sudo su splunk ./splunk reload deploy-server
Yes, you can update the configurations in `/opt/splunk/etc/deployment-apps` and push them to the clients. That should be sufficient. 
@splunklearner  It's basically: Splunk is not running as root (which is good), but you're logged in as root (which is not so good). When you try to login (which is required to reload the deployment server), Splunk saves your login (which would be a cookie if you were using a browser) in a folder in your home directory (/root/.splunk/). But as Splunk does not run as root, it has no permissions to do that, hence the error message. Solution: Do not work as root, especially not while editing files on a non-root Splunk, it will bring you into trouble. I'd suggest using a normal user, you could use the user Splunk is running as.
@rukshar  You need to update the URL: curl -v http://<serverip>:8000 Please replace it with your Splunk Web URL.
Thank you everyone that replied with helpful comments. I however discovered a math trick with logarithms to accomplish this far more succinctly:
| eval log_value = ln(value_a) | stats sum(log_value) AS log_sum | eval product = exp(log_sum)
No, I did not, without a lot of work.
Anytime I try to do anything with my deployment server I get this error: An error occurred: Could not create Splunk settings directory at '/root/.splunk'. This includes the command ./splunk reload deploy-server. We have AWS EC2 instances hosted for all components, open them via SSM and log in via sudo -i. Tried sudo chown -R splunk:splunk /opt/splunk/bin, still the same issue. And one more doubt: if we edit in etc/deployment-apps, is reload enough to distribute the updated configurations to the manager? But when I restart, the configurations are reflected in the manager; not sure why reload is throwing this error?
As I mentioned before, if I put a div around it, I can make it work.
const pieClicked = (event) => { console.log(`Clicked: ${event.nativeEvent.point.options.name}`); };
<div onClick={pieClicked}> <Pie ... /> </div>
But I can't seem to get the event handler to fire if I try to attach it to the Pie itself. I'm guessing I'm missing something simple.
Hello @gcusello, Thanks for your answers. I have tried this; the issue is that I want to output the number of hits on the domains in the lookup, and if I do a raw search it will also catch Referer or other fields. KR Théo
If you create a lookup definition, you can enable wildcard lookups. I'd also make the proxy logs the primary search and use the lookup as search query parameters, have a second field in your CSV for inScope and mark them all as Yes, and then do the lookup with the wildcard definition.
url,inScope
url1.com,Yes
*.url2.com,Yes
site.url3.com,Yes
The lookup definition (url_list) will have WILDCARD(url) in the Match Type. The search would look like:
index=my-proxy [| inputlookup url_list | rename url as query | fields query] | lookup url_list url | where match(inScope, "Yes")
This takes all the values you have in your url CSV and uses them as filters on your proxy logs. Then you lookup the urls in the logs to make sure they're exact matches to your list and not just other urls that might contain your urls somewhere else in the log.
Hi @y4m373, please try this:
index=my-proxy [ | inputlookup all_url.csv | rename url AS query | fields query ] | ...
In this way, you use the values in the lookup's url field in a full text search on the events' raw data. Ciao. Giuseppe
Hello, I have a lookup with URLs like:
url
www.url.com
.url.com
site.url.com
And I try to match them with my proxy logs to check if users access them. But I have issues with ".url.com" since it doesn't exactly match the hostname. I have tried to replace them with "*.url.com" but the Splunk lookup doesn't match wildcards. I have tried things like this but nothing worked:
| inputlookup all_url.csv | rename url as lookup_url | join type=inner [ search index=my-proxy | eval lookup_url="*" . lookup_url . "*" | search hostname=lookup_url ]
Do you have any idea? Thanks
I'm working to try and automate the creation of muting rules for our maintenance windows. I've been looking around to see if there is a way to use the API to create a muting rule, but I'm not finding anything; does this not exist? Is there an existing integration with Service-Now that would do this that I'm just not finding? I'm hoping to tie into our change management system to have these muting windows created automatically upon approval.
Hey, Did you ever find a way to do this?
I appreciate everyone's input on this! I ended up deploying RHEL 8 servers for now. I will nudge them towards RHEL 9 when they are ready to upgrade the version of their Splunk cluster.  Thanks! Daniel
I'm trying to get the product to do what the examples show it doing.  On the Events tab, I see the Pie chart responding to a click event and updating the screen to show which wedge was clicked.  I'm simply trying to re-create what is shown to be a feature of the product. Could I accomplish the same thing in a different way?  Of course.  But I'm trying to learn how to use the actual features of the product.  This is obviously a feature since I can see it working on the Event tab of the page linked above.  I just don't know HOW to do what I see it doing.
Thank you for your reply. At this stage, we are testing the system and currently only receiving data from a single device. Our goal is to demonstrate the value of Splunk to our clients so they can begin using it. However, before reaching that point, we need to resolve these types of issues to ensure a smooth production environment where clients can rely on their data being available. We were able to revert to a previous snapshot, which helped restore the system to a cleaner state. However, I am now focused on finding a solution to prevent the system from hitting the 500 MB index data limit, in order to avoid license violations until we are ready to move to an enterprise license. Any advice on how to adjust the system or prevent this issue would be greatly appreciated. Thank you again for your assistance.
I cannot download Splunk Enterprise. Once I click on download, all I download is a zip file with a .tgz extension.
Hi @Zorghost, It isn't so clear, because you have the same information available in Splunk in a dynamic way instead of in a static way on the share. Anyway, you have to define a search to extract only the fields you need, not the full events; in this way, you'll greatly reduce the amount of data to extract. Ciao. Giuseppe
Hello @kiran_panchavat, Thanks for your response. However, I checked and found that SELinux is already permissive (0) here:
[acnops_splunk@IEM***** ~]$ getenforce
Permissive
Also, I did a curl from the local server and don't find any connection error in the output below:
[acnops_splunk@IEM****** ~]$ curl -v http://<serverip>:8000
* Rebuilt URL to: http://<serverip>:8000/
* Trying <serverip>...
* TCP_NODELAY set
* Connected to <serverip> port 8000 (#0)
> GET / HTTP/1.1
> Host: <serverip>:8000
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 303 See Other
< Date: Fri, 07 Feb 2025 13:30:56 GMT
< Content-Type: text/html; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 339
< Location: http://<serverip>:8000/en-US/
< Vary: Accept-Language
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd
<
<!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><meta http-equiv="refresh" content="1;url=http://<serverip>:8000/en-US/"><title>303 See Other</title></head><body><h1>See Other</h1><p>The resource has moved temporarily <a href="http://<serverip>/en-US/">here</a>.</p></body></html>
* Connection #0 to host <serverip> left intact