All Posts

I believe there's an issue with the website itself, as I'm also not able to access it; give it some time and try again later.
Contact Splunk Education (education_amer@splunk.com) for assistance.
I have an error doing my course in Splunk: This application domain (https://education.splunk.com) is not authorized to use the provided PDF Embed API Client ID.
Adding to the valid points already raised by @gcusello, "changehost" is a name which is not very unlikely to repeat in other apps, so I'd check with btool whether something doesn't overwrite it by any chance:

splunk btool transforms list changehost --debug

That's one thing. Another one is: I'm never sure when you need to use WRITE_META and where you don't, so, just to be on the safe side, I use it on all index-time extractions.
Hi @Cheng2Ready

If you have a look in $SPLUNK_HOME/etc/system/default/savedsearches.conf you can see some of the default values for the items you're referring to, for example:

action.email = 0
action.populate_lookup = 0
action.rss = 0
action.script = 0

This ultimately means these aren't configured, because if they were configured for a specific report/search/alert then the value would be updated to 1. Not all variables are alike: developers who create and share their own alert actions might use different default values (e.g. blank instead of 0).

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
Hi @Cheng2Ready,

you have two ways:
insert all the dates to exclude in the lookup, in this case you can use the above search;
insert in the lookup only the holidays and run something like this:

your_search
| eval date=strftime(_time,"%Y-%m-%d")
| search NOT ( [ | inputlookup holidays.csv | fields date ] OR [ | inputlookup holidays.csv | eval date=strftime(strptime(date,"%Y-%m-%d")+86400,"%Y-%m-%d") | fields date ] )
| ...

Obviously in the lookup there must be a column called "date" and the format of the values must be "yyyy-mm-dd".

Ciao.
Giuseppe
Hi @boknows,

it's correct to put the configurations in the local folder of your TA.

What's the flow of your data? Where do you receive data? These seem to be data received by syslog, and usually they are received on a Heavy Forwarder. Could you describe the flow of your data through the Splunk machines? In other words, I suppose that there's a syslog receiver: is it a Universal Forwarder or a Heavy Forwarder (a Splunk instance)? If it is a UF, between it and the Indexers, is there some other Splunk machine? If yes, is it a UF or an HF?

At least, if you're sure that there isn't any HF, put the add-on on the Indexers, otherwise on the first HF.

Ciao.
Giuseppe
@kiran_panchavat thank you! I followed the format of your search query and now I can see the data. Really appreciate your response and the education.
@swlf

HEC receives events via HTTP requests that may include a HEC token, channel identifier header, metadata, or event data formatted as raw text or JSON.
https://docs.splunk.com/Documentation/Splunk/9.4.0/Data/FormateventsforHTTPEventCollector

The raw JSON is still stored in the _raw field. Try running a search like:

Or, once you run the query, change your view from "List" to "Raw".
@shashank9

Thanks for the update. It's great that one of your Splunk receivers is now getting the logs as expected. Since the other receiver still isn't showing data, I'd recommend a quick review of its configuration to see if there's a missing or misconfigured detail. If the steps were helpful and you resolve the issue, feel free to accept the solution. Thanks again for your update!
I think there is an indexing delay in Splunk. My first index now shows the number of bytes indexed. But I still don't know where to find the raw data. I've been navigating to the HEC page and clicking on the host, which shows all the logs but not the raw data.
Hi @kiran_panchavat, actually I accidentally terminated my EC2 instances in AWS and had to relaunch them and re-install Splunk from scratch on all those instances. Once I set them up and configured the event routing to different Splunk receivers from my Heavy Forwarder, I was able to see that a specific group of logs/events is sent to one of my Splunk receivers, which is expected. I still could not see the data in my other Splunk receiver, but I guess I just need to double-check my configuration since it is working fine with one of the servers. Also, thank you for your time in guiding me through those steps to troubleshoot the issue.
@livehybrid this instance of Splunk Cloud was created yesterday. So all the events are new and from my test. My search is set to last 7 days by default. But none of the events have the data. If you see the raw event details in my second screenshot, it shows the format "json" but not the raw data. Am I looking in the right place?
So, jumping into this search question https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/288845, the search I am using:

| rest /servicesNS/-/-/saved/searches splunk_server=local | search disabled=0 | table title, disabled, action.hangout_chat_alert, action.email

I came across the question of whether there is any documentation on what the 1, 0 or blank means on some of the fields. I have this alert that only has a HangoutChat alert set up. When I run this query it shows title, disabled=0, action.hangout_chat_alert=0 and action.email=0. I'm confused as to why email and hangout are returning the value 0; shouldn't it be like this? disabled=0 is returning me all alerts that are active and 1 is alerts that are actually disabled: title, disabled=0, action.hangout_chat_alert=0 and action.email=blank. My understanding of the 1, 0 and blank is: 1 is enabled, 0 is disabled and blank is that it was not set up with that action.

Now, on the original post you can see Mr @woodcock explaining below that alert.track=1 means it's an alert and 0 means it's a report. With all the other ones I don't believe it works the same. Is there documentation that has this topic covered? And how does my alert above fall into this with action.email=0 even though I clearly have not set that action with my alert, only HangoutChat as the action?

