All Posts

Hi @AMAN0113, if you didn't do any customization you can directly do your upgrade to the latest version. You can update using the deployment method you have in use: Deployment Server or manually. Only one check: if you enabled inputs in the local folder there will be no problem; if you enabled them in the default folder (there's someone that does it), remember to re-enable the requested inputs. Ciao. Giuseppe
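The "only one check" above can be automated: the script below (an added example, not code from the post or from the Splunk Add-on for Unix and Linux) parses a default/inputs.conf and a local/inputs.conf and lists the stanzas that were enabled only in default/, which an upgrade will overwrite. The stanza names and settings are constructed for illustration.

```python
# Added example, not from the original post: report Unix TA inputs that were
# enabled by editing default/inputs.conf instead of local/inputs.conf.
# Splunk layers local/ over default/ per key and an add-on upgrade replaces
# default/, so a 'disabled = 0' that lives only in default/ is lost.
# Stanza names and settings below are constructed for illustration.
import configparser

# Constructed default/inputs.conf: two scripts were enabled in place.
DEFAULT_INPUTS = """\
[script://./bin/vmstat.sh]
sourcetype = vmstat
disabled = 0

[script://./bin/iostat.sh]
sourcetype = iostat
disabled = 0

[script://./bin/ps.sh]
sourcetype = ps
disabled = 1
"""

# Constructed local/inputs.conf: only vmstat was enabled the supported way.
LOCAL_INPUTS = """\
[script://./bin/vmstat.sh]
disabled = 0
"""


def parse_conf(text):
    """Parse Splunk's INI-style conf text into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def enabled_only_in_default(default_text, local_text):
    """Stanzas enabled (disabled = 0) in default/ with no 'disabled' key in
    local/: these are the inputs to re-enable in local/ after the upgrade."""
    default, local = parse_conf(default_text), parse_conf(local_text)
    return sorted(
        stanza for stanza, keys in default.items()
        if keys.get("disabled", "1").strip() == "0"
        and "disabled" not in local.get(stanza, {})
    )


if __name__ == "__main__":
    for stanza in enabled_only_in_default(DEFAULT_INPUTS, LOCAL_INPUTS):
        print("re-enable in local/inputs.conf after the upgrade:", stanza)
```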
We have Splunk Add-on for Unix and Linux 8.2.0 installed and need to upgrade it to the latest version (8.10.0). Request someone to help: can I directly upgrade it to 8.10, or should there be an incremental upgrade? Is there any feature that will be affected in my existing set-up due to the upgrade? Also, what are the steps that should be taken while I perform this so as to not lose any of my existing configs? Is there any documentation for this?
| rex "uriTemplate\":\"(?<uri>[^\"]+)"
Hi, "citiuuid":"3faa9e6e-c66d-4e52-898e-207219e87d9a","uriTemplate":"/v1/security/onlineBanking/registrations/status","method":"GET","apiStartTimestamp":1694413789916, I need to extract the uriTemplate field, please help on this.
Hi, as this sounds like you are asking for the answer to your course lab, I just give you pointers to where you could find the answers.
https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/Enableareceiver
https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/WhatSplunkcanmonitor
https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Aboutforwardingandreceivingdata
I suppose that your course material should also give the answer to what is missing/wrong in your configuration and how to debug it. One comment for security: you should never run the UF as root on the source node. Also don't use root as Splunk's internal admin user and never use the same password that you have at OS level. r. Ismo
Hi, as those are Splunk's own scripts and they should fix those by themselves, I said that the easiest way to get rid of those is just to add e.g. this to your SPL:
| rex field=value "exited\s+with\s+code\s+(?<exit_status>\d+)"
``` Add this one line ```
| where (script != ".$SPLUNK_HOME/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py" AND script != ".$SPLUNK_HOME/etc/apps/splunk_instrumentation/bin/instrumentation.py")
| stats first(started) as started, first(stopped) as stopped, first(exit_status) as exit_status by script, stanza
r. Ismo
@jabezds - Please check what is in line no. 13 of the umbrella_dashboard_api_client.py file. I think that's what is causing this error.
Hello Noopur, thanks for your response. We tried https://fra-ana-api.saas.appdynamics.com:443/_ping and it responded back pong as you suggested. So is it still fine if we get the posted error in logs? BR, Abhiram
This is a very common question - there is no data in Splunk for d and e, so you need to tell Splunk that you want information about hosts it does not know about. The most normal way to do this is to create a lookup with your (5?) hosts in, e.g. my_hosts.csv
host
a
b
c
d
e
then do your search
index=linux [ | inputlookup my_hosts.csv ]
| timechart span=1week eval(avg(CPU) * avg(MEM)) BY host
| appendcols [ | inputlookup append=t my_hosts.csv | eval {host}=0 | fields - host | stats max(*) as * ]
| filldown
which will make the time chart and then add columns for each of the missing hosts.
Hi @darphboubou, I don't have event samples so I cannot see the fields in the Interesting Fields panel, so, running the main search
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit"
which fields do you have in the Interesting Fields panel? Choose the ones to use for stats searches: e.g. if you want the number per user or per host, you could run something like:
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" | stats count BY user
or
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" | chart count OVER user BY host
then choose the fields to display in a table search:
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" | table _time host user domain action ...
As I said, the most valuable job is to know what to search; then you can learn how to search in Splunk using the Search Tutorial. Saving these searches in different dashboard panels, you'll have your dashboard to monitor your Use Case. Ciao. Giuseppe
@isoutamo sorry for the late response. I am not sure on that part, I guess they use this - "hybrid public key encryption". I did install Decrypt2 on Splunk but I'm not sure how that works.
if the search result of "past days count=0 and today count>0" then trigger another search to show count >0 log as _time field1 _raw
Yes, that's exactly what a subsearch can do.
index=... earliest=-3d@d [search index=... earliest=-3d@d
| bin _time span=1d@d
``` Calculates the count for a field by day ```
| stats count by field _time
``` Now calculate today's value and the total ```
| stats sum(eval(if(_time=relative_time(now(), "@d"),count, 0))) as today sum(count) as total by field
``` And set a field to be TRUE or FALSE to alert ```
| where today > 0 AND total - today == 0
| fields field]
This use of subsearch is very inefficient. Efficiency aside, I highly doubt that raw events are of value in an E-mail alert if today's findings are going to be more than a couple of events. If I were to receive an alert like this, I would rather it simply told me which fields are triggering this behavior so I can go back to a search window or a dashboard or a report to review event details. If I really want a little more in the E-mail itself, an aggregation of a handful of the fields of most concern. If there are going to be only a couple of events to ever satisfy the criteria, you can use an alternative to produce an ordered list of _raw - provided it is really desirable to recipients.
index=... earliest=-3d@d
| bin _time span=1d@d
``` Calculates the count for a field by day ```
| stats count list(_raw) as _raw by info _time
``` Now calculate today's value and the total ```
| stats list(_raw) as _raw sum(eval(if(_time=relative_time(now(), "@d"),count, 0))) as today sum(count) as total by info
``` And set a field to be TRUE or FALSE to alert ```
| where today > 0 AND total - today == 0
This way, you don't need to run two searches sequentially. BTW, last time I used field name "info" in place of "field". This is corrected.
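The "today > 0 AND total - today == 0" test from the searches above, carried out in Python over a few constructed login events so the logic can be checked outside Splunk. This is an added example, not code from the answer or from Splunk; the field values, timestamps and raw lines are constructed, and the fixed NOW stands in for Splunk's now().

```python
# Added example, not from the original post: detect field values seen today but
# on none of the previous days of the window, mirroring the SPL
#   | bin _time span=1d@d | stats count by field _time
#   | stats sum(eval(if(_time=relative_time(now(), "@d"), count, 0))) as today
#           sum(count) as total by field
#   | where today > 0 AND total - today == 0
# Events, field values and timestamps below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the run is reproducible; Splunk's now() would be used live.
NOW = datetime(2023, 9, 14, 15, 0, tzinfo=timezone.utc)
TODAY = NOW.replace(hour=0, minute=0, second=0, microsecond=0)  # relative_time(now(), "@d")

# Constructed events: (timestamp, value of the grouping field, raw line).
EVENTS = [
    (TODAY - timedelta(days=2, hours=3), "svc_backup", "login user=svc_backup src=10.0.0.5"),
    (TODAY - timedelta(days=1, hours=6), "svc_backup", "login user=svc_backup src=10.0.0.5"),
    (TODAY + timedelta(hours=9), "svc_backup", "login user=svc_backup src=10.0.0.5"),
    (TODAY + timedelta(hours=10), "jdoe_adm", "login user=jdoe_adm src=10.0.0.77"),
    (TODAY + timedelta(hours=11), "jdoe_adm", "login user=jdoe_adm src=10.0.0.78"),
]


def new_today(events, today, lookback_days=3):
    """Return {field_value: [raw, ...]} for values with events today and none
    on the previous lookback_days days (earliest=-3d@d in the SPL)."""
    earliest = today - timedelta(days=lookback_days)
    per_day = defaultdict(lambda: defaultdict(int))  # value -> day bucket -> count
    raws = defaultdict(list)                          # value -> list(_raw)
    for ts, value, raw in events:
        if ts < earliest:
            continue
        day = ts.replace(hour=0, minute=0, second=0, microsecond=0)  # bin span=1d@d
        per_day[value][day] += 1
        raws[value].append(raw)
    hits = {}
    for value, days in per_day.items():
        today_count = days.get(today, 0)  # sum(eval(if(_time=@d, count, 0))) as today
        total = sum(days.values())        # sum(count) as total
        if today_count > 0 and total - today_count == 0:
            hits[value] = raws[value]     # only today's raws can exist here
    return hits


if __name__ == "__main__":
    for value, lines in new_today(EVENTS, TODAY).items():
        print(f"{value}: first seen in the window, {len(lines)} event(s) today")
        for line in lines:
            print("   ", line)
```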
Hi Splunkers, need some help with a timechart query please.
index=linux host IN (a,b,c,d,e) | timechart span=1week eval(avg(CPU) * avg(MEM)) BY host
This works well if there is at least an event per host. But I wanted to show a zero value when there are no events for a particular host. Is that possible? E.g. I have events only for a,b,c but still wanted to show zero for the d and e hosts.
@Akmal57 I think you should remove numbering before stats. Can you please try this?
YOUR SEARCH
| rex field=ip_addr "(?<ip>\d+\.\d+\.\d+\.\d+)"
| stats values(ip) as ip by hostname
My Sample Search:
| makeresults
| eval _raw="hostname,ip_addr
Host A,1) 10.0.0.0
Host A,2) 10.10.10.1
Host A,3) 10.0.0.2
Host B,1) 192.1.1.1
Host B,2) 172.1.1.1"
| multikv forceheader=1
| table hostname,ip_addr
| rex field=ip_addr "(?<ip>\d+\.\d+\.\d+\.\d+)"
| stats values(ip) as ip by hostname
I hope this will help you. Thanks KV. If any of my replies help you to solve the problem or gain knowledge, an upvote would be appreciated.
I have asset management data that I need to create weekly reports from. When I make a query for the data like the query below:
index=a sourcetype=b | stats values(ip_addr) as ip by hostname
Result:
hostname    ip
Host A      1) 10.0.0.0
            2) 10.10.10.1
            3) 10.0.0.2
Host B      1) 192.1.1.1
            2) 172.1.1.1
I wanted the result to not include the numbering in front of the IP address. Please assist on this. Thank you.
 if the search result of "past days count=0 and today count>0" then trigger another search to show count >0 log as _time field1 _raw
Hi, I am kinda new to Splunk and I'm having this trouble: `A script exited abnormally with exit status: 1" input=".$SPLUNK_HOME/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py"` I have 1 Master server (Cluster Master, SHC Deployer, License Master), 3 search heads (clustered), 3 indexers (clustered), 1 heavy forwarder. I've run the below command that I found on the web
```
| rest /services/admin/inputstatus/ModularInputs:modular%20input%20commands splunk_server=local count=0
| append [| rest /services/admin/inputstatus/ExecProcessor:exec%20commands splunk_server=local count=0]
| fields inputs*
| transpose
| rex field=column "inputs(?<script>\S+)(?:\s\((?<stanza>[^\(]+)\))?\.(?<key>(exit status description)|(time closed)|(time opened))"
| eval value=coalesce('row 1', 'row 2'), stanza=coalesce(stanza, "default"), started=if(key=="time opened", value, started), stopped=if(key=="time closed", value, stopped)
| rex field=value "exited\s+with\s+code\s+(?<exit_status>\d+)"
| stats first(started) as started, first(stopped) as stopped, first(exit_status) as exit_status by script, stanza
| eval errmsg=case(exit_status=="0", null(), isnotnull(exit_status), "A script exited abnormally with exit status: "+exit_status, isnull(started) or isnotnull(stopped), "A script is in an unknown state"), ignore=if(`script_error_msg_ignore`, 1, 0)
```
and I got this result: exit_status 1 and 114. How do I get rid of these errors? Thank you in advance.
Not really on a cluster map after geostats, because you can't split by City and IP. However, you can use the Maps+ app, which has way way more options for customisation https://splunkbase.splunk.com/app/3124 You wouldn't then use geostats, but stats count by City, ip and then in the maps+ app you can configure all sorts of things, such as map layers, HTML tooltips and so on. The app has a number of good examples of how to use it.
Hi @linaaabad The Splunk App for Salesforce is a search head app containing views and dashboards shared by a Splunk community member as a starting point for other users, like yourself, to get a head start at looking at and understanding the SF event data. Splunk would have no interest in providing a search head app for Salesforce as they are not experts in the Salesforce data. Being limited to only using Splunk-produced apps will only slow down any development in understanding the SF data. Having said that, an app is just an archive file containing configuration in flat text files - *.conf files and *.xml files for dashboards/views. You do not have to install the app to be able to view these files; simply download the app and open the archive file using your favored utility, e.g. zip on Windows or tar on *nix, and look at these types of files under the default folder. If you are not very experienced in Splunk then it will be a confusing place to start, however. Alternatively, if there is a test system where you could install the app, you could look at the configuration via the Web UI and copy what you want to your other system. Hope that helps a little bit.
Is it possible to get the Search Strings or Source code from the Splunk App for Salesforce? Does anyone have the App and can provide the source code/searches? We installed the Splunk Add-on for Salesforce, which doesn't have any dashboards; we cannot install the Splunk App for Salesforce because it's not supported by Splunk... Suggestions, Help PLEASE!