I am running Splunk Docker containers to distribute Splunk. I am up and running for my indexer cluster, indexer manager and search head cluster. All is well. I am using persistent storage, which I confirmed is persistent. The only issue I am having with my deployment is when I stop my indexer manager container and remove it, then start another one from the same yml file: the Ansible pre-flight checklist thinks it wants to upgrade to 9.3.2 (which it is already on). This only happens on the indexer manager and none of my other containers. Any thoughts?

Does anyone know if it is possible to create specific thresholds for each host in the Dashboard Studio table? I'm using a table where I focus on hard disk usage. Previously I had no problems with the configuration, since the threshold was 80% amber and 90% red. However, I was asked to adjust this threshold to 90 amber and 95 red only for a specific server. My question is: is it possible for the color format table to have different thresholds depending on the host?
The Splunkbase page for that app (you linked to it in your OP) will take you to the documentation. Log in to Splunkbase and the page will have a "Visit site" link.

Hi, we are a Splunk partner, previously an AppDynamics partner. In AppDynamics we had a solution to monitor IBM Z; however, we are not really sure how to work with IBM Z Operational Log and Data Analytics in Splunk. Could you help us with a link or docs regarding this Splunk solution? Thanks in advance.
That worked. Thank you for the help!
Hi, we've configured the "Message Trace" input type for the Splunk Add-On for Microsoft Office 365 but don't seem to be receiving any data. Other input types (Mailbox, Management Activity, etc.) are working. Not sure what the problem is; any suggestions on how to troubleshoot? I did notice a discrepancy when viewing the current configuration of the input versus the options available when editing the input (the same value is reported "in days" in one place and "in minutes" in another). Could it be my delay throttle truly is set to 1440 days rather than minutes? I believe I have all the API permissions set correctly, but let me know if this doesn't look right:
My solution was to configure another alert to send a lookup with a status of the first alert. I created a logic rule where if the first alert has a new result different from the second alert, this one would be triggered.

| eval Estado=case(State="Offline", "Critico", State="EnSplunk", "Safe")
| join type=left host
    [ | inputlookup lkp_mx_mr_pci_diponibles_results.csv
      | eval host1=host
      | eval Estado1=Estado
      | table host host1 Estado1 Servicio ]
| eval Estado2=Estado
| eval host2=host
| eval case=if(host1=host2 AND Estado1=Estado2, "true", "false")
| table Estado host SO Servicio Fecha host1 host2 Estado1 Estado2 case
| sort Estado
| where Estado="Critico" AND case="false"
| fields - host1 host2 case Estado1 Estado2
I have Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) installed. My security team flagged a possible vuln on /opt/splunk/opt/mongo/lib/libcurl.so.4.8.0 related to CVE-2024-7264, which apparently affects libcurl versions from 7.32.0 up to, but not including, 8.9.1. I ran both of the following commands

splunk cmd curl --version
splunk cmd mongodb --version

and confirmed the libcurl version is affected. The relevant results were:

Curl:
curl 7.61.1 ... libcurl/7.61.1 ...

Mongod:
mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod)
mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod)
mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod)
mongod: /opt/splunk/lib/libssl.so.10: no version information available (required by mongod)
db version v7.0.14
Build Info: { "version": "7.0.14", ... }

How do I go about disabling mongod (if possible)? Alternatively, is there any info on whether this will be addressed in a future update, or whether this is relevant at all for Splunk Enterprise?
Hi @woodcock, thanks for this piece of info. I am facing the same issue right now. As per this documentation, 'https://github.com/splunk/splunk-connect-for-syslog/blob/main/docs/gettingstarted/quickstart_guide.md', we can use either docker or podman to get this started. Since podman was already installed on my Linux machine, I chose it. After updating sc4s.service for podman, I am trying to reload the daemon and restart sc4s, but the syslog service isn't starting. When executing 'journalctl -xe', I am seeing the error below.

Trying to pull ghcr.io/splunk/splunk-connect-for-syslog/container3:latest...
podman[147844]:Error: initializing source docker://ghcr.io/splunk/splunk-connect-for-syslog/container3:latest: pinging container registry ghcr.io: Get "https://ghcr.io/v2/": dial tcp: lookup ghcr.io on 192.124.60.53:53: no such host

Could you please assist here? Am I missing anything?
I'm doing a POC using a Splunk trial and HEC to ingest audit logs from an enterprise CMS (Sitecore). Sitecore doesn't support the Authorization header, so I would like to enable query string authorization for my trial Splunk Cloud instance. But I'm unable to create a ticket, as one of the options keeps loading; I tried calling, etc., but no luck. Can anyone help me get connected to Splunk support?

