Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About BernardEAI
BernardEAI
Communicator
Member since:
08-27-2020
06-27-2023
Community Statistics
| Posts | 68 |
| Solutions | 5 |
| Karma Given | 131 |
| Karma Received | 9 |
| Member Since | 08-27-2020 |
Activity Feed
- Got Karma for Re: How to fix failure in app-inspect | check_for_supported_tls. 03-13-2024 03:26 AM
- Posted Re: How to fix failure in app-inspect | check_for_supported_tls on All Apps and Add-ons. 06-13-2023 06:43 AM
- Karma How to fix failure in app-inspect | check_for_supported_tls? for mbachhav. 06-13-2023 06:41 AM
- Karma Re: How to fix failure in app-inspect | check_for_supported_tls for JorgeSilentPush. 06-13-2023 06:41 AM
- Karma Re: How to fix failure in app-inspect | check_for_supported_tls for rmccullagh. 06-13-2023 06:41 AM
- Got Karma for Re: Splunk Machine Learning Tool kit: Error in 'fit' command: External search command exited unexpectedly.. 05-08-2023 06:35 AM
- Karma Re: Splunk Db Connect not working after installation (The Java Bridge server is *not running*) for mgarcia_splunk. 12-13-2022 07:25 AM
- Karma Re: Stats command returning no results if field does not exist. for MuS. 05-04-2022 06:59 AM
- Karma Re: In all my forms with post process search, the Export in CSV button is disabled. Is this expected behavior? for aldonnelley. 04-20-2022 11:53 PM
- Karma Re: Your maximum disk usage quota has been reached - WHat does this mean? for tlagatta_splunk. 03-29-2022 08:14 AM
- Karma Re: Digit limit to number data type in kvstore? for richgalloway. 03-23-2022 07:52 AM
- Posted Is there a limit to the number of digits for a number field in a kvstore? on Splunk Search. 03-23-2022 06:57 AM
- Karma Re: case: defaulting to "value" rather than NULL for sowings. 03-23-2022 05:12 AM
- Posted How to group by without aggregation? on Splunk Search. 02-28-2022 01:35 AM
- Karma Re: How to get session key in a search script (| script ) similar to the way a scripted input can? for supersleepwalke. 01-26-2022 05:50 AM
- Posted Multiclass classification with MLTK? on All Apps and Add-ons. 01-07-2022 01:32 AM
- Karma Re: Get current username from SplunkJS for Flynt. 11-12-2021 12:04 AM
- Karma Re: How to remove searchmanager ID in mvc.js after a search in Splunk? for yxie_splunk. 11-11-2021 11:56 PM
- Karma Re: How to Run a search using searchmanager (from javascript) when browser/tab closes? for harshpatel. 11-11-2021 11:56 PM
- Posted Re: Issue while updating Splunk custom command permission from UI on Dashboards & Visualizations. 11-04-2021 02:20 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-13-2023
06:43 AM
1 Karma
This worked for me, thanks a lot! Note: the extension of my certificate file was .crt by default. Also, once the certificate expires, you'll have to update this piece of code.
... View more
03-23-2022
06:57 AM
I have a kvstore that I am writing results of a search to. I have a field in the kvstore called ASC_IDX, and this is defined as a number. If I now write a large number (like 1647976533000037808725) to this field with outputlookup, I get the following number in the kvstore:
-9223372036854775808
This same number appears for all large number I'm trying to put into the kvstore.
Is there a limit to the number of digits for a number field in a kvstore?
... View more
Labels
- Labels:
-
fields
02-28-2022
01:35 AM
Hi
I'm trying to group items by a specific field, and get all the values returned (i.e. without aggregation). I have the following:
I'm trying to convert that to:
I have tried
| chart values(value) by field
| transpose header_field=field
However the values(value) only selects unique values - I'm looking for all values.
... View more
Labels
- Labels:
-
chart
01-07-2022
01:32 AM
Is it currently possible to do multiclass classification with any of the algorithms in the MLTK? I have investigated the RandomForestClassifier algorithm, which has multiclass functionality, but looking at the parameters available in the Splunk MLTK documentation (RandomForestClassifier ) I do not see any of the multiclass parameters being available (specifically n_classes_) - See also sklearn - RandomForestClassifier
... View more
Labels
- Labels:
-
other
11-04-2021
02:20 AM
Same issue on 8.1.4
... View more
11-03-2021
03:28 AM
Our app has a functionality where users can create alerts for specific events. Unfortunately the users do not have the rights to create saved searches (we are on a multi-tenant platform, so we cannot change user rights). The code for this is: var service = mvc.createService();
var mySavedSearches = service.savedSearches();
mySavedSearches.init(admin_service, {app:"APP", sharing:"app"});
// Create a saved search/report as an alert.
