Tab Focus issue in dashboard
We have created a dashboard in Splunk using tabs as per the URL below, and it is working perfectly fine.
https://www.splunk.com/en_us/blog/tips-and-tricks/making-a-dashboard-with-tabs-and-searches-that-run-when-clicked.html
The dashboard was created in version 7.0, but Splunk has recently been upgraded to 7.3. Since the upgrade we have been facing an issue with the tab focus. That is, when we click on any tab, a blue line is shown under the tab so the user knows which tab they are on, but when the user clicks on another tab, the blue line remains on the previous tab as well as appearing on the new tab. That means if the user clicks on multiple tabs one by one, there is a blue line for each clicked tab, which becomes confusing for the user. Ideally, when the user clicks on a new tab, the blue line (focus) should be removed from the previous tab and should always be on the most recently clicked tab.
The issue seems to be either with tabs.css or tabs.js, but we are unable to identify it. Can someone look into these two files from the above link and suggest what can be modified to rectify this error?
Thanks in advance!
↧
Trigger alert on value from predict calculation
Hi,
I am trying to build an alert from the following query. The query collects the counters for memory usage, especially the free amount. It plots a time chart of the last 21 days and performs a prediction over the coming 14 days. The graph itself is perfect. It also shows in the prediction that in the next 14 days we run out of memory.
![alt text][1]
index=xxxxx host=xxxxx source="Perfmon:Memory" counter="Available MBytes"
| eval Value=(Value/1024)
| timechart span=1d avg(Value) as "Available MBytes", latest(host) as host, latest(counter) as counter
| lookup resource_thresholds.csv resource_name AS host, resource_metric AS counter OUTPUTNEW resource_threshold_warning,resource_threshold_critical
| eval Warning=resource_threshold_warning
| eval Critical=resource_threshold_critical
| predict "Available MBytes" as Prediction future_timespan=14
| eval Prediction = round(Prediction,0)
| fields - lower95(Prediction), upper95(Prediction) resource_threshold_warning resource_threshold_critical host counter
I want to run this as a scheduled alert (email, MS Teams) every night and be informed when the prediction hits 0 or lower somewhere in the next 14 days.
For some reason I cannot seem to get my head around the logic here to trigger the alert. Any suggestions?
[1]: /storage/temp/285685-capture.png
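One way to turn the forecast into an alert condition, as an added example that is not part of the original post: the rows that `predict` appends for the next 14 days are the daily buckets whose `_time` is later than `now()`, so filtering on that plus `Prediction <= 0` leaves only forecast breaches, and reducing to one row that exists only when a breach was found lets the alert trigger on "Number of Results > 0". The index, host, source and counter are the post's placeholders; the simplified field name `available_mb` and the threshold of 0 are my assumptions.

```spl
index=xxxxx host=xxxxx source="Perfmon:Memory" counter="Available MBytes"
| eval Value=Value/1024
| timechart span=1d avg(Value) AS available_mb
| predict available_mb AS Prediction future_timespan=14
| eval Prediction=round(Prediction, 0)
| where _time > now() AND Prediction <= 0
| stats count AS days_at_or_below_zero, min(_time) AS first_breach
| where days_at_or_below_zero > 0
| eval first_breach=strftime(first_breach, "%Y-%m-%d")
```

Schedule this search nightly with the same 21-day lookback and set the trigger condition to "Number of Results is greater than 0"; the returned `first_breach` date can be put straight into the email or Teams message. If the warning/critical values from `resource_thresholds.csv` should drive the alert instead of zero, apply the `lookup` before the final `where` and compare `Prediction` against `resource_threshold_critical` rather than `0`; note that `lower95(Prediction)` is the pessimistic bound and is the safer field to test if you would rather be paged early than late.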
↧
App: Broken Hosts App for Splunk, servers are going down and coming up and then working normally after checking on the Splunk site.
Hi,
I am continuously getting Splunk forwarder service agent alerts in the ticketing tool every week. Then I check on the Splunk site and it shows **server was not shut down or rebooted**, meaning the Splunk agent is able to get logs, so I need to close that request. I am getting too many requests like that. What might be the issue: are the servers restarting, or is it a Splunk agent issue? I have checked the splunkd logs also, but there is no error information. For some servers, I don't have privileges to check the logs.
Please provide some error information if you know of any. Which errors do we usually get for the Splunk Universal Forwarder? (Send me some examples of errors.)
Can someone please suggest what I can do?
Thanks in Advance.
↧
First and Last event of Transaction
Hi, I am working on a query where I need to join some events using the transaction command in Splunk. Below is my query, where I am joining a particular web service request with a response using a "requestID" and then extracting the data. Now, what happens is that if the response contains an error, it will retry, and maybe the next time it succeeds. The requestID remains the same here.
Right now this query is just using the first response event it encounters, and reports an error even if it is not one.
How do I extract the last of the responses so that I get the updated data, whether it resulted in an error or success?
index=temp ("SoapMessage" "GetCustomerRequest") OR ("SoapMessage" "GetCustomerResponse")
| rex field=_raw "\>(?<requestID>[^\<]+)\<\/\w+?\:requestID\>"
| transaction requestID startswith="GetCustomerRequest" endswith="GetCustomerResponse" keepevicted=true
| search eventcount > 1
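An added example, not from the original post, that sidesteps the limitation behind the problem: `transaction ... endswith="GetCustomerResponse"` closes the transaction at the first response, so a retried response for the same requestID can never land in the same group. Grouping with `stats` instead keeps the chronologically last response per requestID, whatever its outcome. The index, the message strings and the requestID extraction are taken from the post; the field names `msg_type`, `response_raw`, `last_response` and the assumption that the whole SOAP response is in `_raw` are mine.

```spl
index=temp "SoapMessage" ("GetCustomerRequest" OR "GetCustomerResponse")
| rex field=_raw ">(?<requestID>[^<]+)</\w+?:requestID>"
| eval msg_type=if(searchmatch("GetCustomerResponse"), "response", "request")
| eval response_raw=if(msg_type="response", _raw, null())
| eval response_time=if(msg_type="response", _time, null())
| stats earliest(_time) AS request_time, max(response_time) AS last_response_time, latest(response_raw) AS last_response, count(eval(msg_type="response")) AS response_count BY requestID
| where response_count > 0
| eval request_time=strftime(request_time, "%Y-%m-%d %H:%M:%S"), last_response_time=strftime(last_response_time, "%Y-%m-%d %H:%M:%S")
```

`latest()` and `max()` ignore events where the field is null, which is why the request event does not disturb `last_response`. Run your existing `rex` for the status or error fields against `last_response` after the `stats`, so the extraction only ever sees the final attempt; `response_count` tells you how many retries happened, which is itself worth reporting. Unlike `transaction`, this needs no `keepevicted` and does not hold events in memory waiting for the end marker.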
↧
Custom Source Type - Group by Column in TSV file
I have a TSV file I'm uploading into Splunk, and I'd like to be able to group by a column in the file itself.
So far I'm using the Splunk Source Type UI to create the custom source type, used the field tab to label the columns and I'm missing the step to group by a column.
Can anyone please advise?
Screen shot shows the setup below, I'd like to group by Session
![alt text][1]
[1]: /storage/temp/284687-screen-shot-2020-03-09-at-91811-am.png
↧
Splunk forwarder on Linux won't show login when required (and also not able to phone home)
I've installed the forwarder on Ubuntu and it did get the apps from the deployment server right after the install. But it does not get any updates; it cannot phone home. What the root cause is, I'm still not sure, but for some reason, whenever I type a command on the forwarder that requires you to provide a valid username/password, nothing happens. The CLI does not show the prompt for **Splunk username:** as it does on any of the Windows forwarders we have installed.
I'm pretty sure I will solve the phone home issue if I can solve the issue with username/password not showing, but no luck yet doing that.
↧
How to hide/remove Create New Dashboard button only for user Role
How do I hide or remove the Create New Dashboard button only for the user role?
↧
disk space allocation for newly created index
Is the defined disk size allocated once, at the time of index creation, or is it allocated based on index utilization?
↧
How to know what buckets are frozen due to size
I got an alert that some of the index buckets have been frozen due to size. How do I get the bucket details? I mean the dates of the buckets that got frozen.
↧
multi text input for search with a date, source, and location dropdowns
I am currently working on a dashboard that will simplify searching for some of our office personnel who are not Splunk savvy. I am creating a dashboard that has three drop-downs and six text inputs in order to ensure they get the specific results they are looking for; however, I am not sure if the code is working, or why the submit buttons are not working. I am very new to XML and any help would be appreciated.
my code:
Splunk made simple
@d now choclates veggies cakes pies All Food food_name index=goodies source=$source_token$
| stats count by food_name @d now $user_tok$ $uid_tok$ $src_tok$ $dst_tok$ $junkfood_tok$ $snack_tok$ Panel 1
↧
What is the price for SPLUNK APP FOR VMWARE after the 60-DAY FREE TRIAL?
I want to know What is the price for SPLUNK APP FOR VMWARE after the 60-DAY FREE TRIAL?
I checked splunkbase and this is the answer
THE SPLUNK APP FOR VMWARE IS AVAILABLE FOR A 60-DAY FREE TRIAL. If you wish to use the Splunk App for VMware beyond the trial, please contact your Splunk sales person.
↧
Why doesn’t the Archive Processor verify if there are new unread events within my archive file?
In my use case my source log (tailed by a monitor input stanza) is being archived once a day at midnight; the resulting archive file is tailed by the same input stanza and the original source log is then deleted. What I noticed is that if the Splunk instance monitoring that source goes down while new events are still being written to the source log, and the Splunk instance comes back up only after the original file has been archived and the source log deleted, then the Archive processor doesn't verify whether any new unread events can be found within the archive which the TailReader couldn't read (because the Splunk instance was down at the time). Please see the following example:
02-05-2020 12:53:00.442 +0000 INFO ArchiveProcessor - Handling file=/etc/ArchiveFolder/sourcelog5.log.gz
02-05-2020 12:53:00.443 +0000 INFO ArchiveProcessor - reading path=/etc/ArchiveFolder/sourcelog5.log.gz (seek=0 len=784)
02-05-2020 12:53:00.499 +0000 INFO ArchiveProcessor - Archive with path="/etc/ArchiveFolder/sourcelog5.log.gz" was already indexed as a non-archive, skipping.
02-05-2020 12:53:00.499 +0000 INFO ArchiveProcessor - Finished processing file '/etc/ArchiveFolder/sourcelog5.log.gz', removing from stats
02-05-2020 13:01:31.503 +0000 INFO WatchedFile - Will begin reading at offset=12392 for file='/etc/ArchiveFolder/sourcelog5.log.gz'.
Based on the documentation:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Data/Howlogfilerotationishandled
I would understand that both the Tailing and the Archive processor should behave the same, but apparently that is not the case here. I also did the complementary test and extracted the source log from the archive again, and at that point the Tailing processor realises that there are still some new unread events and starts ingesting them. Why is the Archive processor missing those new unread events?
↧
Table coloring with Multi-value Fields
Guys, I have one old Splunk 6.1.4 instance that I cannot decommission for a while (won't go into details :| ). I was looking at customizing the field colors of some of my Simple XML generated tables using the table examples here `https://splunkbase.splunk.com/app/1603/`, but this example works only for single-value fields and mine are multi-value. Does anyone have an example for multi-value fields? I'm a JavaScript noob!
↧
Make panels dynamically adjust based on screen size to keep layout the same
I would like to keep this layout regardless of screen size
![alt text][1]
when I go to a smaller screen it adjusts to this:
![alt text][2]
How can I fix its layout so it does not change on different screens?
TIA
[1]: /storage/temp/285695-view1.png
[2]: /storage/temp/285696-view-2.png
↧
Trace a value in Splunk / data lineage
Hi,
Is there a way to trace the origin of a specific value in Splunk? Currently I am trying to figure out which eventtype, lookup or eval is setting a tag and a field value for some events in Splunk. I used btool to figure out if there are some evals, but they do not apply. I found some lookups, but these do not contain the value I am looking for.
A code trace or data lineage function would be very helpful sometimes.
Does anyone know a function in Splunk or an app for this?
Thank you.
↧
How to search events happened before a particular statement in the log file
Hi All,
I am looking for a way to display the events which appeared before a particular error is written into the log files (for that particular error there is a configured alert).
That's the alert:
index=**** message="*Interface Broker Configuration Service error: No result retrieved from config service*"
First I tried with localize but was not able to get a result, only this one:
![alt text][1]
[1]: /storage/temp/285688-localize.jpg
And I don't know exactly how to filter the events that are written in the same log 5 s or 10 s before the error message occurs.
Another option was the combination of eval + map based on other questions posted on Splunk community but Splunk was not able to return a value:
| eval starttime=_time-180 | eval endtime=_time+1 | map search="search index=* earliest=$starttime$ latest=$endtime$"
Do you have any suggestions?
Cheers,
Konstantin
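One way to collect the events that precede each occurrence of the error without `map`, as an added example that is not part of the original post: mark the error events, carry each error's timestamp backwards over the older events with `streamstats`, and keep only the events that fall within 10 seconds before it. The message text is the post's; the index and sourcetype placeholders, the 10-second window and the `source` grouping are my assumptions.

```spl
index=your_index sourcetype=your_sourcetype
| eval is_error=if(match(message, "Interface Broker Configuration Service error: No result retrieved from config service"), 1, 0)
| eval error_time=if(is_error=1, _time, null())
| sort 0 -_time
| streamstats current=f last(error_time) AS next_error_time BY source
| where is_error=0 AND isnotnull(next_error_time) AND next_error_time - _time <= 10
| eval seconds_before_error=next_error_time - _time
| table _time, source, seconds_before_error, message
```

The search runs newest-first (the `sort 0 -_time` just guarantees that order), so `last(error_time)` is the timestamp of the nearest error that happens after the current event; `current=f` keeps the error event itself out of its own window, and `BY source` restricts "before" to the same log file. Change `10` to `5` for the tighter window, or replace the `<= 10` test with `<= 180` to match the three-minute lookback of the `map` attempt in the question. Because the whole index is read before filtering, keep the time picker narrow on busy indexes; if a single error at a known time is all you need, a plain search with `earliest` and `latest` around that timestamp is cheaper.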
↧
wget link for barracuda app
I am trying to find the wget link for the Barracuda WAF/ADC Add-on for Splunk,
but I am not able to find it :(
below add-on
https://splunkbase.splunk.com/app/3776/
↧
Populate Table with Previously Formatted Search Results
Hello,
I'm starting this post with a shoutout to @niketnilay because I used one of his posts as the basis for my dashboard. However, input from any/all Splunkers out there is appreciated.
Here is my code, modified from niketnilay's post. [How to show table result in one page/ table modification][1]
Show Table Results in One Page
↧