I am not able to find the host field information for the events coming from a particular machine. This is related to a particular source type. Other logs from a different source type from the same machine have host field information. Events are reaching Splunk, but they are missing host field information. Can someone help?
Hi, We are having JMS Unresolved destinations as remote services and it is showing broken transactions due to this. We would like to include the pooled-jms package (https://github.com/messaginghub/pooled-jms) in the Java agent, as it is a Spring recommendation for JMS 2.0 since its version 2.1 (8th Jun 2020): https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.1-Release-Notes#activemq-pooling

> If you were using activemq-pool, support has been removed in this release in favor of pooled-jms that offers the same features while being JMS 2.0 compliant.

We are using org.messaginghub.pooled.jms.JmsPoolMessageConsumer and the agent error reported is:

````
Caused by: java.lang.NoSuchMethodException: org.messaginghub.pooled.jms.JmsPoolMessageConsumer.getDestination()
````

Thank you, David
When I send the Splunk search result data via webhook I am only getting the first row. Is there any alternative to this?
I have used the "Prometheus Metrics for Splunk" plugin from the Splunk Apps to get data from the Prometheus remote write. Both Prometheus and Splunk are installed on the local Windows machine (for testing). A Prometheus remote write is used to send data to Splunk.

Splunk configuration

````
[prometheusrw]
port = 8098
maxClients = 10

[prometheusrw://856412]
bearerToken = ABC123
index = prometheus
whitelist = *
sourcetype = prometheus:metric
disabled = 0
````

Prometheus configuration

````
- url: "http://localhost:8098"
  authorization:
    credentials: "ABC123"
  tls_config:
    insecure_skip_verify: true
  write_relabel_configs:
    - source_labels: [__name__]
      regex: expensive.*
      action: drop
````

Prometheus error log:

````
ts=2022-07-12T11:40:22.139Z caller=dedupe.go:112 component=remote level=info remote_name=856412 url=http://localhost:8098 msg="Done replaying WAL" duration=10.5184238s
ts=2022-07-12T11:40:22.438Z caller=dedupe.go:112 component=remote level=warn remote_name=856412 url=http://localhost:8098 msg="Failed to send batch, retrying" err="Post \"http://localhost:8098\": EOF"
````

Suggest corrections/ways to get Prometheus data to Splunk.
Hi, I'm trying to configure Drill-down Earliest Offset in my Notable from Adaptive Response Action. I'd like to run the Drill-down search with earliest set to 2 minutes before the earliest time of the search: $info_min_time$ - 2 minutes. I'm trying this configuration but it seems not to work properly. Is there a way to do so? Is there a way to set earliest in the Drill-down search? Thanks a lot, Marta
Hi Splunkers, Can anyone share the link for the Splunk Demo Portal? The old link no longer works: https://o2.splunkit.io/oxygen
I am looking for a drilldown option in boxplot. I tried editing the source and tried to do drilldown, but it is not working. Is there any workaround solution for this?
Hi, I have suspicious behaviour of Splunk when indexing log files. Here is the issue: when I search through yesterday's log it only shows events from 12:00 to 23:59! Logs from 00:00 to 12:00 are missed!

I have two paths that are continuously indexed by Splunk, like below:

index today: /data/today
index yesterday: /data/yesterday

index today: logs are copied to the above path every day and contain log files from 00:00 to 12:00 of today.
index yesterday: logs are copied to the above path every day and contain log files from 00:00 to 23:59 of yesterday.

FYI: index and path are completely different.
FYI: the log files are the same and the only difference is that "today log" contains data till 12:00.

