All Posts
Hi there, I am new to this community but I want to understand how to purchase Splunk ITSI. I already have a Splunk Enterprise license (purchased from the AWS Marketplace) and a Free license, both. Long back I used Splunk ITSI for free with the Enterprise license, but now it needs some auth and says my user is not listed in the authorized list while downloading ITSI. Please do help me with the same.
Hi @anissabnk, As a quick workaround in a classic dashboard, you can use colorPalette elements with type="expression" to highlight cells if the cell value also includes the status:

<dashboard version="1.1" theme="light">
  <label>anissabnk_table</label>
  <row depends="$hidden$">
    <html>
      <style>
        #table1 th, #table1 td { text-align: center !important }
      </style>
    </html>
  </row>
  <row>
    <panel>
      <table id="table1">
        <search>
          <query>| makeresults format=csv data="
_time,HOSTNAME,PROJECTNAME,JOBNAME,INVOCATIONID,RUNSTARTTIMESTAMP,RUNENDTIMESTAMP,RUNMAJORSTATUS,RUNMINORSTATUS,RUNTYPENAME
2025-01-20 04:38:04.142,AEW1052ETLLD2,AQUAVISTA_UAT,Jx_104_SALES_ORDER_HEADER_FILE,HES,2025-01-19 20:18:25.0,,STA,RUN,Run
2025-01-19 04:38:04.142,AEW1052ETLLD2,AQUAVISTA_UAT,Jx_104_SALES_ORDER_HEADER_FILE,HES,2025-01-18 20:18:25.0,2025-01-18 20:18:29.0,FIN,FWF,Run
2025-01-18 04:38:04.142,AEW1052ETLLD2,AQUAVISTA_UAT,Jx_104_SALES_ORDER_HEADER_FILE,HES,2025-01-17 20:18:25.0,2025-01-17 20:18:29.0,FIN,FOK,Run
2025-01-17 04:38:04.142,AEW1052ETLLD2,AQUAVISTA_UAT,Jx_104_SALES_ORDER_HEADER_FILE,HES,2025-01-16 20:18:25.0,2025-01-16 20:18:29.0,FIN,FWW,Run
2025-01-16 04:38:04.142,AEW1052ETLLD2,AQUAVISTA_UAT,Jx_104_SALES_ORDER_HEADER_FILE,HES,2025-01-15 20:18:25.0,2025-01-15 20:18:29.0,FIN,HUH,Run
"
| eval _time=strptime(_time, "%Y-%m-%d %H:%M:%S.%Q")
| search PROJECTNAME="*" INVOCATIONID="*" RUNMAJORSTATUS="*" RUNMINORSTATUS="*"
| eval status=case(RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW", "Completed with Warnings", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK", "Successful Launch", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF", "Failure", RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN", "In Progress", 1=1, "Unknown")
| eval tmp=JOBNAME."|".INVOCATIONID
| eval date=strftime(strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q"), "%Y-%m-%d")
| eval value=if(status=="Unknown", "Unknown", "start time: ".coalesce(strftime(strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q"), "%H:%M"), "").urldecode("%0a").if(status=="In Progress", "Running", "end time: ".coalesce(strftime(strptime(RUNENDTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q"), "%H:%M"), ""))).urldecode("%0a").status
| xyseries tmp date value
| eval tmp=split(tmp, "|"), Job=mvindex(tmp, 0), Country=mvindex(tmp, 1)
| fields - tmp
| table Job Country *</query>
        </search>
        <option name="drilldown">none</option>
        <option name="wrap">true</option>
        <format type="color">
          <colorPalette type="expression">case(like(value, "%Unknown"), "#D3D3D3", like(value, "%Successful Launch"), "#90EE90", like(value, "%Failure"), "#F0807F", like(value, "%Completed with Warnings"), "#FEEB3C", like(value, "%In Progress"), "#ADD9E6")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>

There may be arcane methods for formatting cells without using JavaScript or including the status in the value, but I don't have them readily available.
It is often much easier for volunteers to provide answers (particularly to search/SPL questions) if you post sample events in their raw format so that we can attempt to simulate your situation and design solutions to meet your needs. We do not have the benefit of access to your data so you need to give us something to work with.
I'll keep this question open another day or so. I'm thrilled I managed to solve the issue, but I'll admit... the solution isn't exactly as clean and efficient as I'd like it. If anyone smarter than me wants to propose a better solution, I'm happy to hear it.
Sorry I wasn't clear enough. There are two shared fields: mac_add and ip_add. However, I need to be able to summarize by the Session_ID field. Because the field isn't shared, I first summarize by mac_add and ip_add in the first stats command. Then in the second, I summarize by Session_ID. The issue is that the time field becomes a multi-value field with the time stamps for each of the events summarized rather than a unique timestamp for each Session_ID. Mhmm... maybe I can mvzip a Session_ID and its time field together to keep the pair together between stats and split them apart further down the pipeline...

---------------------

The answer to that question is YES! I can do exactly that, and it fixes the problem. What I did was use mvzip to combine the Session_ID and time into a new field session_time after the first stats command. Then, after the second stats summarizing by the Session_ID field, I split apart the session_time field with mvexpand to get individual events pairing a session with its time. I then used rex to split that pair into two new fields, a session and time field. Finally, a dedup to clean out the duplicates, and it was done! This is the command now.

