All Posts

Yes, the syntax was tested. Here is test code you can try anywhere:

    index=_internal | stats count(eval(sourcetype IN ("splunkd_access", "splunkd_ui_access"))) as selective_with_IN count as all by source

Result on my laptop instance is:

    source                                                      selective_with_IN  all
    /Applications/Splunk/var/log/splunk/health.log              0                  5884
    /Applications/Splunk/var/log/splunk/license_usage.log       0                  2
    /Applications/Splunk/var/log/splunk/metrics.log             0                  45872
    /Applications/Splunk/var/log/splunk/metrics.log.1           0                  2
    /Applications/Splunk/var/log/splunk/mongod.log              0                  1
    /Applications/Splunk/var/log/splunk/python.log              0                  376
    /Applications/Splunk/var/log/splunk/search_messages.log     0                  1
    /Applications/Splunk/var/log/splunk/splunkd.log             0                  28780
    /Applications/Splunk/var/log/splunk/splunkd_access.log      6068               6068
    /Applications/Splunk/var/log/splunk/splunkd_ui_access.log   804                804
    /Applications/Splunk/var/log/splunk/web_access.log          0                  68
    /Applications/Splunk/var/log/splunk/web_service.log         0                  197

My version is 9.1. Using the syntax @bowesmana gave gives the same result:

    index=_internal | stats sum(eval(if(sourcetype IN ("splunkd_access", "splunkd_ui_access"), 1, 0))) as selective_with_IN count as all by source
@richgalloway No luck! But I confirm there are no other files and settings. Command used:

    index=vmware | stats count by sourcetype

Currently syslog is ingesting via universal forwarder. Current configuration:

inputs.conf

    [monitor:///opt/syslog/vmware/10.149.xx.xx/*-syslog.log]
    disabled = false
    host_segment = 4
    index = vmware-vclog
    sourcetype = vclog
    initCrcLength = 2048

props.conf

    [source::/opt/syslog/vmware/10.149.xx.xx/*]
    TRANSFORMS-null = setnull

    [vclog]
    LINE_BREAKER = ([\r\n]+)\<\d+\>\d
    SHOULD_LINEMERGE = false

transforms.conf

    [setnull]
    REGEX = ^\w+\W
    DESK_KEY = queue
    FORMAT = nullQueue
Hello All, I am trying to plot the count of events per day over a span of a week, using the scatterplot matrix as the visualization, to see if there is any linear relation observed. I need to plot 4 charts, one for each week of the month, since there are restrictions on the number of datapoints a single chart can publish. But when I plot more than one chart, the dashboard breaks down and I start getting the error:

    Error rendering Scatterplot Matrix visualization

Thus, I need your guidance to resolve the error. Thank you, Taruchit
Which version of Splunk are you using (the makeresults command changed in version 9)? The makeresults command is only there to create some example data to show you that the commands work.
Insight on my problem below is appreciated! I am using DB Connect to attempt to connect to a MSSQL database. When I Save/Edit the connection I get the following error from Splunkweb:

    The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:XXXXXXXXXXXXXXXXXX

And the following (combined) error from splunk_app_db_connect_server.log and splunk_app_db_connect_audit_server.log:

    com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:XXXXXXXXXXXXXXXXXX
    ...........................
    Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
        at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
        at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1661)
        ... 99 common frames omitted

I have tried the following to resolve the problem with no luck:

- Added the following to the DB Connect Task Server JVM Options: -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"
- Added the following parameters to the JDBC url: encrypt=true;trustServerCertificate=true;

I have also installed and attempted to run the DB Connect troubleshooting tool (ran using the following command: python3 -m troubleshooting_tools.start):

    |----|----|----|----|----|
    |       DB Connect        |
    |  Troubleshooting Tools  |
    |----|----|----|----|----|
    Which tool do you want to use?
    1. Troubleshoot Starts
    2. Services Status
    3. Troubleshoot Connections
    4. Troubleshoot Inputs
    : 3
    Troubleshoot Connections
    Splunk URL: localhost
    Splunk management port: 8089
    Splunk username (Default value is <admin>): admin
    Splunk password: ********
    Connection name: MY_CONNECTION
    Connector path: %PATH_TO_CONNECTOR_JAR%
    JDBC path: %PATH_TO_JDBC_DRIVER_JAR%

Which leads to the following output:

    An error occurred while trying to get the connection with the name : MY_CONNECTION. Error message: Data must be padded to 16 byte boundary in CBC mode

