@ashutoshh   Same goes, for example, with Enterprise Security App.  Reach out to Splunk Sales to discuss your requirements and get a quote for the ITSI app.   
Team, I'm trying to push Jenkins Build Logs to Splunk. Installed Splunk Plugin (1.10.1) in my Cloudbees Jenkins. Configured HTTP host, port & token - Tested Connection and it looks good.

In Splunk, created a HEC Input in the below file with the content as below.

File name: /opt/app/splunk/etc/apps/splunk_httpinput/local/inputs.conf

[http://jenkins_build_logs]
description = Jenkins build Logs
disabled = 0
index = infra
indexes = infra
sourcetype = jenkins:build
token =
useACK = 0

Getting the below error in the Splunk logs - /opt/app/splunk/var/log/splunk

02-08-2025 04:52:07.704 +0000 ERROR HttpInputDataHandler [17467 HttpDedicatedIoThread-1] - Failed processing http input, token name=jenkins_build_logs, channel=n/a, source_IP=10.212.102.217, reply=7, status_message="Incorrect index", status=400, events_processed=1, http_input_body_size=381, parsing_err="invalid_index='jenkins_console'"
02-08-2025 04:54:14.617 +0000 ERROR HttpInputDataHandler [17467 HttpDedicatedIoThread-1] - Failed processing http input, token name=jenkins_build_logs, channel=n/a, source_IP=10.212.100.150, reply=7, status_message="Incorrect index", status=400, events_processed=1, http_input_body_size=317, parsing_err="invalid_index='jenkins_statistics'"
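One way to triage this, as an added example that is not from the post or from Splunk: a small Python script that pulls the rejected index names out of HttpInputDataHandler "Incorrect index" errors and diffs them against the token's indexes allowlist in inputs.conf. The sample log lines and stanza are constructed from the values quoted above, and treating the allowlist as indexes plus the default index is an assumption.

```python
import configparser
import re

# Constructed sample: the two HttpInputDataHandler errors quoted in the post above.
SAMPLE_LOG = """\
02-08-2025 04:52:07.704 +0000 ERROR HttpInputDataHandler [17467 HttpDedicatedIoThread-1] - Failed processing http input, token name=jenkins_build_logs, channel=n/a, source_IP=10.212.102.217, reply=7, status_message="Incorrect index", status=400, events_processed=1, http_input_body_size=381, parsing_err="invalid_index='jenkins_console'"
02-08-2025 04:54:14.617 +0000 ERROR HttpInputDataHandler [17467 HttpDedicatedIoThread-1] - Failed processing http input, token name=jenkins_build_logs, channel=n/a, source_IP=10.212.100.150, reply=7, status_message="Incorrect index", status=400, events_processed=1, http_input_body_size=317, parsing_err="invalid_index='jenkins_statistics'"
"""

# Constructed sample: the token stanza from the post (token value omitted, as in the post).
SAMPLE_INPUTS_CONF = """\
[http://jenkins_build_logs]
description = Jenkins build Logs
disabled = 0
index = infra
indexes = infra
sourcetype = jenkins:build
useACK = 0
"""

TOKEN_RE = re.compile(r"token name=(?P<token>[^,]+)")
INVALID_INDEX_RE = re.compile(r"invalid_index='(?P<index>[^']+)'")

def rejected_indexes(log_text: str) -> dict[str, list[str]]:
    """Map each HEC token name to the sorted index names it refused with 'Incorrect index'."""
    seen: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        if "HttpInputDataHandler" not in line or 'status_message="Incorrect index"' not in line:
            continue
        tok, idx = TOKEN_RE.search(line), INVALID_INDEX_RE.search(line)
        if tok and idx:
            seen.setdefault(tok.group("token"), set()).add(idx.group("index"))
    return {t: sorted(s) for t, s in seen.items()}

def allowed_indexes(conf_text: str) -> dict[str, list[str]]:
    """Map each HEC token stanza to its allowlist: 'indexes' plus the default 'index' (assumption)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)  # values may contain ':'
    cp.read_string(conf_text)
    out: dict[str, list[str]] = {}
    for section in (s for s in cp.sections() if s.startswith("http://")):  # HEC token stanzas only
        raw = cp[section].get("indexes", "") + "," + cp[section].get("index", "")
        out[section[len("http://"):]] = sorted({x.strip() for x in raw.split(",") if x.strip()})
    return out

def missing_indexes(log_text: str, conf_text: str) -> dict[str, list[str]]:
    """Per token: rejected index names that are absent from that token's allowlist."""
    allowed = allowed_indexes(conf_text)
    return {t: [i for i in idx if i not in allowed.get(t, [])] for t, idx in rejected_indexes(log_text).items()}
```

The allowlist is what limits where a leaked token can write, so widen it only to the indexes the sender actually needs (and create them first), or point the sender at an index the token already permits.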
Hi, I tried contacting sales as per the options and submitted an email, but no response. Do you know someone who has that license? I can pay for that.
@ashutoshh Splunk ITSI is a premium app, so it requires an additional license beyond the standard Splunk Enterprise license. If you purchased it you will need to make sure that in the 'entitlement' your name is listed with your email. Otherwise whoever is listed on the entitlement can download it for you.
Hi there, I am new to this community but I want to understand how to purchase Splunk ITSI. I already have a Splunk Enterprise license (purchased from AWS Marketplace) and the free one. Long ago I used Splunk ITSI for free with the Enterprise license, but it needs some auth and says my user is not listed in the authorized list while downloading ITSI. Please do help me with the same.
Hi @anissabnk, As a quick workaround in a classic dashboard, you can use colorPalette elements with type="expression" to highlight cells if the cell value also includes the status:

<dashboard version="1.1" theme="light">
  <label>anissabnk_table</label>
  <row depends="$hidden$">
    <html>
      <style>
        #table1 th, #table1 td { text-align: center !important }
      </style>
    </html>
  </row>
  <row>
    <panel>
      <table id="table1">
        <search>
          <query>| makeresults format=csv data="
_time,HOSTNAME,PROJECTNAME,JOBNAME,INVOCATIONID,RUNSTARTTIMESTAMP,RUNENDTIMESTAMP,RUNMAJORSTATUS,RUNMINORSTATUS,RUNTYPENAME
2025-01-20 04:38:04.142,AEW1052ETLLD2,AQUAVISTA_UAT,Jx_104_SALES_ORDER_HEADER_FILE,HES,2025-01-19 20:18:25.0,,STA,RUN,Run
2025-01-19 04:38:04.142,AEW1052ETLLD2,AQUAVISTA_UAT,Jx_104_SALES_ORDER_HEADER_FILE,HES,2025-01-18 20:18:25.0,2025-01-18 20:18:29.0,FIN,FWF,Run
2025-01-18 04:38:04.142,AEW1052ETLLD2,AQUAVISTA_UAT,Jx_104_SALES_ORDER_HEADER_FILE,HES,2025-01-17 20:18:25.0,2025-01-17 20:18:29.0,FIN,FOK,Run
2025-01-17 04:38:04.142,AEW1052ETLLD2,AQUAVISTA_UAT,Jx_104_SALES_ORDER_HEADER_FILE,HES,2025-01-16 20:18:25.0,2025-01-16 20:18:29.0,FIN,FWW,Run
2025-01-16 04:38:04.142,AEW1052ETLLD2,AQUAVISTA_UAT,Jx_104_SALES_ORDER_HEADER_FILE,HES,2025-01-15 20:18:25.0,2025-01-15 20:18:29.0,FIN,HUH,Run
"
| eval _time=strptime(_time, "%Y-%m-%d %H:%M:%S.%Q")
| search PROJECTNAME="*" INVOCATIONID="*" RUNMAJORSTATUS="*" RUNMINORSTATUS="*"
| eval status=case(RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW", "Completed with Warnings", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK", "Successful Launch", RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF", "Failure", RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN", "In Progress", 1=1, "Unknown")
| eval tmp=JOBNAME."|".INVOCATIONID
| eval date=strftime(strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q"), "%Y-%m-%d")
| eval value=if(status=="Unknown", "Unknown", "start time: ".coalesce(strftime(strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q"), "%H:%M"), "").urldecode("%0a").if(status=="In Progress", "Running", "end time: ".coalesce(strftime(strptime(RUNENDTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q"), "%H:%M"), ""))).urldecode("%0a").status
| xyseries tmp date value
| eval tmp=split(tmp, "|"), Job=mvindex(tmp, 0), Country=mvindex(tmp, 1)
| fields - tmp
| table Job Country *</query>
        </search>
        <option name="drilldown">none</option>
        <option name="wrap">true</option>
        <format type="color">
          <colorPalette type="expression">case(like(value, "%Unknown"), "#D3D3D3", like(value, "%Successful Launch"), "#90EE90", like(value, "%Failure"), "#F0807F", like(value, "%Completed with Warnings"), "#FEEB3C", like(value, "%In Progress"), "#ADD9E6")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>

There may be arcane methods for formatting cells without using JavaScript or including the status in the value, but I don't have them readily available.
It is often much easier for volunteers to provide answers (particularly to search/SPL questions) if you post sample events in their raw format so that we can attempt to simulate your situation and design solutions to meet your needs. We do not have the benefit of access to your data so you need to give us something to work with.
I'll keep this question open another day or so. I'm thrilled I managed to solve the issue, but I'll admit......the solution isn't exactly as clean and efficient as I'd like it. If anyone smarter than me wants to propose a better solution, I'm happy to hear it.
Sorry I wasn't clear enough. There are two shared fields: mac_add and ip_add. However, I need to be able to summarize by the Session_ID field. Because the field isn't shared, I first summarize by mac_add and ip_add in the first stats command. Then in the second, I summarize by Session_ID. The issue is that the time field becomes a multi-value field with the time stamps for each of the events summarized rather than a unique timestamp for each Session_ID. Mhmm....maybe I can mvzip a Session_ID and its time field together to keep the pair together between stats and split them apart further down the pipeline....

---------------------

The answer to that question is YES! I can do exactly that, and it fixes the problem. What I did was use mvzip to combine the Session_ID and time into a new field session_time after the first stats command. Then, after the second stats summarizing by the Session_ID field, I split apart the session_time field with mvexpand to get individual events pairing a session with its time. I then used rex to split that pair into two new fields, a session and time field. Finally, a dedup to clean out the duplicates, and it was done! This is the command now.
(index=indexA) OR (index=indexB)
| rex field=text "AuditSessionID (?<SessionID>\w+)"
| rex field=pair "session-id=(?<SessionID>\w+)"
| eval time_{index}=strftime(_time,"%F %T")
| eval ip_add=coalesce(IP_Address, assigned_ip), mac_add=coalesce(upper(src_mac), upper(mac))
| eval auth=case(CODE=45040, "True", true(), "False")
| stats values(host_name) as hostname values(networkSwitch) as Switch values(switchPort) as Port values(auth) as Auth values(SessionID) as Session_ID values(time_indexA) as time by mac_add, ip_add
| eval session_time=mvzip(Session_ID, time)
| stats values(session_time) as session_time values(time) as time values(hostname) as Hostname values(Switch) as Switch values(Port) as Port values(Auth) as Auth values(ip_add) as IP_Address values(mac_add) as MAC_Address by Session_ID
| mvexpand session_time
| fields - time Session_ID
| rex field=session_time "(?<Session_ID>\w+),(?<Time>.+)"
| fields - session_time
| dedup Session_ID Time
| table Time Hostname MAC_Address IP_Address Switch Port Auth Session_ID
If data from the TA is not being indexed then ITSI cannot find it and display it. Why is the data not indexed?
In order to get data from Splunk you must first get the data into Splunk. Splunk is a data processing platform but you need to have something to be processed. How would you get that data? Where from? If the only way to produce such data is running gpresult, you need to run it and store the results somehow in Splunk.
You can focus it to the first column with something like this inside the <panel>:

<html depends="$alwaysHideCSS$">
  <style>
    /* Right align only the first column of the table */
    #table1 .table th:nth-child(1),
    #table1 .table td:nth-child(1) {
      text-align: right !important;
    }
  </style>
</html>
Thanks, Kiran! I am reading up on this now!
Now you're Splunking! Watch out for approximation errors!

2 * 3 * 4 = 24
exp(ln(2) + ln(3) + ln(4)) ~= 23.999999999999993
Is it this one? https://dev.splunk.com/observability/reference/api/incidents/latest#endpoint-create-single-muting-rule
Hi guys! I am getting the following error message when trying to publish a model which I created in "Experiments". I do not know what this should mean. Does anyone have an idea? I would appreciate your help! Best regards!
@cdavidsonbp Have a look at the content packs: https://docs.splunk.com/Documentation/ContentPackApp/latest/Overview/Overview#Available_content_packs specifically https://docs.splunk.com/Documentation/CPWindowsMon/1.3.0/CP/About and https://docs.splunk.com/Documentation/CPWindowsDash/1.4.0/CP/About
Hello, I am trying to find a way to report on all Applied Group Policy Objects for all of our domain joined computers. This would be similar to running the following command:

gpresult /r /scope computer

Is there a way that Splunk can gather all of this information as a report? I did see there was an app called Splunk App for Windows Infrastructure but it was EOL'd. Is there anything new that would audit our computers? Thanks, Charlie
Found it. Adding onEventHandler={myHandler} wasn't enough. I also had to add hasEventHandlers={true}. Then it'll actually fire myHandler.

<Pie onEventHandler={myHandler} hasEventHandlers={true} ... />
@rukshar  Internally on the server, Splunk is running fine. Externally, if you cannot access http://<server-ip>:8000, the firewall may be blocking the connection. Contact your OS team to fix this.