I have a search that joins an index to a .csv lookup. When I run the search for the last 24 hours in the GUI, I get ~81k matches (expected). When I run the exact same query via the SDK, I get 0 matches. Here is my code:

import sys
from time import sleep
import splunklib.client as client
import splunklib.results as results

service = client.connect(host=HOST, port=PORT, username=USERNAME, password=PASSWORD)

query = "search index=my_index sourcetype=my_sourcetype | fields field1 field2 field3 field4 field5 field6 field7 | join my_primary_key[| inputlookup my_lookup_file.csv ]"
kwargs = {"exec_mode": "normal",
          "earliest_time": "-1440m",
          "latest_time": "now",
          "search_mode": "normal",
          "output_mode": "json"}
job = service.jobs.create(query, **kwargs)

# A normal search returns the job's SID right away, so we need to poll for completion
while True:
    while not job.is_ready():
        pass
    stats = {"isDone": job["isDone"],
             "doneProgress": float(job["doneProgress"]) * 100,
             "scanCount": int(job["scanCount"]),
             "eventCount": int(job["eventCount"]),
             "resultCount": int(job["resultCount"])}
    status = ("\r%(doneProgress)03.1f%% %(scanCount)d scanned "
              "%(eventCount)d matched %(resultCount)d results") % stats
    sys.stdout.write(status)
    sys.stdout.flush()
    if stats["isDone"] == "1":
        sys.stdout.write("\n\nDone!\n\n")
        break
    sleep(2)

# Get the results and display them
for result in results.JSONResultsReader(job.results(output_mode='json')):
    print(result)
job.cancel()
sys.stdout.write('\n')

Can somebody please explain why the query would work and return matches in the GUI but not via the SDK?
How do I list machines that do not match my search? "If" my script runs, a message is sent to Splunk. The script runs once a week. I can easily see the details of my scripts if they run in Splunk. So how do I list the machines that this script doesn't even start on, e.g. no entry sent to Splunk? This search does not list those whose count is "zero"; how do I list the "zero" machines?

"MyAppResults" | stats count by host | stats sum(count) as count by host

If I understood correctly, I should be using "inputlookup hosts.csv", but I'm not sure how to use it properly. I still cannot get it to list "zero" machines.
Hello, I am trying to get data in using the Splunk REST API feature of Splunk Add-on Builder; however, I am not able to get the results using the POST method. Does anyone know the correct syntax to pass a JSON query in the REST request body? I tried using "data", "payload" and "raw" as the Name and put the JSON query in the Value, but it's not working. I keep getting "The response status=500 for request ....". PS: I have used Postman to validate my request body and it works fine and returns results. However, I am not able to do that using the Splunk REST API. Not sure if I am missing something.
Team, I need help with a scatter plot visualization. Here's the search I'm using:

| inputlookup append=t 07012022KPI_Formatted.csv
| eval Deployed=strptime(Deployed, "%m/%d/%y")
| fieldformat Deployed = strftime(Deployed, "%m/%d/%y")
| table "Deployment Success" Deployed "Deploy Lead Time"

It populates the statistics I'm looking for. However, when I click Visualization, the Deployed axis is not showing the dates but numbers (0...). Screenshot for reference of my imported CSV. Any ideas how to fix it? Thank you, LK
Hello, I am using the Splunk Enterprise free trial. I want to add another admin. I am on the local host, so how would the other user (who happens to be in another state) access their account? Could they just download the free trial and log in with the credentials I gave them for the account? Or is it more complicated than that?
Hello Splunkers!! We are upgrading one of our environments from Splunk 8.2.1 to Splunk 8.2.7. When I upgraded and checked the 'Monitoring Console', 'Summary' and 'Health Check' are not showing on the menu bar anymore. Did I miss anything? How do I fix these issues? I appreciate any help that can be provided.

PS. Same issue when we upgraded to 8.2.2.2.
After upgrade to 9.0 seeing following ERROR TcpOutputQ [<thread id> TcpOutEloop] - Unexpected event id=<eventid>
Hello, When I try to test TAs locally on my single instance, the Inputs page fails to load with a 404 and the message: "This is normal on Splunk search heads as they do not require an Input page. Check your installation or return to the configuration page." I get that search heads should not run TAs in a distributed architecture, but this is a single instance. Does anyone know how to get around this? Hoping to find a solution that can be applied globally. Thank you.
So I'm trying to extract a field called "secureToken=tokenvalue" from our Akamai logs. However, when I try to extract the field, it gives me the following error message: "The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings." I have attempted to manually edit the regex, but I do not have a lot of experience with regex, so any help would be greatly appreciated. Thanks
Hi Team, The screenshot below is from the prod environment, where the Splunk app is displayed whenever it is selected; in the dev environment, the app is not displayed when selected. I have also verified the permissions (they are visible). Please help me find the exact issue.
Hello, I want to compare event counts for indexes to evaluate whether there are unexpected changes in logging. In order to react in time, I want those counts summed up from the start of the day until now() for each day of the last seven days, so I can directly see which amount I would expect for each day until e.g. 2pm. The tricky part for me is how to sum those event counts for the days before today (up until the current time, but for e.g. yesterday). I managed to get some results showing the counts for each day until now() for each day, but I have no clue how to sum them per day.

