Dears, I am new to Splunk. I just installed the trial version through wget. Splunkd is running, but I am unable to connect to port 8000 after adding inbound rules in AWS. What needs to be done? Can anyone help me with this? Thanks in advance.
We are excited to announce the preview of Splunk ITSI custom threshold windows (CTW). ITSI CTW allows you to adjust your severity levels when expected abnormal behavior may arise, e.g. public holidays, the peak day of the year or month, or a large retail moment like Black Friday.

Need access to the ITSI CTW preview? Complete this brief application; we will contact you if there is space and availability to participate!

Already have access to the preview?
Want to access product docs? The ITSI custom threshold windows Docs offer detailed guidance on how to use the feature.
Want to request more features? Add your ideas and vote on other ideas at the ITSI custom threshold windows Ideas Portal.

Please reply to the thread below with any questions or to get support from the Splunk team; our product and engineering teams are subscribed to this post and will be checking for feedback and questions!
Hi, I have a table as the main search using dbxquery below:

| dbxquery connection=my_connection query="SELECT id, start_date, end_date FROM my_table"

Sample records:

id, start_date, end_date
1, 2020-01-01, 2020-01-04
2, 2020-01-03, 2020-01-05
......

And I have another lookup CSV with only two columns, as below:

date, amount
2020-01-01, 10
2020-01-02, 20
2020-01-03, 10
2020-01-04, 10
2020-01-05, 20
......

The output I want is:

id, start_date, end_date, total
1, 2020-01-01, 2020-01-04, 50 # total sum of 2020-01-01 to 2020-01-04 (10+20+10+10)
2, 2020-01-03, 2020-01-05, 40 # total sum of 2020-01-03 to 2020-01-05 (10+10+20)

What could be the best way to get this done? Thanks in advance!
Cisco ACI App for Splunk: when I enable this collection, it creates a huge load on the APIC.

[script://$SPLUNK_HOME/etc/apps/TA_cisco-ACI/bin/collect.py -classInfo aaaModLR faultRecord eventRecord]

I have attempted to widen the interval, but it just reduces the number of times the load happens. The APIC is almost unusable while this collection is happening. I removed these one at a time, and it appears to be the poll of the eventRecord that is causing the drag on the APIC. I thought Splunk would only pull in the new information since the last poll, but that does not appear to be what is actually happening. Is this expected? Is there a way to remedy this issue?
Do the resulting files from a "dump" command have a TTL? I think they must, since the files I created on Friday no longer exist. Here is the search I am using to create the files.

index="myIndexName" sourcetype="mySourcetype" myFilterField IN(123ABC, 456DEF, 789GHI) | dump basefilename=ABCCorp_06-06-22_0800_01330_ rollsize=1000 compress=5 format=raw | table *

Thank you.
Hi there, I have this type of event coming into Splunk:

```
[redacted:54407 24943076666] Processing MessageDispatcher.deliver_batch([#<Message::Queued:0x0000aaab14d8f418 @id=10440927, @created_at=Fri, 03 Jun 2022 14:21:43.890133282 UTC +00:00>, #<Message::Queued:0x0000aaab14dbc8c8 @id=10440928, @created_at=Fri, 03 Jun 2022 14:21:43.896693884 UTC +00:00>]{"tag":"something","strand":null,"singleton":null,"priority":25,"attempts":0,"created_at":"2022-06-03T14:21:43Z","max_attempts":15,"source":"hostname:redacted,pid:29920"}
```

I would like to extract all of the JSON fields dynamically without individually pulling them out with multiple rex's. I have tried the following, but I am not seeing the JSON fields being parsed. `myjson` is successfully extracted, but spath does not pull out individual fields from the JSON:

```
index="myindex" source="mysource"
| rex field=_raw "(?<myjson>\{.+\})"
| spath myjson
```
Hi, I am trying to create a Splunk app that mimics as much of the Search and Reporting functionality as possible, with some additional customizations. At the moment I am trying to import the field_extractor view into my application; however, I do not see documentation to support incorporating views that do not exist in the splunkjs/mvc directory. Is this possible?
Hello, I have a number of unique searches for various infrastructure resources. I would like to create a dashboard that builds a chart based on the chosen entry from a dropdown. Unfortunately, there's no easy way to create a base search and use tokens. In other words, I would like each input title to reference a specific search in dataSources. Example dropdown:

input selected value 1 = "dataSources": "search_1"
input selected value 2 = "dataSources": "search_2"
input selected value 3 = "dataSources": "search_3"

I could not find any documentation with examples of something similar. Thanks in advance.
Hello, does anyone know a fix for the Tenable Add-On for Splunk on this error? After the Splunk upgrade to 8.2.6 from 8.0.5 I got this thing blinking red on my indexer:

"Unable to initialize modular input "tenable_sc" defined in the app "Splunk_TA_nessus": Introspecting scheme=tenable_sc: script running failed (PID 753455 exited with code 1)"

