All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Hi @SumitSharma , this app isn't certified for Splunk Cloud. In addition ths app doesn't seem to be free (I could be wrong about this!). anyway, you should consider this app as a custom app and mo... See more...
Hi @SumitSharma , this app isn't certified for Splunk Cloud. In addition ths app doesn't seem to be free (I could be wrong about this!). anyway, you should consider this app as a custom app and modify it to remove the part containing scripts that probably will block the upoad in Splunk Cloud. The app ins't accessible so I cannot be more detaied. Ciao. Giuseppe
Hi @Ram2, In the code you shared there are some missing parts. the, these aren't few hosts so I hint to use a lookup containing two columns: env host like the folowing: env host DEV amptams.d... See more...
Hi @Ram2, In the code you shared there are some missing parts. the, these aren't few hosts so I hint to use a lookup containing two columns: env host like the folowing: env host DEV amptams.dev.com DEV ampvitss.dev.com DEV ampdoctrc.dev.com SIT ampastdmsg.dev.com SIT ampmorce.dev.com SIT ampsmls.dev.com UAT ampserv.dev.com UAT ampasoomsg.dev.com SYS ampmsdser.dev.com SYS ampastcol.dev.com (remember to create also the Lookup Definition). in this way you could use in cascade two dropdown lists in this way: <form version="1.1" theme="light"> <label>Dashboard</label> <fieldset submitButton="false"> <input type="time" token="timepicker"> <label>TimeRange</label> <default> <earliest>-15m@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="env"> <label>Environment</label> <choice value="*">All</choice> <prefix>env="</prefix> <suffix>"</suffix> <default>*</default> <fieldForLabel>env</fieldForLabel> <fieldForValue>env</fieldForValue> <search> <query> | inputlookup perimeter.csv | dedup env | sort env | table env </query> </search> </input> <input type="dropdown" token="host"> <label>Server</label> <choice value="*">All</choice> <prefix>host="</prefix> <suffix>"</suffix> <default>*</default> <fieldForLabel>host</fieldForLabel> <fieldForValue>host</fieldForValue> <search> <query> | inputlookup perimeter.csv WHERE $env$ | dedup host | sort host | table host </query> </search> </input> </fieldset> <row> <panel> <table> <title>Incoming Count &amp; Total Count</title> <search> <query> index=app-index source=application.logs $env$ $host$ ( "Initial message received with below details" OR "Letter published correctley to ATM subject" OR "Letter published correctley to DMM subject" OR "Letter rejected due to: DOUBLE_KEY" OR "Letter rejected due to: UNVALID_LOG" OR "Letter rejected due to: UNVALID_DATA_APP" ) | rex field= _raw "application :\s(?<Application>\w+)" | rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)" | chart count over Application by Msgs | rename "Initial message received with below details" AS Income, "Letter published correctley to ATM subject" AS ATM, "Letter published correctley to DMM subject" AS DMM, "Letter rejected due to: DOUBLE_KEY" AS Reject, "Letter rejected due to: UNVALID_LOG" AS Rej_log, "Letter rejected due to: UNVALID_DATA_APP" AS Rej_app | table Income Rej_app ATM DMM Reject Rej_log Rej_app </query> <earliest>timepicker.earliest</earliest> <latest>timepicker.latest</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentageRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> <form>  Ciao. Giuseppe
Thanks for your suggestion. I read your the link you provided. So, I can't outputlookup data to KVStore without building KVcollection first, correct? Should I create transform.conf and collectio... See more...
Thanks for your suggestion. I read your the link you provided. So, I can't outputlookup data to KVStore without building KVcollection first, correct? Should I create transform.conf and collection.conf? I don't have admin right.   search data | outputlookup kv_store_lookup   https://docs.splunk.com/Documentation/Splunk/9.2.1/Knowledge/ConfigureKVstorelookups https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Outputlookup
Do you get all 0 from this?   | makeresults format=csv data="Income, Rej_app, ATM, DMM, Reject, Rej_log< Rej_app ,,,,, ,,,,, ,,,,," | fillnull   This is what I get ATM DMM Income Rej_app ... See more...
Do you get all 0 from this?   | makeresults format=csv data="Income, Rej_app, ATM, DMM, Reject, Rej_log< Rej_app ,,,,, ,,,,, ,,,,," | fillnull   This is what I get ATM DMM Income Rej_app Rej_log< Rej_app Reject 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0  
Hi @ITWhisperer  The output is correct I want any one the result in my output.either  “file put successfully ” or “inbound file processed”.but it showing both right.so that I want to dedup.
Hello, We are trying to configure the authentication extensions for the Okta identity provider and below are the steps as per the Splunk documentation.Log into Splunk Platform as an administrator lev... See more...
