All Posts

Hi, I figured out how to get the week number based on the day number: Get_Week_Number=floor(tonumber(strftime(ToDateTime1, "%d"))/7)+1. I also adjusted my preferences for the datetime to show Eastern.
Hi sainag, thank you so much for your quick response. I was able to use your example and get it as follows. Two things I noticed: 1. The week number is 40; this should have been the October month week number. 2. The time part: I have 08.48.12, which is EST, but in my results I see it as 07.48.12. ToDateTime1=strptime(TempDate1, "%a %d %b %Y %H:%M:%S:%3N %Z"), Get_Day_Name=strftime(ToDateTime1, "%A"), Get_Month_Num=strftime(ToDateTime1, "%d"), Get_Month_Name=strftime(ToDateTime1, "%b"), Get_Year=strftime(ToDateTime1, "%Y"), Get_Week_Number=strftime(ToDateTime1, "%U"), Get_Time_Part=strftime(ToDateTime1, "%H:%M:%S") Thanks a lot.
Hi, can you please help me to create a multi-line chart with the below data. Data in the below format is fetched in Splunk. I need to create a multi-line chart with the same data as below: Data: On the X axis: Time. Y axis: column1. Count1, count2 and count3 should be the 3 lines in the multi-line chart. The last command in the Splunk query to fetch the data in table form is below: | table column1 column2 Time Count1 Count2 Count3 With this data, can we create a multi-line chart in Splunk?
I started noticing this error recently too, and found the following (old) Community post that pointed me in the direction of the splunkd web timeout: https://community.splunk.com/t5/All-Apps-and-Add-ons/Error-while-installing-an-app-on-Splunk-6-on-Windows/m-p/138027/highlight/true Sure enough, I had the default 30 seconds in place, and after increasing that (and restarting Splunk) I haven't observed the message.

@TiagoTLD3 wrote: Hello! Since 7.3.0 I'm seeing the reload process for assets and identities failing frequently. Any ideas?

RROR pid=20559 tid=MainThread file=base_modinput.py:execute:820 | Execution failed: 'SplunkdConnectionException' object has no attribute 'get_message_text' Traceback (most recent call last): File "/app/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 601, in simpleRequest serverResponse, serverContent = h.request(uri, method, headers=headers, body=payload) File "/app/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1710, in request conn, authority, uri, request_uri, method, body, headers, redirections, cachekey, File "/app/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1425, in _request (response, content) = self._conn_request(conn, request_uri, method, body, headers) File "/app/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1377, in _conn_request response = conn.getresponse() File "/app/splunk/lib/python3.7/http/client.py", line 1373, in getresponse response.begin() File "/app/splunk/lib/python3.7/http/client.py", line 319, in begin version, status, reason = self._read_status() File "/app/splunk/lib/python3.7/http/client.py", line 280, in _read_status line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1") File "/app/splunk/lib/python3.7/socket.py", line 589, in readinto return self._sock.recv_into(b) File "/app/splunk/lib/python3.7/ssl.py", line 1079, in recv_into return self.read(nbytes, buffer) File "/app/splunk/lib/python3.7/ssl.py", line 937, in read return self._sslobj.read(len, buffer) socket.timeout: The read operation timed out During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/app/splunk/etc/apps/SA-IdentityManagement/bin/identity_manager.py", line 483, in reload_settings raiseAllErrors=True File "/app/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 613, in simpleRequest raise splunk.SplunkdConnectionException('Error connecting to %s: %s' % (path, str(e))) splunk.SplunkdConnectionException: Splunkd daemon is not responding: ('Error connecting to /services/identity_correlation/identity_manager/_reload: The read operation timed out',) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/app/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 811, in execute log_exception_and_continue=True File "/app/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 380, in do_run self.run(stanzas) File "/app/splunk/etc/apps/SA-IdentityManagement/bin/identity_manager.py", line 586, in run reload_success = self.reload_settings() File "/app/splunk/etc/apps/SA-IdentityManagement/bin/identity_manager.py", line 486, in reload_settings logger.error('status="Failed to reload settings" error="%s"', e.get_message_text()) AttributeError: 'SplunkdConnectionException' object has no attribute 'get_message_text'
Thank you for your prompt response and help. Logs are coming from other sources, e.g. firewall. Maybe I should have used the hostname/computername that is reaching out to those URLs.
I am referring to the Deployment Server list. When I go to [Settings > Forwarder Management > Clients] and click DELETE RECORD on a client, it says this option has been deprecated. I can still click delete, but the client never goes away. See my attached screenshot.
I would like to update my universal forwarders to send data to 2 separate endpoints for 2 separate Splunk environments. How can I do this using my Deployment Server? I already have an App that I will use for the UF update.
Hi @yuanliu, thank you for your suggestion. The subsearch has a max 50k limit, not 5k. If one or more subsearches hit the 50k limitation, I'd want to get an email notification indicating which subsearch exceeded the 50k limit. In the example below, an email alert will be sent indicating that 2 subsearches exceed the 50k limit: search3 = 60k rows and search4 = 70k rows. I can create a scheduled report that sends an email every day, but I am not sure if the report has the ability to send emails only when it meets a certain condition. search1 | join max=0 type=left ip [search ip="10.1.0.0/16" |eval this = "search 2"] | join max=0 type=left ip [search ip="10.2.0.0/16" |eval this = "search 3"] | join max=0 type=left ip [search ip="10.3.0.0/16" |eval this = "search 4"]
Based on what I can understand, you can try using something like this and tweak it as needed. | makeresults | eval datetime_str="Thu 10 Oct 2024 08:48:12:574 EDT" | eval datetime=strptime(datetime_str, "%a %d %b %Y %H:%M:%S:%3N %Z") | eval day_name=strftime(datetime, "%A"), day_of_month=strftime(datetime, "%d"), month=strftime(datetime, "%b"), year=strftime(datetime, "%Y"), week_number=strftime(datetime, "%U"), time_part=strftime(datetime, "%H:%M:%S") | fields datetime_str, datetime, day_name, day_of_month, month, year, week_number, time_part | eval hour=substr(time_part, 1, 2), minute=substr(time_part, 4, 2), second=substr(time_part, 7, 2)
The reason for your error is "Poorly formatted data". Regarding INDEXED_EXTRACTIONS=JSON, here is a good article on when/where it can be used. Can you please run this search and show me the output for your sourcetype? index=_internal source=*splunkd.log* AggregatorMiningProcessor OR LineBreakingProcessor OR DateParserVerbose WARN data_sourcetype="my_json" | rex "(?<type>(Failed to parse timestamp|suspiciously far away|outside of the acceptable time window|too far away from the previous|Accepted time format has changed|Breaking event because limit of \d+|Truncating line because limit of \d+))" | eval type=if(isnull(type),"unknown",type) | rex "source::(?<eventsource>[^\|]*)\|host::(?<eventhost>[^\|]*)\|(?<eventsourcetype>[^\|]*)\|(?<eventport>[^\s]*)" | eval eventsourcetype=if(isnull(eventsourcetype),data_sourcetype,eventsourcetype) | stats count dc(eventhost) values(eventsource) dc(eventsource) values(type) values(index) by component eventsourcetype | sort -count
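Worked example, added here and not part of the original post: the same classification the search above performs, applied in Python to constructed splunkd.log lines so you can see which warning classes, hosts and sources end up attributed to a sourcetype. The sample lines and the "my_json" sourcetype are assumptions; the regex alternatives are the ones from the search.

```python
import re

# Constructed splunkd.log lines (not from the post), in the two shapes the search handles:
# DateParserVerbose with a "Context: source::...|host::...|sourcetype|port" trailer, and
# AggregatorMiningProcessor / LineBreakingProcessor with data_source/data_host/data_sourcetype.
SAMPLE_LOG = """\
10-10-2024 08:48:12.574 -0400 WARN  DateParserVerbose [1234 merging] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Context: source::/var/log/app/events.json|host::web01|my_json|9997
10-10-2024 08:48:13.001 -0400 WARN  DateParserVerbose [1234 merging] - Time parsed (Tue Oct 10 08:48:13 2000) is too far away from the previous event's time. Context: source::/var/log/app/events.json|host::web02|my_json|9997
10-10-2024 08:48:14.100 -0400 WARN  AggregatorMiningProcessor [1234 merging] - Breaking event because limit of 10000 has been exceeded - data_source="/var/log/app/events.json", data_host="web01", data_sourcetype="my_json"
10-10-2024 08:48:15.200 -0400 WARN  LineBreakingProcessor [1234 merging] - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 12000 - data_source="/var/log/app/big.json", data_host="web03", data_sourcetype="my_json"
10-10-2024 08:48:16.300 -0400 WARN  DateParserVerbose [1234 merging] - Something unexpected happened. Context: source::/var/log/other.log|host::web01|other_st|9997
"""

COMPONENTS = {"AggregatorMiningProcessor", "LineBreakingProcessor", "DateParserVerbose"}
COMPONENT_RE = re.compile(r"\bWARN\s+(?P<component>\w+)")
# Same warning classes as the first rex in the search; anything else becomes "unknown".
TYPE_RE = re.compile(r"Failed to parse timestamp|suspiciously far away|outside of the acceptable time window"
                     r"|too far away from the previous|Accepted time format has changed"
                     r"|Breaking event because limit of \d+|Truncating line because limit of \d+")
CONTEXT_RE = re.compile(r"source::(?P<eventsource>[^|]*)\|host::(?P<eventhost>[^|]*)\|(?P<eventsourcetype>[^|]*)\|\S*")
# Fallback, like the search's isnull(eventsourcetype) -> data_sourcetype branch.
DATA_RE = re.compile(r'data_source="(?P<eventsource>[^"]*)", data_host="(?P<eventhost>[^"]*)", data_sourcetype="(?P<eventsourcetype>[^"]*)"')

def parse_line(line):
    """Fields the search extracts from one line, or None if it is not a pipeline WARN."""
    comp = COMPONENT_RE.search(line)
    if not comp or comp.group("component") not in COMPONENTS:
        return None
    ctx = CONTEXT_RE.search(line) or DATA_RE.search(line)
    if not ctx:
        return None  # nothing to attribute the warning to
    kind = TYPE_RE.search(line)
    return {"component": comp.group("component"), "type": kind.group(0) if kind else "unknown",
            "eventsource": ctx.group("eventsource"), "eventhost": ctx.group("eventhost"),
            "eventsourcetype": ctx.group("eventsourcetype")}

def summarize(log_text, sourcetype):
    """Mirror the stats command: count, distinct hosts/sources and warning types per
    (component, sourcetype) for one sourcetype, highest count first."""
    rows = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["eventsourcetype"] != sourcetype:
            continue
        r = rows.setdefault((f["component"], f["eventsourcetype"]),
                            {"count": 0, "hosts": set(), "sources": set(), "types": set()})
        r["count"] += 1
        r["hosts"].add(f["eventhost"]); r["sources"].add(f["eventsource"]); r["types"].add(f["type"])
    return sorted(rows.items(), key=lambda kv: -kv[1]["count"])
```

Each returned row corresponds to one row of the stats output; Breaking or Truncating warnings with a non-empty hosts set mean events for that sourcetype are being split or cut at ingestion, before any search or detection sees them.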
Hi, before asking I did try to find, but was not able to locate, a thread that has this kind of datetime values, so I had to come up with this new thread. I have the datetime values in string format like Thu 10 Oct 2024 08:48:12:574 EDT. Sometimes there may be a null in it; that's how it is. What I have to do with this is get/derive into separate columns: day name like Thursday; day of month like 10; month like Oct; year 2024; week number like 2 or 3; time part into a separate column like 08:48:12:57 (not worried about EDT); separate the time components again: 08 as Hour, 48 as Min, 12 as Sec, not worried about ms. Still looking for threads with this kind of thing, but... again sorry, this is a basic one, it just needs more searching.
Yup sorry, I should have delineated what I have done. Log examples: Time: 10/10/24 6:30:11.478 AM Start Event: 2024-10-10T06:30:11.478-04:00 | INFO | 1 | | xxxxxxxxxxxxxxxxx : Start View Refresh (price_vw) !!! Time: 10/10/24 6:30:11.509 AM End Event: 2024-10-10T06:30:11.509-04:00 | INFO | 1 | | xxxxxxxxxxxxxxxxx : End View Refresh (price_vw) !!! index=* ("Start View Refresh (price_vw)" OR "End View Refresh (price_vw)") | transaction startswith="Start View Refresh (price_vw)" endswith="End View Refresh (price_vw)" | table duration Now when I just look for the log events, I get 4 sets of Start and End events. But when I run the above for the same duration, I was expecting 4 sets of durations, but I get just 2 sets.
Could you please check if the default.xml exists under %SplunkHome%/etc/apps/search/default/data/ui/nav/?
Thank you. Appreciate your assistance and input in helping me learn the finer details of Splunk and how the logic works. And yes, the lookup is .csv and not .cvs. Was a typo. I have a sandbox I work with for Splunk, so I manually type my searches on my work computer in the Splunk forum to help me learn the syntax better. Old school way of understanding how to learn something, especially when it comes to code. Thanks again.
On a side note: long after migrating to WiredTiger we stumbled over some version trouble after upgrading Splunk from 9.1.4 to 9.1.5. It turned out that a simple "touch splunk/var/run/splunk/kvstore_upgrade/versionFile42" was able to resolve the problem.
Hi @jroedel, eventtype and tag aren't related to the fields: you have to create at first an eventtype for the login, called e.g. "my_technology_login": index=my_index sourcetype=my_sourcetype ("has logged onto the server" OR "logged on") and tag it as "Authentication" (required by CIM) and "LOGIN". Then index=my_index sourcetype=my_sourcetype (logoff OR "has logged off the server") and tag it as "Authentication" (required by CIM) and "LOGOUT". The last sample doesn't seem to be a logfail event; please check it and apply as the others. Then you have to extract fields: user and src, using regexes. Ciao. Giuseppe
Let's for now focus on a *successful* login. As shown in my initial post, there are multiple events for the same successful login. One carries the username, the other carries the source IP. On which one should I set the event type and tag? And how do I enrich that event with the field from the other one?
Hi @jroedel, ok, you have to create eventtypes and add to the login, logout and logfail eventtypes the tag "authentication". You should try to use the Add-On Builder app (https://splunkbase.splunk.com/app/2962) or the CIM-Vladiator app (https://splunkbase.splunk.com/app/2968) that helps you with field aliases, calculated fields and tagging. I usually use the second one. Ciao. Giuseppe
Maybe I just do not see it: how would I apply an event type for a successful login event that is scattered over multiple log entries? My requirement is to achieve CIM compliance with this data source.
Hi @waJesu, if host is the host sending the logs and url is a field in your logs, you could run something like this: index=your_index sourcetype=your_sourcetype earliest=-24h latest=now host=your_host | stats count BY URL Obviously this search depends on the extracted fields. Ciao. Giuseppe