Search:

| tstats prestats=t count WHERE index=<example> by _time span=1h
| eval now=tonumber(strftime(now(),"%H"))
| eval hour=strftime(_time, "%H")
| where hour<=now
| timechart span=1h count
| table _time count

Result: The result makes me pretty happy already, but the step to get a sum out of those counts per day somehow eludes me. Many thanks for a hint in the right direction.
Hello, We have a lookup/KV store containing over 3.M records*. We need to count the number of times each value is found over all of the records.

Ex: Count the occurrences of the same LAST_NAME
Field name: LAST_NAME
Values: JONES, SMITH, DAVIS, GARCIA
Counter values: 12, 34, 16, 23

This is just one of several different counters: BIRTH_YEAR, CITY, STATE, etc. Because of the limits within Splunk, this code results in blanks and inaccurate counts:

| eventstats count(ID) as count_same_city by CITY

Any suggestions?

* The number of records increases by 10K every week.

Thanks in advance, and God bless, Genesius
Hi, I am referring to the table below as an example. I want to add CSS for both values in the Office column of the table.

Name | Position | Office | Age
Airi Satou | Accountant | Tokyo | 33
Angelica Ramos | Chief Executive Officer | London | 47
Ashton Cox | Junior Technical Author | San Francisco | 66
Bradley Greer | Software Engineer | London | 41
Brenden Wagner | Software Engineer | San Francisco | 28
Brielle Williamson | Integration Specialist | New York | 61
Bruno Nash | Software Engineer | London | 38
Caesar Vance | Pre-Sales Support | New York | 21
Cara Stevens | Sales Assistant | New York | 46
Cedric Kelly | Senior Javascript Developer | Edinburgh | 22

I want to highlight both values, Tokyo and San Francisco. I have added a script and it works, but the problem is that it works for one value only. It will highlight San Francisco only. I have added the script as follows:

require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function (_, $, mvc, TableView) {
    function cssLoad(tableName, field_name, field_val) {
        var CustomLinkRender = TableView.BaseCellRenderer.extend({
            canRender: function (cell) {
                return _([field_name]).contains(cell.field);
            },
            render: function ($td, cell) {
                var cell_value = cell.value;
                if (cell.field == field_name) {
                    if (cell_value == field_val.trim()) {
                        $td.css('color', '#1717E6');
                        $td.css('font-weight', 'bold');
                        $td.css('text-decoration', 'underline');
                        $td.css('text-decoration-color', 'blue');
                    }
                }
                $td.text(cell_value).addClass('string');
            }
        });
        var selectedTable = mvc.Components.get(tableName);
        if (typeof (selectedTable) != "undefined") {
            selectedTable.getVisualization(function (tableView) {
                tableView.addCellRenderer(new CustomLinkRender());
                tableView.render();
            });
        }
    }
    // Single table, hardcoded calls
    cssLoad('table1', 'Position', 'Software Engineer');
    cssLoad('table1', 'Age', '66');
    cssLoad('table1', 'Office', 'Tokyo');
    cssLoad('table1', 'Office', 'New York');
});

Please help me highlight multiple values.
Good day, We have an issue where, when we try to set up email notifications with our email server in Splunk, no emails are sent to the respective email addresses. We tried adding the information "ipaddress:port" to the mail host section, but no luck. We do not require a username and password. We also tried following the instructions from the documentation here: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail There was no luck there either. Is there an alternative way to set up email notifications through SSH or something else? This has to satisfy a STIG requirement. Please let me know if I need to provide additional information to the forum. Thank you
My installer is in the opt path, along with other Splunk installers:

[root@siem-security opt]# ls
splunk
splunk-8.0.0-1357bef0a7f6-linux-2.6-x86_64.rpm
splunk-enterprise-security_530.spl
splunk-7.2.6-c0bf0f679ce9-linux-2.6-x86_64.rpm
splunk-8.2.7-2e1fca123028-linux-2.6-x86_64.rpm
splunkforwarder-7.2.6-c0bf0f679ce9-linux-2.6-x86_64.rpm

