Here is my query:

<table id="tableColorFinalRowBasedOnData7">
  <search>
    <query>index="xxxx" source=service (DisplayName="a*" OR DisplayName="b*") host IN (abc xyz) earliest=-60m
| dedup host Name
| table host Name StartMode State
| sort Name
| eval color=case(State="Stopped","#880808",State="Running","#008000")
| foreach host Name StartMode State [eval &lt;&lt;FIELD&gt;&gt;=mvappend('&lt;&lt;FIELD&gt;&gt;',color)]
| fields - color</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <format type="color">
    <colorPalette type="map">{"Manual":#FF7F50}</colorPalette>
  </format>
  <format type="color" field="host">
    <colorPalette type="expression">mvindex(value,1)</colorPalette>
  </format>
  <format type="color" field="Name">
    <colorPalette type="expression">mvindex(value,1)</colorPalette>
  </format>
  <format type="color" field="StartMode">
    <colorPalette type="expression">mvindex(value,1)</colorPalette>
  </format>
  <format type="color" field="State">
    <colorPalette type="expression">mvindex(value,1)</colorPalette>
  </format>
</table>

A running service is displayed as green and a stopped one as red, but a StartMode of Manual is not being set to orange.
I'm sorting through web traffic and I'm trying to extract which device users are using from the user agent. However, when I have highlighted the device and check the preview, it has highlighted some different devices like Windows, Macintosh, Linux. But it has also highlighted a lot of random strings of text that definitely aren't devices, and when I've looked through these, I can clearly see the device in that user agent that hasn't been highlighted. Is there a way to make sure devices are being highlighted to be extracted and not random strings of text, etc.?
With browsers like Google Chrome and Microsoft Edge, we are experiencing problems. We have observed that Splunk dashboard modifications are not reflected in various browsers. Even after refreshing the dashboard, I keep seeing old results. This has been tried out within the team, and everyone is facing the same. Additionally, if I check MS Edge, it appears that changes are reflected, but not in Chrome.

Example: If I update a dashboard in Google Chrome, it is not shown for others, and if I refresh Chrome, the change is discarded but is still shown in Edge, only for me, with the same link. If my teammates make changes, they also face the same issue: they can see the changes reflected in Edge but not in Chrome. Is this normal behavior?
How do I modify the sampling interval of the Splunk Add-on for VMware Metrics? I want to change it to sample every 5 minutes. I have tried many ways (including modifying the add-on source code), but failed.
Hello, sorry in advance if the question has already been asked, but I couldn't find anything. I'm currently working with Qualys logs in Splunk. The Qualys API to pull data into Splunk is already configured, but there are several pieces of information that the API does not retrieve, for example the software installed on scanned computers. So the question is: is it possible to add a custom API into Splunk without interfering with the existing official Qualys API? And are there limitations on programming languages, or does it depend on the server on which my Splunk is running? Thank you in advance.
I can't wrap my head around how to do this search. It's like I need an array or variable.

Example data:

Hostname      Storage
BackupServer  BackupStorage
Database1     Storage1
Database2     Storage2
Database3     BackupStorage

How can I say "show me a list of all servers using BackupServer[Storage]"? I don't know the name of the backup storage in advance. All I know is that the hostname is like Backupserver.
Hello, I have several lookups and I would like to display the details for a date range, but I can't really do it. I have tried several combinations, but either I display only the last one or I display too many elements. As a bonus, if I could have the total it would be cool.

| inputlookup file1.csv
| append [| inputlookup file2.csv]
| append [| inputlookup file3.csv]
| append [| inputlookup file4.csv]
| append [| inputlookup file5.csv]
| append [| inputlookup file6.csv]
| sort - _time
| eval date = strftime(_time,"%Y-%m-%d")
| search date>2022-07-01 AND date<2022-07-04
| transpose 6
| sort - column
| search column=date OR column=count
| fields - column
| rename "row 1" as "name1", "row 2" as "name2", "row 3" as "name3", "row 4" as "name4", "row 5" as "name5", "row 6" as "name6"
Hi, I'm running a simple dbxquery and it's not returning any results:

| dbxquery query="select * from departments;" connection="gmysqlg1"

The same query configured as an input with the same connection runs fine on a schedule.

Version: Splunk Enterprise 9.0.0
How to add IP and devices
Hello community,

I am trying to "reroute" specific logs (based on a regex match) to a different index. This is done on the heavy forwarder. The data is ingested via syslog. Both props and transforms are in the correct folder where the syslog events are ingested. I have created a ruleset in props.conf:

[vmware]
TRANSFORMS-include = reroute_to_indexA

And here is the config from transforms.conf:

[reroute_to_indexA]
SOURCE_KEY = _raw
REGEX = ^.*2300-.*$
DEST_KEY = _MetaData:Index
FORMAT = index-a

Last but not least, here is a sample of the logs I am working with:

Jul 5 09:02:11 10.32.37.214 1 2022-07-05T09:02:11.339-04:00 2300-RDSH-1-2 View - 1009 [View@6876 Severity="INFO" Module="Agent" EventType="AGENT_DISCONNECTED" UserSID="omitted" UserDisplayName="omitted" PoolId="2300-rdsh-farm1" MachineId="omitted" MachineName="2300-RDSH-1-2" MachineDnsName="2300-rdsh-1-2" CurrentSessionLength="180" TotalLoginLength="180" SessionType="APPLICATION"] User omitted has disconnected from machine 2300-RDSH-1-2

At this point I would have expected to see the logs being written to index-a. What I have done so far as troubleshooting:

Removed SOURCE_KEY
Replaced SOURCE_KEY = _raw with field:MachineDnsName
Replaced SOURCE_KEY = _raw with fields:MachineDnsName
Substituted the REGEX with .*2300.* and .*2300-.*

Nothing has helped so far; any help or pointers would be greatly appreciated.

