Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
We installed the Universal Forwarder on a Windows Server so we can pull data from [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] into Splunk, to monitor jobs/events. Currently, on every check, we are getting data in real time from WinEventLog. Is there a way to change the timing/interval to every 10 minutes? We already tried interval = 600, interval = <cron>, schedule = 600 and schedule = <cron>, but none of them work. May we know if you have any solution for this? Please...
I'm trying to upgrade from Splunk 8.1 to 9.0 on a single-server Windows installation. Upgrading the kvstore from mmapv1 to wiredTiger caused me some headache, but it eventually seems to work. The problem now is that I'm stuck on wiredTiger 4.0 and can't find a way to get it upgraded to 4.2. splunkd.log contains this error message:

08-03-2022 07:58:43.566 +0200 ERROR KVStoreBulletinBoardManager [7688 MainThread] - Failed to upgrade KV Store to the latest version. KV Store is running an old version, service(40). Resolve upgrade errors and try to upgrade KV Store to the latest version again.

But I can't find anything else useful in the logs.

splunk show kvstore-status --verbose

Any hints as to how to find out what's wrong? Or how to force the upgrade? I tried to delete the mongod-4.0.exe, but that caused the kvstore to fail at startup.
Hi Team, I have the following data set of two fields, recAccuracy and recAccuracyCount. I want to get the sum total of two row sets: the sum total of "PREMISE_POSSIBLE", "STREET_POSSIBLE" and "LOCALITY_POSSIBLE" as cleansed (103343), and another data set as noncleansed for the rest of the field values.

recAccuracy          recAccuracyCount
LOCALITY_POSSIBLE    64507
PREMISE_POSSIBLE     35493
STREET_DEFINITE      46134
PREMISE_PROBABLE     70789
PREMISE_DEFINITE     363709
LOCALITY_PROBABLE    10586
STREET_POSSIBLE      3343
STREET_PROBABLE      12928

Result:

noncleansed    cleansed
103343         504146

I want to draw a pie chart of these two fields. Thanks.
Hi Team, I am new to the AppDynamics tool and would like to seek your help in creating a Dashboard. Please share any links or documents which will help to create the Dashboards. Thanks, Sreenivas
Hi there - hopefully someone can help with this:

I am trying to deploy Sysmon via a deployment app, however it looks like the script is having some issues. I can see the following error in the splunkd logs:

08-03-2022 10:54:32.982 +0800 ERROR ExecProcessor [15204 ExecProcessor] - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\CONF_corp_sysmon\bin\deploy.bat"" Sharing violation

I can run the script manually with no issues. Any ideas would be much appreciated! The deploy.bat file is as follows:

IF EXIST "C:\Program Files (x86)" (
    SET BINARCH=Sysmon64.exe
    SET SERVBINARCH=Sysmon64
) ELSE (
    SET BINARCH=Sysmon.exe
    SET SERVBINARCH=Sysmon
)
SET SYSMONDIR=C:\windows
SET SYSMONBIN=%SYSMONDIR%\%BINARCH%
SET SYSMONCONFIG=%SYSMONDIR%\config.xml
SET GLBSYSMONBIN="%programfiles%\splunkuniversalforwarder\etc\apps\CONF_corp_sysmon\bin\%BINARCH%"
SET GLBSYSMONCONFIG="%programfiles%\splunkuniversalforwarder\etc\apps\CONF_corp_sysmon\bin\config.xml"

sc query "%SERVBINARCH%" | Find "RUNNING"
If "%ERRORLEVEL%" EQU "1" ( GOTO startsysmon )

:installsysmon
xcopy %GLBSYSMONBIN% %SYSMONDIR% /y
xcopy %GLBSYSMONCONFIG% %SYSMONDIR% /y
chdir %SYSMONDIR%
%SYSMONBIN% -i %SYSMONCONFIG% -accepteula -h md5,sha256 -n -l
sc config %SERVBINARCH% start= auto

:updateconfig
xcopy %GLBSYSMONCONFIG% %SYSMONCONFIG% /y
chdir %SYSMONDIR%
%SYSMONBIN% -c %SYSMONCONFIG%
EXIT /B 0

