Hello everyone, I am new to Splunk. I've got trouble when I was trying to get host values from the path. The directory I set is `D:\14. splunk\SMT\`. No matter what kind of extract function I was using, regex or segment, it doesn't work. For example, the host name of the following file should be "PCXXXXX", but it still shows the default host name. However, I already set the host name with regex on path, but it doesn't work... I also tried Segment in path, and it's still the same... Please help...
Hi, can anyone help me with how I can change the field of my query to exclude those with PRODUCED labels? Query:

```
index="hcg_ph_t2_bigdataservices_prod" sourcetype="be:streaming-services" earliest=-3h@h latest=@h
| search stream_type IN (Datascore_Compress, Datascore_Decompress, Eservices_Eload, Eservices_Ebills)
| eval service_details=stream_type." - ".kafka_datatype
| bucket span=90m _time
| stats sum(kafka_count) as count by _time service_details
| stats latest(count) as current_count earliest(count) as past_count by service_details
```

PRODUCED items are under kafka_datatype. I have tried to add this to my query but it still does not exclude those with PRODUCED:

```
| sort .kafka_datatype asc
| fields - "PRODUCED"
```

Please help. Thank you, Jake
Hi all, I've stumbled on a very frustrating problem. I've created a HEC token to use in Zendesk so that Zendesk can send webhooks to Splunk. When I try to test the connection I receive the following error: `{"text":"Invalid authorization","code":3}`. I looked on the forum and found this: https://community.splunk.com/t5/Getting-Data-In/HTTP-Event-Collector-Why-am-I-getting-error-quot-Invalid/m-p/231409. I have tried to put the word `Splunk` in front of the token and can see in Chrome developer tools that it is being sent; however, I am not able to successfully connect. From another machine on the network, with curl and using the word `Splunk`, I am able to successfully post a message. Please note I do not believe this to be a firewall/port issue, as that problem was resolved for me to get to this stage. Any help would be appreciated. Thanks in advance.
I want to convert the result from https://community.splunk.com/t5/Splunk-Search/Find-users-who-have-done-an-event-A-but-not-done-an-event-B/m-p/110560 into a monthly timechart. I have tried the following query, but it does not work:

```
index="x" (event="A" OR event="B")
| stats count(eval(event="A")) as ACount count(eval(event="B")) as Bcount by userId
| where ACount >= 1 AND BCount < 1
| timechart span=1mon count as result
```

Can anyone help me with this query?
Hello. Community help please. I can't figure out the problem with the data transfer to Splunk. I have an index and data sources from servers. The problem is that some of the data is lost during transfers. There are files on the server that are updated with a new name after a certain time. For example, there are files N2-1.out01324 and N2-1.out01325; they are searchable and Splunk can see them. But then the files are updated with new names, for example N2-1.out01326 and N2-1.out01327, and these files are not available; Splunk can't see them. Then the list is updated and files N2-1.out01328-1329 are visible again.
I'm wondering about possibilities to set up separate ESs for different teams. Due to some mergers and acquisitions, one of our customers is beginning to be in a position where a single ES covering the whole enterprise is not a good model. I already found that ES on its own does not support multitenancy and I would need a separate instance for each team/suborganization/whatever. But I don't think it's that easy. Of course we can set up a separate SH cluster for separate teams and install separate ES instances, but if they operated on the same indexer cluster they would share the notable index and all datamodels. If we wanted, we could define separate datamodels for them to use, but then we would have to edit all the security content that by default uses CIM, right? Any other possibilities? Split the notable index? (Multiple indexers holding their "own" version of this index.) Seems possible but very, very ugly and hard to maintain.
Hi. I'm having a nightmare getting this adaptive response TA working. Has anybody got it working? I'm getting the following error:

```
ta_forescout_response_init.py:45 - CRITICAL - Unexpected error while getting alert actions from CounterACT: HTTPSConnectionPool(host='forescout.mattlab.local', port=443): Max retries exceeded with url: /splunk/actions_info?auth=CounterACT%20A6885132-A0EE-4AED-A2A3-8C01AF148957 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))
```

The guide I've followed is here, specifically page 15: https://www.forescout.com/resources/app-and-add-on-for-splunk-how-to-guide-2-9-1/

> To enable HTTPS communication using Forescout eyeExtend for Splunk:
> 1. Operators must not use the default self-signed web-portal certificate; instead, they need to procure their own certificate. See Appendix System Certificate for Web Portal.
> 2. Once the certificates are installed on the CounterACT Appliance, the Forescout platform Public Key Certificate must be appended to the cacert.pem file at the following location: $SPLUNK_HOME/lib/python2.7/site-packages/requests/cacert.pem

