Channel: Questions in topic: "splunk-enterprise"

How do I display a dropdown input as "Name" instead of "Value"?

Hello, I added a dropdown input at the top of my dashboard with various time intervals to refresh each chart. Now, in the charts' subtitles, I would like to display that auto-refresh rate. The token for the dropdown input is $AutoRefresh$:

| Name | Value |
|---|---|
| 1 minute | 1m |
| 5 minutes | 5m |
| 10 minutes | 10m |
| 15 minutes | 15m |
| 30 minutes | 30m |

In the subtitle I have: **This chart auto refreshes every $AutoRefresh$**. This displays, for example, **5m**, when I would like it to display **5 minutes**. Reading the documentation, I am not seeing any "additions" to tokens, such as $AutoRefresh.Name$, etc. Is this possible to do?
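Simple XML exposes the selected choice's display text as `$label$` (and its value as `$value$`) inside the input's `<change>` element, so the label can be copied into a second token and used wherever the dashboard needs the human-readable form. The dashboard below is an added example, not code from the original post: the panel, its search, and the token name `AutoRefreshLabel` are assumptions made for illustration.

```xml
<form>
  <label>Auto-refresh label demo</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="AutoRefresh" searchWhenChanged="true">
      <label>Auto refresh</label>
      <choice value="1m">1 minute</choice>
      <choice value="5m">5 minutes</choice>
      <choice value="10m">10 minutes</choice>
      <choice value="15m">15 minutes</choice>
      <choice value="30m">30 minutes</choice>
      <default>5m</default>
      <initialValue>5m</initialValue>
      <!-- $label$ and $value$ are only defined inside <change>;
           copy the label into a second token for use elsewhere -->
      <change>
        <set token="AutoRefreshLabel">$label$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- panel title is assumed; it uses the label token, not the value token -->
      <title>Events over time (this chart auto refreshes every $AutoRefreshLabel$)</title>
      <chart>
        <search>
          <query>index=_internal | timechart count</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
          <!-- the refresh interval still uses the raw value (1m, 5m, ...) -->
          <refresh>$AutoRefresh$</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

The `<change>` block runs whenever the selection changes, including when the default is applied at load, so `$AutoRefreshLabel$` is populated before the panels render; `$AutoRefresh$` keeps carrying the machine-readable interval for the `<refresh>` element.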

Splunk Add-on for Unix and Linux: Why are syslogs from Linux servers being returned as raw events?

I installed the Linux TA and app, but the received logs are in the form of raw events and they aren't indexed with this TA. The Linux servers send logs to the universal forwarder by syslog, and when I search the related index the logs appear as raw events and field extraction hasn't happened. The TA is the most downloaded on Splunkbase. What is the solution?

How do you display multiple column headers on a table?

Hello everyone, I'd like to display multiple column headers on a table like the image below. I can create the table, but the problem is the column headers. It doesn't matter what color they are. I'd like to have just two rows as the column header, and I'd like to make three groups on the first column header row. Please refer to the attached image. I'm waiting for your information. Thank you in advance.

![alt text][1]

[1]: /storage/temp/254934-multiple-column-headers.png

How do you execute a two-pattern search where the hosts (host is a field) found by the first pattern should be ignored in the second pattern search?

I was executing my search on a log file. This is the pattern I want to search: **END ABCD234** **hour>00**, but it shouldn't be searched on several **host**s (servers). The hosts that need to be ignored can be identified by this pattern: **"DISABLE" "END" hour>00**. Here, hour is a field extracted from the timestamp (example: **01**:15:38, where 01 was extracted). Please let me know if more info is needed.
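One way to express this in SPL is a subsearch that collects the hosts matching the exclusion pattern and negates it with NOT: the subsearch expands to `(host="a") OR (host="b") ...`, which NOT turns into an exclusion list. This is an added example, not from the original post; `index=applogs` is an assumed index name and `host` is Splunk's default host field.

```spl
index=applogs "END ABCD234" hour>00
    NOT [ search index=applogs "DISABLE" "END" hour>00
          | dedup host
          | fields host ]
| table _time host hour _raw
```

The subsearch inherits the outer search's time range, so the exclusion list is built from the same window. Subsearches are capped (10,000 results and 60 seconds by default), which is why `dedup host | fields host` reduces it to one row per host before it is expanded; if the list of hosts to exclude is large or needed by several searches, a lookup table populated on a schedule is the more robust pattern.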

Can you change/develop/tune/test index-time transformations (props.conf) without restarting a Splunk instance?

Hello Splunkers, Is there any way to change/develop/tune/test index-time transformations (props configurations) without needing to restart the Splunk instance? Thanks in advance! Afroditi

Where do I put props.conf?

I am using the universal forwarder to monitor a directory for a CSV file on a remote server. I have configured inputs.conf on the UF to monitor the directory. I am forwarding the data to a heavy forwarder, which will then forward to an indexer cluster. I want to tell Splunk where to find the time field and the header line using a sourcetype in props.conf. Which component in the distributed environment needs to have the sourcetype configured: the UF, the HF, or the indexer layer? Thanks
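For structured files the answer differs from the usual "first full Splunk instance parses" rule: `INDEXED_EXTRACTIONS` and the settings that go with it (`HEADER_FIELD_LINE_NUMBER`, `FIELD_DELIMITER`, `TIMESTAMP_FIELDS`) are applied by the universal forwarder when it reads the file, so the sourcetype stanza must exist in props.conf on the UF; the UF then sends already-parsed data that the HF and indexers do not re-parse. The configuration below is an added example, not from the original post; the app name, monitored path, sourcetype name, index and CSV column names are assumptions.

```ini
# On the universal forwarder:
# $SPLUNK_HOME/etc/apps/my_csv_input/local/inputs.conf   (app name assumed)
[monitor:///data/exports/*.csv]
sourcetype = acme:orders_csv
index = orders
disabled = 0

# Also on the universal forwarder:
# $SPLUNK_HOME/etc/apps/my_csv_input/local/props.conf
# INDEXED_EXTRACTIONS is evaluated where the file is read, so this stanza
# has to be here; a UF without it ships the CSV as plain, unparsed text.
[acme:orders_csv]
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 1
FIELD_DELIMITER = ,
TIMESTAMP_FIELDS = order_time
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
SHOULD_LINEMERGE = false

# On the heavy forwarder, the indexers and the search head: deploy the same
# [acme:orders_csv] stanza (same file contents) so the sourcetype is known
# end to end and search-time behaviour stays consistent.
```

Deploy the UF stanza through the deployment server or whatever pushes apps to the forwarder, then check it from the UF itself with `splunk btool props list acme:orders_csv --debug` to confirm it is the stanza actually in effect. If you do not want structured parsing on the UF and would rather treat the file as plain text, leave `INDEXED_EXTRACTIONS` out and put `TIME_PREFIX`/`TIME_FORMAT` and line-breaking settings on the heavy forwarder instead, because that is then the first instance that parses the stream.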

ROW_NUMBER() works in DBX 2.4.1 to create a rising column for a DB input, but I cannot get it to work in DBX 3.1.3

The SQL editor has the following:

```
SELECT srp_ordernum, srp_source, srp_hof_seqno, srp_seqno_in_hand_off, srp_entry_type, srp_entry_type_desc,
       srp_date, srp_initials, srp_surname, srp_location, srp_extn, srp_text,
       ROW_NUMBER() OVER (ORDER BY srp_date, srp_ordernum, srp_seqno_in_hand_off, srp_hof_seqno) Sequence_no
FROM sword.service_request_progress
WHERE srp_date > '01-Aug-2018'
ORDER BY srp_date
```

The SQL works in batch mode, but when I switch to rising column I get the error `java.sql.SQLException: Invalid column index`. DBX 3.1.3 instructs me to use the Sequence_no in the WHERE, but when I do I get the error `java.sql.SQLSyntaxErrorException: ORA-00904: "SEQUENCE_NO": invalid identifier`.
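Two separate things are going on here. DB Connect 3.x rising-column mode expects the query to contain a single `?` placeholder, which it binds to the saved checkpoint value, plus an `ORDER BY` on the rising column; a query without the `?` gives the JDBC driver nothing to bind, hence `Invalid column index`. And in Oracle a column alias defined in the SELECT list is not visible in the WHERE clause of the same query level, hence `ORA-00904` as soon as the alias is referenced there. Wrapping the ranked query in an inline view solves the second problem and gives the first a column to compare against. The query below is an added example, not from the original post; it uses the table and columns from the question and assumes the DB Connect 3.x `?` checkpoint convention.

```sql
-- Rising-column query for DB Connect 3.x: the single "?" is replaced by the
-- last checkpoint value DB Connect stored; ORDER BY must be on the rising column.
SELECT *
FROM (
    SELECT srp_ordernum, srp_source, srp_hof_seqno, srp_seqno_in_hand_off,
           srp_entry_type, srp_entry_type_desc, srp_date, srp_initials,
           srp_surname, srp_location, srp_extn, srp_text,
           ROW_NUMBER() OVER (ORDER BY srp_date, srp_ordernum,
                                       srp_seqno_in_hand_off, srp_hof_seqno) AS sequence_no
    FROM sword.service_request_progress
    -- DATE literal avoids depending on the session's NLS_DATE_FORMAT,
    -- which is what '01-Aug-2018' silently does
    WHERE srp_date > DATE '2018-08-01'
) t
WHERE t.sequence_no > ?
ORDER BY t.sequence_no ASC
```

In the input definition set the rising column to `sequence_no` and the checkpoint to `0` for the first run. The caveat a practitioner should keep in mind is that `ROW_NUMBER()` is recomputed on every execution: if rows older than the checkpoint are deleted, or a row is inserted with an earlier `srp_date`, the numbering shifts and the input will either skip or duplicate records. A genuinely monotonic column in the table (a sequence-backed primary key or an insert timestamp) is the safer rising column whenever one exists.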

How to find unique errors from cron jobs sent to syslog

I am trying to find all unique messages sent to syslog from specific machines (Splunk 6.6.8). Using the following bash command I get what I want:

```
grep -v "sendmail\|nrpe\|freshclam" /var/log/messages | cut -c27- | sort | uniq -c
```

The following Splunk search comes close, but cuts out some results:

```
host="srvr1" OR host="srvr2" NOT ( sendmail OR nrpe OR freshclam ) | dedup process
```

As an example, I only get one of these lines instead of all three:

```
init: Id "x" respawning too fast: disabled for 5 minutes
init: Id "y" respawning too fast: disabled for 5 minutes
init: Id "z" respawning too fast: disabled for 5 minutes
```

Splunk will only return one of those lines. If I do a general search for the other two errors, they are there in Splunk, so they are captured. I tried a dedup on other fields, but so far "process" seems to be the best fit. Any suggestions?
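The shell pipeline deduplicates on the message text after the timestamp and hostname, whereas `dedup process` keeps one event per process name, so the three `init:` lines collapse into one. The SPL equivalent extracts the message part of the syslog line and counts by it. This is an added example, not from the original post; it assumes the standard `Mon DD HH:MM:SS host message` layout of /var/log/messages and the two host names from the question.

```spl
(host="srvr1" OR host="srvr2") NOT (sendmail OR nrpe OR freshclam)
| rex field=_raw "^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(?<msg>.*)$"
| eval msg=replace(msg, "\[\d+\]", "[PID]")
| stats count AS occurrences, dc(host) AS hosts, latest(_time) AS last_seen BY msg
| sort - occurrences
```

The `rex` does what `cut -c27-` does without assuming a fixed column offset, so hostnames of different lengths still line up. The `replace` folds process IDs such as `CROND[1234]` and `CROND[1250]` into one line, which is what `uniq -c` effectively does on the cut output; drop that line if you want PIDs kept apart. Because the key is the full message, the three `Id "x"/"y"/"z"` lines stay distinct rows, each with its own count.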

Removing all duplicate events from a search

I have two indexes, A and B. Events are copied using the `collect` command from index A to index B. Later, I am trying to run a search for all results in index A that are not in index B, something like:

```
index=A NOT index=B
```

However, this does not remove an event that is in both indexes. Essentially what I am trying is a `join type=left outer`; however, it seems that Splunk doesn't support that type of join. `dedup` seems to not recognize the events as duplicates either. I also tried using _cd as a unique identifier; however, since that is tied to its location in the index, the two events have different _cd values, preventing that from being used.
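`index=A NOT index=B` is not a set difference: every event lives in exactly one index, so the NOT just excludes the events that are in B and returns all of A. To find A events that have no copy in B, both indexes have to be read, each event keyed on its content, and the keys that were seen only in A kept. The search below is an added example, not from the original post; it uses the index names from the question and assumes `collect` preserved `_time` and `_raw` unchanged.

```spl
(index=A OR index=B)
| eval key=md5(_time . "|" . _raw)
| stats values(index) AS in_indexes, first(_time) AS _time, first(_raw) AS _raw BY key
| where mvcount(in_indexes)==1 AND in_indexes=="A"
| table _time _raw
```

`stats values(index) BY key` is what turns the two copies into one row, which `dedup` cannot do here because the copies differ in `index`, `source`, `sourcetype` and `_cd`. If `collect` was run over transformed results rather than raw events, the event written to B is a key=value rendering rather than the original `_raw`, and the key should then be built from the fields that were actually written. `set diff` would also express the difference but is subject to the subsearch result cap, so the `stats` form is the one that scales; keep the time range tight because it holds one row per distinct event in memory.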

Splunk TCP listener limit

Hi, we have configured a couple of Blue Coats on a custom TCP port on a HF. I see the data flowing in, but the Blue Coat admins frequently comment that they are receiving alerts for failed uploads to Splunk. My first guess is that the port exceeds the buffer limit or has a filled-up queue, but how can I ensure there is no data loss? Can we enable multiple listeners on a HF? We are to onboard more Blue Coats to Splunk through the same HF; is there a limit to the number of listeners we can configure on a HF? Does it affect performance? Thanks, Shiv

Defining the TZ value for manual host extraction for a syslog input

Hi all, I have created an inputs stanza for a syslog input and created a manual host override using transforms. I tried to change the TZ value per host but it is not working; the same works fine if used per sourcetype. Kindly suggest how to fix this.

**inputs.conf**

```
[tcp://]
sourcetype =
```

**props.conf**

```
[host::ABC]
TZ = UTC
[host::DEF]
TZ = Europe/London
```

tstats with eval not working on a particular field

Hi, I am trying to combine results into two categories based on an eval statement.

Original query (returns the results fine, but slow for a large number of results and an extended time frame):

```
index=enc sourcetype=enc type=trace source=*123456* | eval Call = if(app_type="API", "sdk", "non-sdk") | stats count by Call
```

I tried the following with tstats (none of them work, meaning they display 0 results):

```
| tstats count from datamodel=Enc where sourcetype=trace Enc.type=TRACE Enc.cid=1234567 Enc.app_type=* | `drop_dm_object_name("Enc")` | eval Call=if(app_type=="API", "sdk","non-sdk") | stats sum(count) by Call
```

and

```
| tstats count from datamodel=Enc where sourcetype=enc-trace Enc.type=TRACE Enc.cid=1234567 | `drop_dm_object_name("Enc")` | eval sdk=if(app_type="API",count,0), non-sdk=if(app_type!="API",count,0) | stats sum(sdk) as SDK, sum(non-sdk) as NON-SDK
```

I'd appreciate help and ideas from Splunkers. Thanks
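`tstats` returns only the aggregate and the fields named in its `BY` clause, so with no `BY Enc.app_type` there is no `app_type` field in the output rows for the later `eval` to test. Grouping on it first and then collapsing the groups with a second `stats` gives the same two-bucket result as the raw search. The search below is an added example, not from the original post; it keeps `sourcetype=enc` from the working raw query (the posted `tstats` variants filtered on `trace` and `enc-trace`, which would also explain empty results if the indexed sourcetype is `enc`), and it assumes `app_type`, `type` and `cid` are fields of the `Enc` data model object.

```spl
| tstats count FROM datamodel=Enc WHERE sourcetype=enc Enc.type=trace Enc.cid=1234567 BY Enc.app_type
| `drop_dm_object_name("Enc")`
| eval Call=if(app_type=="API", "sdk", "non-sdk")
| stats sum(count) AS count BY Call
```

Two checks before trusting the numbers: confirm with `| datamodel Enc search | head 1` that `app_type` really is part of the model (a field that is not in the model cannot be grouped on, and the `where` filter on it silently matches nothing), and only add `summariesonly=true` once the model is accelerated, otherwise `tstats` falls back to scanning the raw data and the speed-up disappears.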

Count events from a radio button choice issue

Hello, I use the code below in order to display the events corresponding to these event codes:

```
index="windows" sourcetype="wineventlog:*" "SourceName=Application Error" (EventCode=1000 OR EventCode=1001 OR EventCode=1002 OR EventCode=1 OR EventCode=2) | dedup _time | table _time host EventCode Type Message
```

The code returns 4 events. I want to do the same thing from a radio button choice:

```
index="windows" sourcetype="wineventlog:*" "SourceName=Application Error" (EventCode=1000 OR EventCode=1001 OR EventCode=1002 OR EventCode=1 OR EventCode=2 EventCode=$EventCode$) | stats dc(EventCode)
```

But it returns only 1 event, whereas with the selection I make on the radio button I should normally have 4 events. What do I have to do, please? Thanks

Field not displayed in report

Hello, I want to display the field "Chemin d’accès de l’application défaillante" in my report from the code below:

```
index="windows" sourcetype="wineventlog:*" "SourceName=Application Error" Type="Critique" OR Type="Avertissement" OR Type="Erreur" faillante | dedup _time SourceName | table _time SourceName Chemin d’accès de l’application défaillante | stats count by SourceName | sort - count limit=10
```

But this field isn't displayed... What do I have to do to be able to use this field? Is it possible to do a "field extract" like we can do in a log? Could you help me please?
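"Chemin d’accès de l’application défaillante" is the French Windows rendering of "Faulting application path" in Application Error (event 1000) messages. A field name with spaces and accents has to be quoted in SPL, and even then `table` followed by `stats count by SourceName` throws every column except `SourceName` away, which is why nothing reaches the report. The search below is an added example, not from the original post: it pulls the path out of the event text with `rex` into a plain ASCII field name and keeps it in the `stats` grouping. The only assumptions are the field name `failing_app_path` and the message layout `<label> : <value>` on its own line, as Windows writes it.

```spl
index="windows" sourcetype="wineventlog:*" "SourceName=Application Error" (Type="Critique" OR Type="Avertissement" OR Type="Erreur")
| rex "(?m)^Chemin d\W+acc\S+ de l\W+application d\S+faillante\s*:\s*(?<failing_app_path>[^\r\n]+)"
| dedup _time SourceName
| stats count BY SourceName failing_app_path
| sort - count
| head 10
```

The pattern deliberately matches the apostrophe and accented letters with `\W+` and `\S+` so it works whether the event uses the typographic ’ or a plain ' and regardless of how the bytes are encoded, and `(?m)` lets `^` anchor on the line inside the multi-line message. The `OR` terms are parenthesised, because without the parentheses `Type="Critique"` binds to the preceding terms and the other two alternatives match any event in the index. If you prefer a reusable extraction, the same regex can be saved as a field extraction on the sourcetype (Settings > Fields > Field extractions), after which `failing_app_path` is available to every search without the `rex`.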