All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

We have a dashboard, where we want to add few hosts in a drop down.  I tried using single host in a drop down its working, but when we add multiple hosts it showing syntax error(invalid attribute.) ... See more...
We have a dashboard, where we want to add few hosts in a drop down.  I tried using single host in a drop down its working, but when we add multiple hosts it showing syntax error(invalid attribute.) DEV amptams.dev.com ampvitss.dev.com ampdoctrc.dev.com SIT ampastdmsg.dev.com ampmorce.dev.com ampsmls.dev.com UAT ampserv.dev.com ampasoomsg.dev.com SYS ampmsdser.dev.com ampastcol.dev.com   Dashboard xml       <form version="1.1" theme="light"> <label>Dashboard</label> <fieldset submitButton="false"> <input type="time" token="timepicker"> <label>TimeRange</label> <default> <earliest>-15m@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="Server"> <label>Env wise hosts</label> <choice value="amptams.dev.com">ENVINORMENT-DEV</choice> <choice value="ampastdmsg.dev.com">ENVINORMENT-SIT</choice> <choice value="ampserv.dev.com">ENVINORMENT-UAT</choice> <choice value="ampmsdser.dev.com">ENVINORMENT-SYS</choice>> </fieldset> <row> <panel> <table> <title>Incoming Count &amp; Total Count</title> <search> <query>index=app-index source=application.logs $Server$ |rex field= _raw "application :\s(?<Application>\w+)" | rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)" |chart count over Application by Msgs |rename "Initial message received with below details" as Income, "Letter published correctley to ATM subject" as ATM, "Letter published correctley to DMM subject" as DMM, "Letter rejected due to: DOUBLE_KEY" as Reject, "Letter rejected due to: UNVALID_LOG" as Rej_log, "Letter rejected due to: UNVALID_DATA_APP" as Rej_app |table Income Rej_app ATM DMM Reject Rej_log Rej_app </query> <earliest>timepicker.earliest</earliest> <latest>timepicker.latest</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentageRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> <form>        
How did you apply fillnull?  Do you mean to say that the following doesn't give you 0 when the value is null? index=app-index source=application.logs |rex field= _raw "application :\s(?<Application... See more...
How did you apply fillnull?  Do you mean to say that the following doesn't give you 0 when the value is null? index=app-index source=application.logs |rex field= _raw "application :\s(?<Application>\w+)" | rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)" |chart count over Application by Msgs |rename "Initial message received with below details" as Income, "Letter published correctley to ATM subject" as ATM, "Letter published correctley to DMM subject" as DMM, "Letter rejected due to: DOUBLE_KEY" as Reject, "Letter rejected due to: UNVALID_LOG" as Rej_log, "Letter rejected due to: UNVALID_DATA_APP" as Rej_app |table Income Rej_app ATM DMM Reject Rej_log Rej_app |fillnull Income Rej_app ATM DMM Reject Rej_log Rej_app  
First, on thought process.  Splunk allows you to create additional field in event stream.  If you mark each day as "day -1", "day -2", etc., you can group earliest and latest by day. This is how to ... See more...
