Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi there, I am new to Splunk, so the question could be silly... We set up an alert to alert the on-call team once the first log of the day with the keyword "down" is detected by Splunk. However, it is very chatty. I wonder if it is possible to make an alert like below.
1. If the daily scan finds multiple "down" messages in the past 24 hours, it only considers the most recent "down" message.
2. Splunk will then search the following 7 days for any "up" messages.
3. Splunk only considers the most recent "up" message, and as long as the timestamp of the "up" message is more recent than the "down" message, Splunk doesn't alert. Otherwise, it alerts the on-call team.
The most difficult parts for me are:
1. How to trigger another query if the daily schedule finds the down message.
2. How to keep the query running for the following 7 days.
Any help would be much appreciated. Thank you.
I am having trouble getting this case statement to work (I receive "Error in eval command"):

| eval match=case(cidrmatch("10.xx.x.0/16",asset_ip),"groupA", cidrmatch("10.xx.x.0/16",asset_ip),"groupA", cidrmatch("192.xx.xx.0/25",asset_ip),"groupA", cidrmatch("192.xxx.xx.0/24",asset_ip),"groupA", cidrmatch("10.xx.xx.0/24",asset_ip),"groupB", cidrmatch("192.xx.x.0/24",asset_ip),"groupB", cidrmatch("192.xxx.xx.0/24",asset_ip),"groupB", cidrmatch("192.xxx.xx.0/24",asset_ip),"groupB", cidrmatch("10.xx.x.0/16",asset_ip),"groupC", cidrmatch("10.xx.x.0/16",asset_ip),"groupC", cidrmatch("10.xxx.x.0/16",asset_ip),"groupC", cidrmatch("10.xxx.x.0/16",asset_ip),"groupC", cidrmatch("10.xxx.x.0/16",asset_ip),"groupC", cidrmatch("10.xxx.x.0/16",asset_ip),"groupC", cidrmatch("10.xxx.x.0/16",asset_ip),"groupC", true(), "Other")

I can't seem to figure out why this isn't working. Is 'case' the wrong statement to use here?
Hey All, I have the following issue. There is a lookup table I am using within a query where some items are returned with quotes and some are not. I have the following query and I need to ensure all the results are returned without quotes. My final query looks as follows: I know these quotes are causing issues with my final lookups. Any help is greatly appreciated.
Receiving the error below. The app used to work with the same credentials but we are now receiving issues.

2022-05-24 15:49:06,518 ERROR pid=16541 tid=MainThread file=SecKit_SA_geolocation_rh_updater.py:post_update:157 | Exception generated when attempting to backup a lookup file
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SecKit_SA_geolocation/bin/SecKit_SA_geolocation_rh_updater.py", line 122, in post_update
    stderr=subprocess.STDOUT,
  File "/opt/splunk/lib/python3.7/subprocess.py", line 411, in check_output
    **kwargs).stdout
  File "/opt/splunk/lib/python3.7/subprocess.py", line 512, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['$SPLUNK_HOME/etc/apps/SecKit_SA_geolocation/bin/geoipupdate/linux_amd64/geoipupdate -v -d /opt/splunk/etc/apps/SecKit_SA_geolocation/data/ -f /tmp/GeoIPij8vhpu5.conf']' returned non-zero exit status 126.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SecKit_SA_geolocation/bin/SecKit_SA_geolocation_rh_updater.py", line 124, in post_update
    except CalledProcessError as e:
NameError: name 'CalledProcessError' is not defined
Hello,
Specs: Splunk Enterprise 8.2.1, Server OS: RHEL 7.9
I have a distributed installation of Splunk Enterprise on RHEL 7.9, which comes with its own version of Python; Splunk also comes with two more versions of Python. I am creating an external lookup that runs a Python script which performs an API call and retrieves the values based on the input from the user in the Splunk search. My goal is to install an isolated version of Python 3 on the server. To achieve this I need to install Python 3 from source, and in order to compile the source code I need to install "Development Tools" along with other software that will be detailed below.
Main concern: I am not sure if installing these tools might negatively affect the behavior of Splunk or the OS Python. This Splunk instance is located on critical infrastructure, and there is no margin for error.
For reference, below are the steps to be performed.
1. Download Python from source: https://www.python.org/downloads/source/
2. Create a directory for the new Python installation: opt/ti_scripts/python3.10.4
3. Install tools for compiling code: sudo yum groupinstall "Development Tools" -y
4. Additional compiling tools: sudo yum install gcc openssl-devel libffi-devel bzip2-devel -y
5. Decompress the Python tar: tar xvf Python-3.10.4.tgz
6. Go to the decompressed directory: cd Python-3.10.4
7. Specify the location for the new Python installation: sudo ./configure --enable-optimizations --prefix=/opt/ti_scripts/python3.10.4
8. Install without altering the default Python: sudo make altinstall
9. Create a soft link for the new Python: sudo ln -s /opt/ti_scripts/python3.10.4 usr/bin/python3.10.4
Please help me with this situation, thanks.
I have a DCS with Splunk Add-on for VMware with 2 DCN. For some reason, it stopped ingesting data for two days. Is it possible to backfill the data for the two days it missed?
Hi All, I have created a summary index. I am making use of "sistats count by <fields>" to populate all the fields required, and I see those fields as well. The issue is: on this index I am trying to use the chart command and also stats count(<field>) as test (the chart command in one query and stats count in another query), but it's not working. No results are returned. If instead I use the stats command to populate the summary index, both commands work. Please let me know why the chart and stats commands are not working on the summary index that I have created using the sistats command (sichart is not working either). I am missing some technical information here. Regards, PNV
Hi,  I am trying to create a query to get all values that are larger than the average value. I have a file size field and I need to find all the files that are larger than the average file size. 
Hi, when I create Splunk apps which derive from React components, I usually create the React component on the command line and start Splunk via the command line also, resulting in Splunk being shown on my localhost. Is it possible to create such React components in an IDE like Visual Studio in conjunction with Splunk? Thanks
Hi, how can I extract only the last 2 words that exist in className? I have logs like this:

2022-05-24 16:29:51,918 INFO [APP] [ActionName] className[xx.xx.xxx.xxxx.xxx.session.controller.SearchClusterFinancialTcpMBean.search] status[done]
2022-05-24 16:29:51,918 INFO [APP] [ActionName] className[xx.xx.xxx.xxxx.xxx.session.controller.SearchClusterFinancialTcpMBean.search.attribute] status[done]

Expected output:

SearchClusterFinancialTcpMBean.search
search.attribute

Any idea? Thanks,
Hello all Could you please help me to get a price quote for Splunk Enterprise? I already contacted the sales team twice but did not get any answer from them
How would I write the following statements in Splunk?
Variables are start_access and last_access.
Statement: If 20 days have passed from the start_access AND there was no last_access since the last start_access, then the result is not active.
Hi Everyone, I am trying to collect logs with "Prisma Cloud Compute (Twistlock) App for Splunk" (Prisma Cloud Compute (Twistlock) App for Splunk | Splunkbase), but I found many error messages from the Python script, as in the picture below, and this is my inputs.conf. Does anyone have any suggestions? Thank you
Hi Community, I have this problem about data correlation; here's the detail. The source file is a test result summary named summary.xml, and it's not time sensitive. Splunk will parse the file into some events like event1, 2, 3, etc. The test info is in event 1 and the results are in events 2, 3, 4. My goal is to count the results of all tests under the same info. I don't know how to link this info. What kind of SPL search could I use? For example:

Summary1.xml:
event1 test info: alpha
event2 Pass
event3 Fail
event4 Fail

Summary2.xml:
event1 test info: beta
event2 Pass
event3 Pass
event4 Pass

The results I expected:

Test info | results
alpha | pass: 1, failed: 2
beta | pass: 3, failed: 0
Hi, I have a basic statement; however, I want the answers to be per second. So I need to divide all the results by 60; however, as I am using the by clause I can't do something like eval count = count/60, as all the columns are different. I might be able to use a foreach, but this might affect _time. Any ideas? Am I missing something simple here?

index="murex_logs" | timechart span=1m count by mx.env
Hi All, I am trying to log in to a Splunk instance with JavaScript SDK credentials but it is not working well.

// Route requests through the local proxy endpoint
var http = new splunkjs.ProxyHttp("/proxy");

// Create a Service instance and log in
var service = new splunkjs.Service(http, {
    username: "admin",
    password: "yourpassword",
    scheme: "https",
    host: "localhost",
    port: "8089",
    version: "5.0"
});

// Verify we logged in
// Print installed apps to the page to verify login
service.apps().fetch(function(err, apps) {
    if (err) {
        alert("Error listing apps");
        return;
    }
    var myapps = "";
    var appsList = apps.list();
    for (var i = 0; i < appsList.length; i++) {
        myapps += "App " + i + ": " + appsList[i].name + "<br/>";
    }
    document.getElementById("applist").innerHTML = myapps;
});
Hi Team, I wanted to know whether the Splunk License Monitoring Console will show the license usage report for all deployed Splunk products or only for Enterprise. Also, what is the difference between the Monitoring Console and the Cloud Monitoring Console? I know CMC is for Splunk Cloud Platform and the other one is for Enterprise, but I wanted to check whether both will show the license usage report for all Splunk product deployments (e.g. Splunk RUM, Splunk Enterprise Security, Splunk SOAR, Splunk Threat Research). Do we see the usage report for all products in one dashboard, or are there different dashboards for each product? Very confused; if anybody has any answer please let me know. Regards, Avinash
Hi, I'm trying to reduce the incidents in our environment, as part of which I am trying to group the events if they have similar fields and error messages. As part of this I have the below:
itsi_entity=xxx (hostname)
itsi_correlation_key=alertname."~".fingerprint (the fingerprint is unique for each alert)
Now in my environment I have multiple hosts which may generate the same alert. My search is working well when it comes to a single host, where it gives a correlation key like below:
itsi_entity - xxx
itsi-correlation-key - spacealert ~6089797
itsi_message: Nodes affected: xxx description: space alert
If an itsi_entity has multiple hosts which are impacted then it looks like below:
itsi-entity - abc,xvz,def
itsi-correction-key - null (does not display anything)
itsi-message: Nodes affected abc,xvz,def description: high CPU alert
I need some help here to display the correlation key if the entity has multiple values.
Hello! I want to ask about Private Spacebridge for Splunk Secure Gateway. Has anyone got a response from submitting to the Beta? After a long time of waiting I don't have any response from Splunk. I really want to test it out in my company. Is there any other chance to get a private (on-prem) version? I'm talking about this: https://www.splunk.com/en_us/form/privately-hosted-spacebridge-for-splunk-secure-gateway.html
Hi, I'm trying to load an Excel file from the Phantom vault to update the data inside. I'm able to fetch the file but couldn't open it to update the cell values. Can anyone help me with the custom code to read and write the vault files?