All Posts
Data Summary is not showing any host at all, even though I already added UDP with the IP address on port 514.
Hi Guys, in my scenario I need to show error details per correlation id. There is a field called tracePoint="EXCEPTION" and a message field with PRD(ERROR). In some cases we have an exception first and after that the transaction succeeds, so in that case I want to ignore the transaction in my query. But it is not ignoring the successful correlationId in my result:

index="mulesoft" applicationName="s-concur-api" environment=PRD (tracePoint="EXCEPTION" AND message!="*(SUCCESS)*")
| transaction correlationId
| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.ErrorType as Error content.errorType as errorType content.errorMsg as ErrorMsg content.ErrorMsg as errorMsg
| eval ErrorType=if(isnull(Error),"Unknown",Error)
| dedup CorrelationId
| eval errorType=coalesce(Error,errorType)
| eval Errormsg=coalesce(ErrorMsg,errorMsg)
| table CorrelationId, Timestamp, applicationName, locationInfo.fileName, locationInfo.lineInFile, errorType, message, Errormsg
| sort -Timestamp
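The following is an added example, not code from the post above: it reproduces the filtering problem in plain Python on constructed events shaped like the ones described (field names correlationId, tracePoint, message, content.errorType/ErrorType, content.errorMsg/ErrorMsg are taken from the post; the sample values are made up). A per-event filter such as message!="*(SUCCESS)*" only removes the SUCCESS event itself; the EXCEPTION event that shares the correlationId still passes, so the transaction keeps appearing. The exclusion has to be decided per correlationId after grouping, which is what `failed_transactions` does.

```python
"""Added example: why a per-event SUCCESS filter does not drop a transaction
that later succeeded, and how grouping by correlationId first fixes it.
Events below are constructed to mirror the post, not real Mulesoft logs."""
import re
from collections import defaultdict

# Constructed sample events (c-1 fails, then succeeds; c-2 and c-3 only fail).
EVENTS = [
    {"timestamp": "2024-04-04T10:00:01", "correlationId": "c-1", "tracePoint": "EXCEPTION",
     "message": "PRD(ERROR): upstream timeout",
     "content": {"errorType": "TIMEOUT", "errorMsg": "read timed out"}},
    {"timestamp": "2024-04-04T10:00:03", "correlationId": "c-1", "tracePoint": "END",
     "message": "PRD(SUCCESS): retry completed"},
    {"timestamp": "2024-04-04T10:00:05", "correlationId": "c-2", "tracePoint": "EXCEPTION",
     "message": "PRD(ERROR): schema validation failed",
     "content": {"ErrorType": "VALIDATION", "ErrorMsg": "missing field"}},
    {"timestamp": "2024-04-04T10:00:06", "correlationId": "c-3", "tracePoint": "EXCEPTION",
     "message": "PRD(ERROR): null pointer"},
]

SUCCESS = re.compile(r"\(SUCCESS\)")


def per_event_filter(events):
    """The post's approach: keep EXCEPTION events whose own message is not a SUCCESS.
    c-1 survives because its EXCEPTION event passes the test on its own."""
    return sorted({e["correlationId"] for e in events
                   if e["tracePoint"] == "EXCEPTION" and not SUCCESS.search(e["message"])})


def failed_transactions(events):
    """Group by correlationId first, then drop every group that contains a SUCCESS event."""
    groups = defaultdict(list)
    for e in events:
        groups[e["correlationId"]].append(e)

    rows = []
    for cid, evs in groups.items():
        if any(SUCCESS.search(e["message"]) for e in evs):
            continue  # the transaction eventually succeeded: ignore it
        exceptions = [e for e in evs if e["tracePoint"] == "EXCEPTION"]
        if not exceptions:
            continue
        first = min(exceptions, key=lambda e: e["timestamp"])  # one row per id, like dedup
        content = first.get("content", {})
        rows.append({
            "CorrelationId": cid,
            "Timestamp": first["timestamp"],
            # coalesce across both spellings, falling back to "Unknown" like the eval
            "errorType": content.get("ErrorType") or content.get("errorType") or "Unknown",
            "Errormsg": content.get("ErrorMsg") or content.get("errorMsg"),
            "message": first["message"],
        })
    return sorted(rows, key=lambda r: r["Timestamp"], reverse=True)


if __name__ == "__main__":
    print("per-event filter keeps:", per_event_filter(EVENTS))
    for row in failed_transactions(EVENTS):
        print(row)
```

In SPL the same idea is to run transaction over all events of the correlationId, not only the EXCEPTION ones, and filter the grouped result afterwards (for example with a NOT message="*(SUCCESS)*" search after the transaction command, since transaction collects the messages of the whole group).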
The reason why your subsearch is taking a long time is _probably_ due to the volume of hosts, because using a large X=Y OR A=B OR C=D expression in the search can be very slow to get parsed and setup, hence the lookup option can often be the better option. The second way is fundamentally on a different planet to your concept of the previous search. Using join in itself is limited and using join+inputlookup is a completely wrong way to use lookups. The lookup command is designed to enrich data with results from a lookup. If a result cannot be found in the lookup, you will not get results from the lookup and you can validate that state. Have you tried it?
How are you using the token in your search?
I changed ulimits to 64000:

ulimit -n 64000

I also realized I still had THP enabled on the CentOS 7 VM it runs on, so I disabled it and rebooted the VM:

vim /etc/default/grub    # added transparent_hugepage=never to the kernel command line
echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled
echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag

I also enabled auto start for Splunk:

/opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 1

I then rebooted:

reboot

After doing that and the reboot, the searches started to work correctly and stopped erroring out. Hopefully this thread can help someone else who has this weird problem!
The installation instructions for this app seem to refer to a "TA_genesys_cloud" app, while this app is named "genesys_cloud_app". However, there does not seem to be a TA for Genesys Cloud on Splunkbase. There are .SPL files in the source GitHub repo at https://github.com/SplunkBAUG/CCA though. Perhaps those are worth looking at.

EDIT: Note that you should be cautious of .SPL files that are hosted on third-party sites. SPL files that are hosted on Splunkbase go through an inspection process, whereas you're on your own if you install files from third-party sources. I recommend inspecting the contents of the file and determining how it works before installing it in your Splunk environment.
Hi, I have a simple dropdown with 3 options: All, AA and BB. When I select AA/BB I get correct results; however, when I select "All" it says "No search results returned". Not sure where I am going wrong, can anyone help me solve this issue?

"input_iUKfLZBh": {
    "options": {
        "items": [
            { "label": "AA", "value": "AA" },
            { "label": "BB", "value": "BB" },
            { "label": "All", "value": "*" }
        ],
        "token": "Config_type",
        "defaultValue": "AA"
    },
    "title": "Select Error Type",
    "type": "input.dropdown"
}
I tried that one. I have a Debian test system, and downloaded the x64 Debian package from https://download.oracle.com/java/17/latest/jdk-17_linux-x64_bin.deb . I used dpkg to install it, and it created a directory at /usr/lib/jvm/jdk-17-oracle-x64/ . However, providing this path to the DB Connect app still failed to reset the task server. Then I tried "apt install default-jre". It created the folder "/usr/lib/jvm/java-17-openjdk-amd64" along with links in the "/usr/lib/jvm/" directory. For some reason the Splunk DB Connect app would not accept "/usr/lib/jvm/java-17-openjdk-amd64" (failed to reset task server), but it did accept "/usr/lib/jvm/java-1.17.0-openjdk-amd64/" and successfully restarted the task server. Unless you have a strong reason to use a specific JDK, I recommend trying different ones until you get one which works.
Thank you kindly ... this worked perfectly.
Hi @wberkowicz, can you try with PowerShell, with reference to the following post: https://community.splunk.com/t5/Installation/Handy-commands-for-uninstalling-SplunkUniversalForwarder-from/m-p/542627
IME, \r and \n don't always work in Splunk regexes. To match any text that might include newlines, try [\s\S]+.

EventCode=4103[\s\S]+\s+Files\\SplunkUniversalForwarder\\bin\\splunk-powershell\.ps1
Hi @Manasa_401, the response provided by @richgalloway will work:

https://localhost:8000/en-US/account/login?loginType=splunk

In addition to Rich's response: if your existing URL contains the port number 8000, keep that as well. Sometimes it might be an issue with the language (en-us or en-gb); kindly try the URL with the language you use for SAML auth.
Are you trying to configure the SSL certificate for Splunk web, such that accessing Splunk through HTTPS will use your cert? If so, how do the SSL stanzas look on your server.conf and/or web.conf?
My Episodes didn't have any "Impacted entities" until I enabled the correlation search "Service Monitoring - Entity Degraded"
Which bit don't you understand? How to set up a submit button, or how to have a panel search execute if a token changes? Your panel search could be a hidden panel whereby the search uses outputlookup as I suggested.
I'm trying to remove some Windows events from being ingested ... example below.

The regex I've tried in both Ingest Actions and the old method works both at regex101 and in my SPL:

index=win* EventCode=4103 Message=*Files\\SplunkUniversalForwarder*
| regex "EventCode=4103(.|\r|\n)+\s+Files.SplunkUniversalForwarder.bin.splunk-powershell.ps1"

Yet, when I configure an ingest action ruleset, nothing gets removed.

[_rule:ruleset_WinEventLogSecurity:filter:regex:ft7j3fkn]
INGEST_EVAL = queue=if(match(_raw, "EventCode=4103(.|\\r|\\n)+\\s+Files.SplunkUniversalForwarder.bin.splunk-powershell.ps1"), "nullQueue", queue)
STOP_PROCESSING_IF = queue == "nullQueue"

The same goes for trying to do it "the old way":

[drop_4103_splunkpowershell]
DEST_KEY = queue
REGEX = EventCode=4103(.|\r|\n)+\s+Files.SplunkUniversalForwarder.bin.splunk-powershell.ps1
FORMAT = nullQueue

Sample event:

04/04/2024 07:02:28 PM
LogName=Microsoft-Windows-PowerShell/Operational
EventCode=4103
EventType=4
ComputerName=redacted
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-PowerShell
Type=Information
RecordNumber=1258288151
Keywords=None
TaskCategory=Executing Pipeline
OpCode=To be used when operation is just executing a method
Message=CommandInvocation(Start-Sleep): "Start-Sleep"
ParameterBinding(Start-Sleep): name="Milliseconds"; value="200"
Context:
        Severity = Informational
        Host Name = ConsoleHost
        Host Version = 5.1.17763.5576
        Host ID = 222d8490-3c1f-486d-94ed-47f91e59da32
        Host Application = powershell.exe -command $input |C:\Program` Files\SplunkUniversalForwarder\bin\splunk-powershell.ps1 C:\Program` Files\SplunkUniversalForwarder e20c0be00a8583fe
        Engine Version = 5.1.17763.5576
        Runspace ID = 87084a50-365f-409b-aed6-d666c6c6b2b
        Pipeline ID = 1
        Command Name = Start-Sleep
        Command Type = Cmdlet
        Script Name = .......
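The following is an added example and not part of the post: it checks the filtering regexes against a copy of the PowerShell 4103 event quoted above, rebuilt with the CRLF line endings a Windows event carries (the event text is trimmed and constructed here; the hash in the Host Application line is copied from the post). It shows why the pattern needs something that crosses line breaks: in PCRE and Python, `.` stops at a newline unless DOTALL is set, while `[\s\S]`, as suggested in the reply about [\s\S]+, matches any character including \r and \n. The `route` function only mimics the nullQueue decision of the transforms.conf stanza; it is not Splunk code.

```python
"""Added example: test the 4103 filtering regexes offline against the quoted
event with real CRLF line endings, and mimic the nullQueue routing decision."""
import re

# Constructed from the event in the post (trimmed), joined with \r\n as
# delivered by the Windows event log.
RAW_EVENT = "\r\n".join([
    "04/04/2024 07:02:28 PM",
    "LogName=Microsoft-Windows-PowerShell/Operational",
    "EventCode=4103",
    "EventType=4",
    "ComputerName=redacted",
    "Message=CommandInvocation(Start-Sleep): \"Start-Sleep\"",
    "ParameterBinding(Start-Sleep): name=\"Milliseconds\"; value=\"200\"",
    "Context:",
    "        Severity = Informational",
    "        Host Application = powershell.exe -command $input |C:\\Program` Files"
    "\\SplunkUniversalForwarder\\bin\\splunk-powershell.ps1 C:\\Program` Files"
    "\\SplunkUniversalForwarder e20c0be00a8583fe",
    "        Command Name = Start-Sleep",
])

# A 4103 event from some other script, which must keep flowing to the index.
OTHER_EVENT = RAW_EVENT.replace("splunk-powershell.ps1", "Invoke-Something.ps1")

PATTERNS = {
    # `.` never crosses \n, so this cannot reach the Host Application line.
    "dot_only": r"EventCode=4103.+\s+Files\\SplunkUniversalForwarder\\bin\\splunk-powershell\.ps1",
    # The post's pattern: alternation with explicit \r and \n.
    "alternation": r"EventCode=4103(.|\r|\n)+\s+Files.SplunkUniversalForwarder.bin.splunk-powershell.ps1",
    # The reply's pattern: [\s\S] matches any character, newlines included.
    "any_char": r"EventCode=4103[\s\S]+\s+Files\\SplunkUniversalForwarder\\bin\\splunk-powershell\.ps1",
}


def matches(pattern_name, event):
    """True if the named pattern finds a match anywhere in the raw event."""
    return re.search(PATTERNS[pattern_name], event) is not None


def route(event, pattern_name="any_char"):
    """Mimic the transforms stanza: matching events go to nullQueue, others are indexed."""
    return "nullQueue" if matches(pattern_name, event) else "indexQueue"


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:12s} CRLF event -> {matches(name, RAW_EVENT)}")
    print("splunk-powershell event ->", route(RAW_EVENT))
    print("other script event      ->", route(OTHER_EVENT))
```

When moving a pattern that passes here into the configuration, remember that REGEX in a transforms.conf stanza takes the backslashes as written, while the regex inside INGEST_EVAL's match() sits in a double-quoted string and needs them doubled, as in the post's `\\s`.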
Thanks @ITWhisperer for the prompt reply. I don't understand how a CSV file would be generated on the click of a submit button in a dashboard. Can you please elaborate more?

The user selection would be: 1. a time range, then click submit. The panel will show the results of a query which runs for the selected time range. Now the question is how I can export it to a CSV automatically, and later on use this CSV for a different visualisation in a dashboard panel.
The outputlookup command has a create_context option which can be set to user to create user-specific versions of the lookup (csv) file. https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Outputlookup  
I tried several different prior versions. Splunk only accepts the single MSI that was used to install, and that is not available: splunk-7.0.1-2b5b15c4ee89-x64-release.msi. I will need to manually start surgical removal of the prior version. Definitely a negative when trying Splunk.