First, on thought process.  Splunk allows you to create additional field in event stream.  If you mark each day as "day -1", "day -2", etc., you can group earliest and latest by day. This is how to do that in Splunk   index=*XYZ" "Batchname1" earliest=-7d@d latest=-0d@d | eval dayback = mvrange(0, 7) | eval day = mvmap(dayback, if(_time < relative_time(now(), "-" . dayback . "d@day") AND relative_time(now(), "-" . tostring(dayback + 1) . "d@day") < _time, dayback, null())) | stats min(_time) as Earliest max(_time) as Latest by day | fieldformat Earliest = strftime(Earliest, "%F %T") | fieldformat Latest = strftime(Latest, "%F %T") | eval day = "day -" . tostring(day + 1)   The output looks like day Earliest Latest day -1 2024-04-23 00:01:00 2024-04-23 23:53:00 day -2 2024-04-22 09:29:00 2024-04-22 23:31:00 day -3 2024-04-21 14:29:00 2024-04-21 14:29:00 day -4 2024-04-20 00:01:00 2024-04-20 19:14:00 day -5 2024-04-19 01:13:00 2024-04-19 23:47:00 day -6 2024-04-18 00:01:00 2024-04-18 23:28:00 day -7 2024-04-17 00:01:00 2024-04-17 23:14:00 Two pointers: It doesn't seem to make sense to search in current day.  So I shifted search period to -0day@day.  If your requirement includes current day, you need to change latest as well as tweak the definition of day a little. Do not use earliest(_time); min(_time) is cheaper. The following is the emulation I use to test the above.   index = _audit earliest=-7d@d latest=-0d@d action=validate_token | timechart span=1m count | where count > 0 ``` emulation of index=*XYZ" "Batchname1" earliest=-7d@d latest=-0d@d ```    
Please find the query and sample logs, Issue is when there are no logs with any of the  Msgs, that coloumns are showing null, tried fill null command but not working. index=app-index source=applicat... See more...
Please find the query and sample logs, Issue is when there are no logs with any of the  Msgs, that coloumns are showing null, tried fill null command but not working. index=app-index source=application.logs |rex field= _raw "application :\s(?<Application>\w+)" | rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)" |chart count over Application by Msgs |rename "Initial message received with below details" as Income, "Letter published correctley to ATM subject" as ATM, "Letter published correctley to DMM subject" as DMM, "Letter rejected due to: DOUBLE_KEY" as Reject, "Letter rejected due to: UNVALID_LOG" as Rej_log, "Letter rejected due to: UNVALID_DATA_APP" as Rej_app |table Income Rej_app ATM DMM Reject Rej_log Rej_app   Sample logs: 2024-01-24 11:21:55,123 [app-product-network-thread | payments_acoount_history_app_hjutr_12nj567fghj5667_product] INFO STREAM_APPLICATION - Timestamp:2024-01-24 11:21:55,123 Initial message received with below details: Application:Login Code name: payments_acoount_history_app_hjutr_12nj567fghj5667_product Code offset: -12 Code partition: 4 2024-01-24 11:21:55,123 [app-product-network-thread | payments_acoount_history_app_hjutr_12nj567fghj5667_product] INFO STREAM_APPLICATION - Timestamp:2024-01-24 11:21:55,123 Letter published correctley to ATM subject: Application:Success Code name: payments_acoount_history_app_hjutr_12nj567fghj5667_product Code offset: -1 Code partition: 10 2024-01-24 11:21:55,123 [app-product-network-thread | payments_acoount_history_app_hjutr_12nj567fghj5667_product] INFO STREAM_APPLICATION - Timestamp:2024-01-24 11:21:55,123 Letter published correctley to DMM subject: Application:normal-state Code name: payments_acoount_history_app_hjutr_12nj567fghj5667_product Code offset: -1 Code partition: 6   2024-01-24 11:21:55,123 [app-product-network-thread | payments_acoount_history_app_hjutr_12nj567fghj5667_product] INFO STREAM_APPLICATION - Timestamp:2024-01-24 11:21:55,123 Letter rejected due to: DOUBLE_KEY: Application:error-state Code name: payments_acoount_history_app_hjutr_12nj567fghj5667_product Code offset: -1 Code partition: 4   2024-01-24 11:21:55,123 [app-product-network-thread | payments_acoount_history_app_hjutr_12nj567fghj5667_product] INFO STREAM_APPLICATION - Timestamp:2024-01-24 11:21:55,123 Letter rejected due to: UNVALID_LOG: Application:Debug Code name: payments_acoount_history_app_hjutr_12nj567fghj5667_product Code offset: -18 Code partition: 2   2024-01-24 11:21:55,123 [app-product-network-thread | payments_acoount_history_app_hjutr_12nj567fghj5667_product] INFO STREAM_APPLICATION - Timestamp:2024-01-24 11:21:55,123 Letter rejected due to: UNVALID_DATA_APP: Application:logout Code name: payments_acoount_history_app_hjutr_12nj567fghj5667_product Code offset: -4 Code partition: 0
Hi, Our application uses log4j2 logging framework. We are trying to send log signals created by Otel Logs SDK to Splunk cloud platform. Instead of fileReceiver, we want to send these over HTTP. We... See more...
