Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About man03359
man03359
Communicator
Member since:
05-24-2023
05-19-2025
Community Statistics
| Posts | 75 |
| Solutions | 3 |
| Karma Given | 9 |
| Karma Received | 3 |
| Member Since | 05-24-2023 |
Activity Feed
- Karma Re: Creating service account in splunk to re-assign the orphaned knowledge object for livehybrid. 04-11-2025 02:06 AM
- Posted Creating service account in splunk to re-assign the orphaned knowledge object on Getting Data In. 04-09-2025 10:42 PM
- Posted Acknowledge an alert in Trackme on All Apps and Add-ons. 01-23-2025 06:09 AM
- Posted Re: Getting "Searches Delayed" warning in the splunk ES (cloud)search head on Splunk Cloud Platform. 11-20-2024 06:04 AM
- Posted Re: Getting "Searches Delayed" warning in the splunk ES (cloud)search head on Splunk Cloud Platform. 10-24-2024 12:32 PM
- Karma Re: Getting "Searches Delayed" warning in the splunk ES (cloud)search head for PickleRick. 10-23-2024 05:30 AM
- Posted Re: Getting "Searches Delayed" warning in the splunk ES (cloud)search head on Splunk Cloud Platform. 10-22-2024 12:35 PM
- Posted Getting "Searches Delayed" warning in the splunk ES (cloud)search head on Splunk Cloud Platform. 10-21-2024 03:42 AM
- Posted Re: Pros and cons / Prerequisite of deploying Splunk Trackme App in on-prem instance on All Apps and Add-ons. 08-26-2024 04:57 AM
- Posted Pros and cons / Prerequisite of deploying Splunk Trackme App in on-prem instance on All Apps and Add-ons. 08-24-2024 11:46 PM
- Posted Re: Token not binding with the dropdown on Splunk Dashboard on Dashboards & Visualizations. 07-22-2024 08:54 PM
- Posted Token not binding with the dropdown on Splunk Dashboard on Dashboards & Visualizations. 07-22-2024 10:31 AM
- Posted Re: Splunkd services are not starting on boot-start on Security. 07-18-2024 12:10 AM
- Posted Splunkd services are not starting on boot-start on Security. 07-17-2024 07:38 AM
- Posted Hardware Specification for deploying single instance splunk enterprise on microsoft azure VM (ubuntu) on All Apps and Add-ons. 06-25-2024 10:03 AM
- Posted Build a clustered environment in Prod on Alerting. 05-29-2024 04:42 AM
- Posted Re: Best Practices for Building A Clustered Environment? on Alerting. 05-27-2024 03:18 AM
- Posted Re: filter using where command with AND & OR operators. on Splunk Search. 04-24-2024 05:09 AM
- Karma Re: filter using where command with AND & OR operators. for scelikok. 04-24-2024 05:09 AM
- Posted Re: filter using where command with AND & OR operators. on Splunk Search. 04-24-2024 04:59 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-09-2025
10:42 PM
Hi, I am a splunk admin and we are re-assigning the orphaned knowledge object to my name as a temporary solution. I need to create a service account so that I can assign the orphaned knowledge objects to that account. I am doing it for the first time. Could some one please specify what roles and capacities I should assign. Also is it the same process to create a service account same as how we create a local user in splunk like Settings > Users > Create User ps. I am on splunk cloud | version: 9.3
... View more
Labels
- Labels:
-
sourcetype
01-23-2025
06:09 AM
Hi, We have installed track-me in our splunk cloud for log and host monitoring. I have setup alerts for few sourcetype tracking if no logs reports to splunk for an hour. Now, what I want to understand is, if an alert has been triggered and the issue has been taken care, how do we acknowledge the alert. I am unfamiliar with the UI of the trackme. My version is: 2.1.7 The one I have make in circle is no of alerts which has triggered. If lets say the issue is fixed for one of the sourcetype. But the number is still showing as 4. Could some one please explain.
