All Posts
Hi @maniish.subramani, Can you share what instructions you are following and if there is a confusing step or where you are getting stuck?
Hi @steve.diaz, I'm going to look into the error you mentioned some more. You also seem to be running a VERY old version of AppDynamics. We are currently on 24.4.  Can you update AppDynamics to a more modern version and see if you continue to have this problem? https://docs.appdynamics.com/appd/24.x/latest/en
This is probably an entry level question. I have raw data that looks something like this:
{"id": 99999, "type": "HOST", "timestamp": "2024-04-29T10:41:39.820Z", "entity": {"ipAddress": "1.1.1.1"}, "dataName": "Testing"}
If I search for type="HOST" or entity.ipAddress="1.1.1.1" I get this entry in the results, but if I search for dataName="Testing" or even dataName=*, I get nothing. What is different about this field?
Hello, I read many topics on Zulu time but I'm not able to solve one. I have a date in this form: 2024-04-29T12:01:15.710Z, and I just want it in this form: YYYY-MM-DD HH:MM:SS. I tried this eval:
eval latest_time = strptime(latest_time, "%Y-%m-%dT%H:%M:%S.%3N%Z")
and the result is this: 1714363262.904000. I really don't catch the problem! Thanks, Laurent
In Splunk Studio, I have a Status field with the values DROPPED and NOT DROPPED. If I get DROPPED, the background color of the card should change to green; if the field value is NOT DROPPED, it should be red. How can I achieve this in Splunk Studio? Thanks
My source is Python. In WSDL I have 20 items. While I am executing the query in Splunk, I am getting all 20 items in a single event, so I am unable to extract the fields and show their count. How can I get all 20 items into individual events? How can I achieve it? Thanks
Is there any free alternative to this, as it went out of support? Many thanks.
May I ask if you're using this to track Exchange distribution group changes? Based on my testing, and thanks a lot for sharing your query, it generates a lot of events, because, even if you just remove a member from a group, Exchange will remove and re-add the others... Has anyone found a way to work around this? Cheers!
Hi. I would thoroughly read this doc https://docs.splunk.com/Documentation/Splunk/9.1.4/Installation/AboutupgradingREADTHISFIRST I would make sure you migrate your kvstore before going to 9.x If you aren't a member of Splunk's Slack usergroups instance, now is a good time to join. There's a Slack channel just for 9.x upgrade issues.  Good luck!
At this moment, all message responses come in less than 10 seconds. This is okay. We want to create an alert if, e.g., the following happens:

