All Posts
@Petermann You have tried to piggy-back your question onto someone else's solved question without a clear indication as to how your question is related. Since this is already marked as solved, it is less likely to receive the attention you might wish. You would be better off starting your own question, clearly stating your use case, providing sample data (anonymised as minimally as possible, of course), showing what your expected output would be, what you have tried, what errors/messages you are getting, and stating why this is not what you want.
What is it that you are trying to achieve (because you have tagged timechart and stats for example, but are not doing any stats based on time)?
Hi @ajmach343
You need to perform an aggregation using stats count before you can use the count field in an eval statement. The count field is generated by aggregation commands; it is not available directly during the eval processing of individual events.

index=index sourcetype=sourcetype log_type=type hostname=host
| stats count
| eval Status=case(count > 0, "Green", count == 0, "Red")

The stats count command counts the number of events matching your initial search criteria for the specified host within the selected time range. The result is a single row containing the count field. Then, the eval command uses the case function to check the value of this count field and assign "Green" or "Red" to the Status field accordingly.
Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
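As an added example (not part of the answer above), the same idea extended to a per-interval view, so that a Dashboard Studio timeline or single-value panel can show not just the current colour but how long the host has been silent. The search terms index=index sourcetype=sourcetype log_type=type hostname=host are the placeholders from the question, and the 5-minute span is an assumption:

```spl
index=index sourcetype=sourcetype log_type=type hostname=host
| timechart span=5m count
| eval Status=if(count > 0, "Green", "Red")
| eval last_seen=if(count > 0, _time, null())
| filldown last_seen
| eval minutes_silent=if(count > 0, 0, round((_time - last_seen) / 60, 0))
| table _time count Status last_seen minutes_silent
```

timechart emits a row for every 5-minute bin in the time range, with count=0 for empty bins, so Red appears even when the host has sent nothing at all (a plain stats count on zero matching events likewise returns a single row with count=0, which is why the case() in the answer works). filldown carries the last non-null last_seen forward into the silent bins; bins before the first event have no last_seen, so minutes_silent is null there. Append | tail 1 to reduce this to the current state for a single-value panel.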
I am looking to make a "pulse" dashboard for a host on my network; it will pulse green when up and red when down. So far I have:

index=index sourcetype=sourcetype log_type=type hostname=host
| eval logs=case(count>0, "1", count=0, "2")
| eval Status=case(Logs=1, "Green", Logs=2, "Red")

I believe there is an error in the case line with the count. I have to be missing something. Any insight would be helpful!
That's not exactly right. The httpout uses the same port as "ordinary" HEC input and uses the same token-based authorization, but the data is sent using an S2S-over-HTTP protocol. It's not the same as what the normal /event endpoint uses. So while you indeed can use it in situations when normal "unknown" protocol connectivity is disallowed, so that you can leverage HTTP proxy support and such, it's in no way a standard HTTP POST-based data pushing method. So the answer to @sudha_krish is no: you can't use httpout output to send data out to a non-Splunk HTTP server. BTW, there is no "headers" parameter for any Splunk outputs, let alone the httpout one.
As far as I remember, if your timestamp contains timezone information and it is properly parsed from the timestamp, the TZ setting is not used. And rightly so! After all, you're specifying the point in time unambiguously, so why should Splunk try second-guessing you by adjusting it by artificially added TZ information? If your sources report "the same" timestamp in two different timezones, they are effectively reporting two different timestamps and Splunk's behaviour is correct. You should fix your sources to report the same timestamp (referencing the same "absolute" timestamp after TZ-based correction is applied).
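An added check (not part of the reply above) that shows why the two MySQL timestamps quoted in the question are different instants once the offset is parsed, and that also lets you verify a timestamp format string before relying on it as TIME_FORMAT in props.conf. The two timestamp strings are the ones from the question; the format string is an assumption about how the source writes the timestamp:

```spl
| makeresults
| eval ts_mysql57="2025-04-29T11:42:01.532704+01:00", ts_mysql80="2025-04-29T11:42:01.532704+02:00"
| eval epoch57=strptime(ts_mysql57, "%Y-%m-%dT%H:%M:%S.%6N%:z")
| eval epoch80=strptime(ts_mysql80, "%Y-%m-%dT%H:%M:%S.%6N%:z")
| eval diff_seconds=epoch57 - epoch80
| table ts_mysql57 epoch57 ts_mysql80 epoch80 diff_seconds
```

With the offset consumed by %:z, the v5.7 value is 10:42:01 UTC and the v8.0 value is 09:42:01 UTC, so diff_seconds is 3600: the same wall-clock digits, one hour apart. If strptime returns null, the format string does not match the raw text; that is the case in which the offset would not be "properly parsed" at index time either, and only then does the TZ setting come into play. Fixing the source (or the MySQL server's time zone) so both versions emit the same offset is the right remedy, as the reply says.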
Hi All, which capability do I assign to a Splunk user to upload an image in Dashboard Studio?
I found the reason for the problem.

MySQL v5.7 uses system timezone → 2025-04-29T11:42:01.532704+01:00
MySQL v8.0 uses system timezone → 2025-04-29T11:42:01.532704+02:00

I can't explain the difference because the timestamps are specified the same in both versions. Anyway, I tried to fix this by setting the timezones with TZ= in props.conf of the forwarder and indexer. But no success.
How to understand "report_to_map_through_indexes"? I tried to build a macro but got a server error. Or should it become a custom command? Or how to implement it?
Hi, I'm trying to run a search via CLI from a federated Splunk instance > Splunk Cloud. Everything is configured correctly and I have access to all indexes on Splunk Cloud from the Federated Instance via the web interface. But when I'm trying to check the connection via CLI on the Federated Search instance:

splunk display app -uri https://<splunk cloud uri>:8089

I get this error:

argument uri is not supported by this handler splunk

Also, while trying to execute a search from Federated Search:

splunk search "index="some remote index on splunk cloud" | head 10"

I'm getting the following error:

ERROR: Unknown error for indexer: <splunk cloud>. Search results may be incomplete. If this occurs frequently, check on the peer.

Please assist.
Good Day @livehybrid
Yes, it helped. Some research with Browser Dev Tools shows that all possibilities (login to Splunkbase, downloading, login to Splunk) are inside the main domain: *.splunk.com. So allowing by domain to splunk.com should be OK.
Kind Regards.
Sourcetype is "cisco:sfw:estreamer" and i am using with default app settings .
Hi @yssplunker
Please could you confirm the sourcetype of your data? Looking in the app, most of the sourcetypes have TRUNCATE=0, which means they shouldn't be truncated, although not all of them! Please let me know which sourcetype you are having this with and I'll check that specifically.
Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @sudha_krish
httpout sends Splunk2Splunk (S2S) data but over HTTP (HEC) rather than the typical S2S port 9997; is this what you are trying to achieve? It is intended to be used when you are not able to send data to a remote Splunk instance using typical S2S. As @gcusello has said, if you want to send to a non-Splunk system you should look into using syslog output, which will send the raw data rather than Splunk-parsed S2S data.
Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @dipali
I'm unable to download the app to check, but it sounds like there could be knowledge objects within the app which are not readable by the User role due to their RBAC/metadata configuration. Please check within metadata/default.meta (and local.meta if you have made changes) to see what the different permissions are; feel free to share the contents here so we can walk through it.
Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
If you want value to contain only those two values, you could modify @bowesmana's solution like so:

| makeresults
| fields - _time
| eval value=split("ABC","")
| where mvcount(value)=2
| search value=A AND value=C
Hi @livehybrid,
Thanks for your response. Yes, it is JSON structured data, but there is no data like data -> vulnerability -> severity. How can I send you root cause analysis data?

Sample data:

{
  "timestamp": "2025-04-29T12:44:53.812+0600",
  "rule": {
    "level": 5,
    "description": "Systemd: Service exited due to a failure.",
    "id": "40704",
    "firedtimes": 4,
    "mail": false,
    "groups": ["local", "systemd"],
    "gpg13": ["4.3"],
    "gdpr": ["IV_35.7.d"]
  },
  "agent": {"id": "001", "name": "debian-pc", "ip": "192.168.11.XX"},
  "manager": {"name": "ubuntu"},
  "id": "1745909093.11585380",
  "full_log": "Apr 29 06:44:53 proxmox systemd[1]: logstash.service: Main process exited, code=exited, status=1/FAILURE",
  "predecoder": {"program_name": "systemd", "timestamp": "Apr 29 06:44:53", "hostname": "proxmox"},
  "decoder": {"name": "systemd"},
  "location": "journald"
}
Yes, you should edit your Entity Search by implementing a new Info field like "location", which is filled e.g. by rex.
Hi @sudha_krish,
I'm not sure that it's possible to forward logs to a third party using HTTP; the usual way is syslog, as described at https://docs.splunk.com/Documentation/SplunkCloud/9.3.2411/Forwarding/Forwarddatatothird-partysystemsd
Anyway, HTTP requires the use of a token: did you create a token in the receiver? Did you enable it? Did you pass it to your output?
Ciao.
Giuseppe
I want to forward the logs to a third-party server from a heavy forwarder over HTTP. Here is my outputs.conf:

[httpout]
defaultGroup = otel_hec_group

[httpout:otel_hec_group]
#server = thirdparty_server:8443
uri = http://thirdparty_server:8443
useSSL = false
sourcetype = hf_to_otel
disabled = false
sslVerifyServerCert = false
headers = {"Host": "hf_server", "Content-Type": "application/json"}
timeout = 30

But I don't receive logs on the third-party server, and I don't find any error in the splunkd logs as well. @SplunkSE