All Posts

Hello, the Event Timeline Viz is well suited for some work I am doing for a customer to understand jobs/alerts. I have discovered that it appears to display based on the computer/browser timezone and NOT the Splunk timezone settings in user preferences, which doesn't agree with everything else in Splunk and will be difficult/confusing to explain. I changed my Splunk user preference timezone and was surprised to find that the Event Timeline Viz does not change the displayed times. Other visualizations and Splunk time do change for the same search results. If I change my computer timezone, the Event Timeline Viz does change how time is displayed, and the "Now" line reflects the new computer timezone. I emailed the author but wanted to post here to see if anyone else had seen this issue and/or addressed it. The screenshot below was taken with the Splunk UI set to Pacific/Honolulu time. The Now line aligns with the computer timezone, not Splunk. Thanks in advance for the help. Ian
Hi @yuanliu, thanks for sharing the query on this matter. I have reviewed your query; my concern is that you have excluded the Windows starting-up event within 5 minutes, but how will it consider the specific "host"? As per my understanding it should be host specific: if a single host got shut down and started up again within 5 minutes, it should not trigger any alert.
No, I inserted my org-id
Sirt is the organization name of my OpenAI account. In the Organization value I entered the organization ID of my OpenAI account. Splunk-Mdc is the name of the key I created for that, and in the API key value I inserted the key.
It looks like time is displayed in this viz based on browser/computer timezone and not Splunk UI prefs.
Hello, I need to create a simple alert that would satisfy the below DOD STIG: SPLK-CL-000320 - Splunk Enterprise must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage. We do not have a budget to buy the paid Splunk security app, but we have Splunk Enterprise 9 installed. Moreover, we are inside an intranet, so attacks, if any, would be minimal. Therefore, I would like to get any ideas of what would be considered an attack. For example, I have the below ideas myself: 1. A user logs in but is denied access for whatever reason. 2. A user attempts to open a file he/she does not have rights to. I am more experienced in Splunk than in Linux security, so any help would be appreciated.
Hang on, one of the questions is suddenly visible again. I don't know what this forum is doing at all: https://community.splunk.com/t5/Getting-Data-In/How-to-connect-OpenTelemetry-Java-agent-to-Splunk-Collector-in/m-p/689993#M114821
In Splunk Answers. I can't link to the question because both questions have been removed. I don't know what else to do
Sure! I am using Splunk Enterprise. This is my first time trying to install an add-on (Cisco WSA). I go to Apps > Find More Apps and hit Install, which prompts me with a login page. I try my user and password, but it says "your user or pass is incorrect". I have tried to change my password and retried, but same result.
So I figured out how to move past this. I had to find the MSI product code for the previous 3 versions and then search the registry for them one by one. If they exist, they will be in the registry under windows installer\"theproductcode". This entry has neither "splunk" nor "universal forwarder" in the string, so it was not found prior to this. Once I deleted the previous entries, I was able to install the new version.
Hi @Cyner__, from the UF, are you able to ping the indexer? From the UF to the indexer, is telnet working fine? telnet index:9997 .. is it working fine or not?
Hi @thatusername, where? Here in the Splunk community only? Is it about any Splunk app/add-on? Did you add any links/URLs? Update us with more details about what you posted; only then can we understand why it got denied.
Building on what @inventsekar said, it is strongly recommended that every sourcetype have a props.conf stanza.  Splunk can guess about how to interpret your data, but using explicit instructions via props.conf is more performant.  If you need to override default behavior, such as specifying a different time zone, props.conf is required.
Hi @Théophane_GUE .. pls update us with the sourcetype name. From the UF, how do you send the logs? Through any apps/add-ons, or just inputs.conf?
Hi @tdavison76, some more details pls.. Is it cloud or on-prem? Where do you see that red (we have a Red status for Ingestion Latency)? Is it on any dashboard or is it on the DMC?
Please note, we do not have any "props.conf" file available or configured in the server. We are maintaining the Splunk configuration in only the "inputs.conf" file.

Hi @shashankk .. more details pls.. Is it a dev/test environment or prod? Do you have a Deployment Server or not? Any reasons for not having a props.conf and only having inputs.conf? Is that inputs.conf on the HF or indexer? Do you use UFs, or do some applications send the logs to the monitored folders directly?
Hi All, I have a report running every 6 hours with the below search query. This is fetching hourly availability of haproxy backends based on HTTP response code, as shown below. I need to accelerate this report, but I think the bucket section of the search is disqualifying this for report acceleration. Can someone help with modifying this search so that it can be accelerated, or are there any other workarounds to get the exact same table as shown?

index=haproxy (backend="backend1" OR backend="backend2")
| bucket _time span=1h
| eval result=if(status >= 500, "Failure", "Success")
| stats count(result) as totalcount, count(eval(result="Success")) as success, count(eval(result="Failure")) as failure by backend, _time
| eval availability=tostring(round((success/totalcount)*100,3)) + "%"
| fields _time, backend, success, failure, totalcount, availability

_time             backend   success  failure  totalcount  availability
2024-06-07 04:00  backend1  28666    0        28666       100.000%
2024-06-07 05:00  backend1  28666    0        28666       100.000%
2024-06-07 06:00  backend1  28712    0        28712       100.000%
2024-06-07 07:00  backend1  28697    0        28697       100.000%
2024-06-07 08:00  backend1  28678    0        28678       100.000%
2024-06-07 09:00  backend1  28714    0        28714       100.000%
2024-06-07 04:00  backend2  618      0        618         100.000%
2024-06-07 05:00  backend2  179      0        179         100.000%
2024-06-07 06:00  backend2  555      0        555         100.000%
2024-06-07 07:00  backend2  103      0        103         100.000%
2024-06-07 08:00  backend2  1039     0        1039        100.000%
Hi @reza ... moooore details please: 1) Splunk Cloud or on-prem? 2) Was it working fine previously and stopped working recently, or is this your first time seeing this error? 3) Error screenshots will be of great help.
When I have seen something similar with others, we ended up leveraging CNAME records within DNS to set aliases, similar to a macro that you would only have to change once at the source. Do you think that would be a viable solution within your environment?
Hello all, I have tried many times to install add-ons, but it does not accept my password, which I know for sure is correct. I tried to reset the password and try again, but same result. Does anybody have an idea how to fix this?