The app's page in Splunkbase says compatible up to v 6.5
↧
Will TM Deep Security app work with Splunk Enterprise v 6.6 ?
↧
How can I set the y-axis on my bar chart to be in duration?
I have the following search:
....| stats sum(callduration) as "totalcallduration" by Companycalls
Currently my search give me the result in second. I'm trying to get this result convert to duration so that I could map it on my bar chart. Is there an option that splunk could map bar chart for duration like excel? I want to get it to look like this:
![alt text][1]
[1]: /storage/temp/209718-3.png
↧
↧
Why can't I delete my LDAP strategy?
Just wanted to run this one by the Splunk community to see if anyone else has experienced this before:
-Earlier this week, I attempted to delete my LDAP strategy on one of my Search Heads
-When I clicked delete, I got an error message. Something like "Error occurred attempting to remove BDC_AD: In handler 'LDAP-auth': Does not exist: /nobody/system/authentication/BDC_AD"
-When I check /opt/splunk/etc/system/local/authentication.conf - I don't see my strategy that I tried to delete showing up. However, that strategy **still appears** in the Splunk Web UI.
-Furthermore, now the service account I use to connect to LDAP keeps locking out, due to invalid credentials.
What could be causing this LDAP strategy to persist and lock out my service account??
Thanks!
↧
How do I get a sparkline to display as a pie chart?
I am attempting to use the `sparkline` functionality to display a pie chart in a table. My data has an `asset_type` ( `workstation|server|router|appliance|printer|etc`) and a `status` ( `up|down|unknown`). There are a large number of asset types, and they are subject to change/increase in number, so I don't just want to have a different panel for each type. I'd like to show a table with the asset type and a pie chart showing the `up|down|unknown` ratio. I can't seem to get the `sparkline` to only show the counts for the 3 distinct values of `status`, it seems to want to show those values 'over time' so my pie chart ends up with 8+ pieces, rather than 3. As `pie` is a supported option for a sparkline, and using `time` in a pie chart doesn't make any sense... I assume I'm missing something. I was trying the following:
` | chart sparkline(count(status)) AS trend by asset_type`
XML Options:
>
↧
indexer cluster topology across two datacenters
Hello,
I am implementing Splunk.
1 Search Head
An indexer cluster with 2 peers
1 Master Node
X Heavy Forwarders
I have to deploy them across 2 datacenters.
Which is the best way to distribute these objects o the datacenters?
Thank you very much.
↧
↧
Sorry for too many questions This is our environment
Sorry for too many questions
This is our environment
6 Splunk servers
1) splunk01 – Ad HOC Search head used for standalone searches
47.14 GB Physical Memory, 10 CPU Cores
2) splunk02 – Enterprise Security Search Head has Enterprise Security app installed on it.
125.75 GB Physical Memory, 24 CPU Cores
3) splunk03 – Indexer – Syslog plus Indexer server
62.75 GB Physical Memory, 24 CPU Cores
4) splunk04 – Indexer – Syslog plus Indexer server
62.75 GB Physical Memory, 24 CPU Cores
Below two Splunk servers are on a host that has several other VMs hosted on it.
5) splunk05 – License Master plus Indexer cluster master
7.64 GB Physical Memory, 4 CPU Cores
6) splunk06 – Deployment Server
3.7 GB Physical Memory, 2 CPU Cores
Question 1) Our indexers 3&4 are also Syslog servers with HD of 5tb each is it a best practice to have Indexers and Syslog servers on the same box?
Question 2) Our License master with its current RAM and CPU config as stated above is it enough to be a License master?
Question 3) Since our Syslog and indexer reside on the same box does that mean our HFs don't play any role in forwarding data?
Question 4) Can we install DMC on our license master?
↧
hostname variable in file path is this possible.
We are pushing out forwarders to over 200 servers this month. I intend to connect the forwarders to a deployment server and then push out the server.conf file using the below setup.
[general]
serverName = $HOSTNAME
Since there are so many servers I do not want to manually set the hostname for each server. This seems to work but when I got to edit the inputs.conf file we have to monitor a server.log file that has the hostname before it.
[monitor:///testarea/host1_server.log]
I have tried setting "host1" to "$HOSTNAME" and "`hostname`". All which return the actual we are trying to monitor
When doing a ls -ltr on /testarea/$HOSTNAME_server.log it returns /testarea/host1_server.log.
Is splunk able to do this?
↧
Best practice for HTML link paths in custom Splunk apps
I am building a Splunk app, and until now I have been constructing the paths for the stylesheet and script links in my HTML dashboards like so:
``
I have seen it done this way in the Splunk web framework toolkit, and the links do work when the app is installed on a SH under {{SPLUNK_HOME}}/etc/apps.
However, when I push the app out to an indexer cluster (resulting in it being installed under {{SPLUNK_HOME}}/etc/slave-apps), all the links to other files/stylesheets/scripts in the app's project folder break.... which of course destroys the entire UI for the app.
