All Topics
Scenario: I have a dropdown with options: East, West, South and North. When I pick East from my dropdown and East populates in my panel, I'd like to show my panel. However, if East is not populated in my search I want to hide the panel. Is there a way to do it dynamically? Thank you.
Hi, I'm trying to calculate the number of events per day so I can then divide by 86400 to get the daily EPS. I know I can get the EPS "directly" using various queries like the one below, but I don't really understand the logic: what is the ev field and how is it calculated?

index=_internal sourcetype=splunkd Metrics TERM(group=per_sourcetype_thruput) component=Metrics
| fields ev series _time
| rename ev as events, series as sourcetype
| timechart limit=15 partial=f minspan=30s per_second(events) as EPS by sourcetype
| append [ | tstats dc(source) as Sources, dc(sourcetype) as Sourcetypes, dc(host) as Hosts where index=* by _time | timechart partial=f sum(Sources) as Sources, sum(Sourcetypes) as Sourcetypes, sum(Hosts) as Hosts ]
| timechart partial=f first(*) as *
| addtotals
| fields _time Total
| appendpipe [| stats count | where count=0 | eval Total="0"]
Hi everyone, I am trying to update multiple values in the same field using the eval case command, but it is returning the error below: Error in 'eval' command: The expression is malformed. Expected ). My requirement is that when website is ABC the delievery_status should be on_the_way, and when website is xyz the delievery_status should be delievered; otherwise it should say Not delievered. I am writing the case statement below:

| eval delievery_status = case (website="ABC" "on_the_way" website="xyz", "delievered", "Not_delievered")

Can anyone please help me with what I am missing here?
We have a Splunk app that needs to be disabled by the users themselves according to the system's health and maintenance mode. Curious to know which role/capability in Splunk is responsible for granting this level of access. I have already revisited the `edit_local_apps` capability as part of https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Rolesandcapabilities#Add.2C_edit.2C_and_remove_capabilities_from_roles and this doesn't seem to answer the query. Thanks
Hi, we already use Splunk internally and we would like to know if Splunk could be used in scoring use cases. We would like to reproduce the same type of example as the one presented in the following article with ELK: https://www.compose.com/articles/using-query-string-queries-in-elasticsearch/ We have seen that the score command appears with the Splunk Machine Learning Toolkit addition, but it seems much more complex. Would it be possible, as in the example, to have a classified search (in the ELK example, a scoring of the title of a movie against keywords)?
From the installation options, there is one section where I can choose between a Local or Domain account. Somehow installation using Domain wasn't working, so I used a Local account to install. 1. Is there a BIG difference between those two installations? I understand that we can authenticate with LDAP on Splunk Web, so does that mean local/domain won't matter that much? 2. We have created the local admin account; can this be linked with AD and uploaded under specified DC groups?
Hello, I try to add a CSV file manually, but when I do it I receive the message "is not supported, only utf-8 encoded files are supported". I checked the file with Notepad++ and the file is encoded with UTF-8, so what is wrong please?
TL;DR: I need to set a value on one SH in a cluster, and then tell the other SHs what it is using Python. I tried using the REST API (see below), but any tips from someone who has done it before would be great!

Full Version: I'm working on a clustered instance of Splunk. It talks to another tool using an access token which expires after so long (1 hour). When the user calls the tool and the token has expired, a new token is generated and needs to be shared with the other SHs so they can use it until it expires again. The token is set in Python and I looked to use the services.post command to update a custom conf file/stanza:

service.post('/servicesNS/nobody/APP/configs/conf-app/session')

When I run it under admin it works fine, but when I run it as a user I get an error:

HTTP 403 Forbidden -- You (user=barry) do not have permission to perform this operation (requires capability: admin_all_objects).