:startsysmon
sc start %SERVBINARCH%
If "%ERRORLEVEL%" EQU "1060" ( GOTO installsysmon ) ELSE ( GOTO updateconfig )
Hi, I have a CSV file that I would like to use to filter search results with an inputlookup command, but I also want to include in the returned events a comment field that is part of that same CSV. Here is an example of my table as stuff.csv:

src           user    comment
192.168.1.1           This matches with the IP only
              john    This matches with the user only
192.168.1.2   bobby   This matches with both IP and user

I would like to do something like this:

index=main [|inputlookup stuff.csv | fields - comment] | lookup stuff.csv src,user

The main problem here is that the inputlookup subsearch only returns values that have entries, which effectively act as a wildcard if the field is empty, while the lookup command treats empty fields as literal blank values. In this example, assuming all events in my index have values for src and user, only matches with the 3rd row would ever return results from the lookup command. The desired behavior is, for example:

Event contains src=192.168.1.1 and any username - The comment on row 1 is appended
Event contains user=John and any src - The comment on row 2 is appended
Event contains src=192.168.1.2 and user=Bobby - The comment on row 3 is appended

From the snippet above the following behavior is observed:

Example 1 - No comment is appended (Undesired)
Example 2 - No comment is appended (Undesired)
Example 3 - Comment from row 3 is appended as desired

Can I somehow append the comment that is associated with the matched row back to the events?
Hi, for analytical purposes we are downloading Splunk data; daily we process a large amount of data (3-4 million records). Currently we are using a native HTTP client call to the Splunk export API endpoint in C# and are able to fetch the data. We are planning to switch to the Splunk SDK for better performance. In a PoC I have used ExportSearchPreviewsAsync(), but I am not able to download the data. I am facing the issues below; it will be a great help if you guys can share your ideas.
1) Though I am setting the earliest date and latest date in the search job args, the method call is not taking those values.
2) Data is coming in XML format; I tried passing output to CSV but no luck.
3) Also, please suggest how we can save the search ID from the above method call.
I was trying to ingest data into Splunk via HEC. One field of my data is:

myKey1 = " This is my Application message log, myKey2=myValue2 in the text."

There is a Key=VALUE enclosed in the value of Field_name. Splunk will parse the data into two keys:

myKey1 = " This is my Application message log, KEY=VALUE in the text."
myKey2=myValue2

myKey2=myValue2 is part of myKey1. I don't want it. What can I do to avoid the influence of an equal sign in the text string?
Hello, can someone please help to build a rex for field extraction in one event. Currently I am using the basic rex below, but it's pulling only the first line in the results. I need all the results so I can table them.

|rex field=_raw "(TEST_DETAIL_MESSAGE\s\=)(?<MESSAGE>\w+\D+\,)"
|rex field=_raw "(TEST_COUNT\s\=)(?<COUNT>\s\d+)"
I would like to create a dashboard to show the percentage of each of my services meeting a certain performance requirement. Each request access log entry has the fields serviceName and txTime, and I would like to generate a table that shows the percentage of requests meeting my SLA requirement of, say, 1000ms. The desired output would look something like:

ServiceName    Percentage
Service1       98.9%
Service2       99%

Thank you
Hi guys, my question is: can priority (the regular P1/P2/P3 column) and job alias from the pw_map lookup be added to this alert as additional columns? I've recently started seeing some ingest issues with a few queues, and these columns would help with escalation and determining downstream impacts.
Hi, we are looking to add a custom field to our alerts to BigPanda. Is there a way to add fields natively, or a workaround done by any Splunk users? Thanks, Kay
Hello Splunk Community, I have two search heads. One search head is able to send out email alerts and the other one can't. I am using Amazon SES as the mail host. Each search head has a unique access key and has the secret key set up. I can't figure out why one of the search heads cannot send an email out and the other can. I used the sendemail command on the server with the issue and this is the error message I am getting:

command="sendemail", (535, b'Authentication Credentials Invalid') while sending mail to:<myEmailAdress>