Thank you,
Hello, using Splunk Enterprise 8.2.6 and ITSI version 4.11.5, I am defining entity types and I need to set CPU usage thresholds as follows:

>=95 warning
>=98 critical

The interface only lets me set "greater than" or "less than". I figured that if I set the values to 97.9 and 94.9 then I can configure the thresholds correctly. The only problem is that this is not permitted, even though the metrics themselves are displayed with decimals! This is a very problematic oversight, because I won't be able to set and monitor any thresholds 100% reliably. How can I get around this issue? Thanks! Andrew
Remove field values from one multi-valued field whose values are present in another multi-valued field. Looking for something like:

| eval dest=mvfilter(if(dest IN email_sender, null(), dest))

Here dest contains both the sender and the receiver of the email, hence I'm trying to exclude the sender from it. (FYI, the sender is also a multi-valued field; that's because I've used stats before it.)
Hi, I want to filter Windows event logs on the universal forwarder with a blacklist config, but it doesn't work as described in the documentation. Why is this not working?

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=false
index=wineventlog
blacklist7 = EventCode="4624|4625|4634" User="\w+\$"

I just want to filter out usernames ending with $. Happy splunking.
Hello, what is the procedure for migrating a deployer to a new server? We are running on Linux and are on version 8.1.6 on the deployer and the search head cluster, and we cannot reuse IP addresses or hostnames. I have read https://docs.splunk.com/Documentation/Splunk/8.1.6/DistSearch/BackuprestoreSHC but it's not crystal clear, since we are only migrating the deployer and the search head cluster will remain the same. Thanks!
Hi all, our search heads are on Splunk Cloud version 8.2.2203.2, and there is a requirement from our application team to use the Stream Processor Service that is part of the Splunk offering (ref: https://docs.splunk.com/Documentation/StreamProcessor/standard/Admin/About) for WinEventLog and IIS logs. Is it something specific we need to purchase as a license, or will it come with my Splunk Cloud subscription? When I checked the document, it says "Get access to a tenant and the Stream Processor Service" (https://docs.splunk.com/Documentation/StreamProcessor/standard/Admin/About#:~:text=Log%20in%20with%20your%20splunk,for%20the%20Stream%20Processor%20Service). So kindly let me know who the Stream Processor Service team would be. It also mentions configuring templates and other things, so kindly let me know how to proceed further.
Hey all, I have a summary table that shows these values, and there are also some common values.

Process  Error  Success  Total
A        5      5        10
B        6      9        15
A        7      2        9
C        3      8        11
C        1      3        4
B        5      5        10

I want to combine these common values (under Process) and also add the numerical values together. I am hoping for a result like this in my summary table:

Process  Error  Success  Total
A        12     7        19
B        11     14       25
C        4      11       15

Any help would be much appreciated. Thanks!
Hi Splunkers, I have an issue with the use of a data model, the eval command, and sourcetype as a filter. Let me explain better. The customer asked us to modify the field action on the Email data model: if the sourcetype is a particular one, let's say xxx, action must be equal to another field called final_action. Otherwise, the normal behavior is fine.

Now, in the Email data model the field action is a calculated one with the following eval expression:

if(isnull(action) OR action="","unknown",action)

So I thought to simply turn it into a case expression, adding the check on the sourcetype; based on this, I tested the following search:

| from datamodel:"Email"
| eval action = case(isnull(action) OR action="","unknown", sourcetype="xxx", final_action, 1=1, action)
| stats count values(action) as action by sourcetype

But it does not work; I mean, the field action is correctly filled for all the other sourcetypes we have, but the action output field for sourcetype xxx is empty. My first doubt was: does the problem exist because I used different fields in the case function, not equal between them? So I used this search:

| from datamodel:"Email"
| eval action = if(isnull(action) OR action="","unknown", action)
| eval action = if(sourcetype="xxx", final_action, action)
| stats count values(action) as action by sourcetype

But the action output for sourcetype xxx is still empty. I'm sure that the field is correct and populated, because if I use a search without the data model, comparing the 2 different sourcetypes we have for mail, the search works fine. For example, if I use:

index=* sourcetype IN (xxx, yyy)
| eval action=if(sourcetype="xxx", final_action, action)
| stats count values(action) as action by sourcetype

The output is the desired one: the action field for yyy is the already existing one, while for xxx it is overwritten with the final_action values.
Hi, we are looking for some help on a GR (Geo Redundant) Splunk setup. Has anyone already implemented such an architecture in your/a customer environment? Did we follow any reference architectures published by Splunk? I would appreciate it if you could share some ideas. Thanks in advance.
Hi, I have a bar chart where I need each bar to represent a different category (each with a different colour), similar to how each section of my pie charts represents a different section. Here is the XML for my current bar chart:

<chart>
  <search>
    <query>| inputlookup Migration-Status-McAfee
| fillnull value=null
| eval "Completion Status"=if('Completion Status'=""," ",'Completion Status')
| chart count over "Completion Status"</query>
  </search>
  <option name="charting.chart">column</option>
  <option name="charting.chart.stackMode">default</option>
  <option name="charting.drilldown">none</option>
  <option name="charting.legend.placement">top</option>
  <option name="charting.seriesColors">[0x008000,0xffff00,0xff0000]</option>
</chart>

Can you please help? Thanks so much!