// service.savedSearches().create(alertOptions, function (err, alert) {
mySavedSearches.create(alertOptions, function (err, alert) {
console.log("ALERT");
// Error checking.
if (err && err.status === 409) {
console.error("ERROR: A saved alert with the name '" + alertOptions.name +
"' already exists");
error(alertOptions.name);
return;
} else if (err) {
console.error("There was an error creating the alert:", err);
return;
}
// Confirmation message.
console.log("Created alert: " + alert.name);
}); When logged in as an admin user, the saved searches are created. However, when logged in as a normal user, the following error appears: User 'user' with roles { db_connect_user, user } cannot write: /nobody/APP/savedsearches/test_saved_search { read : [ admin, user ], write : [ admin ] }, export: app, removable: no, modtime: 1559130962.504602000 Would it be possible to create these saved searches as admin, by for instance creating a service with the admin user? How could I do this? I have tried: var service = mvc.createService({ owner: "admin" }) but this did not work.
... View more
Labels
- Labels:
-
authentication
09-01-2021
03:19 AM
Thanks @isoutamo I have tested this a bit and I do not get any searches that has ttl = 0. Maybe I just haven't encountered that case yet in my testing.
... View more
09-01-2021
02:30 AM
It turns out the Expired time is calculated by adding the ttl to start time of the search, plus the search duration. The search duration is the time the search takes to complete and display on screen. If there are many results and fields (as is the case with this search) the time to display on screen is significant. Therefor the Expired time is a bit more than: search start + search duration + ttl In any case, I discovered that I do not need to calculate size of the searches that have not expired yet, because only searches that have not expired yet are returned with the search: | rest /services/search/jobs | search author=<user> So I can just total the diskUsage field to get the total size of search artifacts for that user.
... View more
09-01-2021
01:47 AM
I'm working on calculating the storage space taken up by a specific user. I would like to calculate the total size of their search artifacts at any given time - we would like to see if they are hitting their storage limits regularly. This will indicate we need to increase the storage limit. I'm running this search to get the jobs for a specific user: | rest /services/search/jobs | search author=<user> The next thing to do would be to calculate the size of all jobs that have not expired yet. I can get the life of the search (ttl field) and when the search started (published field), and a sum of those should give the time the search expires. However, if I check the "Jobs" report, the "Expires" field does not correspond to what I calculate. There must be some additional factor involved in the calculation of the "Expired" field..?
... View more
Labels
- Labels:
-
fields
08-15-2021
11:31 PM
We have the same problem. We store a list of items in a row in the search that is used to create a pie chart. The end of the search looks as follows: | streamstats count as Count, values(ITEM_ID) as ITEM_list by DEPT
| dedup DEPT sortby -Count
| table DEPT, Count, ITEM_list The pie chart draws correctly, using DEPT as fields and Count as counts for the chart. In the drilldown, we set: <set token="ITEM_list">$row.ITEM_list$</set> The idea is to use the ITEM_list token in a subsequent search. This technique works perfectly with bar charts, but the drilldown for the pie chart does not set the token as required. I think this is a functionality that does not work in the pie chart.
... View more
07-30-2021
03:18 AM
@venkatasri thanks for the suggestion. I have tried getting the status of the saved search using an API call. I have run this API: /servicesNS/admin/<app_name>/saved/searches/<save_search_name>/history This returns a lot of the info on the search, but not the status!?!? I would have expected this would be in the data. Any idea if there is another endpoint that I can use that would have the status info? UPDATE: I managed to find an API call that would report on failed scheduled searches: | rest /servicesNS/-/<app_name>/search/jobs | search isFailed=1
| table label, published, messages.fatal This will work on our multi-tenant platform.
