All Posts
Hi, in recent Splunk versions this should work:
- log in to the command line of your SH
- sudo to splunk
- splunk package app <your app name>
- copy the created .spl file to the new server / your workstation and install it as usual
r. Ismo
I'm trying to create my own Splunk (dashboard) queries for Okta data analysis. I'm having issues because a specific field has a space in the value and it's causing the dashboard to not be able to retrieve data (when I know there is data). 3 other drop-down menus work fine (there are no spaces in the values there). My main suspicion is that the reason for the failure is those spaces. I'm trying to transform the values and remove the spaces, in the hope that would help. I found some recommendations online and examples of functions, but I'm not very experienced with Splunk; can anyone explain step by step how I could solve this issue? The name of my field with issues is "actor.displayName" (it has multiple spaces in the values). Examples found online:
1) | rex mode=sed field=A "s/ //g"
2) | eval nospace=trim(A)
3) | rex field=field1 "(?<newfield>\S+)"
4) | eval NewField=trim(OldField)
Has anyone encountered this issue before? Thanks for the help!
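The four snippets in the question do different things on a value with interior spaces, and only one of them (the sed rex) actually removes them; the other usual cause of a dashboard returning nothing for such a value is the token being spliced into the search unquoted, so `actor.displayName=Jane Mary Doe` becomes three separate terms. The Python below is an added example, not code from the post or from Splunk; it models each snippet's effect and shows the quoting that the Simple XML `$token|s$` filter applies (double quotes around the value, with embedded quotes and backslashes escaped). The field and value names are made up.

```python
"""
Added example: what each SPL whitespace snippet from the question does to a
value such as "Jane Mary Doe", and how to quote a token value safely before
splicing it into a search string. Not code from the original post.
"""
import re
from typing import Optional


def sed_remove_spaces(value: str) -> str:
    """| rex mode=sed field=A "s/ //g"  -> deletes every space, interior ones included."""
    return re.sub(r" ", "", value)


def spl_trim(value: str) -> str:
    """| eval nospace=trim(A)  -> strips leading/trailing whitespace only.

    Interior spaces survive, so trim() does not help with "Jane Mary Doe".
    """
    return value.strip()


def first_token(value: str) -> Optional[str]:
    """| rex field=field1 "(?<newfield>\\S+)"  -> keeps only the first run of non-space chars."""
    m = re.search(r"(\S+)", value)
    return m.group(1) if m else None


def quote_spl(value: str) -> str:
    """Wrap a value in double quotes, escaping backslashes and quotes.

    This is the same treatment the Simple XML |s token filter gives a token:
    the value becomes one search term, and a value containing a quote cannot
    terminate the string early and inject further search syntax.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_filter(field: str, value: str) -> str:
    """field="value" clause ready to append to a search (hypothetical helper)."""
    return f"{field}={quote_spl(value)}"


if __name__ == "__main__":
    sample = "Jane Mary Doe"  # constructed display name with interior spaces
    print(sed_remove_spaces(sample), spl_trim(sample), first_token(sample), sep=" | ")
    print(build_filter("actor.displayName", sample))
```

The practical upshot: keep the real value in the field (it is evidence), use `$token|s$` (or the equivalent quoting) where the dashboard builds the search, and reserve the sed rex for a separate normalised field if you need one for joins.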
Hello Team, I'm using the Docker image of Tomcat to deploy a Spring Boot app and configured the Java agent as per the instructions. Although I see the following message:

[AD Agent init] 02 Nov 2023 13:30:10,183 INFO JavaAgent - Started AppDynamics Java Agent Successfully.

right after that I see the following error. I replaced the first part of the SaaS controller name with "test" to sanitise the original URL. There's no proxy in my case. Not sure what is happening.

[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 ERROR ConfigurationChannel - Fatal transport error while connecting to URL [/controller/instance/0/applicationConfiguration]: java.net.UnknownHostException: https://test.saas.appdynamics.com : Name or service not known
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 WARN ConfigurationChannel - Could not connect to the controller/invalid response from controller, cannot get initialization information, controller host [https://test.saas.appdynamics.com ], port[443], exception [Fatal transport error while connecting to URL [/controller/instance/0/applicationConfiguration]]
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 WARN AgentErrorProcessor - Agent error occurred, [name,transformId]=[com.singularity.CONFIG.ConfigurationChannel - java.net.UnknownHostException,2147483647]
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 WARN AgentErrorProcessor - 3 instance(s) remaining before error log is silenced
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 ERROR ConfigurationChannel - Exception: https://test.saas.appdynamics.com : Name or service not known
java.net.UnknownHostException: https://test.saas.appdynamics.com : Name or service not known
    at java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method) ~[?:1.8.0_212]
    at java.net.InetAddress$2.lookupAllHostAddr(InetAddress.java:929) ~[?:1.8.0_212]
    at java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1324) ~[?:1.8.0_212]
    at java.net.InetAddress.getAllByName0(InetAddress.java:1277) ~[?:1.8.0_212]
    at java.net.InetAddress.getAllByName(InetAddress.java:1193) ~[?:1.8.0_212]
    at java.net.InetAddress.getAllByName(InetAddress.java:1127) ~[?:1.8.0_212]
    at org.apache.http.impl.conn.SystemDefaultDnsResolver.resolve(SystemDefaultDnsResolver.java:45) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:112) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72) ~[httpclient-4.5.13.jar:4.5.13]
    at com.singularity.ee.util.httpclient.SimpleHttpClientWrapper.executeHttpOperation(SimpleHttpClientWrapper.java:302) ~[appagent.jar:?]
    at com.singularity.ee.util.httpclient.SimpleHttpClientWrapper.executeHttpOperation(SimpleHttpClientWrapper.java:217) ~[appagent.jar:?]
    at com.singularity.ee.rest.RESTRequest.sendRequestTracked(RESTRequest.java:395) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.rest.RESTRequest.sendRequest(RESTRequest.java:337) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.rest.controller.request.AControllerRequest.sendRequest(AControllerRequest.java:129) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.rest.controller.request.ABinaryControllerRequest.sendRequest(ABinaryControllerRequest.java:36) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.agent.appagent.kernel.config.xml.ConfigurationChannel.registerApplicationServer(ConfigurationChannel.java:1437) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.agent.appagent.kernel.config.xml.ConfigurationChannel.access$100(ConfigurationChannel.java:122) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.agent.appagent.kernel.config.xml.ConfigurationChannel$UnregisteredConfigurationState.nextTransition(ConfigurationChannel.java:785) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.agent.appagent.kernel.config.xml.ConfigurationChannel.refreshConfiguration(ConfigurationChannel.java:555) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.agent.appagent.kernel.config.xml.XMLConfigManager$AgentConfigurationRefreshTask.run(XMLConfigManager.java:653) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.util.javaspecific.scheduler.AgentScheduledExecutorServiceImpl$SafeRunnable.run(AgentScheduledExecutorServiceImpl.java:122) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[?:1.8.0_212]
    at com.singularity.ee.util.javaspecific.scheduler.ADFutureTask$Sync.innerRunAndReset(ADFutureTask.java:335) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.util.javaspecific.scheduler.ADFutureTask.runAndReset(ADFutureTask.java:152) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.access$101(ADScheduledThreadPoolExecutor.java:119) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.runPeriodic(ADScheduledThreadPoolExecutor.java:206) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.run(ADScheduledThreadPoolExecutor.java:236) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.util.javaspecific.scheduler.ADThreadPoolExecutor$Worker.runTask(ADThreadPoolExecutor.java:694) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at com.singularity.ee.util.javaspecific.scheduler.ADThreadPoolExecutor$Worker.run(ADThreadPoolExecutor.java:726) ~[appagent.jar:Server Agent #23.10.0.35234 v23.10.0 GA compatible with 4.4.1.0 r67092cab6cbe60eed5a0453a32f699ca06e301e7 release/23.10.0]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_212]
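The string the resolver choked on is visible in the exception itself: `UnknownHostException: https://test.saas.appdynamics.com`, i.e. the scheme was part of the host value, and the bracketed `controller host [https://test.saas.appdynamics.com ]` also ends in a space. A DNS lookup of that literal can never succeed, whatever the network looks like. The validator below is an added example, not AppDynamics code; it checks a controller-host value for exactly those defects before anything is started. Which setting carries the value (the `controller-host` element in controller-info.xml, or the `appdynamics.controller.hostName` system property) is an assumption noted in the comments.

```python
"""
Added example (not AppDynamics code): validate a controller host setting so
that scheme, path, port or stray whitespace are caught before the agent
attempts DNS resolution. Where the value lives (controller-info.xml
<controller-host> or -Dappdynamics.controller.hostName) is an assumption.
"""
import re
import socket
from typing import Tuple

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
# Dot-separated labels of letters, digits and hyphens; no label may start or end with '-'.
_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def validate_controller_host(raw: str) -> Tuple[bool, str, str]:
    """Return (ok, normalised_host, reason).

    ok is True only when raw was already a bare host name. Otherwise the
    normalised host is the best guess at what was meant, and reason lists
    every defect found, in the order it was stripped.
    """
    problems = []
    value = raw
    if value != value.strip():
        problems.append("surrounding whitespace")
        value = value.strip()
    if _SCHEME.match(value):
        problems.append("URL scheme (give the bare host name; the port is its own setting)")
        value = _SCHEME.sub("", value)
    if "/" in value:
        problems.append("path component")
        value = value.split("/", 1)[0]
    if ":" in value:
        problems.append("port suffix (use the separate port setting)")
        value = value.split(":", 1)[0]
    if not _HOSTNAME.match(value):
        problems.append("not a valid host name")
        return False, value, "; ".join(problems)
    return not problems, value, "; ".join(problems)


def resolves(host: str) -> bool:
    """Live DNS check; only meaningful when run inside the container that hosts the agent."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    # Constructed candidates: the value implied by the log, and the corrected one.
    for candidate in ["https://test.saas.appdynamics.com ", "test.saas.appdynamics.com"]:
        ok, host, why = validate_controller_host(candidate)
        print(f"{candidate!r}: ok={ok} host={host} {why}")
```

Run it inside the Tomcat container (`docker exec`) rather than on the Docker host, since `resolves()` reports the container's DNS view, which is the one the agent sees.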
Hi, what do you already have on those servers?
- UF
- some Unix/Linux TAs
- what kind of data is it collecting
- what logs it's collecting
- how and as which user your UF is running (it shouldn't run as root)
r. Ismo
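The last point in the list above is the one with security weight: a forwarder running as root turns every input stanza and every app pushed from the deployment server into root-level code execution on that host. The script below is an added example, not Splunk's own tooling; it parses `ps` output and reports any `splunkd` owned by root. The `ps` lines are constructed sample input, and `live_check()` runs the real `ps` on the current host.

```python
"""
Added example (not Splunk code): report splunkd processes that run as root.
SAMPLE_PS is constructed `ps -eo user=,pid=,comm=` output; live_check()
runs the real command on the host it is executed on.
"""
import subprocess
from typing import Dict, List

# Constructed sample. procps truncates long user names to 8 characters and
# marks the truncation with '+', hence 'splunkfw+' for a 'splunkfwd' account.
SAMPLE_PS = """\
root          1 systemd
root       4321 splunkd
splunkfw+  4400 splunkd
root       4402 sshd
"""


def splunkd_processes(ps_lines: List[str]) -> List[Dict[str, str]]:
    """Pick the splunkd rows out of `ps -eo user=,pid=,comm=` output."""
    found = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        user, pid, comm = parts
        if comm == "splunkd":
            found.append({"user": user, "pid": pid, "comm": comm})
    return found


def splunkd_as_root(ps_lines: List[str]) -> List[str]:
    """PIDs of splunkd processes owned by root; empty on a correctly set up forwarder."""
    return sorted(p["pid"] for p in splunkd_processes(ps_lines) if p["user"] == "root")


def live_check() -> List[str]:
    """Run ps on this host and return root-owned splunkd PIDs."""
    out = subprocess.run(
        ["ps", "-eo", "user=,pid=,comm="],
        capture_output=True, text=True, check=True,
    ).stdout
    return splunkd_as_root(out.splitlines())


if __name__ == "__main__":
    pids = live_check()
    print("splunkd running as root:", ", ".join(pids) if pids else "none")
```

If it reports PIDs, re-enable the service for a dedicated account with `$SPLUNK_HOME/bin/splunk enable boot-start -user <account>` and grant that account read access to the log files (group membership or ACLs) instead of running the forwarder as root.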
Hi, what did you find in SPLUNK_HOME/var/log/splunk/splunkd.log? There should be a mention of why it didn't start. r. Ismo
Hi, Splunk is not good at finding something which doesn't exist. Here is one blog post about it, maybe it helps you: https://www.duanewaddle.com/proving-a-negative/
Other ideas could be found from these. There are a lot of options for finding hosts or sources that stop submitting events:
- Meta Woot! https://splunkbase.splunk.com/app/2949/
- TrackMe https://splunkbase.splunk.com/app/4621/
- Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
- Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
Some helpful posts: https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
r. Ismo
If you already have the search then click the "Save as" drop-down in the top-right corner of the window and choose "Alert".  The trigger condition is set in the lower part of the subsequent form.
Yes, I have cross-verified, and all of the OS versions are supported for Splunk version 9.0, as mentioned here.
Hi Team, I have a basic search where I need to alert when a particular process name is not available in the raw data for the last 15 minutes. Please suggest how to get the trigger. Thanks, Vijay K.
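Both the "proving a negative" answer above and this question are the same detection problem: a search over the last 15 minutes cannot return a row for a process that logged nothing, so the expected set has to come from somewhere else (a lookup, a list in the alert) and be compared against what was actually seen. The Python below is an added example, not code from either post, showing that comparison on constructed events and a constructed expected list; in SPL the equivalent shape is to append the expected list from a lookup to `latest(_time)` per process and keep the rows whose last event is missing or older than the window.

```python
"""
Added example (not from the posts): alert on expected sources with no event
in the last N minutes. EXPECTED and SAMPLE_EVENTS are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed expected list (in Splunk this would be a lookup).
EXPECTED = ["sshd", "nginx", "backup-agent", "auditd"]

# Constructed events: (ISO timestamp, process name).
SAMPLE_EVENTS = [
    ("2023-11-02T13:00:10", "sshd"),
    ("2023-11-02T13:05:00", "nginx"),
    ("2023-11-02T13:12:30", "sshd"),
    ("2023-11-02T12:40:00", "backup-agent"),  # last seen well before the window
    # auditd never appears at all
]


def last_seen(events: Iterable[Tuple[str, str]]) -> Dict[str, datetime]:
    """Latest timestamp per process name, like `stats latest(_time) by process`."""
    seen: Dict[str, datetime] = {}
    for ts, name in events:
        t = datetime.fromisoformat(ts)
        if name not in seen or t > seen[name]:
            seen[name] = t
    return seen


def missing_sources(
    expected: Iterable[str],
    events: Iterable[Tuple[str, str]],
    now: datetime,
    window: timedelta,
) -> List[Tuple[str, Optional[datetime]]]:
    """Expected names with no event inside [now - window, now], with their last-seen time (None if never)."""
    cutoff = now - window
    seen = last_seen(events)
    return [
        (name, seen.get(name))
        for name in expected
        if name not in seen or seen[name] < cutoff
    ]


def check(expected, events, now_iso: str, minutes: int = 15) -> List[Tuple[str, Optional[str]]]:
    """String-only wrapper: returns (name, last_seen_iso or None) for each missing source."""
    now = datetime.fromisoformat(now_iso)
    return [
        (name, t.isoformat() if t else None)
        for name, t in missing_sources(expected, events, now, timedelta(minutes=minutes))
    ]


def should_alert(expected, events, now_iso: str, minutes: int = 15) -> bool:
    """Trigger condition: any expected source silent for the whole window."""
    return bool(check(expected, events, now_iso, minutes))


if __name__ == "__main__":
    for name, last in check(EXPECTED, SAMPLE_EVENTS, "2023-11-02T13:15:00"):
        print(f"{name}: last seen {last or 'never'}")
```

The distinction the output makes (never seen versus seen but stale) matters in the alert text: a never-seen source is usually an onboarding or naming problem, a stale one is a host, forwarder or process that stopped.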
Hi, maybe this gives you enough hints for your own issue?

index=_internal sourcetype=splunkd*
| timechart span=1m useother=f count as Count by sourcetype where stdev in top2
| untable _time sourcetype count1
| foreach "*" [ eval column_value=count1, column_name=sourcetype ]
| fields - sourcetype count1
| predict column_value future_timespan=14
| filldown column_name
| eval {column_name}=column_value, "prediction({column_name})"='prediction(column_value)', "lower95(prediction({column_name}))"='lower95(prediction(column_value))', "upper95(prediction({column_name}))"='upper95(prediction(column_value))'
| eval _lower = "lower95(prediction(".column_name."))", _upper = "upper95(prediction(".column_name."))", _predicted = "prediction(".column_name.")"
| fields - column_value column_name "prediction(column_value)" upper95* lower95*

This is based on @kamlesh_vaghela's example and @VatsalJagani's resolution for his issue.
r. Ismo
Hi, why are you collecting those logs with syslog, and especially over UDP? That way you will always lose some events from time to time! A much better way is to use UFs on those nodes. Then it's much easier to define which sourcetype each file is. r. Ismo
Hi, what is the "business issue/reason" you are trying to solve? Maybe there is some other better/safer way to do it? r. Ismo
Hi, you should follow these instructions: https://docs.splunk.com/Documentation/SSE/3.7.1/Install/InstallSSE If you have a different version, then select the correct documentation based on your version. r. Ismo
Hi, on a Windows node just define that input in inputs.conf like @gcusello told you. There are examples in those documents. If those files are on Linux (restored e.g. from backups or something else), you could check this old post: https://community.splunk.com/t5/Getting-Data-In/Ingesting-offline-Windows-Event-logs-from-different-systems/td-p/649419 r. Ismo
@PickleRick About this "relationship between these fields": I have three fields: id, type, node (or module).
1 - id is a unique numeric field.
2 - type is the category of each transaction.
3 - module is the name of each module that transactions pass through.
These fields exist on all lines and are separated by "id"; also each transaction has its own "type", and each transaction might be several lines. Here is the example:

16:30:53:002 moduleA:[C1]L[143]T[10]ID[123456]
16:30:54:002 moduleA:[C2]L[143]T[10]ID[123456]
16:30:59:002 moduleF:[C1]L[143]T[11]ID[123456]
16:30:60:002 moduleZ:[C1]L[143]T[11]ID[123456]

16:30:53:002 moduleB:[C1]L[143]T[20]ID[987654]
16:30:54:002 moduleD:[C2]L[143]T[20]ID[987654]
16:30:59:002 moduleE:[C1]L[143]T[21]ID[987654]

Expected output:
flow                            Id       T    C
moduleA > moduleF > moduleZ     123456   11   1
moduleB > moduleD > moduleE     987654   21   1

FYI: the latest value of T (=11) is important for me.
FYI: C means the count of how many times this flow was detected.
FYI: like an APM that draws the trace of a transaction, I need something like that without creating a graph, just to find rare transaction patterns or flows.
Any idea? Thanks
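The shape asked for above is a small sessionisation problem: group lines by ID, order them in time, collapse a module that repeats in consecutive lines into one hop, take T from the last line, then count how many IDs share each flow string so the rare ones surface. The Python below is an added example, not code from the post or from Splunk; the seven log lines are copied from the post, while the regex and the collapsing rule for consecutive repeats (which is how moduleA, moduleA, moduleF, moduleZ becomes the expected three-hop flow) are my assumptions. In SPL the same steps are roughly rex to extract the fields, `sort 0 _time`, `stats list(module) latest(T) by id`, `mvjoin` with " > ", then `stats count by flow`.

```python
"""
Added example (not from the post): rebuild per-transaction module flows,
keep the latest T per ID, and count how often each flow shape occurs.
Sample lines are the poster's; regex and collapsing rule are assumptions.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<module>\w+):"
    r"\[C(?P<c>\d+)\]L\[(?P<l>\d+)\]T\[(?P<t>\d+)\]ID\[(?P<id>\d+)\]$"
)

SAMPLE_LOG = """\
16:30:53:002 moduleA:[C1]L[143]T[10]ID[123456]
16:30:54:002 moduleA:[C2]L[143]T[10]ID[123456]
16:30:59:002 moduleF:[C1]L[143]T[11]ID[123456]
16:30:60:002 moduleZ:[C1]L[143]T[11]ID[123456]
16:30:53:002 moduleB:[C1]L[143]T[20]ID[987654]
16:30:54:002 moduleD:[C2]L[143]T[20]ID[987654]
16:30:59:002 moduleE:[C1]L[143]T[21]ID[987654]
"""


def parse(log: str) -> List[Dict[str, str]]:
    """Extract ts/module/c/l/t/id from each line; lines that do not match are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def flows_by_id(log: str) -> Dict[str, Tuple[str, str]]:
    """Map transaction id -> (flow string, T of the last line), in time order."""
    per_id: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for row in parse(log):
        per_id[row["id"]].append(row)
    result: Dict[str, Tuple[str, str]] = {}
    for tid, rows in per_id.items():
        rows.sort(key=lambda r: r["ts"])  # fixed-width HH:MM:SS:mmm sorts lexically
        path: List[str] = []
        for r in rows:
            if not path or path[-1] != r["module"]:  # collapse A,A,F,Z -> A,F,Z
                path.append(r["module"])
        result[tid] = (" > ".join(path), rows[-1]["t"])
    return result


def summarize(log: str) -> List[Tuple[str, str, str, int]]:
    """Rows of (flow, id, latest T, C) where C is how many ids share the flow; rarest first."""
    flows = flows_by_id(log)
    counts = Counter(flow for flow, _ in flows.values())
    rows = [(flow, tid, t, counts[flow]) for tid, (flow, t) in flows.items()]
    return sorted(rows, key=lambda r: (r[3], r[0], r[1]))


def rare_flows(log: str, max_count: int = 1) -> List[str]:
    """Flow shapes seen at most max_count times; the candidates for 'unusual transaction'."""
    counts = Counter(flow for flow, _ in flows_by_id(log).values())
    return sorted(f for f, n in counts.items() if n <= max_count)


if __name__ == "__main__":
    print(f"{'flow':32} {'Id':8} {'T':4} C")
    for flow, tid, t, c in summarize(SAMPLE_LOG):
        print(f"{flow:32} {tid:8} {t:4} {c}")
```

With only two transactions every flow is rare; on real volume, raise `max_count` or compare each flow's count against the population (for example, anything under 1 percent of transactions) to get a useful "unexpected path" list.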
Hi, to get help you must first tell us what you have in your Splunk. Describe your log events, indexes etc. This is doable if/when you have suitable data in Splunk. r. Ismo
OK, it's working for adding another table ID, and the text is also showing when I've added the "else" provided above, but I had to do a Splunk web cache refresh by adding _bump and refreshing the version: http://<your host and port>/en-US/_bump
Hi, as the time format is taken from your language, you could change your language in the URL, e.g. http://splunk-rh8:8000/en-US/app/search/search? to http://splunk-rh8:8000/en-GB/app/search/search? or something else which has a "better" time format. r. Ismo
Hi, with recent Splunk versions there are also Ingest Actions, and if you have any Splunk Cloud instance then you could use Splunk Edge Processor as one excellent option. r. Ismo
Have you checked that your OS is supported by Splunk with your current Splunk version?