How to bypass Data Preview in a new connection?
Hello,
I built a query in the edit or new connection for DB Connect v3.x and it hangs at its "step 5", trying to execute SQL to review results, and will not continue. The query works; it's just querying a lot of data and taking forever to complete. If it times out, it fails and doesn't let me continue.
What do I need to do to force it past this "step 5" preview of results?
Thanks.
How to use REGEX on the field names
For example.
Is there any way to convert this:
![alt text][1]
into this?
Don't care about the numbers but the value of the second column (new) is a substr of the previous headers. Of course there are many other different "Disks".
![alt text][2]
[1]: /storage/temp/255983-capture.jpg
[2]: /storage/temp/255984-capture1.jpg
Deleting an add-on created by Add-on builder: have you seen the following error?
Hi,
I removed an add-on manually by deleting the folder $SPLUNK_HOME/etc/apps/TA-myProject. But now I'm having an issue when I try to import the same project. Here is the error message:
The 'TA-myProject' add-on project could not be imported because an add-on with this name already exists.
Could you please help ?
Many thanks in advance
How do I change the title text on the tabs from default text to a custom text?
I want to change the title text on the tabs from, for example, "Login|Splunk" or "Dashboards | Splunk 7.1.2" to a text which I want, something like just "Login" or just "Dashboards." I also want to exclude the Splunk version details from being displayed on the title.
So, I have two questions:
—How do I change the title text on the tabs from default text to a custom text?
—How do I disable the Splunk version details being displayed on the tab title?
Is there a way that I achieve this?
Note: Found a similar question here - https://answers.splunk.com/answers/521061/how-to-change-bookmark-name-from-loginsplunk-to-na.html, but the answer provided was in Chinese.
How do you display event monitoring data from my salesforce developer org?
I have done all the configurations required. I am trying to display the records from my Salesforce developer org.
KV replication to indexers
Hi,
We have a KVstore being replicated to the indexers.
After replication to the indexers, where is the data stored on the indexers?
What does the path `/opt/splunk/var/lib/splunk/kvstore/` mean on the indexers? We have changed
`SPLUNK_DB=/local/hot/`, and there are two KVstore folders, one in `/local/hot` and the other in `/opt/splunk/var/lib/splunk/kvstore/`??
Is it safe to delete `/opt/splunk/var/lib/splunk/kvstore/`?
Thanks
What is the difference between ‘box add-on’ and ‘box app’?
There seem to be two downloadable installers for integrating with Box - ‘splunk add-on for box’ and ‘box app for splunk’. What is the difference between the two?
The add-on's published date is much more recent.
Thank you
How to create a scheduled job time to find the run time of each of the searches?
I'm working w/ a similar issue as: https://answers.splunk.com/answers/512103/how-to-get-a-list-of-schedules-searches-reports-al.html
The addendum to that is that I want to find the run time of each of the searches. I'm thinking perhaps there are too many searches running at the same time, and this is causing Splunk inner-connectivity issues.
It would be really nice to have the scheduled job time and the amount of time it took to run the last time (or the last several times).
Is there an easy way to pair two events with the same sourcetype that have the same values in different fields?
I am looking for an elegant solution to the following problem:
I want to summarize data from two different events which have the same sourcetype/index/etc, but which have identical values in two different fields.
Event A:

    sourcetype=foo
    ComputerName=homepc
    FileName=example.exe
    PID=3333
    PPID=2222

Event B:

    sourcetype=foo
    ComputerName=homepc
    FileName=parent.exe
    PID=2222
    PPID=1111

I want to group data from both events into one summarized line like follows:

| ComputerName | FileName | PID | ParentFileName | PPID |
|---|---|---|---|---|
| homepc | example.exe | 3333 | parent.exe | 2222 |
I have attempted to accomplish this via JOIN and it does seem to work, but I am aware this is not an ideal solution:

    index=_internal sourcetype=foo
    | table ComputerName FileName PID PPID
    | rename FileName as Child_FileName, PID as Child_PID, PPID as Parent_PID
    | join Parent_PID ComputerName
        [ search index=_internal sourcetype=foo
          | table ComputerName FileName PID
          | rename FileName as Parent_FileName, PID as Parent_PID ]
If the sourcetypes in the two searches were different, I know I could easily accomplish this via a string of 'eval's and stats. Thanks for any suggestions!
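Added example, not from the original post: a subsearch-free way to pair each child event with its parent within the same `sourcetype=foo` data. It assumes the field names from the question (`ComputerName`, `FileName`, `PID`, `PPID`) and that a PID is not reused on the same host within the search window. The idea is to let every event play two roles by duplicating it with `mvexpand`: the "parent" copy is keyed on its own PID, the "child" copy on its PPID, and `eventstats` carries the parent's file name across rows that share the key.

```spl
index=_internal sourcetype=foo
| fields ComputerName FileName PID PPID
| eval role=mvappend("child", "parent")
| mvexpand role
| eval key=if(role="parent", ComputerName."|".PID, ComputerName."|".PPID)
| eval Parent_FileName=if(role="parent", FileName, null())
| eventstats values(Parent_FileName) as Parent_FileName by key
| where role="child"
| table ComputerName FileName PID Parent_FileName PPID
```

With the two sample events above this yields one row: `homepc example.exe 3333 parent.exe 2222` (the `parent.exe` row drops out because no event in the sample has PID 1111). `mvexpand` doubles the row count, so keep the `fields` line to limit memory use, and if a PID is recycled on the same host inside the time range, `Parent_FileName` becomes multivalued, which is a useful signal that the window is too wide rather than something to silently collapse.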
Help with Statistics Visualization
Hi Team,
Need help with the below use case.
I have application logs in which each event has the below fields:
**saleproductname HTTPStatus ResponseTime**
***Possible HTTPStatus*** values = 200, 300, 400, 500
I need to do a visualization of a statistics table which shows the below details:

| productname | TotalCalls | AvgResp | HTTP2XXcalls | HTTP2XXcalls(%) | HTTP3XX | HTTP3XX(%) | HTTP4XX | HTTP4XX(%) | HTTP5XX | HTTP5XX(%) |
|---|---|---|---|---|---|---|---|---|---|---|
| AirJordan | 100 | 25.5 | 50 | 50 | 10 | 10 | 10 | 10 | 30 | 30 |
| swiftrun | 1000 | 55.5 | 500 | 50 | 100 | 10 | 100 | 10 | 300 | 30 |
I have tried various options using stats and chart but couldn't quite get as above.
Appreciate your help, thank you!
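Added example, not from the original post: one `stats` pass that produces the table asked for above. The index and sourcetype (`app_logs`, `app_access`) are placeholders; the field names `saleproductname`, `HTTPStatus` and `ResponseTime` are taken from the question. Status codes are bucketed by their first digit, so it also handles codes like 201, 302 or 404 rather than only the four listed values, and the percentages are derived from the per-product totals after the aggregation.

```spl
index=app_logs sourcetype=app_access saleproductname=* HTTPStatus=*
| eval status_class="HTTP".tostring(floor(HTTPStatus/100))."XX"
| stats count as TotalCalls,
        avg(ResponseTime) as AvgResp,
        count(eval(status_class="HTTP2XX")) as HTTP2XX,
        count(eval(status_class="HTTP3XX")) as HTTP3XX,
        count(eval(status_class="HTTP4XX")) as HTTP4XX,
        count(eval(status_class="HTTP5XX")) as HTTP5XX
        by saleproductname
| foreach HTTP*XX [ eval "<<FIELD>>(%)"=round(100 * '<<FIELD>>' / TotalCalls, 1) ]
| eval AvgResp=round(AvgResp, 1)
| rename saleproductname as productname
| table productname TotalCalls AvgResp HTTP2XX "HTTP2XX(%)" HTTP3XX "HTTP3XX(%)" HTTP4XX "HTTP4XX(%)" HTTP5XX "HTTP5XX(%)"
```

For the AirJordan sample (100 calls, 50 of them 2XX) this gives `HTTP2XX=50` and `HTTP2XX(%)=50`. The `count(eval(...))` form counts only events where the condition holds, which is what keeps the per-class columns and the total in one `stats` instead of a `chart` whose column set changes with the data; `foreach` then computes the percentage columns without repeating the division four times.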
Is there a simple way to source version, in github, a Splunk add-on project?
Hi,
I've been working on an add-on that I created using Splunk Add-on Builder.
I would like to save the source code (data sources, Python and shell) in GitHub so I can manage the versioning.
Is there a simple way to do this?
Thanks
Moving to use mcollect - Error in 'mcollect' command: Must specify a valid metric index
My query before was doing outputcsv and then I had a monitoring input stanza to upload it to my metrics index.
I then took out the outputcsv command and started using mcollect.
Not sure why the metrics index is not valid when it was receiving metrics from a different method.

    .... | mcollect index=metrics-index

And in my indexes.conf, the setting is configured to be metrics:

    [metrics-index]
    datatype = metric
![alt text][1]
[1]: /storage/temp/254901-untitled.png
Why does my Splunk Web interface stop responding after a few hours?
Hello Splunkers,
I seem to be having an issue where the web interface stops responding after a few hours. I then must issue "splunk restart" to bring it back, but it stops working again after a while. It is still indexing during that time. It's just that the web interface will not respond until I restart Splunk.
Thanks in advance. Other info below.
Splunk status when it is not working shows: "Splunkd: Running (pid ###)"
After Splunk restarts, it shows the same thing with a different PID number.
Splunkd is the only thing it lists in either case.
After the restart is complete, the web interface works just fine. For a while.
OS: Win 10 Pro
Regarding splunk account lockout for users
Hi.. as all my Splunk projects use LDAP for login, this issue has never occurred to me..
1. If we configure Splunk's local authentication system and create users, and the users type a wrong password multiple times, will their accounts get locked out?
2. For all kinds of users (normal, power, admin) as well?!?!
3. With any login system (Splunk's own authentication/LDAP/etc.), does Splunk record the users' logins/logouts/lockouts and password failures?!?!
compare field results to counts
Hi
I have three communication types: Start, Update, Restore.
Each event can have multiple communication types to multiple prems.
I am trying to declare success if the number of restore messages sent is equal to or greater than the number of Start messages.
Event 486 would be a success and 393, 404 and 406 would fail.
| EVENT_ID | type | prem |
|---|---|---|
| 393 | restore | 434 |
| 393 | start | 474 |
| 404 | restore | 21 |
| 406 | start | 10 |
| 406 | restore | 19 |
| 486 | restore | 1 |
| 486 | start | 1 |
    <<| transaction source, EVENT_ID
    | rex "^(?[^,]+),(?[^,]+),(?[^,]+),(?[^,]+),(?[^,\r\n]*)"
    | rex field=source "(?[^-]*)_18"
    | rex "premisecount:\s(?\d+)"
    | rex field=source "(?[^_]*).csv"
    | stats count sum(premisecount) by EVENT_ID,type | rename "sum(premisecount)" as prem ]
    | table ,EVENT_ID, type, prem>>
Struggling with setting up Forwarder to Indexer SSL Comms
Initially I had started to set up forwarder-to-indexer SSL using a self-signed certificate. However, I was getting the below error on the indexer in the splunkd log:

    ERROR TcpInputProc - Error encountered for connection from src=192.168.14.10:49497. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Thinking that I may have followed the process incorrectly, I resorted to setting up SSL using the Splunk default certs. However, I am still getting the same error.
I have tried changing the SSLversions to "* ,-ssl2" but retracted and kept the default which is tls1.2
I am using Splunk version 7.1.2 on both Indexer and UF.
Please advise.