... View more
07-28-2021
11:01 PM
We have a number of saved searches (configured as alerts) that make use of custom search commands we wrote. It can happen that those custom commands fail to execute. This would cause the saved search to fail with an error message, which can be seen if you would run the search in the Splunk UI. We would like alerts to be triggered if this happens to the saved search. In the Alert configuration, this type of trigger is not an option. Is there any way we can get an alert triggered when one of our saved searches fails with an error? PS: we are running our app on a multi-tenant platform, so we do not have access to the internal logs, thus we cannot run a search like: index=_internal sourcetype=scheduler status!=success
| table _time search_type status user app savedsearch_name
... View more
Labels
- Labels:
-
saved search
-
scheduled search
07-27-2021
03:13 AM
1 Karma
Thanks @venkatasri On our DEV server this would be easy to solve, I could change the max_rows_per_query parameter in limits.conf. On our production environment, we are tenants on a multi-tenant platform, so we do not have access to the configuration files. The approach I took here is to make use of the skip parameter that is available in the query function. I can then have a loop that runs through the entire kv store by incrementing the skip parameter: while end == False:
data_list = collection.data.query(skip=skip_tracker)
if len(data_list) != 0:
for item in data_list:
# perform action on entry in kv store (delete, update etc.)
skip_tracker += 50000
else:
end = True More details on the query function here: https://github.com/splunk/splunk-sdk-python/blob/13f07cd08f8b2017c1cdafc2fbc75673013dc713/splunklib/client.py#L3633
... View more
07-27-2021
01:14 AM
I'm trying to delete specific items from our kv store by using a python custom command. I retrieve the kv store with the following command: collection = self.service.kvstore[collection_name] I then retrieve all the entries in the kv store with: data_list = collection.data.query() This works correctly, however only 50000 of the entries are returned. Is there a parameter I can pass to query() to remove the limit of 50000? Thanks!
... View more
07-22-2021
02:24 AM
@atayarani_impri This problem typically occurs when the name of the custom command does not match the name defined in the sendemail.py file. I encountered this when I made a copy of the default sendemail.py file to make our own custom sendemail command. I named the new command newsendemail (with the file newsendemail.py). In the file newsendemail.py, there is a piece of code: sendemailRegex = r'\|\s*sendemail'
if (re.findall(sendemailRegex, searchToRun)):
parameters['input-search'] = re.split(sendemailRegex, searchToRun)[0]
parameters['et'] = jsonJob.get('earliestTime')
parameters['lt'] = jsonJob.get('latestTime')
else:
raise PDFException("Can't attach PDF - ssName and pdfViewID unavailable") This is where that error is generated. For us, I had to change the r'\|\s*sendemail' part to r'\|\s*newsendemail' The regex is searching for 'sendemail' in the search query, but the name of the custom command has been changed to 'newsendemail', so the regex needs to be updated. The error occurs if the regex does not find anything in the search query.
... View more
07-21-2021
05:52 AM
I have loaded a SSL Certificate on our development server (Splunk 8.1.4). I added the following to the server.conf file (based on the Splunk docs on what to add to the web.conf file): [sslConfig] enableSplunkdSSL = 1 privKeyPath = $SPLUNK_HOME/etc/auth/mycerts/splunk.key serverCert = $SPLUNK_HOME/etc/auth/mycerts/splunk.pem After restarting Splunk, I found a problem with the kvstors, and after investigating I found that mongod did not restart (running ./splunk _internal call /services/server/info |grep -i kvstore returned <s:key name="kvStoreStatus">failed</s:key>) Running this search in Splunk: index=_internal sourcetype=mongod returns this error: [main] cannot read certificate file: /opt/splunk/etc/auth/mycerts/splunk.key error:0906D06C:PEM routines:PEM_read_bio:no start line I cannot determine why this error is being generated.
... View more
Labels
- Labels:
-
configuration
06-09-2021
07:42 AM
I found the answer to the question: the "dispatch.ttl" can be configured in the "Advanced Edit" of the saved search.
... View more
06-09-2021
07:34 AM
I'm trying to accurately control the lifetime of the search artifacts of a saved search. I have set the "Expiry" time to 30 mins in the saved search, but if I check the artifacts in the "Jobs" view, the expiry of the search is 2 hours after start. Looking at the savesdearches.conf I see the item "alert.expires = 30m" in the saved search stanza. I have also seen the item "dispatch.ttl" in the Spunk documentation for savedsearches.conf, where it states: dispatch.ttl = <integer>[p]
* Indicates the time to live (ttl), in seconds, for the artifacts of the
scheduled search, if no actions are triggered. According to that the life of the artifacts is controlled by this parameter. What does alert.expires control? Is there a way to set dispatch.ttl via the UI?