Hello, We are trying to configure the authentication extensions for the Okta identity provider and below are the steps as per the Splunk documentation.Log into Splunk Platform as an administrator level user. From the system bar, click Settings > Authentication Methods. Click "Configure Splunk to use SAML". The "SAML configuration" dialog box appears. In the Script path field within the Authentication Extensions section of the "SAML configuration" dialog box , type in SAML_script_okta.py. In the Script timeout field, type in 300s. In the Get User Info time-to-live field, type in 3600s. Click the Script functions field. In the pop-up window that appears, click getUserInfo. Under Script Secure Arguments, click Add Input. In the Key field, type in apiKey. In the Value field, type in the API key for your IdP. Click "Add input" again. In the "Key" field, type in baseUrl. in the "Value" field, type in the URL of your Okta instance. Click Save. Splunk Cloud Platform saves the Okta configuration and returns you to the SAML Groups page.   Could anyone confirm whether these steps will work for the Splunk OnPrem too? or it is applicable for the Splunk Cloud?    Also, as per Step (In the Value field, type in the API key for your IdP.), we have to provide the API key for the Idp, our security team is asking what permission does the Okta API token needs? any thoughts? Please advice.    Thank you!    
How did you apply fillnull?   |fillnull value=0 Do you mean to say that the following doesn't give you 0 when the value is null? yes
We have a dashboard, where we want to add few hosts in a drop down.  I tried using single host in a drop down its working, but when we add multiple hosts it showing syntax error(invalid attribute.) ... See more...
We have a dashboard, where we want to add few hosts in a drop down.  I tried using single host in a drop down its working, but when we add multiple hosts it showing syntax error(invalid attribute.) DEV amptams.dev.com ampvitss.dev.com ampdoctrc.dev.com SIT ampastdmsg.dev.com ampmorce.dev.com ampsmls.dev.com UAT ampserv.dev.com ampasoomsg.dev.com SYS ampmsdser.dev.com ampastcol.dev.com   Dashboard xml       <form version="1.1" theme="light"> <label>Dashboard</label> <fieldset submitButton="false"> <input type="time" token="timepicker"> <label>TimeRange</label> <default> <earliest>-15m@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="Server"> <label>Env wise hosts</label> <choice value="amptams.dev.com">ENVINORMENT-DEV</choice> <choice value="ampastdmsg.dev.com">ENVINORMENT-SIT</choice> <choice value="ampserv.dev.com">ENVINORMENT-UAT</choice> <choice value="ampmsdser.dev.com">ENVINORMENT-SYS</choice>> </fieldset> <row> <panel> <table> <title>Incoming Count &amp; Total Count</title> <search> <query>index=app-index source=application.logs $Server$ |rex field= _raw "application :\s(?<Application>\w+)" | rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)" |chart count over Application by Msgs |rename "Initial message received with below details" as Income, "Letter published correctley to ATM subject" as ATM, "Letter published correctley to DMM subject" as DMM, "Letter rejected due to: DOUBLE_KEY" as Reject, "Letter rejected due to: UNVALID_LOG" as Rej_log, "Letter rejected due to: UNVALID_DATA_APP" as Rej_app |table Income Rej_app ATM DMM Reject Rej_log Rej_app </query> <earliest>timepicker.earliest</earliest> <latest>timepicker.latest</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentageRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> <form>        
How did you apply fillnull?  Do you mean to say that the following doesn't give you 0 when the value is null? index=app-index source=application.logs |rex field= _raw "application :\s(?<Application... See more...
How did you apply fillnull?  Do you mean to say that the following doesn't give you 0 when the value is null? index=app-index source=application.logs |rex field= _raw "application :\s(?<Application>\w+)" | rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)" |chart count over Application by Msgs |rename "Initial message received with below details" as Income, "Letter published correctley to ATM subject" as ATM, "Letter published correctley to DMM subject" as DMM, "Letter rejected due to: DOUBLE_KEY" as Reject, "Letter rejected due to: UNVALID_LOG" as Rej_log, "Letter rejected due to: UNVALID_DATA_APP" as Rej_app |table Income Rej_app ATM DMM Reject Rej_log Rej_app |fillnull Income Rej_app ATM DMM Reject Rej_log Rej_app  
First, on thought process.  Splunk allows you to create additional field in event stream.  If you mark each day as "day -1", "day -2", etc., you can group earliest and latest by day. This is how to ... See more...
