I need to display a list of all failed status codes in a column by consumer.

Final Result:
Consumers  Errors  Total_Requests  Error_Percentage  list_of_Status
Test       10      100             10                500 400 404

Is there a way we can display the failed status codes as well in the list of status column?

index=test | stats count(eval(status>399)) as Errors, count as Total_Requests by consumers | eval Error_Percentage=((Errors/Total_Requests)*100)
Thank you for your response. Yes, I know it is not an HEC endpoint. That detail was included to illustrate that it is not a cURL syntax error. It is a paid account, and the instance is hosted by Splunk. I am mostly getting:

curl: (28) Failed to connect to <org>.splunkcloud.com port 8088 after 21053ms: could not connect to server

Just to clarify the purpose of this: I am writing a script to ingest data from another of our services over HTTP. Thank you for your help.
It would help if you told us a little about the issues you are having rather than just saying you have issues. We also need to know which platform you use (AWS or GCP) and if it is a trial or paid account. Those answers are used at https://docs.splunk.com/Documentation/Splunk/9.3.2/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector to determine the correct endpoint. It could indeed be a port error. The URL from which you got a response is a REST API endpoint, not a HEC endpoint.
Thank you @richgalloway, I appreciate the information. It looks like I was trying to do something that isn't possible. I'll review the documentation you sent and look at trying this as a dashboard. Thanks again!
Workflow actions are an interactive feature used in search results to perform something on an event. See https://dev.splunk.com/enterprise/docs/devtools/customworkflowactions and https://docs.splunk.com/Documentation/Splunk/9.3.2/Knowledge/CreateworkflowactionsinSplunkWeb#Control_workflow_action_appearance_in_field_and_event_menus for more information. That said, workflow actions are not applicable to reports. If you put the report in a dashboard, then you can add a drilldown that uses the same search as your workflow action.
Dear all, where could I find the Availability Trend metric for a job to use it in a dashboard? I want to replicate it exactly as it appears in the image but in a dashboard. ^Post edited by @Ryan.Paredez to translate the post.
Hello, I am having issues configuring the HTTP Event Collector on my organization's Splunk Cloud instance. I have set up a token, and have been trying to test using the example curl commands. However, I am having issues discerning which endpoint is the correct one. I have tested out several endpoint formats:
- https://<org>.splunkcloud.com:8088/services/collector
- https://<org>.splunkcloud.com:8088/services/collector/event
- https://http-inputs-<org>.splunkcloud.com:8088/services/collector...
- several others that I have forgotten.
For context, I do receive a response when I GET from https://<org>.splunkcloud.com/services/server/info. From what I understand, you cannot change the port from 8088 on a cloud instance, so I do not think it is a port error. Can anyone point me to any resources that would be able to help me determine the correct endpoint? (Not this: Set up and use HTTP Event Collector in Splunk Web - Splunk Documentation. I've browsed for hours trying to find a more comprehensive resource.) Thank you!
Hi @roopeshetty, can you elaborate more about what you already tried when you mentioned "We tried many options using proxy settings but none of them are working."? Also, it is not clear if you are running in a standalone environment or a clustered one, and if the proxy configs you tried were in conf files or added via REST. Check this documentation for some good examples of how to configure proxy and non-proxy addresses, and make sure that you define the http/https_proxy correctly (use the same config mentioned in your browser for reference if that is using a direct proxy address instead of an auto-discovery script): Configure splunkd to use your HTTP Proxy Server - Splunk Documentation. Notice that you must pass the authentication in the URL if your proxy requires it (like http://user:pass@myproxy.com:80).
>>> Giving users the default ability to email alerts or reports to any destination is a massive Data Loss Protection issue.

