Hi All,
Just wondering if DB Connect will work with SQL 2017?
The latest supported driver is Microsoft JDBC Driver for SQL Server version 4.2. On the download page for the driver, SQL 2017 is not listed as a supported version (it works with SQL 2008 - 2016).
DB Connect support for SQL 2017?
Frozen data is not deleted automatically
I have these settings for my index
maxTotalDataSizeMB = 100000
coldPath = C:/colddb
homePath = C:/db
coldToFrozenDir = C:/frozendb
thawedPath = C:/thaweddb
Data is not deleted as it moves to frozendb.
frozendb is now 128GB.
Not sure why this is not working as expected.
Thanks
Storage calculations for clustered indexers
When I installed this app in a clustered environment, the numbers for storage used did not match those shown by the DMC (Monitoring Console).
This app only seems to be showing disk usage numbers from a single indexer, so the storage cost is way off.
Or am I missing something?
Display hostname in login screen dynamically
Hi fellow Splunkers,
I need to display the servername or hostname in the login screen, without using a static value.
In older versions of Splunk you could pull the value from a variable within web.conf as follows:
login_content =
But unfortunately that doesn't work anymore, I assume it might be related to elevated privileges requirements.
**I saw a post referring to a similar issue:**
This is about using cherrypy inside
$SPLUNK_HOME\share\splunk\search_mrsparkle\templates\account\login.html
But that page doesn't seem to read my changes, so this is frustrating.
https://answers.splunk.com/answers/102985/reference-to-web-conf-in-login-html.html
It crossed my mind that this could be done by reading the Splunk box's /etc/hostname, but I'm not sure whether that could be set under web.conf through some magical JS.
Any ideas and help is appreciated!
//Santiago
subscribing to dashboards in splunk
Can I subscribe to a dashboard in Splunk? I'm looking for this option.
SA modular input powershell is directing data to default main indexer?
Hi All,
I tried using the SA_modular_input_powershell app and set the windows index in inputs.conf as index = windows.
When I didn't specify any index, the data went to the default main index. But when I set index = windows (or anything else), no data is generated.
What might be the reason?
ex:
[powershell://DriverInfo]
script = . "C:/Program Files/SplunkUniversalForwarder/etc/apps/SA-ModularInput-PowerShell/bin/DriverVersion.ps1"
interval = 14400
index = windows
sourcetype = Powershell
Thank you.
How to display the time field
In one of the search queries, I am displaying the latest and oldest value of a field. Please refer to the sample query below:
index=main source = xyz earliest=-6mon
| stats last(size) as "Latest", first(size) as "Old"
In the above query, I am considering the last 6 months of data and trying to get the latest & oldest value of the field 'size'. I would like to display these values with their respective date or timestamp.
Could anyone please help me on this.
Rearrange columns
Hi,
I have a timechart result with two columns as shown in the first screenshot.
The Hour column contains a count for each hour. I want to rearrange this table as shown in the "result" screenshot.
![alt text][1]
![alt text][2]
[1]: /storage/temp/250687-hour.png
[2]: /storage/temp/250686-result.png
How to cluster SMS messages? How to group text messages based on the SMS content?
I have a CSV file with fields mentioned below:
Updated Date, SMSMessage,Sender,SMS Date,userID
The SMSMessage field contains various textual messages. I want to group the similar messages together in a cluster.
Also, I have already used the "cluster" command in splunk. Have been able to group them to an extent, but still not satisfied.
I want to know if there is a better and more sophisticated method (maybe ML Algo) to enable text message clustering?
Can I use a data input for a CSV file which is already a lookup file?
Would there be any issues in adding a CSV file as a data input (file monitoring) that is already a lookup file?
I want to do this because searching the inputlookup table is **really slow**, and setting up custom alerts based on the inputlookup tables doesn't seem to be yielding any alerts (see: https://answers.splunk.com/answers/656957/custom-alert-based-on-inputlookup-table-not-sendin.html)
So I'm just wondering if there is any value in the above proposed move, and whether there would be any potential repercussions if I want to remove the index afterwards?
Converting field date into week values
Good day all, I have a query. I am uploading a CSV regularly onto Splunk. Since it's uploaded at a random time, Splunk time does not apply here. The CSV actually has a field which holds all the dates in DD-MM-YYYY format. My intention is to make a dashboard which is able to filter events based on weeks 1-4. Is there a method to determine what week the dates fall under, i.e. 4/01/2017 falls into week one, 10/4/2017 falls into week 2, etc.? I know it might be a long shot, but is this a possibility?
Timestamp - edit to one day previously
I have a report running in SPLUNK on a daily basis. The timestamp for this report is the "Report Date" field (i.e. today). However, the events are actually from the previous day.
Therefore, am I able to run a calculation, either in the config file or at search time, for ("Report Date"-1d@d)? This would then mean the events are timestamped for the correct day.
Thanks in advance.
Why is the search result still duplicate after the indexer cluster failure is repaired?
Hey guys,
I have a single-site cluster containing 5 peer nodes, 4 search heads, 1 cluster master and 1 deployer.
3 peers and 1 search head were down for some reason from midnight until this morning. The peers and search head have been restored and are normal: all data is searchable, the search factor is met, the replication factor is met, and all excess buckets have been removed.
Before the cluster failure repair, the search results had no duplicate events;
when the cluster failure occurred, the search results had a large number of errors and repeated events.
Duplicate events are still appearing after the cluster failure was repaired.
Why is the search result still duplicated after the indexer cluster failure is repaired? What should I do to get it working normally?
How to search for the same event occurring four times in five minutes
I got a task from my manager: search for the same account login failure event occurring four times in five minutes. Could you please help me or give me some suggestions? Thanks a lot, from a beginner.
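The "four failures for one account within five minutes" check described in the post, as an added stand-alone example that is not part of the original thread or any Splunk answer: a sliding-window detector in Python run over a few constructed log lines (the log format, account names and timestamps are assumptions). It alerts on the fourth failure for an account whose earlier three failures fall within the preceding five minutes, which is stricter than a fixed five-minute bucket count.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events (not from the original post):
# "<timestamp> account=<user> result=<failure|success>".
SAMPLE_LOGS = """\
2018-05-14 23:00:10 account=alice result=failure
2018-05-14 23:01:05 account=alice result=failure
2018-05-14 23:02:30 account=bob result=failure
2018-05-14 23:03:15 account=alice result=failure
2018-05-14 23:04:40 account=alice result=failure
2018-05-14 23:07:00 account=bob result=failure
2018-05-14 23:09:00 account=bob result=success
2018-05-14 23:20:00 account=alice result=failure
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, account, result)."""
    ts_str, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
    return ts, fields["account"], fields["result"]

def find_bursts(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return (account, timestamp) for every failure that completes a run of
    `threshold` failures for that account inside a sliding `window`.
    Events must arrive in time order; successes are ignored."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ts, account, result = parse_line(line)
        if result != "failure":
            continue
        q = recent[account]
        q.append(ts)
        # Drop failures older than the window, measured from this event.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((account, ts.strftime("%Y-%m-%d %H:%M:%S")))
            q.clear()              # one alert per burst, then start counting again
    return alerts

if __name__ == "__main__":
    for account, when in find_bursts(SAMPLE_LOGS):
        print(f"ALERT {account}: 4 login failures within 5 minutes, last at {when}")
```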
Scripted input throws "FormatMessage was unable to decode error (193), (0xc1)"
The Splunk universal forwarder scripted input cannot run a Perl script, whereas if I try to execute the same script with "splunk cmd" it works perfectly.
Below is the error message noticed in the Splunk var log:
05-14-2018 23:05:44.994 -0700 ERROR ExecProcessor - Couldn't start command ""C:\Program Files\SplunkUniversalforwarder\etc\apps\search\bin\Test.pl"" FormatMessage was unable to decode error (193), (0xc1)
Any comments/help on this?
Phantom app cannot be set.
I want to link Phantom and Splunk, but if I enter the REST API and save it, an error is output.
The content of the error is
"Could not communicate with Phantom server "https://10.13.255.27": [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)".
Could you give me some advice?
I'm sorry for my poor English, thank you.
Splunk PowerShell Modular Input always returns fallback result
Hello Community,
I have set up a PowerShell modular input executing a script every 5 minutes.
Running the script on the Splunk (Enterprise) server in PS ISE, I get the following output:
host :
Server_IP :
Page_Return_Code : 200
Page_Return_Message : OK
Page_Execution_Time : 1800
Page_Login_Result : Good
source : PowerShell/Connectivity
I can assume the script itself is working fine.
Calling the same from Splunk, I get:
host=""
Server_IP=""
Page_Return_Code="-1"
Page_Return_Message="DOWN"
Page_Execution_Time="2222"
Page_Login_Result="Bad"
source="PowerShell/Connectivity"
Question 1)
Executing the script via the Splunk modular input, why do I get the opposite result? Do I need to tell the input somewhere to always execute the script on the Splunk server?
Question 2)
How do I get Splunk to automatically separate the 'Event' into fields?
Snippets from the PS script (server and IP values have been omitted):
# Definition of the Splunk return object (values filled in later by the script)
$SplunkObject = [PSCustomObject]@{
host = ''
Server_IP = ''
Page_Return_Code = ''
Page_Return_Message = ''
Page_Execution_Time = ''
Page_Login_Result = ''
source = "PowerShell/Connectivity"
}
.....
# Return values to Splunk Event Adapter
Write-Output $SplunkObject
How to set different host values on one udp port
Hi
I want to set different host values on UDP 514.
The events' host values equal their IPs, so I want to change them to hostnames.
I configured the inputs.conf as below:
[udp://1.1.1.1:514]
host = SWITCH
connection_host = dns
sourcetype = syslog-Switch
[udp://2.2.2.2:514]
host = FIREWALL
connection_host = dns
sourcetype = syslog-FIREWALL
The sourcetype values change, but host values do not.
What is the performance impact of converting a Splunk SimpleXML Dashboard to a Splunk HTML Dashboard
Basically I would like to know whether converting a dashboard to its HTML equivalent will decrease the load time of the dashboard or improve it.
Default home screen dashboard for all users
Is there any way to set a dashboard as the "Home Dashboard" for all users?
I mean something equivalent to,
user-prefs.conf
[general]
eai_app_only = False
eai_results_per_page = 25
display.page.home.dashboardId = /servicesNS/-/my_app/data/ui/views/my_dashboards
that applies to all users.