First, on thought process.  Splunk allows you to create additional field in event stream.  If you mark each day as "day -1", "day -2", etc., you can group earliest and latest by day. This is how to do that in Splunk   index=*XYZ" "Batchname1" earliest=-7d@d latest=-0d@d | eval dayback = mvrange(0, 7) | eval day = mvmap(dayback, if(_time < relative_time(now(), "-" . dayback . "d@day") AND relative_time(now(), "-" . tostring(dayback + 1) . "d@day") < _time, dayback, null())) | stats min(_time) as Earliest max(_time) as Latest by day | fieldformat Earliest = strftime(Earliest, "%F %T") | fieldformat Latest = strftime(Latest, "%F %T") | eval day = "day -" . tostring(day + 1)   The output looks like day Earliest Latest day -1 2024-04-23 00:01:00 2024-04-23 23:53:00 day -2 2024-04-22 09:29:00 2024-04-22 23:31:00 day -3 2024-04-21 14:29:00 2024-04-21 14:29:00 day -4 2024-04-20 00:01:00 2024-04-20 19:14:00 day -5 2024-04-19 01:13:00 2024-04-19 23:47:00 day -6 2024-04-18 00:01:00 2024-04-18 23:28:00 day -7 2024-04-17 00:01:00 2024-04-17 23:14:00 Two pointers: It doesn't seem to make sense to search in current day.  So I shifted search period to -0day@day.  If your requirement includes current day, you need to change latest as well as tweak the definition of day a little. Do not use earliest(_time); min(_time) is cheaper. The following is the emulation I use to test the above.   index = _audit earliest=-7d@d latest=-0d@d action=validate_token | timechart span=1m count | where count > 0 ``` emulation of index=*XYZ" "Batchname1" earliest=-7d@d latest=-0d@d ```    
Please find the query and sample logs, Issue is when there are no logs with any of the  Msgs, that coloumns are showing null, tried fill null command but not working. index=app-index source=applicat... See more...
Please find the query and sample logs, Issue is when there are no logs with any of the  Msgs, that coloumns are showing null, tried fill null command but not working. index=app-index source=application.logs |rex field= _raw "application :\s(?<Application>\w+)" | rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)" |chart count over Application by Msgs |rename "Initial message received with below details" as Income, "Letter published correctley to ATM subject" as ATM, "Letter published correctley to DMM subject" as DMM, "Letter rejected due to: DOUBLE_KEY" as Reject, "Letter rejected due to: UNVALID_LOG" as Rej_log, "Letter rejected due to: UNVALID_DATA_APP" as Rej_app |table Income Rej_app ATM DMM Reject Rej_log Rej_app   Sample logs: 2024-01-24 11:21:55,123 [app-product-network-thread | payments_acoount_history_app_hjutr_12nj567fghj5667_product] INFO STREAM_APPLICATION - Timestamp:2024-01-24 11:21:55,123 Initial message received with below details: Application:Login Code name: payments_acoount_history_app_hjutr_12nj567fghj5667_product Code offset: -12 Code partition: 4 2024-01-24 11:21:55,123 [app-product-network-thread | payments_acoount_history_app_hjutr_12nj567fghj5667_product] INFO STREAM_APPLICATION - Timestamp:2024-01-24 11:21:55,123 Letter published correctley to ATM subject: Application:Success Code name: payments_acoount_history_app_hjutr_12nj567fghj5667_product Code offset: -1 Code partition: 10 2024-01-24 11:21:55,123 [app-product-network-thread | payments_acoount_history_app_hjutr_12nj567fghj5667_product] INFO STREAM_APPLICATION - Timestamp:2024-01-24 11:21:55,123 Letter published correctley to DMM subject: Application:normal-state Code name: payments_acoount_history_app_hjutr_12nj567fghj5667_product Code offset: -1 Code partition: 6   2024-01-24 11:21:55,123 [app-product-network-thread | payments_acoount_history_app_hjutr_12nj567fghj5667_product] INFO STREAM_APPLICATION - Timestamp:2024-01-24 11:21:55,123 Letter rejected due to: DOUBLE_KEY: Application:error-state Code name: payments_acoount_history_app_hjutr_12nj567fghj5667_product Code offset: -1 Code partition: 4   2024-01-24 11:21:55,123 [app-product-network-thread | payments_acoount_history_app_hjutr_12nj567fghj5667_product] INFO STREAM_APPLICATION - Timestamp:2024-01-24 11:21:55,123 Letter rejected due to: UNVALID_LOG: Application:Debug Code name: payments_acoount_history_app_hjutr_12nj567fghj5667_product Code offset: -18 Code partition: 2   2024-01-24 11:21:55,123 [app-product-network-thread | payments_acoount_history_app_hjutr_12nj567fghj5667_product] INFO STREAM_APPLICATION - Timestamp:2024-01-24 11:21:55,123 Letter rejected due to: UNVALID_DATA_APP: Application:logout Code name: payments_acoount_history_app_hjutr_12nj567fghj5667_product Code offset: -4 Code partition: 0
Hi, Our application uses log4j2 logging framework. We are trying to send log signals created by Otel Logs SDK to Splunk cloud platform. Instead of fileReceiver, we want to send these over HTTP. We... See more...
