What is the best approach for data visualization using tstats? I am new to using tstats; I moved away from using the regular search index because it speeds up the query process. For example, I made this query to show the vulnerabilities found on each IP:

| tstats summariesonly=t dc(Vulnerability.signature) as vulnerabilities from datamodel=Vulnerability by Vulnerability.dest
| sort -vulnerabilities
| rename Vulnerability.dest as ip_address
| table ip_address vulnerabilities

For example, the first line from that query shows IP 192.168.1.5 has 4521 vulnerabilities found. Then I also created another detail table to verify and show some other columns related to that IP (click IP and send token), but it shows a different amount of data (4638 events).

| tstats summariesonly=t count FROM datamodel=Vulnerability WHERE Vulnerability.destination="192.168.1.5" AND Vulnerability.signature="*" BY Vulnerability.destination, Vulnerability.signature, Vulnerability.severity, Vulnerability.last_scan, Vulnerability.risk_score, Vulnerability.cve, Vulnerability.cvss_v3_score, Vulnerability.solution
| `drop_dm_object_name(Vulnerability)`
| rename destination as ip_address
| fillnull value="Unknown" ip_address signature severity last_scan risk_score cve cvss_v3_score solution
| table ip_address signature severity last_scan risk_score cve cvss_v3_score solution

And I know this is related to the inaccuracy of the query, because if I change the "BY" parameter it will change the amount of data displayed too. How do I make the data count of this query match the output of the first query, but still display the other fields even though they are empty?
The appendpipe effectively reprocesses the stats event returned by the first timechart, but in order to do this they have to be broken out of the chart format, which is what the untable does. The xyseries puts the events back into the chart format with the additional column for the count of nodes for each time period.
I've noticed a ton of "Unable to read in product version information" and "[HTTP 401] Client is not authenticated" errors lately in the splunk _internal logs. Has anyone else seen the same problem? Is this something that should be ignored? Thanks
We are getting hundreds of these errors a day in the internal logs for orig_component="SearchOperator:rest" and for app="website_monitoring":

Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/data/inputs/web_ping?count=0 from server https://127.0.0.1:8089. Check that the URI path provided exists in the REST API.

I could not find anything pointing to that IP in our website_monitoring app. Could it be something configured to point to some local endpoint? Is anyone else coming across this issue? Thanks
Recently, I observed a message in Splunk Cloud (version 9.2.2403.105) stating, "Found an empty value in 'allowedDomainList' in alert_actions.conf." However, when I check the "Allowed Domain" setting in the UI by navigating to "Settings > Server settings > Email," it indicates "Leave empty for no restrictions." Despite this, I am still seeing the warning message.   #splunkcloud  #splunk
Hello Everyone! I just installed Splunk ES trial on EC2 and also tried on a Digital Ocean instance. All goes well. But then I try to sign in, and after typing creds it shows a server error. I read multiple discussions and threads and tried applying some fixes to web.conf, but nothing works so far. I grabbed some error logs from the splunkd.log file and am sharing them here as well.

08-20-2024 15:26:55.179 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:55.379 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:55.579 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:55.779 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:55.979 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:56.183 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:56.383 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:56.583 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:56.783 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:56.983 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:57.183 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:57.383 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:57.583 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:57.783 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:57.987 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:58.187 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:58.387 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:58.587 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:58.787 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:58.987 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:59.187 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:59.387 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:59.587 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:59.791 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:26:59.991 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:27:00.191 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:27:00.395 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:27:00.595 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:27:00.795 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:27:00.999 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:27:01.199 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:27:01.399 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
08-20-2024 15:27:01.599 +0000 WARN HttpClientRequest [55474 WebuiStartup] - Returning error HTTP/1.1 502 Error connecting: Connection refused
Sorry, I don't understand this. What is the intent of the appendpipe and xyseries? The end result should be a timechart containing the average of some measurement and a count of distinct "nodes".
If you have multiple panels, you are probably going to have to use multiple tokens.

