Hi @tkwaller1

Just a small tweak to the SPL you already have, to use search NOT (current-context) and rename username to eai:acl.owner instead of user. This would filter out all the ones which the current user owns.

| rest splunk_server=local /servicesNS/-/-/data/ui/views
| search NOT [| rest /services/authentication/current-context splunk_server=local | fields + username | rename username as eai:acl.owner]
| rename eai:acl.app as App, eai:acl.perms.read as Permissions, title as View, label AS Dashboard
| table Dashboard eai:acl.owner

If you just want to see all views which the user can access, then this will be any which are returned from the REST call:

| rest splunk_server=local /servicesNS/-/-/data/ui/views
| rename eai:acl.app as App, eai:acl.perms.read as Permissions, title as View, label AS Dashboard
| table App Dashboard eai:acl.owner

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
Hi @KJ10

Thanks for your response. Ultimately it's going to be hard to identify the best approach to this without having the code, but I would suggest determining how it's currently written and then checking out the best practices for the approach taken. Typically there are 3 ways to create a Splunk app:

Splunk Add-on Builder
UCC Framework (my preference)
Custom Python

I'd start by looking at the common code between the 5 existing modules and find where you can put a loop to loop over the different endpoints (presumably?) that you need to query so that you combine the inputs. Be sure to update the source/sourcetype accordingly for each of the iterations so that your data doesn't end up in one big source/sourcetype and hard to separate between the 5 types.

If you're able to share the code on here (anonymised if required) then I might be able to tailor the help, but please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
Hi

The reason why this isn't working is that Splunk didn't manage that volume, as you don't have any hot/warm or cold index spaces there. When you have moved buckets into the frozen state, Splunk doesn't count those anyhow. The only thing it looks at with those is that your cold-to-frozen script returns zero when Splunk has called it. If it's not zero then it doesn't remove that bucket from the cold volume.

If you want to look at other space/volumes/fs mountpoints you must use e.g. Splunk Add-on for Unix and Linux | Splunkbase or other inputs which just run df for that.

r. Ismo
@RSS_STT wrote: split function proving error.

I'm not sure what to make of that, but I take it you get an (undescribed) error with the code I provided. I found a missing argument so please try the revised SPL.
Simple search but I'm having issues nailing down what I want to see. This search returns all the views the logged-in user owns.

| rest splunk_server=local /servicesNS/-/-/data/ui/views
| rename author as user
| search [| rest /services/authentication/current-context splunk_server=local | fields + username | rename username as user]
| rename eai:acl.app as App, eai:acl.perms.read as Permissions, title as View, label AS Dashboard
| table Dashboard

I would like to have it show all the views the logged-in user has access to instead, not just the ones that are owned.

Thanks for the help
Hi Team

Can someone please help me to find how we can fetch the status of the application A1 having 5 jobs (Job1, Job2, Job3, Job4, Job5) running every day.

Status of Application: This needs to be extracted using the query attached below:

Planned: If current time is less than the expected time of JOB1
OK-Running: If current time is between the expected time of JOB1 and expected time of JOB5 + status of all the JOBs is either OK or PLANNED
KO-FAILED: If current time is between the expected time of JOB1 and expected time of JOB5 + status of any 1 of the JOBs is KO.

Query used today to fetch the status of each job in the application:

index = ABC ( TERM(JOB1) OR TERM(JOB4) OR TERM(JOB2) OR TERM(JOB3) OR TERM(JOB5) OR TERM(JOB6) OR TERM(JOB7) ) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND")
| eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND" , like(TEXT, "%ENDED - TIME%"), "ENDED" , like(TEXT, "%STARTED - TIME%"), "STARTED")
| eval DAT = strftime(relative_time(_time, "+0h"), "%d/%m/%Y") , {Function}_TIME=_time
| rename DAT as Date_of_reception
| stats max(Date_of_reception) as Date_of_reception max(ENDED_TIME) as ENDED_TIME max(STARTED_TIME) as STARTED_TIME max(ABEND_TIME) as ABEND_TIME by JOBNAME
| inputlookup append=t ESES_Job_MIFID_PPE.csv
| stats values(*) as * by JOBNAME
| eval DAY_OF_WEEK = strftime(strptime(Date_of_reception, "%d/%m/%Y"), "%A") , today = strftime(1743030000, "%Y-%m-%d") , TO_DAY = strftime(strptime(today, "%Y-%m-%d"), "%A") , Diff=ENDED_TIME-STARTED_TIME
| rename STARTED_TIME as START_TIME1 , ENDED_TIME as END_TIME1 , ABEND_TIME as ABEND_TIME1
| eval diff_time = tostring(Diff , "duration"), diff_time_1=substr(diff_time,1,8) , START_TIME = Date_of_reception." ".strftime((START_TIME1),"%H:%M:%S") , END_TIME = Date_of_reception." ".strftime((END_TIME1),"%H:%M:%S") , END_TIME2 = strftime((END_TIME1),"%H:%M:%S") , ABEND_TIME = Date_of_reception." ".strftime((ABEND_TIME1),"%H:%M:%S") , ABEND_TIME2 = strftime((ABEND_TIME1),"%H:%M:%S") , EXPECTED_TIME = exp_time , DEADLINE_TIME = high_dl2 ```EXPECTED_TIME_run = Date_of_reception." ".EXPECTED_TIME, EXPECTED_TIME_run = strptime(EXPECTED_TIME_run, "%d/%m/%Y %H:%M:%S") , TimeDiff=EXPECTED_TIME_run-now() , EXP_TIME_norun = if (TO_DAY = "Friday" , exp_time2 , exp_time1) ,EXPECTED_TIME_norun = today + " " + EXP_TIME_norun, EXPECTED_TIME_norun = strptime(EXPECTED_TIME_norun, "%Y-%m-%d %H:%M:%S") , TimeDiff_norun =EXPECTED_TIME_norun-now() , Time_Diff=now() - strptime(START_TIME, "%d/%m/%Y %H:%M:%S") ```
| eval STATUS = if(isnotnull(END_TIME2) AND (END_TIME2 <= ABEND_TIME2),"ABEND",
    if(isnotnull(END_TIME2) AND (END_TIME2 <= DEADLINE_TIME),"OK",
    if(isnotnull(END_TIME2) AND (END_TIME2 > DEADLINE_TIME),"BREACHED",
    if(isnull(END_TIME2) AND isnull(START_TIME1) AND (TimeDiff_norun > 300),"PLANNED",
    if(isnull(END_TIME2) AND isnull(START_TIME1) AND isnull(TimeDiff) AND (TimeDiff_norun < -600) AND (TimeDiff_norun >= -1800),"JOB NOT STARTED YET",
    if(isnull(END_TIME2) AND isnull(START_TIME1) AND isnull(TimeDiff) AND (TimeDiff_norun < -1800),"JOB DID NOT EXECUTED",
    if(isnull(END_TIME2) AND isnotnull(START_TIME1) AND (Time_Diff>600),"FAILED",
    if(isnull(END_TIME2) AND isnotnull(START_TIME1) and (TimeDiff<=600),"RUNNING",
    if( isnull(END_TIME2) AND isnull(START_TIME1) AND JOBNAME IN ("$JOB3" ) , "OK-Interest file is received" ,
    if( isnull(END_TIME2) AND isnull(START_TIME1) AND JOBNAME IN ("$JOB6") , "OK-Mifid 2 file is received" ,
    if( isnotnull(END_TIME2) AND isnotnull(START_TIME1) AND JOBNAME IN ("$JOB3" ) , "KO-Interest file Not received" ,
    if( isnotnull(END_TIME2) AND isnotnull(START_TIME1) AND JOBNAME IN ("$JOB6") , "KO-Mifid 2 file Not received" , "WARNING"))))))))))))
| rename diff_time_1 as EXECUTION_TIME
| sort Order
| table Application,JOBNAME,Description, EXPECTED_TIME , DEADLINE_TIME , START_TIME , END_TIME ,EXECUTION_TIME, STATUS
| fillnull value="-"
Hi @tshah5

I noticed you have ServiceClass=com.mongodb.jdbc.MongoDriveri. Is that a typo, the "i" on the end of that?

Let us know if you still experience the issue after updating that. Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
Hi @uagraw01

Some interesting info at https://docs.splunk.com/Documentation/Splunk/latest/data/Specifyinputpathswithwildcards if you haven't already seen it.

On Windows, if you specify the [monitor://C:\Windows\foo\bar*.log] stanza in the inputs.conf file, Splunk Enterprise translates the path into this:

[monitor://C:\Windows\foo\]
whitelist = bar[^\\]*\.log$

In Windows, allow list and deny list rules don't support regular expressions that include backslashes. Use two backslashes (\\) to escape wildcards.

This means [monitor://E:\var\log\Bapto\BaptoEventsLog\SZC\*.csv] becomes

[monitor://E:\var\log\Bapto\BaptoEventsLog\SZC\]
whitelist = [^\\]*\.csv$

I'm wondering if this whitelist is being overwritten somehow; have you specified any whitelist? It might be worth trying the following input to see if this works, basically explicitly setting the whitelist to what it's expecting.

