All Posts

I am using a web tool, scconverter.net, to download and save SoundCloud tracks for offline listening. I want to ensure that the tool operates efficiently and without errors. How can I set up Splunk to track the usage, performance metrics, and any potential issues with this web tool? Specifically, I am interested in:
Monitoring the number of downloads per day.
Tracking error rates and response times.
Setting up alerts for any performance degradation.
What data should I collect, and how can I visualize it in Splunk? Any advice on configuring the necessary inputs and dashboards would be appreciated.
Any update? This issue still persists in the 9.1.x version (and I assume in 9.2.x also, because there is no information in the release notes/fixed issues). Now it's very difficult to control the execution of scripts. The [script://] input has this feature implemented, but [powershell://] doesn't. * NOTE: when you specify a cron schedule, the input does not run the script on start-up.
Sounds like a case for dedup. Based on that, you can optionally also place the devices into a lookup file and use that. (You can then use that SPL in your dropdown menu, which is what I suspect you want to do.) See the examples and check whether that meets what you want to do. https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Dedup#Examples
Let's say I have created two custom metrics, i.e. a Counter and a Timer, using Micrometer in Spring Boot 3. These metrics are exposed via the /actuator/metrics and /actuator/prometheus endpoints. I have AppDynamics enabled for my application and nowhere can I see the custom metrics I created. There is a section called Metrics Browser, which does not show or display the custom metrics. How can I view these metric details in AppDynamics for my Spring Boot 3 app?
Thank you for the reply. I will have to make it from scratch. Thankfully, the SPL remains the same!
Mixing OS types is not recommended. That said, CentOS and RHEL are mostly aligned and it should work, and you want to ensure the kernel level is supported. BUT if you don't follow best practices, you then take the risk of something not working due to OS-specific configuration/libraries, package management, file systems, performance etc. Most enterprises standardise, so they have a baseline OS config as standard, and ensure that the hardware and software requirements are met for Splunk. There is a table here of the kernel level support: https://docs.splunk.com/Documentation/Splunk/9.2.1/Installation/Systemrequirements#Supported_Operating_Systems
Hi, I want to create an alert based on files received. Every day, at random times, we receive files, e.g. file name: file_20240613_1222_100.xml. Here I can extract Date: 20240613 and CompanyId: 1222. I need to create an alert which should run every 30 mins to check if any file arrived. If any file is detected it should check both 'Date' and 'CompanyId' against the files received in the last 30 days. If there is any filename in the last 30 days with the same 'Date' and 'CompanyId' in the filename, then it should trigger an email alert. Base search:
index=wealth
| search transform-file
| search ace_message
| rex field=_raw "inputFileName: (?<inputFileName>.*?),"
| rex field=_raw "outputFileName: (?<outputFileName>.*?),"
| rex field=inputFileName "file\_\d+\_(?<CompanyId>\d+)\_"
| rex field=inputFileName "file\_(?<Date>\d+)\_"
| table inputFileName, outputFileName, CompanyId, Date
This will search the last 30 mins and see if any new file arrived, but I am not sure how to check the same fields against the last 30 days of filenames. Can someone help!
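The check described in this post, as an added Python example (not from the poster or from Splunk): it applies the post's filename regex to constructed arrival records and flags files from the last 30 minutes whose Date and CompanyId already appear in a file received within the last 30 days.

```python
import re
from datetime import datetime, timedelta

# The two rex extractions from the post, folded into one Python pattern.
FILE_RE = re.compile(r"file_(?P<Date>\d+)_(?P<CompanyId>\d+)_")

# Constructed sample results: (_time, inputFileName) as the base search would return them.
NOW = datetime(2024, 6, 13, 12, 30)
SAMPLE_EVENTS = [
    (NOW - timedelta(days=2), "file_20240611_1222_100.xml"),       # different Date
    (NOW - timedelta(days=40), "file_20240613_1222_100.xml"),      # outside the 30-day window
    (NOW - timedelta(days=5), "file_20240613_1222_099.xml"),       # same Date and CompanyId
    (NOW - timedelta(minutes=10), "file_20240613_1222_100.xml"),   # new arrival: should alert
    (NOW - timedelta(minutes=5), "file_20240613_3333_100.xml"),    # new arrival, no prior match
    (NOW - timedelta(minutes=3), "notes_20240613.txt"),            # does not match the pattern
]


def parse_key(filename):
    """Return (Date, CompanyId) from a filename, or None if it does not match."""
    m = FILE_RE.search(filename)
    return (m.group("Date"), m.group("CompanyId")) if m else None


def find_repeated_files(events, now, recent=timedelta(minutes=30),
                        history=timedelta(days=30)):
    """Files that arrived within `recent` whose (Date, CompanyId) was already
    seen in an earlier file inside `history`. Returns (new_file, earlier_file) pairs."""
    seen = {}  # (Date, CompanyId) -> first earlier filename carrying that key
    for ts, name in sorted(events):
        key = parse_key(name)
        if key is None or ts < now - history or ts >= now - recent:
            continue
        seen.setdefault(key, name)
    alerts = []
    for ts, name in sorted(events):
        if ts < now - recent:
            continue
        key = parse_key(name)
        if key is not None and key in seen:
            alerts.append((name, seen[key]))
    return alerts


if __name__ == "__main__":
    for new_file, earlier in find_repeated_files(SAMPLE_EVENTS, NOW):
        print(f"ALERT: {new_file} repeats Date/CompanyId of {earlier}")
```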
Hello everyone, due to the high number of identical devices, I would like to be able to select which devices should be displayed via a dropdown. Has anyone done this before and can possibly give me the procedure and the code? Many thanks and best regards, Alex
Hi Naresh, there are 2 possible scenarios here.
1. There is no traffic, meaning no load.
2. There might be an issue with the agent itself. Sometimes certain limits are being reached by the agent which stop monitoring from being tracked.
The easiest way to check is to look at the agent logs, to see if specific limits are being breached.
No one can tell you what _you_ need to monitor and what to look for - it depends on your environments, your use cases, your users and your work characteristics. You can look for inspiration here: https://research.splunk.com/
To answer your question: I would like to tell Splunk the color within the search, e.g.: timeline_bar_color=red index=windows sourcetype=Script:Foo
Searches are all I use of Splunk; creating dashboards is out of my scope. How can I make a feature request?
You can try this
| rex field=message "ActionName\\\":\\\"(\w+\.)*(?<ActionName>\w+)"
which will look for all package names up to the last . and then extract the class name based on \w+ rather than everything up to the final quote. If your package or class names contain chars other than \w then adjust accordingly.
Hi, try this after your rex.
| rex field=ActionName "\.([^\.]+)\s*\("
As @ITWhisperer and @bowesmana said, SPL is not a procedural language and does not provide code blocks. I do understand the semantic clarity and maintainability of a code block. So, I am going to use the specifics in your sample to give a very silly "block". Obviously I have no idea what values are in field, group and groups. So I made something up, with the constraint that group be numeric.
field  group  groups
0      10     10
1      20     30
2      30     60
The following will read like a block:
| eval bingo = if(field == 1, mvrange(group, group+1), null())
| foreach bingo mode=multivalue [eval group = <<ITEM>> + 1, groups = groups . "," . <<ITEM>>]
and the output is equivalent to your block code
field  group  groups
0      10     10
1      21     30,20
2      30     60
Is that a code block? Not really. Does it achieve semantic clarity? Questionable. But you are not repeating condition evaluation. Also, if maintainability is super important, you can also do something like
| tojson group groups
| eval _raw = if(field == 1, json_set(_raw, "group", group + 1, "groups", groups . "," . group), _raw)
| fields - group groups
| spath
In a roundabout way, this has the true spirit of a code block. The above mock data is produced with the following:
| makeresults format=csv data="field, group
0, 10
1, 20
2, 30"
| streamstats sum(group) as groups
``` data emulation above ```
Hi all, we have a cluster on site1 that runs "CentOS Linux release 8.2.2004 (Core)" on kernel "4.18.0-348.7.1.el8_5.x86_64" on all peers, and we would like to deploy the site2 cluster with RHEL 8 on all the cluster members. Would that cause any problems with Splunk's functionality?
Hi All, I have a raw message which contains an Action name like the one below:
CommBank.Api.PricingExtractor.Controllers.EventPublishController.PublishEventsToKafkaTopics (CommBank.Api.PricingExtractor)
which I have extracted using the regular expression below:
rex field=message "ActionName\\\":\\\"(?<ActionName>[^\\\"]+)"
Is there a way to extract only the last part after "." and before "(", i.e. just "PublishEventsToKafkaTopics"? I tried a few ways but was getting errors. Any help will be appreciated. Thanks in advance.
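The two extraction approaches suggested in the replies above (a single rex that skips every "Package." prefix, and a second rex over the already extracted ActionName), as an added Python example that is not from any of the posters. The sample message is constructed to carry the escaped quotes (\") that the SPL patterns in the thread match with \\\"; Splunk's (?<name>...) becomes Python's (?P<name>...).

```python
import re
from typing import Optional

# Constructed sample of the `message` field: a JSON document whose quotes are
# themselves escaped (\"), which is why the SPL patterns in the thread use \\\".
SAMPLE_MESSAGE = (
    r'{\"ActionName\":\"CommBank.Api.PricingExtractor.Controllers.'
    r'EventPublishController.PublishEventsToKafkaTopics (CommBank.Api.PricingExtractor)\",'
    r'\"Level\":\"Information\"}'
)
# Constructed edge case: an action with no package prefix at all.
SAMPLE_NO_PACKAGE = r'{\"ActionName\":\"Ping (CommBank.Api.Health)\"}'

# The escaped quote in the data is the two characters \" ; the regex spells it \\" .
FULL_ACTION = re.compile(r'ActionName\\":\\"(?P<ActionName>[^\\"]+)')
LAST_SEGMENT = re.compile(r'ActionName\\":\\"(?:\w+\.)*(?P<ActionName>\w+)')
AFTER_LAST_DOT = re.compile(r'\.([^\.]+)\s*\(')


def extract_full_action(message: str) -> Optional[str]:
    """The original extraction: everything up to the closing escaped quote."""
    m = FULL_ACTION.search(message)
    return m.group("ActionName") if m else None


def method_via_single_rex(message: str) -> Optional[str]:
    """Skip every 'Package.' prefix greedily and keep the final \\w+ run."""
    m = LAST_SEGMENT.search(message)
    return m.group("ActionName") if m else None


def method_via_second_rex(message: str) -> Optional[str]:
    """Two-step variant: take the full ActionName, then the text between the
    last '.' and the '('. Returns None when there is no '.' to anchor on."""
    full = extract_full_action(message)
    if full is None:
        return None
    m = AFTER_LAST_DOT.search(full)
    # [^\.]+ is greedy and also swallows the space before '(', so strip it.
    return m.group(1).strip() if m else None
```

Both approaches agree on the sample from the question; they differ on the constructed no-package case, where the single rex still returns the method name while the second rex finds no "." to anchor on.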
Hi Team, I am facing the same issue. I have performed a Splunk forwarder upgrade, and while restarting I am getting the message below. Could anyone provide me a solution here? This is a prod indexer server which is also playing the role of deployment server.
error: splunkd is not running.
Splunk> CSI: Logfiles.
Checking prerequisites...
Checking mgmt port [8089]: not available
ERROR: mgmt port [8089] - port is already bound. Splunk needs to use this port.
Would you like to change ports? [y/n]: n
Exiting....
Hi Splunkers, I am currently working on creating custom alerts with JavaScript and am encountering issues with finding proper documentation. I reviewed some posts in the Splunk community that included documentation links, but many of those links are expired or removed. Could someone provide me with the current documentation links for creating custom alerts with JavaScript? Specifically, I am working with parameters like:
'action.email.sendresults': 1,
'action.email.message.alert': 'xxxxx',
'action.email.to': email,
'action.logevent.param.event': '{"session_id": $result.session_id$, "user": $result.user_name$}',
'action.logevent.param.index': index,
'alert.digest_mode': 0,
'alert.suppress': 1,
Thanks, Sanjai
The use case would be if a host talks to a port it doesn't usually talk on, based on the baseline. The timeframes in the question are arbitrary. Would start smart to test, and expand the timeframe for the baseline prior to fully implementing it.
Hi @Kieffer87, I am trying to set up similar SSL on the Splunk Heavy Forwarder for one of the VMware application syslogs. I have a few queries on the above solution you have mentioned.
1. Do we need to have a .cer file, or would a .pem do?
2. In the .cer/.pem file, do we need to include the private key details?
3. Regarding the cipherSuite, do we need to get this from the source application that encrypts the data?
4. We have other default [SSL] config on the same Splunk server, so in that case I assume we should use the specific SSL attributes in the [tcp-ssl://<port>] stanza?