All Posts
Hi @sdanayak, does this work for you?

| stats values(*) AS * by UniqueId

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
@livehybrid Passed that error now, it looked to be a connectivity issue.

After resolving that issue, I am getting a 401 response. Looks to be an unauthorized error. I am passing the credentials in this format:

```python
import requests

# Controller credentials; variable names must match the ones used in auth=()
username = ''
password = ''
users_response = requests.get(
    'https://<Controller URL>/controller/api/rbac/v1/users/5',
    auth=(username, password),
)
```

Do we need to include the Account name as well in the authentication?
Sorry I missed the bit about the timeout - Are you running the python/curl from the same machine as the browser call? First thing that comes to mind is perhaps an egress/connection issue...  
Still not sure what you are expecting from this forum.
Hi @Casial06, I'd probably use a second stats to get the total number; you could use "| eventstats count as totalAccounts" if you want to keep the details of the accounts for your alert.

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @Ana_Smith1, do you get anything in the _internal logs from the add-on? Try something like the below as a starting point:

index=_internal (ERROR OR WARN) "jira"

This search will help identify any issues related to the Jira integration.

Verify Network Connectivity: Ensure there's no network issue preventing Splunk from connecting to Jira. Check firewall rules and proxy settings if applicable. Are you running Splunk on-prem or Splunk Cloud?

Test Jira API Connectivity: Use a tool like curl to test the Jira API connectivity using the token. This will help determine if the issue is with the token or the Splunk configuration.

curl -u youremail@example.com:your_api_token https://your-company.atlassian.net/rest/api/3/myself

For more detailed troubleshooting steps and configuration guidelines, refer to the Splunk Add-on for Jira Cloud documentation.

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
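The curl test in the answer above, as an added example written for this page (not code from the thread or from the Splunk Add-on for Jira Cloud): it sends the same Basic `email:api_token` request to `/rest/api/3/myself` and turns the outcome into a diagnosis that separates a rejected token (401) from a permissions problem (403) and from a network failure. The site URL and credentials are the placeholders from the thread; `FakeOpener` is a constructed stand-in for urllib's opener so the probe can be exercised offline.

```python
"""
Probe the Jira Cloud REST API the way `curl -u email:token .../myself` does,
and classify the result so you know whether to fix the token, the account
permissions, or the network path from the Splunk host.
"""
import base64
import json
import urllib.error
import urllib.request

# Placeholder from the thread; replace with the real Atlassian site.
JIRA_SITE = "https://your-company.atlassian.net"


def auth_header(email: str, api_token: str) -> str:
    """Jira Cloud API tokens travel as HTTP Basic <email>:<token>,
    which is exactly what `curl -u email:token` builds behind the scenes."""
    raw = f"{email}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def probe_jira(site: str, email: str, api_token: str, opener=None) -> str:
    """GET /rest/api/3/myself and return a one-line diagnosis.

    `opener` is injectable so the function can run offline in tests;
    by default a real urllib opener (honouring proxy env vars) is used."""
    opener = opener or urllib.request.build_opener()
    req = urllib.request.Request(
        site.rstrip("/") + "/rest/api/3/myself",
        headers={"Authorization": auth_header(email, api_token),
                 "Accept": "application/json"},
    )
    try:
        with opener.open(req, timeout=10) as resp:
            body = json.loads(resp.read().decode("utf-8"))
            return "ok: authenticated as " + body.get("emailAddress", "<unknown>")
    except urllib.error.HTTPError as e:
        if e.code == 401:
            return "token: Jira rejected the email/API token (401); regenerate the token"
        if e.code == 403:
            return "permissions: token accepted but the account is not allowed (403)"
        return f"http: unexpected status {e.code}"
    except urllib.error.URLError as e:
        return f"network: cannot reach Jira ({e.reason}); check firewall, proxy and egress"


class _FakeResponse:
    """Minimal response object for the offline success path."""
    def __init__(self, payload: bytes):
        self._payload = payload

    def read(self) -> bytes:
        return self._payload

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeOpener:
    """Constructed stand-in for urllib's opener: 200 returns a canned
    /myself body, None raises URLError, any other status raises HTTPError."""
    def __init__(self, status):
        self.status = status

    def open(self, req, timeout=None):
        if self.status is None:
            raise urllib.error.URLError("connection timed out")
        if self.status == 200:
            return _FakeResponse(b'{"emailAddress": "youremail@example.com"}')
        raise urllib.error.HTTPError(req.full_url, self.status, "simulated", {}, None)


if __name__ == "__main__":
    # Offline demonstration of each diagnosis; drop the opener argument
    # to probe a real site.
    for status in (200, 401, 403, None):
        print(probe_jira(JIRA_SITE, "youremail@example.com", "your_api_token", FakeOpener(status)))
```

Run it from the Splunk host itself (or the search head in Splunk Cloud via a scripted input), not from a workstation, since the network diagnosis only means something from where the add-on actually runs.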
Error is reporting.
Can you or the customer change the application so it doesn't report the errors in the first place?
Hi @abhi, your deploymentclient.conf stanza is incorrect; it must be "target-broker:deploymentServer" as below:

[target-broker:deploymentServer]
targetUri = <string>
* The target URI of the deployment server.
* An example of <uri>: <scheme>://<deploymentServer>:<mgmtPort>

For more details check out the deploymentclient.conf docs at https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Deploymentclientconf#:~:text=%5Btarget%2Dbroker%3AdeploymentServer,scheme%3E%3A//%3CdeploymentServer%3E%3A%3CmgmtPort%3E

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
<form version="1.1" script="solved3.js ,minor.js, warning.js , critical.js" theme="dark">
  <label>SBC Monitoring</label>
  <init>
    <!-- default colour pair: green for 0, red for anything above -->
    <set token="rangeColors">"0x118832","0xd41f1f"</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="srStatus">
      <label>Status</label>
      <choice value="1">solved</choice>
      <choice value="0">unsolved</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>solved=</valuePrefix>
      <delimiter> OR </delimiter>
      <default>0</default>
      <initialValue>1,0</initialValue>
      <change>
        <!-- red/green only while "unsolved" is selected; green/green otherwise -->
        <eval token="rangeColors">if(isnotnull(mvfind($form.srStatus$,"0")),"\"0x118832\",\"0xd41f1f\"","\"0x118832\",\"0x118832\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>MINOR EVENTS</title>
      <single>
        <search>
          <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_minor.csv``` | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">[$rangeColors$]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="minor">minor</set>
          <unset token="major"></unset>
          <unset token="critical"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>MAJOR EVENTS</title>
      <single>
        <search>
          <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_major.csv``` | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">[$rangeColors$]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="major">major</set>
          <unset token="minor"></unset>
          <unset token="critical"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>CRITICAL EVENTS</title>
      <single>
        <search>
          <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_critical.csv``` | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">[$rangeColors$]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="critical">critical</set>
          <unset token="major"></unset>
          <unset token="minor"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>WARNING EVENTS</title>
      <single>
        <search>
          <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_warning.csv``` | search $srStatus$ | stats count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">[$rangeColors$]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="warning">warning</set>
          <unset token="major"></unset>
          <unset token="minor"></unset>
          <unset token="critical"></unset>
        </drilldown>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>MINOR ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=minor | stats count as Total by date | appendpipe [ stats count | eval Message="No Minor Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>MAJOR ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=major | stats count as Total by date</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>CRITICAL ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=critical | stats count as Total by date | appendpipe [ stats count | eval Message="No critical Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>WARNING ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=warning | stats count as Total by date | appendpipe [ stats count | eval Message="No Warning Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <!-- detail tables, one per severity, shown by the drilldown tokens above -->
  <row>
    <panel depends="$minor$">
      <title>Minor Events</title>
      <table id="sbc_minor_table">
        <search>
          <query>| inputlookup sbc_minor.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA",IP == "10.20.41.90","DE-SLO",IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$major$">
      <title>Major Events</title>
      <table id="sbc_alarm_table">
        <search>
          <query>| inputlookup sbc_major.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA",IP == "10.20.41.90","DE-SLO",IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$critical$">
      <title>Critical Events</title>
      <table id="sbc_critical_table">
        <search>
          <query>| inputlookup sbc_critical.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA",IP == "10.20.41.90","DE-SLO",IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$warning$">
      <title>Warning Events</title>
      <table id="sbc_warning_table">
        <search>
          <query>| inputlookup sbc_warning.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA",IP == "10.20.41.90","DE-SLO",IP == "10.150.222.120","DE-BIE")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Hi @mriemri14, is "default" an index that definitely exists? If not then the data might end up in main, or whatever has been configured as the lastChanceIndex in indexes.conf. It's worth checking the _internal logs for any mention of message_trace rather than specifically for the source containing message_trace; this is because if the Python file failed before it was able to create the log file then an error may present itself in a different log file. If this doesn't help then I would try some other search terms such as "error" and "microsoft" and then narrow down the results to the time when you expected the input to execute.

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Do you use the Splunk Add-on for JIRA on a Splunk Enterprise instance or in your Splunk Cloud env? Have you verified the network connectivity?
1. Choose a custom index that exists for the input.
2. Check this index and verify whether data flows in.
3. If not, check the internal logs of the instance where the add-on is configured.
The customer wants to suppress them because a lot of events are creating noise, but also no error is showing in Flow maps.
So the UF is not phoning home successfully and not popping up in the Clients tab on the Deployment Server? Change the stanza in deploymentclient.conf on your UF as below:

[target-broker:deploymentServer]
targetUri = https://10.128.0.5:8089
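Both answers in this thread come down to the same two lines of deploymentclient.conf, so here is an added example (written for this page, not code from the thread or from Splunk) that lints the file before the forwarder is restarted: it checks that the target stanza is spelled exactly `[target-broker:deploymentServer]` and that `targetUri` has the `<scheme>://<deploymentServer>:<mgmtPort>` shape quoted from the docs above. The two sample configs are constructed from the question's stanza and the corrected one; a bare `host:port` is reported as a warning rather than an error, since only the stanza name is what the thread identifies as the actual fault.

```python
"""
Lint a universal forwarder's deploymentclient.conf for the two mistakes that
stop it phoning home: a misspelled target stanza and a malformed targetUri.
"""
import configparser
import re
from typing import List

TARGET_STANZA = "target-broker:deploymentServer"

# <scheme>://<host>:<port>; the scheme group is optional so a bare host:port
# is recognised and reported as a warning instead of rejected outright.
URI_RE = re.compile(r"^(?:(?P<scheme>https?)://)?(?P<host>[^:/\s]+):(?P<port>\d{1,5})/?$")

# Constructed samples: BROKEN_CONF mirrors the question (wrong stanza name,
# no scheme); FIXED_CONF mirrors the corrected stanza from the answers.
BROKEN_CONF = """\
[deployment-client]
clientName = UF
phoneHomeIntervalInSecs = 60

[target-broker:deploy]
targetUri = 10.128.0.5:8089
"""

FIXED_CONF = """\
[deployment-client]
clientName = UF
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = https://10.128.0.5:8089
"""


def parse_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-style. Keep key case (targetUri) and turn
    off %-interpolation so values like $7$... secrets pass through untouched."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_deploymentclient(text: str) -> List[str]:
    """Return findings; an empty list means nothing wrong was found.
    'error:' findings stop the UF phoning home, 'warning:' ones are advisory."""
    cp = parse_conf(text)
    findings: List[str] = []

    if TARGET_STANZA not in cp:
        # Point at a near-miss such as [target-broker:deploy] if there is one.
        near = [s for s in cp.sections() if s.lower().startswith("target-broker:")]
        hint = f" (found [{near[0]}] instead)" if near else ""
        findings.append(f"error: missing [{TARGET_STANZA}] stanza{hint}")
        return findings  # nothing further to check without the stanza

    uri = cp[TARGET_STANZA].get("targetUri", "").strip()
    m = URI_RE.match(uri)
    if not m:
        findings.append(f"error: targetUri {uri!r} is not <scheme>://<host>:<mgmtPort>")
        return findings

    if not m.group("scheme"):
        findings.append(f"warning: targetUri {uri!r} has no scheme; the docs example is "
                        f"https://{m.group('host')}:{m.group('port')}")
    if not 1 <= int(m.group("port")) <= 65535:
        findings.append(f"error: port {m.group('port')} is out of range")
    return findings


if __name__ == "__main__":
    for label, conf in (("question", BROKEN_CONF), ("answer", FIXED_CONF)):
        print(label, check_deploymentclient(conf) or ["ok"])
```

Run it against `$SPLUNK_HOME/etc/system/local/deploymentclient.conf` (or the app-level copy that `splunk btool deploymentclient list --debug` reports as winning) before restarting the forwarder; the management port in the URI must be the deployment server's, 8089 by default.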
I have installed and configured microsoft_o365_email_add_on_for_splunk but am not getting logs in Splunk search. Please help me with how to fix it.
I assumed your fields are already extracted. After some thought, actually the stats doesn't add anything here. It should be enough to just do the xyseries. As long as you have fields properly extracted.
Hello Team,

I am configuring Splunk, but the UF (Universal Forwarder) details are not reflecting in the Deployment Server's client list. I have added the following stanza in the UF's `deploymentclient.conf` file:

```
[deployment-client]
clientName = UF
phoneHomeIntervalInSecs = 60

[target-broker:deploy]
targetUri = 10.128.0.5:8089
```

(10.128.0.5 is the IP of the Deployment Server)

And in the Deployment Server's `server.conf`, the following details are present:

```
[general]
serverName = deploy
pass4SymmKey = $7$k63bewtZlaVREpHJcD6fGt6hysZ/GvxJ0Tfq0BW5PhmF/qItBTzTA==

[sslConfig]
sslPassword = $7$boaNPEqR2Gmt9DQPKp9ZJ0iho9HdJFoRuxVZMwBu/q8g/v9ZKzsEvw==
enableSplunkdSSL = false

[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
peers = *
quota = MAX
stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
peers = *
quota = MAX
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
peers = *
quota = MAX
stack_id = free

[deploymentServer]
disabled = false
```

And in the `serverclass.conf`, I have added the following details:

```
[global]

[serverClass:uf_class]
whitelist.0 = uf

[serverClass:uf_class:app:forwarder_app]
```

Even after adding these details, the issue persists. Please suggest some solutions.
OK, so if both options are checked then all the panels should be red; a panel will be green only if its count is 0, which means the panel is showing 0. This is the same if only the unsolved option is checked. If solved is checked then all the panels' color should be green. Hope I am clear this time.
I have used the uniqueId and message in xyseries, but I am getting that error message for xyseries. I have 2 log events and both will have uniqueId in the event; now I want both log events to be in my result table only when they both have the same value for uniqueId. Whereas, as per the query below, it brings even the log events which do not have the same uniqueId or a matching message in them.

index=finder_db AND (host="host1" OR host="host2") AND (("Wonder Exist here") OR ("Message=Limit the occurrence" AND "FinderField=ZEOUS")) | table uniqueId, FinderField by uniqueId | stats values(FinderField) as FinderField, values(FinderField) as FinderField by uniqueId

host1 and host2 in this query are the names of my servers where these logs would exist. I am searching for 2 strings in the log events: one is "Wonder Exist here" and the second starts with "Message=", and both logs will have a uniqueId which I want to match for both events and bring back as 1 single row in the result.

Hope I have been able to explain, and thanks for the help.