About harryvdtol

harryvdtol · ‎07-30-2025

Thank you livehybrid Good to know. Regards, Harry

harryvdtol · ‎07-17-2025

Unfortunaly the number of results is not fixed it varies between 20 and 30. Going back to Classic, is somgthing i do not want. I am going to skip this panel Thanks everybody, Regards, Harry

harryvdtol · ‎07-16-2025

Hello, In Splunk i have a query that i use to show data with an xyseries. The output should be displayed as a Column-chart in "in Dashboard Studio" But when i save this dashboard i recieved this error "Dashboard Studio only supports Trellis layout for single value visualizations." This example query: | makeresults | eval Displayname="DSP10", Month="2505-06", duration=100 | append [ | makeresults | eval Displayname="DSP10", Month="2505-07", duration=200 ] | append [ | makeresults | eval Displayname="DSP20", Month="2505-06", duration=50 ] | append [ | makeresults | eval Displayname="DSP20", Month="2505-07", duration=90 ] | table Month Displayname duration | xyseries Month Displayname duration Are there any other options to display this in Studio in a Trellis layout as Column Chart of a Line? Regards, Harry

harryvdtol · ‎06-15-2025

Hi all, I think i have manged your's input I have made two examples and they do what i want | makeresults | eval tz="Summer" | eval PlanDate="15-06-2025T20:10:30" | eval PlanDate_utc=PlanDate . "Z" | eval PlanDate_utc_epoch=strptime(PlanDate_utc, "%d-%m-%YT%H:%M:%S%Z") | eval PlanDate_utc_noepoch=strftime(PlanDate_utc_epoch, "%d-%m-%YT%H:%M:%S%Z") | eval PlanDate_epoch=strptime(PlanDate, "%d-%m-%YT%H:%M:%S") | eval diff=PlanDate_utc_epoch-PlanDate_epoch | eval PlanDate_my_tz=PlanDate_epoch+diff | eval PlanDate_my_tz=strftime(PlanDate_my_tz, "%d-%m-%YT%H:%M:%S") | table tz PlanDate PlanDate_epoch PlanDate_utc_noepoch PlanDate_utc_epoch PlanDate_my_tz diff PlanDate_utc_noepoch | makeresults | eval tz="Winter" | eval PlanDate="31-10-2025T20:10:30" | eval PlanDate_utc=PlanDate . "Z" | eval PlanDate_utc_epoch=strptime(PlanDate_utc, "%d-%m-%YT%H:%M:%S%Z") | eval PlanDate_utc_noepoch=strftime(PlanDate_utc_epoch, "%d-%m-%YT%H:%M:%S%Z") | eval PlanDate_epoch=strptime(PlanDate, "%d-%m-%YT%H:%M:%S") | eval diff=PlanDate_utc_epoch-PlanDate_epoch | eval PlanDate_my_tz=PlanDate_epoch+diff | eval PlanDate_my_tz=strftime(PlanDate_my_tz, "%d-%m-%YT%H:%M:%S") | table tz PlanDate PlanDate_epoch PlanDate_utc_noepoch PlanDate_utc_epoch PlanDate_my_tz diff PlanDate_utc_noepoch Regards, Harry

harryvdtol · ‎06-15-2025

Hello, I have search for some old posting, but i did not find the proper answers. In Splunk i have a column date field that is named PlanDate and looks like this. 31-10-2025T20:10:30 The format is this: DD-MM-YYYYTHH:MM:SS But this field is in the wrong timezone. My timezone is Amsterdam. When summertime starts i need to add 2 hours to this field and in wintertime one hour. How do i do this? Can this be done at search time, or do i need to do this on index-time? I was thinking of making a lookup with daylight saving days for the next years, but i was hoping for a better solution Regards, Harry

harryvdtol · ‎05-28-2025

Hello, Hereby a new update on this case Some weeks ago we have upgraded Splunk to 941. After the upgrade we receive erros when executing Splunk commands like splunk show .. or btool Failed to calculate cpu count from cgroup location="V2:/sys/fs/cgroup:/user.slice/user-570057916.slice/session-9.scope:/sys/fs/cgroup:/user.slice/user-570057916.slice/session-9.scope:" Because the Splunk version 941 added support for cgroups V2, we removed the workaround. Since then the original issue is back: adhoc hanging of systemctl If anyone has the issue, i really would like to know. Regards, Harry