Thoughts?
Hi folks, I just started using Splunk lately and I'm stuck with this alert that I want to create. I've been told to add priority (P1, P2, P3 column) and job alias from the pw_job_mopping lookup to this alert that already exists, as additional columns. Any help will be appreciated.
As we work on the migration to the cloud, we have the following case: we are sending the syslog data to a heavy forwarder in the cloud (and to the on-prem indexers), to its 9997 port. When the data reaches this HF, we would like to fork just the firewall data to a subset of the indexers. Is it possible to make such a routing? We would like to have something like:

[<transforms_stanza_name>]
SOURCE=index
REGEX=^firewall
DEST_KEY=_TCP_ROUTING
FORMAT=<subset of cloud indexers>
@aplura_llc_supp Hello, please see the error below. I am running the getwatchlist sample query from the About page.

|getwatchlist http://www.spamhaus.org/drop/drop.lasso delimiter=; relevantFieldName=’sourceRange’ relevantFieldCol=1 referenceCol=2 ignoreFirstLine=True comment=;

Errors:
- 'update_default_profile' referenced before assignment
- fix_values() missing 1 required positional argument: 'result'

8-02-2022 18:52:32.466 ERROR ScriptRunner [28863 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/getwatchlist/bin/getwatchlist.py __EXECUTE__ http://www.spamhaus.org/drop/drop.lasso  delimiter=; relevantFieldName=’sourceRange’ relevantFieldCol=1 referenceCol=2 ignoreFirstLine=True comment=;':   error_message="local variable 'update_default_profile' referenced before assignment" error_type="<class 'UnboundLocalError'>" error_arguments="local variable 'update_default_profile' referenced before assignment" error_filename="getwatchlist.py" error_line_number="76"

08-02-2022 18:52:32.466 ERROR ScriptRunner [28863 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/getwatchlist/bin/getwatchlist.py __EXECUTE__ http://www.spamhaus.org/drop/drop.lasso  delimiter=; relevantFieldName=’sourceRange’ relevantFieldCol=1 referenceCol=2 ignoreFirstLine=True comment=;':   error_message="fix_values() missing 1 required positional argument: 'result'" error_type="<class 'TypeError'>" error_arguments="fix_values() missing 1 required positional argument: 'result'" error_filename="getwatchlist.py" error_line_number="398"
Hello, I would like to export the page Settings->AppDynamics Agents. I looked in the API documentation but I can't find anything. My goal is to get a list of all servers (not for each app) as well as the agent version installed. I know there is an API call to get the list per application. I am looking for the export of the page Settings->AppDynamics Agents. Thanks, Nabil
Hi community, I am stuck on a problem where I have to calculate percentage and percent difference. I have 3 columns, for example:

Name | Errorcode | Result
abc  | 324       | 5
abc  | 999       | 1
abc  | Total     | 6

I want the output to look like this:

Name | Errorcode | Result | Percent of Total | Percent Difference (week over week)
abc  | 324       | 5      | 83.33            | 25
abc  | 999       | 1      | 16.67            | 100
abc  | Total     | 6      | 100              | 100

Percent Difference (week over week) should look at the errors for that Name from the prior week and give the percent difference to this week. For example, if there were 3 1027 errorcodes last week and 6 1027 errors this week, the percent difference would be 100%.
Hi, I have two search queries which result in tables as follows:

| search query1 | table type1 platform1 target1

type1  platform1  target1
X      WIN        path/cpp
X      None       path/c
X      LINUX      path/py

| search query2 | table type2 platform2 target2

type2  platform2  target2
Z      WIN        path/cpp
Z      LINUX      path/cpp

(Targets are unique based on their full path.) How can I compare both tables, by making a left join between both tables and comparing, such that:
-> join both tables where the first query table is the lead when comparing against (a left join, I believe?)
-> Count as a match only IF a target from the first query where platform = WIN exists in the second table where platform = WIN
-> Count as a match only IF a target from the first query where platform = LINUX exists in the second table where platform = LINUX
-> Count as a match only IF a target from the first query where platform = NONE exists in the second table for both platform = LINUX and platform = WIN, else no match
Then list the results in a table with total matching targets, total missing targets, total targets for type X, total targets for type Z. How can I reach this? Thanks