Hello, I write this message because I have an issue with Splunk UI and an SPL search. I'm a new developer and I am discovering the Splunk UI framework. Everything was fine until now. When I use raw data in the dashboard it works, but when I put in an SPL search like:

search3: {
    type: 'ds.search',
    options: {
        query: "index=\"phantom_container\" | dedup id | search severity = \"critical\" | stats count",
        queryParameters: {
            earliest: "-7d@d",
            latest: "now",
            meta: {},
        },
    },
},

Splunk says that a TenantId is required. I don't understand this issue. Can you resolve it or give me a solution please? Any help is welcome.
Hi, I have a series of bar charts and when I hover over each bar, I currently see the count value. What I actually need is the percentage value. Here is my current query and bar chart:

| inputlookup Migration-Status-All.csv
| search Vendor = "Symantec"
| eval dummy = 'Migration Comments'
| chart count over "Migration Comments" by dummy

How can I change my query to show a percentage when hovering over each bar? Many thanks, Patrick
Hello all, I have an app developed on my Linux Splunk sandbox and it is working fine. After copying it to the deployment server and deploying it to a UF running on Linux, it's not running at all. The inputs.conf is:

[script://$SPLUNK_HOME/etc/apps/PBNL_getTVlogs/bin/getTVlogs.sh]
disabled = false
interval = 0 14 * * *
index = tvlogs
sourcetype = TVlogs

[monitor://$SPLUNK_HOME/etc/apps/PBNL_getTVlogs/logs/TVlogs.csv]
disabled = false
index = tvlogs
sourcetype = TVlogs

So what's wrong here? Any help is welcome.
I am new to Splunk and still working out the kinks. However, I'm wondering why, although I have the iplocation of clients etc., when I want to select just one country in the country field and I select one, it gives me nothing. How do I get around this?
Hello Community, We have 2 target groups to route events to (2 indexers, one is ours and the other a 3rd party). I want to configure a Splunk HF to route events which do not contain a particular keyword (like a NOT operation) to one target group, and all events to the other target group. For example, below should be my transforms.conf, except that I am not sure about the REGEX setting.

transforms.conf
[specific_events]
REGEX = "NOT ping"
DEST_KEY = _TCP_ROUTING
FORMAT = specific_event_targetgroup

[all_events]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = all_event_targetgroup

I have tried a few regex commands, ^(?!.*ping).* and ^((?!ping).)*$, which worked in regex101 and the Splunk UI search but not in the conf files. Once I applied these regex commands to the conf file, no events were reaching the indexers. Can someone help with this?
Dear Community, I am new to Splunk so apologies for the newbie question.

Basic Problem
I have a field which holds an Object and I am having difficulties retrieving a value from a specific key within this object.

Purpose
I am running a search and I want to retrieve two datetime values from two separate keys within a field, find the difference between these 2 datetime values and finally return a list of events where the difference is less than a particular value. I know how to return a table of results based on simple criteria and can perform datetime manipulations; I just cannot retrieve the actual datetime values needed to make the calculation. *I can successfully store the whole object to a variable using the eval command but cannot extract the value from it.

Assumptions
The thing I am working with is indeed an Object, i.e. a dictionary-style list in the following format: {"key1" : "value" , "key2" : "value" , "key2" : "value"}
I am attempting to extract the value using the eval command.

Any help would be greatly appreciated. Kind regards, Ben
Hello Splunk team, I am trying to find a logic to disable the alerts in a particular app while I disable maintenance mode in the master app. Is this possible in Splunk? Please help me out with this.
Hello everyone, I want to make a search that searches events in index1, and if it finds an event, the search should take a field from it and make a search with this field in another index. If there are 0 events with this field, then alert. Is it possible?
Hi, I have some problems with creating an spl file, which is used to integrate into Splunk ES.
I have installed the Splunk Add-on for Microsoft Office 365 Reporting Web Service 2.0.0. I'm getting:

requests.exceptions.HTTPError: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-05T14:01:45.002473Z'%20and%20EndDate%20eq%20datetime'2022-08-05T15:01:45.002473Z'

We are using Modern Authentication (OAuth). As per the doc we have Office 365 Exchange Online -> ReportingWebService.Read.All. Is Exchange Administrator mandatory?
I am working on a dashboard, where I have to display the timelines for multiple dates.

