Activity Feed
- Karma replace one backslash by double backslash for ryastrebov. 10-17-2024 05:50 AM
- Karma Re: replace one backslash by double backslash for manan_amin. 10-17-2024 05:50 AM
- Posted Re: How to replace backslash by double backslash using eval in search and props.conf on Splunk Enterprise. 10-17-2024 05:47 AM
- Karma Re: How to replace backslash by double backslash using eval in search and props.conf for manan_amin. 10-17-2024 05:47 AM
- Karma How to replace backslash by double backslash using eval in search and props.conf for jay. 10-17-2024 05:46 AM
- Posted Re: How can I get list of users from rest api ? on Getting Data In. 10-14-2024 11:35 AM
- Karma Re: How can I get list of users from rest api ? for egid_la. 10-14-2024 11:33 AM
- Karma How can I get list of users from rest api ? for egid_la. 10-14-2024 11:18 AM
- Posted Re: How to filter on KV Store lookup time-based fields using a time picker? on Splunk Search. 10-04-2024 07:06 AM
- Karma Re: How to filter on KV Store lookup time-based fields using a time picker? for woodcock. 10-04-2024 07:06 AM
- Karma How to filter on KV Store lookup time-based fields using a time picker? for nawneel. 10-04-2024 07:05 AM
- Posted Re: Following the "Create a custom Splunk view" tutorial, but I receive "Failed to load resource: the ser on Dashboards & Visualizations. 10-03-2024 04:31 AM
- Karma Why the error "Failed to load resource: the server responded with a status of 404" when following the tutorial? for faustf. 10-03-2024 04:31 AM
- Karma Re: Following the "Create a custom Splunk view" tutorial, but I receive "Failed to load resource: the server responded with a status of 404" error. How to fix? for keweizhang123. 10-03-2024 04:31 AM
- Karma Re: Following the "Create a custom Splunk view" tutorial, but I receive "Failed to load resource: the ser for jramos123. 10-03-2024 04:31 AM
- Posted Re: Splunk button javascript unset token on Dashboards & Visualizations. 09-19-2024 03:11 PM
- Karma Splunk button javascript unset token- Is there a method to unset the splunk's token after the page refresh? for maurobissante. 09-19-2024 03:09 PM
- Karma Re: How to reference the search time range for somesoni2. 09-13-2024 08:14 AM
- Posted Re: How to set the timestamp when using the collect command? on Knowledge Management. 09-03-2024 08:08 AM
- Karma Why am I getting error "File has no line endings" when trying to upload my lookup CSV file? for ashnet16. 09-03-2024 04:41 AM
10-17-2024
05:47 AM
why 4 backslashes?
10-14-2024
11:35 AM
this worked for me
| rest /services/authentication/current-context
thanks!
10-04-2024
07:06 AM
worked for me. beautiful solution. thanks a lot
10-03-2024
04:31 AM
worked for me too! thanks!
09-19-2024
03:11 PM
hey guys, the depends thing on dashboards worked for me only when i did this trick. i'm not sure why.
mvc.Components.get("default").unset("myToken");
mvc.Components.get("submitted").unset("myToken");
09-03-2024
08:08 AM
wow. my problem was this snippet works ONLY when i put "T" in the timeformat.
| eval _time=strptime(time2, "%Y-%m-%dT%H:%M:%S.%3N")
09-03-2024
12:03 AM
ok for me. i just put this line into my js: mvc.Components.get("default").unset("myToken"); thanks a lot.
06-20-2024
01:00 PM
Here's what I found (with the help of Perplexity engine) - saved me... : The fields_list in the transforms.conf stanza should match the column names in your CSV file.
10-06-2023
09:47 AM
Thanks a lot! It helped!
09-29-2023
05:52 AM
Thanks! Worked for me too!
09-29-2023
05:19 AM
hi, i guess i have the same issue. but with your suggestion, splunk will not start with systemd, for example. so, imho, there should be other ways.
08-30-2023
12:37 PM
Works perfectly, thanks a lot
07-19-2023
01:13 AM
Thank you! Worked OK! I faced the same error. You helped a lot! 🙂
06-22-2023
02:46 AM
SOLVED 🙂 silly mistake actually. changed the macro to this: | eval myVal="--" | `myMacroRASHID2(myVal)`
06-22-2023
02:24 AM
hey guys,
i'm stuck with this macro problem, where i cannot run a savedsearch with a macro inside it.
