All Posts

Upgraded my HF and Deployment servers from 9.0.4 to 9.2.2. These are Windows servers. Then I received KVStore/MongoDB failure messages. I've tried the KVStore migration steps. I've tried removing the .lock files from the mongo folder. I am trying to get the MongoDB updated/upgraded to the latest version so the KVStore will stop complaining. Any help to clear this up would be greatly appreciated.
You generally thought well but you have to cast your hostname to lowercase (or uppercase; doesn't matter as long as it's consistent) _before_ you do your stats. EDIT: I didn't notice it started with tstats. Of course in this case @gcusello 's solution is the way to go.
Hi @RanjiRaje,
please try this:

| tstats max(_time) as latest where index=indexname by host
| eval host=upper(host)
| stats max(latest) AS latest BY host
| convert ctime(latest)

Ciao.
Giuseppe
Hi All, Can anyone please help me on this... I am framing a SPL query to get a list of hosts with their last event time.

SPL query:

| tstats max(_time) as latest where index=indexname by host
| convert ctime(latest)

From this query, I am getting the list as expected, but with one bug. (If I have a host both in lower case & in upper case, I am getting 2 different entries.)

Eg:
host          latest
HOSTNAME1     09/17/2024 15:27:49
hostname1     08/30/2024 15:27:00
hostname2     09/15/2024 15:27:49
HOSTNAME2     09/13/2024 15:27:49

From here, I have to get only one entry for a host along with the latest time. (For hostname1, I should get 09/17/2024 15:27:49; similarly for hostname2 I should get 09/15/2024 15:27:49.)

I tried adding the command:

| eval host=upper(host), latest=max(latest)
| dedup host

But it is not considering the max of "latest", and it is just showing a single row for each host with a random value of "latest". Can you please suggest a better way to achieve this. Thanks
@ITWhisperer, this will be good if I am doing a transforming search using mvexpand, but any idea on how I can achieve the same results through search-time field extractions using props & transforms.conf?
https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/DashStudio/chartsSV#Single_value_2

{
    "type": "splunk.singlevalue",
    "dataSources": {
        "primary": "ds_2x8aw5k1"
    },
    "title": "Title Font",
    "description": "Description Font",
    "options": {
        "majorFontSize": 21
    },
    "context": {},
    "containerOptions": {},
    "showProgressBar": false,
    "showLastUpdated": false
}

This will help you statically set the font size for the values you are displaying. By default it is set to Auto to make it appropriate for the width of the data returned. The longer the returned value, the smaller the auto text.
Hi everyone! Is it possible to pass a parameter from search to the next "action|url" step? Like in description: $result$. If not, is it possible to somehow change this behavior by modifying this next step? If yes, then how? Thanks.
Thanks for sharing the useful link, but unfortunately, after adding the CA-CERT chain to the two locations below and restarting Splunk, I am still receiving the same error.

1) /opt/splunk/lib/python3.7/site-packages/certifi
And
2) /etc/apps/<APP_FOLDER>/lib/certify

Any further suggestions, please?
Hi All, I am trying to create a dashboard with total calls to a particular business transaction using an ADQL query. I am able to fetch this from all applications, except from the Lambda application; although the transactions are showing in the application dashboard, I am unable to get the count using the query. I am also unable to list the BTs of that application using a query. The same query is working for other applications and business transactions. PFB the query which I used.

SELECT count(*) FROM transactions WHERE application = "test-1" AND transactionName = "/test/api/01/"

Please check and let me know why I am not able to pull this.

Regards
Fadil
many thanks @jawahir007 
| rex field=raw_msg max_match=0 "(?<=\(|]\\\\;)(?<group>[^:]+:status:[^:]*:pass_condition\[[^\]]*\]:fail_condition\[[^\]]*\]:skip_condition\[[^\]]*)\]"
Hi @tomjb94, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking
Giuseppe

P.S.: Karma Points are appreciated by all the contributors
Where are you seeing that? In what context? Splunk doesn't process audio. Please tell us more about the use case and the issue.
Thanks @ITWhisperer, the additional backslash seems to be doing the trick for the rex command, but still no luck getting this to work with the transforms.conf mv_add=true setting. Basically I need these fields to be available at search time, hence trying to figure out a way for that. And when you say extract each group of fields as a whole, what do you mean by that? Can you please help me with an example to better understand that approach?
Hi Giuseppe, many thanks for your response, it's greatly appreciated. I need the rex to be dynamic regardless of the particular timestamp in the original message I sent; it's going to be a saved search. In addition, when I run this I get 0 results despite running exactly within the timestamp of that particular message in Splunk. I think this search may be quite expensive on our indexers, so for now I'll just get this working with the existing extracted fields. Thanks again, Tom
There is an inbuilt package available within Splunk ES. You can follow the steps below to configure the Enterprise Security specific indexes on the indexers:

1) On the Enterprise Security menu bar, select Configure > General > General Settings.
2) Scroll to Distributed Configuration Management, and click Download Splunk_TA_ForIndexers.
3) Select the contents for the package. You must select at least one of the following options to download the package.
   (Optional) Select the check box for Include index time properties to include the props.conf and transforms.conf files in the package.
   (Optional) Select the check box for Include index definitions to include the indexes.conf file in the package.
4) Click Download the Package to create and download the Splunk_TA_ForIndexers.
5) After the add-on downloads, you can modify the contents of the package. For example, modify indexes.conf to conform with site retention settings and other storage options.
6) Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.
7) When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers.

Refer to this link for more details: https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallTechnologyAdd-ons#Create_the_Splunk_TA_ForIndexers_and_manage_deployment_manually
In general, it is better to use entries with xxxxxx.mystack.splunkcloud.com, where mystack is your stack id.

HEC: https://http-inputs.mystack.splunkcloud.com/
Hi, what does session end reason = aged-out mean? We are facing a one-way audio issue. Could this possibly be a reason? Thanks
I was able to fix my issue. I simply added the "rename" function in my main table search.

| advhunt cred=all renew=True query="DeviceProcessEvents | where Timestamp > ago(30d) | where FileName has 'file.exe' | project DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName"
| spath input=_raw
| stats count by AccountName,DeviceName
| sort -count

| advhunt cred=all renew=True query="DeviceProcessEvents | where Timestamp > ago(30d) | where FileName has 'file.exe' | project DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName"
| spath input=_raw
| rename AccountName as user
| stats count by user,DeviceName
| sort -count
Hello @rukshar, if you have a self-signed certificate in your local network then you have to add that CA CERT chain to the locations below:

1) /opt/splunk/lib/python3.7/site-packages/certifi
And
2) /etc/apps/<APP_FOLDER>/lib/certify

Check if this resolves your problems. This documentation: https://splunk.my.site.com/customer/s/article/Office-365-Add-on-not-ingesting-any-events-and-throwing-SSL can help you understand the ERROR. It's for a Splunk built-in add-on, but yes, the same solution can be applied in your case as well. If this helps you, please mark this as the answer.