All Topics
This should be pretty easy, but I'm not sure why events are still coming in. We have hosts set up to send to multiple Splunk stacks and one is security only, so we want to drop incoming perfmon data. I've created the following:

Transforms:

    [setnull]
    REGEX = (.)
    DEST_KEY = queue
    FORMAT = nullQueue

Props:

    [Perfmon:ProcessorInformation]
    TRANSFORMS-proc=setnull

    [PerfmonMetrics:CPU]
    TRANSFORMS-cpu=setnull

    [PerfmonMetrics:LogicalDisk]
    TRANSFORMS-ldisk=setnull

    [PerfmonMetrics:Memory]
    TRANSFORMS-mem=setnull

    [PerfmonMetrics:Network]
    TRANSFORMS-net=setnull

    [PerfmonMetrics:PhysicalDisk]
    TRANSFORMS-pdisk=setnull

    [PerfmonMetrics:Process]
    TRANSFORMS-process=setnull

    [PerfmonMetrics:System]
    TRANSFORMS-sys=setnull

However, these source types are still coming through! It's been pushed out to a cluster from the CM and I can see it applied on the indexers. Any obvious mistakes?

Thanks!
Hello, I have a source file with a very large event size, so I need to use TRUNCATE=1000000 in my props. Do you think it would be any issue for the Splunk indexer/UF to handle this large TRUNCATE value or event size? Are there any other alternatives if there are any issues? Any recommendation would be highly appreciated. Thank you!
Greetings!

I'm getting warning alerts showing me that the Splunk forwarder is not active, as shown in the pic below. The Splunk forwarder is running (/opt/splunkforwarder/bin/splunk status), but in Monitoring Console under Forwarder: Management it is not active; it's showing a missing status, as shown in the screenshot above. Even when I try to stop and restart the splunkforwarder service (/opt/splunkforwarder/bin/splunk stop), it can't be stopped, as shown in the screenshot below. Kindly help me on how I can fix the error. Kindly help and guide me on how to fix this. Thank you in advance.
Hi, I am trying to create a table, but how do I extract this information in my query? I tried double quotes " " but it's just looking for the exact word. I want to list out like Subject: Account Name, then Logon Information: Logon Type: 3.

    Subject:
        Security ID: S-1
        Account Name: -
        Account Domain: -
        Logon ID: 0x0
    Logon Information:
        Logon Type: 3
        Restricted Admin Mode: -
        Virtual Account: No
        Elevated Token: No

I hope it makes sense. Thank you
Hi, I am creating a React app and need to create a symbolic link with Splunk using yarn run link:app. Currently, I am getting the following permissions issue:

Can you please help?
I have a dashboard like the following:

            May'22    Apr'22    Mar'22
    KPI 1   random%   random%   random%
    KPI 2   random%   random%   random%
    KPI 3   random%   random%   random%
    KPI 4   random%   random%   random%

The percentages for the KPIs are coming through fine, but the user wants to be able to download the actual data, or at least show the Numerator and Denominator in the same dashboard on mouse hover or something. Any idea how this can be achieved?
Hi Team, for hands-on practice I registered for the Splunk Cloud trial, which provides me access to the Splunk Cloud platform for 14 days. As I did not receive an email (not in Spam either), I started looking at Settings > Instances. To my surprise, within the Instances page I saw my previous work email address against the instance allocated. I changed this email address long ago (I should say at least 3 years back). I cross-verified my profile and see that it has my latest personal email address. Now the question: why is my free instance linked to my previous email address? Any idea on how to change it? Thank you in advance.
Dashboard Classic is in use. I implemented a table chart and I'd like to modify the column size of the table. Is there a way?

    A <-> B    Narrow the gap between A and B
    A  B  C  D
I am trying to create a search which will give the difference in count for a field called "id" and show what the different values for that field "id" are. For instance, if the current hour count for id is 900 and the previous hour count is 830, I want to see the difference as 70 and show what those 70 different ids are. Currently I am able to get the difference using the search below:

    index="netbox_test" | rename "results{}.id" as "id" | timechart span=1h count(id) as total | delta total as difference

Thanks in advance
I want to create an alert based on syslog login and logout data. I want the alert to be triggered when a session is opened but doesn't have a session closed for a particular session id, and if that session has been open for more than 8 hours compared to the time the Splunk alert is scheduled.

For example, if a session is opened by a user at 8AM and he doesn't log off by 4PM, which is more than 8 hrs, then it needs to be alerted by giving the user session id.

Following are the sample data for login and logoff sessions:

    2022-05-21T20:00:02.048677-07:00 login-se01 CRON[4031976]: pam_unix(cron:session): session closed for user abc
    2022-05-21T20:00:02.041845-07:00 login-se01 CRON[4031976]: pam_unix(cron:session): session opened for user abc by (uid=0)
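The detection logic behind this alert, written as an added Python example rather than code from the post: it pairs pam_unix "opened" and "closed" lines and reports sessions still open for more than 8 hours at the alert's run time. The session key (host + process[pid] + service + user), the extra sshd lines and the CHECK_TIME are assumptions; pam_unix itself logs no explicit session id.

```python
import re
from datetime import datetime, timedelta

# Matches the pam_unix lines quoted in the post:
#   <ISO8601 ts> <host> <proc>[<pid>]: pam_unix(<service>): session opened|closed for user <user> ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]:\s+"
    r"pam_unix\((?P<service>[^)]+)\):\s+session (?P<action>opened|closed) for user (?P<user>\S+)"
)

# Constructed sample: the two CRON lines from the post plus hypothetical sshd sessions.
# As in the post, the CRON "closed" line is listed before its "opened" line.
SAMPLE_LOG = """\
2022-05-21T20:00:02.048677-07:00 login-se01 CRON[4031976]: pam_unix(cron:session): session closed for user abc
2022-05-21T20:00:02.041845-07:00 login-se01 CRON[4031976]: pam_unix(cron:session): session opened for user abc by (uid=0)
2022-05-21T08:00:13.000000-07:00 login-se01 sshd[5120]: pam_unix(sshd:session): session opened for user alice by (uid=0)
2022-05-21T15:02:44.000000-07:00 login-se01 sshd[5311]: pam_unix(sshd:session): session opened for user bob by (uid=0)
2022-05-21T15:40:01.000000-07:00 login-se01 sshd[5311]: pam_unix(sshd:session): session closed for user bob
2022-05-21T22:10:00.000000-07:00 login-se01 sshd[5702]: pam_unix(sshd:session): session opened for user carol by (uid=0)
"""
# Constructed time at which the scheduled alert runs.
CHECK_TIME = datetime.fromisoformat("2022-05-22T04:30:00-07:00")

def parse_line(line):
    """Return a dict for a pam_unix session line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])  # offset-aware, keeps the -07:00
    return ev

def find_stale_sessions(log_text, now, max_age=timedelta(hours=8)):
    """Sessions opened but never closed that are older than max_age at `now`.
    host + process[pid] + service + user is assumed to identify a session.
    Events are sorted by timestamp first so an out-of-order "closed" line
    (as in the post's sample) still cancels its "opened" line."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    events.sort(key=lambda ev: ev["ts"])
    open_sessions = {}
    for ev in events:
        key = (ev["host"], ev["proc"], ev["pid"], ev["service"], ev["user"])
        if ev["action"] == "opened":
            open_sessions[key] = ev["ts"]
        else:
            open_sessions.pop(key, None)  # a close without a matching open is ignored
    stale = []
    for (host, proc, pid, service, user), opened_at in open_sessions.items():
        age = now - opened_at
        if age > max_age:
            stale.append({"host": host, "user": user, "session_id": f"{proc}[{pid}]",
                          "service": service, "opened_at": opened_at.isoformat(),
                          "hours_open": round(age.total_seconds() / 3600, 2)})
    return sorted(stale, key=lambda s: s["opened_at"])

def stale_in_sample():
    """Run the check over the constructed sample at CHECK_TIME."""
    return find_stale_sessions(SAMPLE_LOG, CHECK_TIME)
```

On the sample, only alice's sshd[5120] session is reported: abc and bob were closed, and carol's session is under 8 hours old at CHECK_TIME.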
Hi, I am creating a React app for Splunk on a PuTTY terminal. I am following this tutorial: https://splunkui.splunk.com/Create/AppTutorial However, I am unable to build the output directory that needs to be symlinked into Splunk's application directory with the command:

    yarn run link:app

I have set the $SPLUNK_HOME environment variable to /opt/splunk, but every time I run the yarn run link:app command I keep getting the following error:

    node: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory

How can this be solved please? Thanks,
Hello, Splunkers! I need help in finding an alternative to the append command. I have data with 8 fields [say A,B,C,D,E,F,G,H] in one index. Of the 8 fields, 6 have the same field values, say [A=High, A=low, A=medium], [B=High, B=Low, B=medium], etc.; the remaining 2 fields have the values [true and false]. I need to count the field values with respect to the field. I achieved this using append, but it is taking too much time due to large data sets. Looking for an alternative solution. Below is the sample query:

    index=Test | eval 1="A" | chart count over 1 by "A"
    | append [search index=Test | eval 1="B" | chart count over 1 by "B"]
    | append [search index=Test | eval 1="C" | chart count over 1 by "C"]
    .......

The output should be like this:

    Field  High  Low  Medium  TRUE  FALSE
    A      10    3    2
    B      8     4    3
    C      8     7    0
    D      8     0    7
    E      8     3    4
    F      9     2    3
    G                         5     10
    H                         7     8
I have a search being used in a dashboard (note the use of XML encoding for < and > symbols) that leverages the HTTP user agent field to identify browser and device type, then displays results (from highest to lowest volume) in a table. Here's the search:

    index=foo sourcetype=bar source=*widget.log* http.agent
    | rex field=http_user_agent "(?&lt;useragent&gt;\S+)\s+\((?&lt;deviceType&gt;[A-Za-z0-9 .]+); (?&lt;OSinfo&gt;[A-Za-z0-9 _.;:\/-]+)\).*\) (?&lt;extensions&gt;.+)"
    | eval browserType = if(match(extensions, "^.*CriOS\/[0-9.]+"),"Chrome for iOS",
        if(match(extensions, "Google-Read-Aloud"),"Chrome with Google TTS (Text To Speech)",
        if(match(extensions, "^.*GSA\/[0-9.]+"),"Google Search App for iOS",
        if(match(extensions, "^.*EdgiOS\/[0-9.]+"),"Edge for iOS",
        if(match(extensions, "^.*FxiOS\/[0-9.]+"),"Firefox for iOS",
        if(match(extensions,"^Version\/[0-9.]+\sSafari\/[0-9.]+$$"),"Safari",
        if(match(extensions,"^Version\/[0-9.]+\sMobile\/\S+\sSafari\/[0-9.]+$$"),"Safari for iOS",
        if(match(extensions,"^Version\/[0-9.]+\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Safari",
        if(match(extensions,"^Version\/[0-9.]+\sMobile\/\S+\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Safari for iOS",
        if(match(extensions, "^.*Edg\/[0-9.]+$$"),"Edge",
        if(match(extensions, "^.*EdgA\/[0-9.]+$$"),"Edge for Android",
        if(match(http_user_agent, "^.*rv:11.0.*"),"Internet Explorer 11",
        if(match(http_user_agent, "^.*Gecko.*Firefox.*"),"Firefox",
        if(match(http_user_agent, "^.*OPR"),"Opera",
        if(match(extensions, "^.*Chrome\/[0-9.]+\sSafari\/[0-9.]+$$"),"Chrome",
        if(match(extensions, "^.*Chrome\/[0-9.]+\sMobile\sSafari\/[0-9.]+$$"),"Chrome for Android",
        if(match(extensions, "^.*Chrome\/[0-9.]+\sMobile\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Chrome for Android","OTHER")))))))))))))))))
    | eval deviceType = if(match(http_user_agent,"Windows NT 10.0"),"Windows 10",
        if(match(http_user_agent,"Windows NT 6.0"),"Windows Vista",
        if(match(http_user_agent,"Windows NT 6.1"),"Windows 7",
        if(match(http_user_agent,"Windows NT 6.2"),"Windows 8",
        if(match(http_user_agent,"Windows NT 6.3"),"Windows 8.1",
        if(match(http_user_agent,"\(Windows Mobile 10;"),"Windows Mobile 10",
        if(match(http_user_agent,"iPhone"),"iPhone",
        if(match(http_user_agent,"X11"),"Linux",
        if(match(http_user_agent,"\(Linux x86_64;"),"Linux",
        if(match(http_user_agent,"iPad"),"iPad",
        if(match(http_user_agent,"Macintosh"),"MacOS",
        if(match(http_user_agent,"Linux; Android.*;"),"Android",
        if(match(http_user_agent,"Linux; Android.*\)"),"Android",
        if(match(http_user_agent,"Android.*; Mobile;"),"Android","OTHER"))))))))))))))
    | eval browserDevice = browserType . ":" . deviceType
    | stats count as Events by browserDevice
    | sort - Events

(Side note: I tried using a Splunkbase TA such as "TA-user-agents" to facilitate the user agent parsing, but I found that it was adding a LOT of time to my search execution, so I just isolated specific user agent fields of interest in my search.)

I've recently had an ask to filter the table results to show only the Apple-related results returned in the "browserDevice" field (i.e., "Safari:MacOS", "Safari for iOS:iPhone", etc.). The key here is to show each result's percentage share among all possible "browserDevice" results returned (Apple or non-Apple related). I had originally scoped my base search to only include Apple-related objects; while only Apple results were returned, the percentages were based on all Apple results as opposed to all Apple/non-Apple results. The table results should show the count and the percentage share; how would I accomplish this ask?
Hi Splunk gurus, I have a deployment like below: 3 nodes as a Search Head cluster, 3 nodes as search peers and 1 manager node for this indexer cluster. The SHC is connected to the indexer cluster as described in https://docs.splunk.com/Documentation/Splunk/8.2.6/DistSearch/SHCandindexercluster#Integrate_with_a_single-site_indexer_cluster When I quarantined one of the indexers (search peers), it did say that one of the indexers is excluded, but this only showed up in the web page of the manager node (which is working as a search head as well) and not in the page of any other search head. Is this normal? Thanks.
Hi everyone, I have the following search:

    index=xyz | eval new_field = field | eval length=len(new_field) | eval new_field = substr(new_field, 1, len(new_field) -15) | table new_field,field,length

With that I'm removing the last 15 digits of "new_field". So this query works, but the problem is that my "new_field" has 4 different lengths and for each one I need to do something different. So I'd like to create a condition to extract the last 15 numbers only if the length is 27 (one of the lengths).

Sample: 011332255667799114466990033 turns out > 011332255667

I was trying to do something like below:

    | eval new_field = if((len(new_field)==27, "0", new_field)substr(new_field, 1, len(new_field) -15))

For sure this is not working, but it's just to show my idea and what I need to accomplish. When the "new_field" has <> 27 digits it goes wrong. Any idea? Thanks
Hi guys, this is one example of my data:

    Optional("{\"operationName\":\"createCart\",\"variables\":{\"customerId\":\"34234323\",\"operationalModel\":\"PICK_AND_COLLECT\",\"storeId\":\"596\"}}")
    Optional("{\"operationName\":\"getOrdersByCustomer\",\"variables\":{\"pagination\":{\"currentPage\":1,\"pageSize\":100}}}")

Basically I want to retrieve all values such as: operationName\":\"createCart\"

As context, the field extraData.REQUEST_BODY should be JSON, but due to an error in the code (can't release to prod now) this became malformed JSON, hence a simple string, so I'm trying to get all operationName values. This is my Splunk query:

    index="mint" apiKey=*** | search event_name=*** extraData.ENDPOINT=*** | rex field='extraData.REQUEST_BODY' "(?<opName>operationName\\\"\:\\\"\w+\\\")" | table opName

I have verified the regex, I have removed the single quotes from 'extraData.REQUEST_BODY', I have tried changing to double quotes, etc. Could you please help me? Thank you
I have a query to fetch the account create endpoint and the errors after it:

    (index=foo "account/create") OR (index=bar ERROR)

But the right part of the OR would return all errors in the time frame. Is it possible to fetch events from the bar index in the 5 seconds after an event in the foo index? I found the Localize function, but it looks like it works only within the same index.
Hi, I was hoping someone can help me. I have seen some examples, but all of them involve case. I need to create a statistical table that would give me the letter grade, count, percentage and grand total as the last column (the last one is just for me to see the actual total):

    Letter grade   Count   Perc %     Grand Total
    A              33      33.33      100
    B              33      33.33      100
    C...           33...   33.33...   100
    ...
    no score       1       1          100

I wrote it in SQL, where I join 2 tables, one with the SCORES and one with the STUDENTS. If a student does not have a score or it's a zero, they should just go to the no score bucket.

    SELECT t.SCORE as [grade],
           count(*) [counter],
           count(*)*100.00 / SUM(COUNT(*)) OVER() as [perc students %],
           SUM(COUNT(*)) OVER() as [total students]
    FROM (
        select case when SCORE = 0 then 'no score or zero'
                    when SCORE between 1 and 59 THEN 'F'
                    when SCORE between 60 AND 69 THEN 'D'
                    when SCORE between 70 AND 79 THEN 'C'
                    when SCORE between 80 AND 89 THEN 'B'
                    else 'A' end as SCORE
        FROM [main_db].[dbo].[scores]
        RIGHT JOIN [main_db].[dbo].[students] ON [scores].STUDENTNUMBER = [students].STUDENTNUMBER
    ) t
    Group by t.SCORE

The SPL I have so far is below; I need to join them but I am having a hard time. This contains the list of active student numbers:

    index=main host=main source=students sourcetype=db_students STUDENTNUMBER

And this contains all (inactive and active) student numbers and their scores:

    index=main host=main source=scores sourcetype=db_scores
    | dedup STUDENTID
    | eval scoreRange=case(SCORE >= 90, "A", SCORE >= 80 AND SCORE <= 89, "B", SCORE >= 70 AND SCORE <= 79, "C", SCORE >= 60 AND SCORE <= 69, "D", SCORE >= 0 AND SCORE <= 59, "F")
    | stats count(STUDENTID) by scoreRange

I don't know how to join the above to get the counts from active students (STUDENT table) only, and I don't know how to say that if there's no score in the SCORES table, it should give me "No Score".

I'd really appreciate any hints you can give me. I believe it may need tweaks because it needs to be more efficient, and perhaps I don't need to use CASE.

Much appreciated!

Diana
I have an index with ~200 fields and need to know the single most common non-null value for each field. How do I uncover that with Splunk? In this example, I'd start here:

    Fruits       Sizes   Integers
    apple                1
    banana       large   10
    strawberry           3
    apple                3
    blueberry    large   2

And would aim to end up here:

    Fruits   Sizes   Integers
    apple    large   3

I don't have a test query to share since I'm not sure how to begin approaching this, and haven't seen anything on the forum here that is a close match. Would greatly appreciate any insights into how to get this done!
When doing an extracted field, can the regex named capture group be based on a back reference? The idea is I would have an unnamed capture group followed by a named capture group using \1 as the name, so the name is what was first captured in the unnamed group. I know the following does not work, but I'm hoping some small change might make it work:

    (?<\1>.*?)