All Topics
This gives me the following warnings:

PS C:\Program Files> .\SplunkUniversalForwarder\bin\splunk.exe btool --check --debug
Unrecognized argument: --check
PS C:\Program Files> .\SplunkUniversalForwarder\bin\splunk.exe btool check --debug
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\default-mode.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\health.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\limits.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\outputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\props.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\server.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\web.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\default\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\default\inputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\default\server.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\props.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\restmap.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\transforms.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\transforms.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\manager-apps\_cluster\default\indexes.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf
Invalid key in stanza [webhook] in C:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf, line 22 9: enable_allowlist (value: false).
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\system\default\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\audit.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\authentication.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\authorize.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\system\default\conf.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\default-mode.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\system\default\federated.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\global-banner.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\health.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\limits.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\livetail.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\messages.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\metric_alerts.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\metric_rollups.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\procmon-filters.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\props.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\restmap.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\server.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\source-classifier.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\system\default\telemetry.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\transforms.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\visualizations.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\web-features.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\web.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\workload_policy.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\workload_pools.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\workload_rules.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\local\authentication.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\local\migration.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\local\server.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\local\user-seed.conf
PS C:\Program Files>

When I try to upgrade the Universal installer to splunkforwarder-9.0.1-82c987350fde-x64-release.msi, the install process hangs. But finally it went on. I'm looking for a workaround for these warnings on my Windows Forwarder.
I have a dashboard that gets its base query from a dropdown option; to run that base query it takes the values from other dropdowns, populates them and then runs the search. This is a part of the query:

<input type="dropdown" token="tokSearchOption1" searchWhenChanged="true">
<label>Select Query</label>
<choice value="Orginal">Original</choice>
<choice value="Filtered">Filtered</choice>
<change>
<condition value="Orginal">
<set token="tokSearchQuery">index=pos | fields host,_raw | rex field=host "REG(?&lt;store_id&gt;\d{1,4})(?&lt;register_id&gt;\d{1,2})" | search store_id="$store_id$" AND register_id="$register_id$"

where the store_id and register_id values are rendered from another dropdown. But when we hit submit in the dashboard for the first time, the query shows no result, and this is due to the fact that it is not able to render the dropdown values from the others, i.e. it is not taking the value from the store_id dropdown and the register_id dropdown. This happens just the first time the dashboard is loaded, but from then on it works fine! How do I fix the issue?
Hi, I am having some trouble merging two searches and I am looking for the best way to do this. We have firewall traffic with NAT that is done on two levels. My goal is to be able to identify the flow with original and NATed IP addresses. Let me explain:

FW1 : src1,dst1,xlatesrc1,xlatedst1
FW2 : src2 (=xlatescr1), dst2 (=xlatedst1), xlatedst2
goal = table : src1,dst1,xlatesrc1,xlatedst1 (=xlatedst2 if it exists, xlatedst1 instead)

I have made something like:

search_FW1 | stats by src1,dst1,xlatesrc1,xlatedst1 | join left=[ search search_FW2 | stats values(xlatedst2) as xlatedst1 by src2] | rename src2 as xlatesrc1 | table src1,dst1,xlatesrc1,xlatedst1

But I have noticed that if src2 does not exist in search_FW1, I lose the event from my main search (search_FW1) :(. I thought that the "left" parameter of "join" should solve the issue, but it does not... Any idea how to avoid it (and maybe optimize my search, as I have seen that "join" has poor performance)? Thanks
Hi, is it possible to hide the values of the chart overlay on Dashboard Studio, to simulate a trend line?
Hi all, How do I get two fields ("ip numbers") in a timechart? I tried the aggregate fields, but they show up wrong in my visualisation of src and dst ip.

index=firewall dest_ip=* src=* dest_port=8090 action=blocked | eval dstsrc=dest_ip . src | timechart count by dstsrc

