I have an SSL certificate .pem provided by my organization and I need to configure it in Splunk HF. Please assist with any document referrals or steps. I have already gone through the Splunk documentation below but had no luck https://docs.splunk.com/Documentation/Splunk/9.4.0/Security/ConfigureandinstallcertificatesforLogObserver
Hello @tscroggins, I have a problem with your SPL request because some results are truncated. With your help, I tested this:

index=aws_app_corp-it_datastage earliest=-5d@d latest=@d
| spath input=_raw
| search PROJECTNAME="*" INVOCATIONID="*" RUNMAJORSTATUS="*" RUNMINORSTATUS="*"
| eval status=case(
    RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW", "Completed with Warnings",
    RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK", "Successful Launch",
    RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF", "Failure",
    RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN", "In Progress",
    1=1, "Unknown")
| eval tmp=JOBNAME."|".PROJECTNAME."|".INVOCATIONID."|".strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval date=strftime(_time, "%Y-%m-%d")
| eval value=if(status=="Unknown", "Unknown", "start time: ".coalesce(strftime(strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q"), "%H:%M"), "").urldecode("%0a").if(status=="In Progress", "Running", "end time: ".coalesce(strftime(strptime(RUNENDTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q"), "%H:%M"), ""))).urldecode("%0a").status
| xyseries tmp date value
| eval tmp=split(tmp, "|"), Job_Name=mvindex(tmp, 0), Project_Name=mvindex(tmp, 1), Geographical_Zone=mvindex(tmp, 2)
| fields - tmp
| table Job_Name Project_Name Geographical_Zone *
| search Geographical_Zone="EMEA" Job_Name="*" Project_Name="*"
| fillnull value="Unknown"

1306 results

With the first request I sent you:

index=aws_app_corp-it_datastage earliest=-5d@d latest=@d
| spath input=_raw
| eval StartTime=strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q")
| eval EndTime=strptime(RUNENDTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q")
| eval Date=strftime(_time, "%Y-%m-%d")
| eval Geographical_Zone=INVOCATIONID
| eval Duration=round(abs(EndTime - StartTime)/60, 2)
| eval Status = case(
    RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW", "Completed with Warnings",
    RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK", "Completed",
    RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF", "Failure",
    RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN", "In Progress",
    1=1, "Unknown")
| eval StartTimeFormatted=strftime(StartTime, "%H:%M:%S.%1N")
| eval EndTimeFormatted=strftime(EndTime, "%H:%M:%S.%1N")
| eval StartTimeDisplay=if(isnotnull(StartTimeFormatted), "Start time: ".StartTimeFormatted, "Start time: N/A")
| eval EndTimeDisplay=if(isnotnull(EndTimeFormatted), "End time: ".EndTimeFormatted, "End time: N/A")
| table JOBNAME PROJECTNAME Geographical_Zone _time Date RUNSTARTTIMESTAMP StartTimeDisplay RUNENDTIMESTAMP EndTimeDisplay Status
| rename JOBNAME as Job_Name, PROJECTNAME as Project_Name
| search Job_Name="*" Geographical_Zone="EMEA" Date="*" Project_Name="*" Status="*"
| sort -Date
| table Job_Name Project_Name Geographical_Zone Date StartTimeDisplay EndTimeDisplay Status
| dedup Job_Name Project_Name Geographical_Zone Date StartTimeDisplay EndTimeDisplay Status

2352 results

So it doesn't work because some failed jobs don't appear, for example
The query is not getting the expected result. I was running it for the last 90 days but didn't get the result.
Hey @Racer73b! Found this one pretty frustrating myself. There are lots of prior posts on the topic and I was able to eventually figure it out. You need to first create unique fields for your value thresholds in your search. See the example below:

| makeresults
| eval ImpactLevel="45,55,85"
| makemv delim="," ImpactLevel
| mvexpand ImpactLevel
| eval "Low Impact"=if('ImpactLevel'<50,'ImpactLevel',null())
| eval "Medium Impact"=if('ImpactLevel'>49 AND 'ImpactLevel'<80,'ImpactLevel',null())
| eval "High Impact"=if('ImpactLevel'>79,'ImpactLevel',null())
| fields - ImpactLevel

Then, in your JSON, make those the fields you want to assign colors to and ensure that stackMode is set to stacked to ignore the nulls.

