Hi, one way is to move this to transforms.conf and use MV_ADD = 1, like in e.g. this https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181008. r. Ismo
Rather than trying to remove the spaces, why not consider wrapping the value in quotes where it is used: $token_name|s$ https://docs.splunk.com/Documentation/Splunk/9.1.1/Viz/tokens#Token_filters
I can get total disconnects but can't seem to find a way to get the total of how many users disconnected 10 or more times. Here is my search:
index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=host2 OR host=Host1) earliest=$time_tok.earliest$ latest=$time_tok.latest$ | rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds | rename IONS as "User ID" Device as "User Device" | convert timeformat="%m-%d-%Y" ctime(_time) AS date | timechart span=1d limit=0 count
Hi, as "Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise." it's best to go to 9.0.6. Probably the biggest issue could be python2 if you are using it in some apps or modules. You could check that with the "Upgrade readiness app". Just ensure that it's running in your environment and gives you valid responses. Also you should read https://lantern.splunk.com/Splunk_Platform/Product_Tips/Upgrades_and_Migration/Upgrading_the_Splunk_platform With those you should manage to update the environment. Of course if you have a distributed multisite environment with a search head cluster and some enterprise apps then those instructions are not enough for any new admin. Then you should have some test environment and/or ask for help from Splunk professional services or some other company which concentrates on Splunk. r. Ismo
Hi, a much better option is to use some real syslog server or SC4S to collect syslogs. And try to avoid using UDP as it always loses packets!
* If the data source is streamed over TCP or UDP, such as syslog sources, only one pipeline will be used.
Based on that you cannot increase UDP performance by adding pipelines. r. Ismo
Thanks  
Hi, in recent Splunk versions this should work:
Log in to the cmd line of your SH
sudo to splunk
splunk package app <your app name>
copy the created spl file to the new server / your workstation and install it as usual
r. Ismo
I'm trying to create my own Splunk (dashboard) queries for Okta data analysis. I'm having issues because a specific field has a space in the value and it's causing the dashboard to not be able to retrieve data (when I know there is data). 3 other drop-down menus work fine (there are no spaces in the values there). My main suspicion is that the reason for the failure is those spaces. I'm trying to transform the values and remove spaces, in the hope that would help. I found some recommendations online and examples of functions, but I'm not very experienced with Splunk, can anyone explain step by step how I could solve that issue? The name of my field with issues is "actor.displayName" (it has multiple spaces in the values). Examples found online:
1) | rex mode=sed field=A "s/ //g"
2) | eval nospace=trim(A)
3) | rex field=field1 "(?<newfield>\S+)"
4) | eval NewField=trim(OldField)
Has anyone encountered this issue before? Thanks for help!
Hello Team, I'm using a docker image of tomcat to deploy a spring boot app and configured the java agent as per instructions. Although I see the following message
[AD Agent init] 02 Nov 2023 13:30:10,183 INFO JavaAgent - Started AppDynamics Java Agent Successfully.
right after that I see the following error. I replaced the first part of the saas controller name with "test" to sanitise the original url. There's no proxy in my case. Not sure what is happening.
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 ERROR ConfigurationChannel - Fatal transport error while connecting to URL [/controller/instance/0/applicationConfiguration]: java.net.UnknownHostException: https://test.saas.appdynamics.com : Name or service not known
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 WARN ConfigurationChannel - Could not connect to the controller/invalid response from controller, cannot get initialization information, controller host [https://test.saas.appdynamics.com ], port[443], exception [Fatal transport error while connecting to URL [/controller/instance/0/applicationConfiguration]]
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 WARN AgentErrorProcessor - Agent error occurred, [name,transformId]=[com.singularity.CONFIG.ConfigurationChannel - java.net.UnknownHostException,2147483647]
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 WARN AgentErrorProcessor - 3 instance(s) remaining before error log is silenced
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 ERROR ConfigurationChannel - Exception: https://test.saas.appdynamics.com : Name or service not known
java.net.UnknownHostException: https://test.saas.appdynamics.com : Name or service not known
Hi, what do you already have on those servers?
- UF
- some Unix/Linux TAs
- what kind of data it is collecting
- what logs it's collecting
- how and under which user your UF is running (shouldn't run as root)
r. Ismo
Hi, what did you find in the SPLUNK_HOME/var/log/splunk/splunkd.log file? There should be a mention of why it didn't start. r. Ismo
Hi, Splunk is not good at finding something which does not exist. Here is one blog post about it https://www.duanewaddle.com/proving-a-negative/ maybe it helps you. Other ideas could be found from these. There are a lot of options for finding hosts or sources that stop submitting events:
Meta Woot! https://splunkbase.splunk.com/app/2949/
TrackMe https://splunkbase.splunk.com/app/4621/
Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
Some helpful posts: https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
r. Ismo
If you already have the search then click the "Save as" drop-down in the top-right corner of the window and choose "Alert".  The trigger condition is set in the lower part of the subsequent form.
Yes I have cross verified and all of the OS versions are supported for the Splunk version 9.0, as mentioned - here
Hi Team, I have a basic search where I need to alert when a particular process name is not present in the raw data or in the last 15 minutes of data. Please suggest how to get the trigger. Thanks, Vijay K.
Hi, maybe this gives you enough hints for your own issue?
index=_internal sourcetype=splunkd* | timechart span=1m useother=f count as Count by sourcetype where stdev in top2 | untable _time sourcetype count1 | foreach "*" [ eval column_value=count1, column_name=sourcetype ] | fields - sourcetype count1 | predict column_value future_timespan=14 | filldown column_name | eval {column_name}=column_value, "prediction({column_name})"='prediction(column_value)', "lower95(prediction({column_name}))"='lower95(prediction(column_value))', "upper95(prediction({column_name}))"='upper95(prediction(column_value))' | eval _lower = "lower95(prediction(".column_name."))", _upper = "upper95(prediction(".column_name."))", _predicted = "prediction(".column_name.")" | fields - column_value column_name "prediction(column_value)" upper95* lower95*
This is based on @kamlesh_vaghela's example and @VatsalJagani's resolution for his issue. r. Ismo
Hi, why are you collecting those logs with syslog and especially with UDP? That way you will always lose some events from time to time! A much better way is to use UFs on those nodes. Then it's much easier to define which sourcetype each file is. r. Ismo
Hi, what is the "business issue/reason" which you are trying to solve? Maybe there is some other better/safer way to do it? r. Ismo
Hi, you should follow these instructions https://docs.splunk.com/Documentation/SSE/3.7.1/Install/InstallSSE If you have a different version then select the correct documentation based on your version. r. Ismo
Hi, on a Windows node just define that input in inputs.conf like @gcusello told. There are examples in those documents. If those files are on Linux (restored e.g. from backups or something else) you could check this old post https://community.splunk.com/t5/Getting-Data-In/Ingesting-offline-Windows-Event-logs-from-different-systems/td-p/649419 r. Ismo