@richgalloway I've tried this command and it works. However, if I need to filter out specific locations like AB, AC and AD and sum their values into a new location, let's say AM05, then when I search for AM05 it should display the summed value. If I search for AB, it should show the existing value. Is it possible?
I have been struggling to create a dynamic dropdown in Splunk Dashboard Studio. I have watched several videos, but I think they mostly talk about Classic Dashboards. I have also read the documentation, but it has been of no help.
My sample problem is:
A: B, C, D
W: X, Y, Z
I want to create two dropdowns.
Dropdown 1: A, W
Dropdown 2: if "A", then "B", "C", "D" options; if "B", then "X", "Y", "Z" options.
I am unable to figure out how to do this. Any help will be much appreciated. Thank you all.
HEC error 403 is a token problem.  Check that the sender is configured properly. https://docs.splunk.com/Documentation/Splunk/latest/Data/TroubleshootHTTPEventCollector#Possible_error_codes
What if it has more than 50k events?
index="aaam_devops_elasticsearch_idx" | search project = Einstein360_TicketsCreated_ElasticSearch_20210419 | search source.TransactionName ="ITGTicketCreated" | dedup id | timechart span=1d count as ITGTicketCreated | join max=0 _time [| search index="aaam_devops_elasticsearch_idx" | search project = Einstein360_TruckRollCreated_ElasticSearch_20210420 | search source.TransactionName = "Truck_Roll_Create_Result" | timechart span=1d dc(id) as TruckRollCreated] | stats values(ITGTicketCreated) as ITGTicketCreated values(TruckRollCreated) as TruckRollCreated by _time
Hi @Anud
>>> example: alert has trigger for the below data is 2:40
On your data list, I am not sure where to find the 2:40 at all. OK, let's do it like this: simply create a search for a condition (either ID or Bill_ID) and count the results. If you have results equal to zero, then on the alert condition, add your trigger condition. Please let me/us know if you have any questions, thanks.
PS - if any reply helped you, please upvote/add karma points. If any reply solves your query, please accept it as the solution, thanks.
Hi @pmantri10
The golden rule is: good questions will receive good answers!
From the subject I assume you want to list out all HEC inputs you have in your Splunk instance (either Splunk on-prem or Splunk Cloud). If yes, then please go to Settings ---> Data ---> Data inputs. On this page, look for "HTTP Event Collector" (clickable link). When you click on it, you will get the list of HEC inputs you have configured in your Splunk instance.
PS - if any reply helped you, please upvote/add karma points. If any reply solves your query, please accept it as the solution, thanks.
Hi @erikhill
May I know if the above reply solves your query? If not, please let us know more details. If yes, could you please accept it as the solution? Thanks.
Hi @Emre1
>>> i did a free trial 14 days for splunk
You did a free trial of Splunk Cloud, right?
>>> If i want so access instance, it isnt even accessable
In your email, did you get an email from Splunk Cloud to access the Splunk Cloud instance? Did you click and log in? If yes, please share the screenshot.
These all seem to have the word ERROR in them, so just include that in your search.
Hi, could anyone please help figure out, from the logs below, how to achieve this use case: when we launch the RDP proxy from Secret Server, we are seeing some drops in the connection, e.g. look for "error" and "handshake" in the logs.
Sample event for client:
2024-01-12 05:03:37,391 [CID:] [C:] [TID:197] ERROR Thycotic.RDPProxy.CLI.Session.ProxyConnection - Error encountered in RDP handshake for client 192.168.1.1 - (null) System.Exception: Assertion violated: stream.ReadByteInto(bufferStream) == 0x03
at Thycotic.RDPProxy.ContractSlim.Assert(Boolean condition, String conditionStr, String actualStr)
at Thycotic.RDPProxy.Readers.ConnectionRequestProvider.ReadConnectionRequest(Stream stream, AuthenticationState clientState)
at Thycotic.RDPProxy.CLI.Session.ProxyConnection.<DoHandshakeAndForward>d__20.MoveNext()
Sample event for user:
2024-01-12 05:02:11,920 [CID:] [C:] [TID:266] ERROR Thycotic.DE.Feature.SS.RdpProxy.EngineRdpProxySessionService - An error was encountered while attempt to fetch proxy credentials for user 'chrisbronet' - (null)
Another use case is the discovery process from AD to Secret Server, e.g. scan AD, find the local IDs, and create the ID and password in Secret Server. Sample events:
1) 2024-01-11 23:39:36,183 [CID:] [C:] [TID:83] ERROR Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner - WMI (IIS) Unable to connect to xyzwin.abc.com with Exception System.Threading.ThreadAbortException: Thread was being aborted.
