All Topics

Hello. I am making an app in the add-on builder with multiple inputs. So naturally, once I am done and have saved the add-on, I end up with something like this:

However, when I make any updates to the app (adding a new input / deleting an existing input) this drop-down refuses to update. Is there another file I need to make a change to within the app? I looked in the UI/Nav folders but nothing stood out to me.
Hi all, I have trouble connecting my test MSSQL with DB Connect. I am able to connect to the DB using DBVisualizer with the credential I use for the identity. I am using the Generic MSSQL Driver.

The log:

    2022-05-27 21:37:44.537 +0800 [dw-59 - GET /api/connections/mssql-test/status] INFO com.splunk.dbx.connector.logger.AuditLogger - operation=validation connection_name=mssql-test stanza_name= state=error sql='unknown' message='The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". ClientConnectionId:da36105c-f9e9-44e9-aeeb-023742b9a4eb'

I don't know why the error log shows an SSL error when I have not enabled SSL for the connection. Below is the db_connections.conf:

    [mssql-test]
    connection_type = generic_mssql
    database = master
    disabled = 0
    host = 192.168.74.238
    identity = mssql-test
    jdbcUseSSL = false
    localTimezoneConversionEnabled = false
    port = 1433
    readonly = false
    timezone = Etc/GMT

Thanks in advance.
Hello guys. Looking for some help from the experts. I want to create an alert that will send emails to specific mailboxes; these addresses are part of the search result, so for example:

    DEVICE_TYPE     VULNERABLE_COMPONENT  COUNT  recipient
    Linux Server    OS Vendor Patches     5      team1@mydomain.com
    Linux Server    Oracle WebLogic       6      team2@mydomain.com
    Linux Server    Other                 4      team3@mydomain.com
    Windows Server  OS Vendor Patches     3      team1@mydomain.com
    Windows Server  Oracle WebLogic       12     team2@mydomain.com
    Windows Server  Other                 3      team3@mydomain.com

So I want team1@mydomain.com to receive the alert with the corresponding records,

    DEVICE_TYPE     VULNERABLE_COMPONENT  COUNT  recipient
    Linux Server    OS Vendor Patches     5      team1@mydomain.com
    Windows Server  OS Vendor Patches     3      team1@mydomain.com

and so on for the other recipients. I tried with the "|sendemail to:$results.recipient$" command I've seen in other posts but it didn't work. Thanks in advance for any help you can provide.
Hello, as a part of capacity planning we need to calculate Avg & Max calls per minute for each BT. When we tried plotting max values for calls per minute, it's not allowing us to plot it from the metric browser, but when I exported the CSV I can see the max values; however, those are not the actual max values for a BT. Later I came to know from the documentation that min and max values are available for node-level metrics only and are not visible for tier- and application-level metrics. https://docs.appdynamics.com/22.5/en/appdynamics-essentials/metrics-and-graphs/metric-browser#Metric... In this case, how can we find max calls per minute for an individual BT for a month, as I have 25 nodes in a tier? Thanks, Rahul
Hello, I am looking for the timechart option where I can get data for the last 7 days for a particular time range. Ex: if I select the time range 01:00:00 to 02:00:00 AM, then it should show data for the last 7 days for the same time range.

    Date/Time range                 Count
    2022-05-27 01:00:00 02:00:00    A
    2022-05-26 01:00:00 02:00:00    B
    2022-05-25 01:00:00 02:00:00    C
    2022-05-24 01:00:00 02:00:00    D
    2022-05-23 01:00:00 02:00:00    E
    2022-05-22 01:00:00 02:00:00    F
    2022-05-21 01:00:00 02:00:00    G

Thanks
Hi, I work on a dashboard with several charts. All these charts use the same customized fieldColors option, but I have to repeat the option charting.fieldColors in each chart. Question: is there a way to specify the option just one time and reuse it in each chart? Thank you
Hello Team, as per the screen below, I need to segregate payment methods like the graph below in Splunk. How can I achieve this in Splunk? The screenshot below belongs to NewRelic.
Is it possible for a search head cluster to search multiple indexer clusters? A solo search head can do so, but I'm not sure about the search head cluster.
Hi All, I am using a base search. I want to use the time picker (earliest and latest) in another panel which is using this base search. How can I achieve that? Reference query:

    <form version="1.1" theme="dark">
      <label>Test Dashboard</label>
      <description>Dashboard created for testing purpose</description>
      <search id="base_12">
        <query>
          index=test_index
        </query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <fieldset submitButton="true" autoRun="true">
        <input type="time" token="time">
          <label>Time Picker</label>
          <default>
            <earliest>-7d@w0</earliest>
            <latest>@w0</latest>
          </default>
        </input>
        <search base="base_12">
          <query>| search (($app$) AND ($environment$))| stats count by test | fields test</query>
        </search>

