While the search is technically more or less correct, its performance will depend on the use case, and with a big lookup you might hit search limits. Another possible approach would be:

<your_base_search> | lookup my.csv src_ip OUTPUT matchsrc_ip | lookup my.csv dest_ip OUTPUT matchdest_ip | where isnull(matchsrc_ip) AND isnull(matchdest_ip)
The issue has been resolved by re-installing the Splunk enterprise.  
Hi @Pellecrino, your search seems to be correct; I'd change the order of the commands, even if it should not be relevant:

index=network_traffic NOT ( [ | inputlookup devices.csv | rename ip_address AS src_ip | fields src_ip ] [ | inputlookup devices.csv | rename ip_address AS dest_ip | fields dest_ip ] )

Debug the issue by running the two conditions one by one.

Ciao.
Giuseppe
Since upgrading to the new 4.0.4 release of the Lookup File Editor, the app no longer shows any lookups in the main interface. The Status page says the REST handler is offline, and while the troubleshooting page references that, it provides no recommendations aside from restarting Splunk. Well, we have restarted everything at least 3 times, but still cannot access our lookups. What does a REST handler being offline even mean? Is that a setting? Can the Search Head just not see the REST interface? We couldn't find any settings or conf files within the editor app that define a particular address. The app resides on the search head, along with the lookups, so I can't imagine it is a firewall issue. This is the only error we are seeing in the internal logs:

09/16/2024 09:50:24 AM -0500 CDT ERROR Failed to handle request due to an unhandled exception
Traceback (most recent call last):
  File "D:\Splunk\etc\apps\lookup_editor\bin\lookup_editor\rest_handler.py", line 196, in handle
    return function_to_call(request_info, **query)
  File "D:\Splunk\etc\apps\lookup_editor\bin\lookup_editor_rest_handler.py", line 688, in post_file_size
    lookup_author = res["entry"][i]["author"]
KeyError: 'author'

Help?
Hi @Dabbsy, I have never heard of a problem like this! Try using another support (e.g. tgz instead of rpm), then wait until tomorrow because there is the new version 9.3.1 that probably will not have the same problem. If this does not solve the problem, open a Case with Splunk Support. Ciao. Giuseppe
Hmm interesting - so for info in case anyone else gets the same issue: I uninstalled the splunk package with rpm -e splunk.x86_64, then rpm -i --prefix=/hopt package_name.rpm did the trick. I had tried uninstalling and then installing earlier, but that didn't work; for some reason it needed the prefix option. The bin directory is now recreated and I can now start splunk :-).
Hi all, I've got a lookup file called devices.csv that contains 2 fields, hostname and ip_address. The index I'm searching has 2 fields, src_ip and dest_ip. I'd like to exclude results where both the src_ip and dest_ip fields match an IP address from my lookup file; it doesn't need to be the same IP, it just needs to be listed in that CSV. If either the src_ip field or the dest_ip field doesn't contain an IP address listed in the ip_address field, I would expect to see it. I'm just looking for advice on whether this is the best way of querying the data. Current query:

index=network_traffic AND NOT ([| inputlookup devices.csv | fields ip_address | rename ip_address AS src_ip] AND [| inputlookup devices.csv | fields ip_address | rename ip_address AS dest_ip])
Hi Splunkers, I am trying to configure REST API monitoring via Splunk Add-on Builder, but while configuring, when I am trying to test the result, I am receiving an SSL error.

Splunk Add-on Builder Version: 4.3.0
Splunk Enterprise Version: 9.1.1

What could be done to mitigate this SSL error? Awaiting quick help and response. Pasting the error herewith:

2024-09-16 15:28:49,569 - test_rest_api - [ERROR] - [test] HTTPError reason=HTTP Error HTTPSConnectionPool(host='endpoints.office.com', port=443): Max retries exceeded with url: /version?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)'))) when sending request to url=https://endpoints.office.com/version?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 method=GET
Traceback (most recent call last):
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/connectionpool.py", line 722, in urlopen
    chunked=chunked,
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/connectionpool.py", line 404, in _make_request
    self._validate_conn(conn)
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/connectionpool.py", line 1060, in _validate_conn
    conn.connect()
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/connection.py", line 429, in connect
    tls_in_tls=tls_in_tls,
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/util/ssl_.py", line 450, in ssl_wrap_socket
    sock, context, tls_in_tls, server_hostname=server_hostname
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/splunk/lib/python3.7/ssl.py", line 428, in wrap_socket
    session=session
  File "/splunk/lib/python3.7/ssl.py", line 878, in _create
    self.do_handshake()
  File "/splunk/lib/python3.7/ssl.py", line 1147, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/requests/adapters.py", line 497, in send
    chunked=chunked,
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/connectionpool.py", line 802, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/util/retry.py", line 594, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='endpoints.office.com', port=443): Max retries exceeded with url: /version?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/cloudconnectlib/core/http.py", line 230, in _retry_send_request_if_needed
    uri=uri, body=body, method=method, headers=headers
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/cloudconnectlib/core/http.py", line 219, in _send_internal
    verify=self.requests_verify,
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/requests/adapters.py", line 517, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='endpoints.office.com', port=443): Max retries exceeded with url: /version?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/cloudconnectlib/core/engine.py", line 308, in _send_request
    response = self._client.send(request)
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/cloudconnectlib/core/http.py", line 296, in send
    url, request.method, request.headers, request.body
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/cloudconnectlib/core/http.py", line 243, in _retry_send_request_if_needed
    raise HTTPError(f"HTTP Error {err}") from err
cloudconnectlib.core.exceptions.HTTPError: HTTP Error HTTPSConnectionPool(host='endpoints.office.com', port=443): Max retries exceeded with url: /version?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))
2024-09-16 15:28:49,570 - test_rest_api - [INFO] - [test] This job need to be terminated.
2024-09-16 15:28:49,570 - test_rest_api - [INFO] - [test] Job processing finished
2024-09-16 15:28:49,571 - test_rest_api - [INFO] - [test] 1 job(s) process finished
2024-09-16 15:28:49,571 - test_rest_api - [INFO] - [test] Engine executing finished
I'm upgrading splunk enterprise to 9.3 using the rpm file, but when I run rpm -U splunk-9.3.0-51ccf43db5bd.x86_64.rpm it installs all the folders, but removes the bin directory, so I can't then start splunk. I've searched through the communities, and a few people seem to have hit the issue on Windows, but not Linux. How can I get around this issue? Thanks, Dabbsy
Hi, I have an App that has a set of icons that work fine in light mode, but if I switch to dark mode, they become invisible. If I add the lighter icons and dark mode, then the icons become invisible in light mode. Is there a way to have both sets of icons and have them change based on the active mode?
Hi @alferone , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
This looks more like a permissions issue, probably for authorizing instance principal authentication in your OCI deployment.
Good day, I'm trying to set up the HF to forward to an additional syslog target which expects RFC5424 (Grafana Alloy). So far the HF is reaching the syslog target, but then the target complains about a missing priority, and I'm not sure if this is because of RFC5424 vs RFC3164. I've tried the following outputs.conf options:

[syslog:my_syslog_group]
disabled = false
server = grafana-alloy.svc.cluster.local:51898
type = tcp
#other tested variant
priority = <NO_PRI>
priority = <34>
#tested with or without timeformat
timestampformat = %b %e %H:%M:%S

How can I make sure that the HF syslog forward is using the RFC5424 format?
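To make the "missing priority" complaint and the RFC5424 vs RFC3164 difference concrete, here is an added example that is not part of the post above and not Splunk or Grafana code: it builds the same event in both header layouts and then runs the receiver-side check a strict RFC 5424 parser performs, which rejects a message that does not start with a <PRI> field. The host, app and message values are constructed; the facility/severity tables are the RFC subset needed for the demo, and nothing here models how outputs.conf renders its output.

```python
"""RFC 5424 versus RFC 3164 syslog framing, and what a receiver checks first.

Added example for the syslog-forwarding question above; it is not Splunk code
and does not model how outputs.conf renders messages. It builds both header
formats from the same fields and then runs a receiver-side check that rejects
a message with no <PRI> prefix, which is the kind of "missing priority" error
a strict RFC 5424 receiver reports. Host, app and message values are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# PRI = facility * 8 + severity (RFC 5424 section 6.2.1, same rule in RFC 3164).
# Subset of the facility/severity tables; enough for the demo.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def pri(facility: str, severity: str) -> int:
    """Encode facility and severity into the numeric PRI value."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def rfc5424(facility, severity, ts, host, app, msg, procid="-", msgid="-"):
    """<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG.

    VERSION is the literal 1, the timestamp is RFC 3339, and '-' is the
    NILVALUE for fields that are not set (no structured data is sent here).
    """
    return f"<{pri(facility, severity)}>1 {ts.isoformat()} {host} {app} {procid} {msgid} - {msg}"


def rfc3164(facility, severity, ts, host, tag, msg):
    """<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG, the BSD format.

    The timestamp is the %b %e %H:%M:%S layout (day padded with a space),
    carries no year and no time zone, and there is no version field.
    """
    return f"<{pri(facility, severity)}>{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {host} {tag}: {msg}"


_PRI_RE = re.compile(r"^<(\d{1,3})>")
_RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$",
    re.DOTALL,
)


def classify(line: str) -> dict:
    """Receiver-side check: PRI first, then the version digit, then header fields.

    Returns {"ok": False, "error": ...} for an unusable message, otherwise the
    detected format plus the decoded facility and severity.
    """
    m = _PRI_RE.match(line)
    if not m:
        return {"ok": False, "error": "missing priority: message does not start with <PRI>"}
    p = int(m.group(1))
    if p > 191:  # 23 facilities * 8 + 7 is the largest legal value
        return {"ok": False, "error": f"PRI {p} out of range 0-191"}
    info = {"ok": True, "facility": p // 8, "severity": p % 8}
    m5 = _RFC5424_RE.match(line)
    if m5:
        info.update(format="rfc5424", host=m5["host"], app=m5["app"], msg=m5["msg"])
    else:
        # A valid PRI with no "1 " version field is treated as BSD (RFC 3164) syslog.
        info["format"] = "rfc3164"
    return info


# Constructed sample fields; the timestamp mirrors the -0500 offset seen in the thread.
TS = datetime(2024, 9, 16, 9, 50, 24, tzinfo=timezone(timedelta(hours=-5)))
SAMPLE_5424 = rfc5424("auth", "crit", TS, "hf01", "splunk", "session opened")
SAMPLE_3164 = rfc3164("auth", "crit", TS, "hf01", "splunk", "session opened")
SAMPLE_NO_PRI = SAMPLE_5424.split(">", 1)[1]  # same message with the <PRI> prefix stripped


def demo():
    """Run the receiver check over the three constructed samples."""
    return {name: classify(line) for name, line in
            [("rfc5424", SAMPLE_5424), ("rfc3164", SAMPLE_3164), ("no_pri", SAMPLE_NO_PRI)]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} -> {result}")
```

The `<34>` from the post decodes to facility 4 (auth) and severity 2 (critical), and both header layouts carry it the same way; what distinguishes RFC 5424 is the version digit `1` and the RFC 3339 timestamp that follow it, so a `%b %e %H:%M:%S` timestamp immediately after the PRI marks the message as the older BSD format. Over TCP a receiver may additionally expect RFC 6587 framing (octet counting or newline delimiting); that is separate from the header format and not modelled here.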
I have the Slack integration hooked up to Splunk On-call. I would like to trigger a Splunk On-call alert when the Slack usergroup is used. How do I go about setting that up, if anyone knows? Thank you in advance
Load the Monitoring Console: Indexing -> Performance -> Indexing Performance: Instance. Select various Indexers in your cluster to compare.
- If various Indexers have massively different queue values then you may have a data imbalance; since UFs by default stick to an ingestion queue for 30 seconds, you should observe this over time.
- If all queues from left to right are full then this is a disk write issue: the indexer can't write to disk fast enough.
- You can, via .conf settings, override the default indexer queue and pipeline settings to increase the available size, but you should be very confident in your admin abilities and I don't recommend this for novice administrators. Working with Splunk support is recommended regardless of your experience, novice or advanced.
Please share the rest of the configuration, e.g. the data source with the search being used.
Hi All, We are getting below error message ITSI rules_engine: "ErrorMessage="One or more fields are missing to create episode state." in splunk which is stopping episode creation for some of the ev... See more...
Hi All, we are getting the below error message from the ITSI rules_engine in Splunk, which is stopping episode creation for some of the events: "ErrorMessage="One or more fields are missing to create episode state."" However, when we check the search results there are no null or empty field values for the respective fields. Please help me to fix this ASAP with detailed steps. Thanks in advance to all.
Done
Correct, it works now. Can you please edit your answer? I'll mark it as the solution after that. Thanks a lot!
Hi Splunk, I created a dashboard with various panels. Some of the panels are tables with drilldown searches allowing you to click on the value, and opening a new tab using the value clicked on ($row.user.value$) in the new search. However, for some reason the drilldown on one panel opens the search without populating the variable $row.user.value$. All the other panels' drilldown searches work. Source code of panel:

{
  "type": "splunk.table",
  "options": {
    "count": 100,
    "dataOverlayMode": "none",
    "drilldown": "none",
    "showRowNumbers": false,
    "showInternalFields": false
  },
  "dataSources": {
    "primary": "ds_aaaa"
  },
  "title": "Panel One (Last 30 Days)",
  "eventHandlers": [
    {
      "type": "drilldown.linkToSearch",
      "options": {
        "query": "index=\"winlog\" EventCode=4625 user=$row.user.value$",
        "earliest": "auto",
        "latest": "auto",
        "type": "custom",
        "newTab": true
      }
    }
  ],
  "context": {},
  "showProgressBar": false,
  "showLastUpdated": false
}

The SPL after clicking on the table value:

index="winlog" EventCode=4625 user=$row.user.value$

Why does the $row.user.value$ not populate?