In addition, here is some information regarding my environment:

- OS: Oracle Linux 9
- Splunk Enterprise: Splunk 9.1.0.2
- Splunk DB Connect 3.14.1
- Splunk DBX Add-on for Microsoft SQL Server JDBC 1.2.0
- Manually installed additional Microsoft JDBC Driver 12.4 for SQL Server driver mssql-jdbc-12.4.1.jre11.jar (the above errors are occurring for both Connection Types)
- JAVA: openjdk 11.0.20
Please use btool to ensure no other files add settings for the sourcetype.

    splunk btool --debug props list vclog | grep -v "system\/default"

What query created the output in the first screenshot?
Hello Everybody, we've installed Splunk 9.1.1 OnPrem and now, unfortunately, the Browser Icon Changer App will not work. Message: "HTML Dashboards are no longer supported." In Splunkbase, Version 9.1 is listed as supported. Did we do anything wrong? BR, Martin
Hi everyone, please advise: is it possible to GET a particular service Health score with a simple REST API call (for example using the Postman app)? I tried to find it in https://docs.splunk.com/Documentation/ITSI/4.17.0/RESTAPI/ITSIRESTAPIreference#ITOA_Interface but with no success.
Hi Gautam, my company uses a few Trend Micro products and let me tell you, the data ingestion can be a JOURNEY! I do remember, in my struggle to get XDR data in, that I saw documentation from Trend Micro on sending data to syslog: "Connect to Splunk - Network Security | Trend Micro Cloud One™ Documentation". I hope this helps out or at least gets ya started in the right direction. Good Luck! Kelly
I am getting a different sourcetype name in my logs. But I want the sourcetype name as per the conf file. Below are the screenshots of inputs.conf, props.conf & transforms.conf.

[Screenshot: Props & Transforms]

[Screenshot: Inputs]
I ran from search prompt bar but nothing was returned for result set - is there a specific way to use 'makeresults' syntax?
We have a SEDCMD masking a field that correctly masks data as shown in the event; however, in the expanded info on the event it is not masked. Has anyone seen this before? Working with Proofpoint logs.
Have you found a solution for this? I'm experiencing the same thing, and I made sure that the fields we provided in the Risk Analysis Adaptive Response Action are valid fields that are being presented in the correlation search results. In fact, I'm using the same fields as variables in the title of the notable event. But nothing is populating in Incident Review for Risk Score, Risk Event, and Risk Object.
Hello, how can I use Splunk to run a report for all DFS users who logged into VPN last week, 9/11-9/15? I'll need to be able to view the usernames. We have a Cisco environment. Thank you, Anthony
Maybe not a common TA or app, but Splunk App for Stream uses kvstore. Found this out recently doing some troubleshooting. So on stream servers make sure in server.conf to set:

    [kvstore]
    disabled = false
Hello All, I was able to solve this issue. I was digging into cURL capabilities and the answer is cURL -K configFile. Below is how it works.

First, suppose you need to send an extremely long query to the Splunk API from your app or script with your cURL command (an SPL search command of 121852 chars in my case).

1. curl command

    curl -K query.spl --noproxy '*' -H "Authorization: Splunk myTOKEN" https://mySearchHEAD:8089/servicesNS/admin/search/search/jobs
    ### --noproxy '*' is optional and depends on your network setup

2. Your config file query.spl content and syntax

    [someUser@algunServidor:~/myDirectorio]$ more query.spl
    -d exec_mode=oneshot   ## this can be normal
    -d output_mode=json    ## this can be xml or csv
    -d "search=| search index=myIndex sourcetype=mySourcetype _raw=*somethingIamLooking for* field1=something1 field2=something2 .... fieldN=somethingN earliest=-1h latest=now"
    ### really important: pay attention to the quotes above, you need them to make it work.

I hope this helps someone.
Hi, is there a query to list all the queries that time out in Splunk Cloud? Thank you. Kind regards, Marta
Change the time range of both panels to some historical time for which your summary index will have data, e.g. earliest=-24h latest=-2m@m. This way your summary will have some data summarized and your drilldown search will only look at raw data for the summarized time range.
Thank you for the suggestion. Best regards, Marta
Hi, this forum is specific to "Splunk Observability Cloud", which includes products like APM, RUM, IM, Synthetics... You'll get better replies if you post your question to the "Splunk Search" section (https://community.splunk.com/t5/Splunk-Search/bd-p/splunk-search).