I am running an alert which is not triggering email actions when using the real-time option. The alert is used to search for hosts which have not sent logs in the last 5 minutes. For example, I shut down a host for testing and wait 5 minutes. I then manually run the search string with a time frame specified (e.g. last 15 minutes) and I am able to obtain results. However, even though the same search was configured in the form of an alert running in real time, it produces no results and does not trigger an email. Here is the search I am using:

index=* | stats max(_time) as latest by host | eval recent=if(latest > relative_time(now(),"-5m"),1,0), realLatest=strftime(latest, "%Y-%m-%d %H:%M:%S") | fields - latest | where recent = 0 | rename host AS Host, realLatest AS "Latest Timestamp" | table Host, "Latest Timestamp"
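The difference between the manual search and the real-time alert can be reproduced outside Splunk. The following Python is an added example, not code from the post: it models `stats max(_time) as latest by host` over a search window and shows that with a 5-minute real-time window a host that went quiet 10 minutes ago contributes no events at all, so it never appears in the results and can never be flagged, whereas the 15-minute manual search still sees its last event. Evaluating an inventory of expected hosts instead (the hypothetical `EXPECTED_HOSTS` list here; in Splunk that would typically be a lookup) is what makes a silent host reportable regardless of the window. The events and the inventory are constructed.

```python
# Added example (not from the post): models `stats max(_time) as latest by host`
# over a search window and shows why a real-time window cannot report a host
# that has stopped sending. Events and the EXPECTED_HOSTS inventory are constructed.

NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

# Constructed sample events as (host, _time). web-02 sent its last event 10 minutes ago.
SAMPLE_EVENTS = [
    ("web-01", NOW - 60),
    ("web-01", NOW - 30),
    ("db-01", NOW - 120),
    ("web-02", NOW - 10 * 60),
]

# Hypothetical inventory of hosts that should be logging (in Splunk this would be a lookup).
EXPECTED_HOSTS = ["web-01", "web-02", "db-01", "vpn-01"]

THRESHOLD_S = 5 * 60  # the post's relative_time(now(), "-5m")


def latest_by_host(events, earliest, latest):
    """`earliest<=_time<latest | stats max(_time) as latest by host`.
    Only events inside the window contribute; a host with none yields no row."""
    out = {}
    for host, t in events:
        if earliest <= t < latest:
            out[host] = max(out.get(host, 0), t)
    return out


def silent_hosts_window_only(events, now, window_s, threshold_s=THRESHOLD_S):
    """The posted search as written: flag rows whose latest is older than the threshold.
    Returns sorted host names; a host absent from the window can never be returned."""
    seen = latest_by_host(events, now - window_s, now)
    return sorted(h for h, t in seen.items() if t <= now - threshold_s)


def silent_hosts_with_inventory(events, expected, now, window_s, threshold_s=THRESHOLD_S):
    """Same check, but driven by the inventory: every expected host is evaluated,
    and one with no events in the window is reported with latest=None."""
    seen = latest_by_host(events, now - window_s, now)
    return {
        host: seen.get(host)
        for host in expected
        if seen.get(host) is None or seen[host] <= now - threshold_s
    }


if __name__ == "__main__":
    print("real-time 5m window, window only:", silent_hosts_window_only(SAMPLE_EVENTS, NOW, 300))
    print("manual last 15m, window only:   ", silent_hosts_window_only(SAMPLE_EVENTS, NOW, 900))
    print("real-time 5m window + inventory:",
          silent_hosts_with_inventory(SAMPLE_EVENTS, EXPECTED_HOSTS, NOW, 300))
```

Run it and the window-only function returns nothing for the 5-minute window and `web-02` for the 15-minute one; the inventory-driven function reports `web-02` (and the never-seen `vpn-01`) in both cases.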
I posted my script in this thread and it's the sample script, just edited for my environment. It's been working fine for a long time until this issue arose.
Good afternoon, I am trying to show information from a CSV which is static, but will be replaced as time goes on. I was wondering if there was a way to make the CSV filenames a dropdown option in an input which would correlate with the searches below in the dashboard. For example, input dropdown values: july.csv, august.csv. And the search would be | inputlookup $august.csv$ ... Is this an option or is there a better way to do this?
I selected from the time picker, e.g. 8/14/23 00:00:00 to 8/15/23 00:00:00.
I'm trying to add an input within a canvas as is indicated here: https://docs.splunk.com/Documentation/SplunkCloud/latest/DashStudio/inputConfig#Inputs_in_the_canvas I have been dragging my input to the canvas without luck. Then I found this video that shows a configuration option for in or above canvas: https://www.youtube.com/watch?v=eyXAa6xxrso However, on my dashboard, I do not have these options. Is there a configuration that I am missing?   Why am I unable to move my inputs to the canvas? Splunk Cloud Version: 9.0.2209.3
Hello All, I have seen this post (which is helpful): "How to get the on click marker gauge redirect to a dashboard?" I would like to run a search instead of setting a variable on a panel. Is this possible? The JavaScript writes the value to a $token$ variable on a second panel. I would like to run a search; the filler gauge does not have an option for a drilldown. Yes, the easy way is to just click the search magnifying glass. Thanks, eholz1
Good question. Since Forwarder 9.0, "least privilege mode" (running the Splunk service as NON-ROOT) is enabled by default, whereas Enterprise does not have such a feature (yet?). Previously Forwarder and Enterprise shared the same account `splunk`, so since 9.0 Forwarder creates a dedicated user `splunkfwd` to prevent user permission conflicts. Today it's very popular to install the Forwarder and Enterprise on the same instance: install the Forwarder in the base image (so that all dockerized instances are monitored by default) to monitor platform internal metrics such as CPU, memory, network resources, system files, etc., and install Enterprise to ingest data from external resources or to host indexing/search. So this is just a default account change, just like the default user changing from LocalSystem to a Virtual Account on Windows since Forwarder 9.1, as a security improvement.
As we don't know the content of your script, we cannot really help you more. I propose that you find someone who knows enough Python and look together at what's wrong in the script and fix it.
Good to hear that this is working! BUT you still have this issue with your TZ definition on the log file. If you ever get logs from a TZ which has an xx:30 shift (like some Indian ones, -05:30) instead of a full hour, those will get a wrong UTC time in Splunk.
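The answer above warns about zones whose offset is not a whole hour. The following Python is an added example, not part of the thread: it parses three constructed log lines that were all written at the same UTC instant, once with the full ±HHMM offset (the equivalent of a `TIME_FORMAT` that ends in `%z`) and once honouring only the hour part (the effect a whole-hour `TZ` setting has on such a source). For India's +0530 the two readings disagree by 30 minutes, for +0945 by 45. The sample lines and function names are my own.

```python
# Added example (not from the thread): shows what goes wrong when a timestamp's
# UTC offset is handled as whole hours only. The log lines are constructed.
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, all written at the same instant: 2023-08-28 06:00:00 UTC.
SAMPLE_LINES = [
    "2023-08-28 08:00:00 +0200 host=eu-01 msg=ok",  # whole-hour offset
    "2023-08-28 11:30:00 +0530 host=in-01 msg=ok",  # half-hour offset (India)
    "2023-08-28 15:45:00 +0945 host=au-01 msg=ok",  # quarter-hour offset (Eucla)
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-])(\d{2})(\d{2})")


def to_utc_full_offset(line):
    """Correct: parse the complete +-HHMM offset (what a TIME_FORMAT ending in %z does)."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"no timestamp in: {line!r}")
    stamp = f"{m.group(1)} {m.group(2)}{m.group(3)}{m.group(4)}"
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)


def to_utc_hours_only(line):
    """Wrong: honour only the hour part of the offset, as a whole-hour TZ setting
    (or a TIME_FORMAT that stops before the offset minutes) effectively does."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"no timestamp in: {line!r}")
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    sign = 1 if m.group(2) == "+" else -1
    return (naive - timedelta(hours=sign * int(m.group(3)))).replace(tzinfo=timezone.utc)


def utc_iso(line):
    """ISO-8601 UTC time from the correct parser."""
    return to_utc_full_offset(line).isoformat()


def skew_seconds(line):
    """Distance between the hours-only reading and the true instant; 0 only for whole-hour zones."""
    return int((to_utc_hours_only(line) - to_utc_full_offset(line)).total_seconds())


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line.split(" host=")[0], "->", utc_iso(line), "skew:", skew_seconds(line), "s")
```

A 30- or 45-minute skew is enough to put events on the wrong side of a correlation window or an alert threshold, so check the offset minutes of every source before settling on a whole-hour `TZ`.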
The packet field appears to be encoded or encrypted. You would have to get with the vendor to determine how to make the field legible, if it can be done at all. It's possible this is data straight off the wire and that you would need the SSL certificate to process the data - not something one can do in SPL.
We managed to resolve the "type 28 / 500 internal server" Enterprise Security installation error by cleaning out /tmp.
This error says that your DNS service cannot resolve that name. You should fix that first and then check whether the UF works after that.
When you are enabling splunk boot-start (please check the exact syntax in the docs) as a systemd managed version, splunk creates a systemd unit file in /etc/systemd/system. Its name is Splunkd.service or something similar. You could change this if needed/wanted via splunk-launch.conf. As I said earlier, when you run that "splunk enable boot-start ..." as root, it creates the systemd unit file with standard values based on your host's current physical attributes. If you want to restrict memory usage, just decrease that memory parameter. I suppose that this restricts Splunk's memory usage.
We got the same error for all the members of the cluster.  When it occurred, we had to restart Splunk on each member. 
I'm passing a bucket path and getting this error now. Replaced some path values to hide internal names and bucket name.

bash-4.2$ /opt/splunk/bin/splunk cmd "/opt/splunk/bin/python" "/opt/splunk/etc/peer-apps/archive_app/coldToFrozen.py" "/opt/splunk/var/lib/splunk/indexname/db/db_string"
Traceback (most recent call last):
  File "/opt/splunk/etc/peer-apps/archive_app/coldToFrozen.py", line 51, in <module>
    handleOldBucket(bucket, files)
NameError: name 'handleOldBucket' is not defined
Update: Privileged downloads must be requested via the support portal.
Hello @kamal.rath, Since the Community did not jump in, you can reach out to AppD Support. How do I submit a Support ticket? An FAQ  If you decide to do that, can you please share any learnings from that as a reply to this thread. 
Hello Friends, here is my snippet of inputs.conf to give you an idea, or maybe there is a mistake on my end?? Again, thank you for your help
------------------
This is my snip of inputs.conf

# cat inputs.conf
[perfmon://CPU]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time
instances = *
interval = 30
mode = single
object = Processor
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true
sourcetype = PerfmonMetrics:CPU
disabled = 0
index=uat

[perfmon://Memory]
counters = Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes
interval = 30
mode = single
object = Memory
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true
sourcetype = PerfmonMetrics:Memory
disabled = 0
index=uat

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 10
renderXml=true
sourcetype = WinEventLog:Application
index=uat

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 10
renderXml=true
blacklist1 = EventCode="(4662|566)" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:(\W+\w+$)"
blacklist3 = EventCode="4624" Message="An account was successfully logged on"
blacklist4 = EventCode="(4688|4689)" Message="%SplunkUniversalForwarder%"
blacklist5 = EventCode="6278" Message="Network Policy Server granted full access to a user because the host met the defined health policy."
#whitelist = 1101, 1104, 4616, 4657, 4697
sourcetype = WinEventLog:Security
index=uat

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 10
renderXml=true
sourcetype = WinEventLog:System
index=uat

[WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest
renderXml=true
sourcetype = WinEventLog:Setup
index=uat

[monitor://$SPLUNK_HOME\var\log\splunk\*.log*]
sourcetype = uf
disabled = 0
index = _internal
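How the Security-log blacklist lines in that inputs.conf actually filter can be checked offline. The following Python is an added example, not code from the post: it applies the five `blacklistN` rules to constructed sample events using the rule semantics documented for inputs.conf, namely that each line is a set of key="regex" pairs, each regex is matched unanchored against the named field, and an event is discarded when all pairs on some line match. Two things it makes visible: blacklist3 discards every 4624 (all successful logons, which most authentication detection content relies on), and blacklist4 never matches a real 4688 for the forwarder's own binary, because `%` is a literal character in a regex, not a wildcard. The sample messages are constructed, not real event exports.

```python
# Added example (not from the post): evaluates the Security-log blacklist rules from the
# inputs.conf above against constructed sample events. Semantics modelled: one line holds
# several key="regex" pairs, regexes are searched (unanchored) in the named field, and the
# event is dropped when every pair on some line matches.
import re

BLACKLIST = [
    r'EventCode="(4662|566)" Message="Object Type:(?!\s*groupPolicyContainer)"',
    r'EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:(\W+\w+$)"',
    r'EventCode="4624" Message="An account was successfully logged on"',
    r'EventCode="(4688|4689)" Message="%SplunkUniversalForwarder%"',
    r'EventCode="6278" Message="Network Policy Server granted full access to a user because the host met the defined health policy."',
]

# key="regex" pairs; the regex part may contain escapes such as \s or \"
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_rule(line):
    """Split one blacklist line into (field, compiled regex) pairs."""
    return [(key, re.compile(rx)) for key, rx in PAIR_RE.findall(line)]


RULES = [parse_rule(line) for line in BLACKLIST]


def matching_rules(event, rules=RULES):
    """1-based numbers of the blacklist lines whose pairs all match the event's fields."""
    hits = []
    for n, rule in enumerate(rules, start=1):
        if all(rx.search(event.get(key, "")) for key, rx in rule):
            hits.append(n)
    return hits


def is_dropped(event, rules=RULES):
    return bool(matching_rules(event, rules))


# Constructed sample events (EventCode plus an abbreviated Message body).
SAMPLE_EVENTS = {
    "logon": {
        "EventCode": "4624",
        "Message": "An account was successfully logged on.\n\nSubject:\n\tAccount Name:\t\tSRV01$\n",
    },
    "gpo_access": {
        "EventCode": "4662",
        "Message": "An operation was performed on an object.\n\nObject:\n\tObject Type:\t\tgroupPolicyContainer\n",
    },
    "user_access": {
        "EventCode": "4662",
        "Message": "An operation was performed on an object.\n\nObject:\n\tObject Type:\t\tuser\n",
    },
    # A 4688 for the forwarder's own binary: the path contains the name, but no '%' characters.
    "uf_process": {
        "EventCode": "4688",
        "Message": "A new process has been created.\n\nCreator Subject:\n\tAccount Name:\t\tSRV01$\n\n"
                   "Process Information:\n\tNew Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\n",
    },
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:12s} EventCode={ev['EventCode']} dropped_by={matching_rules(ev)}")
```

Running it shows `logon` dropped by rule 3, `user_access` dropped by rule 1, and both `gpo_access` and `uf_process` kept; if the intent of blacklist4 was to drop the forwarder's own process-creation events, the regex needs the real path fragment (for example `SplunkUniversalForwarder\\\\bin`) rather than `%` wildcards.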
Hi @Blessy.Helen Mathew, Since this got no reply from the community, you can try contacting AppD Support. How do I submit a Support ticket? An FAQ 
Hi @Hemnaath, here you can find the latest version (7.0.0): https://docs.splunk.com/Documentation/AddOns/released/AWS/Releasenotes?_gl=1*x0j3gx*_ga*OTc5MjcyOTc3LjE2ODY5ODEzNDg.*_ga_GS7YF8S63Y*MTY5MzIzNjMxMi4xNjUuMS4xNjkzMjM4MTYwLjAuMC4w*_ga_5EPM2P39FV*MTY5MzIzNjI5MC4yODcuMS4xNjkzMjM4MTYxLjAuMC4w&_ga=2.237100681.821286860.1692543785-979272977.1686981348&_gac=1.57004760.1693210375.Cj0KCQjwi7GnBhDXARIsAFLvH4ll56r7e9by3rn-eGJ4TTl27Zaz5Z020GdxkWHFSFpu81Fzu6Nd8pwaAvpnEALw_wcB but there isn't any previous version. Anyway, it's a Splunk Supported App, so you can open a ticket with Splunk Support. Ciao. Giuseppe