I have created a server certificate for Forescout and copied the CA cert over to the requests directory below:

```
root@splunklinux:/opt/splunk/lib/python3.7/site-packages/requests# ls -al
total 228
drwxrwxrwx  3 10777 10777  4096 May 15 21:56 .
drwxrwxrwx 73 10777 10777  4096 May  2 12:56 ..
-rwxrwxrwx  1 10777 10777 21344 Feb  1 00:57 adapters.py
-rwxrwxrwx  1 10777 10777  6271 Feb  1 00:57 api.py
-rwxrwxrwx  1 10777 10777 10206 Feb  1 00:57 auth.py
-rw-r--r--  1 root  root   2110 May 15 19:26 cacert.pem
-rwxrwxrwx  1 10777 10777   453 Feb  1 00:57 certs.py
-rwxrwxrwx  1 10777 10777  1678 Feb  1 00:57 compat.py
-rwxrwxrwx  1 10777 10777 18430 Feb  1 00:57 cookies.py
-rwxrwxrwx  1 10777 10777  3185 Feb  1 00:57 exceptions.py
-rwxrwxrwx  1 10777 10777  3515 Feb  1 00:57 help.py
-rwxrwxrwx  1 10777 10777   757 Feb  1 00:57 hooks.py
-rwxrwxrwx  1 10777 10777  3921 Feb  1 00:57 __init__.py
-rwxrwxrwx  1 10777 10777  1096 Feb  1 00:57 _internal_utils.py
-rwxrwxrwx  1 10777 10777 34210 Feb  1 00:57 models.py
-rwxrwxrwx  1 10777 10777   542 Feb  1 00:57 packages.py
drwxrwxrwx  2 root  root   4096 May 15 21:59 __pycache__
-rwxrwxrwx  1 10777 10777 29332 May 15 21:56 sessions.py
-rwxrwxrwx  1 10777 10777  4129 Feb  1 00:57 status_codes.py
-rwxrwxrwx  1 10777 10777  2981 Feb  1 00:57 structures.py
-rwxrwxrwx  1 10777 10777 30049 Feb  1 00:57 utils.py
-rwxrwxrwx  1 10777 10777   436 Feb  1 00:57 __version__.py
```

There was no cacert.pem file in this location. What does it mean to append the public key to the cacert.pem file? I just copied the CA cert from my Forescout signed CA over to this location and called it cacert.pem, as it didn't exist?
Given below is a snippet of a Splunk event. My requirement is to find all the occurrences of `"isOutstanding": true`. The point to note here is that one event may or may not have multiple occurrences. I need to find the total count from multiple events over a period of time.

```
{
  \"school\": {
    \"schoolId\": \"1\",
    \"schoolName\": \"SchoolX\",
    \"schoolType\": \"private\",
    \"students\": [
      { \"id\": \"1\", \"isOutstanding\": true, },
      { \"id\": \"2\", \"isOutstanding\": false, },
      { \"id\": \"3\", \"isOutstanding\": false, }
    ]
  }
}
```

The Splunk query below

```
index=myIndex "isOutstanding":true
```

gives the count of events having `"isOutstanding": true`. But it doesn't consider the count of multiple occurrences in one event. How can I get the count of all the occurrences in an event? TIA
I need to update many params in many saved searches via the POST API from Node.js. I can create alerts, but cannot update all the params (including the SPL search) via POST to this endpoint: `https://${HOST}:8089/servicesNS/${USERNAME}/${APP}/saved/searches/${ALERTNAME}`. The error message is: "cannot create .. savedsearch by the name already exists". Is there an endpoint to update (POST/PUT) all the params (in the GUI)? I was able to update only some params using the Splunk JavaScript/Python3 SDK, but it doesn't support many of the advanced params and is very slow compared to the POST API, and some of the param names are different? Some examples (with all the params supported by the SDK (JS/Python3) and the API) would be helpful.
Hello, it seems like I'm unable to connect to Splunk Enterprise any longer. I keep getting:

```
This page isn’t working
127.0.0.1 didn’t send any data.
ERR_EMPTY_RESPONSE
```

I've tried checking my firewall but still no change. Please help.
Hi all, I can see the logs coming in from a particular source=das*.log through the backend Linux host, but when I search with the same source I cannot see data in the UI. One more thing: if I use the index name and source as well, I am still not getting any data in the UI. Note: when I searched the internal index I could see logs from that host IP, but not from the source in the UI. Can anyone help with this issue?
Hi, I have a field named Details. This field contains a lot of information in varying formats, e.g. software installed on endpoints, updates installed, etc. I need to extract this information from this field. A sample is below. What is the best approach? I need both: configuring field extraction for this in configs, or in an actual Splunk search using rex or eval.

Fields to be extracted:

- Path
- Version/Installed Version: Both need to be extracted in a way that *Version* is used to cover variations.
- Method/Detection Method: Both need to be extracted in a way that *Method* is used to cover variations.

