All Posts
Thank you, it worked.
Hi, the dnslookup is available in Splunk Cloud, but not like in Enterprise. You might be missing your internal network information by default. Since Splunk Cloud is no longer hosted in your own network, the platform does not talk to your private DNS servers and therefore misses internal DNS information.
@livehybrid Thanks for your help in this regard. Based on reviewing your response, I should be good to update my Splunk universal forwarder from version 6.6.3 to Splunk universal forwarder version 7.3.9 and then to version 8.0.10. But the suggested approach is 6.6.x -> 7.1.x -> 8.0, so why stick to 7.3.9? Can you also guide me on how to get the older version release downloadable links? And with respect to fishbucket and migration changes, I don't see anything captured in the doc, even in the issues section. Could you please give a glimpse of the same.
Here are the download links which may also help:

8.0.10:
https://download.splunk.com/products/universalforwarder/releases/8.0.10/linux/splunkforwarder-8.0.10-9f06f1f5a2e9-Linux-x86_64.tgz
https://download.splunk.com/products/universalforwarder/releases/8.0.10/linux/splunkforwarder-8.0.10-9f06f1f5a2e9-linux-2.6-x86_64.rpm
https://download.splunk.com/products/universalforwarder/releases/8.0.10/linux/splunkforwarder-8.0.10-9f06f1f5a2e9-linux-2.6-amd64.deb

7.3.9:
https://download.splunk.com/products/universalforwarder/releases/7.3.9/linux/splunkforwarder-7.3.9-39a78bf1bc5b-linux-2.6-x86_64.rpm
https://download.splunk.com/products/universalforwarder/releases/7.3.9/linux/splunkforwarder-7.3.9-39a78bf1bc5b-linux-2.6-amd64.deb
https://download.splunk.com/products/universalforwarder/releases/7.3.9/linux/splunkforwarder-7.3.9-39a78bf1bc5b-Linux-x86_64.tgz

Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @AsmaF2025 Yes, those documents are labelled Splunk Enterprise; however, the upgrade paths for the UF and a full Enterprise install are the same, due to shared components which require updating, such as the fishbucket and config migration. There is a lot more in common between the UF and a full Enterprise install than people often think. The main obvious difference is that Enterprise includes Python and MongoDB. Nevertheless, the upgrade paths are the same.
Faced the same issue. Though it shows 401 Authorized, the search in the "_internal" index showed it's a "JsonWebToken validation failure". This happens mostly when you have Splunk Cloud and there is a maintenance or restart happening. The API bearer token you/your service account are using may need a kick. So please try 'logout' (the user from the Splunk console) or expire it from Splunk and re-login/retry. Hopefully that will fix it. For us, it was a sudden stoppage of 3 or 4 tokens at the same time which gave the hint.
@livehybrid Thanks for the time you took to reply. My requirement is to update Splunk universal forwarder from 6.6.3 to Splunk universal forwarder 8.0.x. It seems like you are referring to the Splunk Enterprise upgrade.
@livehybrid / All, Thanks for the time you took to reply. My requirement is to update Splunk universal forwarder from 6.6.3 to Splunk universal forwarder 8.0.x. And my current version of Splunk Enterprise is 8.2.7, which will be upgraded next to version 9.0.x. I am assuming that updating the Universal forwarder to 8.0.x will be compatible with Splunk Enterprise 9.x.x. QA: 1. Can I do a straight upgrade from 6.6.3 to 8.0.x? 2. How do I get the older version UF packages (required tgz, rpm and msi)? Request suggestions and guidance please.
Hi @AsmaF2025 According to the documentation we must install 7.1.x before upgrading to 8.0.x - see https://docs.splunk.com/Documentation/Splunk/8.0.10/Installation/HowtoupgradeSplunk#:~:text=and%20release%20notes.-,Upgrade%20paths%20to%20version%208.0,-The%20following%20table Personally I have achieved this upgrade directly previously; however, it has been discussed on here before that there are a bunch of different things, such as the fishbucket, which get upgraded along the way, and therefore you should follow the documented upgrade path.
I have a bunch of Splunk universal forwarders which run on version 6.6.3 on Linux machines. I'm looking forward to upgrading them to 8.0.x. Am I good enough to do the straight upgrade from 6.6.3 to 8.0.x? And my Splunk Enterprise instances are on version 8.2.7. As the next plan, we will also be updating the Splunk Enterprise instances to the 9.x.x series. If I go ahead and update Splunk Enterprise to version 9.0, I hope UF 6.6.3 is not compatible with 9.0 as per the official doc. QA: 1. Can I do a straight upgrade from 6.6.3 to 8.0.x? 2. How do I get the older version UF packages (required tgz, rpm and msi)? Request suggestions and guidance please. #universalforwarder6.6.3 #universalforwarder8.0.x #Linux #upgradation
@msatish You need to rebuild the forwarder asset table in the CMC for it to update properly. Go to CMC > Forwarders > Forwarder Monitoring Setup > Rebuild Forwarder Assets. Refer to the docs below:
Use the Forwarder dashboards - Splunk Documentation
Solved: monitoring console triggered alerts - missing forw... - Splunk Community
Solved: Why is our universal forwarder not visible in the ... - Splunk Community
"I need the same functionality like in Studio - 'Select matched'."

