Is it possible to change the color in a column chart with a specific count value?
scenario:
We have a column chart. In the column chart we have multiple count values, 1 to 20. This count is regarding job failures, but what we want is that a count of 1 to 10 should be in green and a count of 10 to 20 should be in red.
Team please help me out with this problem.
↧
How to change color code in column chart with specific count value
↧
replacement for token initialization tag before 6.5
Dear All
How can a token be initialized on form load for versions prior to 6.5, where the "init" tag is not yet available?
best regards
Altin
↧
How do I configure a custom logo on the login screen?
In the process of customizing the login screen in 7.1. Successfully changed the background and added text. But when I put a custom logo in the default directory:
E:\Splunk\etc\apps\search\appserver\static\logincustomlogo
and put this line in the web.conf in the [settings] stanza:
loginCustomLogo = "logincustomlogo\mylogo.png"
I get a broken link. The link address shows as:
https://splunkserver:8000/en-US/static/@undefined/app%2Fsearch%2F%22logincustomlogo%5Cmylogo.png%20%22
What am I doing wrong?
Thanks!
↧
Custom search command not found error
We have created a new custom command to parse user agents in request and response. It works perfectly in my local instance. But when I deploy in a distributed environment, we are facing the error below. It works when I use `script uaparser fieldname` on my search head but not with `uaparser fieldname`. I have deployed this on all search heads. Do I need to deploy on indexers as well?
[nw-splunkindx-201.dqs.test.com] Search Factory: Unknown search command 'uaparser'.
[nw-splunkindx-202.dqs.test.com] Search Factory: Unknown search command 'uaparser'.
↧
Used vs Available licence
I have the search below against a particular heavy index, which lists its daily volume consumed.
index=_internal source=*license_usage.log type=Usage | eval totalMB = b/1024/1024 | eval totalGB = totalMB /1024 | rename idx as index | search index="xxx-xxx" | timechart span=1d sum(totalGB) by index
_time xxx-xxx
------------------------------------
date 200GB
I want the above query tweaked to compare the daily usage against 1000GB and list the output like below:
_time xxx-xxx Total %Used
---------------------------------------------------------------------------------------------
date 200GB 1000GB 20%
Thanks,
Laks
↧
How to only see duplicates?
I have two profile settings, they both shouldn't be on at the same time. I am trying to see which devices have both of these profiles, to generate a list.
index=nitro_apps
| rex "^[^,\n]*,(?P[^,]+)[^,\n]*,(?P[^,]+)(?:[^ \n]* ){4}(?P[^,]+),(?P[^,]+),\w+,(?P[^,]+),\d+,(?P\d+),(?P[^,]+)[^,\n]*,(?P\w+)"
| search location=*
| eval Old_Status=if('Profile'="11.0.0.0",if(Installed="Yes","true","FAIL"),"")
| eval New_Status=if('Profile'="12.0.0.0",if(Installed="Yes","true","FAIL"),"")
| eval LD_Status=if('Old_Status'="true", if(New_Status="true","PASS","FAIL"),"")
| where 'LD_Status'=="PASS"
| stats list(MacAddress) as duplicates, dc(MacAddress) as DupCount by location
Any idea why I am not able to see the devices with both profile settings applied?
↧
Can you help me filter out wineventlog eventcode 4656 account names in transforms.conf?
I am trying to figure out how to filter out account names that end in $ for the 4656 event codes. I am currently using the following in transforms.conf:
REGEX = (?ms)(.*EventCode=4656.*)(Subject:.*Account Name:(\s*\w+\$)
DEST_KEY = queue
FORMAT = nullQueue
I have tried multiple combinations of the above and it never filters out.
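As an added illustration (not part of the question or of any Splunk documentation), the block below exercises the filtering idea from this post in Python against constructed sample events shaped like multi-line Windows Security events. It uses a rewritten regex with balanced parentheses, since the REGEX as posted opens three groups but closes only two, and a plain compile check shows that kind of syntax error; the event text, account names and SIDs are all constructed here.

```python
import re

# Constructed sample events (not from the page), shaped like the multi-line
# Windows Security events Splunk ingests; "\t" stands in for the tab indentation.
EVENTS = [
    # Computer account (name ends in "$") on a 4656 event: should go to nullQueue.
    "EventCode=4656\n"
    "Message=A handle to an object was requested.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tWKSTN01$\n"
    "\tAccount Domain:\t\tCORP\n",
    # Human user on a 4656 event: should be kept.
    "EventCode=4656\n"
    "Message=A handle to an object was requested.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-1-2-3-1001\n"
    "\tAccount Name:\t\talice\n"
    "\tAccount Domain:\t\tCORP\n",
    # Computer account on a different EventCode: kept, the filter is 4656-only.
    "EventCode=4624\n"
    "Subject:\n"
    "\tAccount Name:\t\tWKSTN01$\n",
]

# The REGEX exactly as posted in the question (unbalanced parentheses).
PAGE_REGEX = r"(?ms)(.*EventCode=4656.*)(Subject:.*Account Name:(\s*\w+\$)"

# Rewritten version of the same idea with balanced groups (my regex, an assumption).
# (?m) makes "$" match at end of line; (?s) lets "." cross line breaks.
# Lazy ".*?" stops at the first "Subject:" / "Account Name:" rather than running
# to the last one in the event. "\w" never matches "$", so "\w+\$" is only
# satisfied by a name whose final character is "$".
DROP_RE = re.compile(
    r"(?ms)EventCode=4656.*?Subject:\s*(?:Security ID:[^\n]*\n\s*)?"
    r"Account Name:[ \t]*\w+\$[ \t]*$"
)


def regex_compiles(pattern: str) -> bool:
    """Syntax check: an unterminated group is rejected by Python's re just as by PCRE."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def should_drop(event: str) -> bool:
    """True when the event matches the filter (would be routed to nullQueue)."""
    return DROP_RE.search(event) is not None


def filter_events(events):
    """Events that would survive the filter and reach the index."""
    return [e for e in events if not should_drop(e)]


if __name__ == "__main__":
    print("page regex compiles:", regex_compiles(PAGE_REGEX))
    for ev in EVENTS:
        print("drop" if should_drop(ev) else "keep", ev.splitlines()[0])
```

Running the script prints `page regex compiles: False`, then `drop` for the first constructed event and `keep` for the other two. Splunk applies the transform's REGEX to the raw event text with PCRE, so a pattern that does not compile silently matches nothing, which is consistent with a filter that "never filters out".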
↧
How to pass the output of first search to the subsearch in the same index
I have an index="summary" where it captures both success connections and error connections.
I need to get the connection ID for those error connections, and with the output of this search (connection ID) I need to subsearch in the same index to get the source IP.
The CONNID value is a list. For each CONNID, I need to pass it to the subsearch.
I used this query:
index=summary sourcetype=ldap_log eventtype=nix_errors | fields CONNID | rename CONNID As cid | map search="search index=summary sourcetype=ldap_log ID=$con_id$ src_ip"
It returns a null value, but when I execute them separately it works.
↧
How to get data from two indexes?
Good day everyone,
I am dealing with an issue that I haven't been able to find an answer for so far. Here is the problem:
I have two indexes collecting data: one index collects from DHCP, which has a Client_IP address that has been assigned to a machine, and the other index is DNS, which collects clients' internet queries. The DNS index has the same "Client_IP" field. Now I want to be able to take the Client_IP from the DNS search, find the hostname found in DHCP, and create a table that includes time, Client_Name (from the DHCP index) and Client_IP that matches the time of the DNS query. The DHCP data needs to have the closest time to the DNS query, since DHCP can assign the same IP to a different client.
I really appreciate any help with this issue.
Thanks,
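The matching the post describes is a time-aware lookup rather than a plain field join, and the block below (an added example, not part of the question and not SPL) shows it in Python over constructed DHCP and DNS records. It goes slightly beyond "closest time": each DNS query is attributed to the most recent lease of that IP at or before the query, not the nearest lease in either direction, because a lease issued after the query belongs to the next holder of the address. Field names reuse the post's Client_IP and Client_Name; the timestamps, IPs and hostnames are constructed.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease records (time, Client_IP, Client_Name).
# 10.0.0.5 is handed to host-a at 08:00 and reassigned to host-b at 10:00.
DHCP_LEASES = [
    ("2024-01-01 08:00:00", "10.0.0.5", "host-a"),
    ("2024-01-01 09:00:00", "10.0.0.6", "host-c"),
    ("2024-01-01 10:00:00", "10.0.0.5", "host-b"),
]

# Constructed DNS query records (time, Client_IP, queried name).
DNS_QUERIES = [
    ("2024-01-01 08:30:00", "10.0.0.5", "example.com"),
    ("2024-01-01 10:30:00", "10.0.0.5", "example.org"),
    ("2024-01-01 09:15:00", "10.0.0.6", "example.net"),
    ("2024-01-01 07:00:00", "10.0.0.5", "early.example"),  # before any lease
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_lease_index(leases):
    """Per Client_IP, the leases as a time-sorted list of (lease_time, Client_Name)."""
    index = defaultdict(list)
    for t, ip, name in leases:
        index[ip].append((_ts(t), name))
    for ip in index:
        index[ip].sort()
    return index


def resolve_client(index, ip: str, query_time: datetime):
    """Client_Name holding `ip` at `query_time`: the latest lease at or before it.

    Returns None when no lease for that IP precedes the query, so the row is
    visibly unattributed instead of being matched to a later holder.
    """
    entries = index.get(ip, [])
    times = [t for t, _ in entries]
    pos = bisect_right(times, query_time) - 1
    return entries[pos][1] if pos >= 0 else None


def join_dns_with_dhcp(dns_queries, leases):
    """Rows of time, Client_IP, Client_Name and query, one per DNS event."""
    index = build_lease_index(leases)
    rows = []
    for t, ip, qname in dns_queries:
        rows.append({
            "time": t,
            "Client_IP": ip,
            "Client_Name": resolve_client(index, ip, _ts(t)),
            "query": qname,
        })
    return rows


if __name__ == "__main__":
    for row in join_dns_with_dhcp(DNS_QUERIES, DHCP_LEASES):
        print(row)
```

The two queries from 10.0.0.5 resolve to different hosts (host-a at 08:30, host-b at 10:30), which is exactly the case a plain join on Client_IP gets wrong. The 07:00 query has no preceding lease and is left with Client_Name None.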
↧
How do I pass the output of first search to the subsearch in the same index?
I have an index="summary" where it captures both success connections and error connections.
I need to get the connection ID for those Error connections and with the output of this search (connection ID) need to subsearch in the same index to get the source IP.
The CONNID value is a list. For each CONNID, I need to pass it to the subsearch.
I used this query:
index=summary sourcetype=ldap_log eventtype=nix_errors | fields CONNID | rename CONNID As cid | map search="search index=summary sourcetype=ldap_log ID=$con_id$ src_ip"
It returns a null value, but when I execute them separately it works.
↧
What is the best practice of mounting the archiving paths
We have four indexers and we want to add an archiving path. What is the best solution to do so?
Is it by creating 4 different file mounts (one for each indexer) or having one file mount accessible by all indexers?
Note: we are using SAN storage.
↧
Multiselect choice value dynamic from token
Dear All
Is it possible to have the value of one choice of a multi-select be dynamic, from a token, e.g. one initialized on the form?
in the
Choice1 Choice2 Choice3
replace the third Choice with: Choice3
where token1 is a variable that has been initialized on top of the form.
"value"
The way above I receive a syntax error in the editor - "Unquoted attribute value"
If I do quote, then I have the quoted string and not the token value.
Please advise.
best regards
Altin
↧
Tracking the amount of time Searches are Queued
Throughout the day, Splunk runs its internal processes and users run their queries. As the day hits its peak, searches sometimes queue up (due to what I believe is resources in the SHC being totally consumed).
Is there a way to track how many searches queue throughout the day and for how long they remain queued until they execute (or are abandoned by the user)?
↧
Visibility of dashboard by role based in a single app
I have a list of dashboards available in a single app called "myproject"
Now I want to make them visible based on the roles.
I already created a set of users who can see the particular data based on their access, but I need the dashboard itself to be visible based on that access only, in the Splunk bar.
Thanks in advance,
Purush
↧
Is there a way to track the amount of time searches are queued in Splunk?
Throughout the day, Splunk runs its internal processes and users run their queries. As the day hits its peak, searches sometimes queue up (due to what I believe is resources in the SHC being totally consumed).
Is there a way to track how many searches queue throughout the day and for how long they remain queued until they execute (or are abandoned by the user)?
↧
Is it possible to compare equality of two fields at the root search without using | search, | where, or | eval?
I'm trying to work around the limitations of data model root searches not supporting pipes.
Is there any way to see if fieldX=fieldY at the root search level, or does Splunk always treat "fieldY" as a string?
↧
What is the best practice for mounting the archiving paths?
We have four indexers and we want to add an archiving path. What is the best solution to do this?
Is it by creating 4 different file mounts (one for each indexer) or having one file mount accessible by all indexers?
Note: we are using SAN storage.
↧
How do I change the color code in a column chart with a specific count value?
Is it possible to change the color in a column chart with a specific count value?
scenario:
We have a column chart. In the column chart, we have multiple count values 1 to 20. This count is regarding job failures but what we want is that 1 to 10 count should be in green and 10 to 20 count should be in red.
Team please help me out with this problem.
↧
Why is my custom command to parse user agents in request and response returning the following " Search Factory: Unknown search command 'uaparser'" error?
We have created a new custom command to parse user agents in request and response. It works perfectly in my local instance. But when I deploy in a distributed environment, we face the error below. It works when I use `script uaparser fieldname` on my search head but not with `uaparser fieldname`. I have deployed this on all search heads. Do I need to deploy on indexers as well?
[nw-splunkindx-201.dqs.test.com] Search Factory: Unknown search command 'uaparser'.
[nw-splunkindx-202.dqs.test.com] Search Factory: Unknown search command 'uaparser'.
↧
Can you help me with my join query?
I'm having trouble with a join query. It doesn't work with the inner or left join, although I can see the event from the left join, but without the fields from the other source.
Let's say IDX_A contains a url and srcip. I want to join the srcip from IDX_A with the dest_ip from IDX_B. Here's a sample of the join query I'm trying to do:
index=IDX_A url = "http://some.url"
| rename srcip as dest_ip
| join dest_ip [search index=IDX_B]
I can confirm the main query and the subsearch return results when executed separately; however, the join returns 0 results.
Any idea why this doesn't work? Seems pretty straight forward to me, but I can't get it to work.
I saw some similar previous posts, but none of them were helpful for me.
↧