All Topics

Is there a way to rename subfields based on a condition? Some of our applications log into fields, say message.message.A, message.message.B, etc., and some apps log the same fields in message.message.log.A, message.message.log.B, etc. Currently in my query, if I have to search for both, I use this:

index=* NOT message.message.log.A
| rename message.message.* AS *
| append [search index=* message.message.log.A=* | rename message.message.log.* AS *]
<more commands here>

Somehow when I use this it doesn't produce the expected number of events:

index=*
| rename message.message.* AS *
| rename log.* AS *
<more commands here>

There are about 20 of those similarly named subfields that are either in message.message.* OR message.message.log.*. What is a better (or best) alternative to append?
For some reason there are entries that are not grouped together, but obviously look like they should be. In the following table, 2 rows with serviceTicketId = 00dcfe68-25d8-4c58-9228-5fc8f7ddb9d1 are on separate rows, while other serviceTicketIds such as 00c093f4fc527e5ff7006566b1a0fd90 have one row, but multiple event times. Here is my query:

(index=k8s_main "*Published successfully event=[com.nordstrom.customer.event.OrderLineReturnReceived*")
  OR (index="k8s_main" cluster="nsk-oak-prod" "namespace"=app04096 "*doPost - RequestId*")
  OR (index=k8s_main container_name=fraud-single-proxy-listener message="Successfully sent payload to kafka topic=order-events-avro*" contextMap.eventType="OrderLineReturnReceived")
| rename contextMap.orderId AS nefiOrderId contextMap.serviceTicketId AS nefiServiceTicketId
| rex field=eventKey "\[(?<omsOrderId>.*)\]"
| rex field=serviceTicketId "\[(?<omsServiceTicketId>.*)\]"
| rex "RequestId:(?<omniServiceTicketId>.*? )"
| rex "\"orderNumber\":\"(?<omniOrderId>.*?)\""
| eval appId = mvappend(container_name, app)
| eval orderId = mvappend(nefiOrderId, omsOrderId, omniOrderId)
| eval serviceTicketId = mvappend(nefiServiceTicketId, omsServiceTicketId, omniServiceTicketId)
| stats dc(_time) AS eventCount values(_time) AS eventTime values(appId) AS app BY serviceTicketId orderId
| eval timeElapsed = now() - eventTime
Hello, I have inherited a set of Splunk servers, and three are search heads. Some of the apps on the search heads are installed directly. I would prefer to manage those apps from the deployment server. I have found lots of information about deploying apps via single-instance/distributed, but not a lot on how to move an app from a single instance to a deployment server. In my brain, the procedure looks like this:

1. On the search head, tar up the app from $SPLUNK/etc/apps/<appname>
2. Copy the tar file to the deployment server
3. Untar the file into $SPLUNK/etc/deployment-apps
4. Uninstall or disable the original app on the original search head
5. Map the new app to a serverclass and to the client system (the original search head)

Is this correct?
--jason
Hello, I've encountered a problem while trying to download Splunk Enterprise. I log into my account and reach this page: https://www.splunk.com/en_us/download/splunk-enterprise.html I press the download button, a little loading circle appears, and then a 401 status is received from this URL: https://eula.splunk.com/api/v1/session/callback I also added a screenshot for clarification. What's wrong with my account? I've been using it for the past year without any problems. I've tried multiple browsers and devices.
Hi, when creating a dashboard in the new Dashboard Studio, I have a lot of inputs for filters. I would like to break the inputs (or group them) onto a new line so that the inputs are more easily reviewed. Example: line 1 – inputs for Asset (like Hostname, IP Address, …), line 2 – inputs for, for example, vulnerabilities (cve, base_score, …). I don't see any option to move an input onto a new line; this is now very uncomfortable as it is just lots of inputs without clear visibility (and it depends on screen size where an input will be, first row or second row). I saw lots of solutions for Classic dashboards, but what about the new Dashboard? Thank you.
I'm having trouble extracting some dates from a date field. Certain assets were provided with a generic date, and I can't seem to extract the date for these events. Sample data:

lastscan                  newdate
2022-08-10T06:51:33.874Z  2022-08-10
2022-08-10T00:06:19.920Z  2022-08-10
1969-12-31T23:59:59.999Z

SPL:

| eval newdate=strptime(lastscan,"%Y-%m-%d")
| eval newdate=strftime(newdate,"%Y-%m-%d")

As you can see, the events with the 1969 date are not extracting as expected and I'm getting no results for the "newdate" field. Any thoughts on how I can extract the date from the 1969 events?
I have a particular source/sourcetype; is there a way (through SPL) to get the name of the forwarder from which this particular source feed is coming?
Hopefully I can explain this so it's not too confusing and I'm not overcomplicating things.... I'm currently setting a token based on a particular click value, which is used to drive other charts in the dashboard. I'm looking to expand upon that and look up a second token based on that token by appending something like _IntValue to the token name. Here's an example:

1) I first set static token int values in the dashboard based on what values will appear in the first chart. The first chart will have click values of "Sample Click" and "Sample 2 Click". I want to manually say that the IntValues for those are 20 and 60.