harryvdtol · ‎03-03-2025

Hello, I decided to let go on JSON file In stead i receive a simple txt file now, whcih works better Thank you for you help. Harry

harryvdtol · ‎02-25-2025

Hi WIl, For the confirmation On UF - inputs.conf [monitor://C:\beheer\SCCM\abc*.txt] index=main sourcetype=Windows:SCCM:KBNummers ON Index-cluster - props.conf [Windows:SCCM:KBNummers] DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true INDEXED_EXTRACTIONS=json KV_MODE=none AUTO_KV_JSON = false category=Structured - Input file [{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2K5 4020-30-30 31:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}] Reagrds, Harry

harryvdtol · ‎02-25-2025

Hello, I am having trouble onboaring json array data. I read many contributions , but i still having troubles This is the json array input [{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2KX-2025 2025-10-14 23:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}] - My first attempt: i put a props.conf on the UF DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true INDEXED_EXTRACTIONS=json KV_MODE=none AUTO_KV_JSON = false category=Structured The data was nicely split into separte json events, but the table command doubled the data. Like this issues https://community.splunk.com/t5/Splunk-Cloud-Platform/Why-does-json-data-get-duplicated-after-tabling-the-events/m-p/587724 https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-with-INDEXED/td-p/188551?_ga=2.153916656.937356172.1646061092-893813366.1631658459 - Then i moved the props.conf into the index-cluster Now the _raw event is the same as the input array, and not splitted ito separated json events, like this I have to use spath commad during search as workaround. So I can workaround the issue, but I 'd rather import the data correctly Where do i go wrong? Any help is appreciated. Reagrds, Harry

harryvdtol · ‎02-20-2025

Hello, I am sorry. I tried many ways, but i was completly looking at examples that did not helped me This indeed solved the question. Thank you for your help. Harry

harryvdtol · ‎02-20-2025

Hello, Please help me with the following request I have a table output of several url's to PDF files For example this one https://janenpiet.domain.nl/sites/conten_sites/BOT/Parts%20%20documents/ADFM/Phonesrv/Highg%20Volume%20Phiones/ABCD%20Capture/60.%20Hardware/01.%20Scanners/Amsterdam/30/2025-01-20.pdf My request is as follows. When a user click on a link, it should open a new window that opens the PDF file. I notice that a simple drilldown does not work. Does anybody know how to do this? Reagrds, Harry

harryvdtol · ‎09-18-2024

Hello everybody I want to confirm that the fix to Enable cgroup v2 on RHEL8 has solved the issue for us as well Regard, Harry

harryvdtol · ‎08-08-2024

Hi AndrewBurnett, Thank you for keeping me updated. I have send the link to our Linux colleagues, and will hear what they think of it. Harry

harryvdtol · ‎08-05-2024

We are on 9.2.2 but the issue started on 9.x

harryvdtol · ‎08-01-2024

Unfortunatly i cannot confirm because all the nodes are on Lnx-8

harryvdtol · ‎07-31-2024

I am running Red Hat Enterprise Linux release 8.10 (Ootpa)

harryvdtol · ‎07-30-2024

If you have any news, please update this post. We made a support call to Red Hat without any luck Hopefully its works for you

harryvdtol · ‎07-29-2024

Thank you , Good to hear that we are not the only one What Linux version are you running?

harryvdtol · ‎07-04-2024

Thanks fort the tips. As a workaround i made an override for the Splunk service, to receive a timeout after 4 minutes in stead of the default 6. We run it as root user, but concerning the sudoers file: this is something for me to investigate. Maybe it has something to do with rights, because other application on Linux do not have this behaviour

harryvdtol · ‎07-03-2024

Hi, Thank you for the response I am very sure that we fulfil these requirements. No ingestion takes palace, because there are no Splunk processes running. So to be clear, it is not Splunk that hangs, but the systemctl command to stop Splunkd.service. The Splunk processes has been stopped. But the systemtl command does not comes back in the prompt. I can see in splunkd.log that Splunk has stopped. "ps -ef splunk" : no splunk processes Regards, Harry

