All Topics


Splunk DB Connect 3.9 won't accept the Java Runtime "jdk-18_linux-x64_bin.tar.gz". When DB Connect prompts me to input the JRE Installation path in Configuration > Settings, it throws this error "Need Oracle Corporation JRE version 1.8 or OpenSDK 1.8". I don't seem to get the link that will take me to download this JRE 1.8 version. Can someone point me in the right direction to get the right JRE version downloaded? Thanks in anticipation.
Hello, a customer has a single-spa microfrontend app (https://single-spa.js.org/docs/getting-started-overview). After installing Brum, it will report an error. See the below screenshot. Is there any suggestion for this case? Thanks
AppDynamics Identity Provider users get a seamless SSO experience across AppDynamics products and services

Beginning with v22.6.0, users authenticated by the global AppDynamics Identity Provider (AppD IDP) will only need to sign in to an authorized AppDynamics product or service once. As they navigate from one to another of their authorized AppDynamics products and services, they will not be asked for their password again.

NOTE | This change does not affect current Controller local, SAML, and LDAP users, who can continue to sign in as they always have, without disrupting their access.

On the horizon…

Though this feature is currently only available for users added since v21.11, the ability to convert an existing (pre-v21.11) user account to the new SSO-enabled AppDynamics managed user identity is planned for later in 2022. Be on the lookout for an announcement describing this conversion in the future.

In this article…

- Frequently asked questions
  - Getting started with AppDynamics SSO
    - How do I sign in so I can see and navigate to my AppDynamics products and services?
    - Where is the password field in the sign-in screen?
    - Why do I have to enter my username twice?
    - Can I change my local Controller account if I am not currently a global AppDID User?
    - What if an AppD IDP account is used for a service account API authentication on a Controller?
  - How do I know…
    - What is the AppD IDP and how do I know whether I’m using it?
    - How can I tell whether or not I’m an AppDynamics Identity Provider user?
  - Questions from Admins
    - As an admin, can I set these users to be authenticated by my IDP in the Account Management Portal?
    - As an admin, how do I give users access to a Controller tenant?
- Additional resources

Frequently asked questions

Getting started with AppDynamics SSO

How do I sign in so I can see and navigate to my AppDynamics products and services?

AppDynamics IDP users can use the following steps to view and navigate to their AppDynamics products and services:

- Navigate to https://accounts.appdynamics.com/personal-profile
- Sign in as usual from any AppDynamics product or service:
  - Starting from your Controller account
    - Enter your account name
    - Enter your username (which is your email address)
    - Click Next
    - The system will recognize you as an AppD IDP user and redirect you to the AppD IDP for authentication.
    - Enter your username again and click Next.
    - Enter your password and click Sign in.
    - You will land in the Controller signed in.
  - Starting from any accounts service (like University or Community)
    - Click Sign in
    - Enter your username (which is your email address)
    - Click Next
    - Enter your password and click Sign in.
    - Once signed in, you will see your target experience.
- From the mini-profile (look for your username in the top of the screen), choose “Manage my Profile” or access this link. From here you can see any AppDynamics Controllers to which your profile is associated, as well as all related services (i.e., AppD University, Community, Documentation, Support)
- Each time you click a Controller or service from your personal profile, it will open in an active (already authenticated) new tab.

Where is the password field in the sign-in screen?

The password field appears once you enter the username and click Next. It may either appear on the same screen, or once you are redirected to your “global” sign-in page.

Why do I have to enter my username twice?

You need to enter your username twice when first signing in due to our use of a global identity provider.

TIPS | Use the “Remember me” functions to further streamline all your future logins. Alternatively, sign in to your personal profile page first. It will show you everything you have access to and provide direct access links.

Can I change my local Controller account if I am not currently a global AppDID User?

We are working on a migration to AppD IDP user capability that will upgrade your existing Controller account to AppD IDP. It is on the roadmap for later this year.

What if an AppD IDP account is used for a service account API authentication on a Controller?

You can expect successful authentications when an AppD IDP account is used for a service account AppD IDP authentication on a Controller. The service account can be authenticated without the SSO flow. That said, we recommend that customers move to our OAUTH-based API clients for this process, wherever possible, to improve security. See the documentation for this feature here.

How do I know…

What is the AppD IDP and how do I know whether I’m using it?

AppD IDP stands for “AppDynamics Identity Provider”. Until now, each Controller has served as its own identity provider. From this point forward, we are moving that function to the AppD IDP, a global AppDynamics Identity Provider.