As we have established, there is no feature parity between Dashboard Studio and SimpleXML. All you can do is emulate the effect. Let me repeat: there are a million ways to do this. Details will depend on your desires, data characteristics, and how the token will be used.

In the following sample dashboard, the user can enter a string of text to "match" some element in the list displayed in the upper right box. The result is used to populate a token named $group_tok$. This token is then used in the search in the bottom "Results" panel. (Again, index=_internal is used as example source data.)

<form version="1.1" theme="light">
  <label>"Select matches"</label>
  <description>https://community.splunk.com/t5/Splunk-Search/Multiselect-filter-Select-all-matches-in-classic-dashboard/m-p/745537#M241480, but only use matches</description>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="text" token="group_string" searchWhenChanged="true">
        <label>type a string to match group</label>
        <default></default>
      </input>
    </panel>
    <panel>
      <table>
        <search>
          <query>| tstats count where index=_internal by PREFIX(group=)
| search "group=" = "*$group_string$*"
| stats values(group=) as matches</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <set token="group_tok">$result.matches$</set>
          </done>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>$group_tok$</title>
      <event>
        <title>Results</title>
        <search>
          <query>index=_internal group IN ($group_tok$)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>

Play with it and adapt it to your use case.
Newly installed Universal forwarders on Windows servers are forwarding logs to Splunk Cloud, but the newly installed forwarders' names are not coming up in the forwarders list in the Cloud Monitoring Console. What could be the reason?
It is working fine, but when I refresh the entire dashboard the unsolved color becomes the opposite, meaning the panel which was showing green shows red and the other panels show green.
I would go with foreach as @livehybrid does, but the code could be simpler.

|foreach * [eval <<FIELD>> = if(match(<<FIELD>>, "(?i)widget") OR "<<FIELD>>" == "my_field_42", <<FIELD>>, null())]

Using the same emulation, you get:

my_field1    my_field_2         my_field_23         my_field_42
             AwesomeWidget69                        your mom
                                Widgets are cool    Look, a widget!
                                                    your widget

What should happen if the data is:
my_field_1 = "hello world"
my_field_23 = "goodbye my friend"
...
my_field_42 = "Look, a widget!"
i.e. widget ONLY appears in the field you want to ignore?
It seems like things are moving under your feet - the syntax of your log message has changed from your original example, which had the text StandardizedAddressService; now it's StandardizedAddress. Note that if you create a regex to extract the fields and the message changes, it will break the extraction.

It would be useful, when you say you have errors, to show what you tried and what the result was; otherwise it's almost impossible to come up with a solution.

So, on these assumptions:
a) you have a JSON object after FROM: {}
b) another JSON object after RESULT: 1 | {} - is "1" a fixed value or variable?

Note that your example does NOT show valid JSON for the result. It is missing a comma after the Longitude value before the F - not sure if that is a typo or in your data:

97.999,"Longitude":-97.999"F

Assuming it is a typo, then your search should be this:

Your base data search goes here...
``` This line extracts the from and result JSON objects from your msgTxt field ```
| rex field=msgTxt "FROM:\s*(?<from>.*) RESULT:[^{]*(?<result>.*)"
``` This extracts the JSON from each of those objects ```
| spath input=from
| spath input=result
``` and this makes the field names a bit more sensible ```
| rename AddressDetails{}.* as Result.*, WarningMessages{} as Result.WarningMessages
| table Latitude Longitude *.Latitude *.Longitude Result.WarningMessages

If you reply to these, please post your code in code blocks, so that it's easy to read.
You didn't answer how long your search is running for - I didn't mean the time range, I mean the amount of time the search takes to run. Also, see the other questions. I'm suggesting you split out the searches just to experiment with whether both give the correct count when run individually in the dashboard AND in a manual search. If you shorten the time window, do the results then work? You will need to provide more detail. Look at the search job properties and check the result count and scanCount.
Hi @shawngsharp Further to my last post, you could also use:

|foreach * [eval field_matches = mvappend(field_matches, if(match(<<FIELD>>, "(?i)widget"), "<<FIELD>>", null()))]
| eval field_matches=mvfilter(NOT match(field_matches,"my_field_42"))
| where field_matches!=""

where your string match is inside the match statement. This works by looking in each field and then creating a multi-value field of all the fields which match, then removing my_field_42 and searching where there is one or more fields that match.

|makeresults format=csv data="my_field1, my_field_2, my_field_23, my_field_42
\"hello world\",\"AwesomeWidget69\",\"\",\"your mom\"
\"hello world\",\"\",\"Widgets are cool\",\"Look, a widget!\"
\"hello world\",\"\",\"Some value here\",\"your widget\""
|foreach * [eval field_matches = mvappend(field_matches, if(match(<<FIELD>>, "(?i)widget"), "<<FIELD>>", null()))]
| eval field_matches=mvfilter(NOT match(field_matches,"my_field_42"))
| where field_matches!=""