All Topics

From this given log:

"SQL:SELECT TABLE_NAME, COLUMN_NAME FROM TABLE_COLUMNS WHERE SCHEMA_NAME = ? AND TABLE_NAME in (?,?,?,?,?,?,?) AND DATA_TYPE_NAME IN ('CLOB', 'NCLOB', 'BLOB')","i":1,"t":250,"slft":250,"st":250,"m":16,"nr":0,"rt":0,"rn":8,"fs":0}

1. I want to extract the entire SQL statements containing the table name "TABLE_COLUMNS".
2. Extract their corresponding numbers for t, slft.
3. Chart on: SQL_STMT | t | slft

I need some help to get this query working:

"SELECT TABLE_NAME, COLUMN_NAME FROM TABLE_COLUMNS WHERE SCHEMA_NAME" | rex field= _raw "\"SQL:(?P<SQL_stmt>)\s*[FROM TABLE_COLUMNS]\s+\"" | rex field=_raw "SELECT \s* FROM TABLE_COLUMNS \s* ,\"t\":(?P<tvalue>[\d]) "slft":?P<slft_value>\d"| chart count over by SQL_stmt,tvalue, slft_value | sort by slft_value desc
Hello, I'm working on showing a panel if the $env:user$ is a match based on a search. The search that I'm using works for this use case:

| rest /services/authentication/current-context splunk_server=local | fields username | rename username AS id

This retrieves the appropriate ID (otherwise, I would just use the $env:user$ for conditional visibility, but this never works). With the query result, I set a token envid to $result.id$. I then do a condition match where $envid$==uu_33 (uu_33 represents the user ID required to display a panel). The result of the query is always correct with "uu_33", which matches the condition I have written. I have tried following the Splunk guides, and I have tried the following condition matches:

<condition match="'$envid$'==&quot;uu_33&quot;"> (current)
<condition match="$envid$==&quot;uu_33&quot;">
<condition match="'$envid$'==uu_33">
<condition match="$envid$==uu_33">

Nothing makes the panel show. Here is my XML. Any help would be appreciated.

<dashboard>
  <label>testenvid</label>
  <row>
    <panel>
      <html>
        <b>hi. your current id is $env:user$. The current result is $envid$ is set to be equal to $result.id$.</b>
      </html>
    </panel>
    <panel depends="$showpanel$">
      <table>
        <search>
          <finalized>
            <set token="envid">$result.id$</set>
          </finalized>
          <done>
            <condition match="'$envid$'==&quot;uu_33&quot;">
              <set token="showpanel">TRUE</set>
            </condition>
          </done>
          <query>| rest /services/authentication/current-context splunk_server=local | fields username | rename username AS id</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
Hello, I have a HEC with events like the following:

{ "Log": { "Status": "Ordered", "Platform": { "A": { "Tracking": {"Field1": "Value1", "Field2": "Value2"} } } } }

When I run the query

index="my_index" AND Log.Status="Ordered" | table Log.Status Log.Platform.A.Tracking

I get all the data for Status. However, my requirement is to have the JSON object Log.Platform.A.Tracking in a string format, i.e. the JSON as a string. How can I achieve this?
Hi Experts, I am unable to install splunkforwarder-8.2.2-87344edfcdb4-x64-release.msi on Windows Server 2012 R2. Getting "UF setup Wizard ended prematurely". Any help much appreciated!

splunk.log file content, sharing some last lines:

Splunk> The IT Search Engine.
Checking prerequisites...
Checking mgmt port [8089]: open
Checking kvstore port [8191]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from 'C:\Program Files\SplunkUniversalForwarder\splunkforwarder-8.2.2-87344edfcdb4-windows-64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
SplunkForwarder: Starting (pid 13848)
Timed out waiting for splunkd to start.
8:17:18 AM C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd uninstall >> "C:\Users\asharma\AppData\Local\Temp\splunk.log" 2>&1"
Removing service SplunkForwarder
Service removed
Disabled.
8:17:19 AM C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\SplunkUniversalForwarder\bin\SplunkMonitorNoHandleDrv.inf >> "C:\Users\asharma\AppData\Local\Temp\splunk.log" 2>&1"
8:17:20 AM C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\SplunkUniversalForwarder\bin\splknetdrv.inf >> "C:\Users\asharma\AppData\Local\Temp\splunk.log" 2>&1"
8:17:21 AM C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\SplunkUniversalForwarder\bin\splunkdrv.inf >> "C:\Users\asharma\AppData\Local\Temp\splunk.log" 2>&1"
Hi,

I need help with the below search query. Below are the sample logs.