[monitor://E:\var\log\Bapto\BaptoEventsLog\SZC\]
whitelist = [^\\]*\.csv$

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
Very helpful. It is set to stream XML so I guess that is the issue and I need to either find a way to deal with it or modify the setting which, as you mentioned, looks easier said than done.
A year after, well, better late than never. Unfortunately, I didn't find a solution to this case, so I just moved on.
This is likely due to permissions. The sc_admin role has the permissions. It can probably be handed out more granularly too.
I have installed the Splunk DBX forwarder in 1 of my VMs. Now when I am trying to create a connection with MongoDB, I am getting this error (our MongoDB uses certs and key for authentication and not username and password):

No suitable driver found for jdbc:mongo://<host>:<port>/?authMechanism=MONGODB-X509&authSource=$external&tls=true&tlsCertificateKeyFile=<path to cert key pair>&tlsCAFile=<path to ca cert>
Diagnosis: No compatible drivers were found in the 'drivers' directory.
Possible resolution: Copy the appropriate JDBC driver for the database you are connecting to in the 'drivers' directory.

Splunk DBX Add-on for MongoDB: 1.2.0

List of Mongo drivers tried:
mongodb-driver-core-4.10.2.jar
mongojdbc4.8.3.jar
splunk-mongodb-jdbc-1.2.0.jar
mongodb-driver-sync-4.10.2.jar
ojdbc8.jar
UnityJDBC_Trial_Install.jar
mongodb-jdbc-2.2.2-all.jar
mongo-java-driver-3.12.14.jar
mongodb-driver-core-5.2.1.jar
mongodb-driver-sync-5.2.1.jar

But getting the same version each time.

Splunk_dbx forwarder version: Splunk 6.4.0
MongoDB version: 7.0.14

----------------------------------------------------------

This is the db_connection_types.conf:

[mongo]
displayName = MongoDB
jdbcDriverClass = com.mongodb.jdbc.MongoDriver
ServiceClass = com.mongodb.jdbc.MongoDriveri
jdbcUrlFormat = jdbc:mongo://<host:port>,<host:port>,<host:port>/?authMechanism=MONGODB-X509&authSource=$external&tls=true&tlsCAFile=<path to ca file>&tlsCertificateKeyFile=<path to cert and key file>
useConnectionPool = false
port = 10924
ssl = true
sslMode = requireSSL
sslCertificatePath = <path to file>
sslCertificateKeyPath = <path to file>
sslAllowInvalidHostnames = false
authSource = $external
tlsCipherSuite = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
Basically we are taking the same cred in all 5 data inputs. So I want to combine them and segregate performance and inventory data using 2 different time intervals. Yes, the existing 5 inputs are Python-based modinputs. This is in our custom app.
Yes, that's the expected behavior. Instead, after entering the cert and key info, I'm redirected to a 404 error page (where it's supposed to display the input page.) thanks for the response.
Hi @luizlimapg

Thank you for the response. Upon launching the app for the first time, I got prompted to enter the cert and private key, which I did. After this process, it is supposed to take me to an input page so I can fill in the rest of the information generated on the CyberArk side. However, the Input page is showing a 404 Error instead. I have removed and reinstalled this app a few times with no success.

The server I'm having this issue on is running Splunk Enterprise version 9.3.2. I installed this app on an older version of Splunk Enterprise, version 9.2.3, and got the expected inputs screen. So, I'm wondering if it's a versioning issue. I don't want to downgrade Splunk Enterprise to test this. I plan to upgrade the problematic server to 9.4.1 later anyway (for other reasons too.)

Any more thoughts on this? Thanks again.
Hi @stei-f

It's very odd that this would only affect the SH, especially as any outbound connection from the monitoring console shouldn't be impacted by the change to the MC server name. From Monitoring Console, if you go to Settings->General Setup, what does this screen look like? Do you see the remote SHs in there?
values() sorts (and dedups) - use the list() function (which neither sorts nor dedups)

| makeresults
| eval token_id="c75136c4-bdbc-439b"
| eval doc_no="GSSAGGOS_QA-2931"
| eval key=2931
| eval keyword="DK-BAL-AP-00613"
| append [| makeresults | eval token_id="c75136c4-bdbc-439b" | eval doc_no="GSSAGGOS_QA-2932" | eval key=2932 | eval keyword="DK-Z13-SW-00002"]
| append [| makeresults | eval token_id="c75136c4-bdbc-439b" | eval doc_no="GSSAGGOS_QA-2933" | eval key=2933 | eval keyword="DK-BAL-AP-00847"]
| stats list(key) as key list(keyword) as keyword list(doc_no) as doc_no by token_id
| eval row=mvrange(0,mvcount(doc_no))
| mvexpand row
| foreach doc_no keyword key [| eval <<FIELD>>=mvindex(<<FIELD>>,row)]
| fields - row
Hi @KJ10

Can I ask, why are you looking to consolidate the inputs? I presume the existing 5 inputs are Python based modinputs? Is this in a custom app or something from Splunkbase? Let me know and I will see if I can work out how best to help.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
Hi Team,

How to combine multiple data inputs into one? Basically I am having 5 different data inputs where I am taking the same data from the user. How to combine all data inputs into one data input? I want one data input where I will internally run 2 different data types with different polling intervals. Is this possible with the Python SDK and how?

Different polling intervals for “performance” and “inventory” data
split function proving error.