Thanks a lot for any advice! Have a nice day!!
Hi, my data is in the format below. I am trying to add the total of all the columns and show it as below. Please help me on how I can achieve this. Also, I am trying to sort by renaming 1, 2, and so on as JAN, FEB, etc., but after renaming it is sorted in alphabetical order. How can I sort month-wise?
Does anyone have any experience in ingesting Incidents from Microsoft Sentinel (formerly Azure Sentinel)? I found info about the https://splunkbase.splunk.com/app/4564 add-on, which works with Graph Security, which is supposed to be a "middleware" of sorts between different kinds of security events, but on the other hand I find that data pulled this way is very limited in terms of details. So I thought about calling the Sentinel API directly. There is supposedly an API we could use; it has a PowerShell module. I'm not sure about decent "curlable" docs, but I didn't look very hard for it. Yet. The question, however, is: are we doomed to write something completely from scratch, or is there anything ready that I could use?
Sample Event:

sent=1 received=0 packet_loss=100 min_ping=NA avg_ping=NA max_ping=NA jitter=NA return_code=1 dest=SHTCE***

Tried code:

index=network
| eval Availability=case(received="1", 100, received="0", 0)
| stats avg(Availability) by dest
| sort +avg(Availability)
| rename avg(Availability) as "Availability %"
| streamstats current=f latest(packet_loss) as packet_loss latest(_time) as last_checked latest(_raw) AS prevEvent by dest
| eval downtime = _time - last_checked
| rename dest as Host
| table Host
Hi, thanks in advance. We have a requirement that two GitHub repos are in two different countries (e.g. USA and Canada), so every day we replicate code. A monitoring script would be created, which will compare the USA and Canada repositories. This script will be executed as part of the code replication pipelines. The comparison result generated by the script would be saved in a log file. This log file would then be sent to Splunk using the Splunk Forwarder. Alerts would be created in Splunk to send automated email. These alerts would get triggered if any differences are identified between the repositories based on the log data sent to Splunk. Is there any way to compare two repos using a Splunk app directly?
I have a table:

case id | severity | open date | status   | age
3241765 | critical | 6/5/2022  | awaiting | 30 days
9847636 | high     | 1/6/2022  | pending  | 5 days

I want to highlight the table by queries like these:

- if severity=critical AND status=awaiting or pending: highlight the values critical and awaiting in red
- if severity=critical AND status=awaiting or pending more than 30 days: highlight the row in red
- if the case is open more than 30 days: mark the cell in red.
Hi all, I need some assistance please. I am trying to create a report which shows all Active Directory activities carried out. It should contain columns as follows: Login, Account, Domain, Group, Host and Date. The Group column shows the name of the AD group which has been added or removed, and the Host is the Domain Controller. The Account column is the asset number of the machine. Thanks in advance!
Hi, I have a dropdown in my Dashboard Studio dashboard which has some static values like the following (TokenName: appName):

Display Name | Value
App1         | Value1
App2         | Value2

In my search query, I need to use both the display name and the value. We can get the value using $appName$, but is it possible to also get the display name? Hoping for some help. Thanks.
My Splunk Cloud Free Trial allows me to log in and also offers an option to upload test data. We need to check out the REST API provided by Splunk for Search, for use by our own test application from a computer. Please advise how the Splunk Cloud Free Trial can be set up for REST API access from the internet.
Hello all, I have integrated a Spring Boot application with AppDynamics. I need to collect request methods (GET, POST, DEL) and status codes (200, ...) in my data collectors. I am able to collect User-Agent and Host using HTTP Request Data Collectors, but not request methods and status codes.
I have a dropdown list with manually specified choices (A, C, D and All), but somehow Splunk auto-populates another option, *, as the default in my dropdown list after saving it. The reason I do not want * to represent All in my dashboard is that Type might contain B data that I want to exclude from being shown on my dashboard. Does anyone know how to remove this * option? Thank you.

<input type="dropdown" token="contentType">
<label>Type</label>
<choice value="A">A</choice>
<choice value="C">C</choice>
<choice value="D">D</choice>
<choice value="ALL" OR content_type="C" OR content_type="D">All</choice>
<prefix>(</prefix>
<suffix>)</suffix>
<default>"A" OR content_type="C" OR content_type="D"</default>
<initialValue>""A" OR content_type="C" OR content_type="D"</initialValue>
</input>
Hi, the DMC got an alert, "DMC Alert - Search Peer Not Responding". It works fine when a search peer goes down, but when it comes back we should get an alert/notification saying "Search Peer up now", right? Somehow the DMC/Splunk developers missed considering this situation/condition. I can check the "DMC Alert - Search Peer Not Responding" alert's search query and modify it to create the opposite, like "DMC Alert - Search Peer Responding Fine". Now the question is: the "DMC Alert - Search Peer Responding Fine" alert should work only after the first SH down alert. I hope you get the issue. Please suggest how we can achieve this, thanks.