All Posts

No one can tell you what _you_ need to monitor and what to look for - it depends on your environments, your use cases, your users and your work characteristics. You can look for inspiration here: https://research.splunk.com/

To answer your question: I would like to tell Splunk the color within the search, e.g.:

    timeline_bar_color=red index=windows sourcetype=Script:Foo

Searches are all I use of Splunk; creating dashboards is out of my scope. How can I make a feature request?

You can try this

    | rex field=message "ActionName\\\":\\\"(\w+\.)*(?<ActionName>\w+)"

which will look for all package names up to the last . and then extract the class name based on \w+ rather than everything up to the final quote. If your package or class names contain chars other than \w then adjust accordingly.

Hi, try this after your rex.

    ``` rex needs a named capture group to extract a field ```
    | rex field=ActionName "\.(?<ActionName>[^\.]+)\s*\("

As @ITWhisperer and @bowesmana said, SPL is not a procedural language and does not provide a code block. I do understand the semantic clarity and maintainability of a code block. So, I am going to use the specifics in your sample to give a very silly "block". Obviously I have no idea what values are in field, group and groups. So I made something up, with the constraint that group be numeric.

    field  group  groups
    0      10     10
    1      20     30
    2      30     60

The following will read like a block:

    | eval bingo = if(field == 1, mvrange(group, group+1), null())
    | foreach bingo mode=multivalue [eval group = <<ITEM>> + 1, groups = groups . "," . <<ITEM>>]

and the output is equivalent to your block code:

    field  group  groups
    0      10     10
    1      21     30,20
    2      30     60

Is that a code block? Not really. Does it achieve semantic clarity? Questionable. But you are not repeating condition evaluation.

Also, if maintainability is super important, you can also do something like

    | tojson group groups
    | eval _raw = if(field == 1, json_set(_raw, "group", group + 1, "groups", groups . "," . group), _raw)
    | fields - group groups
    | spath

In a roundabout way, this has the true spirit of a code block.

The above mock data is produced with the following:

    | makeresults format=csv data="field, group
    0, 10
    1, 20
    2, 30"
    | streamstats sum(group) as groups
    ``` data emulation above ```

Hi all, we have a cluster on site1 that runs "CentOS Linux release 8.2.2004 (Core)" on kernel "4.18.0-348.7.1.el8_5.x86_64" on all peers, and we would like to deploy the site2 cluster with RHEL 8 on all the cluster members. Would that cause any problems with Splunk's functionality?

Hi All, I have a raw message which contains an Action name like below:

    CommBank.Api.PricingExtractor.Controllers.EventPublishController.PublishEventsToKafkaTopics (CommBank.Api.PricingExtractor)

which I have extracted using the below regular expression:

    rex field=message "ActionName\\\":\\\"(?<ActionName>[^\\\"]+)"

Is there a way to extract only the last part after "." and before "(", i.e. "PublishEventsToKafkaTopics"? I tried a few ways but was getting an error. Any help will be appreciated. Thanks in advance

Hi Team, I am facing the same issue where I have performed a Splunk forwarder upgrade; while restarting I am getting the below message. Could anyone provide me a solution here? This is a prod indexer server which is also playing the role of deployment server.

    error: splunkd is not running.
    Splunk> CSI: Logfiles.
    Checking prerequisites...
    Checking mgmt port [8089]: not available
    ERROR: mgmt port [8089] - port is already bound. Splunk needs to use this port.
    Would you like to change ports? [y/n]: n
    Exiting....

Hi Splunkers, I am currently working on creating custom alerts with JavaScript and am encountering issues with finding proper documentation. I reviewed some posts in the Splunk community that included documentation links, but many of those links are expired or removed. Could someone provide me with the current documentation links for creating custom alerts with JavaScript? Specifically, I am working with parameters like:

    'action.email.sendresults': 1,
    'action.email.message.alert': 'xxxxx',
    'action.email.to': email,
    'action.logevent.param.event': '{"session_id": $result.session_id$, "user": $result.user_name$}',
    'action.logevent.param.index': index,
    'alert.digest_mode': 0,
    'alert.suppress': 1,

Thanks, Sanjai

Use case would be if a host talks to a port it doesn't usually talk on based on the baseline. The timeframes in the question are arbitrary. Would start small to test, and expand the timeframe for the baseline prior to fully implementing it.