(index=indexA) OR (index=indexB)
| rex field=text "AuditSessionID (?<SessionID>\w+)"
| rex field=pair "session-id=(?<SessionID>\w+)"
| eval time_{index}=strftime(_time,"%F %T")
| eval ip_add=coalesce(IP_Address, assigned_ip), mac_add=coalesce(upper(src_mac), upper(mac))
| eval auth=case(CODE=45040, "True", true(), "False")
| stats values(host_name) as hostname values(networkSwitch) as Switch values(switchPort) as Port values(auth) as Auth values(SessionID) as Session_ID values(time_indexA) as time by mac_add, ip_add
| eval session_time=mvzip(Session_ID, time)
| stats values(session_time) as session_time values(time) as time values(hostname) as Hostname values(Switch) as Switch values(Port) as Port values(Auth) as Auth values(ip_add) as IP_Address values(mac_add) as MAC_Address by Session_ID
| mvexpand session_time
| fields - time Session_ID
| rex field=session_time "(?<Session_ID>\w+),(?<Time>.+)"
| fields - session_time
| dedup Session_ID Time
| table Time Hostname MAC_Address IP_Address Switch Port Auth Session_ID
If data from the TA is not being indexed then ITSI cannot find it and display it. Why is the data not indexed?
In order to get data from Splunk you must first get the data into Splunk. Splunk is a data processing platform, but you need to have something to be processed. How would you get that data? Where from? If the only way to produce such data is running gpresult, you need to run it and store the results somehow in Splunk.
You can focus it to the first column with something like this inside the <panel>:

<html depends="$alwaysHideCSS$">
  <style>
    /* Right align only the first column of the table */
    #table1 .table th:nth-child(1),
    #table1 .table td:nth-child(1) {
      text-align: right !important;
    }
  </style>
</html>
Thanks, Kiran! I am reading up on this now!
Now you're Splunking! Watch out for approximation errors!

2 * 3 * 4 = 24
exp(ln(2) + ln(3) + ln(4)) ~= 23.999999999999993
Is it this one? https://dev.splunk.com/observability/reference/api/incidents/latest#endpoint-create-single-muting-rule
Hi guys! I am getting the following error message when trying to publish a model which I created in "Experiments". I do not know what this should mean. Does anyone have an idea? I would appreciate your help! Best regards!
@cdavidsonbp  Have a look at the content packs: https://docs.splunk.com/Documentation/ContentPackApp/latest/Overview/Overview#Available_content_packs  specifically https://docs.splunk.com/Documentation/CPWindowsMon/1.3.0/CP/About  and https://docs.splunk.com/Documentation/CPWindowsDash/1.4.0/CP/About 
Hello, I am trying to find a way to report on all Applied Group Policy Objects for all of our domain joined computers. This would be similar to running the following command:

gpresult /r /scope computer

Is there a way that Splunk can gather all of this information as a report? I did see there was an app called Splunk App for Windows Infrastructure, but it was EOLd. Is there anything new that would audit our computers? Thanks, Charlie
Found it. Adding onEventHandler={myHandler} wasn't enough. I also had to add hasEventHandlers={true}. Then it'll actually fire myHandler.

<Pie onEventHandler={myHandler} hasEventHandlers={true} ... />
@rukshar  Internally on the server, Splunk is running fine. Externally, if you cannot access http://<server-ip>:8000, the firewall may be blocking the connection. Contact your OS team to fix this. 
@Verity_Partners Since you are using a Splunk trial license and hitting the 500 MB daily indexing limit:

1. Disable unnecessary FortiGate logs.
2. Use props.conf and transforms.conf to drop unwanted events before indexing them. This can be done by defining transforms to filter out unnecessary logs.
3. Since your system is hitting violations overnight, create alerts to notify you before reaching the limit, or monitor your license usage.
4. If you are using Splunk for testing, apply for a Developer License.

https://dev.splunk.com/enterprise/dev_license/
https://www.splunk.com/en_us/resources/personalized-dev-test-licenses/faq.html
When I ran the command it shows nothing; does that mean port 8000 is not open?

sudo firewall-cmd --list-ports

[acnops_splunk@IEM***** ~]$ netstat -tulnp | grep 8000
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 3679909/splunkd
[acnops_splunk@IEMS****** ~]$ netstat -tulnp | grep 8000
@andy2025  That introspection error means your script failed to load, could be a syntax error, etc. Check this, but it's an outdated version.  https://community.splunk.com/t5/All-Apps-and-Add-ons/Unable-to-initialize-modular-input-quot-upload-pcap-quot-after-6/m-p/262577 
@rukshar It seems that Splunk Web (port 8000) is not open in the firewall. Please coordinate with the firewall or OS team and inform them about this. We recently encountered a similar issue, and after notifying the Linux team, they made some firewall-level changes at the OS level. Following those changes, we were able to access the Splunk Web successfully.

sudo firewall-cmd --permanent --add-port=8000/tcp
sudo firewall-cmd --reload

Check if the port is open:

sudo firewall-cmd --list-ports

If you see 8000/tcp in the list, the port is now open. After opening the port, restart Splunk:

sudo su - splunk
/opt/splunk/bin/splunk restart

Check if Splunk Web is listening on port 8000:

netstat -tulnp | grep 8000

If firewalld is disabled but iptables is in use, you need to allow port 8000:

sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
sudo iptables-save | sudo tee /etc/sysconfig/iptables
sudo systemctl restart iptables