Precisely @dural_yyz. Given the easy and quick installation methods, providing direct options to upload a log file and assigning default index options are too good. First-timers will really like these features. But the "email" functionality with the "default settings" such as "send anything anywhere" looks a bit odd. It should be that, by default, you cannot send anything to any domain. The informational note should say that, if you would like to send email alerts to an outside domain, please request the Splunk admins/power users to update the config file abcd.conf through x y z methods. Thanks for reading, have a great day.
My end goal is to be able to use the AbuseIPDB API to look up IP addresses and give back information rather than maintaining a spreadsheet lookup table. I was able to pull the blacklist data from AbuseIPDB as a CSV and my report using the CSV lookup works. I'm trying to get data on IPs, blacklisted or not, leveraging the API. I want a report that looks like the one I have for blacklisted IPs.
Hi @Utkc137, sorry, but are you receiving logs from BlueCoat using syslog or from another Splunk Forwarder? Usually BlueCoat uses syslog, not a Splunk Forwarder. splunktcp inputs are for log forwarding from another Splunk system, not for syslog! Ciao. Giuseppe
We ran into an issue with the indexer: if there are 5 times a drop of the max day volume, the indexer will be disabled. That is the case now with our installation:

Error in tsats command: your Splunk license expired or you have exceeded license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK

The license is now Free and there is no way back to the Enterprise trial; there is no way back when the license is expired.
Here is my workflow action:

This is the search I created for my report:

index=oht_f5 request_status!="passed" workflow action="jodi_abuse_ipdb"

I get 0 results. When I take off the workflow action piece, I get 635 results in 15 minutes.
Interesting, I am seeing the same behavior as Merter above with JDK 1.8 and AppD 24.7. Curiously, there are no errors in the logs and metrics are hitting the controller. The only indicator is that the instrumentation status is Failed, and the DC shows Pending. Also, due to the limit on the number of concurrent services to instrument and the fact that the 2 services never fully succeed, no other services will be instrumented.
This is the configuration I have as of now. I am out of reasons on why this would not work. Am I missing something very basic here?

Inputs:

./splunk btool inputs list --debug splunktcp://2514
/opt/splunk/etc/system/local/inputs.conf   [splunktcp://2514]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/local/inputs.conf   disabled = false
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/local/inputs.conf   index = mmsproxy
/opt/splunk/etc/system/local/inputs.conf   source = tcp.bluecoat
/opt/splunk/etc/system/local/inputs.conf   sourcetype = bluecoat:proxysg:access:syslog

Props:

./splunk btool props list --debug bluecoat | grep -ie local
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf [bluecoat]
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf TIME_FORMAT = %Y-%m-%d %H:%M:%S
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf TIME_PREFIX = ^
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf rename = bluecoat:proxysg:access:syslog
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf [bluecoat:proxysg:access:syslog]
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf EVENT_BREAKER_ENABLE = true
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf KV_MODE = none
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf MAX_DAYS_AGO = 10951
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf SHOULD_LINEMERGE = false
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf TIME_FORMAT = %Y-%m-%d %H:%M:%S
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf TIME_PREFIX = ^
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf TRUNCATE = 64000
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf category = Network & Security
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog
/opt/splunk/etc/apps/Splunk_TA_bluecoat-proxysg/local/props.conf pulldown_type = true
https://docs.splunk.com/Documentation/Splunk/9.3.2/Alert/Emailnotification#Define_an_email_notification_action_for_an_alert_or_scheduled_report Right now the domain setting is still listed as 'Optional' in the documentation, which obviously hasn't caught up with the default install health checks. So you won't find the supporting information you are requesting just yet. But I have been on the security side of corporate life for some time. Giving users the default ability to email alerts or reports to any destination is a massive Data Loss Protection issue.
Switched the inputs to 2154. Still no luck.
Port 9997 is a reserved port for Splunk. If this is an external stream from syslog or any other source, please select a different port. Example: port=2514. I selected that as 514 is reserved for syslog and I have seen 1514 used for TCP encrypted syslog, so it is best to just get up and away from those. But by keeping the *514 format it will be easier for others who may inherit your setup to know instinctively that it's a syslog source.
For testing, I tried the props you provided along with these inputs.conf stanzas.

Test 1:
[splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat:proxysg:access:syslog
disabled = false

Test 2:
[splunktcp://9997]
index = mmsproxy
source = tcp.bluecoat
sourcetype = bluecoat
disabled = false

Restarted Splunk after both of these tests. Still no luck.
I deleted my custom dashboard from the dashboard list on my AppDynamics SaaS Controller. Is there a way I can recover a deleted dashboard?