Hi, Our application uses log4j2 logging framework. We are trying to send log signals created by Otel Logs SDK to Splunk cloud platform. Instead of fileReceiver, we want to send these over HTTP. We are using HTTP Event Collector to send the log records to Splunk Cloud. Our configuration for HEC exporter in OTEL Collector is: exporter: splunk_hec/logs: token: "<token>" endpoint: "https://<host>:8088/services/collector/raw" source: "otel" index: "logs" disable_compression: false tls: insecure_skip_verify: true service: pipelines: logs: receivers: [ otlp ] processors: [ batch] exporters: [ splunk_hec/logs] We do see the events being received at Splunk Cloud Platform, but we are not able to query the log data itself. Can someone guide if this is correct way ? or guide to correct resource. Thanks!
Your regex seems pretty OK. You could try to simplify it a bit (the character class is not needed if you want just one character, slashes don't need escaping and {1,} can be replaced by +)  so you co... See more...
Your regex seems pretty OK. You could try to simplify it a bit (the character class is not needed if you want just one character, slashes don't need escaping and {1,} can be replaced by +)  so you could do something like this: (?:/[^/]*)+/(\w*) But you can simplify it even further (?:.*)/(\w*) You could take one thing into account though - a valid hostname can contain a dash which is not included in \w. Also, depending on your environment, if it's a FQDN, it can contain dots.  
Hi. We just upgraded from 9.0.6 to 9.1.4 and are seeing these same warnings. Do we know that this was fixed in 9.1.4?
I have changed my appserver/static/javascript directory and the setup page that reffers to it does not update. I tried to uninstall the add-on, restart Splunk server, but it does not change... plea... See more...
I have changed my appserver/static/javascript directory and the setup page that reffers to it does not update. I tried to uninstall the add-on, restart Splunk server, but it does not change... please help me figure out what do I miss...  this is my setup page dashboard (./javascript/setup_page.js is the file I changed without any effects <dashboard isDashboard="false" version="1.1"            script="./javascript/setup_page.js"            stylesheet="./styles/setup_page.css"            hideEdit="true"            hideAppBar="true" >       <label>Setup Page</label>     <row>         <panel>             <html>                 <div id="main_container"></div>             </html>         </panel>     </row> </dashboard>
Don't you mean | rename licenseGB as GB
Hi, I am having troubles with providing the correct regex to extract the hostname from the file location. The file structure looks like this  /var/log/syslog/splunk-lb/ise/switch01.log I need only ... See more...
Hi, I am having troubles with providing the correct regex to extract the hostname from the file location. The file structure looks like this  /var/log/syslog/splunk-lb/ise/switch01.log I need only the switch01 as hostname but splunk add switch01.log. The regex i use is (?:[\/][^\/]*){1,}[\/](\w*) Any idea how to modify the regex to match only switch01? thanks Alex  
I am trying below blogs to use Splunk Cloud Trial version in SAP Cloud Integration. However, I am getting below error when trying to call Splunk Cloud Trial version url https://<hostname>.splunkclo... See more...
I am trying below blogs to use Splunk Cloud Trial version in SAP Cloud Integration. However, I am getting below error when trying to call Splunk Cloud Trial version url https://<hostname>.splunkcloud.com:8088/services/collector/event   Error:  java.net.ConnectException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target   I tried adding the Root certificate in my keystore but still get same error. Also, when trying to add the url to Cloud Connector (after adding root certificate in keystore), I get handshake error.   Is there a way to resolve this ?   Blogs https://community.sap.com/t5/technology-blogs-by-members/splunk-part-1-sap-apim-logging-monitoring/ba-p/13444151 https://community.sap.com/t5/technology-blogs-by-members/splunk-part-2-sap-cpi-mpl-logging/ba-p/13446064    
Correct I configured a linux host with a Splunk Enterprise installation (not Universal Forwarder) and configured it to retrieve deployment configurations from a second server
When we go to look at the UI sometimes, it says the app is missing so the UI is unavailable. When it does let us look at the UI, we can't create anything because the app is missing. I was under the i... See more...