Release   In ST (Start Date)   In ST (End Date)   In RT (Start Date)   In RT (End Date)   In ET (Start Date)   In ET (End Date)
22.1
22.2      03/01/2022           20/01/2022         25/01/2022           02/02/2022         03/02/2022           11/02/2022
22.3      24/01/2022           10/02/2022         16/02/2022           23/02/2022         24/02/2022           04/03/2022
22.4      16/02/2022           03/03/2022         08/03/2022           16/03/2022         17/03/2022           03/03/2022

The dates are as above. I managed to display the timeline for 2 dates, but when I incorporate multiple dates, the dashboard gets distorted. This is what I want. This is what I have implemented. This is my search:

| rename "PR_Go_Live" as In_PR "In_ST_Start Date" as ST_Start_Date "In_ST_End Date" as ST_End_Date "In_ST_End Date" as RT_End_Date
| eval start = strptime(ST_Start_Date, "%d/%m/%Y")
| eval end = strptime(In_PR, "%d/%m/%Y")
| eval duration = (end - start) * 1000
| stats count by start ST_End_Date ST_End_Date duration Release
| table start Release ST_End_Date duration
I am trying to download a vulnerability report for 1000 hosts. Instead of providing them in the Splunk query, I thought of uploading them in csv format and fetching the data. Is it possible in Splunk?
Hi guys, I found that the data transmitted by my security device was inconsistent with the amount found when searching. When I checked the cause, I found a large number of similar error logs in the splunkd.log file of the Indexer server, and the error contents were as follows:

08-10-2022 18:01:52.492 +0800 ERROR HttpInputDataHandler - Failed processing HTTP input, token name=****_traffic, Channel =n/a, source_IP=1*.*.*, reply=10, events_processed=0, http_input_body_size=2014

What is the cause of this and how can I solve this problem? Thank you for any help; every suggestion may be very helpful to me. Thank you!
Hi, I have a bunch of failure events of different API endpoints. The field is called RequestPath and some examples are:

/v1/locations/45BH-JGN
/v1/exceptions/ABS/12
/v1/exceptions/ODD/13
/v2/absence/100

Basically, I am trying to extract only the endpoints without the ids, so that I can get a count of which endpoints are failing, for example:

/v1/locations/ --- 1 failure
/v1/exceptions/ABS/ --- 4 failures
/v1/exceptions/ODD/ --- 10 failures

etc. How can I do this?
Hello! New to Splunk. I'm trying to make a dashboard to find Change tickets in our environment to help with outage diagnostics. Long story short, I'd like to have the Time Range Picker apply to fields that contain dates, but not the _time field. There are two fields specifically, Start Date and End Date, that I would like to work with. I'd like the Time Range Picker to apply to the dates in the Start Date and End Date fields instead of _time. Is there any way to do this for one, if not both, fields?
I know I can use tokens inside CSS within an XML dashboard to automatically change styles by changing settings through tokens, but this does not seem to work if the CSS is loaded via stylesheet="xx.css" in the dashboard. Is there any way to create CSS that can be dynamic based on the values of tokens? I'm looking to have user-definable colour schemes through colour values defined in config.
New Splunk user. I installed Splunk on my Windows machine and I want to receive logs, and how do I find a logon event? In the search index there are only the default index=internal and audit, so are these logs the same as received login event logs? Is a logon event detected if a user accesses this Windows machine? Do I need to install any third-party application to get logs? Because the Splunk forwarder is a remote way to send logs, how can I do that on the local machine? I want to check user login events in Splunk. Example: if a user accesses this Windows machine, then the Splunk SIEM job is to check the logon event log details, like whether only people with a valid IP access this Windows machine or not.
Hello All, Splunk Enterprise version 8.1. After a recent server crash, our Splunk instance isn't coming up. The splunk service isn't starting despite us having gracefully rebooted the server once. The error is that it thinks TCP port 8089 is already occupied by splunk itself despite the splunk service not running. Please see the output below. Even if I force kill the process ID related to 8089/TCP, the system automatically spawns a new process ID and shows 8089 as occupied yet again by splunkd. This is going in an endless loop. There is nothing in the splunkd.log file to indicate this weird behavior. What is making splunk launch a new process automatically despite us force killing the PID? I have tried https://community.splunk.com/t5/Deployment-Architecture/How-to-resolve-error-quot-ERROR-The-mgmt-port-8089-is-already/m-p/357386 but no luck. As mentioned, we even restarted the host.