Regards, NVP
Hi all, I am having issues trying to script enabling and disabling maintenance mode with a hashed password. The command is:

    /opt/splunk/bin/splunk enable maintenance-mode -auth admin:somepassword

Is there a way I can hash the password? I have tried the hash-passwd and user-seed.conf but it does not seem to hash my clear text password upon restarting Splunk.
I want to run a heavy forwarder in an autoscaling group in stateless mode. Can I do it without worrying about the data directory /opt/splunk?
Hello, is there any command we can use to check the version of the Universal Forwarder that is actually running?
Hi Team, I want to pull the license usage stats particularly for 4 to 5 hosts for the last 30 days with a time span of 1 day, in GB, and bring it into a dashboard, so kindly help out with the query.

Host information:

    host 1 = xyz
    host 2 = abc
    host 3 = def
    host 4 = ghi
    host = vbg
I would like to run a search query every few minutes. How can I do that? E.g. index="a" sourcetype="b". Any help is appreciated.
I read https://docs.splunk.com/Documentation/MLApp/5.3.1/API/SavingModels and it highlights the way of creating your custom model and saving it with codecs in a way that Splunk can understand. Is there any way that I can decode my model (not a custom one, rather one created via the fit command) so I can see the structure of my model and its properties? I want to be able to export the model to use it in a personal system. Appreciate the help,
I started with the following query, required to join a knowledge library with discovered hosts. The results are stored in a summary index for quick(er) retrieval. The first query is usually less than 100 events, the second is 70,000+ every time, but the whole thing runs in less than 60s. The problem is the 50,000 JOIN subsearch limitation.

    index=qualys sourcetype="qualys:hostDetection" QID=* SEVERITY IN (3 4 5) LAST_SCAN_DATETIME=* earliest=-15min latest=now()
    | join type=inner QID
        [search index=qualys sourcetype="qualys:knowledgebase" QID=* earliest=1 latest=now()
        | dedup QID
        | table QID THREAT_INTEL_VALUES CVSS_V3_BASE PUBLISHED_DATETIME THREAT_INTEL_IDS VENDOR_REFERENCE TITLE]
    | table _time IP DNS NETBIOS TRACKING_METHOD OS TAGS QID TITLE TYPE SEVERITY STATUS LAST_SCAN_DATETIME LAST_FOUND_DATETIME LAST_FIXED_DATETIME PUBLISHED_DATETIME THREAT_INTEL_VALUES THREAT_INTEL_IDS CVSS_V3_BASE VENDOR_REFERENCE RESULTS

In order to overcome the JOIN/subsearch limit and maybe gain some efficiencies, I tried using eventstats instead. The resultant query is below, and runs for over an hour with questionable results (it never really finishes). I'm pretty sure it is not giving me the same output as the JOIN. What am I doing wrong?

New query:

    (index=syn_sec_qualys sourcetype="qualys:hostDetection" QID=* SEVERITY IN(3 4 5) LAST_SCAN_DATETIME=* earliest=-15m@m latest=now)
    OR (index=syn_sec_qualys sourcetype="qualys:knowledgebase" QID=* earliest=1 latest=now)
    | eventstats values(_time) AS _time, values(DNS) AS DNS values(TRACKING_METHOD) AS TRACKING_METHOD values(NETBIOS) AS NETBIOS values(OS) AS OS, values(TAGS) AS TAGS, values(TITLE) AS TITLE, values(TYPE) AS TYPE, values(SEVERITY) AS SEVERITY, values(LAST_SCAN_DATETIME) AS LAST_SCAN_DATETIME, values(LAST_FOUND_DATETIME) AS LAST_FOUND_DATETIME, values(LAST_FIXED_DATETIME) AS LAST_FIXED_DATETIME values(PUBLISHED_DATETIME) AS PUBLISHED_DATETIME values(THREAT_INTEL_VALUES) AS THREAT_INTEL_VALUES, values(THREAT_INTEL_IDS) AS THREAT_INTEL_IDS values(CVSS_V3_BASE) AS CVSS_V3_BASE, values(VENDOR_REFERENCE) AS VENDOR_REFERENCE, values(RESULTS) AS RESULTS BY IP, QID
    | table _time IP DNS NETBIOS TRACKING_METHOD OS TAGS QID TITLE TYPE SEVERITY STATUS LAST_SCAN_DATETIME LAST_FOUND_DATETIME LAST_FIXED_DATETIME PUBLISHED_DATETIME THREAT_INTEL_VALUES THREAT_INTEL_IDS CVSS_V3_BASE VENDOR_REFERENCE RESULTS
Updated the post since the error changed to "Error in 'where' command. The expression is malformed. Expected)". My aim is to use two separate strings of tokens in my search to pass the following:

1) "Start of the Month" + "Year" ($month1$ $year$)
2) "End of the Month" + "Year" ($month2$ $year$)

I was trying to combine the strings using <eval> within the <change> step but had no luck finding a guide to implement it properly. Would it be better just to add the <eval> within the search, or would it be better to do it during the change to avoid any complications?