<html>
  <style>
    #single1 text { fill: $colour1$ !important; }
  </style>
</html>

| eval _colour=if(final_status ="OK","Green","Red") | fields final_status _colour</query>
<earliest>-15m</earliest>
<latest>now</latest>
<done>
  <set token="colour1">$result._colour$</set>
</done>

<html>
  <style>
    #single2 text { fill: $colour2$ !important; }
  </style>
</html>

| table status _colour</query>
<earliest>@d</earliest>
<latest>now</latest>
<done>
  <set token="colour2">$result._colour$</set>
</done>
Hi @vid1, you have to configure three items in /etc/rsyslog.conf.

In the MODULES section:

module(load="imudp") # needs to be done just once

or

module(load="imtcp") # needs to be done just once

depending on the protocol you're using.

Then, in the TEMPLATES section:

template(name="tmpl-paloalto" type="string" string="/var/log/remote/%fromhost%/paloalto/%HOSTNAME%/paloalto_%$YEAR%-%$MONTH%-%$DAY%_%$HOUR%.log")

This string must be modified based on the path and the name of the files that must be written.

Lastly, the rule to implement:

ruleset(name="writeRemoteData" queue.type="fixedArray" queue.size="250000" queue.dequeueBatchSize="4096" queue.workerThreads="4" queue.workerThreadMinimumMessages="60000") {
  # network - paloalto
  if $HOSTNAME == "10.10.10.10" then {
    action(type="omfile" ioBufferSize="64k" flushOnTXEnd="off" asyncWriting="on" dynafile="tmpl-paloalto" DirCreateMode="0770" FileCreateMode="0660" template="fmt_default")
    stop
  }
}

This is the most important and difficult part to implement, because you have to implement all your rules.

Ciao.
Giuseppe
1. This search is not proper SPL. The quotes don't add up so it's not obvious if you're quoting whole search or indeed have unneeded quotes in it. 2. Are you sure you're not forgetting about escaping quotes in your string containing search? 3. On Splunk's side, back around 8.0 or even a bit after that the order of arguments with bin and timechart was important. You needed to put the "span=12h" as the first parameter immediately after the command. With sufficiently modern Splunk version it's more lenient to just placing the span parameter almost anywhere.
Yes, i need configuration rsyslog or syslog-ng on the Linux server
Hi @vid1, are you speaking of output configuration on the NAS or syslog input configuration on SC4S? About the NAS, I cannot help you; you should search in the NAS Management menu. About SC4S, I don't like it; I prefer to configure rsyslog (or syslog-ng) for receiving and then inputs on the UF. Ciao. Giuseppe
Depends on what you mean by latency. If it's pure network-level latency you mean, then it's up to you to verify what latency you have between those environments, and no architecting can overcome that. But of course in terms of egress data, if you just set many different environments in different clouds as peers for a single SH(C), you'll get a lot of traffic, since each time your search hits a centralized command it will have to send all results it has so far to the SH layer.
That add-on is not working. We can collect logs from the syslog server, but I don't know how to configure it.
Hi @vid1 , check if the Dell PowerScale Add-On for Splunk (https://splunkbase.splunk.com/app/2689) is the correct one for you. Otherwise you have to create your own custom add-on. Ciao. Giuseppe
NAS (PowerScale storage logs). We need syslog configuration in the HF. How do we configure syslog in our HF?
Hi @vid1, what's your NAS technology? Is there an Add-On for it in apps.splunk.com? If yes, install it on the Forwarder and on the Search Head. Ciao. Giuseppe
Hi @gowthammahes, if you want to limit the time access for some users, you can apply a limit to the role of these users. Ciao. Giuseppe
Hello Everyone, I have a requirement that the data be searchable up to the last 30 days in the search page, but the index retention period is 90 days. Basically it should allow the user to search only between the last 30 days of events, and, if it is required, allow the user to search for 90 days. Is there any configuration available to make the data searchable and not searchable in Splunk? Thanks in advance
We need a NAS logs integration to Splunk, but I don't know how to integrate it. We have an SC4S container. Can anyone help on this?