All Posts

Hello, we have created lookup definitions that use CIDR matching for IPv4 IPs and they are working as expected. We are running into issues with IPv6. We are trying to create a lookup definition that does a CIDR lookup on an IPv6 IP. The lookup file uses CIDR notation. One example from the file is:

2a02:4780:10::/44

The IP that should match is:

2a02:4780:10:5be5::1

The lookup definition is: CIDR(network)

Are IPv6 CIDR lookups supported? If not, how can we write the lookup definition to satisfy the requirement?
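For comparison with the CIDR(network) lookup above, here is an added example (not part of the original post) of a CIDR lookup that handles IPv4 and IPv6 rows in one table with Python's standard ipaddress module; it uses the poster's sample network and address, while the other rows and the labels are constructed.

```python
"""Added example: mixed IPv4/IPv6 CIDR lookup with longest-prefix match."""
import ipaddress
from typing import Optional

# Constructed lookup table in the shape of a Splunk CSV lookup: (network, label).
# The first row is the poster's sample network; the rest are made-up entries.
LOOKUP_ROWS = [
    ("2a02:4780:10::/44", "hosting-provider-v6"),
    ("2a02:4780::/32", "hosting-provider-v6-aggregate"),
    ("10.0.0.0/8", "rfc1918-a"),
    ("192.0.2.0/24", "test-net-1"),
]

def parse_rows(rows):
    """Parse CIDR strings once; strict=False tolerates host bits set under the mask."""
    return [(ipaddress.ip_network(net, strict=False), label) for net, label in rows]

NETWORKS = parse_rows(LOOKUP_ROWS)

def cidr_lookup(ip: str, networks=NETWORKS) -> Optional[tuple]:
    """Return (network_str, label) of the longest matching prefix, or None.

    Mirrors what a CIDR(network) lookup definition is expected to do: an
    address only matches networks of the same family, and when several
    rows contain the address the most specific prefix wins.
    """
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return None  # malformed input is a miss, not an exception
    best = None
    for net, label in networks:
        if addr.version != net.version:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return (str(best[0]), best[1]) if best else None

def prefix_bits(ip: str, length: int) -> str:
    """First `length` bits of an address, to check a /44 by hand."""
    addr = ipaddress.ip_address(ip)
    return format(int(addr), f"0{addr.max_prefixlen}b")[:length]

if __name__ == "__main__":
    print(cidr_lookup("2a02:4780:10:5be5::1"))  # the poster's sample address
    # A /44 covers the first 44 bits, i.e. two full hextets plus 12 bits of the third.
    print(prefix_bits("2a02:4780:10:5be5::1", 44) == prefix_bits("2a02:4780:10::", 44))
```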
I have a customer asking why we have a link describing the new "features" for the version 4.0.3 if this version has never been released, we went from version 4.0.2 to 4.0.4. See the attached file.
Drill down with transpose not working as expected to fetch the row and column values, as it's not giving me the accurate results; not sure if this is related to transpose.

index=wso2 source="/opt/log.txt" "Count_Reportings"
| fields api-rep rsp_time mguuid
| bin _time span=1d
| stats values(*) as * by _time, mguuid
| eval onesec=if(rsp_time<=1000,1,0)
| eval threesec=if(rsp_time>1000 and rsp_time<=3000,1,0)
| eval threesecGT=if(rsp_time>3000,1,0)
| eval Total = onesec + threesec + threesecGT
| stats sum(onesec) as sumonesec sum(threesec) as sumthreesec sum(threesecGT) as sumthreesecGT sum(Total) as sumtotal by api-rep, _time
| eval good = if(api-rep="High", sumonesec + sumthreesec, if(api-rep="Medium", sumonesec + sumthreesec, if(api-rep="Low", sumonesec, null())))
| eval per_call=if(api-rep="High", (good / sumtotal) * 100, if(api-rep="Medium" , (good / sumtotal) * 100, if(api-rep="Low" , (good / sumtotal) * 100, null())))
| eval per_cal=round(per_call,2)
| timechart span=1d avg(per_cal) by api-rep
| eval time=strftime(_time, "%Y-%m-%d")
| fields - _time _span _spandays
| fillnull value=0
| transpose 0 header_field=time column_name=APIs include_empty=true

Below is the output for the above query. When I click on the 99.93 I need to pick GOOD and the column header 2024-06-30 and pass them into the drilldown query. When I click on 99.93 from column 2024-06-30 it gives me the below output; it's not giving me the row value as Good. Below are the drilldown tokens.

tokClickValue1 = $click.value$
tokClickName1 = $click.name$
tokClickValue2 = $click.value2$
tokClickName2 = $click.name2$
tokApi = $row.APIs$

I want the tokens to fetch the header and APIs values to pass them to the drilldown query.
If there are no errors in the Splunk logs relating to sending email then there must be something happening to the messages after they leave Splunk.  Check your Spam folder and any automatic actions you may have. Have you confirmed the alerts are firing?
Just upgraded to 9.2.2 on our heavy forwarder and had the same KV store errors. Our mongod.log displayed the same ssl errors. These steps worked perfectly! 
Thank you for posting your solution.  This was our problem after migration to RHEL9 and your solution fixed it.
I was hoping to get some help in modifying the query above. I have an index and a sourcetype for my Windows environment. I would like to see the following:

- Authentication PackageName = This looks to show the type of authentication taking place, like NTLM, Kerberos, MFA, etc. I need this to show for each user (Windows Authentication Technical Overview | Microsoft Learn)
- Logon Type = used by Windows to show successful login and failure logs like (4624, 4625, 4648) and should have a count related to the above attribute (Windows Logon Scenarios | Microsoft Learn)
- LogonProcessName = The process name for the authentication action taking place for the user

PS. The idea here is to see what authentication action is taking place for each user so I can say yes, they are using NTLM or Kerberos to access this host or resource. Thanks again Community!!!!
I have this most weird situation, where I use inputs.conf on the UF:

[monitor://C:\Users\xxx\OneDrive - xxx\xxx\Sources\On-Board\Splunk\test\eManager]
disabled = 0
index = main
sourcetype = el:PoC:eManager

On the HF (before Indexers) I use:

props.conf

# For eManager PoC
[el:PoC:eManager]
INDEXED_EXTRACTIONS=JSON
TIMESTAMP_FIELDS=timestampUtc
TZ = UTC
SHOULD_LINEMERGE = false
AUTO_KV_JSON = false
KV_MODE = none
TRANSFORMS-sourcetype = change-eManagerSourcetype

transforms.conf

[change-eManagerSourcetype]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (.*?)
FORMAT = sourcetype::el:eManager
DEST_KEY = MetaData:Sourcetype

Data gets ingested, and it all looks ok - EXCEPT when using this search:

index=main source=*_8.*
| rename _indextime as iTime
| foreach *Time [ | eval <<FIELD>>=strftime(<<FIELD>>,"%Y-%m-%d %H:%M:%S") ]
| stats latest(_time) AS _time count BY index sourcetype

I get this result:

index sourcetype _time count
main el:eManager 2024-07-02 19:26:36.000 363
main el:eOperator 2024-06-06 14:02:02.986 198

And when adding sourcetype="el:eManager" or just sourcetype="*" I get this:

index sourcetype _time count
main el:eOperator 2024-06-06 14:02:02.986 198

It's like the sourcetype is kind of hidden, but not hidden after the rename in transforms from "el:PoC:eManager" to "el:eManager". I can search by index and source and show it, but not use sourcetype anymore in a direct search. Can anyone explain please?
Looks like this is the issue: https://community.splunk.com/t5/Splunk-Search/Unable-to-access-Metrics-Indexes/m-p/516204
Continuation... as I said, I received mail once but later on stopped receiving mail. Please help me on this further. Thanks
Same issue. Were you able to get a solution for this?
I see your point. It's not necessarily 1 big file. The files do share a base name, but it is then automatically appended with the Unix time in the file name. But to your point, I could reach out to the SysAdmins to ask if they could have the file names be associated by network device family, and then appended with the Unix time. Or create a sub directory in that path named for each network device family. A little more granular, but I'm not sure what they can do on their end.
Hi Sir, thanks for your valuable suggestions. I tried the below SPL:

index=_internal "sendemail"

I received 1 event with details like "Sending email" (as I said already, I received an alert mail to my mailbox once and after that it stopped sending mail).
Your best bet is going to be deciding which labels you want to set on certain containers. After that, you can set Label Permissions so roles don't have View permissions on labels they shouldn't see or be assigned to.
If Splunk hangs and there are timeout issues, it could be a number of things. What I have seen in the wild is that this normally relates to performance of the underlying storage system and the amount of ingest, which may and can cause these types of issues. Timeouts could relate to the network: what's the latency like between the Splunk instances? How much volume of data are you ingesting, and can the Splunk instances handle this? https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Summaryofperformancerecommendations

1. Check that your CPU/MEM and Disk I/O meet the requirements; if that's ok then it's something else that needs investigation. #Reference hardware https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Referencehardware
2. Check that THP has been disabled - plenty of topics on this on Google and this community https://docs.splunk.com/Documentation/Splunk/9.2.1/ReleaseNotes/SplunkandTHP
3. Check that ulimits have been configured - again, plenty of topics on this on Google and this community.
Why not provide a better summary of your issues, so the Splunk community can then respond? It's much better to summarize your Splunk environment, what you are trying to do, what you have done to troubleshoot, and provide any errors in logs (also redact any sensitive information).
This is most likely not possible due to security risks.
It seems like you're looking to pull browser and mail syslog data in Splunk, but you're facing several problems. To clarify your request: you want to know the correct method to track users who have visited specific websites and made changes, correct?
- Recently AppDynamics has joined with Cisco to provide user identity (sign-in credentials) capabilities for all SaaS AppDynamics-based products and services. Users whose passwords are verified by the AppDynamics Identity Platform (not user accounts that sign in using their company's SSO credentials) will be moved to the Cisco Customer Identity platform (id.cisco.com) for verification.
- Everyone needs to follow the few steps mentioned in the transition documents to ensure a successful login to the controller. Users should follow the instructions mentioned in the document below.
- https://community.appdynamics.com/t5/Knowledge-Base/AppDynamics-Identity-is-changing-to-Cisco-Identity/ta-p/53076
Hi @tuts, debug your situation: are you sure that the routes between the endpoints and the syslog receiver are open? Did you configure the syslog receiver as described in the above documentation (inputs)? Did you disable the local firewall on the Splunk receiver? For syslog, instead of receiving syslog inside Splunk (Splunk Network Inputs), I suggest using an rsyslog receiver that writes the syslogs to a file, and then with Splunk you can read these files. Ciao. Giuseppe