Time      message response code
15:00:43  200
15:00:45  200
15:00:54  200

or

Time      message response code
15:00:43  200
15:00:55  200
15:00:56  200

So if 3 response codes 200 come with no error response between them, and in total they take more than 10 seconds.
"FileName":"" does not produce a null field, it produces a field with an empty string. This is what you are probably seeing. If you want to cope with this, you should set the FileName and filename fields to null() if they are empty strings:
| eval FileName=if(FileName="", null(), FileName)
| eval filename=if(filename="", null(), filename)
thanks @danspav ! that is very helpful!
Hello and thank you in advance for any insight. I am working on upgrading Splunk Enterprise from 8.2.3.2 to 9.1.4. I have been digging into the release notes and want to double-check I am not missing anything significant.  Has anyone had any issues upgrading from Splunk Enterprise 8.2.3.2 to 9.1.4? 
You can filter the API response using the parameters described at https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTprolog#Pagination_and_filtering_parameters
Try something like this:
https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json&f=title&f=description
Thanks VM, got it working now.
Hello, I'm having problems using roles. I use this search, which gives me results via the admin role:
[search index="idx_arv_ach_cas_traces" source="*orange_ach_cas_traces_ac_20*" nom_prenom_manager="*" nom_prenom_rdg="*" cuid="*" ttv="*" (LibEDO="*") (LibEDO="*MAROC ANNULATION FIBRE INTERNET" OR LibEDO="*MAROC CTC ET PROSPECT" OR LibEDO="*MAROC CTC HOME" OR LibEDO="*MAROC HORS-PROD" OR LibEDO="*MAROC N1 ACH" OR LibEDO="*MAROC N2 ACH GESTION" OR LibEDO="*MAROC N2 ACH RECLAMATION" OR LibEDO="*MAROC N2 ACH RECOUVREMENT" OR LibEDO="*MAROC RECOUVREMENT SOSH" OR LibEDO="*MAROC GESTION MS") ((lib_origine="Appel Reco" OR "Appel Sortant" OR "BO Récla Recouv" OR "Correspondance Entrante" OR "Correspondance Sortante" OR "Courrier Ent Fidé" OR "Etask") OR (lib_motif="Contact Flash" OR "Contact non tracé" OR "Traiter une demande en N2" OR "Verbatim urgent") OR (lib_resultat="Client Pro" OR "Contact Flash" OR "Contact non tracé")) AND (cuid!="AUTOCPAD" AND cuid!="BTORCPAD" AND cuid!="COCOA01" AND cuid!="CRISTORC" AND cuid!="ECARE" AND cuid!="FACADE" AND cuid!="IODA" AND cuid!="MEFIN" AND cuid!="ND" AND cuid!="ORCIP" AND cuid!="ORDRAGEN" AND cuid!="PORTAIL USSD" AND cuid!="RECOU01" AND cuid!="SGZF0000" AND cuid!="SVI" AND cuid!="USAGER PURGE" AND cuid!="VAL01") | eventstats sum(total) as "Nbre_de_tracages" by lib_origine | top "Nbre_de_tracages" lib_origine | sort - "Nbre_de_tracages" | head 5 | streamstats count as row_number | search row_number=1 | return lib_origine] nom_prenom_manager="*" nom_prenom_rdg="*" cuid="*" ttv="*" (LibEDO="*") (LibEDO="*MAROC ANNULATION FIBRE INTERNET" OR LibEDO="*MAROC CTC ET PROSPECT" OR LibEDO="*MAROC CTC HOME" OR LibEDO="*MAROC HORS-PROD" OR LibEDO="*MAROC N1 ACH" OR LibEDO="*MAROC N2 ACH GESTION" OR LibEDO="*MAROC N2 ACH RECLAMATION" OR LibEDO="*MAROC N2 ACH RECOUVREMENT" OR LibEDO="*MAROC RECOUVREMENT SOSH" OR LibEDO="*MAROC GESTION MS") ((lib_origine="Appel Reco" OR "Appel Sortant" OR "BO Récla Recouv" OR "Correspondance Entrante" OR "Correspondance Sortante" OR "Courrier Ent Fidé" OR "Etask") OR (lib_motif="Contact Flash" OR "Contact non tracé" OR "Traiter une demande en N2" OR "Verbatim urgent") OR (lib_resultat="Client Pro" OR "Contact Flash" OR "Contact non tracé")) AND (cuid!="AUTOCPAD" AND cuid!="BTORCPAD" AND cuid!="COCOA01" AND cuid!="CRISTORC" AND cuid!="ECARE" AND cuid!="FACADE" AND cuid!="IODA" AND cuid!="MEFIN" AND cuid!="ND" AND cuid!="ORCIP" AND cuid!="ORDRAGEN" AND cuid!="PORTAIL USSD" AND cuid!="RECOU01" AND cuid!="SGZF0000" AND cuid!="SVI" AND cuid!="USAGER PURGE" AND cuid!="VAL01") | stats sum(total) as "nb_tracages" by cuid lib_origine | sort -nb_tracages | head 5
When I use another role, the first part of the search works, but not the second. The search on nom_prenom_manager="*", ... doesn't give any results, whereas with the admin role it does. I can't modify the query because I don't have rights to it, but I have to play with the roles. I'd like to point out that the manager_last_name field is obtained via an automatic lookup. But there's no problem with specific rights for the admin role. I've tried everything, but I can't find a solution. Please share if you have an idea.
Hey @SplunkExplorer, as you mentioned, it indeed is a permission issue. The lookup might be created within the search app context and the permission might not be shared to access the lookup within a different app context. You can update the permission of the KO to be shared globally and it should resolve your concern.
Thanks, Tejas.
--- If the above solution helps, an upvote is appreciated.
Hello! You are not required to use data models or CIM compliance in correlation searches, so that isn't the issue here. Just to verify: if you copy/paste this exact search into a regular search bar, it will find results? If that is the case, here's what I would check:
- Is it looking back the same amount of time? Make sure your correlation search is using the same look back as your manual search.
- Are you executing the search within the Enterprise Security app when you are testing? If not, try it there. If the results don't return within the Enterprise Security app but they do within a different app, it could be a permissions/sharing setting for field parsings.
This seems to be a known issue with 9.1. As you can see, a minimum privileged user splunkfwd is automatically created.
Reference: SPL-242093, SPL-242240 (https://docs.splunk.com/Documentation/Splunk/9.1.0/ReleaseNotes/KnownIssues)
Workaround: https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/Installleastprivileged
I'm marking this as the solution since it makes my search nearly instant. Though join might not be optimal, this change is sufficient for my needs at the moment. Thanks a lot @PickleRick and also @ITWhisperer for the time and effort spent. Much appreciated!