Hi guys, when I use Splunk search, it doesn't suggest auto-complete for fields. It is crucial. It is almost impossible to know all fields, and searching for fields in the list on the left side and then copying them is just a waste of time, especially when the fields are JSON objects ( A.B.C{a:b,c:d,e:[a,b,c]} ). Am I missing something? Is there a feature or an add-on that provides this ability?
Hi everyone, I have a table like below:

_time       status
01/10/2021  inactive
02/10/2021  active
03/10/2021  active
04/10/2021  active
05/10/2021  active
06/10/2021  inactive
07/10/2021  inactive
08/10/2021  inactive
09/10/2021  active
10/10/2021  active
11/10/2021  active
12/10/2021  active
13/10/2021  inactive
14/10/2021  inactive

The requirement is to use Splunk to show the periods when status is inactive (not by each day like the table). Do you have any idea, please? Thanks a lot!
Hello Splunkers, I would like to have better insight into my license usage, but the "Squash_threshold" default conf is not enough. I have been looking here to see if there were answers; sadly there are few, and the rare ones that exist are a little old. The documentation says to ask a Splunk expert, but my contact is on holiday, so I would like to try to move forward anyway. So, do you have any recommendations on this setting and the possible consequences if I increase it? Thanks in advance, Best regards,
Hi, I have logs in the below format:

X.X.X.X. - - [02/Aug/2022:10:31:18 +0200] "GET /api/mc/v0.1/agendas/view/background-tasks?is-details-required=false HTTP/1.1" 200 20 "-" " "https://XXX.AAA.COM" "Mozilla/5.0 (Windows NT X.O; Win64; x64; rv:98.0)  Firefox/98.0"
X.X.X.X.X - - [02/Aug/2022:10:31:18 +0200] "GET /api/mc/v0.1/agendas/view/background-tasks?is-details-required=false HTTP/1.1" 200 20 "-" " "https://XXX.AAA.COM" "Mozilla/5.0 (Windows NT X.O; Win64; x64; rv:98.0)  Firefox/98.0"
X.X.X.X.- - [02/Aug/2022:10:31:33 +0200] "GET /api/mt/v0.1/tasks/view-count HTTP/1.1" 200 371 "https://XXX.AAA.COM" "Mozilla/5.0 (Windows NT X.O; Win64; x64; rv:98.0)  Firefox/98.0"
X.X.X.X. - - [02/Aug/2022:10:31:33 +0200] "GET /api/mt/v0.1/work-items?start-position=0&number-of-items=11 HTTP/1.1" 200 3084  "https://XXX.AAA.COM" "Mozilla/5.0 (Windows NT X.O; Win64; x64; rv:98.0)  Firefox/98.0"

Out of these logs I want to get only the events which have /api/mt in them and drop the remaining events.

My configurations:

[monitor:///aaa/yyy/xxxx/access_log]
disabled = false
sourcetype = mytask:access_log
index = temp

props.conf

[mytask:access_log]
TRANSFORMS-set = setnull
TRANSFORMS-set = setparsing

Transforms.conf

[setnull]
REGEX = ^(.*)mc(.*)
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = ^(.*)mt(.*)
DEST_KEY = queue
FORMAT = indexQueue

Do we need to set anything else in the configs?
The use case has been prepared with the help of the Splunk article https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-determine-when-a-host-stops-sending-logs-to-splunk-expeditiously.html

| tstats latest(_time) as latest where index=* earliest=-24h by host
| eval recent = if(latest > relative_time(now(),"-5m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0

However, I am receiving multiple false positive alerts for the Windows servers (index=windows). What could be the reason behind this? Is it slow log ingestion, or are there really no events for the mentioned index/sourcetype?
I have a scenario where I'm getting N number of results for a last-60-minutes Splunk search like below (5:00 PM to 06:00 PM).

2022-08-02 17:59:45.203   CCL220727468
2022-08-02 17:59:40.555   CCL220711461
2022-08-02 17:59:34.985   CCL220727468
2022-08-02 17:59:22.080   CCL220727468
2022-08-02 17:59:02.638   CCL220727468
2022-08-02 17:14:02.734   CCL220707460
2022-08-02 17:11:29.456   CCL220729470
2022-08-02 17:04:52.780   CCL220729470

From these I need to exclude the events close to the end time (e.g. I need to exclude the events with timestamp > 05:55 PM; the events at the edge of the search end time are not required). This is for setting up an alert which shows the number of events in the last 60 minutes.
Hello, I want to have the possibility to create reports of the disk space and/or memory from my machine. How can I set this up?
Hi All, please suggest the query or solution to achieve the below requirement.
1. List of searches or queries run by user (looking for a report that shows searches per user).
2. List of searches/reports which use one particular index (i.e. use case: "User locked out" is using index=windows).
I have a list of strings, let's say "abc" "bcd" "def" "efg" "fgh". I want to search each of these strings against a query, for example:

"abc" index=xyz sourcetype=logs host=localhost | table _time, _raw

and I want to search it as: if this string occurs in the result set within the last 10 days then it should print "present", otherwise it should print "absent".
On Splunkbase it says the "Splunk Add-on for Symantec Endpoint Protection" TA's latest version 3.4.0 is compatible with CIM 4.x, whereas if we check the release notes, it says the TA is compatible with CIM 5.0.1. I am using CIM 4. Does anyone know if this version of the Symantec add-on is backwards compatible with CIM 4? (Or is it compatible with CIM 5 only?)
I have a search that is generating results like below. I need a search where, if TAC, CellName and Date are the same in 2 rows, it would remove those rows where SiteName and Address are "NULL", and if the TAC, CellName and Date are different in 2 rows, the rows with "NULL" values for the fields SiteName and Address remain.
Splunk Web was working fine. We need to add our SonicWall firewall syslogs to Splunk via Add Data input. Guide us to configure data inputs and index data automatically. Is it possible to configure SonicWall without a UF?
Can someone please explain the steps to create a ticket in ServiceNow from a Splunk alert? I did find these links:
Use alert-triggered scripts for the Splunk Add-on for ServiceNow
Use custom alert actions for the Splunk Add-on for ServiceNow
But before I dig deep into the above, I just want to know if there is anyone in this group who is already doing this. If yes, what's the best way to get this done? Thank you.
Hi, can someone suggest to me a method to ensure my scheduled report will run without being skipped? Cron = 8,18,28,38,48,58 * * * * with a schedule window of 15 minutes. I use a custom timeframe larger than required to cater for when the report is skipped. Generally the report will run 2 times an hour, sometimes 3, but at times it does not run for a full hour. When I run the report ad hoc, it takes less than a minute.
Shouldn't the "Default value" for this 'Add-on Setup Parameter' get saved in the respective conf file's default file? Or do anything, for that matter? I see the 'Display initial text' renders when the Configuration UI is loaded, but since no value for this is set in the 'default' file, there effectively is no value set anywhere, resulting in a broken add-on since it's not "fully configured". Said another way: the default values for Add-on Setup Parameters don't seem to get saved into the respective default conf file created (default/<ta_name>.conf). Conversely, any default values for the Data Input properties do get saved in the proper place in default/inputs.conf. I see some of this info is saved in the <ta_name>_rh_settings, but that seems to only handle the setup pages. The result of this missing default config is that when I try to save a new instantiation of the input it won't work, because it's missing those critical Add-on Setup Parameters. I'm not an AoB expert, so maybe I'm doing something wrong here? Cross post: https://splunk-usergroups.slack.com/archives/C04DC8JJ6/p1659404655720859
Hi, I have many logs like this:

{"line":{"timestamp":"2022-07-27T20:35:32.756Z","level":"DEBUG","thread":"http-nio-8080-exec-4","mdc":{"clientId":"9AuZjs2vQMCfAYpSB","requestId":"62d-b003-3aff82daddc9","requestUrl":"http://example.com","requestMethod":"POST","apigeeRequestIdHeader":"rrt-0e9fc19850 378837932","requestUri":"/v1/exchanges","userId":"ZWJ5FWLNM"},"logger":"com.eServiceImpl","message":"ChangeSet is not Valid. Error count is : 4. Aggregate error message is : Property of type 'source.acc-1.0.0' is missing required property 'schemaNamespace'.\nProperty of type 'source.acc-1.0.0' is missing required property 'sourceId'.\nProperty of type 'host.acc-1.0.0' is missing required property 'fileUrn'.\nProperty of type 'host.acc-1.0.0' is missing required property 'versionUrn'..Total time for validation is : 0ms"},"source":"stdout","tag":"cd76691","attrs":{"cloudos.portfolio.version":"0.1.2001","com.amazonaask-arn":"arn:aus-west-716:task/COSV2-C-UW2/5e563a4","docker.image":"artifactory.devcloud.net/oud/001","obs.mnkr":"fdxs-abcd22"}}

Successful validations are identified by the string "ChangeSet is Valid" in the line.message field, and failed validations are identified by the string "ChangeSet is not Valid" in line.message, as shown above. Now I want a query to get the results as a percentage of failed and passed events by the line.mdc.clientId field. Please help!

Output:

ClientId | failed % | failed events (number) | pass % | passed events (number)
A        | X%       | a                      | Y%     | b

Basic search: line.message="ChangeSet is*"

The above search is the basic search on which I want the grouping of results (per clientId, as discussed in the example above) to happen.
eStreamer is sending about 12 logs per minute and each log is about 30 mg. This is causing an issue with the license consumption; we get a license violation every day. What setting can I change to reduce the number of logs and the size of the logs? Thank you.
I wanted to compare a lookup with a search. Ex:

Lookup "list_host_lookup.csv"

Server
AA
BB
CC
DD
EE
FF
GG

Search

index=abcddf sourcetype | dedup Host | table HOST STATUS

HOST STATUS
AA   Active
BB   Active
CC   Off
DD   Active
GG   Off
HH   Active
II   Off

If the lookup host (list_host_lookup.csv) is not in the search, or if it is in the search and is "Off", create a "NOK" field. If the lookup host (list_host_lookup.csv) is in the search, or if it is in the search and is "Active", create an "OK" field.
Hi, I want the alert to trigger if there are extracts where TOTAL_PIECES > 0 and RETRIEVAL_ATTEMPT = 10. Is there anybody who can help with this, please? My search is:

index=A source=B sourcetype=c
| fillnull value=0 TOTAL_PIECES RETRIEVAL_ATTEMPT
| where RETRIEVAL_ATTEMPT= 10
| rename "SASP_CTRL_SEQ_NBR" as "Extract_Seq_ID" ,"IV_STS" as "IV_Status", "RETRIEVAL_ATTEMPT" as "Retrieval_Attempt","PSTG_STMT_N" as "Pos_St","TOTAL_PIECES" as "Piece_Count"
| table "Extract_Seq_ID","IV_Status","Retrieval_Attempt","Pos_St","Piece_Count"
Hello, I have a SonicWall TZ600 with both syslog on 514 and log automation over to an FTP folder on the Splunk server. I do see data but I am not sure any of it is relevant. Are there any good, recent guides for setting up a SonicWall with Splunk so I can see interface usage and other key metrics? I'm new to Splunk and am trying to focus on learning through the setup of this device. Thanks.