All Posts
This could be a number of things as to why you're not getting any results. With Splunk you should be able to see the fields in the fields sidebar provided you have access to the index (permissions) and the data has been onboarded correctly and fields are extracted. Run index="firewall" and see if you get data, and then you should find the sourcetype associated with the data you want to search.

Example:

index="firewall" sourcetype=<Add your sourcetype here> | table host, src_addr, dest_addr

Note: the fields you're interested in based on your data may be different, so look at the left fields sidebar. If you can't get anything, it may be that you don't have permissions to see that firewall index/data, or the data has not been onboarded correctly.
The first thing about dashboards is that you should draw out a design: what data, which fields, and what kind of layout (table, chart, timechart, forms, etc.). Then create a prototype dashboard based on that and refine it until you have the results. Why not try and create the dashboards? Have a look here, there are several examples: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/Createnewdashboard Even better, run through this tutorial; by the end of the week you should be able to create some of your own dashboards: https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchTutorial/WelcometotheSearchTutorial

These are very simple examples of different ways to present your data and put them into a dashboard.

This shows just a table for the fields of interest to you:

index="wireless_retail" source="CPS.cpsLog" | fields ID, Date, Level, Logger, Message | table Date, ID, Level, Message

This shows how many events by the Level field (field names are case-sensitive in SPL, so it is Message, not message):

index="wireless_retail" source="CPS.cpsLog" | fields ID, Date, Level, Logger, Message | stats count by Level, ID, Message

This shows using a time period for Level by ID (timechart only accepts a single split-by field, so Level and ID are combined into one field first):

index="wireless_retail" source="CPS.cpsLog" | fields _time, ID, Level | eval Level_ID=Level." / ".ID | timechart span=1h count by Level_ID

You can also download this app and use the many great examples here: https://splunkbase.splunk.com/app/1603
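The three searches above placed into a Simple XML dashboard, as an added example that is not code from the original post. It adds a time picker and a Level drop-down so the panels share one token set; the dashboard label, the Level choices and the 24-hour default range are assumptions, so adjust them to your data.

```xml
<form version="1.1">
  <label>CPS log overview (example)</label>
  <fieldset submitButton="false">
    <!-- Time picker: every panel below reads $tr.earliest$ / $tr.latest$ -->
    <input type="time" token="tr">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Level filter; "*" keeps all levels. The choice list is assumed. -->
    <input type="dropdown" token="level">
      <label>Level</label>
      <choice value="*">All</choice>
      <choice value="ERROR">ERROR</choice>
      <choice value="WARN">WARN</choice>
      <choice value="INFO">INFO</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events per hour by Level</title>
      <chart>
        <search>
          <query>index="wireless_retail" source="CPS.cpsLog" Level="$level$" | timechart span=1h count by Level</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
    <panel>
      <title>Event count by Level and ID</title>
      <table>
        <search>
          <query>index="wireless_retail" source="CPS.cpsLog" Level="$level$" | stats count by Level, ID | sort -count</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Most recent events</title>
      <table>
        <search>
          <query>index="wireless_retail" source="CPS.cpsLog" Level="$level$" | table _time, ID, Level, Logger, Message | sort -_time | head 100</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Paste it in as the dashboard source (Dashboards > Create New Dashboard > Source, or edit the source of an existing one). The `| fields` clause from the original searches is dropped because each panel already names the fields it uses.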
The below are two different drop-down lists, as we have different hosts and indexes. Based on the index selection I do set/unset and show/hide. Can we make a single query with a single drop-down list, based on the value of the drop-down list which is visible?

1) index=aaa (source="/log/test.log" $host1$ ) | rex field=name "(?<DB>[^\.]*)" | rename DB AS "Database" | table Database | dedup Database

2) index=bbb (source="/log/test.log" $host2$ ) | rex field=name "(?<DB>[^\.]*)" | rename DB AS "Database" | table Database | dedup Database

If ddl1 is visible, fetch the value and pass it to $host1$ in the query; if ddl2 is visible, fetch the value and pass $host2$ to the query. Or, based on the drop-down list value selected, can we set a value and pass it to the query, to avoid multiple queries that differ only in host/index?
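One way to get the single drop-down the question asks for, as an added example that is not part of the original post: a `<change>` handler on the drop-down sets an index token and a host token together, so one search serves both environments. The environment labels and the host names aaa-host and bbb-host are assumptions standing in for whatever $host1$ and $host2$ carried.

```xml
<form version="1.1">
  <label>Databases by environment (example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="env">
      <label>Environment</label>
      <!-- one choice per index; the value is only used to pick the condition below -->
      <choice value="aaa">Environment A (index=aaa)</choice>
      <choice value="bbb">Environment B (index=bbb)</choice>
      <default>aaa</default>
      <!-- set both the index and the host filter from the single selection -->
      <change>
        <condition value="aaa">
          <set token="idx">aaa</set>
          <set token="hostfilter">host=aaa-host</set> <!-- assumed host name -->
        </condition>
        <condition value="bbb">
          <set token="idx">bbb</set>
          <set token="hostfilter">host=bbb-host</set> <!-- assumed host name -->
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Databases in index=$idx$</title>
      <table>
        <search>
          <!-- a single query; < and > must be escaped inside <query> -->
          <query>index=$idx$ source="/log/test.log" $hostfilter$ | rex field=name "(?&lt;DB&gt;[^\.]*)" | dedup DB | rename DB AS "Database" | table Database</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the index and host clauses come from fixed `<condition>` blocks rather than from free text typed by the user, a dashboard viewer cannot steer the search at an index the drop-down does not offer. If the host should still be chosen separately, keep a second input and reference its token inside the matching condition (for example `host=$host1$`) instead of a literal host name.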
I am looking to write a simple search that tells me if a host or hosts are reaching out to a specific IP address. So far I have:

index="firewall" host=hostname src_addr=x.x.x.x dest_addr=x.x.x.x

When I run this it doesn't come back with anything. Should I be searching under my domain instead? I would like for it to be lined up like below:

Hostname | source IP | destination IP
Our Splunk instance is currently set up as a deployment server. All our clients have the Universal Forwarder installed and set up as deployment clients, phoning home to the server to get their necessary apps. Under the "Forwarder Management" page of the Distributed Environment settings, I can see all 20 of our clients and their respective host names and IP addresses actively talking with the server by phoning home and getting apps deployed. However, when I go to the Monitoring Console's "Forwarders: Deployment" page, only 6 of the 20 Universal Forwarders are showing as installed and active. I'm sure we're messing up one of the many different config files somewhere, but not sure which one...
Hello, is there any way to add a custom logo in place of the Splunk logo in an exported PDF? I am on Splunk Cloud, not Enterprise, so I'm not sure if I can access a static folder to use with Server settings > Email settings > PDF report settings. Alternatively, I've tried just adding an image to the dashboard, but even after having it appear (using embedded base64), the image does not appear when exported to PDF. Any guidance or alternatives would be appreciated.
Hi, I have raw data as below, with the fields "ID, Date, Level, Logger, Message" which need to be displayed in a dashboard. index="wireless_retail" source="CPS.cpsLog" Level="ERROR", Logger="Utils.Helpers.LogHelper". Can someone help me with this dashboard creation for this?

ID="39090", Date="2024-05-07 14:12:53.313", Thread="4", Level="ERROR", Logger=".Utils.Helpers.LogHelper", Message="UserName: abc Location:  Sales Channel: GW_STORE Error in Path: /pap/getcpsinput Raw Url: /pap/getcpsinput User Name: Error: System.Data.Entity.Core.EntityException: An error occurred while starting a transaction on the provider connection. See the inner exception for details. ---> System.Data.SqlClient.SqlException: Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding. ---> System.ComponentModel.Win32Exception: The wait operation timed out --- End of inner exception stack trace --- at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) at System.Data.SqlClient.TdsParserStateObject.ReadSniError(TdsParserStateObject stateObj, UInt32 error) at System.Data.SqlClient.TdsParserStateObject.ReadSniSyncOverAsync() at System.Data.SqlClient.TdsParserStateObject.TryReadNetworkPacket() at System.Data.SqlClient.TdsParserStateObject.TryPrepareBuffer() at System.Data.SqlClient.TdsParserStateObject.TryReadByte(Byte& value) at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
Hello! My trial reached the end, how can I activate the Lite version? Thank you.
Just in case anyone stumbles upon this thread: I just got done trying to get the OpsGenie App for Splunk working and integrated, but they stopped fully supporting that app back in Splunk version 7.1. Anything newer and this won't work. https://jira.atlassian.com/browse/OPSGENIE-1178
@tlmayes Sorry for the misunderstanding, it is an unsupported add-on.
I realize this, since it clearly states created by "Splunk Works". My question was not directed at Splunk, since this is a "community" board (and Splunk Works is a pseudonym for "Splunk (but we don't support it)"). Finally, the "download link" is marked "Download Restricted", and when selected responds with "Request Access, Splunk Employees only".
Hi, I just installed the TA-tenable add-on and was going to configure it; however, when I get to the account configuration it does not matter what account type I use, I always get "Error in processing the request". Has anyone seen this before? If so, what is the fix?
@danielbb Warm and cold buckets can be copied safely while Splunk is running. You don't necessarily need to stop Splunk to perform the cold data migration. Refer to the link below: https://community.splunk.com/t5/Deployment-Architecture/How-to-migrate-data-of-cold-and-thawed-path-to-different/m-p/580124
@fabrizioalleva Connecting Splunk DB Connect to an on-premises MongoDB instance requires some additional steps compared to using MongoDB Atlas. To connect to your on-premises MongoDB, you'll need the MongoDB JDBC driver. You can download it from https://unityjdbc.com/download.php?type=mongodb . Make sure to obtain the mongodb_unityjdbc_full.jar from the installation folder. Then you can configure a JDBC connection: https://unityjdbc.com/mongojdbc/setup/mongodb_jdbc_splunk_dbconnect_v3.pdf I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
OK, so extract it, then filter the events: | where isnotnull(Memory)
@danielmtz Check the link below for more information: https://community.splunk.com/t5/Splunk-Dev/Developer-License-request-form-not-working/m-p/669697 I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
@verizonrap2017 I'm not sure what you're looking for; are you looking for Splunk components or the default indexes in Splunk? Please use the links provided below for reference. https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Aboutmanagingindexes https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/ComponentsofaSplunkEnterprisedeployment I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
@tlmayes The Insights App for Splunk (IA4S) at https://splunkbase.splunk.com/app/7186 is a developer app, not a Splunk-supported app. Check out the link below for further details: https://dev.splunk.com/enterprise/docs/releaseapps/splunkbase/optionsforsubmittingcontent/#Support-content
Coming in here, years later, to document this for anyone who comes across it. The PagerDuty app requires that the user who owns the alert has, at a minimum, the list_storage_passwords capability. Almost certainly this was the issue here.
Hi @Gustavo.Marconi. Thank you for sharing the solution!