...
"y": "> primary | frameBySeriesNames('Low Impact','Medium Impact','High Impact')",
"seriesColorsByField": {
    "Low Impact": "#73BB8B",
    "Medium Impact": "#F1A657",
    "High Impact": "#dc4e41"
},
"stackMode": "stacked"
...

You will likely have to do a little bit of tweaking to get it working the way you want, but hopefully this gets you on your way. Cheers!
feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.admin.com.cd.etc info
feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.system.com.cd.etc info

inputs.conf

sourcetype = rsa:syslog

my props.conf (I would like to change the sourcetype to "admin" or "system" depending on the raw event):

[rsa:syslog]
TRANSFORMS-change_sourcetype = change_admin_sourcetype, change_system_sourcetype

my transforms.conf

[change_admin_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \,\s+auddit\.admin
FORMAT = sourcetype::rsa:admin

[change_system_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \,\s+auddit\.system
FORMAT = sourcetype::rsa:system
Sorry, it was my typo here. In my transforms.conf it is "\,\s+aduit\.admin". Thank you for catching that.
Hi @gcusello, there are many host names (more than 80) in the mentioned search results.
Hi @jtran9373, you have put "adudit" in your regex, not "audit" - is this typo in Splunk too or just on here? This might explain your issue. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
We were told the following: the Confluent vendor has provided the Telemetry URL to configure in Splunk's OpenTelemetry Collector to push the metrics from Confluent to Splunk. Is this the right integration between Confluent and Splunk, meaning via the OpenTelemetry Collector (OTel)?
feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.admin.com.cd.etc info
feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.system.com.cd.etc info

inputs.conf

sourcetype = rsa:syslog

my props.conf (I would like to change the sourcetype to "admin" or "system" depending on the raw event):

[rsa:syslog]
TRANSFORMS-change_sourcetype = change_admin_sourcetype, change_system_sourcetype

my transforms.conf

[change_admin_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \,\s+adudit\.admin
FORMAT = sourcetype::rsa:admin

[change_system_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \,\s+adudit\.system
FORMAT = sourcetype::rsa:system

But it doesn't work. Thank you for your help.
That's what I thought.  Thank you for confirming.
Changing the name made it work. I had the same class names in the transforms that had different regex. I appreciate the assistance. 
Thanks Will, I've already configured the allow list, although you made a valid point and there's a high chance that I've not listed all possible IPs - something I need to look at. I had another look at the firewall logs and found a field called vendor_action=server-rst - I would imagine this means the connection was reset by the server, although I'm not entirely sure why.
I presume you are trying to install Splunk Enterprise on a Windows machine? Have you considered setting up a WSL (Windows Subsystem for Linux) virtual machine and installing Splunk there? This might be easier than wrangling your anti-virus software!
Hi @tomapatan, you mentioned that there are no blocks on your internal firewall - are there multiple egress IPs that your connection can connect out on? Are all possible egress IPs allow-listed in Splunk Cloud for Mgmt port / API access to the SHs? If you haven't already, you can configure the allow list via:

Splunk Web - https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Admin/ConfigureIPAllowList
ACS API - https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Config/ConfigureIPAllowList
ACS CLI - https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Config/ACSCLI

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Hi @TheEggi98, that is very odd! I also see the same issue you are getting (Splunk returning 25920). I would suggest filing a support case (https://www.splunk.com/en_us/about-splunk/contact-us.html#customer-support) and raising this so that a bug can be raised internally. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Hi @vikashperiwal, there isn't any GUI bulk command to do this; the fastest way is to work on the metadata.local file. Ciao. Giuseppe
Hi fellow Splunkers, recently I deployed WinPrintMon inputs to our print server to check driver versions and found out that Splunk falsely calculated the modulus. Tested in Enterprise 9.3.2 and 9.4.0. In the calculated version I found that the revision of a driver differs from the Print Management on that print server directly. I calculate the revision like this: version % pow(2,16). In my case the calculation translates to 17171305019303231 % 65536. Splunk calculates 25920, which isn't correct; it is 25919.
Hi @siemsplunk, could you try that command again but use current_member_uri instead? Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Hi @Roy_9, see if this old answer can help you: https://community.splunk.com/t5/Splunk-Enterprise/Splunk-on-ARM-Achitecture/m-p/512005. If you don't find it in the download section, open a ticket with Splunk Support. Ciao. Giuseppe