Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About harryvdtol
harryvdtol
Path Finder
Member since:
12-10-2021
11-19-2025
Community Statistics
| Posts | 32 |
| Solutions | 4 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 12-10-2021 |
Activity Feed
- Posted Re: sendmail to multiple users based on table output on Reporting. 11-19-2025 05:52 AM
- Posted Re: sendmail to multiple users based on table output on Reporting. 11-19-2025 05:52 AM
- Posted sendmail to multiple users based on table output on Reporting. 11-18-2025 10:25 PM
- Posted Re: Dashboard Studio Trellis on Column chart: alternative ? on Dashboards & Visualizations. 07-30-2025 09:56 PM
- Karma Re: Dashboard Studio Trellis on Column chart: alternative ? for livehybrid. 07-30-2025 09:56 PM
- Posted Re: Dashboard Studio Trellis on Column chart: alternative ? on Dashboards & Visualizations. 07-17-2025 12:16 AM
- Posted Dashboard Studio Trellis on Column chart: alternative ? on Dashboards & Visualizations. 07-16-2025 10:14 PM
- Posted Re: Daylight Saving issue column on Getting Data In. 06-15-2025 09:10 AM
- Posted Daylight Saving issue column on Getting Data In. 06-15-2025 06:10 AM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 05-28-2025 09:54 AM
- Posted Re: JSON array not onbaording as expected on Getting Data In. 03-03-2025 10:02 PM
- Posted Re: JSON array not onbaording as expected on Getting Data In. 02-25-2025 08:07 AM
- Posted JSON array not onbaording as expected on Getting Data In. 02-25-2025 06:13 AM
- Posted Re: Link to open PDF on a other website on Dashboards & Visualizations. 02-20-2025 11:13 PM
- Posted Link to open PDF on a other website on Dashboards & Visualizations. 02-20-2025 09:46 AM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 09-18-2024 02:25 AM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 08-08-2024 06:46 AM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 08-05-2024 11:30 PM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 08-01-2024 07:17 AM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 07-31-2024 09:52 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-19-2025
05:52 AM
I am going to do it in two steps Make an outputlookup for the data. And with another search inputlookup and this commanmd | inputlookup mytempdata.csv
| stats values(email) as email
| mvexpand email
| map search="
| inputlookup mytempdata.csv
| where match(email, \"^$email$\")
| sendemail
to=\"$email$\"
subject=\"My Subject\"
message=\"My Message\"
sendresults=true
inline=true
format=table
sendpdf=false
sendcsv=false
" maxsearches=100
... View more
11-18-2025
10:25 PM
Hello, I want to send multiple mails, based on the data in the seearch results. I have tried many posts, but i am still unable to get this working. For each email address i want to send an email. In my example i want to send 2 emails. This is my query example | makeresults
| eval kol1="line-1",kol2="line-1", email="j.doe@splunk.com"
| append [ | makeresults | eval kol1="line-2",kol2="line-2", email="j.doe@splunk.com" ]
| append [ | makeresults | eval kol1="line-3",kol2="line-3", email="j.doe@splunk.com" ]
| append [ | makeresults | eval kol1="line-1",kol2="line-1", email="p.doe@splunk.com" ]
| append [ | makeresults | eval kol1="line-2",kol2="line-2", email="p.doe@splunk.com" ]
| table kol1 kol2 email
| map search="|makeresults |sendemail to="$email$" from="me@sample.com" incline=true sendresults=true subject="test" message=$kol1$ $kol2$" The result is, that i a getting 5 emails, with a content of only kol1 as message I am thinking of alternatives, but that looks to complicated for now , like this... https://community.splunk.com/t5/Splunk-Cloud-Platform/Send-email-to-multiple-users-with-respective-data-based-on-the/m-p/704718 Is it somehow possible to do get this working? Regards, Harry
... View more
Labels
- Labels:
-
saved search
-
scheduled search
07-30-2025
09:56 PM
Thank you livehybrid Good to know. Regards, Harry
... View more
07-17-2025
12:16 AM
Unfortunaly the number of results is not fixed it varies between 20 and 30. Going back to Classic, is somgthing i do not want. I am going to skip this panel Thanks everybody, Regards, Harry
... View more
07-16-2025
10:14 PM
Hello, In Splunk i have a query that i use to show data with an xyseries. The output should be displayed as a Column-chart in "in Dashboard Studio" But when i save this dashboard i recieved this error "Dashboard Studio only supports Trellis layout for single value visualizations." This example query: | makeresults