Any idea? Thanks
Hi, The customer requested that we check an issue with the MS O365 app. In the process of collecting data using continuously_monitor mode, it is repeatedly confirmed that it does not work properly from the time milliseconds are added to the time value. This causes data collection to not work. Is this a bug in the O365 app? Have you ever seen or remembered a similar phenomenon? Refer to the attached image. Thanks in advance. Jiho
Hi, I'm new to Splunk alerting and I met a problem changing alert permissions using the ACL REST API. I'm writing a script to help me create Splunk alerts through the REST API, and I use the saved/searches endpoint to create a new alert and everything goes well; the alert is created successfully. Then I add `{alert_name}/acl` to the URL and attempt to update the permissions of the alert which I created before. But I receive a 403 error telling me "You do not have permission to change the owner of this object".

````
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">You do not have permission to change the owner of this object.</msg>
  </messages>
</response>
````

More confusing is that I can change the permission in the Splunk Web GUI; I can see the "edit permission" button for this alert. BTW, my account doesn't have the admin role. I have no idea about this problem and I don't know whether it is related to the account role or any capability. Has anyone encountered the same problem? Need your help and much appreciated!
Hello, Splunkers!! We are configuring Search Head clustering and when we init it, it gives a hostname error. However, init has been configured and so has bootstrap. Also, there is no problem deploying apps on clusters. How do I fix the error below? Huge thanks in advance!

````
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Search head clustering has been initialized on this node.
You need to restart the Splunk Server (splunkd) for your changes to take effect.
````
Hello, I have XML files with multi-line field values and have some issues with extracting those values. Sample field extraction code for the first 2 values and sample data/events are given below. Any help will be highly appreciated. Thank you!

Sample code

````
<USER>(?P<USER>.+)<\/USER>\\n\\r<USERTYPE>(?P<USERTYPE>.+)<\/USERTYPE>
````

Sample Data

````
<MTData>
    <USER>TEST05GLBC</USER>
    <USERTYPE>Admin</USERTYPE>
    <SUBJECT />
    <SESSION>hp0vtlg001</SESSION>
    <SYSTEM>DS</SYSTEM>
    <EVENTTYPE>USER_Supervisor</EVENTTYPE>
    <EVENTID>VIEW</EVENTID>
    <SIP>10.210.345.254</SIP>
    <EVENTSTATUS>120</EVENTSTATUS>
    <EMSG />
    <STATUS>FALSE</STATUS>
    <STIME>2022-06-02 19:10:57.967</STIME>
    <VADDATA>2019:00-00002; 2019:00-0000002; 2019:00-00003</VADDATA>
    <TIMEPERIOD />
    <CODE />
    <RTYPE />
    <DTFTYPE />
    <DIP>10.225.35.45</DIP>
    <DEVICE>Laptop</DEVICE>
</MTData>
<MTData>
    <USER>TEST06HLDC</USER>
    <USERTYPE>Power</USERTYPE>
    <SUBJECT />
    <SESSION>hp2ftlg021</SESSION>
    <SYSTEM>Test</SYSTEM>
    <EVENTTYPE>USER_MANAGER</EVENTTYPE>
    <EVENTID>Update</EVENTID>
    <SIP>10.210.345.254</SIP>
    <EVENTSTATUS>122</EVENTSTATUS>
    <EMSG />
    <STATUS>TRUE</STATUS>
    <STIME>2022-06-02 19:20:57.967</STIME>
    <VADDATA>2019:00-00012; 2019:00-0000002; 2019:00-00024</VADDATA>
    <TIMEPERIOD />
    <CODE />
    <RTYPE />
    <DTFTYPE />
    <DIP>10.225.35.45</DIP>
    <DEVICE>Laptop</DEVICE>
</MTData>
````
Having trouble with my roles/groups mapping with SAML. Setting up Azure AD+SAML on a test host here and my claim for group is coming back like "d5366c24-8188-xxxx-xxxx-65e599a64ed9" rather than the human-readable "SplunkSSO" group name which I expect. Funny enough, this works:

````
[roleMap_SAML]
power = d5366c24-8188-xxxx-xxxx-65e599a64ed9
````