When we go to look at the UI sometimes, it says the app is missing so the UI is unavailable. When it does let us look at the UI, we can't create anything because the app is missing. I was under the impression from the documents that it's created the second you open that UI so unsure what is going on.
| tstats count WHERE index=_internal _index_earliest=-1h _index_latest=now Just set your time range for the search to be greater than the expected delay * earliest_time = -1d@d * latest_time = +... See more...
| tstats count WHERE index=_internal _index_earliest=-1h _index_latest=now Just set your time range for the search to be greater than the expected delay * earliest_time = -1d@d * latest_time = +60d@d 
Certainly, you can edit the app code by cloning the app into a draft and then editing the carbonblack_connector.py file.
Thanks, somehow I didn't see anywhere this step. My errors are gone, now waiting for data to show up on the indexer. 
Hello @danspav , Is there a listing of all the different charting options?  I've tried to use what are some of the possible names for the different charting types.  Some worked and some didn't.  I'm ... See more...
Hello @danspav , Is there a listing of all the different charting options?  I've tried to use what are some of the possible names for the different charting types.  Some worked and some didn't.  I'm sure there's some that I've missed as well.     Is there an option where I can also switch from a chart to a table?  TIA   The following work <choice value="line">Line Chart</choice> <choice value="column">Bar Chart</choice> <choice value="area">Area</choice> <choice value="bar">Bar</choice> <choice value="pie">Pie</choice> <choice value="scatter">scatter</choice> <choice value="bubble">bubble</choice>   The following DIDN'T work <choice value="box-plot">boxplot</choice>. <choice value="histogram">histogram</choice> <choice value="horizon">horizon</choice> <choice value="scatterline">scatterline</choice>  
Hi all -  I am a Splunk Novice, especially when it comes to writing my own queries.  I have created a Splunk Query that serves my first goal:  calculate elapsed time between 2 events.   Now, goa... See more...
Hi all -  I am a Splunk Novice, especially when it comes to writing my own queries.  I have created a Splunk Query that serves my first goal:  calculate elapsed time between 2 events.   Now, goal #2 is to graph that over a time period (i.e. 7 days).  What is stalling my brain is that these events happen every day - in fact, they are batches that run on a cron schedule, so they better be happening every day!  So I am unable to just change the time preset and graph this, because I am using earliest and latest events to calculate beginning and end.  Here is my query to calculate duration:    index=*XYZ" "Batchname1" | stats earliest(_time) AS Earliest, latest(_time) AS Latest | eval Elapsed_Time=Latest-Earliest, Start_Time_Std=strftime(Earliest,"%H:%M:%S:%Y-%m-%d"), End_Time_Std=strftime(Latest,"%H:%M:%S:%Y-%m-%d") | eval Elapsed_Time=Elapsed_Time/60 | table Start_Time_Std, End_Time_Std, Elapsed_Time Any ideas on how to graph this duration over time so I can develop trend lines, etc?  Thanks all for the help! 
Thanks @deepakc 
It could be a n umber of things as to why the data is not coming through or not showing. 1.Whatever your monitoring does it have read permissions? 2.Check for typos' (index name etc) You can als... See more...
It could be a n umber of things as to why the data is not coming through or not showing. 1.Whatever your monitoring does it have read permissions? 2.Check for typos' (index name etc) You can also check the internal logs for clues index=_internal sourcetype=splunkd host=neo log_level=INFO component=WatchedFile | table host, _time, component, event_message, log_level | sort - _time   What is the output of this command - it shows whats being monitored (Assuming its a linux host) /opt/splunk/bin/splunk list inputstatus   Are you able to show us your inputs.conf and describe what you are trying to monitor?