<set token="Sample Click Value_IntValue">20</set>
<set token="Sample 2 Click Value_IntValue">60</set>

2) When I click on the dashboard and the value is "Sample Click", I want to be able to use "Sample Click_IntValue" as a token in another chart.

The real-life scenario is that certain click values will already be calculating total initiations over a period of time. Each one of those initiations takes X hours to complete. I want to detail how one particular task that takes 20 hours each attempt and was run 20 times over a period of time equates to 400 hours over that period, and when another task is clicked that takes 60 hours to complete and was run 10 times over a period of time, that equates to 600 hours. Thanks in advance!!!!
My customer's certificates expired and they followed the procedures for submitting and requesting a third-party certificate. The CA returned a CA certificate that was already combined, so the customer did not have to combine their certificates. When trying to start Splunk, it will not start. When comparing all the certificates with the previous ones, one thing we noticed was that the private key had a heading "--BEGIN RSA PRIVATE KEY --" instead of "--BEGIN PRIVATE KEY--", and two new lines after it stating "Proc-Type" and "DEK-Info". The customer is on Splunk v8.2.7, Windows 64-bit. The keys are DoD CA60. I am wondering if the private key is not in the correct format. Should the customer re-submit a request to generate a new key from the CA?
We are trying to standardize our nomenclature on indexes. Is it possible to rename an index along with moving data from the old index to the new index name? Example: index "fit_azure" needs to change to "top-azure". Are there things to consider that I'm probably not keeping in mind? My concerns with doing this are:

- Would renaming the index require re-ingesting of data? If so, what about when ingesting data into an index can sometimes delete the log on the system inputting into Splunk?
- How would this impact storage, hot/warm/cold and all that? Would previous storage be inaccessible to the new index name?
- Would permissions on viewing the index change?
Since Splunk ver. 9.0.0, anyone can clone a dashboard on a Dashboard Studio type dashboard. I would like to know how to disable this. It can be done by hiding the submenu bar.  
Ran into an issue where an index is not viewable by a particular user. So I tried to see what permissions the user has, and found that even though the user (steveng) can log in via the AD credentials, the user is not actually listed on the users page. I also did a search with various search strings like:

| rest /services/authentication/users
| search realname=* roles!=app* roles!=index*
| dedup title type realname email tz roles
| table title type realname email tz roles
| rename title as Username realname as "Full name" tz AS "Time zone" email AS "Email address" type AS "Authentication system"

Still no result on the ghost account for steveng. Any thoughts?
What is the best way to get the last login value from the DCs (we have ~60 DCs)?
Hi All, I used a password for the VMware app configuration and forgot the password. The password is saved in the password.conf file in encrypted format. Now we are trying to retrieve the password through the curl command API, but it is throwing <msg type="ERROR">Unauthorized</msg>.

curl -k -u username:password https://localhost:8089/servicesNS/nobody/Splunk_TA_vmware/storage/passwords/

I tried the above curl command without servicesNS and without nobody, but it is not working. Can anyone please help with this?
I have an alert configured in Splunk which should send an email when the alert is triggered. The alert is being added to the list of triggered alerts, but the email is not being sent. In the logs I see the following errors:

08-09-2022 13:30:14.510 +0200 ERROR ScriptRunner [26046 AlertNotifierWorker-0] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/mycommunity/bin/sendemail.py "results_link=https://mysplunk.example.com/app/mycommunity/@go?sid=scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194" "ssname=MYBLOG PROD Broken Requests" "graceful=True" "trigger_time=1660044614" results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194/results.csv.gz" "is_stream_malert=False"':   File "/opt/splunk/etc/apps/mycommunity/bin/sendemail.py", line 111
08-09-2022 13:30:14.510 +0200 ERROR ScriptRunner [26046 AlertNotifierWorker-0] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/mycommunity/bin/sendemail.py "results_link=https://mysplunk.example.com/app/mycommunity/@go?sid=scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194" "ssname=MYBLOG PROD Broken Requests" "graceful=True" "trigger_time=1660044614" results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194/results.csv.gz" "is_stream_malert=False"':     except Exception, e:
08-09-2022 13:30:14.510 +0200 ERROR ScriptRunner [26046 AlertNotifierWorker-0] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/mycommunity/bin/sendemail.py "results_link=https://mysplunk.example.com/app/mycommunity/@go?sid=scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194" "ssname=MYBLOG PROD Broken Requests" "graceful=True" "trigger_time=1660044614" results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194/results.csv.gz" "is_stream_malert=False"':                     ^
08-09-2022 13:30:14.510 +0200 ERROR ScriptRunner [26046 AlertNotifierWorker-0] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/mycommunity/bin/sendemail.py "results_link=https://mysplunk.example.com/app/mycommunity/@go?sid=scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194" "ssname=MYBLOG PROD Broken Requests" "graceful=True" "trigger_time=1660044614" results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194/results.csv.gz" "is_stream_malert=False"': SyntaxError: invalid syntax
08-09-2022 13:30:14.512 +0200 ERROR script [26046 AlertNotifierWorker-0] - sid:scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194 External search command 'sendemail' returned error code 1.