... View more
Labels
- Labels:
-
troubleshooting
11-20-2024
06:04 AM
Hi, The issue has re-occurred. I modified few of the scheduled searches running on All time, staggered the cron etc. and it helped for a while. From past few days, the error for the delayed search has increased upto 15000(+). Could you please me resolve this permanently 😞 Also is there any query I can use to find out which all searches are getting delayed. I am using this one- index= _internal sourcetype=scheduler savedsearch_name=* status=skipped
| stats count BY savedsearch_name, app, user, reason
| sort -count Can someone please help me out with this. @PickleRick @richgalloway
... View more
10-24-2024
12:32 PM
Hi @PickleRick @richgalloway My number of delayed search has increased upto 5000plus. I did some investigation and using this command- index=_internal sourcetype=scheduler savedsearch_name=* status=skipped | stats count by reason I see the error "The maximum number of concurrent historical scheduled searches on this cluster has been reached" has 2000 plus count. Two solution to fix this that I have understood is- 1. Staggering the searches that are causing the error by modifying the cron schedule and change the frequency. 2. to increase the search concurrency limit under limits.conf (pls feel free to correct if I am wrong) Since I am on splunk cloud, I understand I don't have access to limits.conf. What I want to ask is I see an option under Settings>Server Settings> Search Preference>Relative concurrency limit for scheduled searches which is set as 60 for my system. Will increasing this setting help, if yes, to what value is it safe to increase. Please help, I am stuck in this problem from some days 😞
... View more
10-22-2024
12:35 PM
Hi @richgalloway , Apologies, this might be silly question but I am fairly new to Splunk. I want to understand, is this delayed error message because of only scheduled searches, or ad-hoc searches also contributes to the error. I have few scheduled searches running on "All time" , this could be the cause of delayed search? Should I reduce the timeframe of these searches. Also, there are many schedules searches all running at a cron of every 5 mins, do I need to change them as well. Thanks in advance.
... View more
10-21-2024
03:42 AM
Hi Hi Team, I am getting the below error message on my splunk ES search head. Is there any troubleshooting I can perform on the splunk web to correct this. Please help. PS. I don't have access to the backend.
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
08-26-2024
04:57 AM
Can someone pls help me with it @gcusello
... View more
08-24-2024
11:46 PM
Hi Team, Hope this message finds you well. I have a new splunk on-premise instance and we are planning to implement Splunk Trackme app on our SHC to monitor any data latency, missing data etc. for our instance. I read through few docs (https://trackme.readthedocs.io/en/latest/deployment.html) that says it is resource consuming. I want to understand if it will impact our license consumption apart from CPU and memory post deployment. Also do we need any separate license for the splunk track-me. What are cons of it. Pls reply soon, thanks in advance 🙂
... View more
Labels
- Labels:
-
administration
-
configuration
-
installation
07-22-2024
08:54 PM
@richgalloway It is still not working , here is the xml code of my input- <input type="multiselect" token="field2">
<label>field2</label>
<choice value="*">All</choice>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>Sub_Competency</fieldForLabel>
<fieldForValue>Sub_Competency</fieldForValue>
<search>
<query>| inputlookup cyber_q1_available_hours.csv
| rename "Sub- Competency" as Sub_Competency
| dedup Sub_Competency
| table Sub_Competency</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input> XML code of main search <query>| inputlookup cyber_q1_available_hours.csv
| rename "Sub- Competency" as Sub_Competency
| search Sub_Competency IN ("$sub_competency$")
| eval split_name=split('Resource Name', ",")
| eval first_name=mvindex(split_name,1)
| eval last_name=mvindex(split_name,0)
| eval Resource_Name=trim(first_name) . " " . trim(last_name)
| stats count,values(Sub_Competency) as Sub_Competency values(Competency) as Competency values("FWD Looking Util") as FWD_Util values("YTD Util") as YTD_Util by Resource_Name
| search Competency="$selected_competency$"
| table Resource_Name, Competency, Sub_Competency,FWD_Util,YTD_Util
|sort FWD_Util</query>
... View more
07-22-2024
10:31 AM
Hi All, I'm trying to build a dashboard that will take input from a dropdown field and perform a search based on the item selected from the dashboard. I have two inputs, one dropdown and one multiselect. I am passing two tokens, one $competency$ for dropdown and $sub_competency$ for multiselect. My token sub_competency is not syncing with the dashboard. I am adding like this | search Sub_Competency="$sub_competency$" | inputlookup cyber_q1_available_hours.csv
