just add role , it might work : /opt/splunkforwarder/bin/splunk edit user admin -password $PASSWORD -role admin -auth admin:changeme ... View more

You can contact Education_AMER@splunk.com for support on this. Please provide them splunkID etc. they will connect and resolve the issue. ... View more

Error 255 : This is usually happens when the remote is down/unavailable; or the remote machine doesn't have ssh installed; or a firewall doesn't allow a connection to be established to the remote host or could be your host key verification failed. ... View more

check out your connectivity , seems like have an issue ... View more

Do you have issue with Error code=255 or scheduling an alert ? Try changing the trigger action to "For each result" ... View more

You can check out two option : 1. Check the permissions on your stored credential objects. They must be shared either globally or within the slack_webhook_alert app. 2.checkpointer-from where you are trying to access ... View more

@pgadhari try with html code to manage the size of panels , ... panel { font-family: arial, sans-serif; border-collapse: collapse; width: 100%; } ... ... View more

@cheriemilk , by-clause will make this resolve. check out field by SFDC , this makes results vary as you have added "by SFDC" . Thats the reason event count does not match stats count. Try removing the "by SFDC " from your search query , it fetch the results. https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Stats by-clause Syntax: BY Description: The name of one or more fields to group by. You cannot use a wildcard character to specify multiple fields with similar names. You must specify each field separately. The BY clause returns one row for each distinct value in the BY clause fields. If no BY clause is specified, the stats command returns only one row, which is the aggregation over the entire incoming result set. hope this is useful. ... View more

@sanjeev543 , It looks like your dispatch directory is full and asking you to cleanup some. You can navigate to /var/opt/splunk/var/run/splunk/dispatch for cleanup old files one from directories ... View more

you can add dashboard option through making an edit to navigation menus. here is the path to make the changes: Goto your app ->settings->userinterface->Navigation Menus->default -> add below entries here is example : hope it will resolve the issue. ... View more

when you search for sourcetype=example , it will fetch all sourcetype which has example as suffix or prefix . like sourcetypes one_example or example_two will be displayed ... View more

example : (warn OR error) NOT fail* Retrieves all events containing either “warn” or “error”, but not those that have “fail”, “fails”, “failed”, failure”, etc. example 2 : sourcetype=syslog [search login error | return user] here, search command, like all commands, can be used as a subsearch—a search whose results are used as an argument to another search command. Subsearches are enclosed in square brackets. For example, to find all syslog events from the user that had the last login error, use the following command: sourcetype=syslog [search login error | return user] hope it gives some help to your query ... View more

@golcondar , Sometime email ID would have an issue with exchange servers which does not allow to recieve any emails. Just my 2 cents here : try adding - @exchange.domain.com For xample - First.lastname@exchange.org.com , where org could be your organizational name ... View more

@jiaqya - This might be useful to you : https://answers.splunk.com/answers/356892/how-to-eliminate-old-reports-and-dashboards.html ... View more

Yes, you can check this in "Inspect Job" for related execution costs. ... View more

'zoom to select' will allow you to show only selected events for particular interval you applied 'zoom to select'. likewise 'Zoom-out' search will also re-execute as per applied selection. ... View more

you can enable search assistant mode that would allow you auto populate option: https://docs.splunk.com/Documentation/Splunk/7.3.3/Search/Usingthesearchassistant OR You can go to /etc/apps/user-prefs/default/user-prefs.conf : Check for search assistant, below i have compact mode [general] search_syntax_highlighting = 1 search_assistant = compact ... View more

@trojan_81 If you good with above , please accept the answers. thanks ... View more

you can enable search assistant mode that would allow you auto populate option: https://docs.splunk.com/Documentation/Splunk/7.3.3/Search/Usingthesearchassistant OR You can go to /etc/apps/user-prefs/default/user-prefs.conf : Check for search assistant, below i have compact mode [general] search_syntax_highlighting = 1 search_assistant = compact ... View more

HI, You can look into Authorize.conf for these - srchIndexesDefault = _internal srchIndexesAllowed= _internal if still issue persist , You can look for something in splunkd.log that can help tell you where the problem is by using ERROR keyword. CLI- grep ERROR $SPLUNK_HOME/var/log/splunk/splunkd.log ... View more

It could be if you might have use these lines : aFile.writelines('{"value":"1970-01-01 00:00:00.00","appVersion":"3.1.4","columnType":93,"timestamp":"1970-01-01T00:00:00.000+11:00"}') you want to read this https://answers.splunk.com/answers/516111/splunk-db-connect-v3-automated-programmatic-creati.html#answer-516112 ... View more