ALL APPS:
| rest /servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule

Search app only:
| rest /servicesNS/-/search/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule
Thank you. I discovered the options with the custom property before. But as I understand it, it is a static mapping. I can add a custom property not to a dimension but to a particular value of this dimension. Am I right?

Let's suppose I have 3 databases with azure_resource_id like:
/SUBSCRIPTIONS/FULL_ID_OF_SUBSCRIPTION/RESOURCEGROUPS/RESOURCE_GROUP_NAME/PROVIDERS/MICROSOFT.SQL/SERVERS/THE_NAME_OF_SQL_SERVER/DATABASES/THE_NAME_OF_DATABASE1
/SUBSCRIPTIONS/FULL_ID_OF_SUBSCRIPTION/RESOURCEGROUPS/RESOURCE_GROUP_NAME/PROVIDERS/MICROSOFT.SQL/SERVERS/THE_NAME_OF_SQL_SERVER/DATABASES/THE_NAME_OF_DATABASE2
/SUBSCRIPTIONS/FULL_ID_OF_SUBSCRIPTION/RESOURCEGROUPS/RESOURCE_GROUP_NAME/PROVIDERS/MICROSOFT.SQL/SERVERS/THE_NAME_OF_SQL_SERVER/DATABASES/THE_NAME_OF_DATABASE3

To use a custom property I need to choose the particular value /SUBSCRIPTIONS/FULL_ID_OF_SUBSCRIPTION/RESOURCEGROUPS/RESOURCE_GROUP_NAME/PROVIDERS/MICROSOFT.SQL/SERVERS/THE_NAME_OF_SQL_SERVER/DATABASES/THE_NAME_OF_DATABASE1 in the Metric Metadata and add a new custom property DBNAME=THE_NAME_OF_DATABASE1. I need to do the same for the second and the third database. After that I can use the custom property DBNAME in the chart only for these three databases. But I need to have the ability to make a correlation between any /SUBSCRIPTIONS/FULL_ID_OF_SUBSCRIPTION/RESOURCEGROUPS/RESOURCE_GROUP_NAME/PROVIDERS/MICROSOFT.SQL/SERVERS/THE_NAME_OF_SQL_SERVER/DATABASES/THE_NAME_OF_DATABASE_N and THE_NAME_OF_DATABASE_N without N additions of a custom property. Could you please answer this?
Hi @swlf

Whilst it's showing as 0 bytes, it does show that there are 11 events in your index? Try doing a search for all-time on that index (since there are only 11 events) to confirm if this is/isn't the data you are expecting? It could be that the 0 Bytes shown is just a rounding error given the small number of events!

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
I'm not seeing any Karpenter logs show up. We're using a very basic deployment of the Splunk OTel Chart. Any advice on what's needed to get Karpenter logs to show up?
You can set a custom property such as 'the_name_of_the_database' and map it to a current dimension's name/value pair. You can do this in Settings -> Metric Metadata. In your case, you would likely key off of "DatabaseResourceId=/SUBSCRIPTIONS/FULL_ID_OF_SUBSCRIPTION/RESOURCEGROUPS/RESOURCE_GROUP_NAME/PROVIDERS/MICROSOFT.SQL/SERVERS/THE_NAME_OF_SQL_SERVER/DATABASES/THE_NAME_OF_DATABASE" and then set a custom property of "the_name_of_the_database=THE_NAME_OF_THE_DATABASE". To get started, search for 'DatabaseResourceId' in the metric metadata.

Metric Metadata: https://docs.splunk.com/observability/en/metrics-and-metadata/metrics-finder-metadata-catalog.html

You may also want to leverage the SignalFlow promote() function (depending on what you want to do with that custom property). You can filter/search without using promote(), but if you want to display the_name_of_the_database on a chart, you'll likely need to use promote().
https://dev.splunk.com/observability/docs/signalflow/methods/promote_stream_method/
Hi @Cievo, please can you reference the documentation relating to "enableSplunkdSidechannel"? This isn't something that I am familiar with.

@kiran_panchavat The information on "you must download the ACS Open API 3.0 specification" is incorrect in relation to this? This does not relate to the question and is not a requirement for using ACS?

@stevensk Whilst I'm not able to give the answer you might want, I do not believe it's possible to see a per-source breakdown for data received from HEC. I have tried this in the past and it led nowhere; however, hopefully someone here might be able to shine more light on it. You can see metrics in

index=_introspection sourcetype=http_event_collector_metrics component=HttpEventCollector

which will give info at per-HEC-token level; however, there aren't logs which combine a metric for HEC token and source. The only other way to approach this would be to improve segregation with your HEC tokens so that you can maybe search specific indexes/sourcetypes/sources for data you know comes from a specific HEC token, OR add a custom field into the HEC payload which you can then use to determine the metrics you need (this is what I ended up doing!).

Good luck

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
Hi! This is my first time using Splunk and I am on the free trial version. I set up an HEC token and ran a test on Windows following this command:

curl -k https://prd-p-n38b3.splunkcloud.com:8088/services/collector -H "Authorization: Splunk 78c2aexx-xxxx-xxxxx-xxxx-xxxxx869e53" -d "{\"sourcetype\": \"event\", \"event\": \"Test message\"}"

While the events are being generated, I see 0 bytes. What am I doing wrong? I also see the events in the HEC logs but no data.