Variation 1:

```
<plugin_output>
Path : /opt/AdoptOpenJRE/jdk8u332-b09-jre/
Version : 1.8.0_332
Binary Location : /opt/AdoptOpenJRE/jdk8u332-b09-jre/bin/java
Details : This Java install appears to be Java Runtime Environment, since "jre" was found in the installation path and javac was not found (medium confidence). This Java install may be Oracle Java or OpenJDK Java due to "org.openjdk.java.util" in the binary (low confidence).
Detection Method : "find" utility
</plugin_output>
```

Variation 2:

```
<plugin_output>
Path : /HP/hpoa/CADE2/HP/nonOV/openadaptor/1_6_5/classes/oa_jdk14_classes.jar
Version : 1.1.0
JMSAppender.class association : Found
JdbcAppender.class association : Found
JndiLookup.class association : Not Found
Method : MANIFEST.MF dependency
</plugin_output>
```

Variation 3:

```
<plugin_output>
Path : /opt/IBM/WebSphere855/AppServer/java_1.7_64/
Installed version : 7.0
Fixed version : 7.0.11.5

Path : /opt/IBM/WebSphere855/AppServer.old/java_1.7_64/
Installed version : 7.0
Fixed version : 7.0.11.5

Path : /opt/IBM/WebSphere855/AppServer.gagan/java_1.7_64/
Installed version : 7.0
Fixed version : 7.0.11.5

Path : /opt/IBM/InstallationManager/eclipse/jre_7.0.100001.20170309_1301/
Installed version : 7.0
Fixed version : 7.0.11.5
</plugin_output>
```

Thanks in advance!!
I am trying to create a simple bar chart to check and report the status of a service, something similar to Intercom Status (https://www.intercomstatus.com). The bar will show green if the service is up (1), and will show red if the service goes down (2), in per-day status, like a 0 (red) and 1 (green). Any suggestions on whether this can be achieved with Splunk?
```
Index=XYZ source= abc*.logs host=kfg
```

So when I checked the internal index, data is coming from the host. I checked the forwarder server class mapping and it is fine, and I could see the data is deploying. But I still cannot see data. What other steps do I need to follow to get data in index XYZ?

Splunk can't start
Hello, we are using Splunk with CAC / Smart Card authentication and want to add to our configuration the ability to map LDAP groups to roles within Splunk.

What we'd like to have happen:

* User logs in with CAC / Smart Card authentication with PIN.
* Splunk looks up the user in an LDAP directory to get their group memberships.
* Splunk maps group membership into a role like "user" or "admin" within the application.

CAC / Smart Card authentication means we've centralized our authentication. What we're looking for is to build on that to centralize authorization by using LDAP group membership to determine the correct permissions for each user.

How Splunk is currently configured:

* A web server like Apache is configured to require TLS client certificate authentication.
* The web server finds the user's ID (or equivalent field within the TLS client certificate data).
* The web server assigns that user ID to an HTTP header, e.g. `X-MY-REMOTE-USER-ID`.
* The web server reverse proxies the connection to the Splunk web application server.
* The Splunk web application is configured, via `web.conf`, to use SSO with the `remoteUser` configuration setting to set the Splunk user based on the value of the HTTP header.

Is there a way to achieve the configuration we're looking for?

Here is our existing Splunk authentication configuration:

`$SPLUNK_HOME/etc/system/local/web.conf`

```
[settings]
SSOMode = strict
enableSplunkWebSSL = true
httpport = 8443
login_content = <div>REDACTED</div>
privKeyPath = /path/to/key.pem
remoteUser = X-MY-REMOTE-USER-ID
remoteUserMatchExact = 1
serverCert = /path/to/tls/cert.pem
tools.proxy.on = false
trustedIP = 127.0.0.1
updateCheckerBaseURL = 0
keepAliveIdleTimeout = 270
server.thread_pool = 100
tools.sessions.timeout = 15
```

`$SPLUNK_HOME/etc/system/local/authorization.conf`

```
# cat authentication.conf
[authentication]
authType = Splunk

[splunk_auth]
constantLoginTime = 0.000
enablePasswordHistory = 1
expireAlertDays = 15
expirePasswordDays = 60
expireUserAccounts = 1
forceWeakPasswordChange = 1
lockoutAttempts = 3
lockoutMins = 1440
lockoutThresholdMins = 15
lockoutUsers = 1
minPasswordDigit = 1
minPasswordLength = 15
minPasswordLowercase = 1
minPasswordSpecial = 1
minPasswordUppercase = 1
passwordHistoryCount = 5
verboseLoginFailMsg = 0
```
I am working on something to return our alerts from REST functions. What I want to do is allow users to historically look at the alert query and see what adjustments can be made to certain items.

```
| rest "/servicesNS/-/-/saved/searches"
| search title="SomeAlert"
| fields qualifiedSearch
```

From the search above, I want Splunk to run the qualifiedSearch field, which is the search string. Is this something that is possible?

How can I get the "last time" there was traffic on one of the services/for a particular client?
Hello all, Is there a way to sample resulting events from a transaction? Thanks!
Hi, I created a table using Splunk Dashboard Studio (Absolute). However, a column contains results like A, B, C, 0, 1. A, B and C display aligned left and 0 and 1 display aligned right. I want all of them to be aligned left. When selecting the code option to add the align command, I keep getting an error and it does not align left. How should I code this?

```
"options": { "columnFormat": {"align": "left"} }
```