It doesn't work like that. Parentheses group search conditions only. You can't spawn a separate post-processing command for part of your data this way. You would need to use multisearch or append. But in your case it's probably not needed. Just do your rex command after the initial search. Unrelated note: don't use wildcards at the beginning of your search term unless you really can't avoid it.
Hi, I'm trying to use an OR function in the below query, trying to combine two indexes and then use the stats function as an alternative to the join command:

(index=serverdata sourcetype="server:stats" | rex "app_code=\"(?<application_code>[|w.\"]*)" ) OR (index="hostapp" source=hostDB_Table dataasset="*host_Data*")

I have tried to use escape characters but it's still not working. Thanks.
I would recommend the Tenable TA at https://splunkbase.splunk.com/app/4060 for getting the data into Splunk, which uses Splunk Modular Inputs to connect to your Tenable service and pull the data. You can also download the Tenable App (https://splunkbase.splunk.com/app/4061), which is different to the TA in that it is more focussed on visualising the Tenable data. This utilises the data in the TA and the data you have ingested. Both of these Splunk apps are built and supported by Tenable themselves but assume you're using Tenable's feature products; there are separate Splunkbase apps made by Tenable for WAS / EASM if you are using these products. Please let me know how you get on and consider upvoting/karma this answer if it has helped. Regards, Will
Hi @tkwaller1, You should be able to do your search as follows:

(index=index1) OR (index=index2 sourcetype="api") | eval EventId=COALESCE(Number__c, EventId) | stats dc(index) as indexCount by EventId | where indexCount>1

Please let me know how you get on and consider upvoting/karma this answer if it has helped. Regards, Will
Hello, I have 2 questions about Splunk AI Assistant (Cloud Version). If customers sign the EULA and receive notification that the app can be installed on their Stack, is the app possible for install on all the customer stacks? In case the Stack has premium products like ITSI and ES, can the app be used from Premium Search Heads, or does it need to be installed only on the Adhoc SH and used only from there for its purposes? Thanks! Regards, Darina Stoyanova-Mateva
Hi @secure as @gcusello stated you can have only one base search. What would it mean to have 2 in a panel?  The base search just returns the results so how could you use 2 together? I am not sure if this helps but you can have a base search use another base search.
Hello, I have a search like

index=index1 | rename Number__c as EventId | append [search index=index2 sourcetype="api" ] | stats count by EventId | search count < 2

What it does is search 2 indexes for ids and count them, expecting 2 (1 from each index). What I would like to ensure is that when the count is less than the expected 2, its only source is from the first search. Meaning that if there is only 1 record, it is from the first portion of the search and not found in the second. In the table, however, I only want to show the EventId. Thanks for the assistance!
@shaunm001 You can check the sourcetype along with the index you are searching; it should have the presence of MessageTrace. I can't see much on your environment, but if you still have confusion you can put down a support case to get more help.
Yes, new builds, old cluster. Appreciate the info, that was helpful.
Hi @danielbb  I used the TA below for a long time and it worked well. https://splunkbase.splunk.com/app/4060 
Splunk, is there a way to dump out all ServiceNow add-on setup for each/all alerts? Trying to grab all alerts that have this action and put them in a table with all the setup it has: state, CI, contact type, assignment group, ...etc.
Hello everyone! We have some exciting news: the Splunk AppDynamics Mobile Real User Monitoring (MRUM) Session Replay preview is now available (for MRUM users)! It's a feature within AppDynamics MRUM that allows you to visually replay recordings of actual user interactions within your mobile application.

Key Details:
• Requires controller version 25.1 and MRUM agent upgrade
• Free preview starts Feb 2025 (20,000 session replays/month)
• Helps teams reduce MTTR, optimize UX, and understand user behavior

Check out these FAQs for additional details:

FAQs

General Overview Questions

What is AppDynamics MRUM Session Replay?
AppDynamics MRUM Session Replay is a feature within AppDynamics Mobile Real User Monitoring that allows you to visually replay recordings of actual user interactions within your mobile application. It captures a user's journey through the app, showing their taps, swipes, and other actions, providing a video-like representation of their experience. This feature is currently in public preview, with general availability expected soon.

What problems does MRUM Session Replay solve?
AppDynamics MRUM Session Replay solves several key problems related to mobile app development, troubleshooting, and user experience optimization:

Faster Troubleshooting (Reduced MTTR): Session replay helps developers and DevOps teams quickly identify the root cause of crashes, Application Not Responding (ANR) errors, performance issues, and other errors. By visualizing the user's actions leading up to the problem, they can pinpoint the exact moment the issue occurred and understand the context, significantly reducing mean time to resolution (MTTR).

Improved User Experience (UI/UX Optimization): Product managers, developers, and designers can use session replay to understand how users actually interact with the app. By observing real user behavior, they can identify friction points, confusing navigation, or areas where the UI/UX could be improved. This data-driven approach helps optimize the user experience, leading to increased engagement and satisfaction.

Understanding User Behavior: Session replay provides valuable insights into how users navigate and use the app. This understanding can inform design decisions, feature prioritization, and overall app strategy. Seeing the app through the user's eyes helps teams understand what's working and what's not.

Reproducing Issues: Replicating user-reported bugs can be challenging. Session replay eliminates this difficulty by providing a clear, visual record of the user's actions, making it easier to reproduce and fix the issue.

