Does the account running Splunk have permission to delete the files?  Are there any messages in splunkd.log about the files?
Hi, I have a problem excluding or including only entries that contain specific String values in the msg field. For example, there are two (maybe more) definite String values contained in the msg field: 1. "GET /ecc/v1/content/preLoginBanners HTTP/1.0" 2. "GET /ecc/v1/content/category/LegalTerms HTTP/1.0" I need 3 statements like the following: 1. Include ONLY 1 above in the msg field. 2. Include ONLY 2 above in the msg field. 3. Exclude 1 and 2 above to determine if there are more unknown values in the msg field. I imagine I will be using this type of logic more on other output fields as time goes on. I am new to this and I am using the XML-based AdHoc Search input/output form. Any help is greatly appreciated!
Use the where command to filter out results with empty fields. | where isnotnull(user_agent) AND user_agent!=""
Hello, I am trying to find a command that will allow me to create a table and only display values. When using the user agent field in my table, there are some values that are null. I only want values to display.
The datetime_udp.xml file doesn't exist on the indexer(s).  Double-check the add-on.  Consider re-installing it.  If it's still a problem, contact Splunk Cloud support or the add-on vendor.
Hi @isoutamo and others, There is some additional information about the vulnerabilities posted above. We are utilizing docker splunk for our docker http event collector, so that we can send logs from our Kubernetes clusters to splunk. Within that docker image, we are pulling in [1] 8.2.5 or [2] 9.0.5. We use twistlock to report vulnerabilities from our image and all of those vulnerabilities are being pulled from the docker splunk image tags mentioned below. We were wondering: is there a process for Splunk to fix those vulnerabilities that were mentioned? If there is a process, can you take us through how that process works? Thanks and we look forward to talking with you. [1] https://github.com/splunk/docker-splunk/tree/8.2.5 [2] https://github.com/splunk/docker-splunk/tree/9.0.5
Hello @hyeji, have you been able to evolve this issue? I'm also having the same problem, obviously. I'm trying to run this add-on on version 9.2 of Splunk. I applied python future to the code and managed to overcome several compatibility issues between python 2 and 3, but I still couldn't run the add-on. If you have any status on this, it will be very welcome.
Hi, I have seen an aggregation issue for one of my source types, cisco. How can I fix this issue in my splunk cloud? 12-06-2023 17:42:27.004 +0000 ERROR AggregatorMiningProcessor [82698 merging_0] - Uncaught exception in Aggregator, skipping an event: Can't open DateParser XML configuration file "/opt/splunk/etc/peer-apps/Splunk_TA_cisco-ise/default/datetime_udp.xml": No such file or directory - data_source="/syslog/nac/ise.log", data_host="ise-xx", data_sourcetype="cisco:ise:syslog" Thanks...
Thanks a lot for the response, I tried multiple options, but none of them is working. 
Thank you very much, working perfect as intended
Hi, Can you help me with where I can download the Splunk forwarder 6.3 rpm package.
Try this | timechart span=1d count by location
@ITWhisperer  I have included _time in my search, and the results are still the same.  
| stats count by fieldX | where count > 10 Set your alert to run over the past 60 minutes e.g. earliest=-60m then trigger if there are any results.
Chained searches simply operate on the events in the pipeline left from the previous search in the chain.
I think you may have been told this before, but if you want a time element in your visualisation, it needs to be in your results table. Your search is removing the _time field (or not including it). You need to rework your search accordingly.
@ITWhisperer That's also not working. See the below events from the search and the expected visualization.
Is there any mechanism to monitor a salesforce URL beyond single sign on? We tried to set it up using Splunk website monitoring. This app directly monitors the single sign on page and not the actual page. Please suggest a method to monitor a URL beyond single sign on. Thanks.
For example: If "fieldX" has many possible values (e.g. 1 2 3 4 a b c d ...), we want to have Splunk send an alert email whenever any of these values are seen more than 10 times in 60 mins. Does anyone know a search that will work for this? Thanks in advance!
Do you need to return output from one section of a chain search to another, like when writing a function in a programming language? I've assumed that a chained search would, as a user, act in a similar fashion to concatenating both searches, but with a really DRY efficiency - so a superb use for dashboarding, as often the material being presented shares a common subject. There are certain queries I am running that break when used in a chained order - am I missing some kind of return function needed?