:02 AM
Hello All, I am also facing issues post upgrade. When trying to save via web UI after specifying to not save a backup I get the error "The lookup file could not be saved". One of the best apps for Splunk has effectively become useless 😞 Is this being investigated at all? Thanks! Andrew
... View more
03-28-2023
02:27 AM
Hello! My objective is to put the license expiry on a dashboard. I read some older posts that state I can call a REST endpoint, but those seem to be out of date as the functionality is no longer available. What is the recommended way in 2023 to retrieve license expiry information so that it can be displayed on a dashboard? I don't want to have to revert to storing a fixed value in a lookup... 🙂 Thank you and best regards, Andrew
... View more
Labels
- Labels:
-
data
-
inputs.conf
03-08-2023
08:03 AM
Thanks for the input @PickleRick
... View more
- Tags:
- t
03-08-2023
08:02 AM
1 Karma
@Tom_Lundie Thank you again for the response, I appreciate you taking the time. I updated the sourcetype, deployed it, both problems solved: timestamp is no longer multivalue with "none" value and _time is associated correctly to the epochms value in the payload! Before making the change I ran the tstats search you provided and it returned value "none". After I made the change and ran it again the value was null. Then I tabled the results as before and the multivalue is no longer there (I also added timestamp_human and index_time to provide additional understanding): Thank you so much for the suggestions. Accepting your response as the answer, specifically the sourcetype. Best regards, Andrew
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a month ago
|
