All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

A bit more words please because it's getting a bit unclear quickly. I assume that you want to search for events -5m till now, -7d -5m tll -7d and so on for the last 4 week. That's pretty clear. B... See more...
A bit more words please because it's getting a bit unclear quickly. I assume that you want to search for events -5m till now, -7d -5m tll -7d and so on for the last 4 week. That's pretty clear. But after that... What is "volume"? A count of events? Sum of their size? Something else? What do you mean by "define a range based on this"?  
1. What _exactly_ did you try? And how it 'doesn't work'? 2. EXTRACT and REPORT are two settings which can be used for search-time extractions.
Hi, I have an use case in which there are 4 images for Red, Amber, Green and Grey (No Data/Inactive), that is to be displayed in the dashboard I created. For the widget I'm using Choropleth SVG for... See more...
Hi, I have an use case in which there are 4 images for Red, Amber, Green and Grey (No Data/Inactive), that is to be displayed in the dashboard I created. For the widget I'm using Choropleth SVG for image, right now I uploaded an image manually to visualize the widget. I'm assessing a way to connect the required s3 Bucket with the widget so to get those images onto Splunk Dashboard. Please can anyone assist on how to achieve this? Thanks!
Hello, I struggle to do the following: Count the volume for last 5min from current time -7d, -14d, -21d, -28d  (basically keeping the same day of the week) Do an avg and stdev of those counts, De... See more...
Hello, I struggle to do the following: Count the volume for last 5min from current time -7d, -14d, -21d, -28d  (basically keeping the same day of the week) Do an avg and stdev of those counts, Define a range based on this, Get the count of the last 5 min from current time and tell when is out of the range All this in a table so I can use it from Alerts I read a lot of things, but couldn’t came up with something close enough so far, I’m still new with Splunk Thank you!
i tried transforms and props yesterday and it didnt work, but what is "EXTRACT or REPORT" you mention.
If something doesn't work as you expect step back and check if you're getting right data in to get right data out. 1. After you eval your end_time, does it conatin a proper numerical epoch timestamp... See more...
If something doesn't work as you expect step back and check if you're getting right data in to get right data out. 1. After you eval your end_time, does it conatin a proper numerical epoch timestamp? 2. The time_epoch will most definitely _not_ contain proper epoch timestamp. The now() function itself returns what you need. There's no need to strptime() it. In fact it will only break its value since you can't parse a number using your provided time format.
I'm trying to calculate the minute difference between two times and get an empty field   .........base search here......... |eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S:%N") |eval ... See more...
I'm trying to calculate the minute difference between two times and get an empty field   .........base search here......... |eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S:%N") |eval time_epoch = strptime(now(), "%Y:%m:%d %H:%M:%S") |eval diff = (end_time-time_epoch)/60  
I think the microsoft Webhook will be EOL in the end of this year,  and I have heard that we need to migrate to use the workflow app in team.Does anyone have the solution with that
hi I have a similar problem Tried this solution and I get an empty field   |eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S:%N") |eval time_epoch = strptime(now(), "%Y:%m:%d %H:%M:%S"... See more...
hi I have a similar problem Tried this solution and I get an empty field   |eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S:%N") |eval time_epoch = strptime(now(), "%Y:%m:%d %H:%M:%S") |eval diff = (end_time-time_epoch)/60 @Richfez   
Dears Splunkers, I´m investigating issue with the duplicated maps+ for Splunk application icon in the Home menu of Splunk (see attached pic.) Enterprise running on Cloud. This is a weird performanc... See more...
Dears Splunkers, I´m investigating issue with the duplicated maps+ for Splunk application icon in the Home menu of Splunk (see attached pic.) Enterprise running on Cloud. This is a weird performance. Splunk version 9.1.2. Can you pls. suggest how to resolve this problem so that only 1 app. icon does appear as before? Thank you
Thank you, Giuseppe!
Just a day ago, I migrated from 9.1.5 to 9.1.6. I confirm an absence of zombie processes!
Thanks for your help, I really appreciate the time you put it. I asked in good faith I can learn this. streaming languages — like JQ I mentioned — are harder, yes, functional languages are harder, y... See more...