| rename "Sub- Competency" as Sub_Competency
| search Sub_Competency="$sub_competency$"
| eval split_name=split('Resource Name', ",")
| eval first_name=mvindex(split_name,1)
| eval last_name=mvindex(split_name,0)
| eval Resource_Name=trim(first_name) . " " . trim(last_name)
| stats count,values(Sub_Competency) as Sub_Competency values(Competency) as Competency values("FWD Looking Util") as FWD_Util values("YTD Util") as YTD_Util by Resource_Name
| search Competency="$selected_competency$"
| table Resource_Name, Competency, Sub_Competency,FWD_Util,YTD_Util
|sort FWD_Util Need some urgent help on this. Thanks in advance 🙂
... View more
Labels
- Labels:
-
Classic dashboard
-
drilldown
-
panel
-
token
07-18-2024
12:10 AM
@TheLawsOfChaos , The Linux is a redhad. And I have already created a user called splunk, so under this path - cd /opt/splunk/bin/ I am running this command - sudo ./splunk enable boot-start. I am able to manually start the services using- sudo ./splunk start
... View more
07-17-2024
07:38 AM
Hi All, Hope this message finds you well. I have installed splunk on-prem on a linux box as a splunk user and have given proper permissions. The azure VM gets shutsdown automatically at around 11 pm everyday and there is no auto start. For time being we are manually starting the VM. My problem here is while installing the splunk instance, I have run the command enable boot-start and it was successful but the splunkd services does not start on its own. Can anyone please suggest what can be done to fix it? Thanks in advance 🙂
... View more
Labels
- Labels:
-
login
-
permissions
06-25-2024
10:03 AM
Hello, Hope this message finds you all well. I have moved to the role of Splunk admin recently and I need to install Splunk enterprise package (single instance) for lab purpose. Further, splunk enterprise security and Splunk soar app will be installed on the same server as well. The lab is just for the demo and some RND purpose and the daily ingestion will be less than 100 mb. I have the license and the Enterprise security package from my previous lab setup. Needed some suggestion with what vCPU, storage and RAM I should proceed with. Thanks in advance 🙂
... View more
Labels
05-29-2024
04:42 AM
Hi! I have recently moved from out of a Splunk developer role to an admin role. I have to build a cluster environment out of scratch in the on-prem. I have the basic understanding of a clustered environment but haven't setup yet. Could you please guide me how can I start. Like what type of knowledge/ information gathering need to do with the client or customer before head. Also if there is any procedure/ order of components to follow. It will be really helpful for me. Thanks in advance
... View more
05-27-2024
03:18 AM
Hi @woodlandrelic , Hope this message finds you well. I have recently moved from out of a Splunk developer role to an admin role. I have to build a cluster environment out of scratch. I have the basic understanding of a clustered environment but haven't setup yet. Could you please guide me how can I start. Like what type of knowledge/ information gathering need to do with the client or customer before head. Also if there is any procedure/ order of components to follow. It will be really helpful for me. Thanks in advance 🙂
... View more
04-24-2024
05:09 AM
@scelikok Yes I tried out with - |where AA IN ('00','10') AND BB IN ('00','10') But it was not giving any output, but the second one did worked :0 Thanks 🙂
... View more
04-24-2024
04:59 AM
Nevermind! I was able to get the desired output by using - | where (AA ="00" OR AA="10") OR (BB="00" OR BB="10")
... View more
04-24-2024
04:30 AM
I have two fields (lets say.) AA and BB, I am trying to filter our results where AA and BB = 00 OR 10 using something like this - index="idx-some-index" sourcetype="dbx" source="some.*.source"
| where (AA AND BB)== (00 OR 10) But I am getting error as Error in 'where' command: Type checking failed. 'AND' only takes boolean arguments. I have also tried - index="idx-some-index" sourcetype="dbx" source="some.*.source"
| where AA =(00 OR 10) AND (BB=(OO OR 10)) But I am getting same error as Type checking failed. 'OR' only takes boolean arguments. Please help!
... View more
04-23-2024
06:26 AM
1 Karma
@richgalloway It worked 🙂 thanks a lot 🙂
... View more
04-23-2024
04:15 AM
I have two queries which is giving me two tables, naming Distributed & Mainframe as below - Distributed- index=idx-esp source="*RUNINFO_HISTORY.*"
| rename STATUS as Status "COMP CODE" as CompCode APPL as ScheduleName NODE_GROUP as AgentName NODE_ID as HostName CPU_TIME as CPU-Time
| eval epoc_end_time=strptime(EndTime,"%Y-%m-%d %H:%M:%S")
| eval epoc_start_time=strptime(StartTime,"%Y-%m-%d %H:%M:%S")
