All Posts
Hi all, I am getting the logs from this query, but I need a query to get the deviation of the error count between two time periods: index="prod_k8s_onprem_dii--prod1" "k8s.namespace.name"="abc-secure-dig-servi-prod1" "k8s.container.name"="abc-cdf-cust-profile". For this I need to consider the volume of logs as well. Depending on the deviation percentage I will decide whether to promote the deployment or stop the deployment.
Well, that's very good news. And IMHO it's a good solution to be found in the future: get your data in order first. Just leave the thread be.
I have a number of events in 2 categories (CAT A and CAT B). There are successful events and failed events with different RESULT values. I need to calculate the error percentage of a specific failed event (RESULT = 404) that occurs only in CAT B. I need to segregate CAT A from the calculation. Then the final result should be: ( count(RESULT = 404) / count(CAT B) * 100 ), plotted for every 5 minutes. Please suggest.
We recently added a TOS to our deployment. We have smart card auth enabled as well. When both are enabled at the same time and we select "OK" to agree to the terms, nothing happens; prior to getting to the TOS screen we have already authenticated using the smart card. If we disable smart card auth and just allow UN/PW sign-in we are able to accept the terms and continue on our merry way. If we disable the TOS and just have smart card auth enabled we are allowed to continue. What is (or is not) happening such that we can't have both enabled simultaneously?
Yes, that is me. I am sorry for using two channels for the same question; after asking in Slack I searched again about the issue on the web but could not find any previous questions. Therefore I realized it could be better to ask here for future Splunk explorers. However, eventually I was able to resolve the issue by editing my third-party source code (not my Splunk UF) to produce validly formatted JSON messages. So the problem is solved, but not in conventional ways. For this reason I think the question should be completely deleted in order to avoid future confusion. How can I remove this question completely?
Hi All, Data is not getting indexed after adding the conf
After rebuilding the Docker image of DBConnect, it requires a restart of the container in order to start showing data flowing. Is there something I'm missing that is making me need to perform a restart of the app for it to work properly?
Hello Splunkers, I've created a custom role with very basic capabilities enabled. The capability "edit_own_objects" has been disabled. For some reason the user is able to clone reports as well as save searches as reports. Also, the user is able to access the "New Report" button when clicking Settings -> Searches, Reports, Alerts. I thought disabling the edit_own_objects capability would prevent the user from creating any objects, but that is not the case. I've made sure the user only has read access to the app as well. Any help or suggestions would be appreciated! Thanks!
My target is not only to show proper percentiles but also to count elements in every percentile. So the first step I did is: index="oap" | stats perc25(tt) as P25, perc50(tt) as P50, perc75(tt) as P75 by oper. It gives me the expected values for each percentile, so the first part is ready. Then I figured out something like | where tt>P75 | stats values(P75) count by oper. It adds an additional column, but only with data from one (75th) percentile. But how to prepare a query which returns the count for each percentile?
Hey all, I am taking input over TCP by having this in my inputs.conf:

[tcp://1.2.3.4:123]
connection_host = ip
index = index1
sourcetype = access_combined

My question is, can I have the same port send data to multiple indexes? I.e. without opening additional ports on my firewall, can I have another host send data to the same port but land in a different index? I tried adding this:

[tcp://5.6.7.8:123]
connection_host = ip
index = index2
sourcetype = access_combined

but that just stopped the ingestion altogether. Thanks.
Hi @sintjm, I'm a Community Moderator in the Splunk Community. This question was posted 8 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
To make it clear about the existing condition: there is a list of hostnames & IPs that have different owners, as well as null owners, and by default the hostname dropdown only shows the hostnames that have an owner value, and does not show the hostnames that don't have an owner. How to refine this? Following is the related capture: and this for the search output:
Hi Team, Our Splunk environment, including Search Heads, Indexers, and CM, is hosted in the cloud and managed by Splunk Support. We manage our Deployment Master and Heavy Forwarder servers, which are hosted in Azure. We are ingesting logs from both Windows and Linux servers via Splunk Universal Forwarder. For some time, we have been ingesting IIS logs from all Windows machines, defining the sourcetype based on the application and environment. For instance, logs from an application server named "xyz" have a sourcetype of "xyz:iis:prod." However, our internal SOC team has identified that data parsing for these IIS logs is not occurring, and it needs to be addressed immediately without changing the host or sourcetype information. Currently, when the sourcetype is set to "iis," fields are auto-extracted, but when a different sourcetype is used, field extraction does not happen. I need to ensure that field extraction for Microsoft IIS logs works correctly while keeping the sourcetype unchanged. How can this be achieved?
Hey, a few years late, but I'm just wondering if you changed the timestamp into epoch time before using the transaction command?
You didn't say to drop the "g" at the end. Of course your suggestion helped, but not fully.
I am also facing the issue. I can see my Splunk home directory is /opt/splunkforwarder. I tried to change it via splunk-launch.conf but it is not working. How to change the home directory to /opt/splunk? @isoutamo
This worked. Finally, I did this and solved the 502 error (including the Server Error shown after search) with AWS ALB. Set the same value (60 seconds) for busyKeepAliveIdleTimeout and the Connection idle timeout of the ALB. Disabled HTTP/2 on the ALB. SHC on Splunk 7.3.3 and 8.2.8 both worked. I also found and verified that this can solve the 502 error of the ALB: NLB -> ALB as target group, with the default value for busyKeepAliveIdleTimeout and the Connection idle timeout of the ALB; no need to change any timeout settings. Ref. https://repost.aws/ja/knowledge-center/alb-static-ip