Thanks for your help, I really appreciate the time you put it. I asked in good faith I can learn this. streaming languages — like JQ I mentioned — are harder, yes, functional languages are harder, yes, but all is doable. Yes, shown json is tricker, but I just happen to know, that there will be just one query there, and if not, I can call one more reduce in JQ and I'm good, still oneliner. Regarding the SPL — the spl solution is just crazy. I just cannot see what each individual part does and why. And the documentation does it make it harder instead of easier. But I probably miss some basic premise of splunk. Ok, simple sample, simpler task.       | makeresults | eval _raw="{ \"json\": { \"class\": \"net.ttddyy.dsproxy.support.SLF4JLogUtils\", }, }"       Use regex to remove word ttddyy and return .json.class. Should be exceptionally trivial. If I ran that just thing above I see the json. OK, now projection:       … | table _raw.json.class       no.       … | table json.class       no.       ... | table _raw       yes. OK, so maybe it's not parsed or whatever. spath to the rescue.       … | spath _raw.json.path | table json.path //please consider this as all potential combinations of cartesian products of all subpaths from _raw.json.path and same with table.       no! Ok(!!) maybe it's input parameter:       ... | spath input=_raw.json path=json.class | table json.class //all cartesian products again.       no.  ok. .. So maybe we need output for something I don't know what:       | spath input=_raw path=json.class output=aaaaa | table aaaaa //all cartesian products of subpaths again.       30 minutes passed... It's just-a-simple-projection.  No luck and I didn't even get to regex, which will be true struggle (all regex flavors are really easy, that's not the crux of the problem). chatgpt thinks this is the solution:       | makeresults | eval _raw="{\"json\": {\"class\": \"net.ttddyy.dsproxy.support.SLF4JLogUtils\"}}" | spath input=_raw path=json.class | table json.class       but it isn't. Does not print anything(it's so confusing, that trained chatgpt cannot do projection OR it does not work on our heavily paid sw). Can you please explain, how simple projection works in splunk and what steps the engine really do internally since it's really mystery? In jq to compare:       jq -n '{ "json": { "class": "net.ttddyy.dsproxy.support.SLF4JLogUtils", } } | .json | .class | sub("ttddyy";"goddamm-easy")'       to explain: 1) declare json 2) take .json subtree 3) take .class subtree 4) do replacement. 40s, straightforward. UPDATE: if I export data returned for table, and then download the data, I got different results in file than on screen, so I guess that what-is-shown on screen is different to what-the-data-of-query-is, which is probably source of confusion, since I'm working with something I can see, while splunk probably work with some datastructure I'm not aware of. { "preview": false, "result": { "json.msg": //:| ...
No, wait. source _is_ a metadata field already. You can use transforms to either cut it as you initially planned or to extract data from it to another indexed field. You can also use EXTRACT or REPO... See more...
No, wait. source _is_ a metadata field already. You can use transforms to either cut it as you initially planned or to extract data from it to another indexed field. You can also use EXTRACT or REPORT to extract the field in search time. There are many possibilities here.
I'll probably make a meta field as you suggested, I didn't  wanted to do it at the start but it seems the only way.
Hi, this is my 1st post, I'm a newbie splunkers. I have a case from my clients so, the splunk is running with LB following with the SH cluster. I already using LDAP to inject the data for login ac... See more...
Hi, this is my 1st post, I'm a newbie splunkers. I have a case from my clients so, the splunk is running with LB following with the SH cluster. I already using LDAP to inject the data for login access account in splunk.  When I checked out the audittrail log in query table, it's showing only 1 spesific clientip or src. That was different with the 1st time I inject the AD for login access to splunk, or inside the dev server because we only use AIO/standalone splunk in dev. It's showing the real IP of the user. But now, when I logged in to the splunk web, the audit trail log, will show the spesific 1 IP, I think it's LB or AD IP.  Even I used the native user like "admin", it will show only 1 IP, and it's not my device IP. How to make the real IP  fromuser showing, while using LB in shcluster instead of only 1 IP from LB or AD in Audittrail log?
Hi @PickleRick  As your information Yesterday if my inputs.conf will mess the sourcetype so i was assesment all sourcetype was generated in my searchhead.  Could you please correction my inputs.con... See more...
