All Topics
Hi Community, if I need to plot a trellis chart showing the average time spent on a website for each user session by browser, what's the best approach for this?
I am getting the following error messages after upgrading Splunk from 8.1.5 to 9.0. The config it's complaining about is part of the default/federated.conf, so it shouldn't be complaining in the first place.

Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 18: appContext (value: search).
Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 19: useFSHKnowledgeObjects (value: false).
Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 20: mode (value: standard).
Invalid key in stanza [general] in /opt/splunk/etc/system/default/federated.conf, line 23: needs_consent (value: true).
How to Config Router to Send Syslogs to Splunk
I have a data source that shows if an order was resolved as fraudulent (data="resolutions") and in a different data source (data="headers") I have payment_method (Visa, Mastercard, etc.). I want to see a pie chart of only orders that have chargebacks on them by payment method.

data=headers | top payment_method

This works for the pie chart of payment method. I tried:

data=headers OR data=resolutions resolution_name="ACM Chargeback Received - Fraud" | top payment_method

and a few other variations, but I can't seem to get it to work. Even if I can't do a pie chart and could figure out a table with Payment Method | Count of Resolution Name (chargeback), that would work.
I have a field called rules_tripped. It returns the results like this:

rules_tripped="5237260000001713515:Item Sku Fraud & Chargeback Percentage 0:0"

Rule ID : Rule Name : Rule Score

I want to only search for rules that have a rule score of > 800. Is it possible to split the query and search for only rules with a rule score of > 800?
Hi All, my customer's security engineer has left the organization and we're curious how we can migrate the dashboards he was using over to other user profiles in Splunk Cloud. Thank you!
We have the following:

# /data/xxxx/<hostname>_syslog.log
[datanow-syslog-host]
SOURCE_KEY = source
REGEX = \/data\/xxxx\/(.+)_syslog\.log
DEST_KEY = MetaData:Host
FORMAT = host::$1

Trying to extract the host name from the source without much luck. Any ideas?
Hi Team, I am a learner, so I want to know about identifying the session login/logout time periods of users and the reasons for the activities.
Good afternoon, I am upgrading from Splunk 8 to 9, and I have a hodgepodge of UFs that are all over the place in versioning, from 6.x all the way to 8. I know you cannot do a multiple-version upgrade; I will need to go 6 to 7 to 8 to 9.

My question is this: are there specific versions that I cannot upgrade from? For instance, does a 6.x need to be upgraded to a specific version of 7, then a specific version of 8, or will any version in the line of upgrades work? I have tried to do some searching, but I am not finding the answer to my specific question, which makes me think the upgrade version, as long as it is in order, doesn't matter. But I need to make sure, because we have several hundred to do.

Thanks
Is it possible to set a hardcoded value for the "Items per page" on the Searches, Reports, and Alerts page? Each time I open the console, it resets to "10" and I would like to keep it set to 100 for all users at all times. 
Here is my query:

<table id="tableColorFinalRowBasedOnData7">
  <search>
    <query>index="xxxx" source=service (DisplayName="a*" OR DisplayName="b*") host IN (abc xyz) earliest=-60m | dedup host Name | table host Name StartMode State | sort Name | eval color=case(State="Stopped","#880808",State="Running","#008000") | foreach host Name StartMode State[eval &lt;&lt;FIELD&gt;&gt;=mvappend('&lt;&lt;FIELD&gt;&gt;',color)] | fields - color</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <format type="color">
    <colorPalette type="map">{"Manual":#FF7F50}</colorPalette>
  </format>
  <format type="color" field="host">
    <colorPalette type="expression">mvindex(value,1)</colorPalette>
  </format>
  <format type="color" field="Name">
    <colorPalette type="expression">mvindex(value,1)</colorPalette>
  </format>
  <format type="color" field="StartMode">
    <colorPalette type="expression">mvindex(value,1)</colorPalette>
  </format>
  <format type="color" field="State">
    <colorPalette type="expression">mvindex(value,1)</colorPalette>
  </format>
</table>

A running service is getting displayed as green and a stopped one as red, but StartMode "Manual" is not being set to orange.
I'm sorting through web traffic and I'm trying to extract what device users are using from the user agent. However, when I have highlighted the device and check the preview, it has highlighted some different devices like Windows, Macintosh, Linux. But it has also highlighted a lot of random strings of text that definitely aren't devices, and when I've looked through these, I can clearly see the device in that user agent that hasn't been highlighted. Is there a way to make sure devices are being highlighted to be extracted and not random strings of text etc.?
With browsers like Google Chrome and Microsoft Edge, we are experiencing problems. We have observed that Splunk dashboard modifications do not reflect on various browsers. Even after refreshing the dashboard, I keep seeing old results. This problem has been tried out within the team, and everyone is facing the same. Additionally, if I check MS Edge, it appears that changes are reflecting, but not in Chrome.