[svc-splunk@hostname bin]$ ./splunk status
splunkd is not running.
[svc-splunk@hostname bin]$ ./splunk start
Splunk> The Notorious B.I.G. D.A.T.A.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: not available
ERROR: mgmt port [8089] - port is already bound. Splunk needs to use this port.
[root@hostname bin]# netstat -tulpn | grep 8089
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 7523/splunkd
[root@hostname bin]# kill -9 7523
[root@hostname bin]# netstat -tulpn | grep 8089
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 7979/splunkd
[root@hostname bin]# kill -9 7979
[root@hostname bin]# netstat -tulpn | grep 8089
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 8452/splunkd
[svc-splunk@hostname bin]$ ./splunk status
splunkd is not running.

Any suggestions? If reinstalling is the only option, then please suggest how to take a backup of this Deployment Server and restore it. This is a Deployment Server with over 500+ clients phoning home to it. Thanks
I have an alert where I want the date and time below to be displayed in the email subject. Here the alert is getting the data from March 02,2022 8:00pm to March 03,2022 8:00pm, i.e. from yesterday 8:00pm to today's 8:00pm, and the alert will get triggered every day at 11pm. I want to get the date and time like shown below: March 02,2022 8:00pm to March 03,2022 8:00pm. Thanks in advance
I have 2 searches from two individual log files with Txid in common (could be an outer join). In the first search I get the Txid from source file A and get the duration of that transaction. The second search (I used the Drilldown Editor to create a click event --> Set TxnId=$click.value$) is to retrieve appname, columns from a SQL statement, host and status by the selected Txnid. I'd like to make these two outputs one result. How do I do it? The exact syntaxes I used are as follows:

index="IDX" (host="PRhosts") source="WS.webapi.log" "Controller.Post" "- End"
| rex field=_raw "s/^.* {/{/" mode=sed
| spath output=status path=stat
| rex field=_raw "\s+T+\s(?<txid>.*?)\s+Controller\\.Post\s\\-\s(?<duration>.*?)\s\\-\s+End"
| sort - duration
| table txid duration

index="IDX" (host="PRhosts") source="*WS.Business.Milestones.log"
| rex field=_raw "s/^.* {/{/" mode=sed
| spath output=nv path=flds{}.nv
| spath output=status path=stat
| spath output=tid path=tid
| spath output=fn path=flds{}.fn
| search tid=$Txnid$
| table fn nv host status tid

WS.Webapi.log raw data looks like the one line below (and you can guess there is a "- Begin" somewhere above, but there is no duration recorded):

08/10/22 19:21:18.33 p06712 [00017] T M2kYTm7ywE6RFEnqc9m_1g Controller.Post - 00:00:00:270 - End

WS.Business.Milestones.log raw data looks like the following:

08/10/22 19:26:03.44 p08604 [00106] T {"tid":"H2R2JPpkiECRHW5hEszG3Q","sid":"T1-COOLSECURITY:CSAPPAUTH-{E7690AF7-D1F0-4A84-A612-7E47C9F07679}","stat":"Success","sf":"EmployeeLogic","sm":"GetAsync","dt":"2022-08-10T23:26:03.4462133Z","flds":[{"fn":"username","nv":"HostedRedirGlobalEmployeeWS_PR"},{"fn":"dbQueries","nv":"SQL_QUERIES=SELECT emp.EMP_ID, emp.REPORTS_TO_SCID, emp.DEPT_CODE , emp.EMP_ID\n FROM coolemp.SHIPS_COOL2 emp\n WHERE ((UPPER(emp.SYSTEM_PERSON_TYPE) != UPPER('Pending Worker'))) AND ((UPPER(emp.USER_SID) = UPPER(:emp_userSid)))"}]}

So I'd like to know how to join the above 2 results into one so I can show the duration, with the fn and nv values that have the SQL field "emp.Last_Updated_Date".