If you have chosen SAML or LDAP as your authentication provider in the Controller tenant authentication provider settings tab, then you are not using the new AppD IDP for user identity management, but instead are using your own provider. If your Controller tenant has “AppDynamics” selected in the Controller tenant authentication provider tab, then users created since v21.11 are using the AppD IDP for user identity management.

How can I tell whether or not I’m an AppDynamics Identity Provider user?

If your account was created between now and v21.11, and your email address is your username, then you are an AppDynamics Identity Provider user.

You can confirm this by logging into your personal profile at https://accounts.appdynamics.com/personal-profile. If the Assigned Controller Tenants section lists the Controllers you use, you are an AppDynamics Identity Provider user. Legacy local AppDynamics user accounts are those created before v.21.11 that do not use email as their username.

NOTE | As with Controller based SAML and LDAP users, current pre-v21.11 legacy local users can continue to sign in as they always have, without a disruption to their access.

Questions from Admins

As an admin, can I set these users to be authenticated by my IDP in the Account Management Portal?

Yes! This is like any other AppDIDP-managed user except that when they sign in, they will be redirected to the customer IDP. Just add the user using their email address to the Controller account.

As an admin, how do I give users access to a Controller tenant?

The user must be added from the Controller users page, using their email address. If a user’s email exists in the AppD IDP, that account will be used for SSO features.

NOTE | Users cannot be given access to a Controller tenant from the Accounts Management Portal at this time.

Additional Resources

You may find the following AppDynamics Documentation resources useful:
Create AppD IDP User API OpenAuthorization Mechanisms  SAML Federation AppDynamics API Clients

Also related to this topic are the following Knowledge Base articles:
Access to AppDynamics University is easier than ever Changes to user creation and password policy  AppDynamics Global Identity Migration Experience FAQ
I need to get the list of the IPs that have generated the most outgoing traffic. When the query is generated I find that there are multiple records for the same IP. Is there any way to get a total of GB for each IP? Thank you  
I don't have a ton of experience with Splunk yet but I've been asked to find API endpoints (which appear to be in our raw data) and see how often they're being used.

Example Events:

| 2022-07-08 05:59:06 21.30.2.80 POST /api/transact/credit/sale 5051 - 571.232.505.62 okhttp/3.18.9
| 2022-07-08 05:02:01 22.35.3.79 POST /api/transact/device 6062 - 641.141.323.82 okhttp/2.15.3

What I want to end up with is the api and a count:

/api/transact/credit/sale        3,475
/api/transact/device               275

Is this possible? Thank you!!
Splunk Enterprise 8.2.3.3 on Linux

In our implementation, I'm using a cluster app on our Indexer and Search Head clusters to control LDAP authentication. I have two separate apps (due to different authentication needs on each) but essentially the same basic LDAP configuration. This has been working fine since inception but we recently had to update the password used to connect to the LDAP server.

I thought it would be a matter of simply updating the password in the 'default' authentication.conf in each of the apps and then deploying an app bundle to each cluster. I assumed that the 'local' authentication.conf, which normally gets created on each node with an encrypted version of the app password, would get updated with a new encrypted password on each of the cluster nodes as part of the bundle push.

The bundle deployments worked fine, but LDAP authentication was not working afterwards. The 'local' authentication.conf did not get updated during the app bundle push to either cluster and the way I got it working was:

1. Manually remove the app's 'local' authentication.conf from all of the Indexer and Search Head nodes
2. Do a rolling restart of each cluster

After that, the LDAP authentication worked correctly. Is that expected? Is there a better way of doing this? Any issues with my use of 'default' / 'local' for these purposes? Thanks in advance for any thoughts.
I have read a lot of different threads and docs but still having trouble pulling what I need out of the below JSON. Essentially want a condensed list of the vulnerabilities data but this JSON nests the vulnerabilities based on the "Package". I would like a table that lists all the applicable vulns and for each image.

Table I am trying to get:

Image Name    (CVE)            NVD_Score    Description           etc...
Image_name    CVE-2022-0530    4.3          A flaw was found....

Image of JSON example

I can include raw data if that would help.
Good day friends... I expose the following issue: A little over a month ago we upgraded the Splunk version from 7.0 to 8.1.7.2. I do not know if it is because of the upgrade, but Splunk no longer lets me create users, showing the following error: "In handler 'users': Could not get info for role that does not exist: windows-admin". I also removed the apps that Splunk had and that are compatible, among them "Splunk App for Windows Infrastructure". I don't know if this or the above generated this problem. Can you help me if anyone has had this happen and how did you solve it? Thanks
Hi All, I'm trying to make a 1 month of a dexter report in Appdynamics. But unable to do it. Kindly share the steps for monthly report generation.
I have logs from switches being ingested, but the data doesn't conform to any standard data model. Is this possible or  
Please help me load jquery-ui into a dashboard XML. Also, can I load the jquery-ui CSS inside the require.conf? In the browser console, I'm getting this error:

    JQuery Version:
    3.6.0
    VM4289:50 Uncaught TypeError: Cannot read properties of undefined (reading 'ui')
        at eval (eval at <anonymous> (dashboard.js:1276:187236), <anonymous>:50:20)
        at Object.execCb (eval at module.exports (dashboard.js:632:662649), <anonymous>:1658:33)
        at Module.check (eval at module.exports (dashboard.js:632:662649), <anonymous>:874:51)
        at Module.eval (eval at module.exports (dashboard.js:632:662649), <anonymous>:1121:34)
        at eval (eval at module.exports (dashboard.js:632:662649), <anonymous>:132:23)
        at eval (eval at module.exports (dashboard.js:632:662649), <anonymous>:1164:21)
        at each (eval at module.exports (dashboard.js:632:662649), <anonymous>:57:31)
        at Module.emit (eval at module.exports (dashboard.js:632:662649), <anonymous>:1163:17)
        at Module.check (eval at module.exports (dashboard.js:632:662649), <anonymous>:925:30)
        at Module.enable (eval at module.exports (dashboard.js:632:662649), <anonymous>:1151:22)

    require.config({
        waitSeconds: 0,
        paths: {
            'localjquery': '/static/app/myapp/lib/jquery.min',
            'jqueryui': '/static/app/myapp/lib/jquery-ui.min'
        },
        shim: {
            'jqueryui': {
                deps: ['localjquery']
            }
        }
    });

    require([
        // 'splunkjs/ready!',
        'underscore',
        'backbone',
        'localjquery',
        'splunkjs/mvc',
        'jqueryui',
        'splunkjs/mvc/simplexml/ready!'
    ], function (_, Backbone, $, mvc) {
        defaultTokenModel = mvc.Components.get("default");
        console.log("JQuery Version:");
        console.log(jQuery().jquery);
        console.log("JQuery-UI Version:");
        console.log($.ui.version);
    });

Dashboard

    <dashboard script="input_slider_range.js" stylesheet="lib/jquery-ui.min.css">
      <label>slider range</label>
      <row>
        <panel>
          <html>
            SLIDER
            <p>
              <label for="amount">Price range:</label>
              <input type="text" id="amount" readonly="true" style="border:0; color:#f6931f; font-weight:bold;" />
            </p>
            <div id="slider-range"></div>
          </html>
        </panel>
      </row>
    </dashboard>
Hello, My goal is to create a ping test for several cameras we have onsite. I'm looking for advice on this issue. We are using a software called Genetec for our cameras (not sure if this can be integrated with Splunk nor if it is completely necessary).

Details:
- Currently I have Splunk Cloud (3 on-premise Hosts AWS)
- Cameras that connect to a physical router at our office. I have access to the physical router used by the cameras.
- Private IPs within a VLAN. I have access to the cameras' private IPs and can ping them when connected to our VPN.
- Genetec software used for our cameras.

Goals:
- Create Alerts when the cameras go down via a ping test.
- Possibly create a dashboard showing each camera's availability (meaning if it is on or off)
Hello peeps, Currently I have a list of processing times. And I am trying to create a dashboard that shows the average time, max time, and the count of how many times that action is processed.

    index=IndexA | stats avg(cTotal) max(cTotal) count(cTotal) by name | sort 10 -count(cTotal)

Totaltime is a given header and an example is

When I run the script, I get accurate results for count and max, but the avg is not currently working. I'm thinking it's because of the time string (hours, min, sec, millisec) but if anyone has any advice on how to make the average work, I would love to hear it!
We are trying to filter out events from a Syslog server that is ingesting data for a number of sources but the one we are trying to filter is from our Meraki devices. Each Meraki is considered a source and the sourcetype is meraki. This is a sample of the events coming into Splunk:

    2022-07-08 07:14:51.427 xxx.xxx.xxx.xxx 1 Location_XXX flows src=xxx.xxx.0.1 dst=8.8.8.8 mac=70:D3:79:XX:XX:XX protocol=icmp type=8 pattern: allow icmp
    host = xxx.xx.0.2
    source = /syslog0/syslog/meraki/xxx.xx.0.2/messages.log
    sourcetype = meraki

There are more than 100 sources all using the format: /syslog0/syslog/meraki/<IP Address>/messages.log

How can I put that source in props.conf without listing each one separately?
We recently upgraded our on prem Splunks to version 9.0.0 and now any time we click on our home grown Dashboards we get this error:

    This dashboard version is missing. Update the dashboard version in source

We were on an older version of Splunk 8.x for a while so no idea when this has changed.
Hi, I have two event fields with the same name "timestamp". I just want to display (in stats) the "timestamp" field from the "ResponseReceive" logEventType. Not the one from logType "SystemLog". Currently it displays both. Is there a way to do this? Any assistance is appreciated. Thank you!!