| eval Displayname="DSP10", Month="2505-06", duration=100
| append [
| makeresults
| eval Displayname="DSP10", Month="2505-07", duration=200 ]
| append [
| makeresults
| eval Displayname="DSP20", Month="2505-06", duration=50 ]
| append [
| makeresults
| eval Displayname="DSP20", Month="2505-07", duration=90 ]
| table Month Displayname duration
| xyseries Month Displayname duration Are there any other options to display this in Studio in a Trellis layout as Column Chart of a Line? Regards, Harry
... View more
Labels
- Labels:
-
chart
-
Dashboard Studio
06-15-2025
09:10 AM
Hi all, I think i have manged your's input I have made two examples and they do what i want | makeresults | eval tz="Summer" | eval PlanDate="15-06-2025T20:10:30" | eval PlanDate_utc=PlanDate . "Z" | eval PlanDate_utc_epoch=strptime(PlanDate_utc, "%d-%m-%YT%H:%M:%S%Z") | eval PlanDate_utc_noepoch=strftime(PlanDate_utc_epoch, "%d-%m-%YT%H:%M:%S%Z") | eval PlanDate_epoch=strptime(PlanDate, "%d-%m-%YT%H:%M:%S") | eval diff=PlanDate_utc_epoch-PlanDate_epoch | eval PlanDate_my_tz=PlanDate_epoch+diff | eval PlanDate_my_tz=strftime(PlanDate_my_tz, "%d-%m-%YT%H:%M:%S") | table tz PlanDate PlanDate_epoch PlanDate_utc_noepoch PlanDate_utc_epoch PlanDate_my_tz diff PlanDate_utc_noepoch | makeresults | eval tz="Winter" | eval PlanDate="31-10-2025T20:10:30" | eval PlanDate_utc=PlanDate . "Z" | eval PlanDate_utc_epoch=strptime(PlanDate_utc, "%d-%m-%YT%H:%M:%S%Z") | eval PlanDate_utc_noepoch=strftime(PlanDate_utc_epoch, "%d-%m-%YT%H:%M:%S%Z") | eval PlanDate_epoch=strptime(PlanDate, "%d-%m-%YT%H:%M:%S") | eval diff=PlanDate_utc_epoch-PlanDate_epoch | eval PlanDate_my_tz=PlanDate_epoch+diff | eval PlanDate_my_tz=strftime(PlanDate_my_tz, "%d-%m-%YT%H:%M:%S") | table tz PlanDate PlanDate_epoch PlanDate_utc_noepoch PlanDate_utc_epoch PlanDate_my_tz diff PlanDate_utc_noepoch Regards, Harry
... View more
06-15-2025
06:10 AM
Hello, I have search for some old posting, but i did not find the proper answers. In Splunk i have a column date field that is named PlanDate and looks like this. 31-10-2025T20:10:30 The format is this: DD-MM-YYYYTHH:MM:SS But this field is in the wrong timezone. My timezone is Amsterdam. When summertime starts i need to add 2 hours to this field and in wintertime one hour. How do i do this? Can this be done at search time, or do i need to do this on index-time? I was thinking of making a lookup with daylight saving days for the next years, but i was hoping for a better solution Regards, Harry
... View more
Labels
- Labels:
-
field extraction
-
props.conf
05-28-2025
09:54 AM
Hello, Hereby a new update on this case Some weeks ago we have upgraded Splunk to 941. After the upgrade we receive erros when executing Splunk commands like splunk show .. or btool Failed to calculate cpu count from cgroup location="V2:/sys/fs/cgroup:/user.slice/user-570057916.slice/session-9.scope:/sys/fs/cgroup:/user.slice/user-570057916.slice/session-9.scope:" Because the Splunk version 941 added support for cgroups V2, we removed the workaround. Since then the original issue is back: adhoc hanging of systemctl If anyone has the issue, i really would like to know. Regards, Harry
... View more
03-03-2025
10:02 PM
Hello, I decided to let go on JSON file In stead i receive a simple txt file now, whcih works better Thank you for you help. Harry
... View more
02-25-2025
08:07 AM
Hi WIl, For the confirmation On UF - inputs.conf [monitor://C:\beheer\SCCM\abc*.txt] index=main sourcetype=Windows:SCCM:KBNummers ON Index-cluster - props.conf [Windows:SCCM:KBNummers] DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true INDEXED_EXTRACTIONS=json KV_MODE=none AUTO_KV_JSON = false category=Structured - Input file [{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2K5 4020-30-30 31:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}] Reagrds, Harry
... View more
02-25-2025
06:13 AM
