All Topics

Since Splunk ver. 9.0.0, anyone can clone a dashboard on a Dashboard Studio type dashboard. I would like to know how to disable this. It can be done by hiding the submenu bar.  
Ran into an issue where an index is not viewable by a particular user. So I tried to see what permissions the user has, and found that even though the user (steveng) can log in via the AD credentials, the user is not actually listed in the Users page. I also did a search with various search strings like:
|rest /services/authentication/users | search realname=* roles!=app* roles!=index* | dedup title type realname email tz roles | table title type realname email tz roles | rename title as Username realname as "Full name" tz AS "Time zone" email AS "Email address" type AS "Authentication system"
Still no result for the ghost account steveng. Any thoughts?
What is the best way to get the last login value from a DC (we have ~60 DCs)?
Hi all, I used a password for the VMware app configuration and forgot it. The password is saved in the password.conf file in encrypted format. Now we are trying to retrieve the password through a curl command against the API, but it throws <msg type="ERROR">Unauthorized</msg>.
curl -k -u username:password https://localhost:8089/servicesNS/nobody/Splunk_TA_vmware/storage/passwords/
I tried the above curl command without servicesNS and without nobody, but it is not working. Can anyone please help with this?
I have an alert configured in Splunk which should send an email when the alert is triggered. The alert is being added to the list of triggered alerts, but the email is not being sent. In the logs I see the following errors:
08-09-2022 13:30:14.510 +0200 ERROR ScriptRunner [26046 AlertNotifierWorker-0] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/mycommunity/bin/sendemail.py "results_link=https://mysplunk.example.com/app/mycommunity/@go?sid=scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194" "ssname=MYBLOG PROD Broken Requests" "graceful=True" "trigger_time=1660044614" results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194/results.csv.gz" "is_stream_malert=False"':   File "/opt/splunk/etc/apps/mycommunity/bin/sendemail.py", line 111
08-09-2022 13:30:14.510 +0200 ERROR ScriptRunner [26046 AlertNotifierWorker-0] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/mycommunity/bin/sendemail.py "results_link=https://mysplunk.example.com/app/mycommunity/@go?sid=scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194" "ssname=MYBLOG PROD Broken Requests" "graceful=True" "trigger_time=1660044614" results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194/results.csv.gz" "is_stream_malert=False"':     except Exception, e:
08-09-2022 13:30:14.510 +0200 ERROR ScriptRunner [26046 AlertNotifierWorker-0] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/mycommunity/bin/sendemail.py "results_link=https://mysplunk.example.com/app/mycommunity/@go?sid=scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194" "ssname=MYBLOG PROD Broken Requests" "graceful=True" "trigger_time=1660044614" results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194/results.csv.gz" "is_stream_malert=False"':                     ^
08-09-2022 13:30:14.510 +0200 ERROR ScriptRunner [26046 AlertNotifierWorker-0] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/mycommunity/bin/sendemail.py "results_link=https://mysplunk.example.com/app/mycommunity/@go?sid=scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194" "ssname=MYBLOG PROD Broken Requests" "graceful=True" "trigger_time=1660044614" results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194/results.csv.gz" "is_stream_malert=False"': SyntaxError: invalid syntax
08-09-2022 13:30:14.512 +0200 ERROR script [26046 AlertNotifierWorker-0] - sid:scheduler__d051859__mycommunity__RMD540c2da3bac08625c_at_1660044600_69194 External search command 'sendemail' returned error code 1.
The error message is very ambiguous, so I don't know what causes this error. It seems like a bug to me. Any ideas?
Environment: Splunk 8.2.7, OS: SLES 15 SP3
Hi, I have a table of data for which I need to display the count of "Migration Status" in a bar chart. Here is the raw data:
Location | Number of Devices | Migration Status | When Planned
Bangalore, India | 10 | Not Started | Not Known
Cork, IRE | 4 | Not Started | Not Known
Eldorado Du Sol, Brazil | 3 | Not Started | Not Known
Hopkinton, USA | 4 | Not Started | Not Known
Otemachi, Japan | 3 | Not Started | Not Known
Cyberjaya, Malaysia | 4 | Not Started | Not Known
Limerick, IRE | 4 | Not Started | Not Known
Austin, USA | 6 | Not Started | Not Known
Penang, Malaysia | 5 | Not Started | Not Known
Durham, USA | 6 | Not Started | Not Known
Singapore, Singapore | 4 | Not Started | Not Known
Santa Clara, USA | 2 | Not Started | Not Known
Sydney, Australia | 2 | In Progress | FY23 Q2
Xiamen, China | 6 | Not Started | Not Known
Here is my current output, where when I hover over "In Progress" it shows 1 and over "Not Started" it shows 13. At the moment, my query is just counting the number of rows for a particular value in "Migration Status", and this value is what is seen when hovering over each bar on the bar chart:
| inputlookup Migration-Status-Symantec3.csv | fillnull value=null | eval dummy = 'Migration Status' | chart count over "Migration Status" by dummy
What I need is the SUMMATION of "Number of Devices" for a particular value in "Migration Status". How can this be achieved? Many thanks as always.
index="indnewwrapper" | search rfq_id: | join [ search index="indnewwrapper" | search rfq_id: | eval validateEmailMessagecomplete=if(like(_raw,"%validateEmailMessage()%"), sent_date,"1900-01-01 12:00:00.000") ] | eval validateEmailMessagecomplete1=strftime(strftime(validateEmailMessagecomplete,"%A %B %d %Y %I:%M:%S %p %Z"),"%Y-%m-%d %H:%M:%S") | table pRFQ_Id,validateEmailMessagecomplete,validateEmailMessagecomplete1
I am finding a string in a search and extracting a validateEmailMessagecomplete date using the like function. I am getting the desired output, but I am not able to change validateEmailMessagecomplete1 to datetime format; it shows a blank value. I searched various posts on the forum but did not find the desired solution.