Hi @PickleRick  As your information Yesterday if my inputs.conf will mess the sourcetype so i was assesment all sourcetype was generated in my searchhead.  Could you please correction my inputs.conf ? here  [monitor:///var/log/audit/audit.log] disabled = false index = NewIndex sourcetype = linux_audit [monitor:///var/log/auth.log] disabled = false index = NewIndex sourcetype = auth-too_small [monitor:///var/log/cron] disabled = false index = NewIndex sourcetype = kern-too_small [monitor:///var/log/kern.log] disabled = false index = NewIndex sourcetype = kern-too_small [monitor:///var/log/messages] disabled = false index = NewIndex sourcetype = syslog [monitor:///var/log/mongodb/mongod.log] disabled = false index = NewIndex sourcetype = mongod-2 [monitor:///var/log/nginx/access.log] disabled = false index = NewIndex sourcetype = access_combined [monitor:///var/log/nginx/error-NewIndex-fe.log] disabled = false index = NewIndex sourcetype = error-NewIndex-fe-too_small [monitor:///var/log/nginx/jm-click-fe.log] disabled = false index = NewIndex sourcetype = jm-click-fe-too_small [monitor:///var/log/nginx/NewIndex-ess-http-3001.log] disabled = false index = NewIndex sourcetype = NewIndex-ess-http-too_small [monitor:///var/log/nginx/NewIndex-ess-pakta-http.log.1] disabled = false index = NewIndex sourcetype = NewIndex-ess-http-too_small [monitor:///var/log/nginx/NewIndex-jmpd-http.log] disabled = false index = NewIndex sourcetype = access_combined [monitor:///var/log/nginx/NewIndex-be.log] disabled = false index = NewIndex sourcetype = access_combined [monitor:///var/log/nginx/NewIndex-cms-be.log] disabled = false index = NewIndex sourcetype = NewIndex-cms-be-too_small [monitor:///var/log/redis/redis-server.log] disabled = false index = NewIndex sourcetype = redis-server-too_small [monitor:///var/log/sssd/sssd_NewIndex.co.id.log] disabled = false index = NewIndex sourcetype = sssd_NewIndex.co.id-too_small [monitor:///var/log/syslog] disabled = false index = NewIndex sourcetype = syslog [monitor:///var/log/ubuntu-advantage-timer.log] disabled = false index = NewIndex sourcetype = ubuntu-advantage-timer.log-3 [monitor:///var/log/ubuntu-advantage.log] disabled = false index = NewIndex sourcetype = ubuntu-advantage-6 [monitor:///var/log/ufw.log] disabled = false index = NewIndex sourcetype = syslog [monitor:///var/log/unattended-upgrades/unattended-upgrades.log] disabled = false index = NewIndex sourcetype = unattended-upgrades [monitor:///var/log/vmware-vmtoolsd-root.log] disabled = false index = NewIndex sourcetype = vmware-vmtoolsd-root [monitor:///home/*/.bash_history] disabled = false index = NewIndex sourcetype = bash_history Or maybe you have best practice setting for my case ? 
This worked for me on my updated version - thanks!
I am using the following html for my alert action data entry screen.  The tenant mulit-select does not show up in the configuration dictionary of the payload object passed to the python script.  What... See more...
I am using the following html for my alert action data entry screen.  The tenant mulit-select does not show up in the configuration dictionary of the payload object passed to the python script.  What am I doing wrong? Payload passed to python script: Payload: {'app': 'search', 'owner': 'jon_fournet@bmc.com', 'result_id': '1', 'results_file': '/opt/splunk/var/run/splunk/dispatch/rt_scheduler_am9uX2ZvdXJuZXRAYm1jLmNvbQ__search__sentToBHOM12_at_1727135173_17.19/per_result_alert/tmp_1.csv.gz', 'results_link': 'http://clm-aus-wm6fwd:8000/app/search/search?q=%7Cloadjob%20rt_scheduler_am9uX2ZvdXJuZXRAYm1jLmNvbQ__search__sentToBHOM12_at_1727135173_17.19%20%7C%20head%202%20%7C%20tail%201&earliest=0&latest=now', 'search_uri': '/servicesNS/jon_fournet%40bmc.com/search/saved/searches/sentToBHOM12', 'server_host': 'clm-aus-wm6fwd', 'server_uri': 'https://127.0.0.1:8089', 'session_key': 'juYpGOJO29CVEJXEhNFtlVZu0NdAUtGRObXSddXgB^nwDFZHofpZ58tDr^dfFRHcAeBKb3sKvtUNY48u7z2go^bDjUIR1K59YJhT3mkpPKXm3Vom_mXwSCA5rF2AQsgeoEuM332jKYMhEiZRakt1Qs69if_wD_QAPo', 'sid': 'rt_scheduler_am9uX2ZvdXJuZXRAYm1jLmNvbQ__search__sentToBHOM12_at_1727135173_17.19', 'search_name': 'sentToBHOM12', 'configuration': {'additional_info': 'This is an additional slot', 'category': 'AVAILABILITY_MANAGEMENT', 'ciid': 'test ciid', 'citype': 'testcitype', 'hostname': 'splunktesthost', 'logLevel': 'WARN', 'message': ' kkkk', 'object': 'testobject', 'originuri': 'testuri', 'severity': 'WARNING', 'subcategory': 'APPLICATION'}   HTML: <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Information</title> <style> body { background-color: lightblue; font-family: Arial, sans-serif; } .container { width: 80%; margin: 20px auto; } .section { background-color: white; padding: 15px; margin-bottom: 20px; border: 2px solid black; border-radius: 5px; } .section h2 { margin-top: 0; } </style> </head> <body> <form class="form-horizontal form-complex"> <h1>BHOM Tenant Configuration</h1> <div class="control-group"> <label