Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi there, I am using RHEL 8.6 x86_64 (Ootpa) / kernel 4.18.0 and trying to update the Splunk Add-on for Unix and Linux. I am getting this error:

An error occurred while downloading the app: [HTTP 404] https://127.0.0.1:8089/services/apps/local/Splunk_TA_nix/update; [{'type': 'ERROR', 'code': None, 'text': 'Error downloading update from https://splunkbase.splunk.com/app/833/release/8.6.0/download/?origin=cfu: Not Found'}]

When I manually tried to download from this link, https://splunkbase.splunk.com/app/833/release/8.6.0/download/?origin=cfu, I got "Oops! 404 Error: Page not found." Please share your thoughts on how to update the Linux/Unix app from the Splunk console.
I have two indexes which include the same data in different fields, as seen below.

index1 -- user, fileName, ...etc
index2 -- event.file, actor

user = actor and fileName = event.file

The following search tells me whether a user and their file in index2 are available in index1, but I don't need this, since I know they should be included in index1. What I am trying to find is: if a user and their file in index2 are NOT available in index1, I want to list them out. Thanks for the help.

index="index1" [search index="index2" "event"=event2 event.file="something_*" | table event.file, actor | rename event.file as fileName, actor as user ]
| table actor
Hi All, I tried running the two SPLs below for the same index and time range, but got two very different sets of results:

SPL 1:
| tstats values(host) where index=xxx

SPL 2:
index=xxx | stats values(host)

In SPL 1, I get one value. In SPL 2, I get six values.

I also tried to run the following:
index=xxx
and checked the fields panel on the left-hand side; the host field had the same values as SPL 2.

Thus, please help to share why the above was observed and how it can be resolved. Thank you
I am attempting to convert most of my XML to JavaScript in my dashboards. I have several single values that I can click on to show that specific data in the table. For example, one particular single value is Blacklisted. When I click on the numeric value, it shows details of files, md5, sha256, dates, etc. that have been tagged as blacklisted. In XML my token is set as follows:

<set token="tkblacklist">blacklist IN (t)</set>

I filter on "true." The token is used in my table, and I get a list of blacklisted entities.

... | search $tkblacklist$

Screenshot below is a sample of the current dashboard functionality.

When I try to do this in JavaScript, I am confused about how to apply the token using the SingleView and pass the token to the TableView. I have done a lot of reading, watching videos, and trial and error, but I can't seem to get this right. Most of the examples are for text inputs, dropdowns, and multi-select features.

My test.js file

require([
    'underscore',
    'backbone',
    'splunkjs/mvc',
    'splunkjs/mvc/searchmanager',
    'splunkjs/mvc/postprocessmanager',
    'splunkjs/mvc/singleview',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function(_, Backbone, mvc, SearchManager, PostProcessManager, SingleView, TableView) {

    // Base search shared by the single value and the table
    var baseSearch = new SearchManager({
        id: "baseSearch",
        preview: true,
        cache: false,
        search: "| tstats count values(modproc.process) AS process from datamodel=dmname.modproc where nodename=modproc by modproc.blacklist modproc.process modproc.md5"
    }); // closes the SearchManager call (this was missing)

    // Blacklisted
    var blacklistProcesses = new PostProcessManager({
        id: "blacklistProcesses",
        managerid: "baseSearch",
        search: "| rename modproc.* AS * | search blacklist IN (\"t\") | stats count"
    });

    new SingleView({
        id: "blacklistProcesses_Dashboard",
        managerid: "blacklistProcesses",
        height: "50",
        el: $("#blacklistProc")
    }).render();

    // Get your div
    var my_div = $("#blacklistProc");

    // Respond to clicks. A manager created with {tokens: true} resolves
    // $token$ references from the "default" namespace, so the token is set
    // there. The value carries no leading "|": the post-process search
    // below already supplies the pipe in front of $mytoken$.
    my_div.on("click", function(e) {
        var tokens = mvc.Components.get("default");
        tokens.set("mytoken", "search blacklist IN (\"t\")");
    });

    // Process Table View; with {tokens: true} the search does not run
    // until $mytoken$ has a value, i.e. until the single value is clicked
    var tableProcesses = new PostProcessManager({
        id: "tableProcesses",
        managerid: "baseSearch",
        search: "| rename modproc.* AS * | $mytoken$"
    }, {tokens: true});

    new TableView({
        id: "tblProcess",
        managerid: "tableProcesses",
        pageSize: "50",
        el: $("#tableProc")
    }).render();
});

My XML

<dashboard script="test.js" stylesheet="test.css" theme="dark">
  <label>Test Javascript Dashboard</label>
  <row>
    <panel>
      <html>
        <h3 class="MainHeading"> Blacklisted </h3>
        <div id="blacklistProc"/>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>My Table</title>
      <html>
        <div id="tableProc"/>
      </html>
    </panel>
  </row>
</dashboard>

I have also tried to use drilldown in the SingleView, but that just opens the Search window. Thanks
In Splunk Enterprise, Is there a way to find all the dashboards etc.. that consume data from a given database input that was set up in dbconnect?
Hi Everyone, here is some context: one of our customers is using a Splunk app we created with the Add-on Builder. All it does is forward alerts into our platform, and we use splunk.Intersplunk to get the search results. The customer is getting the following error, but we do not know why:

"07-11-2022 15:31:37.179 +0000 ERROR sendmodalert - action=bigpanda_alert STDERR - backports.configparser.MissingSectionHeaderError: File contains no section headers.","2022-07-11T11:31:37.179+0000","bigpanda_alert",,,,,,,,,,,,,,,sendmodalert,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,15,11,31,july,37,monday,2022,0,,,,,,,,,,,"action=bigpanda_alert STDERR - backports.configparser.MissingSectionHeaderError: File contains no section headers.","err0r nix-all-logs nix_errors splunk_modalert splunkd-log",,,,,,lpec5009spksh03,,,"_internal",,,,,,1,,ERROR,,,,,,,,,,,,,,,,,,,,"--_::._+___-_=__-__..:_____.",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"/opt/splunk/var/log/splunk/splunkd.log",splunkd,,"URL-REDACTED-HERE",,,,,,,,,error,,,error,,,,,,29,,,0,,,,,,,,,,,,,,,,,

My initial suspicion is that it is related to enableheader being overridden in etc/system/default/commands.conf with false, but I tried it on my instance and I got no errors. Any insights into this would be greatly appreciated!
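The exception in that log line is what Python's configparser raises when the first non-blank, non-comment line of the file it is asked to read is not a [section] header. The example below is added here and is not the poster's code or the Add-on Builder's: on constructed text it reproduces the error and adds a pre-check that separates a file genuinely missing a header from one whose header is hidden behind a UTF-8 byte-order mark, which configparser does not strip unless the file is opened with encoding='utf-8-sig'. The function names and sample contents are illustrative.

```python
import configparser

# Constructed sample contents (not the customer's actual file)
VALID = "[session]\ntoken = abc123\n"
NO_HEADER = "token = abc123\n"                     # what the log complains about
BOM_HEADER = "\ufeff[session]\ntoken = abc123\n"   # header preceded by a UTF-8 BOM


def parse_conf(text):
    """Parse conf text the way a script using configparser would.
    Returns (True, [sections]) or (False, error message)."""
    cp = configparser.ConfigParser()
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError as exc:
        # str(exc) starts with "File contains no section headers."
        return False, "MissingSectionHeaderError: %s" % exc
    return True, sorted(cp.sections())


def diagnose(text):
    """Say why configparser would reject the text, before handing it over."""
    if text.startswith("\ufeff"):
        # str.strip() does not remove U+FEFF, so configparser's section
        # regex never matches the first line and no section is ever opened
        return "utf-8 BOM precedes the first section header; strip it or read with encoding='utf-8-sig'"
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank lines and comments are ignored by configparser
        if stripped.startswith("[") and stripped.endswith("]"):
            return "ok"
        return "first content line %r is not a [section] header" % stripped
    return "no section header found"
```

Running diagnose() on the file the alert action reads (before calling configparser on it) turns the one-line error in splunkd.log into a statement of which of the two causes applies.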
Hi everyone, I was looking at how I can ingest data from Bitbucket Cloud into Splunk Cloud (8.2.2 Victoria). The old Bitbucket app gets rejected by the Splunk Cloud app upload. I saw the Lantern article (Atlassian: Bitbucket - Splunk Lantern), but it doesn't have any actual information. Does anyone have any working integrations of Splunk Cloud with Bitbucket Cloud? Any source type/data type information? Thanks in advance!
Hey everyone, I'm pretty new to both Splunk and Jira, but I'm trying to integrate them to get real-time events/alerts from Splunk sent over to Jira as a task or open ticket. I've tried an add-on called Atlassian Jira Issue Alerts but can't seem to get it working after the configuration; no alerts have been showing up. Can someone guide me on how to configure it, since the details page for the add-on doesn't really say much, or suggest a different add-on or even a way of integrating through the APIs? (Not that I've used one before, but with proper guidance I can do the research.) Thanks in advance!
I have index=main user=Local Domain\abc and it won't return any results, but if I search with index=main user=Local Domain\\abc it works. I tried rex as well, but it didn't work for my dashboard, as it won't display any search. Is there any solution to search without adding another \ to the search?
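Inside a double-quoted SPL string the backslash is the escape character, so a single backslash in the value has to be written as \\ for the search parser to see one literal backslash; that is why the second search works. The example below is added here and is not from the poster: a small Python helper, with illustrative names, that takes the raw value (for instance the text a dashboard user typed) and emits a correctly quoted SPL term, so nobody has to type the second backslash by hand. Only the two characters that are special inside "..." in SPL, backslash and double quote, are escaped.

```python
def spl_string(value):
    """Return value as a double-quoted SPL string literal.
    Each backslash becomes \\\\ and each double quote becomes \\" ."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"%s"' % escaped


def build_search(index, field, raw_value):
    """Build a field=value search term from an unescaped value."""
    return "index=%s %s=%s" % (index, field, spl_string(raw_value))


def unescape_spl_string(literal):
    """Inverse of spl_string: the text the search parser compares against.
    Only the two escapes spl_string produces are undone; any other
    backslash is kept as-is."""
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("not a quoted SPL string: %r" % literal)
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in '\\"':
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


# Constructed input: a domain-qualified account name as the user would type it
RAW_USER = "Local Domain\\abc"          # one real backslash
SEARCH = build_search("main", "user", RAW_USER)
```

The round trip unescape_spl_string(spl_string(x)) == x is the property to check when wiring this into a dashboard; in Simple XML the same escaping is what the |s token filter ($token|s$) applies when it quotes a token value.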
Scenario: I have a dropdown with options East, West, South and North. When I pick East from my dropdown and East populates in my panel, I'd like to show my panel. However, if East is not populated in my search, I want to hide the panel. Is there a way to do it dynamically? Thank you.
Hi, I'm trying to calculate the number of events per day so I can then divide by 86400 to get the daily EPS. I know I can get the EPS "directly" using various queries like the one below, but I don't really understand the logic: what is the ev field and how is it calculated?

index=_internal sourcetype=splunkd Metrics TERM(group=per_sourcetype_thruput) component=Metrics
| fields ev series _time
| rename ev as events, series as sourcetype
| timechart limit=15 partial=f minspan=30s per_second(events) as EPS by sourcetype
| append [ | tstats dc(source) as Sources, dc(sourcetype) as Sourcetypes, dc(host) as Hosts where index=* by _time
    | timechart partial=f sum(Sources) as Sources, sum(Sourcetypes) as Sourcetypes, sum(Hosts) as Hosts ]
| timechart partial=f first(*) as *
| addtotals
| fields _time Total
| appendpipe [| stats count | where count=0 | eval Total="0"]
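Each group=per_sourcetype_thruput line in metrics.log is one sample of the metrics interval (30 seconds by default), and ev is the number of events of that series (sourcetype) that passed through the indexing pipeline during that interval; eps on the same line is ev divided by the interval length, which is what per_second(events) recomputes. Summing ev over a day therefore gives the day's event count, and dividing by 86400 gives the average EPS. The example below is added here and is not from the post: a Python parser over constructed metrics.log lines (invented values, real line format) that does exactly that, with illustrative function names. One caveat a practitioner should keep in mind: metrics.log only reports the top series per group in each interval (limits.conf [metrics] maxseries, 10 by default), so sourcetypes that do not make the cut are undercounted; for an exact count, | tstats count where index=... by _time span=1d over the indexed data is the reliable source.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed metrics.log lines in the real format; the numbers are invented.
SAMPLE_LOG = """\
07-11-2022 00:00:30.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=12.5, eps=40.0, kb=375.0, ev=1200, avg_age=0.1, max_age=1
07-11-2022 00:01:00.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=10.0, eps=30.0, kb=300.0, ev=900, avg_age=0.1, max_age=1
07-11-2022 00:01:00.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.0, eps=2.0, kb=30.0, ev=60, avg_age=0.2, max_age=2
07-11-2022 00:01:00.123 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=11.0, eps=32.0, kb=330.0, ev=960, avg_age=0.1, max_age=1
07-12-2022 00:00:30.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.0, eps=2.0, kb=30.0, ev=60, avg_age=0.2, max_age=2
"""

# timestamp, level, "Metrics - ", then the comma-separated key=value payload
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) \S+\s+Metrics - (?P<kv>.*)$'
)
# key=value where value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|[^,\s]+)')


def parse_metrics(text):
    """Yield (utc_date_iso, series, ev) for every per_sourcetype_thruput sample."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Metrics line
        fields = {}
        for key, raw, quoted in KV_RE.findall(m.group("kv")):
            fields[key] = quoted if raw.startswith('"') else raw
        if fields.get("group") != "per_sourcetype_thruput":
            continue  # other groups (per_index_thruput, ...) carry their own ev
        ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
        day = ts.astimezone(timezone.utc).date().isoformat()
        yield day, fields["series"], int(fields["ev"])


def daily_eps(text):
    """Return {(day, sourcetype): (events, eps)} with eps = events / 86400."""
    totals = defaultdict(int)
    for day, series, ev in parse_metrics(text):
        totals[(day, series)] += ev
    return {k: (n, n / 86400.0) for k, n in totals.items()}


if __name__ == "__main__":
    for (day, st), (n, eps) in sorted(daily_eps(SAMPLE_LOG).items()):
        print("%s %-16s events=%6d eps=%.4f" % (day, st, n, eps))
```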
Hi Everyone, I am trying to update multiple values in the same field using the eval case command, but it is returning the error below:

Error in 'eval' command: The expression is malformed. Expected ).

My requirement is: when website is ABC, delievery_status should be on_the_way; when website is xyz, delievery_status should be delievered; else it should say Not delievered. I am writing the case statement below:

| eval delievery_status = case(website="ABC", "on_the_way", website="xyz", "delievered", true(), "Not_delievered")

Can anyone please help me with what I am missing here?
We have a Splunk app that needs to be disabled by the users themselves according to the system's health and maintenance mode. I am curious to know which role/capability in Splunk is responsible for granting this level of access. I have already revisited the `edit_local_apps` capability as part of https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Rolesandcapabilities#Add.2C_edit.2C_and_remove_capabilities_from_roles and it doesn't seem to answer the query. Thanks
Hi, we already use Splunk internally and would like to know if Splunk could be used in scoring use cases. We would like to reproduce the same type of example as the one presented in the following article with ELK: https://www.compose.com/articles/using-query-string-queries-in-elasticsearch/ We have seen that the score command comes with the Splunk Machine Learning Toolkit, but it seems much more complex. Would it be possible, as in the example, to have a classified search (in the ELK example, a scoring of a movie's title against keywords)?
In the installation options, there is one section where I can choose between a Local or Domain account. Somehow installation using a Domain account wasn't working, so I used a Local account to install.

1. Is there a BIG difference between those two installations? I understand that we can authenticate with LDAP on Splunk Web, so does it mean local/domain won't matter that much?
2. We have created the local admin account; can this be linked with AD and placed under specified DC groups?
Hello, I am trying to add a CSV file manually, but when I do I receive the message "is not supported, only utf-8 encoded files are supported". I checked the file with Notepad++ and the file is encoded in UTF-8, so what is wrong, please?
TL;DR: I need to set a value on one SH in a cluster and then tell the other SHs what it is, using Python. I tried using the REST API (see below), but any tips from someone who has done it before would be great!

Full version: I'm working on a clustered instance of Splunk. It talks to another tool using an access token which expires after so long (1 hour). When the user calls the tool and the token has expired, a new token is generated and needs to be shared with the other SHs so they can use it until it expires again. The token is set in Python, and I looked at using service.post to update a custom conf file/stanza:

service.post('/servicesNS/nobody/APP/configs/conf-app/session')

When I run it as admin it works fine, but when I run it as a user I get an error:

HTTP 403 Forbidden -- You (user=barry) do not have permission to perform this operation (requires capability: admin_all_objects).

But I don't want the user to have admin_all_objects. I have given the user a role which has write access to the conf file:

[APP/session]
owner = nobody
access = read : [ app_role ], write : [ app_role ]

Can anyone suggest how I can get the API to update the local conf without admin, or come up with a better way to share the token between SHs?
Hi Folks, I'm using Splunk 9.0.1 and I installed Eventgen and the Splunk Add-on for Windows 8.5.0. It looks like eventgen.conf is not present in this add-on version. Is it no longer possible to generate fake Windows events? Regards
Is there a way to set up an alert when the disk drive space is at 75 GB, and not an alert by % of disk drive space left?
How do I return the points from an Outlier chart that are identified as outliers? Specifically, I'm looking for the times at which the outliers happen. I need to do some secondary querying at those times only. Thank you