What are the benefits of MRUM Session Replay, and why should you care about it?
MRUM Session Replay offers two key benefits that directly impact customer satisfaction and business outcomes:

Enable Faster Troubleshooting: Session replay drastically reduces the time it takes to diagnose and fix issues in your mobile app. By providing a visual recording of the user's actions leading up to a crash, error, or performance bottleneck, developers can quickly pinpoint the root cause. This eliminates the guesswork and back-and-forth communication often associated with traditional debugging methods. Faster troubleshooting translates to quicker resolution times for bugs and issues. This means less disruption for users, fewer negative app store reviews, and ultimately a more stable and reliable app experience. A happy user is more likely to continue using your app and recommend it to others.

Optimize the End-User Experience on Mobile Applications: Session replay offers invaluable insights into how users actually interact with your app. By watching real user sessions, you can identify friction points, confusing navigation, and areas where the UI/UX could be improved. This data-driven approach to optimization allows you to make informed decisions about design changes and feature prioritization. A seamless and intuitive user experience is crucial for app success. By optimizing the user experience, you can increase user engagement, reduce churn, and improve customer satisfaction. A positive user experience is a key differentiator in the competitive mobile app market. Ultimately, a better user experience can lead to increased app usage, higher conversion rates, and improved business outcomes.

Product Specific Questions

What controller version is required?
You need controller version 25.1 to use MRUM Session Replay.

Do mobile agents need to be upgraded to use this feature?
Yes, MRUM agents must be upgraded to 25.1 to use Session Replay.

Are admin rights needed to enable Session Replay?
Yes, users with admin permission to configure MRUM can enable session replay.

How is the preview enabled?
Prerequisite: Mobile Session Replay (Early preview) will be available for customers with controller version 25.1 or above.
◦ Upgrade the agent SDK
◦ Provide blob service endpoint
◦ Provide session replay module dependency (Only for Android)
Configuration: Enable Session Replay in Mobile App Group Configuration -> Session replay. (Need admin permission for mobile configuration)

How long is the preview available?
The MRUM Session Replay free preview will be available for all active MRUM customers starting in February 2025. During the free trial, each account will get 20,000 session replays per month.

What happens after the preview is over?
After the preview ends, the feature will be available only for those with a Session Replay license.

How much will the Session Replay feature cost?
Pricing is not finalized yet for this feature.

Will I lose my data after the free preview?
Yes, you may. Your Session Replay data will be available for 8 days. After 8 days, that data will be lost. When the GA version is available, you can purchase and extend storage to lengthen the duration of data availability.
I see multiple Tenable Apps and TAs in Splunkbase. Which one should I use to get Tenable data in?
Hi @Jeewan , downloading the UniversalForwarder App from your Splunk Cloud instance, there's the outputs.conf file in which you should find the Splunk Cloud IPs of your instance. Ciao. Giuseppe
Hello, I have been trying to migrate ELK data to Splunk. We have ELK data dating back 2 years and I have attempted to use the Elastic Integrator app from Splunkbase. I was able to set it up with SSL and it's bringing logs in from the past 30 days. The issue I have is that if I try to change the timeframe in the inputs.conf it will not work, and if I try to use a wildcard for the index it will not work as well. Has anyone found a way around this? I am also open to hearing any other suggestions to get old ELK data into Splunk, thank you. #https://splunkbase.splunk.com/app/4175
Hi @Sec-Bolognese, I don't know how AWS CloudWatch runs, but it's possible to send logs from a Forwarder to Splunk Cloud and to a third party, following the instructions at https://docs.splunk.com/Documentation/Splunk/9.4.0/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system and https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd Ciao. Giuseppe
Hi @secure , in a dashboard it's possible to define more base searches, but in each panel, it's possible to use only one base search, not more. Ciao. Giuseppe
If we have to allow or whitelist the Splunk Cloud IPs somewhere, how do we get the Splunk Cloud IPs for whitelisting? Are these IPs static? Is there any fixed range of IPs Splunk uses for Splunk Cloud so we can use those for whitelisting?
Hi, I have a complex base search where I am comparing data from two indexes using a left join and getting the results in a table. The query is working fine but it's very slow, so I have now decided to split it into two base searches and then combine them in the panel.

1st base search:

index=serverdata | rex "host_name=\"(?<server_host_name>[^\"]*)" | lookup servers_businessgroup_appcode.csv appcode output Business_Group as New_Business_Group | chart dc(host_name) over appcode by host_environment | eval TOTAL_servers=DEV+PAT+PROD | table appcode DEV PAT PROD TOTAL_servers

2nd base search:

index=abc | rex field=data "\|(?<server_name>[^\.|]+)?\|(?<appcode>[^\|]+)?\|" | lookup servers_businessgroup_appcode.csv appcode output Business_Group as New_Business_Group

I want to use this in a third panel: combine both the searches using a left join and get the list of server details in both the indexes. Question: how can I use two base searches in a single search?
Hi, I need to be able to send copies of logs to both Splunk Cloud and an AWS CloudWatch Log Group. Is it possible to configure the Universal Forwarder to send logs from the same source to both locations? If not, has anybody used the UF and the CloudWatch Agent to monitor the same log file? I'm worried about two products watching the same file.