class="control-label" for="bmc_tenants">Tenants</label> <div class="controls"> <select id="bmc_tenants" name="action.sendToBHOM.param.tenants" multiple size="3"> <option value="prod">Production</option> <option value="qa">QA</option> <option value="dev">Development</option> </select> <span class="help-block">The BHOM Tenants to forward alerts</span> </div> </div> <h1>BHOM Event Configuration</h1> <div class="control-group"><label class="control-label" for="bmc_severity">Severity</label> <div class="controls"><select id="bmc_severity" name="action.sendToBHOM.param.severity"> <option value="OK">Ok</option> <option value="WARNING">Warning</option> <option value="MINOR">Minor</option> <option value="MAJOR">Major</option> <option value="CRITICAL">Critical</option> </select><span class="help-block">The severity of the alert</span></div> </div> <div class="control-group"><label class="control-label" for="bmc_hostname">Source Hostname</label> <div class="controls"><input id="bmc_hostname" name="action.sendToBHOM.param.hostname" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The Hostname of the source of the alert</span></div> </div> <div class="control-group"><label class="control-label" for="bmc_object">Object</label> <div class="controls"><input id="bmc_object" name="action.sendToBHOM.param.object" type="text" placeholder="e.g. Splunk_log_1 " /> <span class="help-block">The Object related to the alert</span></div> </div> <div class="control-group"> <div class="control-group"><label class="control-label" for="bmc_category">Category</label> <div class="controls"><input id="bmc_category" name="action.sendToBHOM.param.category" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The Category related to the alert</span></div> </div> <div class="control-group"><label class="control-label" for="bmc_subcategory">Sub-Category</label> <div class="controls"><input id="bmc_subcategory" name="action.sendToBHOM.param.subcategory" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The Sub-Category related to the alert</span></div> </div> <div class="control-group"><label class="control-label" for="bmc_originuri">Origin URI</label> <div class="controls"><input id="bmc_originuri" name="action.sendToBHOM.param.originuri" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The Origin URI related to the alert</span></div> </div> <div class="control-group"><label class="control-label" for="bmc_ciid">CI ID</label> <div class="controls"><input id="bmc_ciid" name="action.sendToBHOM.param.ciid" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The CI ID related to the alert</span></div> </div> <div class="control-group"><label class="control-label" for="bmc_citype">CI Type</label> <div class="controls"><input id="bmc_citype" name="action.sendToBHOM.param.citype" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The CI Type related to the alert</span></div> </div> <div class="control-group"><label class="control-label" for="bmc_event_message">Message</label> <div class="controls"><textarea id="bmc_event_message" style="height: 120px;" name="action.sendToBHOM.param.message"> </textarea><span class="help-block">The message for the event send to BHOM</span</div> </div> </div> <div class="control-group"><label class="control-label" for="bmc_additional_info">Additional Info</label> <div class="controls"><input id="bmc_additional_info" name="action.sendToBHOM.param.additional_info" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The Additional Information related to the alert</span></div> </div> </div> <h1>Log Level (logs written to index _internal)</h1> <label for="logLevel">Choose a log level:</label> <select id="logLevel" name="action.sendToBHOM.param.logLevel"> <option value="INFO">INFO</option> <option value="WARN">WARNING</option> <option value="ERROR" selected>ERROR</option> <option value="DEBUG">DEBUG</option> </select> </body> </html>  
Hi @LY, The MIME type error should have been preceded by a status 404. console.js has been removed (technically, quarantined) from current versions of Splunk Enterprise. All modern browsers should ... See more...
Hi @LY, The MIME type error should have been preceded by a status 404. console.js has been removed (technically, quarantined) from current versions of Splunk Enterprise. All modern browsers should have a native console object, and you can remove the util/console requirement from tokenlinks.js: --- tokenlinks.js.original 2024-09-23 19:40:34.985325558 -0400 +++ tokenlinks.js 2024-09-23 19:40:59.456196826 -0400 @@ -1,10 +1,9 @@ requirejs([ '../app/simple_xml_examples/libs/jquery-3.6.0-umd-min', '../app/simple_xml_examples/libs/underscore-1.6.0-umd-min', - 'util/console', 'splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!' -], function($, _, console, mvc) { +], function($, _, mvc) { function setToken(name, value) { console.log('Setting Token %o=%o', name, value); @@ -51,4 +50,4 @@ } } }); -}); \ No newline at end of file +});  You can also remove the console.log() and console.warn() lines if you don't need them.