Activity Feed
- Posted Re: Only cell highlight the percentage value for status=200 column on Dashboards & Visualizations. 04-30-2024 06:53 AM
- Posted Re: Only cell highlight the percentage value for status=200 column on Dashboards & Visualizations. 04-30-2024 05:44 AM
- Posted Only cell highlight the percentage value for status=200 column on Dashboards & Visualizations. 04-29-2024 11:28 PM
- Posted Re: Is it possible to display an external web page in Splunk like a html iframe? on Dashboards & Visualizations. 04-15-2024 08:35 PM
- Posted ingest_eval works on AIO instance but different results when applied at the HF tier on Getting Data In. 02-18-2024 03:33 PM
- Posted Re: dashboard studio column formatting array on Dashboards & Visualizations. 02-14-2023 04:43 AM
- Posted Re: dashboard studio column formatting array on Dashboards & Visualizations. 02-14-2023 01:21 AM
- Posted Why is dashboard studio column formatting array? on Dashboards & Visualizations. 02-13-2023 10:22 PM
- Karma Re: How to use Splunk App for Infrastructure to monitor server availability and send alert if one or more servers are down? for johnquinn. 06-05-2020 12:50 AM
- Karma Re: Splunk Add-on for NetApp Data ONTAP: Why doesn't a search that only uses source & source types not work unless i add an index? for dauren_akilbeko. 06-05-2020 12:50 AM
- Karma Re: How do you make a table of matching emails and duration between events and duration? for renjith_nair. 06-05-2020 12:50 AM
- Got Karma for What happened to all the Dashboards in the latest version of the App ?. 06-05-2020 12:50 AM
- Got Karma for What happened to all the Dashboards in the latest version of the App ?. 06-05-2020 12:50 AM
- Got Karma for Splunk Add-on for NetApp Data ONTAP: Why doesn't a search that only uses source & source types not work unless i add an index?. 06-05-2020 12:50 AM
- Got Karma for Re: How to differentiate different sourcetypes when ingesting from blob storage?. 06-05-2020 12:50 AM
- Karma Re: Upgrade from distributed to clustered environment retaining configurations and data? for traxxasbreaker. 06-05-2020 12:49 AM
- Karma Re: What are your Splunk t-shirt ideas? for Esky73. 06-05-2020 12:49 AM
- Karma Are there plans for Splunk to support Splunk Support for Azure Monitor Add-On? for scottpazelt. 06-05-2020 12:49 AM
- Karma Re: How to trigger an alert if status event is not indexed for 5 minutes? for gcusello. 06-05-2020 12:49 AM
- Karma Re: how to initially setup a summary index ? for ddrillic. 06-05-2020 12:49 AM
04-30-2024
06:53 AM
Sorry, no, that's not the requirement. Only for the row where status is 200 do I want to highlight the percentage cell, and then change the colour depending on the percentage value:

status | count | percentage
---|---|---
200 | 3245 | 98 (only highlight this cell)
404 | 34 | 1
503 | 34 | 1

>75% = green
>50 <74 = amber
>50 = red
... View more
04-30-2024
05:44 AM
Thanks @gcusello, that was where I looked first, but it applies to all fields in the column. My requirement is purely to highlight the percentage cell for status 200. Thx
... View more
04-29-2024
11:28 PM
My table looks like so:

status | count | percent
---|---|---
200 | 895 | 95.927117
404 | 14 | 1.500536
304 | 12 | 1.286174
303 | 12 | 1.286174

I have been trying to update the table_cell_highlighting.js in the dashboard example app so that it only highlights the percentage cell for status=200. Please point me in the right direction. Thx
... View more
- Labels: Classic dashboard
04-15-2024
08:35 PM
Hi, just curious: what are the security implications to think about when enabling this? If used in conjunction with the trusted domain list in web-features.conf, we should be secure? Or is there something else?
... View more
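The question above is about letting a dashboard iframe load an external page and whether a trusted-domain list is enough. The failure mode that matters with any such allowlist is how the candidate URL is compared against it. The following is an added example, not Splunk's own code and not the poster's; the allowlist contents, the function names and the `dashboards.example.com` / `status.example.com` hosts are constructed for illustration. It compares a URL by its full origin (scheme, host, port) and contrasts that with the substring check people tend to write first, which is fooled by look-alike hosts, userinfo tricks and scheme downgrades.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: (scheme, host, port) triples.
# Matching on the whole origin, not just the host name, is the point.
TRUSTED_ORIGINS = {
    ("https", "dashboards.example.com", 443),
    ("https", "status.example.com", 443),
}


def parse_origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None.

    Only http/https are accepted, so javascript:, data: and scheme-relative
    URLs ("//evil.net/") are rejected before any comparison happens.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # urlsplit already lower-cases hostname and strips any user:pass@ prefix,
    # so "https://dashboards.example.com@evil.net/" yields host "evil.net".
    return (parts.scheme, parts.hostname, port)


def is_trusted_iframe_src(url):
    """Exact-origin allowlist check: the safe way to use a trusted-domain list."""
    origin = parse_origin(url)
    return origin is not None and origin in TRUSTED_ORIGINS


def naive_is_trusted(url):
    """Substring check, shown only to contrast: accepts look-alike hosts."""
    return any(host in url for (_scheme, host, _port) in TRUSTED_ORIGINS)


if __name__ == "__main__":
    for candidate in (
        "https://dashboards.example.com/grafana",
        "https://dashboards.example.com.evil.net/",
        "https://dashboards.example.com@evil.net/",
        "http://dashboards.example.com/",
        "javascript:alert(1)",
    ):
        print(f"{candidate:50} exact={is_trusted_iframe_src(candidate)!s:5} "
              f"naive={naive_is_trusted(candidate)}")
```

The three URLs that the exact-origin check rejects but the substring check accepts are the ones an attacker would actually use: a host that merely ends with or contains the trusted name, a trusted name placed in the userinfo part before `@`, and the same trusted host over plain http. Whatever the product's list setting is called, verify its matching semantics with inputs like these before relying on it.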
02-18-2024
03:33 PM
I have syslog events being written to a HF locally via syslog-ng. These events are then consumed via file reader and the IP address in the log name is extracted as host. I now want to run an ingest_eval on the IP address and use a lookup to change the host.

If I run the cmd from search I get the required result:

index=... | eval host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")

This replaces host with "host_value". I have this working on an AIO instance with the config below. Now adding to the HF tier:

/opt/splunk/etc/apps/myapp/lookups/lookup.csv (lookup has global access and export = system):

host,host_value
1.2.3.4, myhostname

props.conf:

[mysourcetype]
TRANSFORMS-host_override = host_override

transforms.conf:

[host_override]
INGEST_EVAL = host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")

When applied on the HF (restarted) I see some of the hostnames are changed to "localhost"; the others remain unchanged (but this is due to the config not working OR the data coming from another HF with the test config not applied). Any ideas? Thx
... View more
- Labels: transforms.conf
02-14-2023
04:43 AM
Nope, that removes the list formatting. Desired output looks like this:

host | NAME | STATE | STATUS
---|---|---|---
host | Disk 0, Disk 1, Disk 2, Disk 3, Disk 4 | Online, Online, Online, Online, Online | Up, Up, Up, Up, Up
... View more
- Tags:
- Dashboard Studio
02-14-2023
01:21 AM
Thanks! But the last stats command presents the data in list format as I want. If I remove that, it doesn't give the desired output?
... View more
02-13-2023
10:22 PM
I'm looking to add some column formatting to a table in Dashboard Studio, but the option is greyed out saying the column is an array. Why is this, and can I refactor my search to make it work?
index=test AND host="test" sourcetype=test | stats latest(state) latest(status) by host name state status | stats list(name) as NAME list(state) as STATE list(status) as STATUS by hos
... View more
- Labels: Dashboard Studio
05-28-2020
06:44 AM
Hi @DalJeanis,
why do you use eventstats in the 3rd query as opposed to stats like in the 2nd query?
thx
... View more
03-18-2020
10:50 PM
Am I missing something with how DB Connect works?
I have DBC on a HF, and if I create a search that creates a lookup, that lookup will reside on the HF. There is no mechanism that moves it into the SHC so it can be used?
Similarly, I can't run a | dbxquery from the SHC, right?
gratzi
... View more
02-26-2020
12:13 PM
With this app (no collectd req):
https://splunkbase.splunk.com/app/4856/
Why would it show processes started in the past over a 15m window?
Gratzi.
... View more
02-25-2020
05:21 PM
Is it possible to monitor whether processes are running using metrics data and SAI?
I want to push out a config via UF to say "monitor these X processes", and alert should any of them stop.
gratzi
Also, I have a single UF reporting to Splunk. My SAI "Overview" dashboard looks like this (last 15 mins):
UPTIME(h:m:s)
top 10547 root 0 0.2 00:00:00
top 10817 root 0 0.2 00:00:00
top 11789 root 0 0.2 00:00:00
top 13036 root 0 0.2 00:00:00
top 14295 root 0 0.2 00:00:00
top 17779 root 0 0.1 4+18:58:48
What is this telling me? I only have one instance of top running, which shows as 4 days+. Where are all the other PIDs coming from?
ps -ef | grep -i top
root 17779 24995 0 Feb21 pts/1 00:03:02 top
root 30528 26798 0 12:27 pts/0 00:00:00 grep --color=auto -i top
... View more
10-21-2019
03:37 PM
Looks to be a security app logging to this dir with no cleanup script.
... View more
10-20-2019
11:29 PM
I have 23000 (yes, 000) directories in /opt/splunk/var/tmp/data.
I can't find info in the docs as to what this is. How best to find out?
Each directory has files in it such as:
part-00000.gz
part-00001.gz
part-00002.gz
part-00003.gz
part-00004.gz
part-00005.gz
... View more
- Tags:
- splunk-enterprise
07-17-2019
03:05 AM
1 Karma
OK, I went with creating several inputs but used the 'blob list' section to only ingest that log:
Input1:
Bloblist = filetypeA.logs
sourcetype = mscs:storage:blob:fileA
Input2:
Bloblist = filetypeB.logs
sourcetype = mscs:storage:blob:fileB
and so on ..
... View more
06-25-2019
08:36 PM
Hi, thanks.
I only have one container with all my logs in.
The only thing I can think of is sourcetype overrides: I label my input with mscs:storage:blob:logs
and then identify each sourcetype (as each log has a different naming convention) using regex and sourcetype overrides on the HF where the MSCS app is installed.
Unless there is a better way?
gratzi
... View more
06-24-2019
07:24 PM
I have some blob storage, and in there are different files that I need to ingest and apply different sourcetypes to,
e.g.:
some are error.log files
some are web access logs
some are other logs
How do I do this?
Gratzi.
... View more
06-12-2019
03:04 AM
Hi, thanks. Yep, all expected data is in the right index and searchable from the SHC.
... View more
06-10-2019
06:07 AM
It's working fine in an AIO scenario.
Moved to a cluster: the monitors are running on the Heavy Forwarder and populating my indexes, however nothing is populating the app on the Search Head Cluster.
All my inputs are on the HF.
I feel I'm missing a silly step. Please help!
gratzi.
... View more
05-20-2019
12:10 AM
Trying to replicate thresholds from a legacy tool in ITSI that are configured over time periods.
How would you create a KPI which alerts if CPU is over 95% for 15 minutes?
gratzi
... View more
04-15-2019
08:15 AM
I have a syslog file and none of the default sourcetypes give me what I want. Any advice on the best approach for props.conf? The events look like this:
Apr 15 16:54:01 HOSTNAMEX Group CfgSrvc: hd[0]: cfgcore: WritePhase2(Security,system,security.authentication.accounts[0].adminaccount.failedlogincount) value update "9234" => "9235"
Apr 15 16:54:01 HOSTNAMEX Group CfgSrvc: hd[0]: cfgcore: callback DynamicValidate(Security,"807847",system,{security[0].authentication[0].accounts[0].adminaccount[0].failedlogincount[0]/local,"9235"},"PlatCfgS/5/01-0"[17])
Apr 15 16:54:01 HOSTNAMEX Group Security: hd[0]: SecurityService: login login failed, increment # of failed logins
Apr 15 16:54:01 HOSTNAMEX Group Security: hd[0]: SecurityService: login login failed, setLoginResult 6
Apr 15 16:54:01 HOSTNAMEX Group Security: hd[0]: SecurityService: If loginSuccess is false (
Apr 15 16:54:01 HOSTNAMEX Group Security: hd[0]: SecurityService: LocalAuthenticator::login, role 3 loginSuccess 0
Apr 15 16:54:01 HOSTNAMEX Group Security: hd[0]: SecurityService: SecurityServiceLoginRequest(): username: admin
Apr 15 16:54:01 HOSTNAMEX Group logcat: hd[0]: UAppSvcs(2132): (legacyapi) API:OUT:Password:
Apr 15 16:54:01 HOSTNAMEX Group logcat: hd[0]: UAppSvcs(2132): (legacyapi) API:OUT: -- password failed, retry --
gratzi
... View more
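The sample events in the post above have a regular shape: syslog timestamp, host, a group token, a program name, an `hd[N]` unit, a component, then free text. The block below is an added example, not the poster's props.conf and not anything from Splunk: it shows one regex that splits those fields, and a small detection pass over the parsed events that pulls out what an analyst would actually want from this log (failed-login events per host, the username attempted, and the new value of the `failedlogincount` counter). The sample lines are copied from the post; the field names (`host`, `program`, `component`, `msg`) are my choice. In props.conf the same split would be an `EXTRACT-<class>` regex with the same named groups, which is why the regex is kept separate from the detection logic.

```python
import re
from collections import Counter

# Sample events copied from the post above (a subset of the lines shown there).
SAMPLE = """\
Apr 15 16:54:01 HOSTNAMEX Group CfgSrvc: hd[0]: cfgcore: WritePhase2(Security,system,security.authentication.accounts[0].adminaccount.failedlogincount) value update "9234" => "9235"
Apr 15 16:54:01 HOSTNAMEX Group Security: hd[0]: SecurityService: login login failed, increment # of failed logins
Apr 15 16:54:01 HOSTNAMEX Group Security: hd[0]: SecurityService: login login failed, setLoginResult 6
Apr 15 16:54:01 HOSTNAMEX Group Security: hd[0]: SecurityService: SecurityServiceLoginRequest(): username: admin
Apr 15 16:54:01 HOSTNAMEX Group logcat: hd[0]: UAppSvcs(2132): (legacyapi) API:OUT: -- password failed, retry --
"""

# Field split for this log shape. The named groups are the field names
# chosen for this example; the same regex would work as an EXTRACT-* in props.conf.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<group>\S+) (?P<program>[^:]+): "
    r"(?P<unit>hd\[\d+\]): (?P<component>[^:]+): (?P<msg>.*)$"
)
# Secondary extractions applied to the free-text part only.
COUNTER_RE = re.compile(r'failedlogincount\) value update "(\d+)" => "(\d+)"')
USER_RE = re.compile(r"SecurityServiceLoginRequest\(\): username: (\S+)")


def parse_line(line):
    """Return a dict of fields for one event, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_events(text):
    """Parse every matching line; non-matching lines are dropped, not guessed at."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def failed_login_summary(events):
    """Aggregate failed-login signals per host.

    failed_attempts: one count per 'increment # of failed logins' message,
                     so the two SecurityService lines per attempt are not double counted.
    usernames:       accounts named in SecurityServiceLoginRequest lines.
    counter_after:   latest failedlogincount value written by cfgcore, per host.
    """
    summary = {"failed_attempts": Counter(), "usernames": Counter(), "counter_after": {}}
    for ev in events:
        if ev["component"] == "SecurityService" and "increment # of failed logins" in ev["msg"]:
            summary["failed_attempts"][ev["host"]] += 1
        m = USER_RE.search(ev["msg"])
        if m:
            summary["usernames"][m.group(1)] += 1
        m = COUNTER_RE.search(ev["msg"])
        if m:
            summary["counter_after"][ev["host"]] = int(m.group(2))
    return summary


if __name__ == "__main__":
    events = parse_events(SAMPLE)
    for ev in events:
        print(ev["host"], ev["program"], ev["component"], "|", ev["msg"][:60])
    print(failed_login_summary(events))
```

Counting on the `increment # of failed logins` message rather than on every `login failed` line is deliberate: the device emits several lines per attempt, and an alert threshold built on raw line counts would fire at a fraction of the intended rate. The `failedlogincount` counter is worth extracting as its own field because a value in the thousands, as in the sample, is itself a finding about the admin account regardless of what arrives in any one search window.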
- Tags:
- splunk-enterprise
03-07-2019
01:49 AM
At this time, if I run this over 4 months the x axis shows month and day; all I want to see is month.
And can this search be improved?
gratzi
index=response source=responsetimes
| table _time, ACTION_TIME
| sort - ACTION_TIME
| convert rmcomma(ACTION_TIME)
| eval ACTION_TIME = (ACTION_TIME/1000)
| timechart avg(ACTION_TIME) as "Average" span=1d
| append [search index=response source=responsetimes
| table _time, ACTION_TIME
| sort - ACTION_TIME
| convert rmcomma(ACTION_TIME)
| eval ACTION_TIME = (ACTION_TIME/1000)
| eventstats p5(ACTION_TIME) as top5perc
| where ACTION_TIME < top5perc
| timechart avg(ACTION_TIME) as "Top 5%" span=1d]
| append [search index=response source=responsetimes
| table _time, ACTION_TIME
| sort - ACTION_TIME
| convert rmcomma(ACTION_TIME)
| eval ACTION_TIME = (ACTION_TIME/1000)
| eventstats p95(ACTION_TIME) as bottom5perc
| where ACTION_TIME > bottom5perc
| timechart avg(ACTION_TIME) as "Bottom 5%" span=1d]
| timechart first(*) as *
... View more
- Tags:
- splunk-enterprise
02-25-2019
04:05 PM
We are using a lot of index-time _json sourcetypes on our heavy forwarder for file inputs and HTTP Event Collector.
Would it be recommended to move to search-time field extraction?
What would the steps be from the heavy forwarder to the search head cluster?
gratzi
... View more
02-12-2019
10:18 PM
OK, so it's not supported, but I have a handful of servers that I'd like to get a fwd on.
Installed the latest version for 2000, 5.0.18. It's talking to the IDX but seeing a few errors for the DS (host = win2000, source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log, sourcetype = splunkd):
02-13-2019 01:11:07.396 -0500 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
02-13-2019 01:10:50.827 -0500 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
02-13-2019 01:06:13.201 -0500 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
02-13-2019 01:06:18.328 -0500 INFO HttpPubSubConnection - Could not obtain connection, will retry after 60 seconds.
02-13-2019 01:06:25.208 -0500 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
Is this because the old UF uses TLS 1.0 whereas we are now on TLS 1.2?
This looks similar to :
https://answers.splunk.com/answers/713063/if-i-upgrade-to-splunk-enterprise-70-can-i-recieve.html
Is it possible ?
Gratzi
... View more
- Tags:
- splunk-enterprise
02-07-2019
09:14 PM
2 Karma
Hi, some of the dashboards are missing from the previous versions:
Billing, Azure AD & the nice Topology feature?
Can these be re-added?
Or access to the previous versions, as I overwrote it?
gratzi
... View more