Logs:
Conatainer: dev_test_cluster
CountRequired: 2
CountRunning: 1
FunctionName: dev_dd_app

I need to write a query to compare the CountRequired and CountRunning values and show details when CountRunning is less than CountRequired. Appreciate the help.
Hi Splunk Masters,

Currently stumped and couldn't find the solution through the forums. I have to chart the values from this particular column that has 50 different instances that change per different input in the dropdown (kindly refer to the code and screenshots for reference). Currently searching for a way to rename the values in the legend so that I could pass it in a drilldown to another dashboard. Is there a way to do it for the single column?

<edit> I would want either to rename it or add the four (4) alphanumeric characters from the dropdown plus a <space>, < - >, and <space> before the series names. For example, when the user selects D7X0, the output on the right is what the search would produce and the one on the left is my desired outcome:

BATPLOW D7X0 - BATPLOW
BATTLOW D7X0 - BATTLOW
D7X0WGHT D7X0 - D7X0WGHT
DDFTMED D7X0 - DDFTMED
MQDFLT D7X0 - MQDFLT
STCHI D7X0 - STCHI
STCLOW D7X0 - STCLOW
SYSSTC D7X0 - SYSSTC
SYSTEM D7X0 - SYSTEM
TSOMED D7X0 - TSOMED
OTHER D7X0 - OTHER
</edit>

Thanks

<form theme="dark">
  <label>CSC/ERSC/PSI_SRVCLASS_Report</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="lpar">
      <label>Select to View</label>
      <choice value="-LPAR-">-LPAR-</choice>
      <choice value="D7X0">D7X0</choice>
      <choice value="H7X0">H7X0</choice>
      <choice value="D1D0">D1D0</choice>
      <choice value="DAD0">DAD0</choice>
      <choice value="E1D0">E1D0</choice>
      <choice value="H1D0">H1D0</choice>
      <choice value="WSYS">WSYS</choice>
      <choice value="YSYS">YSYS</choice>
      <default>-LPAR-</default>
    </input>
    <input type="text" token="from">
      <label>From MM/DD/YYYY</label>
      <default>01/01/2022</default>
    </input>
    <input type="text" token="to">
      <label>To MM/DD/YYYY</label>
      <default>01/31/2022</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$lpar$ $from$ $to$</title>
      <chart>
        <title>Shows the Average of each Service Class</title>
        <search>
          <query>index=mainframe-platform sourcetype="mainframe:serviceclass" MVS_SYSTEM_ID=$lpar$ | eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d") | eval _time=strptime(DATE." ","%Y-%m-%d") | where _time &gt;= strptime("$from$", "%m/%d/%Y") AND _time &lt;= strptime("$to$", "%m/%d/%Y") | chart avg(MIPS_UTIL) over DATE by SRVCLASS</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
        <option name="charting.axisLabelsY.majorUnit">200</option>
        <option name="charting.axisTitleX.text">Dates</option>
        <option name="charting.axisY.minimumNumber">0</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">D7X0WGHT,H7X0WGHT,D1D0WGHT,DAD0WGHT,E1D0WGHT,H1D0WGHT,WSYSWGHT,YSYSWGHT</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">top</option>
        <option name="height">468</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
I'm not sure if this is the correct board. We run Splunk 8.2.1 on Linux. Lately a number of our domain users have been logging in via MFA to Azure. These are domain users logging in using domain credentials, but the logon is never recorded in the domain controller logs and as a result it's not seen in the Splunk reports. I have not been able to get much info from the Azure folks. I'm told that Azure, although it verifies the credentials, does not close the loop back to the domain controller. No solution is offered. I have to believe there is more to the story. Has anyone encountered this issue?
Does anyone have experience writing a query that can be used to alert on disabled AD accounts being re-enabled? I've learned that Windows EventCode 4722 can be used to find accounts being enabled, but I'm unsure of how to correlate that with whether or not the account was in a disabled state beforehand.  
I have the following JSON event:

{ "tags": [ {"key":"Name","value":"Damian"}, {"key":"Age","value":34}, {"key":"Country","value":"Argentina"}, {"key":"City","value":"Buenos Aires"} ] }

I need to extract the corresponding fields in my event, with the key and value:

Name="Damian"
Age="34"
Country="Argentina"
City="Buenos Aires"

This is what I tried:

| spath path=tags{}.key output=a_keys | spath path=tags{}.value output=a_values | eval {a_keys} = a_value

But the result of it is a multivalued field:

Name Age Country City = [ "Damian", "34", "Argentina", "Buenos Aires" ]

How can I create the correct fields?
With macOS Ventura (13) coming in a few months, is there a plan to provide a client that at least supports macOS Monterey (12)?
I have raw data where I need to convert the time in the raw data to a particular time zone. Example: if the time contains emea in it, I need to convert to CST time. These are the 3 time zone conditions:

when emea => CEST/CST time
when apac => HKT time
when us => EDT

6/10/22 9:39:00.000 AM   2022-06-10 15:39:00 emea
6/10/22 9:41:56.000 AM   2022-06-10 15:41:56 apac
6/10/22 9:41:56.000 AM   2022-06-10 15:41:56 us

Please help me with the query. Thank you in advance.
Hi everyone,

I'm actually trying to set up splunk-connect-for-kubernetes to get my cluster logs. I created 2 metrics and 1 HEC but I don't know if they are correctly set up or not:
. My metrics are using the Search & Reporting application (don't know if I should use something else).
. My HEC doesn't have a specific sourcetype (using the automatic one) and has the two created metrics.

As I'm using Splunk Enterprise on my localhost, my values.yml file is configured this way:

And for the metrics part:

The deployment with helm seems to be correct:

But I don't receive any data from my cluster. Where am I doing it wrong?

Thank you in advance,
Hi, I am getting this error, can anyone help?

WARN ManagedMonitorDelegate - Metric Reporter Queue full. Dropping metrics.

^ Post edited by @Ryan.Paredez: this post was split off into its own new post because it was a reply to a post that was over two years old. It's better to create a new conversation than to reply to a post that is over a year old.
Hey all, I'm trying to build a clickable dashboard. For that, I have chosen the line chart visualization. So in the below pic you can see the line chart resulting in a count of events with respect to some random id. So my idea is to make that id or count clickable so that we redirect to see the original events, i.e. for the below shown id we should be able to see all 6,630 event logs in a new tab. Is that possible by any chance? Thanks in advance @ITWhisperer
Hi Team, We have been requested to integrate CloudWAN application logs using an API key/token (pull), meaning pull logs from CloudWAN using an API token. But the issue is that the CloudWAN API key has a validity of only 1 day, so it is not possible to generate the API key on a daily basis to pull the logs from CloudWAN. So we are looking for any automated scripts or method to generate the API key and refresh data into Splunk.
Hi All,

I have the below logs in one event:

AMQ8450I: Display queue status details.
QUEUE(ECS.AU.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(00.28.06) LPUTTIME(00.28.06)
AMQ8450I: Display queue status details.
QUEUE(ECS.HK.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(01.32.35) LPUTTIME(01.32.35)
AMQ8450I: Display queue status details.
QUEUE(ECS.ID.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(01.26.46) LPUTTIME(01.26.46)
AMQ8450I: Display queue status details.
QUEUE(ECS.MY.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(01.38.02) LPUTTIME(01.38.02)
AMQ8450I: Display queue status details.
QUEUE(ECS.PH.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(23.12.07) LPUTTIME(23.12.07)
AMQ8450I: Display queue status details.
QUEUE(ECS.SG.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(01.39.26) LPUTTIME(01.39.26)
AMQ8450I: Display queue status details.
QUEUE(ECS.TH.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(01.28.20) LPUTTIME(01.28.20)
AMQ8450I: Display queue status details.
QUEUE(ECS.VN.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(21.47.43) LPUTTIME(21.47.43)