    <form theme="dark">
      <label>CSC/ERSC/PSI PAGING Report</label>
      <fieldset submitButton="true" autoRun="true">
        <input type="dropdown" token="lpar">
          <label>Select to View</label>
          <choice value="----">----</choice>
          <choice value="D7X0">D7X0</choice>
          <choice value="H7X0">H7X0</choice>
          <choice value="D1D0">D1D0</choice>
          <choice value="DAD0">DAD0</choice>
          <choice value="E1D0">E1D0</choice>
          <choice value="H1D0">H1D0</choice>
          <choice value="WSYS">WSYS</choice>
          <choice value="YSYS">YSYS</choice>
          <default>----</default>
        </input>
        <input type="dropdown" token="year">
          <label>Select Year</label>
          <choice value="----">----</choice>
          <choice value="2022">2022</choice>
          <default>----</default>
        </input>
        <input type="dropdown" token="month1">
          <label>Select Month</label>
          <choice value="****">****</choice>
          <choice value="01/01/">January</choice>
          <choice value="02/01/">February</choice>
          <choice value="03/01/">March</choice>
          <choice value="04/01/">April</choice>
          <choice value="05/01/">May</choice>
          <choice value="06/01/">June</choice>
          <choice value="07/01/">July</choice>
          <choice value="08/01/">August</choice>
          <choice value="09/01/">September</choice>
          <choice value="10/01/">October</choice>
          <choice value="11/01/">November</choice>
          <choice value="12/01/">December</choice>
          <default>****</default>
          <change>
            <condition label="****">
              <set token="month2">----</set>
            </condition>
            <condition label="January">
              <set token="month2">01/31/</set>
            </condition>
            <condition label="February">
              <set token="month2">02/29/</set>
            </condition>
            <condition label="March">
              <set token="month2">03/31/</set>
            </condition>
            <condition label="April">
              <set token="month2">04/30/</set>
            </condition>
            <condition label="May">
              <set token="month2">05/31/</set>
            </condition>
            <condition label="June">
              <set token="month2">06/30/</set>
            </condition>
            <condition label="July">
              <set token="month2">07/31/</set>
            </condition>
            <condition label="August">
              <set token="month2">08/31/</set>
            </condition>
            <condition label="September">
              <set token="month2">09/30/</set>
            </condition>
            <condition label="October">
              <set token="month2">10/31/</set>
            </condition>
            <condition label="November">
              <set token="month2">11/30/</set>
            </condition>
            <condition label="December">
              <set token="month2">12/31/</set>
            </condition>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <chart>
            <search>
              <query>index=mainframe-platform sourcetype="mainframe:mpage" MVS_SYSTEM_ID=$lpar$
    | eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d")
    | eval _time=strptime(DATE." ","%Y-%m-%d")
    | where _time &gt;= strptime("$month1$""$year$", "%m/%d/%Y") AND _time &lt;= strptime("$month2$""$year$", "%m/%d/%Y")
    | chart sum(VIO_PAGING_SEC) as "$lpar$ Sum of VIO_PAGING_SEC" sum(SYSTEM_PAGEFAULTS_SEC) as "$lpar$ SYSTEM_PAGEFAULTS_SEC" sum(SWAP_PAGIN_SEC) as "$lpar$ SWAP_PAGIN_SEC" sum(LOCAL_PAGEFAULTS_SEC) as "$lpar$ LOCAL_PAGEFAULTS_SEC" over _time</query>
              <earliest>0</earliest>
              <latest></latest>
            </search>
            <option name="charting.chart">column</option>
            <option name="charting.drilldown">none</option>
          </chart>
        </panel>
      </row>
    </form>

Would appreciate the help.
Hi, I have a filter for selecting the country values, provided as a drop-down. We have options like singapore, malaysia, china, vietnam and also have an option of ALL. Based on the above selection, I have a panel that shows the success/failure count graphs. The issue I am facing is that I get values like (Null, Value, Other, 18, 38) in the countryCode column if I run the dashboard. But I don't see any event with the countryCode parameter having these values. So, can you help on fixing this issue? Thanks, Sahana
I am looking for a Splunk query to find out the Windows Remote Desktop Service status and also to find out whether port 3389 is listening on the server.
I need to push data from a Splunk report to Graphite. I know there's an archived app in Splunkbase but I'm sure the Python is incompatible with Splunk 8.2.4. Does anyone have a method for pushing scheduled report data to Graphite?