Hi Splunkers, I am trying to do a search that gives me a list of forwarders that cannot contact the Deployment Server due to being dropped by the firewall. I have the search below, but it gives me too many false positives. Is there a way I can have a search that only triggers if I have results with action!=allowed and 0 events for action=allowed? My search below:
index=firewall dest=deployment_server dest_port=8089 action!=allowed sourcetype=ops | stats count by srcIP action _date
Hi, I'm trying to make my query show all the different values from one field (Product) that are shown in the event. I have data from an event that has Product=ABC, Product=????? and Product=??. The Products will have random / different values. When I run the query it only shows me Product=ABC, not any of the others with different values in the same field.
index=X Name=* currency=* channel=* country=* state=* Product=* | stats list(Name) as Name, list(currency) as currency, list(amount) as amount, list(channel) as device, list(country) as From, list(state) as Status, list(Product) as Products |
I would like it to show all the Products from the one event. So in case there are 3 Products:
Products
ABC
?????
??
In case I have another event with four Product fields, it has to show all 4:
Products
ABC
?????
??
4th Product
Is this possible? Thank you,
Hi Splunkers, I have a Splunk index with 3 sourcetypes corresponding to each ticket type. It has millions of records from the last 10 months, and we have now started re-pulling all the data again due to 2 new fields which the client wants to onboard. Since we do not want to keep the older records which do not have the new fields, we need to find a way to identify the data eligible for deletion. Please note, all tickets have updates more than once, up to 50 times as well.
Hi Team, I'm new to Splunk and will need some help in getting this query's total sum by timestamp, as we are not explicitly setting a timestamp from the code.
|mstats sum(_value) as total WHERE index='abc' | where total>0
Hi, I am facing an issue where, when running the collect command, events are doubled in the new index test_1:
| collect index=test_1 output_format=hec
If there are 100 events in the test index, then after running the collect command with output_format=hec there are 200 events in the test_1 index. How can I resolve this event duplication?
Can someone help build the query for the below? I need to collect the configured path list (coldPath / homePath / thawedPath) by index.
Hello team, I have a Fortigate v7.2.0 connected to a FortiAP (FP221E-v7.2). After I configured Splunk as a syslog server and enabled all the logs at information level, I can see logs for traffic, UTM and VPN, but I cannot see anything in the Wireless and System pages. The Wireless and System pages are blank, no data found. I checked the raw logs on the Fortigate side and I didn't see any change in the values. Please help. Best regards.
I have successfully created a data model and created output for Windows logs. We were able to see logs under the sample log in CEF format, but now we are unable to get logs on the forwarded machine. Also, I can't see it under the sample search for CEF.
So I'm trying to create a metrics search using the following query:
index="test" identities="ident_*" src=10.11.40.0/22 OR src=10.11.48.0/22 OR src=10.11.56.0/22 OR src=10.11.64.0/22 OR src=10.11.72.0/22 OR src=10.120.40.0/22 OR src=10.120.48.0/22 OR src=10.120.56.0/22 OR src=10.120.64.0/22 OR src=10.15.8.0/22 OR src=10.15.40.0/22 OR src=10.15.48.0/22 OR src=10.15.56.0/22 OR src=10.15.72.0/22 OR src=10.15.76.0/22 OR src=10.15.80.0/22 | top src | outputlookup test-excludes-no-dedup.csv
I then take the CSV and use it here:
index="test" identities="ident_*" NOT [ inputlookup test-excludes-no-dedup.csv ] | top src
Is this the correct way to [exclude] the CIDR ranges contained within the lookup CSV? I get some results doing this, but here it is, almost 1AM, and I'm starting to question whether OR is correct. Maybe I should be using AND? I want to find all the 'src' items that are not in those CIDR ranges in the CSV. Am I going about it correctly?
Is there a way to monitor the status of all lookup files through a search query? I would like to specifically show all lookups that are unreadable and alert on these.
The scenario is: a lookup CSV has become unreadable. A lookup definition exists for it. The lookup was deleted and recreated. The existing definition was not changed. My question is: can a lookup be recreated and use the existing lookup definition?
Hi everyone, I want to upload a customer app to Splunk (like the picture). If I create an app, is it automatically uploaded to the app market?
Hello Splunkers, I have a field called GPU which has values GPU0, GPU1, GPU2, GPU3, etc. Some hosts might have 7 values, some might have 4 and some might have 3. I want to compare the current GPU values with the previous event for that host; if there is a difference I want to show what the difference is, and if it is the same then show no difference. For example:
Current Event: GPU0,GPU1,GPU2,GPU3,GPU4,GPU5,GPU6,GPU7
Previous Event: GPU0,GPU2,GPU6,GPU7
I want to output the difference: GPU1,GPU3,GPU4,GPU5
Thanks in advance.