But I don't want the user to have admin_all_objects. I have given the user a role which has write access to the conf file:

[APP/session]
owner = nobody
access = read : [ app_role ], write : [ app_role ]

Can anyone suggest how I can get the API to update the local conf without admin, or come up with a better way to share the token between SHs?
Hi folks, I'm using Splunk 9.0.1 and I installed Eventgen and the Splunk Windows add-on 8.5.0. It looks like eventgen.conf is not present in this add-on version. Is it not possible to generate fake Windows events any more? Regards
Is there a way to set up an alert when the disk drive space is at 75GB, and not an alert by % of disk drive space left?
How do I return the points from an Outlier chart that are identified as outliers? Specifically, I'm looking for the times that the outliers happen. I need to do some secondary querying at those times only. Thank you
Hi, I'd like to create a script to automate the whole Splunk install process. And I'm wondering how I could automatically retrieve the latest version of the package with the wget command. Instead of getting it myself by logging in to the Splunk website with my credentials, is it possible to provide my login credentials directly in the wget command? In other words, I would like to calibrate my wget command to say: hey wget, go get the latest Splunk version, here are my credentials... At first glance, I would say that Python or Ansible could help, but I don't know how to approach it... Thanks in advance for your suggestions.
Hi guys, we recently set up Splunk to use Okta SAML as SSO authentication. But upon configuring, the username format for users in Splunk was employeeNumber@domain, which is incorrect. We need to update the username format to first name-last name. We got in touch with the Okta team and they updated the same at their end and sent me a new updated metadata file, which I uploaded to Splunk, but the username format is still the same and incorrect. Can you guys help in figuring out what settings I need to change in Splunk to make this work? I am not too good with this, so try to be a bit detailed in your answers. Thanks, Neerav Mathur
Dear team, could you please help me with the below requirement? We have got a requirement to replace the existing nodes with new nodes. Could you please guide me on how to achieve the requirement? Thanks & Regards, Srinivas
Hi, we use Splunk internally for log consultation. But we have a new need for our web application. We would like to have a word or phrase search functionality to get a list of results that fully match or come close to matching the search. For example, if I search field="It's raining today", I get events that contain:

It's raining today
It's raining today
Its raining today
today It's raining
...

Can machine learning apps enable this kind of thing? Is there a module or add-on to do this kind of thing with Splunk? Thanks for your help
Hello Splunkers, I want to calculate the time difference between the change in state of eventtype for each transaction ID.
Hi, please, I have 3 questions regarding the Splunk Enterprise solution (500 MB free log). In fact I am a student and I want to master this solution. 1/ After 3 quota overruns, what exactly happens? Does the Splunk server stop receiving logs or what? 2/ What is the difference between the Free license and the Enterprise Trial license? 3/ In case I had 2 Splunk servers and I want to put one of the 2 as slave because I will need it, but I only need the logs that it analyzed, what happens technically?
Hi all, I have a sample JSON file like this:

{ "Project Name" : "abc", "Project Group":"A", "Unit":"B", "groups_data":[{ "a":"32.064453125", "b":"5.451171875", "c":"0.3349609375", "d":"0.181640625", "e":"4.58203125", "f":"81.1611328125"}] }

I want to plot a pie chart for the key-value pairs present in groups_data. I tried extracting the data using this query:

myindex sourcetype="_json"
| rex field=_raw "\"group_data\":\[\{\"(?<component>[^/]*)\":"\"(?<Value>\d+)\"\}\]
| eval tmp = mvzip(component,Value)
| mvexpand tmp
| eval component=mvindex(split(tmp,","),0)
| eval Value=mvindex(split(tmp,","),1)
| chart values(Value) by component

I am not able to get a pie chart. It says tmp does not exist. Can anyone tell me if there is anything wrong in the regex part? Did I miss something anywhere?
Hi, I need to compare two XML files with Splunk to find changes. Is it possible? sample file Thanks
Hello, like any other ES user, we have threat intel feeds configured that came along with the box. How can I view the actual data of this threat intel feed? For example, let's take the cisco_top_one_million_sites or emerging_threats_ip_blocklist sources. All of these 4 commands error out. Well, how can I find what is being downloaded? How do I view these collections?

| inputintelligence emerging_threats_ip_blocklist
OR
| inputlookup emerging_threats_ip_blocklist
OR
| inputintelligence cisco_top_one_million_sites
OR
| inputlookup cisco_top_one_million_sites