The error message is very ambiguous, so I don't know what causes this error. It seems like a bug to me. Any ideas?

Environment: Splunk 8.2.7
OS: SLES 15 SP3
Hi, I have a table of data for which I need to display the count of "Migration Status" in a bar chart. Here is the raw data:

Location                 Number of Devices  Migration Status  When Planned
Bangalore, India         10                 Not Started       Not Known
Cork, IRE                4                  Not Started       Not Known
Eldorado Du Sol, Brazil  3                  Not Started       Not Known
Hopkinton, USA           4                  Not Started       Not Known
Otemachi, Japan          3                  Not Started       Not Known
Cyberjaya, Malaysia      4                  Not Started       Not Known
Limerick, IRE            4                  Not Started       Not Known
Austin, USA              6                  Not Started       Not Known
Penang, Malaysia         5                  Not Started       Not Known
Durham, USA              6                  Not Started       Not Known
Singapore, Singapore     4                  Not Started       Not Known
Santa Clara, USA         2                  Not Started       Not Known
Sydney, Australia        2                  In Progress       FY23 Q2
Xiamen, China            6                  Not Started       Not Known

Here is my current output, where when I hover over "In Progress" it shows 1 and over "Not Started" it shows 13. At the moment, my query is just counting the number of rows for a particular value in "Migration Status", and this value is what is seen when hovering over each bar on the bar chart:

| inputlookup Migration-Status-Symantec3.csv
| fillnull value=null
| eval dummy = 'Migration Status'
| chart count over "Migration Status" by dummy

What I need is the SUMMATION of "Number of Devices" for a particular value in "Migration Status". How can this be achieved? Many thanks as always.
index="indnewwrapper"
| search rfq_id:
| join [ search index="indnewwrapper" | search rfq_id: | eval validateEmailMessagecomplete=if(like(_raw,"%validateEmailMessage()%"), sent_date,"1900-01-01 12:00:00.000") ]
| eval validateEmailMessagecomplete1=strftime(strftime(validateEmailMessagecomplete,"%A %B %d %Y %I:%M:%S %p %Z"),"%Y-%m-%d %H:%M:%S")
| table pRFQ_Id,validateEmailMessagecomplete,validateEmailMessagecomplete1

I am finding a string in a search and extracting a validateEmailMessagecomplete date using the like function. I am getting the desired output, but I am not able to change validateEmailMessagecomplete1 to datetime format; it shows a blank value. I searched various posts on the forum but did not find the desired solution.
Hi Splunkers, I am trying to do a search that gives me a list of forwarders that cannot contact the deployment server due to being dropped by the firewall. I have the search below, but it gives me too many false positives. Is there a way I can have a search only trigger if I have results with action!=allowed and 0 events for action=allowed? My search below:

index=firewall dest=deployment_server dest_port=8089 action!=allowed sourcetype=ops
| stats count by srcIP action _date
Hi, I'm trying to make my query show all the different values from one field (Product) that it is showing in the event. I have data from an event that has Product=ABC, Product=????? and Product=??. The Products will have random/different values. When I run the query it will only show me Product=ABC, not any of the others with different values but the same field.

index=X Name=* currency=* channel=* country=* state=* Product=*
| stats list(Name) as Name, list(currency) as currency, list(amount) as amount, list(channel) as device, list(country) as From, list(state) as Status, list(Product) as Products

I would like it to show all the Products from the one event. So in case there are 3 Products:

Products
ABC
?????
??

In case I have another event with four fields with Products, it has to show all 4:

Products
ABC
?????
??
4th Product

Is this possible? Thank you,
Hi Splunkers, I have a Splunk index with 3 source types corresponding to each ticket type. It has millions of records from the last 10 months, and we have now started re-pulling all the data again due to 2 new fields which the client wants to onboard. Since we do not want to keep the older records which do not have the new fields, we need to find a way to identify the data eligible for deletion. Please note, all tickets have been updated more than once, up to 50 times as well.