1. i have a savedsearch like this:
.... | eval param1="777" | `myMacro("$param1$")`
2. myMacro is configured like this:
eval mySqlQuery="select * from myTable where someField like ".$param1$." and otherField=='abc' "
3. it doesn't work. main error i face is this:
Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'mySavedSearch': Error while replacing variable name='param1'. Could not find variable in the argument map..
The closest info i've found is this (which works perfectly in the shown example, but not in my case - and i don't understand why):
https://community.splunk.com/t5/Knowledge-Management/How-do-I-make-macro-arguments-get-parsed-as-fields-instead-of/m-p/416938
i mean, i tried many options with macro and savedsearch configuration (with $-s and "-s), unsuccessfully so far.
P.S. maybe this is important: i try to run a savedsearch, and the guys in the link above just run a search (which i tried as well - and it's OK). anyway, i don't know how to fix my savedsearch scenario...
05-14-2023
02:21 AM
thank you. 100% my case.
03-21-2023
09:29 AM
excellent. this is exactly what's important. i'd also add this: there's No difference between "left join" and "left OUTER join". ref. https://stackoverflow.com/questions/406294/left-join-vs-left-outer-join-in-sql-server
01-30-2021
08:32 AM
Here's the source from docs: https://docs.splunk.com/Documentation/Splunk/8.1.1/Installation/RunSplunkasadifferentornon-rootuser In section "Run Splunk Enterprise as a different or non-root user": It says: "On *nix based systems, you can run Splunk Enterprise as a user other than root. This is a Splunk best practice and you should configure your systems to run the software as a non-root user where possible."
01-28-2021
12:13 AM
Hello Rich! (I don't have the problem, but I'm preparing to move some old index data, and I read this page. That's why I'm asking, disturbed a little bit.) If I'm correct the quick remedy is to remove back those new folders I placed in db storage of my new Splunk server. I mean it's bad to have the instance down. But how can I avoid the collision? Maybe by appropriate naming of new buckets or directories?
01-27-2021
02:33 PM
Hey guys, could you please help and clarify this paragraph from the docs: https://docs.splunk.com/Documentation/Splunk/8.1.1/Installation/MigrateaSplunkinstance
“When you copy individual bucket files, you must make sure that no bucket IDs conflict on the new system. Otherwise, Splunk Enterprise does not start.”
I’m not quite sure how this can happen?
Tags: Splunk Enterprise
Labels: administration
01-18-2021
12:03 PM
(under the link) Thanks a lot.
Uninstall an app or add-on
To remove an installed app from a standalone Splunk platform installation:
- (Optional) Remove the app or add-on's indexed data. Typically, the Splunk platform does not access indexed data from a deleted app or add-on. However, you can use the Splunk CLI clean command to remove indexed data from an app before deleting the app. See Remove data from indexes with the CLI command.
- Delete the app and its directory. The app and its directory are typically located in $SPLUNK_HOME/etc/apps/<appname>. You can run the following command in the CLI:
./splunk remove app [appname] -auth <username>:<password>
- You may need to remove user-specific directories created for your app or add-on by deleting any files found here: $SPLUNK_HOME/etc/users/*/<appname>
- Restart the Splunk platform.
Tags: remove splunk app
11-22-2020
01:48 PM
Hey guys, How to catch=handle alert's results in another monitoring alert=rule? There's probably a way with Alert Manager, but I hope there's a better\general method. Splunk Enterprise 8, Linux Red Hat\CentOS. Thanks in advance.
Tags: Handle results
Labels: scheduled search
11-21-2020
07:31 AM
Hey guys, Solved long time ago. This is standard: passing smth like JSON thru REST API is just passing a string parameter for a custom Python script (when calling via REST API a search like " | myScript arg1=\"aaa\" arg2=\"bbb\" "
09-09-2020
02:01 AM
hi, i think i can give an answer for one indexer, i.e. non-clustered (as i don't see the answer here).
a. for TCP inputs: just resize (up\down) the max volume (and you will not lose data and the size will be changed)
b. for dbinputs:
* resize up = just change max size to larger value
* resize down = CAUTION (since you can lose all data in case you do it the wrong way)
step 1: stop dbinput
step 2: change max index size to a lesser value
step 3: refresh the indexer via UI (.../debug/refresh)
step 4 (optional): check that you didn't lose your data
step 5: enable back your dbinput, and check your data again
08-19-2020
04:34 AM
Hello Ismo, one question: am i correct that i can install several add-ons on the same Splunk server?