    ...
    | fields timestamp, apiName, apiVersion, ceoCompanyId, entityId, sessionId, transactionDetailsResponse.transactionDetailsList.totalCount, transactionDetailsResponse.transactionDetailsList.transactionDetails{}.acctNumber, transactionDetailsResponse.transactionDetailsList.transactionDetails{}.Amount, transactionDetailsResponse.transactionDetailsList.transactionDetails{}.tranDateTime, transactionDetailsResponse.transactionDetailsList.transactionDetails{}.totalTranCount
    | rename transactionDetailsResponse.transactionDetailsList.totalCount AS "TransactionCount", transactionDetailsResponse.transactionDetailsList.transactionDetails{}.acctNumber AS "AcctNum", transactionDetailsResponse.transactionDetailsList.transactionDetails{}.Amount AS "Amount", transactionDetailsResponse.transactionDetailsList.transactionDetails{}.tranDateTime AS "TranDateTime", transactionDetailsResponse.transactionDetailsList.transactionDetails{}.totalTranCount AS "TotalTranCount"
    | stats values(timestamp) AS timestamp, values(TranDateTime) AS TranDateTime, values(apiName) AS apiName, values(apiVersion) AS apiVersion, values(ceoCompanyId) AS ceoCompanyId, values(entityId) AS entityId, values(TotalTranCount) AS TotalTranCount, values(AcctNum) AS AcctNum, by sessionId,
Hi All, I have this report. My requirement is to show in the table only those events that do not have the Plugin Name = "TLS Version 1.1 Protocol Deprecated" with the Port = 8443 OR 8444, which I have filled with yellow. But it should still show the events that have Plugin Name = "TLS Version 1.1 Protocol Deprecated" with other ports, excluding Port 8443 OR 8444. I am using the search below, and the result shows only Plugin Name = "TLS Version 1.1 Protocol Deprecated" with other ports, excluding Port 8443 OR 8444. I want the result to show all Plugin Names, excluding Plugin Name = "TLS Version 1.1 Protocol Deprecated" that have Port = 8443 OR 8444. Any suggestions?
In logs there are multiple lines printed like below and I want to print all of them in a table, but my search query only prints one value. Need help to print multiple records.

    Balance amount is zero for invoice id:20220402-126-12300-A
    Balance amount is zero for invoice id:20220502-126-12300-B
    Balance amount is zero for invoice id:20220602-126-12300-C

Need to print like: 20220704-126-77300-A, 20220404-126-77300-A , 20220704-126-77300-A

Query I am trying:

    rex field=_raw "Balance amount is zero for invoice id:(?P<InvoiceExceptionNo>\S+)"
Hello community

In our distributed environment we have a few heavy forwarders set up to deal with zone boundaries and whatnot. Silly enough of me, I assumed these would all be configured and humming along, though it turned out that not a single one of them were actually being used. I have looked through the manual, as well as the forum here, though I am still somewhat confused regarding the setup and configuration needed. So I’ll take this step-by-step.

We have a universal forwarder set up in a Linux machine set to collect some sys/os logs and a filewatch for application log. Now, the UF connects to the deployment server and fetches the configuration, so far so good. Though nothing shows up on indexers and/or search heads.

First of all, I noticed that “Receive data” on the HF was empty, I assume there should be a port listed here so I added the standard port. After this, the server could “curl” connect to the HF, so this seemed like a fantastic start. However, still no log. The local splunkd log in the UF shows:

    07-08-2022 13:36:07.718 +0200 ERROR TcpOutputFd [4105329 TcpOutEloop] - Connection to host=<ip>:<port> failed
    07-08-2022 13:36:07.719 +0200 ERROR TcpOutputFd [4105329 TcpOutEloop] - Connection to host=<ip>:<port> failed

So traffic is allowed though still the UF cannot connect to HF. From what I can tell from other threads, I also need to have the same apps as deployed on the UF installed on the HF? Or am I misinterpreting this? Could this explain the failed connections?

I have the inputs correct on the UF, I have the outputs.conf pointing at the HF. The HF sends _internal to indexers so that seems ok. It is just not accepting connections from the UF. What exactly do I need to have on the HF so that log can be “redirected” from UF to IX?
Hi, Does anyone know how I can make the columns in all my tables the same width so that it lines up? I'm using the transpose command to fill in the header_field.