Hello, I am having trouble onboaring json array data. I read many contributions , but i still having troubles This is the json array input [{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2KX-2025 2025-10-14 23:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}] - My first attempt: i put a props.conf on the UF DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true INDEXED_EXTRACTIONS=json KV_MODE=none AUTO_KV_JSON = false category=Structured The data was nicely split into separte json events, but the table command doubled the data. Like this issues https://community.splunk.com/t5/Splunk-Cloud-Platform/Why-does-json-data-get-duplicated-after-tabling-the-events/m-p/587724 https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-with-INDEXED/td-p/188551?_ga=2.153916656.937356172.1646061092-893813366.1631658459 - Then i moved the props.conf into the index-cluster Now the _raw event is the same as the input array, and not splitted ito separated json events, like this I have to use spath commad during search as workaround. So I can workaround the issue, but I 'd rather import the data correctly Where do i go wrong? Any help is appreciated. Reagrds, Harry
... View more
Labels
- Labels:
-
props.conf
02-20-2025
11:13 PM
Hello, I am sorry. I tried many ways, but i was completly looking at examples that did not helped me This indeed solved the question. Thank you for your help. Harry
... View more
02-20-2025
09:46 AM
Hello, Please help me with the following request I have a table output of several url's to PDF files For example this one https://janenpiet.domain.nl/sites/conten_sites/BOT/Parts%20%20documents/ADFM/Phonesrv/Highg%20Volume%20Phiones/ABCD%20Capture/60.%20Hardware/01.%20Scanners/Amsterdam/30/2025-01-20.pdf My request is as follows. When a user click on a link, it should open a new window that opens the PDF file. I notice that a simple drilldown does not work. Does anybody know how to do this? Reagrds, Harry
... View more
Labels
- Labels:
-
Classic dashboard
09-18-2024
02:25 AM
Hello everybody I want to confirm that the fix to Enable cgroup v2 on RHEL8 has solved the issue for us as well Regard, Harry
... View more
08-08-2024
06:46 AM
Hi AndrewBurnett, Thank you for keeping me updated. I have send the link to our Linux colleagues, and will hear what they think of it. Harry
... View more
07-30-2024
09:49 PM
If you have any news, please update this post. We made a support call to Red Hat without any luck Hopefully its works for you
... View more
07-29-2024
11:03 PM
Thank you , Good to hear that we are not the only one What Linux version are you running?
... View more
07-04-2024
06:29 AM
Thanks fort the tips. As a workaround i made an override for the Splunk service, to receive a timeout after 4 minutes in stead of the default 6. We run it as root user, but concerning the sudoers file: this is something for me to investigate. Maybe it has something to do with rights, because other application on Linux do not have this behaviour
... View more
07-03-2024
10:32 PM
Hi, Thank you for the response I am very sure that we fulfil these requirements. No ingestion takes palace, because there are no Splunk processes running. So to be clear, it is not Splunk that hangs, but the systemctl command to stop Splunkd.service. The Splunk processes has been stopped. But the systemtl command does not comes back in the prompt. I can see in splunkd.log that Splunk has stopped. "ps -ef splunk" : no splunk processes Regards, Harry
... View more
06-26-2024
11:49 PM
Hello, Since a few months we are facing an issue with stopping Splunk on Red Hat Linux-rel8. We do "systemctl stop Splunkd" to stop the Splunk proces. In most cases Splunks stops and the systemctl prompts comes back. But sometimes (let say 1 out of 10) Splunk stops, but the systemctl prompt does not comes back. Then, after 6 minues (the timeout in the Splunkd.service) systemctl comes back In /var/log/messages i see this after 6 minutes. Splunkd.service: Failed with result 'timeout'. Stopped Systemd service file for Splunk, generated by 'splunk enable boot-start'. In the splunkd.log i can see that Splunk has stopped. No Splunk proces is running. With "ps -ef | grep splunk" i can see that there a no Splunk processes running. "ps -ef | grep systemctl" i can see that systemctl is still running. It happens on Search cluster, index cluster, Heavy Forwarders etc. Splunk support says is it an Red Hat Linux issue and Red Hat points to Splunk. I wonder if we are the only one who is having this issue. Any remarks are appreciated. Regards, Harry
... View more
Labels
05-15-2023
08:24 AM
Thank you Jeffland, Regards, Harry
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-19-2025
05:50 AM
|