| eval UpdatedTime=if(isnull(epoc_end_time),_indextime,epoc_end_time)
| eval DurationSecs=floor(UpdatedTime - epoc_start_time)
| eval Duration=tostring(DurationSecs,"duration")
| eval Source=if(like(source,"%RUNINFO_HISTORY%"),"Control-M","ESP")
| dedup Source ScheduleName ScheduleDate AgentName HostName JobName StartTime EndTime
| table ScheduleDate JobName StartTime EndTime Duration
| sort 0 - Duration
| head 10 Mainframe- index=idx-esp source="*RUNINFO_HISTORY.*" DATA_CENTER=CPUA JOB_ID="0*"
| eval epoc_end_time=strptime(EndTime,"%Y-%m-%d %H:%M:%S")
| eval epoc_start_time=strptime(StartTime,"%Y-%m-%d %H:%M:%S")
| eval UpdatedTime=if(isnull(epoc_end_time),_indextime,epoc_end_time)
| eval DurationSecs=floor(UpdatedTime - epoc_start_time)
| eval Duration=tostring(DurationSecs,"duration")
| table ScheduleDate JOB_MEM_NAME StartTime EndTime Duration
| sort 0 - Duration
| head 10 I am trying to append both the tables into one, using something like this - index=idx-esp source="*RUNINFO_HISTORY.*"
| rename STATUS as Status "COMP CODE" as CompCode APPL as ScheduleName NODE_GROUP as AgentName NODE_ID as HostName CPU_TIME as CPU-Time
| eval epoc_end_time=strptime(EndTime,"%Y-%m-%d %H:%M:%S")
| eval epoc_start_time=strptime(StartTime,"%Y-%m-%d %H:%M:%S")
| eval UpdatedTime=if(isnull(epoc_end_time),_indextime,epoc_end_time)
| eval DurationSecs=floor(UpdatedTime - epoc_start_time)
| eval Duration=tostring(DurationSecs,"duration")
| eval Source=if(like(source,"%RUNINFO_HISTORY%"),"Control-M","ESP")
| dedup Source ScheduleName ScheduleDate AgentName HostName JobName StartTime EndTime
| table ScheduleDate JobName StartTime EndTime Duration
| sort 0 - Duration
| head 50
| append
[search index=idx-esp source="*RUNINFO_HISTORY.*" DATA_CENTER=CPUA JOB_ID="0*"
| eval epoc_end_time=strptime(EndTime,"%Y-%m-%d %H:%M:%S")
| eval epoc_start_time=strptime(StartTime,"%Y-%m-%d %H:%M:%S")
| eval UpdatedTime=if(isnull(epoc_end_time),_indextime,epoc_end_time)
| eval DurationSecs=floor(UpdatedTime - epoc_start_time)
| eval Duration=tostring(DurationSecs,"duration")
| table ScheduleDate JOB_MEM_NAME StartTime EndTime Duration
| sort 0 - Duration
| head 50] The issue is I am trying to add a column named "Log_Source" at the start which tells either Distributed or Mainframe for its corresponding result. I am not sure how to achieve it. Pls help.
... View more
Labels
- Labels:
-
calculated field
-
field extraction
02-28-2024
10:25 PM
@gcusello So it means if we set the search retention period as 90 days under here- It is stays at hot, warm, and cold during those 90 days and post 90 days rolls to frozen bucket?
... View more
02-28-2024
07:15 PM
Hi, I am starting with splunk admin and is confused about one topic. It might be silly. While creating an index, we get the option to set the Searchable Retention (in days), I have read from the documents that splunk has 4 bucket, hot, warm, cold, and frozen. My question is suppose I have set it as 90 days, while this 90 days period will the data be in hot bucket for the entire 90 days and will roll to frozen after 90 days period is over. Also how different is setting 90 days under the Searchable Retention and setting this below- [main]
frozenTimePeriodInSecs = 7,776,000 Please explain. Thanks in advance.
... View more
Labels
- Labels:
-
indexer
02-08-2024
10:24 AM
@richgalloway It worked, thanks a lot 🙂 Also, could you please explain it to me, or is there any docs I may refer to?
... View more
02-06-2024
06:19 AM
Hi All, I have a field called summary in my search - Failed backup of the transaction log for SQL Server database 'model' from 'WSQL040Q.tkmaxx.tjxcorp.net\\MSSQLSERVER'. I am creating this search for service-now alert and I am sending this summary field value under comments in ServiceNow. I need it to break in two lines like this - Line1-Failed backup of the transaction log for SQL Server database 'model' from Line2-'WSQL040Q.tkmaxx.tjxcorp.net\\MSSQLSERVER'. How do I implement this in my Search? Thanks In Advance!
... View more
- Tags:
- other
01-31-2024
07:07 AM
Hi, I have an output like this - Location EventName ErrorCode Summary server1 Mssql.LogBackupFailed BackupAgentError Failed backup.... server2 Mssql.LogBackupFailed BackupAgentError Failed backup.... Now I am trying to combine all the values of Location, EventName, ErrorCode and Summary into one field called "newfield" , lets say using a comma "," or ";" I am trying this command - | eval newfield= mvappend(LocationName,EventName,ErrorCode,summary) but the output it is giving is - server1 Mssql.LogBackupFailed BackupAgentError Failed backup.... Output I am expecting is - server1,Mssql.LogBackupFailed,BackupAgentError,Failed backup
... View more
- Tags:
- other
Labels
- Labels:
-
eval
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-19-2025
06:16 AM
|
Karma given to