... View more
- Tags:
- saved search
Labels
- Labels:
-
other
06-08-2021
10:32 PM
I'm trying to get some more info on an alert condition. Is there any way to include the search warning information in an alert? I would like to see this info in the alert email that is generated.
... View more
Labels
- Labels:
-
alert action
-
alert condition
06-03-2021
11:32 PM
1 Karma
I have been trying to get this right for a while. I used to make use of this format: <eval token="earliest_epoch">if(isnum($p2_period.earliest$),$p2_period.earliest$,relative_time(now(),$p2_period.earliest$))</eval> I had that code in a dummy search that would run when I hit the "Submit" button, and in the <change> tag for the time input. This seemed to work well, until it stopped working (we upgraded to Splunk 8 from 7 and I think this is when it stopped working. This is reported here as well, the problem revolves around the isnum check: https://community.splunk.com/t5/Splunk-Enterprise/xml-Check-if-a-value-is-a-number/m-p/554255#M5996 ) I eventually decided to go over to javascript to solve this. I now have the following code in the "submit" event (gets triggered on the "Submit" button click): service.oneshotSearch("| makeresults | eval time=\"" + earliest_time + "\" \
| append [ | makeresults | eval time=\"" + latest_time + "\"] \
| eval time_e = if(isnum(time),time,relative_time(now(),time))" , {
output_mode: "JSON"
}, function (err, results) {
if (err) {
console.error(err);
} else {
earliest_time_e = results.results[0]['time_e']
console.log(earliest_time_e );
latest_time_e = results.results[1]['time_e']
console.log(latest_time_e );
var now_time_e = Math.round(Date.now()/1000)
var diff_time_e = now_time_e - earliest_time_e
//set any tokens needed
mvc.Components.getInstance('submitted').set('earliest_time_e',earliest_time_e );
// rest of code.......
}
}}); The oneShotSearch executes this type of search (this one adds an eval to produce a 2 week plus and 2 week minus time as well): | makeresults | eval time=1620079200
| append [ | makeresults | eval time=1622671200]
| eval time_e = if(isnum(time),time,relative_time(now(),time))
| eval time_min_2w = relative_time(time_e,"-2w")
| eval time_plus_2w = relative_time(time_e,"+2w") In this way you can to any type of time manipulation and set your tokens, allowing a lot of flexibility.
... View more
06-03-2021
04:18 AM
@weidertc I'm seeing the same thing. It used to work for me as well, now it has stopped working. We upgraded to Splunk 8.1.0 from Splunk 7 recently, it might have something to do with this..? UPDATE: I described the approach I took to address this here: https://community.splunk.com/t5/Splunk-Search/Convert-timepicker-token-to-epoch-time-for-eval-regardless-of/m-p/425185/highlight/false#M121916
... View more
06-01-2021
07:36 AM
Hi javiergn Can you maybe give some technical detail on why subsearches are expensive in terms of performance? Is the performance cost simply equal to doing that search on its own?
... View more
05-11-2021
03:28 AM
This solution worked for me, thanks! Details on the replicate = true flag is here: https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/Collectionsconf
... View more
04-30-2021
12:13 AM
I'm trying to set up some HTTP Origins for which to return Access-Control-Allow-* (CORS) headers. According to the Splunk documentation, I need to add these to the [httpServer] stanza of the server.conf file, under the crossOriginSharingPolicy heading. I'm getting a problem when the url has a slash in it, like: https://address.test.frontend.aws.cloud/network Splunk raises an error during server start, with the following message: ValueError: invalid literal for int() with base 10 I think the issue is due to the slash in the url, I tested removing the /network part and the server started fine.
... View more
- Tags:
- server.conf
Labels
- Labels:
-
authentication
04-28-2021
06:55 AM
After getting stuck with this problem for many hours, I have also determined that the tstats latest command does not support milliseconds. It seems the milliseconds are recoded in the tsidx file (in the _time field), however when we make use of the tstats latest command, the records are only searched on second resolution, not millisecond. The result is that numerous of our events that occur in the same second (at different milliseconds) and considered to have occurred simultaneously, resulting in inconsistent results for the latest command.
... View more
- Tags:
- tstats latest
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-27-2023
05:12 AM
|
Karma from
Karma given to