Regards Jan
Hi Team, I am unable to open my Splunk Cloud REST API URLs on my local machine. Do we need to enable something on my local machine? Please find the error below. Thanks, Venkata Krishna
Hello, Is there any App or Add-on for Imperva DAM logs? Currently I'm getting logs in CEF format. If not, can I use the Imperva Add-on for WAF logs instead? Does it work? If so, what would the required configuration be?
I saw there are responses from 2013 and 2015 that you cannot rename a report. Why is this still not a thing? Is there something preventing this from being added? This seems very basic, and it is disappointing that I cannot change my report without deleting and recreating it.
All, What is the best way to update a KV store using automation: a Python script or APIs? I am looking to take data from logs in a file and update a KV store based on that data or extract.
Can we invoke custom JavaScript or CSS in the Dashboard Studio App to add animations? If yes, how?
How to display input or value errors in a pop-up? I am trying to build a custom command and want to show errors raised or returned in a pop-up or modal. For example: in inputlookup, if no csv name is provided, it will return the error below. How do I show it in the form of a pop-up or modal? Also, how do I remove the first line and display only the 2nd and 3rd lines? @splunk @niketnilay
Hi Community! If I know the SID (search ID), is there a way I can see the scheduled job/report/search associated with the SID?
We removed a number of files to prevent problems with log4j. Now when I run a file integrity check, the missing files are showing up as "missing". Since we know we removed them, I would like to have the file integrity check skip those files. How do I do this?
I'm using my on-prem DS to push out apps to my UFs. The current cert has expired; how can I push a new cert to my UFs? I see that in my DS I have a directory /opt/splunk/etc/deployment-apps/100_splunkcloud/default/. In this directory I have a server.pem file with last year's date. Is this where I need to move the new pem file? I thought it was in the /opt/splunk/etc/deployment-apps/100_splunkcloud/local directory instead. Thank you!
Hello, I have one data source that is getting fed through the inputs.conf file located under the default folder, and it is currently assigned to one sourcetype. It has files with 3 different naming conventions and I have to create three sourcetypes based on that. How should I do it? Should I create separate configuration files (props and inputs) inside the local folder and assign 3 sourcetypes, leaving the inputs.conf file under the default folder as it is? Or should I make changes within the inputs.conf located in the default folder? But it is recommended not to make any changes within the default folder. Your recommendation would be highly appreciated. Thank you!
Hi there, So I first downloaded the Machine Learning Toolkit app but was not able to run the app due to this error: "Python for Scientific Computing is a Splunk Add-on that includes several Python libraries for scientific computing, including numpy, scipy, pandas, scikit-learn, and statsmodels. Several of the dashboards included in the Machine Learning Toolkit require these modules. Please download and install the platform-specific version of this add-on that is appropriate for your Splunk Search Head:" So I downloaded the correct add-on, Python for Scientific Computing, but neither of the apps is working.
Below is the sample log:

{[-] context: default level: INFO logger: logginfdata.pre-request.util mdc: { [+] } message: this is a json request [evenId=76546787678888899999]] thread: RealtimeExecutor-1999 timestamp: 2022-03-23 15:44:41.965 }

May I know how I can write props for this kind of log?
In Splunk Enterprise 9.0.0.1, I scheduled a saved search with an invalid macro name in it. When run, I receive the following error message, as I should:

Error in 'SearchParser': The search specifies a macro 'my_macro' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

The search was skipped, the error was logged to scheduler.log, and the log was ingested into _internal, all as expected. However, the reason field gets cut off because of the quotation marks in the error message. It thinks the field value ends at "have" when it should end at "information." I believe this is a minor defect. Is there any way to submit a bug report? I tried creating a case but received a message saying I don't have a Support Contract or entitlement to do so. Can anyone point me in the right direction? Thanks!

Edit: Created Splunk Ideas post: https://ideas.splunk.com/ideas/EID-I-1586
I recently re-installed the MS Windows AD Objects app due to some issues. After the re-install, I tried the lookups build configuration wizard, but it doesn't seem to build lookups even though the wizard ran successfully with all green "successful" messages. I tried resetting the admon baseline and adding a manual domain input, but still no luck. Indexes look correct, the log is still getting ingested, and I used the pre-defined TA inputs.conf files, mainly working with 1 DC. This DC has the apps below.

Splunk_TA_windows
Splunk_TA_windows_dc
Splunk_TA_windows_admon

The main lookup I'm trying to build is 'AD_User_LDAP_list', as my searches with this lookup show the error message "The lookup table 'AD_User_LDAP_list' requires a .csv or KV store lookup definition." Can somebody point me in the right direction to fix this issue?
Hello, I currently have the DB Connect plugin installed to receive the logs from an Aurora database. To date everything works without problem, but my client tells me that he needs to go from version 11.6 to version 11.5. I would like to know if I should do something, or whether the fact that it is already working with the current version implies that a higher version should not affect anything? https://docs.splunk.com/Documentation/DBX/3.8.0/JDBCPostgres/About