All Posts

Please share the raw JSON rather than a formatted version so volunteers can try out solutions. Please use a code block (</>) to paste the raw JSON into, to preserve the formatting of the original event.
@inventsekar Yes, it's a cluster environment. We have 6 indexers. We have a single SH. Yes, those files are taking up to 68 GB.
I know that I can do index=abc [ | makeresults | addinfo | eval filter_t="earliest=".(info_min_time-60)." latest=".info_max_time | return filter_t ], which literally becomes index=abc earliest=1698301592.0 latest=1698301792.0, and I would like to use this behavior to dynamically define a command.
@richgalloway In the table I got an empty column for last_successful_login.
Hi @duesser, when you use a subsearch, you run a search on the main search using the output (exactly the fields you have in return or in fields). What's your requirement? Ciao. Giuseppe
Hi all, I am looking for a solution to integrate Splunk in AWS with HIPAA compliance. How is this set up? Is a private link required for HIPAA compliance?
Hello, I would like to use a subsearch to literally paste a command into the SPL, e.g.:

| makeresults [| makeresults | eval test="|eval t1 = \"hello\"" | return $test]

and for it to be equivalent to

| makeresults | eval t1 = "hello"

Is this possible?
Hello, I've made a dashboard with Dashboard Studio and uploaded some images. The issue I'm facing is that these images are not visible to other users with other roles. They have the dashboard permission as well and can access it; the only issue is with the images. How can I fix this?
I already tried the default sequence ([\r\n]+), as I wrote in the original post. After your suggestion, I checked it one more time, but I still see multiline events.
@Gunnar Did you find any alternate solution? I have a similar problem and am looking for a solution.
Hi, is there a way to turn an input playbook into an app? I have a playbook that gets an input and does something. I am looking for a way to make it an app so there will be no need to activate another playbook in order to make it work. Also, it is a bit problematic to run a former playbook to activate the input playbook, because then I would have to edit the former playbook with the relevant input, while with an app it would be much simpler. Thank you in advance.
Did you find a fix for that?
Hi @ejwade, you should already have these extractions because usually Splunk identifies the groups fieldname=fieldvalue. Anyway, please try this regex:

name\=\"(?<name>[^\"]*)\",value\=\[*\"(?<values>[^\"]*)

which you can test at https://regex101.com/r/PEszES/1 Ciao. Giuseppe
Hi, how can we apply the color for the respective fields in this dashboard? Source code (the fragment as posted starts at the <title> element; the enclosing <form>, <row>, <panel> and <chart> openers have been added so the XML is well-formed):

<form>
  <row>
    <panel>
      <chart>
        <title>Top Web Category blocked</title>
        <search>
          <query>index=es_web action=blocked host= * sourcetype= * | stats count by category | sort 5 -count</query>
          <earliest>$time_range_token.earliest$</earliest>
          <latest>$time_range_token.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.chart">bar</option>
        <option name="charting.backgroundColor">#00FFFF</option>
        <option name="charting.fontColor">#000000</option>
        <option name="charting.foregroundColor">#000000</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.fieldColors">{"online-storage-and-backup":0x333333,"unknown":0xd93f3c,"streaming-media":0xf58f39,"internet-communications-and-telephony":0xf7bc38,"insufficient-content":0xeeeeee}</option>
        <option name="charting.legend.placement">right</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

Output: I need different colors for all the fields. How can we achieve this? Thanks.
Hi @VK18, this is a precise requirement from Splunk, related to the fact that the HF could be overloaded by managing more than 50 clients on top of its normal job as HF. Probably you see that CPUs and RAM aren't overloaded on this HF, but they could be, with a relevant impact on your log ingestion, because the DS and HF both use the network interface heavily, and managing 100 clients is heavy for that server's network interface. In addition, you spoke of 100 clients, not a few more than 50, so I'd avoid using both roles on the same machine. If this architecture is mandatory for you, give more resources (CPUs and RAM) to that server and analyze the network activity, because this could be the bottleneck. As a last consideration, if you have problems on that server, this will be the first annotation from Splunk Support. Ciao. Giuseppe
I need your support in finding a way to integrate web apps hosted in the Azure cloud with Splunk. I tried using many add-ons from Splunkbase, but I did not find this option, so if anyone knows how to integrate them to get the logs, please let me know. Thank you all.
Well, the time comes in OK, so it obviously found the correct timestamp. Without the configuration I get some of the fields in the JSON but not the timestamp. With the configuration I only get the timestamp. Of course, if I move the timestamp to the beginning, then I get the correct mappings... but I don't want to do that.
Hi All, We have approximately 100 Splunk Universal Forwarders (UFs) installed at a remote site, and we're interested in setting up a Heavy Forwarder (HF) at that location to forward the data from the UFs to the indexers. Additionally, we plan to deploy the deployment server on the same virtual machine (VM). Based on the documentation, it appears that a deployment server can be co-located with another Splunk Enterprise instance as long as the deployment client count remains at or below 50. We would like to better understand the rationale behind this limitation of 50 clients, and why it is not possible to manage more than 50 clients by adding another component of Splunk Enterprise. Regards, VK
I'm looking for the regular expression wizards out there. I need to do a rex with two capture groups: one for name, and one for value. I plan to use the replace function and throw everything else away but those two capture groups (e.g., "\1: \2"). Here are some sample events.

name="Building",value="Southwest",descendants_action="success",operation="OVERRIDE"
name="Building",value=["Northeast","Northwest"],descendants_action="failure",operation="OVERRIDE"
name="Building",value="Southeast",descendants_action="success",operation="OVERRIDE"
name="Building",value="Northwest"
name="Building",value="Northwest",operation="OVERRIDE"

So far I just have this.

^name=\"(.*)\",value=\[?(.*)\]?

Any ideas?
Finally, it works! Thank you very much.