Hi All, I have the below JSON format.

REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},"equipment":{"serialNumber":"351643935649535","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","user":"BMashiana","storeNumber":"WCCA0105","dealerNumber":"GW_STORE"}},"headers":{"content-type":"application/json;charset=UTF-8","Accept":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US","TransactionID":"E86B7D59-B3CC-401D-977F-65218248367E","ApplicationID":"00000411","Authorization":"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg=="}}", RESPONSE="{"body":{"model":{"isRedeemed":true,"transactionReferenceNumber":"6200754043","redeemType":"Original","redemptionFailureReasonType":null,"redemptionEquipmentMake":"Apple","redemptionEquipmentModel":"iPhone 14 Pro Max 128GB Deep Purple","redemptionEquipmentMemory":"128 GB","committedPrice":1,"additionalFees":0},"code":200,"messages":null,"isSuccess":true},"headers":{"connection":"close","content-type":"application/json;charset=utf-8","set-cookie":["AWSELB=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899F8C6DFC23D16712EBB4CB423C132BEE67F4F3CB94A24AC7D3196B970C175CF4E9;PATH=/","AWSELBCORS=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899F8C6DFC23D16712EBB4CB423C132BEE67F4F3CB94A24AC7D3196B970C175CF4E9;PATH=/;SECURE;SAMESITE=None","visid_incap_968152=mMXe9betSnmAGjb6EkS6d8pCNGYAAAAAQUIPAAAAAACzpzJ8pi0eFle6ni7emEj9; expires=Fri, 02 May 2025 07:32:03 GMT; HttpOnly; path=/; Domain=.likewize.com","nlbi_968152=pTYgM3uDpkZMpK2uILjsZwAAAABT3d67R/8WtJ556QqTUFQd; path=/; Domain=.likewize.com","incap_ses_677_968152=NKgET8f8eCtwLRsU8y9lCcpCNGYAAAAAghYI7GnE7TXEfi+SGl0EKw==; path=/; Domain=.likewize.com"],"content-length":"354","server":"Jetty(9.4.45.v20220203)"}}", RETRYNO="0", ENDPOINT="https://apptium.freedommobile.ca/Activation.TradeUp", OPERATION="/FPC/Redemption/Redeem", METHOD="POST", 
CONNECTORID="0748a993-4566-48ae-9885-2a4dce9de585", CONNECTORNAME="Likewize", CONNECTORTYPE="Application", CONNECTORSUBTYPE="REST", STARTTIME="1714700999019", ENDTIME="1714701003106", RESPONSETIME="4087", SUCCESS="1", CLIENT="eportal-services", CREATEDDATE="2024-05-03 01:50:03", USERNAME="BMashiana@FreedomMobile.ca", SESSIONID="_dd9ad114-bb2b-4c7f-a7aa-cfc3b929f674", ACTIONID="6e9c5f97-27bc-42fb-b1d3-61a701e4a708", TRACKID="3618c3e3-9bd1-4acc-af6a-f71f31b9092c"

How do I retrieve the account number, channel code and serialNumber from REQUEST, and transactionReferenceNumber from RESPONSE, using a Splunk query? I have tried using spath and it's not working out for me; it displays a blank result. Please help ASAP.

index="wireless_retail" source="create_freedom.transactionlog" OPERATION="/FPC/Redemption/Redeem" | spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber | mvexpand accountNumber | table accountNumber
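Two things work against the query above. The spath path body.customer{}.accountNumber addresses customer as an array (the {} suffix means array elements in spath) while it is an object, so the path should be body.customer.accountNumber. More importantly, the record carries raw JSON with unescaped quotes inside REQUEST="..." and RESPONSE="...", so Splunk's automatic key/value extraction most likely ends the REQUEST value at the first quote inside the JSON, leaving spath nothing to parse; the JSON bodies have to be captured first. The Python below is an added example for this thread, not part of the original post and not Splunk's extraction code: it parses a record of this shape by locating the upper-case top-level keys, pulls the four requested values with object paths, and flags and redacts the two clear-text secrets such a record carries (the Basic Authorization header, which is only base64 of user:password, and the Set-Cookie session tokens). The sample record is constructed with placeholder values, the key pattern is an assumption about this log format, and the SPL in the comment (rex to capture the two bodies, then spath) is the suggested equivalent, not something verified against the poster's index.

```python
"""Parse one transaction-log record whose REQUEST/RESPONSE values are raw JSON
with unescaped quotes, extract the business fields, and find/redact the
credentials the record carries.

Added example for this thread; not Splunk's extraction logic.  Key names and
paths follow the posted record; the sample values are constructed placeholders.

Suggested SPL equivalent (assumed, not run against the poster's data): capture
the JSON bodies with rex, then address objects without '{}':
  ... | rex field=_raw "REQUEST=\"(?<request>.+?)\", RESPONSE=\"(?<response>.+?)\", RETRYNO="
      | spath input=request output=accountNumber path=body.customer.accountNumber
      | spath input=request output=channel path=headers.Channel
      | spath input=request output=serialNumber path=body.equipment.serialNumber
      | spath input=response output=transactionReferenceNumber path=body.model.transactionReferenceNumber
      | table accountNumber channel serialNumber transactionReferenceNumber
"""
import base64
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed record in the shape of the posted event (placeholder values).
SAMPLE = (
    'REQUEST="{"body":{"customer":{"accountNumber":"ACC0001","lineNumber":"5550001"},'
    '"equipment":{"serialNumber":"SN123456","grade":"A"}},'
    '"headers":{"content-type":"application/json","Channel":"6",'
    '"Authorization":"Basic dXNlcjpwYXNz"}}", '
    'RESPONSE="{"body":{"model":{"isRedeemed":true,"transactionReferenceNumber":"TX987"},'
    '"code":200},"headers":{"set-cookie":["AWSELB=abc;PATH=/"],"content-length":"354"}}", '
    'RETRYNO="0", METHOD="POST", SUCCESS="1", USERNAME="someone@example.com"'
)

# Assumption about the format: top-level keys are upper-case and introduced by
# start-of-line or ", ".  JSON keys inside the values are followed by ':' rather
# than '=' and the JSON is compact, so they never match this pattern.
KEY_RE = re.compile(r'(?:^|,\s+)([A-Z]+)="')

# Dotted paths of the clear-text secrets this record type carries.
SENSITIVE = {
    "REQUEST": ["headers.Authorization"],
    "RESPONSE": ["headers.set-cookie"],
}


def split_record(line: str) -> Dict[str, str]:
    """Split KEY="value" pairs whose values may contain unescaped quotes.

    Each value runs from the quote after KEY= to the quote just before the next
    top-level `, KEY="` (or the end of the line).  Splitting on quotes alone,
    roughly what automatic key/value extraction does, stops at the first '"'
    inside the JSON and leaves REQUEST as '{'.
    """
    keys = list(KEY_RE.finditer(line))
    fields: Dict[str, str] = {}
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(line)
        value = line[start:end].rstrip()
        if not value.endswith('"'):
            raise ValueError(f"unterminated value for {m.group(1)}")
        fields[m.group(1)] = value[:-1]
    return fields


def get_path(obj: Any, path: str) -> Optional[Any]:
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def extract(line: str) -> Dict[str, Any]:
    """The four values asked for in the post; 'customer' and 'model' are objects."""
    fields = split_record(line)
    request = json.loads(fields["REQUEST"])
    response = json.loads(fields["RESPONSE"])
    return {
        "accountNumber": get_path(request, "body.customer.accountNumber"),
        "channel": get_path(request, "headers.Channel"),
        "serialNumber": get_path(request, "body.equipment.serialNumber"),
        "transactionReferenceNumber": get_path(
            response, "body.model.transactionReferenceNumber"),
    }


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Basic auth is base64 of 'user:password', i.e. a recoverable credential."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def find_secrets(line: str) -> List[str]:
    """Dotted locations of clear-text secrets present in the record."""
    fields = split_record(line)
    found: List[str] = []
    for top, paths in SENSITIVE.items():
        doc = json.loads(fields.get(top, "{}"))
        found.extend(f"{top}.{p}" for p in paths if get_path(doc, p) is not None)
    return found


def redact(line: str) -> str:
    """Rebuild the record with secret values replaced; business fields survive."""
    fields = split_record(line)
    for top, paths in SENSITIVE.items():
        if top not in fields:
            continue
        doc = json.loads(fields[top])
        for p in paths:
            parent_path, _, leaf = p.rpartition(".")
            parent = get_path(doc, parent_path)
            if isinstance(parent, dict) and leaf in parent:
                parent[leaf] = "[REDACTED]"
        fields[top] = json.dumps(doc, separators=(",", ":"))
    return ", ".join(f'{k}="{v}"' for k, v in fields.items())


if __name__ == "__main__":
    print(extract(SAMPLE))
    print(find_secrets(SAMPLE))
    print(redact(SAMPLE))
```

Running the block prints the four extracted values, the two secret locations, and a copy of the record with them blanked; redact is the shape of transform to apply before such records are indexed, since anyone who can search the index can otherwise recover the upstream password with decode_basic.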
Hi @marco_massari11, at first sight the regex isn't correct. What happens if you try to use it in a search with the regex command? Ciao. Giuseppe
Hi all, I need to use Splunk DB Connect to connect to an on-prem MongoDB instance. I've installed the Splunk DBX Add-on for MongoDB, but I understand that it works only with MongoDB Atlas and not with an on-prem Mongo installation. I tried to follow this suggestion https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-use-Splunk-DB-Connect-to-search-MongoDB/m-p/210569 but the format of the stanza is quite different. When I try to create a connection using the MongoDB Atlas Connection Type, I receive this error: Command failed with error 40324 (Location40324): 'Unrecognized pipeline stage name: '$sql' Any suggestions? Fabrizio
The users are still active in Active Directory, but have not logged in for some time. I would be happy to re-assign them, but there is no option for that in the "Orphaned Scheduled Searches, Reports, and Alerts" report. This is the crux of my problem. The items are not displayed in the Settings > All Configurations app, or report, or whatever it is called.
Got it, thanks, it's working and shows the latest correlationId. At what frequency does the correlationId change?
Hi Team, could you please help me with the below issue. I am using the Splunk App for SOAR Export to push notables to Splunk Phantom, but it is creating 2 identical artifacts in one container. Can you guide me on how I can avoid creating multiple artifacts in one container? Thanks in advance
I just want to show the latest correlationId, and in your query it's showing multiple correlationIds. I just want to show the count of enabled and disabled in a pie chart.
If I remove the stats line it shows 0 events. Not showing any counts.
You don't need the stats values() line

index="mulesoft" applicationName="scheduler" message="Upcoming :*" [search index="mulesoft" applicationName="scheduler" | stats latest(correlationId) as correlationId | table correlationId | format] | where 'content.currStatus'!="Interface has no entry found in object Store" | stats count by content.currStatus
Hello, I need to monitor two different types of events for some servers: the authentication events (4624, 4634, 4625) for the admin users and some Event IDs related to change events (5145, 4663, 4659) for a specific path. Basically I created a server class for the inputs.conf deployment, adding this:

###### OS Logs ######
[WinEventLog://Security]
disabled = 0
index = windows_tmp
followTail=true
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = (EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*))
renderXml=false

I already tested the regex in regex101 https://regex101.com/r/LIaMnU/1 and it seems to be working fine, but in Splunk I'm receiving all the events, as if the whitelist is not applied. Am I missing something?
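The WinEventLog input does not run one regex across the rendered event. In inputs.conf, whitelist (and whitelist1 through whitelist9) takes either a list of event IDs or key=%regex% pairs matched against individual event fields such as EventCode and Message; every pair in one entry must match, separate entries are alternatives, and each regex is a search unless anchored with ^ and $. The two conditions in the post therefore become two entries, one keyed on the logon IDs plus the admin account name, one on the object-access IDs plus the share path. The Python below is an added example for this thread, not Splunk's code and not from the original post: it holds that stanza as a string (an assumed rewrite of the posted one), emulates the documented matching semantics over constructed event texts, and lets the regexes be checked before the server class is pushed. Field labels in the constructed messages follow 4624 and 4663; confirm the label for each ID against a real event, since 5145 describes the path under Share Name and Relative Target Name rather than Object Name.

```python
"""Emulate how a Splunk WinEventLog whitelist in the key=%regex% form is
evaluated, so the conditions from the post can be checked against sample
events before deployment.

Added example for this thread, not Splunk's own code.  The semantics
implemented (pairs within one whitelistN entry are ANDed, separate entries are
ORed, regexes are unanchored unless written with ^ and $) are the documented
inputs.conf behaviour; the stanza below is an assumed rewrite of the posted
one, and the event texts are constructed."""
import re
from typing import Dict, List, Tuple

# Assumed rewrite of the posted stanza: one entry per condition, each keyed on
# the EventCode and Message fields instead of one regex over the whole event.
INPUTS_CONF = r"""
[WinEventLog://Security]
disabled = 0
index = windows_tmp
renderXml = false
whitelist1 = EventCode=%^(4624|4634|4625)$% Message=%Account Name:\s+\S*\.adm%
whitelist2 = EventCode=%^(4659|4663|5145)$% Message=%Object Name:\s+\S*Test_share%
"""

Rule = List[Tuple[str, re.Pattern]]
WHITELIST_LINE = re.compile(r"^\s*whitelist\d*\s*=\s*(.+?)\s*$")
PAIR_RE = re.compile(r"(\w+)=%([^%]+)%")


def parse_whitelists(conf: str) -> List[Rule]:
    """Collect the key/regex pairs of every whitelist[N] line in the stanza.
    A line with no key=%regex% pairs (such as a bare whole-event regex)
    contributes nothing here."""
    rules: List[Rule] = []
    for line in conf.splitlines():
        m = WHITELIST_LINE.match(line)
        if m:
            pairs = [(k, re.compile(rx)) for k, rx in PAIR_RE.findall(m.group(1))]
            if pairs:
                rules.append(pairs)
    return rules


def admitted(event: Dict[str, str], rules: List[Rule]) -> bool:
    """An event passes if some entry has all of its regexes matching the
    corresponding event fields (search semantics, so anchor where needed)."""
    return any(
        all(rx.search(event.get(key, "")) for key, rx in rule) for rule in rules
    )


def admitted_codes(events: List[Dict[str, str]], rules: List[Rule]) -> List[str]:
    """EventCodes of the events that the whitelist would forward."""
    return [e["EventCode"] for e in events if admitted(e, rules)]


# Constructed events trimmed to the fields the rules look at; real messages
# carry more lines.  Check the rendered label for 5145 (Share Name / Relative
# Target Name) before relying on "Object Name" for it.
EVENTS = [
    {"EventCode": "4624",   # admin logon: pass
     "Message": "An account was successfully logged on.\r\n\r\nNew Logon:\r\n"
                "\tAccount Name:\t\tjdoe.adm\r\n\tAccount Domain:\t\tCORP"},
    {"EventCode": "4624",   # ordinary user logon: drop
     "Message": "An account was successfully logged on.\r\n\r\nNew Logon:\r\n"
                "\tAccount Name:\t\tjdoe\r\n\tAccount Domain:\t\tCORP"},
    {"EventCode": "4663",   # access under the monitored share: pass
     "Message": "An attempt was made to access an object.\r\n\r\nObject:\r\n"
                "\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Test_share\\plan.xlsx"},
    {"EventCode": "4663",   # access elsewhere: drop
     "Message": "An attempt was made to access an object.\r\n\r\nObject:\r\n"
                "\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Users\\Public\\readme.txt"},
    {"EventCode": "4672",   # admin marker present but the ID is not listed: drop
     "Message": "Special privileges assigned to new logon.\r\n"
                "\tAccount Name:\t\tjdoe.adm"},
]

RULES = parse_whitelists(INPUTS_CONF)

if __name__ == "__main__":
    for e in EVENTS:
        print(e["EventCode"], "pass" if admitted(e, RULES) else "drop")
```

The Message regexes are tightened relative to the post (\S*\.adm requires the marker inside the account-name token itself rather than anywhere later on the line), which is the kind of change worth checking here before it lands on the forwarders.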
Hi @splunky_diamond, you can use the parameter maxQueueSize in outputs.conf. About the location, I'm not sure, but it should be in $SPLUNK_HOME/var/run/splunk. Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated. Ciao. Giuseppe
Here's a query that will find most KOs owned by inactive users. You may want to enhance it to also look for lookups. Of course, change the '90' to whatever value you deem to be 'inactive'.

| rest splunk_server=local /servicesNS/-/-/admin/directory
| fields title eai:acl.app eai:acl.owner eai:type eai:acl.sharing
| rename eai:acl.* as *
| where (owner!="nobody" AND owner!="admin")
| search [| rest splunk_server = local /servicesNS/-/-/admin/users
    | fields title last_successful_login
    | eval lastLogin = if(isnull(last_successful_login) OR last_successful_login=0,"never", strftime(last_successful_login, "%c"))
    | eval idleDays = round((now()-last_successful_login)/86400,0)
    | where (idleDays > 90 OR lastLogin = "never")
    | fields title
    | rename title as owner
    | format]
Hi @ITWhisperer, the query is working, but I need the total counts of enabled and disabled in the output. Now it's showing 1 for enabled and 1 for disabled, but the event count is 79.

index="mulesoft" applicationName="scheduler" message="Upcoming :*" [search index="mulesoft" applicationName="scheduler" | stats latest(correlationId) as correlationId | table correlationId | format] | stats values(content.currStatus) as currStatus by correlationId | where currStatus!="Interface has no entry found in object Store" | stats count by currStatus

There are 79 events; of these, 74 are enabled and 5 are disabled. The values enabled and disabled come from the currStatus field.
Tell Splunk which field to extract from by using the in option. EXTRACT-service = [^:]+:[^:]+:(?<service>.+)$ in source  
Hi @karthi2809, if currStatus has the values enabled or disabled, please try something like this:

"content.currStatus"="*" content.currStatus!="Interface has no entry found in object Store" | rename content.currStatus AS currStatus | stats count(eval(currStatus="enabled")) AS enabled_count count(eval(currStatus="disabled")) AS disabled_count last(currStatus) AS last_currStatus BY correlationId

In addition, one hint: always add the index containing these events; you'll have a faster search and you'll be sure to take the right events. Ciao. Giuseppe
Use the below as an example, using both props and transforms. Change to the sourcetype that you are using and, if it works, change your group names if desired.

props.conf
[my_sourcetype]
REPORT-my_service = extract_service

transforms.conf
[extract_service]
SOURCE_KEY = source
REGEX = [^:]+:(?<my_service>.+)$
FORMAT = my_service::$1
Thank you very much for your reply, @gcusello! I have some questions about your post: where can I configure for how long the UF stores the logs when the connection is interrupted? Also, how can I find the location where the UF stores these logs; is it some file within the add-on? And finally, what's the capacity of that file or those files where the logs will be stored in this scenario before the connection to the Splunk machine is re-established?
Try something like this

"content.currStatus"="*" [search <your index> | stats latest(correlationId) as correlationId | table correlationId | format] | where currStatus!="Interface has no entry found in object Store" | stats count by currStatus
It looks like the app was not re-packaged properly on the Linux box.  Perhaps an extra directory level was added.
Hi All, the Java App Agent is not showing up in Tier and Node; also, in the app agent logs I can see the following messages.

[AD Thread Pool-Global1] 02 May 2024 21:21:31,149 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global0] 02 May 2024 21:21:55,817 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global1] 02 May 2024 21:21:55,832 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global1] 02 May 2024 21:22:55,833 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global0] 02 May 2024 21:22:55,848 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global1] 02 May 2024 21:23:55,849 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global0] 02 May 2024 21:23:55,866 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global1] 02 May 2024 21:25:53,942 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global1] 02 May 2024 21:25:58,948 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global1] 02 May 2024 21:30:53,887 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global0] 02 May 2024 21:35:53,895 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global0] 02 May 2024 21:40:53,906 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global1] 02 May 2024 21:45:53,910 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global0] 02 May 2024 21:49:56,265 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global1] 02 May 2024 21:49:56,279 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global0] 02 May 2024 21:50:53,910 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global1] 02 May 2024 21:50:56,280 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global0] 02 May 2024 21:50:56,295 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global0] 02 May 2024 21:51:56,296 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global1] 02 May 2024 21:51:56,309 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global0] 02 May 2024 21:52:56,310 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)

Regards, Mandar Kadam