"For Splunk Cloud, you must open a Splunk Support ticket to set allowQueryStringAuth to true. Support for a toggle in Splunk Web for this setting is planned for a future release."

As per the above comment, has this configuration been added in Splunk Web? I couldn't find it, but I might be looking in the wrong place. Thanks, appreciate your help!
I am training and evaluating a forecast model using MLTK's StateSpaceForecast. I would like to fit on part of the dataset and have a held-back testing set to evaluate. The trick, though, is that I want the forecaster to forecast 15 minutes into the future while autoregressively looking at the current feature values. For example, take my query that tries to find the TPR, FPR, etc. for exceeding some SLA violation using my holdout set. Currently, it just uses the beginning of the holdout set to predict out 2 hours.

| fit StateSpaceForecast latency_p95_log from latency_p95_log, threadcount_p95, threadcount, total_socket_errors, n_running_procs, time_wait_cpu, HourOfDay, DayOfWeek holdback=2h forecast_k=15m conf_interval=95 into ml_latency_forecast
| apply ml_latency_forecast forecast_k=2h holdback=2h
| eval predicted = exp('predicted(latency_p95_log)')
| eval predicted_low=exp('lower95(predicted(latency_p95_log))'), predicted_high=exp('upper95(predicted(latency_p95_log))')
| eval predicted_SLA = if(predicted > 1.0, 1, 0)
| eval true_positive = if(predicted_SLA=1 AND SLA_violation=1, 1, 0)
| eval false_positive = if(predicted_SLA=1 AND SLA_violation=0, 1, 0)
| eval true_negative = if(predicted_SLA=0 AND SLA_violation=0, 1, 0)
| eval false_negative = if(predicted_SLA=0 AND SLA_violation=1, 1, 0)
| eval holdout = if(isnull('lower95(predicted(latency_p95_log))'), 0, 1)
| table _time predicted predicted_high predicted_low latency_p95

Are there any examples someone can give me for doing a forecast and evaluating the fit on unseen data during training? Splunk MLTK Algorithms on GitHub
Hi @SR, may I know if you get results for the first search? If not, please understand that Application= may be service= or something else (it depends on your logs). If your search fails, then please check the search below. Do you get results for

index="Nex" Application="Pe***g.Ne**s.Platform.Host"

or, better, do this search:

index="Nex" "Pe***g.Ne**s.Platform.Host"

Maybe send me a direct message here via my profile; I can try to help you further. Thanks.
Hi, I have just read this post that all these good apps will no longer be available. This is a bit shocking to me as I use them all the time. Is anyone else affected by this? If you are using Enterprise and can't use Dashboard Studio, as I have very complex code, what are we supposed to do? https://lantern.splunk.com/Splunk_Platform/Product_Tips/Extending_the_Platform/Splunk_Custom_Visualizations_apps_end_of_life_FAQ Any help would be great. Robert
Maybe one idea for the Splunk dev team... if a user uploads an Excel file, Splunk could create a warning message saying, "The Excel file is a proprietary file type used on Windows OS; please consider converting the file to a CSV file and then uploading it to Splunk, thanks."

This fixed it for me. I only have one RHEL8 left, and this was causing headaches with long reboot times because of it hanging!
@CMPC While you can't enforce a character count in the response, you could state the minimum requirement in the question, then process the response, perform a check and ask the question again if the minimum is not met.

Thank you so much for the assistance; we will see if we can implement it within inputs.conf.
@kiran_panchavat There is no HF involved. The data is coming via a UF with inputs.conf pre-configured with source=udp:9514. Could you let me know how you are passing the regex in your transforms.conf? (The goal is to change the name from udp:9514 to auditd.) I tried these regexes and didn't get the required results:

REGEX = udp\:9514
REGEX = source::udp:9514

Hello, I have a question regarding the prompt action. Is there any possibility to make the answer to a question that is via message mandatory? Can it have a minimum number of mandatory characters?
@davedeluxe- There is no direct way to run a Python script from a Splunk dashboard. But you can use one of the two ways below to run a Python script from a dashboard button.

Python Custom Command: Create JavaScript to initiate a Splunk search with this custom command in it.

Python Custom REST Endpoint: Create JavaScript to make a REST call to the custom REST endpoint created by you.

In both cases you can use JavaScript to pass along whatever data you need to pass. And you can put your custom Python script within the custom Python command code or the custom REST endpoint code. You will find a number of examples online for both custom commands and custom REST endpoints. This one is an old blog about custom REST endpoints, for reference: https://community.splunk.com/t5/Dashboards-Visualizations/Can-I-call-a-Python-script-from-a-dashboard-and-output-its/m-p/398088

I hope this helps!!! Kindly upvote if it does!!!!