Hi, Our application uses log4j2 logging framework. We are trying to send log signals created by Otel Logs SDK to Splunk cloud platform. Instead of fileReceiver, we want to send these over HTTP. We are using HTTP Event Collector to send the log records to Splunk Cloud. Our configuration for HEC exporter in OTEL Collector is: exporter: splunk_hec/logs: token: "<token>" endpoint: "https://<host>:8088/services/collector/raw" source: "otel" index: "logs" disable_compression: false tls: insecure_skip_verify: true service: pipelines: logs: receivers: [ otlp ] processors: [ batch] exporters: [ splunk_hec/logs] We do see the events being received at Splunk Cloud Platform, but we are not able to query the log data itself. Can someone guide if this is correct way ? or guide to correct resource. Thanks!
Your regex seems pretty OK. You could try to simplify it a bit (the character class is not needed if you want just one character, slashes don't need escaping and {1,} can be replaced by +)  so you co... See more...
Your regex seems pretty OK. You could try to simplify it a bit (the character class is not needed if you want just one character, slashes don't need escaping and {1,} can be replaced by +)  so you could do something like this: (?:/[^/]*)+/(\w*) But you can simplify it even further (?:.*)/(\w*) You could take one thing into account though - a valid hostname can contain a dash which is not included in \w. Also, depending on your environment, if it's a FQDN, it can contain dots.  
Hi. We just upgraded from 9.0.6 to 9.1.4 and are seeing these same warnings. Do we know that this was fixed in 9.1.4?
I have changed my appserver/static/javascript directory and the setup page that reffers to it does not update. I tried to uninstall the add-on, restart Splunk server, but it does not change... plea... See more...
I have changed my appserver/static/javascript directory and the setup page that reffers to it does not update. I tried to uninstall the add-on, restart Splunk server, but it does not change... please help me figure out what do I miss...  this is my setup page dashboard (./javascript/setup_page.js is the file I changed without any effects <dashboard isDashboard="false" version="1.1"            script="./javascript/setup_page.js"            stylesheet="./styles/setup_page.css"            hideEdit="true"            hideAppBar="true" >       <label>Setup Page</label>     <row>         <panel>             <html>                 <div id="main_container"></div>             </html>         </panel>     </row> </dashboard>
Don't you mean | rename licenseGB as GB
Hi, I am having troubles with providing the correct regex to extract the hostname from the file location. The file structure looks like this  /var/log/syslog/splunk-lb/ise/switch01.log I need only ... See more...
Hi, I am having troubles with providing the correct regex to extract the hostname from the file location. The file structure looks like this  /var/log/syslog/splunk-lb/ise/switch01.log I need only the switch01 as hostname but splunk add switch01.log. The regex i use is (?:[\/][^\/]*){1,}[\/](\w*) Any idea how to modify the regex to match only switch01? thanks Alex  
I am trying below blogs to use Splunk Cloud Trial version in SAP Cloud Integration. However, I am getting below error when trying to call Splunk Cloud Trial version url https://<hostname>.splunkclo... See more...
I am trying below blogs to use Splunk Cloud Trial version in SAP Cloud Integration. However, I am getting below error when trying to call Splunk Cloud Trial version url https://<hostname>.splunkcloud.com:8088/services/collector/event   Error:  java.net.ConnectException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target   I tried adding the Root certificate in my keystore but still get same error. Also, when trying to add the url to Cloud Connector (after adding root certificate in keystore), I get handshake error.   Is there a way to resolve this ?   Blogs https://community.sap.com/t5/technology-blogs-by-members/splunk-part-1-sap-apim-logging-monitoring/ba-p/13444151 https://community.sap.com/t5/technology-blogs-by-members/splunk-part-2-sap-cpi-mpl-logging/ba-p/13446064    
Correct I configured a linux host with a Splunk Enterprise installation (not Universal Forwarder) and configured it to retrieve deployment configurations from a second server
When we go to look at the UI sometimes, it says the app is missing so the UI is unavailable. When it does let us look at the UI, we can't create anything because the app is missing. I was under the i... See more...
When we go to look at the UI sometimes, it says the app is missing so the UI is unavailable. When it does let us look at the UI, we can't create anything because the app is missing. I was under the impression from the documents that it's created the second you open that UI so unsure what is going on.