I tried to create a table out of the data using the query:

*** | rex field=_raw max_match=0 "QUEUE\((?P<Queue_Name>[^\)]+)\)" | rex field=_raw max_match=0 "CURDEPTH\((?P<Cur_Depth>[^\)]+)\)" | rex field=_raw max_match=0 "LGETTIME\((?P<Get_Time>[^\)]+)\)" | rex field=_raw max_match=0 "LPUTTIME\((?P<Put_Time>[^\)]+)\)" | table Queue_Name,Cur_Depth,Get_Time,Put_Time

But the table comes out as below:

Queue_Name | Cur_Depth | Get_Time | Put_Time
ECS.AU.TO_KAFKA_RES.LISTEN ECS.HK.TO_KAFKA_RES.LISTEN ECS.ID.TO_KAFKA_RES.LISTEN ECS.MY.TO_KAFKA_RES.LISTEN ECS.PH.TO_KAFKA_RES.LISTEN ECS.SG.TO_KAFKA_RES.LISTEN ECS.TH.TO_KAFKA_RES.LISTEN ECS.VN.TO_KAFKA_RES.LISTEN | 0 0 0 0 0 0 0 0 | 00.28.06 01.32.35 01.26.46 01.38.02 23.12.07 01.39.26 01.28.20 21.47.43 | 00.28.06 01.32.35 01.26.46 01.38.02 23.12.07 01.39.26 01.28.20 21.47.43

The problem here is that all the data is coming up in one row only. I tried the "mvexpand" command to split it up into individual rows but failed to do so. Please help to modify the query to make the output table come out as one row per line. Thanks All..!!
I am trying to parse data from three tables. In one table I have MAC_ADDR and HOST_NAME info, the second table has MAC_ADDR IP_ADDR NEIGHBOR_ADDR PORT and the third has IF_MAC DEVICE_NAME. The field names are as above. I use join for the first two tables the following way:

search router_table | join mac_addr [ search dhcp_table ] | table mac_addr host_name neighbor_mac ip_addr port

Now I want to search table 3, having fields IF_MAC and DEVICE_NAME, where I want to search (if_mac=neighbor_mac) and append device_name. I tried appendcols but I can't pass the neighbor_mac as an argument to the third subsearch. Can anyone help me figure out a way to add the result of the third search?
Hi All,

We are using the Splunk add-on for VMware to monitor vCenter devices. This is installed on a virtual appliance. There was no issue until a reboot of the appliance. But after the reboot yesterday, we are not receiving data on the VMware indexes (VMware-inv, VMware-task event and VMware-perf). We could see all the vCenter devices are connected in the Splunk add-on for vCenter. But still we are not receiving any data. I could see the required ports are open. In the _internal logs I could see the below error:

RROR Application Updater - Error checking for update, URL=https://apps.splunk.com/api/apps:resolve/checkforupgrade: Connect Timeout

Could anyone please provide any inputs to know why no data is being collected? Is the above error related to the VMware app?

regards
Manjunath R
Hi, I have a lookup containing some admin users and I need to add some text like "ADS_" before the username to distinguish them from normal users. I tried:

index=myindex tag=authentication | lookup Ads.csv Utenza AS username OUTPUT Gruppo | fillnull value=NULL | eval username=if(Gruppo="NULL",username, ADS_.username) | eval action=if(match(details_message,"opened a Web Portal"),"success",action) | search action=success dest_host!="- -" | stats count by username | sort count desc

What am I missing?

Thanks in advance!
Is it possible to set TLS for only one input? For example:

Checkpoint --> TLS --> SC4S --> Splunk
CISCO ASA --> UDP514 --> SC4S --> Splunk

So far, I can only find information about enabling TLS for all; just wondering if I can set it per source.

Thanks!