Need to create a dashboard
Hi, I'm able to get the count for NumberFormatException but the NumberFormatException is displayed in separate column. Please verify the screenshot. You will be able to understand. I need to move the...
Splunk user unable to access datamodel data.
Users are unable to access data from a dashboard. We are using a datamodel to create that dashboard. We have enabled read access for this dashboard and datamodel but not to the raw data index. Please...
How do I change the value of a field if a condition occurs?
Hi community! I'm using Splunk Enterprise to create dashboards with my client's ServiceNow incident information. 1. My company ***only looks at tickets from assignment_group A***. 2. So, I have a...
universal forwarder different domain from where the Splunk is running
When installing the universal forwarder into a trusted domain, do I need to add an account from domain A into domain B? The instructions for the universal forwarder say a domain user account is needed so I...
log file size Vs license size per day by specific index
Hi, I have one forwarder and one (IDX+SH). I am ingesting a few hundred .txt files from HWF to one specific index. Now I want to know what log file size actually it has indexed per day vs what...
Splunk DB Connect Connection is invalid
Hello everyone, I am trying to configure a connection for MSSQL version 2008, however the DB connect message is Connection is invalid / (No detail). I have already tested the account and it works in...
Bundle reload is in progress. Waiting for all peers to return the status.
My Splunk environment is: 1 Search Head, 1 Deployment Server (Master Node), 2 Indexers (Cluster). I tried to implement a retention policy to delete data more than 365 days old in the indexer, so I implement the...
props.conf timestamp clarification
I have json data that can vary greatly in size with the timestamp field coming at the end of each event. I'm able to parse all the timestamps correctly using the config TIME_PREFIX="timestamp":+ except...
subtract meterRead from Yesterday’s meterRead
My electric meter sends a number but I want to subtract the current from the number an hour ago, so I can chart the usage for each hour. My search: source="/home/we/plex/movies/meter.elec" _time=*...
db_connect query works but does not store in index
We have a query running as an input in db_connect. The query itself is successful, (takes about 30 seconds to run) we have our query timeout set to 300 seconds just to ensure it would run. Once we set...
How to reduce space between 2 panels aligned vertically?
I have 2 panels - one with Horseshoe meter and the other with status indicator. Horseshoe meter shows value in percentage, while status indicator shows in number which is detailed. I have aligned both...
can we make a field to _time and pass values through earliest / latest in splunk
can we make a field to _time and pass values through earliest / latest or through Time range button?
Perfmon:CPU timestamp
Hello! I'm trying to change the timestamp (_time) from Perfmon:CPU before index, to use my Splunk Heavy Forwarder date instead of the original event timestamp. The Perfmon:CPU _raw is: 05/07/2020...
Rename a field Value in a lookup file?
I have a lookup file called template.csv and it has field values. I want to rename a field value with another, say mango to banana. How can we do this? Also, if I want to replace the field values in 2...
how to implement ssl in outputs.conf
More than 70% of forwarding destinations have failed. Ensure your hosts and ports in outputs.conf are correct. Also ensure that the indexers are all running, and that any SSL certificates being used...
What happens if you leave SmartStore?
If I have data in S3 for SmartStore, what happens to that index data if I decide to stop using SmartStore? Will that data go back to the local storage on our indexers? Do we just lose everything in...
How to set up shared datamodels
We have a SHC of three members & 1 Enterprise Security. Prior to 8.0 each were running their own datamodels. Now that shared datamodel summaries is possible, I would like to set this up to reduce...
SAI doesn't show any alert in Alerts tab
We have SAI installed on a Searchhead (SH), and Add-ons are installed on an Indexer (IDX) and a HeavyForwarder (HF) in a distributed system. The Add-ons on the IDX created 3 indexes which are...
join multiple searches into field values
I would like to create Cache_Hit, Cache_Miss and Revalidate_Hit based on the below and display them in the pie graph with percentages and count values. Cache_Hit is when the field...
Send an alert if process is not running in linux
Hi - I need to create an alert where if a process is not running in a Linux server, then it should send out an alert: Below query is giving me correct results of all the processes running in a...