Example: if I update a dashboard in Google Chrome, it is not showing for others, and if I refresh Chrome, the change will be discarded, but it is still showing on Edge, only for me, with the same link. If my teammates make changes, they also face the same issue: they can see the changes reflecting in Edge but not in Chrome. Is this normal behavior?
How to modify the sampling interval of the Splunk Add-on for VMware metrics? I want to change it to sampling every 5 minutes. I have tried many ways (including modifying the add-on source code), but failed.
Hello, sorry in advance if the question has already been asked, but I couldn't find anything. I'm currently working with Qualys logs on Splunk. The Qualys API to pull data into Splunk is already configured, but there are several pieces of information that the API does not retrieve, for example software installed on scanned computers. So the question is: is it possible to add a custom API into Splunk without interfering with the existing official Qualys API? And are there limitations for programming languages, or maybe it depends on the server on which my Splunk is running? Thank you in advance.
I can't wrap my head around how to do this search. It's like I need an array or variable.

Example Data:

Hostname      Storage
BackupServer  BackupStorage
Database1     Storage1
Database2     Storage2
Database3     BackupStorage

How can I say, show me a list of all servers using BackupServer[Storage]? I don't know the name of the backup storage in advance. All I know is the hostname is like Backupserver.
Hello, I have several lookups and I would like to display the details on a date range, but I can't really do it. I have tried several combinations, but either I display the last one or I display too many elements. As a bonus, if I could have the total it would be cool.

| inputlookup file1.csv
| append [| inputlookup file2.csv]
| append [| inputlookup file3.csv]
| append [| inputlookup file4.csv]
| append [| inputlookup file5.csv]
| append [| inputlookup file6.csv]
| sort - _time
| eval date = strftime(_time,"%Y-%m-%d")
| search date>2022-07-01 AND date<2022-07-04
| transpose 6
| sort - column
| search column=date OR column=count
| fields - column
| rename "row 1" as "name1", "row 2" as "name2", "row 3" as "name3", "row 4" as "name4", "row 5" as "name5", "row 6" as "name6"
Hi, I'm running a simple dbxquery and it's not returning any results:

dbxquery query="select * from departments;" connection="gmysqlg1"

The same query as an Input with the same connection runs fine on a schedule.

Version: Splunk Enterprise 9.0.0
How to add IP and devices
Hello community, I am trying to "reroute" specific logs (based on a regex match) to a different index. This is done on the heavy forwarder. It is ingested via syslog. Both props and transform are in the correct folder where syslog events are ingested. I have created a ruleset in props.conf:

[vmware]
TRANSFORMS-include = reroute_to_indexA

And here is the config from transform.conf:

[reroute_to_indexA]
SOURCE_KEY = _raw
REGEX = ^.*2300-.*$
DEST_KEY = _MetaData:Index
FORMAT = index-a

Last but not least, here is a sample of the logs I am working with:

Jul 5 09:02:11 10.32.37.214 1 2022-07-05T09:02:11.339-04:00 2300-RDSH-1-2 View - 1009 [View@6876 Severity="INFO" Module="Agent" EventType="AGENT_DISCONNECTED" UserSID="omitted" UserDisplayName="omitted" PoolId="2300-rdsh-farm1" MachineId="omitted" MachineName="2300-RDSH-1-2" MachineDnsName="2300-rdsh-1-2" CurrentSessionLength="180" TotalLoginLength="180" SessionType="APPLICATION"] User omitted has disconnected from machine 2300-RDSH-1-2

At this point I would have expected to see the logs being written to index-a. What I have done so far as troubleshooting:
- Remove SOURCE_KEY
- Replace SOURCE_KEY = _raw with field:MachineDnsName
- Replace SOURCE_KEY = _raw with fields:MachineDnsName
- Substituted the REGEX for .*2300.* and .*2300-.*

Nothing has helped so far; any help or pointers would be greatly appreciated.

Thank you,