Hi @Kieffer87, I am trying to set up similar SSL on the Splunk Heavy Forwarder for one of the VMware application syslogs. I have a few queries on the above solution you have mentioned.

1. Do we need to have a .cer file or would .pem do?
2. In the .cer/.pem file do we need to include the private key details?
3. Regarding the cipherSuite, do we need to get this from the source application that encrypts the data?
4. We have other default [SSL] config on the same Splunk server, so in that case assuming we should use the specific SSL attributes in the [tcp-ssl://<port>] stanza?

It is a true app already, but just needs a bit more info to make it visible. Take a look at app.conf - that is what controls visibility. https://docs.splunk.com/Documentation/Splunk/latest/Admin/Appconf

This requirement is too broad - what sort of anomalies are you trying to detect?

Short answer is no. Splunk SPL is not a procedural language (like some other languages). Essentially, the if function can be used to modify what is assigned by an eval command to a new or existing field in the event, although you can have multiple assignments in the same eval command, e.g.

    | eval a=value1, b=value2

You can't do block ifs in Splunk, so you have to do all conditionals inside the | eval x=if(...) construct

There are a number of ways to achieve something like this.

- Use a tab mechanism (using Splunk input type="link") to show groups of panels
- Use a small visualisation to show a "thumbnail" and then expand the chart and remove other thumbnails when clicking on the chart

These all generally work through panel dependency and tokens to hide or show certain panels. The tab approach simply uses a <change> element in the <input> to set and unset tokens that show or hide panels relating to that tab:

    <input id="cascade_group" type="link" token="tab">
      <label>Cascade</label>
      <choice value="l1">Tab 1</choice>
      <choice value="l2">Tab 2</choice>
      <default>l1</default>
      <change>
        <condition value="l1">
          <unset token="show_l2"></unset>
          <set token="show_l1"></set>
        </condition>
        <condition value="l2">
          <unset token="show_l1"></unset>
          <set token="show_l2"></set>
        </condition>
      </change>
    </input>

Use the <row depends="$show_l1$"> syntax to show rows/panels for l1 panels and the same for l2.

And this is the thumbnail approach which, if you click on the second thumbnail, expands to the chart below and removes the other thumbnails. This is done by setting the height attribute of the chart through a token set by drilldown, e.g. something like this (but a little more complex):

    <option name="height">$varietal_height$</option>
    <drilldown>
      <set token="varietal_height">800</set>
      <unset... tokens for other thumbnails>
    </drilldown>

Go check out the XML reference and read about tokens and depends: https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML

Is it possible to action multiple operations in a single if condition, like what can be done in other languages? For example, in other scripting languages this can be done:

    if(field==1){
        group=group+1;
        groups=groups+","+group;
    } else {
        //this is a comment, do nothing
    }

How can this be done in Splunk?

I don't think you're going to find an easy option - the push is to move to DS. Depending on how complex your DS dashboards are, I would suggest starting by just copying all the "query" elements in DS JSON to an empty <table>...</table> template so all your searches are there and then editing to change all the viz definitions, but that is going to be a manual process...

Say I create a query that outputs (as a csv) the last 14 days of hosts and the dest_ports the host has communicated on. Then I would inputlookup that csv to compare the last 7 days of the same type of data. What would be the simplest SPL to detect anomalies?

You can't change Splunk's user interface - firstly, how does Splunk know what "unpleasant" means? If you want to show a timeline, then create a dashboard and you can do that in the dashboard. See this documentation: https://docs.splunk.com/Documentation/Splunk/9.0.2/Viz/ChartConfigurationReference