Hi All, I need your urgent help in fixing one of the issues in my PROD environment. We have an application log which rotates twice daily, once in the afternoon and once around midnight. Logs start feeding into Splunk when the log rotates in the afternoon and stop feeding when the log rotates around midnight. If we make some minor change to the inputs, like adding any extra parameter to inputs.conf, it starts feeding again and then stops again in a few seconds.

This is my inputs.conf:

[monitor:///var/log/logpath/logpath/xx*.log]
sourcetype = abcd
disabled = false
index = xyz

This is my props.conf:

[abcd]
SHOULD_LINEMERGE=TRUE
BREAK_ONLY_BEFORE = \w\|\d+\|\d{2}:\d{2}:\d{2}\.\d{6}
MAX_TIMESTAMP_LOOKAHEAD = 15
NO_BINARY_CHECK = true
TIME_FORMAT = %H:%M:%S.%6N
TIME_PREFIX = \w.*\|\d*\|
category = Custom
disabled = false
pulldown_type = true
TRUNCATE=50000
MAX_EVENTS = 9999

Please let me know if any other information is required here. Any help will be highly appreciated. Thanks in advance, Prateek
I recently learned that it is best practice to use the Monitoring Console to manage our Splunk servers instead of installing Universal Forwarders on them. How then do we run a search across all of our Splunk servers' Event Logs to, for instance, see how long each one was up for? I have the query and I can run it against all of our other servers that do have the Universal Forwarder installed on them and it works great, but when I query the wineventlog index it finds none of our Splunk servers in it.
Hello team, we are looking for an incident management solution and wish to try out Splunk On Call, but we were not able to start a trial from your product page, as we are unable to submit the trial form and we get the following error. Any ideas about what we might be doing wrong here?
So recently I went to troubleshoot some servers that were not showing up in our queries, and that's when I discovered that the ones that work, that actually send their Event Log data to our Indexers, do not have an outputs.conf file. How can that be? In etc\system\local, that is.
Hi all, I am working with logs in Splunk and here I need to capture the word before the date and time field and the word after it:

ERROR 2022-06-09 xyz-abc

So, using a regular expression, I wanted to extract the words "error" and "xyz-abc", but this phrase is not necessarily at the start of the log; it can be anywhere in the log, like:

log1: ERROR 2022-06-09 xay-abc connecting to network.
log2: java.net.spring ERROR 2022-06-09 connecting to network.

So, please help me with a solution so that I can extract the field which contains error and the other field which contains abc-xyz. Thanks in advance.
I set up a Controller audit report on both our SaaS Controllers and received the reports over email. There's nothing in the email or the report which indicates which report is for which of the two controllers. As the email is also sent as AppDynamics Reports <noreply@appdynamics.com>, we have no way of telling the reports apart.
So I want to know how long our Splunk servers have been up for. I got the query and it works great on hundreds of other servers but not on our two dozen Splunk servers (Cluster Master, Deployment Servers, Indexers, Search Heads, etc.). I think it is because we do not have the Universal Forwarder installed on them, so can we install it on the Splunk servers, or am I dense and missing something and we can just use some Splunk Enterprise component to send Event Log data to our Indexers?
To extract the specific part of data from the file path:

C:/Users/USSACDev/AppData/Local/Temp/WindowsAETemp/35018_2225424_1655272292585
C:/Users/USSACDev/AppData/Local/Temp/WindowsAETemp/35018_2225421_1655272247058

The bolded part should be extracted. I already extracted the path with a rex command:

| rex "\"aeci\".*\"temp_path\":\s+\"(?<activity_id>[^\"]+)"

By the above command I got the file path; from that I need the specified bolded part. Can anyone help with this? Please provide a single rex command that includes the above regex, i.e. it should start from aeci (used in the above regex).
Does AppDynamics version 21.5 support CocoaPods or not? If yes, the CocoaPods version could not be determined for this SDK version. Which version needs to be specified in the Podfile for AppD SDK version 21.5?
Hello, I found a ton of eventtypes for the VMware agent module like AGENT_CONNECTED, AGENT_RECONNECTED, AGENT_SHUTDOWN, etc. I can't find one for AGENT_UNREACHABLE though. I'm hoping to trigger an alert through Splunk based on that eventtype. I can't find it in any VMware documentation and can't seem to find anyone asking the question. I can't be the only one. Is there an AGENT_UNREACHABLE eventtype, or is there a different way I can extract that piece from another event? Example:

index=* Module=Agent AGENT_CONNECTED
index=* Module=Agent AGENT_UNREACHABLE
I have a log file with a unique identifier (requestid) for a sequence of events. I want to show a breakup of all events within the requestid. I plan to show that by "marking" the start and stop logs of the different events I plan to track (based on the specific log message), and finally create a table like this:

06/14/22 12:35:03.022 requestid=1 requestid1 started
06/14/22 12:36:03.022 requestid=1 Event1 started
06/14/22 12:37:03.022 requestid=1 Event2 started
06/14/22 12:38:03.022 requestid=1 Event2 ended
06/14/22 12:39:03.022 requestid=1 Event1 ended
06/14/22 12:40:03.022 requestid=1 requestid1 ended

Event  | Start Time            | Duration
-------|-----------------------|---------
Event1 | 06/14/22 12:36:03.022 | 180
Event2 | 06/14/22 12:37:03.022 | 60

The time series will be across the duration of the requestid transaction of 5 mins. Could you let me know how this can be achieved? Thanks!
I'm trying to change the color of a row in a table based on the value of a field 'action'. If it's equal to "allowed", I want the row to be green. If it's equal to "blocked", I want it to be red. How can this be done in the code? I'm not seeing much documentation online for manipulating context. Thanks in advance, and I appreciate the help.
Hi, I am working on a lookup in a lookup. I have the following search:

index=* source="*WinEventLog:Security" EventCode=4688 [| inputlookup attacktoolsh.csv WHERE discovery_or_attack=attack | stats values(filename) as search | format] | transaction host maxpause=10m | where eventcount>=5 | fields - _raw closed_txn field_match_sum linecount | table ComputerName, New_Process_Name, Process_Command_Line, _time, eventcount

This works fine; the lookup attacktoolsh.csv has the tools, and I have a hit on a client. Now I would like to integrate a second lookup file into the search that lists a computername/username, so that if the search hits on attacktoolsh.csv it looks in the second file, and if the computer/user is in that file the search should not produce a notable. In short: computer A is running "nmap", this is allowed on computer A, and computer A is in the second file. Computer B is running "nmap" and is not allowed to run this, so produce a notable / warning. Anybody an idea how to integrate this together? Thanks.
I'm trying to change the font size of a table in a dashboard studio visualization. How is this done in the code? I've tried a few ways but having no luck. Thanks in advance and I appreciate the help.
AL9851 | Z1 | [https://example1.com/] recording played asia location is Down
AL9851 | Z1 | [http://alphabeta/] recording played from asia location is Down
AL9851 | Z1 | [http://alphabeta/] recording played from US location is Down

I have the above log, from which I need to extract the URL, as the URL varies but the content before and after the URL is the same.
I need to find the number of events that start with certain conditions and end with certain conditions. Example:

index="*" source="*" | transaction startswith=C OR D endswith=A OR B

I need to find the count. How to do it?
I want to add a few rex statements to my existing search based on a token being set. Please see the example below.

ex:
| regex _raw="$token1$"
if($token2$){
  | regex _raw!="abc"
  | regex _raw!="xyz"
}

Please let me know if I can achieve this in some other way. Thanks!
I am running something like the following:

| bin _time span=1s | stats count by fuzz

When doing this, though, I do get gaps where there is no result for some one-second time frames. I do need per-second data, but when doing this I feel I am getting some false data since it is not accounting for the missing seconds. Essentially I want to see how many transactions a second we are posting to specific servers.
Hi everyone, my team is asking if it would be possible to have a single dashboard panel link to the different dashboards for the matching reports, similar to the "Navigation Menu", since it might make it more user friendly to give public access to that dashboard via a hyperlink. I uploaded the names of the reports via a lookup CSV table. I was considering placing it there but was unsure if that would work, and would rather have it as a click-on-the-report kind of option for the business users. See the screenshot for reference. Is there a way to do it using XML or HTML?

| inputlookup capcaity_report_titlte.csv
When I add all the details required in the Splunk Add-on for Office 365 and click Add, I get the following error. Screenshot is attached. Regards, Faisal