But I was kind of expecting to have human-readable groups mapped to roles. I assume there is an error in Attributes and Claims in the Splunk Azure App. Not seeing it though. Any ideas where I might look?
Hi, I am trying to get all events with two different kinds of ObjectName (A or B vs C) but with the same username, and their access times should be close. The accessTime of events with ObjectName C should happen just after the events with ObjectName A or B. Here is my current query:

````
index=index1 host=host1 ObjectName=A OR ObjectName=B
| rename accessTime AS accTime1
| eval ptime=strptime(accTime1,"%Y-%m-%d %H:%M:%S")
| join userName [ search index=index1 ObjectName=C | rename accessTime AS accTime2 | eval itime=strptime(accTime2,"%Y-%m-%d %H:%M:%S") ]
| eval diff=abs(ptime-itime)/60
| appendpipe [| search diff<2]
| timechart span=1day dc(userName)
````

Is there any way to optimize this query? When the search time window becomes 1 month or more, the subsearch limitations influence the search result. Thanks!
A scheduler issue may be described as:

- reduced number of completed scheduled searches running during certain periods
- scheduler locks up and doesn't run any scheduled searches for a period of time
- high number of skipped/deferred scheduled searches

How can I provide Splunk Support the right diagnostics to solve my problem and determine root cause?
I am befuddled why the below two searches return different counts for the same period of time. The tstats one returns a smaller count. I would expect them to be the same number, with tstats just finishing faster. Anyone have thoughts on this?

````
| tstats count where index=* index!=_*
````

and

````
index=* index!=_* | stats count
````
Uploading the Splunk-Enterprise-Security package (800MB .spl file) from a user machine to the deployer via the deployer web UI results in the following exception:

````
413 Request Entity Too Large nginx
````

Environment: Azure AKS, Search Heads behind an NGINX Ingress controller. I attempted to add the application via the Deployer instance Upload Page. Clicking Upload fails instantly with: 413 Request Entity Too Large nginx
Had to take an indexer down for several days while an SSD was replaced. I used the "splunk offline --enforce-counts" command to allow the data to replicate back out to the other indexers (we have a replication factor of 1). I'm curious now, after the SSD has been replaced, what is the best option to rejoin this host to the cluster?
Hi everyone! Since I've never used the | rex command, I would like to parse the ip_address out of the raw event using rex. The event is:

````
org.apache.sor.client.soj.impl.HttpSorClient$Exception: Error from server at https://pimcv.sps.g:443/sor: Failed handshake due to exhausted 12 seconds timeout on channel [id: 0x2c132bc6, L:/56.201.42.175:42 - R:/56.201.45.41:86].
````

Can somebody help me do this please!
I need help displaying input radio button options based on the previous input radio button option selection. I have the below options created as inputs:

````
<input type="Radio" token="environment">
  <label>ENV</label>
  <choice value="site1">s1</choice>
  <choice value="site2">s2</choice>
  <choice value="site3">s3</choice>
</input>
<input type="Radio" token="sub-environment">
  <label>S-ENV</label>
  <choice value="site1-Area1">s1A1</choice>
  <choice value="site1-Area2">s1A2</choice>
  <choice value="site1-Area3">s1A3</choice>
  <choice value="site2-Area1">s2A1</choice>
  <choice value="site2-Area2">s2A2</choice>
  <choice value="site2-Area3">s2A3</choice>
  <choice value="site3-Area1">s3A1</choice>
  <choice value="site3-Area2">s3A2</choice>
  <choice value="site3-Area3">s3A3</choice>
  <choice value="*">All</choice>
</input>
````

I want to dynamically display the input fields based on the first radio button option selection:

- if the user selects the site1 radio button option, automatically display the radio button option labels s1A1, s1A2, s1A3 and All
- if the user selects the site2 radio button option, automatically display the radio button option labels s2A1, s2A2, s2A3 and All
- if the user selects the site3 radio button option, automatically display the radio button option labels s3A1, s3A2, s3A3 and *