All Posts
If you get this error during a search, it is likely because you have an automatic lookup configured which cannot resolve to a valid lookup file. I recommend searching for lookups with keywords like reply_code to see if it exists.
Hi @ITWhisperer, thanks for assisting in this matter. One additional request: can I search from the JSON data/request body as source.name="My Recordings" and tabulate the accessible_by.name? Please help me with the Splunk query. Thanks in advance.
You could make a lookup containing the unix time when the API key expires, along with columns describing the key and where to renew it. Then you could make an alert in Splunk that checks if that unix time is X days away, e.g.

| inputlookup when_keys_expire.csv
``` 7*24*60*60 = 1 week worth of seconds ```
``` keep rows whose expiry is no more than a week from now ```
| where expirytime <= (now() + 7*24*60*60)

The downside to this is that you would have to manually set the lookup table separately when applying a new key.
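The same "expires within N days" check, written as an added example in plain Python rather than SPL so it can be run offline against a constructed CSV of the shape the answer above describes; this is not code from the original answer. The column names (key_name, expirytime, renew_at) and the sample rows are assumptions.

```python
"""Added example: detect API keys whose expiry falls within N days.

Mirrors the lookup-plus-where approach from the answer above; the lookup
columns and sample rows below are constructed for illustration."""
import csv
import io
import time

ONE_DAY = 24 * 60 * 60

# Constructed lookup, assumed to have the same shape as when_keys_expire.csv.
# expirytime is a unix timestamp; {soon}/{far}/{past} are filled in relative
# to a chosen "now" so the example is deterministic.
SAMPLE_LOOKUP_TEMPLATE = """key_name,expirytime,renew_at
azure-ta-client-secret,{soon},https://portal.azure.com/ (App registrations)
backup-svc-token,{far},https://vault.example.internal/
legacy-ci-key,{past},https://ci.example.internal/
"""


def sample_lookup(now):
    """Build the constructed lookup: one key 3 days out, one 60 days out,
    and one that expired yesterday."""
    return SAMPLE_LOOKUP_TEMPLATE.format(
        soon=now + 3 * ONE_DAY,
        far=now + 60 * ONE_DAY,
        past=now - ONE_DAY,
    )


def keys_expiring_within(lookup_csv, days, now=None):
    """Return the lookup rows whose expirytime is at most `days` away.

    Already-expired keys (negative days_left) are included on purpose: they
    need attention at least as urgently as keys that are about to expire.
    """
    if now is None:
        now = int(time.time())
    horizon = now + days * ONE_DAY
    hits = []
    for row in csv.DictReader(io.StringIO(lookup_csv)):
        expiry = int(row["expirytime"])
        if expiry <= horizon:  # same predicate as the SPL `where` clause
            hits.append({**row, "days_left": (expiry - now) // ONE_DAY})
    return hits


def alert_lines(hits):
    """Human-readable alert body, one line per key."""
    return [
        f"{h['key_name']}: {h['days_left']} day(s) left, renew at {h['renew_at']}"
        for h in hits
    ]


if __name__ == "__main__":
    now = int(time.time())
    for line in alert_lines(keys_expiring_within(sample_lookup(now), 7, now)):
        print(line)
```

Running the script prints the two keys that need action (the one expiring in three days and the one that already expired); the 60-day key is silent until it crosses the horizon.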
My issue was with the 3 new internal indexes that Splunk Enterprise introduces. In short, my fix was to add the line selectiveIndexing = true in the %SplunkHome%/etc/system/local/outputs.conf file. Here is a link in the docs referring to this fix. Otherwise, I'm including the synopsis of the symptom/fix from the link I provided initially. Hope that helps.

Resolution

What causes symptom 1?

Splunk Enterprise 9.2.0 introduces a scalable Deployment Server (DS) feature, which makes the DS tier more resilient and highly available. Under the hood, several new internal indexes are introduced to accommodate this feature:

_dsphonehome
_dsclient
_dsappevent

These indexes are defined in Splunk Enterprise 9.2.x by default. If your DS forwards its data to remote indexers and the indexers are running an older Splunk version, the latter will not have the above-mentioned indexes defined. This will result in the DS being unable to forward and search its DS/DC-related events. The DS's Forwarder Management UI is then unable to list the Deployment Clients (DCs), despite the clients phoning home without any issue.

Fix for symptom 1:

The idea behind it is simple: as long as your DS can index its DS/DC events to the 3 indexes above and search them back, your clients should appear in the UI.

Steps:

1. Allow your DS to selectively index the phone home, client and app events to itself. This is especially applicable to an on-prem DS that forwards data to Splunk Cloud indexers, but it can be applied to a completely on-prem/cloud BYO environment as well.

Add the following parameters and values to the DS's outputs.conf file, followed by restarting the splunkd service.

[indexAndForward]
index = true
selectiveIndexing = true

2. This step is applicable if your DS is forwarding its data to an on-prem indexing tier and the indexers' version is older than 9.2.0:

Configure the 3 indexes mentioned earlier on your indexing tier. If your indexers are non-clustered, add the index definitions on each of them manually or using your preferred automation. If your indexers are clustered, push the index definitions from the Cluster Manager and enable replication (repFactor = auto) to benefit from cluster redundancy.

Sample indexes.conf configuration:

[_dsphonehome]
homePath = $SPLUNK_DB/_dsphonehome/db
coldPath = $SPLUNK_DB/_dsphonehome/colddb
thawedPath = $SPLUNK_DB/_dsphonehome/thaweddb
# clustered indexers only
# repFactor = auto

[_dsappevent]
homePath = $SPLUNK_DB/_dsappevent/db
coldPath = $SPLUNK_DB/_dsappevent/colddb
thawedPath = $SPLUNK_DB/_dsappevent/thaweddb
# clustered indexers only
# repFactor = auto

[_dsclient]
homePath = $SPLUNK_DB/_dsclient/db
coldPath = $SPLUNK_DB/_dsclient/colddb
thawedPath = $SPLUNK_DB/_dsclient/thaweddb
# clustered indexers only
# repFactor = auto

There is one additional step only if your DC sends its data to the indexers via an intermediate forwarder AND your intermediate forwarder's version is older than 9.2.x:

Add the following parameter and value to the intermediate forwarder's outputs.conf file, followed by a splunkd service restart.

[tcpout]
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent)

At this point, the deployment clients should appear in the Forwarder Management UI > Clients tab.

Tips:

If you still can't see the clients, run the following query on the DS and check whether it returns some events:

index=_ds*

If the query returns nothing and your DS is also a Distributed Monitoring Console instance, go to Settings > Monitoring Console > Settings > General Setup. Locate your DMC (This instance) and click Edit > Edit Server Roles. Tick the Indexer role and click Save. Run the query again to confirm it is working.
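A pre-flight check for the three configuration pieces in the procedure above, written as an added example; it is not code from the post or from Splunk. It parses Splunk-style .conf text with Python's configparser and reports which required settings are missing: the [indexAndForward] stanza on the DS's outputs.conf, the three _ds* index stanzas (with repFactor = auto when the indexers are clustered) on indexes.conf, and whether an intermediate forwarder's forwardedindex.2.whitelist covers the _ds* indexes. The sample .conf fragments are constructed inline from the values the post gives.

```python
"""Added example: validate the DS/indexer/intermediate-forwarder settings
from the fix above. Splunk .conf files are INI-like, so configparser is
enough for this check; the sample fragments below are constructed."""
import configparser

# Index names from the post, in the order it lists them.
DS_INDEXES = ("_dsphonehome", "_dsclient", "_dsappevent")


def parse_conf(text):
    """Parse Splunk-style conf text; keep key case, no % interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys such as selectiveIndexing are case-sensitive
    cp.read_string(text)
    return cp


def check_ds_outputs(text):
    """Problems with a DS outputs.conf (empty list means the step is done)."""
    cp = parse_conf(text)
    if not cp.has_section("indexAndForward"):
        return ["missing [indexAndForward] stanza"]
    problems = []
    for key in ("index", "selectiveIndexing"):
        if cp.get("indexAndForward", key, fallback="").strip().lower() != "true":
            problems.append(f"[indexAndForward] {key} is not true")
    return problems


def check_indexer_indexes(text, clustered=False):
    """Problems with an indexer's indexes.conf for the three _ds* indexes."""
    cp = parse_conf(text)
    problems = []
    for idx in DS_INDEXES:
        if not cp.has_section(idx):
            problems.append(f"index {idx} not defined")
            continue
        for path in ("homePath", "coldPath", "thawedPath"):
            if not cp.has_option(idx, path):
                problems.append(f"{idx}: {path} missing")
        if clustered and cp.get(idx, "repFactor", fallback="") != "auto":
            problems.append(f"{idx}: repFactor should be auto on clustered indexers")
    return problems


def check_intermediate_whitelist(text):
    """_ds* indexes absent from an intermediate forwarder's whitelist."""
    cp = parse_conf(text)
    raw = cp.get("tcpout", "forwardedindex.2.whitelist", fallback="")
    allowed = set(raw.strip().strip("()").split("|"))
    return [f"{idx} not in forwardedindex.2.whitelist" for idx in DS_INDEXES if idx not in allowed]


# Constructed samples: one correct and one incomplete variant of each file.
GOOD_OUTPUTS = """
[indexAndForward]
index = true
selectiveIndexing = true
"""
BAD_OUTPUTS = """
[indexAndForward]
index = true
"""
INDEXES_CONF = """
[_dsphonehome]
homePath = $SPLUNK_DB/_dsphonehome/db
coldPath = $SPLUNK_DB/_dsphonehome/colddb
thawedPath = $SPLUNK_DB/_dsphonehome/thaweddb
repFactor = auto
[_dsappevent]
homePath = $SPLUNK_DB/_dsappevent/db
coldPath = $SPLUNK_DB/_dsappevent/colddb
thawedPath = $SPLUNK_DB/_dsappevent/thaweddb
# repFactor = auto
"""
WHITELIST_OLD = """
[tcpout]
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker)
"""
WHITELIST_NEW = """
[tcpout]
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent)
"""

if __name__ == "__main__":
    print("DS outputs.conf:", check_ds_outputs(BAD_OUTPUTS))
    print("indexes.conf (clustered):", check_indexer_indexes(INDEXES_CONF, clustered=True))
    print("intermediate forwarder:", check_intermediate_whitelist(WHITELIST_OLD))
```

To use it on a real deployment, read the files from $SPLUNK_HOME/etc/system/local (or the app directory that actually wins in btool) and pass their text to the three check functions; an empty list from all three means the steps above are in place.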
Please let me know if you get an answer
Also, when I enter:

| eval start_date=relative_time(now(), "-90d@d")
| eval end_date=now()
| where DATE >= start_date AND DATE <= end_date

below the stats count command line at the end, the query does not filter my data.
Hey, maybe this is a better example.

| union index=osp source=xxx EVENT_TYPE=xxx EVENT_SUBTYPE=xxx
| search PLNF=* REN=INT OKELS=""
| eval DATE = strftime(strptime(BADAT, "%Y%m%d"), "%Y-%m-%d")
| stats count as example1 by FNHB FNPO DATE
| eval SourceType="example 1"
[ search index=osp source=xxx EVENT_TYPE=xxx EVENT_SUBTYPE=xxx PLNF=* REN=INT HTSZ=R OKELS="" EHUH=FIERY
  | eval DATE = strftime(strptime(BADAT, "%Y%m%d"), "%Y-%m-%d")
  | stats count as example2 by FNHB FNPO DATE
  | eval SourceType="example 2" ]
[ search index=osp source=xxx EVENT_TYPE=xxx EVENT_SUBTYPE=xxx PLNF=* REN=INT HTSZ=R OKELS="" NOT EHUH=FIERY
  | eval DATE = strftime(strptime(BADAT, "%Y%m%d"), "%Y-%m-%d")
  | stats count as example3 by FNHB FNPO DATE
  | eval SourceType="example 3" ]
| stats count(example1) as "example 1" count(example2) as "example 2" count(example3) as "example 3" by DATE

I didn't quite understand how you were filtering the search fields on that second line.
Restart didn't help.
Nope. Is it necessary to restart splunkd?
Is the client set to restart itself when it downloads the app?
Hi @DavidHourani, I have a similar kind of requirement, but I have the hostnames coming in as IPs. There are too many IPs, and it is difficult to add everything one by one; also, there is a possibility that new IPs come in at a later point. Can I try something like [host::10.24.*]? I tried it and it seems not to work. If it is not possible to use a wildcard with an IP for host-based settings, what else would you suggest? Thanks,
The credentials used to connect the Splunk TA for Azure were set to expire in 6 months from now. I would like to get an alert created for that in Splunk so we can update them a week before they expire, so it does not take us by surprise. I do not want to set a personal reminder, just in case someone else is in the role by then. Thanks for your help.
Hello all. I am trying to build a straightforward dashboard for some executives. I am the only one on my team who uses and knows how to use Dashboard Studio. By default, I have the "ALL" option chosen, but upon choosing any other option from my multi-select input, I receive an error in my table indicating that no search results have been returned. The only option that works is the "ALL" option. This also happens when I use the dropdown input.
How can I make the Splunk agent collect web browser or network logs from endpoints (Windows, Linux) and send them to the Splunk server?
Hello, I have a problem with Deployment Server. I would like to set up e-mail settings for all my Splunk servers using a deployment application. I have created the deployment server, and I have created the classes and applications I want to deploy. The application is downloading to the right servers. The application is very simple. I created the file "/opt/splunk/etc/deployment-apps/setSplunkCommonConfig/default/xxx_alert.actions.conf" with the following content:

[email]
allowedDomainList = domain.com
pdf.header_left = none
pdf.header_right = none

This application is downloaded to the client, and it is stored under the "/opt/splunk/etc/apps/setSplunkCommonConfig" directory, and the file "xxx_alert.actions.conf" is there. So distribution of the application looks to be working fine. But the problem I have is that the settings from the file "xxx_alert.actions.conf" are not applied on the client. What am I doing wrong? Can the deployment server copy files to the directories "/opt/splunk/etc/system/local" or "/opt/splunk/etc/system/default", or both? Thank you for any hint.
In need of a workable universal forwarder that can be installed on Solaris 5.10 SPARC. I think the latest version of 7.x should work, but it's been taken off the download page. 8.x didn't mention whether it will work on 10, so I am in need of someone to help me get a 7.x universal forwarder for Solaris 10 SPARC.
The link seems to be broken. What was the solution? Thanks.
Appreciate the time you spent on it; it worked.
You should be able to search for the dashboard name(s) in the _audit index.