at System.Management.IEnumWbemClassObject.Next_(Int32 lTimeout, UInt32 uCount, IWbemClassObject_DoNotMarshal[] apObjects, UInt32& puReturned)
at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
at Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner.<>c__DisplayClass10_0.<IsIisRunningWmi>b__0(Object x) - (null)
2) 2024-01-11 23:29:47,675 [CID:] [C:] [TID:PriorityScheduler Thread @ Normal] ERROR Thycotic.Discovery.Sources.Scanners.MachinePreDiscoveryTester - Could not connect to xyx.win.abc.com with port pre-check. Please open port(s) [135, 445] - (null)
3) 2024-01-11 23:32:32,163 [CID:] [C:] [TID:PriorityScheduler Elastic Thread @ Normal] ERROR Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner - Service Controller (IIS) Unable to connect to xyz.win.abc.com with Exception System.InvalidOperationException: Cannot open W3SVC service on computer 'xyz.win.abc.com'. ---> System.ComponentModel.Win32Exception: Access is denied
--- End of inner exception stack trace ---
at System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess)
... 1 line omitted ...
at System.ServiceProcess.ServiceController.get_Status()
at Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner.IsIisRunningServiceController() - (null)
Thank you
The thing is, we've had this existing setup for years and never had any issues. Therefore, I had hoped to do a like-for-like swap to the new host, to prevent any further complications of building out more machines and making sure all hosts can connect, etc. However, I appreciate the replies and will try to implement some of these recommendations at least.
Here is one way to approach it:
<search first index> [search <second index> | rename child_file_id as file_id | dedup file_id]
Here is another:
<first index> OR <second index> | rename child_file_id as file_id | stats values(*) as * by file_id
Given your vague requirements and lack of sample events, hopefully this will still match what you are attempting to do.
Hi @nehamvinchankar, sorry, this is the check that all the servers are sending data. If you want the list of servers that sent data, it is easier; try this:
| tstats count WHERE index=your_index BY host | table host
Ciao.
Giuseppe
Hi @Anud, let me understand: you have data every hour but you want to trigger an alert if there's a delay of more than 10 minutes between events, is this correct? In this case, you could run something like this:
index=your_index | timechart count span=10m | stats count AS checks | where checks<6
You should run this alert every hour to have 6 checks every hour.
Ciao.
Giuseppe
Read the docs for your environment.
But seriously, what are you looking for? Addresses for Cloud inputs? On which of your local HFs/indexers are HEC inputs configured? What tokens do you have configured?
Dears,
I need assistance with a Splunk query to retrieve data from two sources: source X and source Y. I want to match records where child_file_id in source Y matches file_id in source X and retrieve the combined data. How can I achieve this?
So, in my source X, specifically Stealer_*, there are records, each of which includes a file_id, which is illustrated as 3382 in my example. So, when I search for file_id, I find 6 events, all structured similarly but with different values, all sharing the same file_id. In another source, I have data related to source X. To establish connections between them, I use child_file_id as a relational identifier, similar to a database key. As depicted in the screenshot below, you can see that the child_file_id corresponds to the same file_id in the first source.
How can I construct a Splunk query to achieve this? Specifically, I want to retrieve the entire result set in a single query and table. In this query, the data from source 2 (child_file_id) should be duplicated in each event from the first source, creating a unified result.
Final output, something like this:
source_field1,source_field1,source_field1,source_field1,source_field1,source_field2,source_field2
BR.
Hi @tscroggins,
Thanks for the hint. Yes, confirmed, the appLogo.png (appLogo_2x.png), which is allowed to be a bit larger (wider) in size than appIcon*.png, automatically "disables" displaying of the label. And this is kind of "ok". So this is also my (ugly) workaround now: I created appLogo(_2x).png files which have an "embedded" textual element that is the label (or app name) that I want to have visible for users in the upper right corner. But when I remove the "appLogo*.png" files from the "static/" folder, why is THEN the label from app.conf not displayed?? It should be, right? Along with the small appIcon. I would really prefer to display the text label instead of the cumbersome appLogo.png containing text on it.
Hello, I need your help. I did a free 14-day trial for Splunk about an hour ago. If I want to access the instance, it isn't even accessible, like gray-mode. Should I just wait or did I do something wrong?
Thanks for your help
Hi, I still have no 100% working workaround. I tried to create an alert on my search head: when the subscription failed, it triggered a curl script to disable and re-enable the inputs. I learned two important things there.
Order: you should disable the webhook, then the subscription input, then the call record input. Enable the webhook, and enable the subscription. This will update the subscription, but sometimes it doesn't work correctly; in this case, you should clear the KV store first, and the webhook is "Exit"! So you should disable the webhook again, enable it, then enable the call record input. This method above, if you do it manually, solves the issue all the time.
But the second thing: scripted disable/enable works 50-50%. It seems the call record is not correctly reset by the script. So currently I have an alert to myself: "Go monkey and reset it manually".
How to find endpoints of our Splunk instance