I want to run an Enrichment playbook inside a custom function. Looking to pass in a list of devices and call the playbook each time passing in a single deviceId at a time. What is the best way to do this?
I am getting the error message "WARNING: web interface does not seem to be available!" I just installed Splunk on my Mac.
Right, I have to say I agree with you there and would recommend voting on these Ideas in order to raise awareness of the limitation. Edit: to expand on that, the issue with even the solution I mentioned is that you would need to retroactively apply the *.meta access control approach to each existing and future secret on your deployment in order to actually address the use case in the OP.
I am trying to make a query which will give me the result of unique file names, with the month in the column and a time span of 1 hour in the row. Below is my query:

index="app_cleo_db" origname="GEAC_Payroll*"
| rex "\sorigname=\"GEAC_Payroll\((?<digits>\d+)\)\d{8}_\d{6}\.xml\""
| search origname="*.xml"
| eval Date = strftime(_time, "%Y-%m-%d %H:00:00")
| eval DateOnly = strftime(_time, "%Y-%m-%d")
| transaction DateOnly, origname
| timechart count by DateOnly

But it is giving me an output with the date as well as the timestamp in the row, like below:

_time                2023-12-02  2023-12-03
2023-12-02 00:00:00  8           0
2023-12-02 00:30:00  0           0
2023-12-02 01:00:00  0           7
2023-12-02 01:30:00  0           0
2023-12-02 02:00:00  6           0
2023-12-02 02:30:00  0           0
2023-12-02 00:00:00  2           0
2023-12-03 00:30:00  0           5
2023-12-03 01:00:00  0           0
2023-12-03 01:30:00  0           20
2023-12-03 02:00:00  0           0
2023-12-03 02:30:00  34          0

I want the result to look like below:

_time     2023-12-02  2023-12-03
00:00:00  0           0
01:00:00  0           0
02:00:00  0           0
03:00:00  0           0
In my case, I forgot to enable listening on my indexers. (You'll need to do this on any heavy forwarders as well.)

/opt/splunk/bin/splunk enable listen 9997
I see, I tried with different variables but _raw seems to hold all vital data in all cases. Maybe I'm not doing something right; perhaps the part that is not in JSON format is the output inside the "stdout" variable.

EDIT: Here's the event in log format:

{ [-]
  cluster_id: cluster_id
  kubernetes: { [+] }
  log: { [-]
    caller: caller_here
    dc: dc_here
    flow: flow_here
    host: gatling_worker_here
    jobId: jobid_here
    level: info
    projectName: project_name_here
    stdout: { "Componente" : "componente_here", "channel" : "channel_here", "timestamp" : "timestamp_here", "Code" : "code_here", "logId" : "logid_here", "service" : "service_here", "responseMessage" : "responsemessage_here", "flow" : "flow_here", "log" : "log_here"}
  }
  time: time_here
}

stdout is the issue, it seems.
Thanks for your response. I have received this error message along with the results: "Search results might be incomplete! This can occur if the peer unexpectedly closes or resets the connection during a planned restart. Try running your search again."
You should have complete results based on your description and a couple of assumptions: I am assuming that you are connecting to a remote Splunk instance (probably a Search Head (SH), aka the Splunk website), and you are not running Splunk locally on your computer. In that case, you would have complete results. Your computer does not have to stay connected to a Splunk SH for a background search to complete properly.
Hi @Rinku.singh, Was there any part of the documentation that was confusing? I can share this with the Docs team to see if they can clarify anything. 
Add the prestats option to the tstats command. That will format the results for timechart to use.

| tstats prestats=t count where index IN (index1, index2, index3) by _time, host
| where match(host,"^.*.device.mycompany.com$")
| timechart count by host
Hi All, I have a Splunk search query executing in the background (used the Send to background option). While this was running my VPN got disconnected, and after some time I reconnected to the VPN and the query is still running in the background. My question is: does it give me complete results or incomplete results? Thanks
Hi, are you sure that you have events at that time in those indexes? Another option is that the saved searches which are collecting those events haven't run. See more at https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/LicenseUsageReportViewexamples r. Ismo
I added data to the SPL because I don't have your data indexed in my Splunk. Since you have the data indexed, you can skip that part of my example query. You may need to change the spath command argument to match your events.
Hi, when you are using a package manager like yum or dpkg, the installation adds the user splunk and changes ownership of the files to that user. To give access to local files you could grant access by setfacl per file or recursively by directory. r. Ismo
If you use an installer (as opposed to expanding a tarball) then the user was created for you and all files were given to that user. To be able to read local files, check out this document: https://docs.splunk.com/Documentation/Forwarder/9.1.2/Forwarder/Installleastprivileged . It's written for forwarders, but may work for Splunk Enterprise, as well. If it doesn't work then you'll need to change file permissions or add user 'splunk' to a group that has read access to the file(s).
You might check out https://splunkbase.splunk.com/app/2949 "Meta Woot!". It's not nearly as robust or customizable compared to TrackMe, but it appears to be a simpler alternative that shows latency and lag. 
I like to use WinSCP for transferring files between Windows and Linux systems.
The process for upgrading standalone and distributed Splunk installations is the same. For distributed environments, there is a prescribed upgrade order. See https://docs.splunk.com/Documentation/Splunk/9.1.2/Installation/HowtoupgradeSplunk and https://docs.splunk.com/Documentation/Splunk/9.1.2/Installation/UpgradeyourdistributedSplunkEnterpriseenvironment
This is an area where I feel Splunk is severely lacking. It would be great if there was a mechanism for sharing one password with a group of users without having to give out list_storage_passwords, then retroactively update all of our apps to limit access. We have custom SPL commands that require passwords to be entered on a setup screen. We cannot give everyone list_storage_passwords, so the ability to use these commands is limited to our admins. Edit: Just saw the ideas links. Added my Vote.
@richgalloway , I'm aiming to upgrade my Splunk Enterprise on the deployment server, but I'm uncertain whether it's configured as standalone or distributed. How can we verify this and proceed with the upgrade accordingly? Additionally, does the upgrade process differ between standalone and distributed setups?