I already have Splunk installed with version 8.0.0, and when I run

rpm -ivh splunk-8.2.7-2e1fca123028-linux-2.6-x86_64.rpm

I get the following error for many package files; this is only part of the error:

splunk-8.2.7-2e1fca123028.x86_64 installation file /opt/splunk/share/splunk/search_mrsparkle/templates/layout/admin_lite.html conflicts with package file splunk-8.0.0-1357bef0a7f6.x86_64
splunk-8.2.7-2e1fca123028.x86_64 installation file /opt/splunk/share/splunk/search_mrsparkle/templates/layout/view.html conflicts with package file splunk-8.0.0-1357bef0a7f6.x86_64
splunk-8.2.7-2e1fca123028.x86_64 installation file /opt/splunk/share/splunk/search_mrsparkle/templates/layout/wizard.html conflicts with package file splunk-8.0.0-1357bef0a7f6.x86_64
splunk-8.2.7-2e1fca123028.x86_64 installation file /opt/splunk/share/splunk/search_mrsparkle/templates/lib.html conflicts with package file splunk-8.0.0-1357bef0a7f6.x86_64
splunk-8.2.7-2e1fca123028.x86_64 installation file /opt/splunk/share/splunk/search_mrsparkle/templates/licensing/overview.html conflicts with package file splunk-8.0.0-1357bef0a7f6.x86_64
splunk-8.2.7-2e1fca123028.x86_64 installation file /opt/splunk/share/splunk/search_mrsparkle/templates/licensing/usage.html conflicts with package file splunk-8.0.0-1357bef0a7f6.x86_64
splunk-8.2.7-2e1fca123028.x86_64 installation file /opt/splunk/share/splunk/search_mrsparkle/templates/pages/static.html conflicts with package file splunk-8.0.0-1357bef0a7f6.x86_64
index=idx_rdap source="*f5*" "*member*" "RO1B4-0JLSM4000S" "/Common/pool_d2i_*gkrgkl"
| rex field=member "\/Common\/(?<server>[^:]*)"
| stats latest(status) as Last_status, values(pool) as pool_name, values(_time) as _time by pool, server
| stats values(Last_status) as Last_status, values(server) as server by pool
| eval severity=case(server="XC001X02" AND server="XC001X03" AND Last_status="down", "1",
                     server="XC001X03" AND Last_status="down", "3",
                     server="XC001X02" AND Last_status="down", "3",
                     true(), "0")
| table pool, Last_status, severity, server
| eval hour_of_the_starttime=strftime(_time, "%H")
| eval support_group=if(hour_of_the_starttime>=19 OR hour_of_the_starttime<7, "WW-XX-TFORMEGI-L3", "WW-XX-MSEGI-L2")
| eval ressource="GKR-GkL-I:" + pool
| eval service_offring="GKR-GkL-I"
| eval description="VIP GMS got a service status down \n \nDetail : One or more legs Impacted service on :" + pool + "\n On server(s): " + tostring(server) + " \n\n\n\n; " + support_group + " ;KB=KB00000"
| table ressource description pool service_offring severity server support_group
Hi Community, For some reason, the extension does not work anymore since I upgraded to TLSv1.3. Does anyone know if they're compatible, or whether some config adjustments are necessary to collect metrics? Thanks
Hi everyone, I have the following issue: within a search and a data field I find values like this:

db2_stat = "1,3:8"
db2_stat = "2,5:7"

My issue now is that this should be translated into a comma-separated list of all values, starting with the value on the left side of the colon and ending with the value on the right side. In other words, the resulting data field should look like this:

db2_stat_xlated = "1,3,4,5,6,7,8"
db2_stat_xlated = "2,5,6,7"

I thought I'd write a macro that calls itself recursively until the start value reaches the end value. But whatever I've tried, I ended up with the message "Error in 'SearchParser': Reached maximum recursion depth (100) while expanding macros. Check for infinitely recursive macro definitions.".

Last version of the macro code:

| eval st_v = $start_v$, ed_v = $end_v$, value_list = $val$
| eval nx_v = st_v + 1
| eval value_list = case(st_v < ed_v, value_list . st_v . "," . `GEN_VALUE_LIST(nx_v, ed_v, value_list)`,
                         st_v == ed_v, value_list . st_v,
                         1==1, value_list)

The macro definition is GEN_VALUE_LIST(3) with these arguments: start_v, end_v, val

Query to test:

| makeresults `GEN_VALUE_LIST(3,6,"1,")` | table *

Although I'm keen to understand Splunk's issue with it (the code transferred to Perl works), I'd mostly appreciate a working solution beyond defining all possible list values in a lookup file.

Many thanks in advance, Ekke
I am using Splunk Cloud and need to know about the Splunk status page. When opening the link https://status.scp.splunk.com/ there are multiple services listed. Can anyone let me know the description of those services and the impact if they are not working?
Hello, I encounter a bug when exporting a panel in my dashboard. On my end, it just opens a new tab with nothing in it, but on my customer's side, it shows. How can I go about this bug?