harryvdtol · ‎06-26-2024

Hello, Since a few months we are facing an issue with stopping Splunk on Red Hat Linux-rel8. We do "systemctl stop Splunkd" to stop the Splunk proces. In most cases Splunks stops and the systemctl prompts comes back. But sometimes (let say 1 out of 10) Splunk stops, but the systemctl prompt does not comes back. Then, after 6 minues (the timeout in the Splunkd.service) systemctl comes back In /var/log/messages i see this after 6 minutes. Splunkd.service: Failed with result 'timeout'. Stopped Systemd service file for Splunk, generated by 'splunk enable boot-start'. In the splunkd.log i can see that Splunk has stopped. No Splunk proces is running. With "ps -ef | grep splunk" i can see that there a no Splunk processes running. "ps -ef | grep systemctl" i can see that systemctl is still running. It happens on Search cluster, index cluster, Heavy Forwarders etc. Splunk support says is it an Red Hat Linux issue and Red Hat points to Splunk. I wonder if we are the only one who is having this issue. Any remarks are appreciated. Regards, Harry

harryvdtol · ‎05-15-2023

Thank you Jeffland, Regards, Harry

harryvdtol · ‎05-10-2023

Hello, In the classic Dashboard you have the option to see the Job Inspector in the panels. I miss this option in Dashboard Studio. Does anybody know of this exist? I cannot find it. Regards,, Harry

harryvdtol · ‎05-02-2023

Hi, I have application data on a Windows node that sends data to a log file. The data is formatted as json. On the Windows node i have a UF running (9.0.4) I want to send this data to a metrics index, but i do not know if this is possible and how to format the inputs.conf For far i am unable to find any documentaion about this. Does anyone know if this is possble ? Regards, Harry

harryvdtol · ‎02-02-2023

Hello, I have installed the SCOM app (version 430) on my Splunk Heavy Forwarder (903) The Windows SCOM infrastructure exists of one managementgroup with 2 management servers. managementgroup = SC-PROD consisting of 2 management SC-PRD1 and SC-PRD2 The reason for this, is when server 1 is down, data is still collected thru the second node. I have configured the managemt servers in the Splunk SCOM app. I have only to option to connect to the management servers and not to a group. I connect with a URL , with a Service acount that exist on the server My problem is that i get double data, from both managemtn servers. I am looking for a smart way to connect, like a cluster Has anybody experience and advise in this scenario? Any advise is appriceated Regards, Harry

Posts	29
Solutions	3
Karma Given	1
Karma Received	0
Member Since	‎12-10-2021

Online Status	Offline
Date Last Visited	‎07-31-2025 01:02 AM

Dashboard Studio Trellis on Column chart: alternat...

Daylight Saving issue column

JSON array not onbaording as expected

Link to open PDF on a other website

systemctl stop Splunkd hangs

Does search inspect exist in Dashboard Studio?

Is it possible to log data to metrics index?

How to navigate SCOM add-on configuration?

How to filter on multiple events?

Visualize fields as percentage in pie chart

Re: Dashboard Studio Trellis on Column chart: alte...

Re: Dashboard Studio Trellis on Column chart: alte...

Dashboard Studio Trellis on Column chart: alternat...

Re: Daylight Saving issue column

Daylight Saving issue column

Re: systemctl stop Splunkd hangs

Re: JSON array not onbaording as expected

Re: JSON array not onbaording as expected

JSON array not onbaording as expected

Re: Link to open PDF on a other website

Link to open PDF on a other website

Re: systemctl stop Splunkd hangs

Re: systemctl stop Splunkd hangs

Re: systemctl stop Splunkd hangs

Re: systemctl stop Splunkd hangs

Re: systemctl stop Splunkd hangs

Re: systemctl stop Splunkd hangs

Re: systemctl stop Splunkd hangs

Re: systemctl stop Splunkd hangs

Re: systemctl stop Splunkd hangs

systemctl stop Splunkd hangs

Re: Does search inspect exist in Dashboard Studio?

Does search inspect exist in Dashboard Studio?

Is it possible to log data to metrics index?

How to navigate SCOM add-on configuration?

Are you a member of the Splunk Community?