So the question is this: what is the correct way to set up the paths for script/stylesheet links in HTML dashboards that is robust enough to handle both traditional deployment on a SH, and deployment to an indexer cluster via a cluster-bundle? So far, I actually haven't figured out any paths to resources within the app's project folder that resolve successfully on the indexer cluster.
Any help/suggestions are much appreciated.
↧
sorting a csv into rows
I have data which looks like the following:
[000003074859, 000003075752, 000003224575, 000003228286, 000003235217, 000003246379, 000003246434, 000003246725, 000003246934, 000003248574]
[0010242946, 0002363081, 000006459131, 0010275565, 000000430019, 000000465470, 000000465546, 000003228900, 000003616661, 000003648249]
I would like to:
1) Remove the brackets and commas
2) Change the csv into one row per entry
3) dedup
So, the final data would look like:
000003074859
000003075752
000003224575
....................
Thank you very much in advance
↧
↧
Is there a way to combine field values from different events?
Basically I am trying to see if there is a way to do an eval to grab a field value from two different events. For example lets say I have:
Application=Chrome Note=this is an application
Application=Chrome Note=this is an application2
So I want to see if there is a way to make a new field where Application=Chrome that combines the two notes together into another field. so it'd add a field that is like Newnote=this is an application this is an applcation2.
↧
transforms terminology
May I know the difference between writing transforms stanza in props.conf in different ways
Ex:
**transforms-xyz = transforms1, transforms2**
[in this case to my knowledge transforms2 executed first and the remaining events go to transforms2]
**AND**
**transforms-xyz=transforms1
tranforms-abc=transforms2**
↧
Adding static vertical lines to a scatter plot
Hello, right now I have a scatter plot of duration vs. size and i want to make 2 vertical lines at different values of duration. Any idea how to go about this? Note: This is not being plotted using the _time field at all. Thanks in advance!
↧
how to change background color for single values trellis by label, not by value
I have some trellis to single value visualization, but i need to change the background color for each trellis depending on label, not the value.
For example, this code changes the background-color if the trellis's label is "dbx_health_metrics"
if ()$(".viz-facet").first().first().text() == 'dbx_health_metrics') {
$(".viz-facet").first().last().css('background-color', '#000');
}
my problem is: when I execute JS in the dashboard, the search status is: in process, there fore the JS cant change the background-color because the object doesn't exist yet in the moment of execution
↧
↧
how to remove provider in conf indexes ?
i try to remove a provider named BigBox but splunk don't permiss me
i tryied first to delete it from indexes.conf, but i get some error when i try to restart splunk that let the splunk down.
after i tryied to remove it by the setting/virtual indexes and i get this message:
Object id=provider:BigBox cannot be deleted in config=indexes.
i don't understand why and how can i delete this provider
NB : there is no indexes using it
↧
F5 Analytics App - HTTP Unauthorized 401 and Member Key: "Invalid Authorization"
Hi All,
I'm trying to get the F5 Analytics App running on our Splunk Enterprise server:
https://splunkbase.splunk.com/app/3161/
I've got two way communication going between the F5 load balancer and the Splunk server, however there is nothing visible in the Splunk F5 Analytics App. There doesn't seem to be any data populating from the load balancers. I can see using Wireshark on the Splunk server that they are communicating on the correct addresses/ports, but the Splunk server returns this error:
![alt text][1]
[1]: /storage/temp/211579-splunk-error.jpg
Where can I edit settings on the server to correct this error?
Any help appreciated!
Thanks!
↧
Where does batch search write temp files?
I am seeing this error on panels:
[indexer01] Streamed search execute failed because: Error in 'BatchSearch': The search failed. Unable to write temp files to disk.
Where is it trying to write? (Yes, it's Windows and I know that Windows permissions suck.)
↧
What are the minimum capabilities to log into Splunk and view a pre-scheduled dashboard?
I'd like to grant a user access to a dashboard. He does not need to run searches, just view a dashboard I created with pre-scheduled searches populating the panels.
↧
↧
What's the difference between these two transforms stanzas in props.conf?
May I know the difference between writing transforms stanza in props.conf in different ways
Ex:
**transforms-xyz = transforms1, transforms2**
[in this case to my knowledge transforms2 executed first and the remaining events go to transforms2]
**AND**
**transforms-xyz=transforms1
tranforms-abc=transforms2**
↧
Splunk says I don't have permission to remove provider, BigBox, from indexes.conf
I tried to remove a provider named BigBox but Splunk says I don't have permission.
I tried first to delete it from indexes.conf, but I get some error when I try to restart Splunk that let the Splunk down.
After I tried to remove it by the setting/virtual indexes I got this message:
Object id=provider:BigBox cannot be deleted in config=indexes.
I don't understand why and how can I delete this provider?
NB : there is no indexes using it
↧
Can I create a substring from this string with two timestamps?
I was just looking up the eval substr function in splunk and was wondering if it is possible to get a substring from 0 to a character. basically I have a field that contains two times with a message:
Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT
I basically want to get a substring and grab from the beginning to GMT and set it into a new field Message1 then grab the rest in another substring and put that into message two.
Message1= hello 8/30/2017 01:32:00 GMT
Message2= goodbye 8/30/2017 01:33:00 GMT
↧