All Topics
We have installed the following two apps in our Splunk environment to get data into our Splunk Enterprise environment:
1) GitHub App for Splunk [https://splunkbase.splunk.com/app/5596/]
2) GitHub Audit Log Monitoring Add-On for Splunk [https://splunkbase.splunk.com/app/5595/]
We have configured both webhook- and access-token-based ingestion to get logs into Splunk, but we are getting the following errors and are not able to see the data in the dashboard:

05-11-2022 20:59:00.164 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" RuntimeError: Could not fetch audit log data. Please check your configuration, access token scope / correctness and API rate limits. status_code: 404 - url: https://github.dowjones.net/api/graphql/enterprises/enterprise-name/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 - Response: {"message":"Not Found","documentation_url":"https://docs.github.com/enterprise/3.3/graphql"}
host = xxxxxxxxs.net log_level = ERROR source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd

5/11/22 8:59:00.164 PM
05-11-2022 20:59:00.164 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" response.status_code, response.url, response.text
host = **************

Any troubleshooting steps would be helpful.
Hi Splunkers, I have a dashboard built in Splunk Dashboard Studio (it cannot be done in Simple XML) and I'm struggling to find a way to hide the "Edit" button and the Splunk bar in it. In the previous solution it was easy: just paste the following into the source of the dashboard: hideSplunkBar="true" hideEdit="true". I tried to add it in JSON format in various portions of the code, but with no success. Any ideas? Is this even doable?
Hello, I need to set up an alert that triggers if I get an event in a specific time shift. The reason is that in my company there are employees who connect to an AWS Workspace, and when they log in outside their shift the Security department needs to be updated. This is the main search request: (index=aws_description sourcetype="aws:cloudwatchlogs") ( NOT eni ) actionType"successfulLogin" and I'm not quite sure how to place it into a time range and get a trigger when I get an event from 19:00 PM until 06:00 AM. So far the alert runs on a cron schedule with a time range of "last 5 mins" and the cron expression 0/5 * * * * in order to check every 5 minutes, but it gives me the whole time range and I only need the one mentioned below. Any idea? Thank you, Iván
How do I use the spath command for the logs I have attached in the screenshot?
Hi All, We are now fine-tuning our environment, and for that purpose we need your favor. We want to check a few parameters for every dashboard, report and alert, which are mentioned in the screenshot below. Could you provide the query which gives the required output as mentioned below?
Hi Guys, We have an on-prem server where the software runs and provides the API URL. I'm testing the API URL with the Splunk Add-on Builder in a custom app. When I open the API REST URL in my browser, I get the warning "your connection isn't private" (ERR_CERT_AUTHORITY_INVALID); I pass that and get prompted to log in. I log in and get the data just fine. BUT when I try to do it with the Add-on Builder I get the error:

File "/opt/splunk/lib/python3.7/ssl.py", line 1139, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)

I pass the user and password in the inputs but I always get the same error. Has anyone had this issue and knows how to solve it? Is there any path where I could add the server certificate? Thanks
Hi Team, Could you please help me with the below requirement? We have a Java application which is enabled for monitoring in AppDynamics. Currently, only Business Transactions related to web services are configured, but Java-specific business transactions are not configured. The customer requirement is that custom Business Transactions for Java are to be configured. Kindly guide me on how to configure custom BTs for Java. Thanks in advance. Thanks & Regards, Srinivas
Hi Team, Could you please help me with the below requirement? (I am new to AppDynamics.) I have to configure a health rule for a Business Transaction for when the volume (calls per minute) is less than the baseline. I have configured it based on the baseline, but the alert is not being triggered even when there is low volume or the call volume is below the baseline. Please find attached the screenshot of the health rule configured and the chart showing the volume of calls (the volume of calls is below the baseline, which should trigger an alert). Below is the expectation from the customer: "I would prefer you to advise on an appropriate deviation to be configured to avoid too many false alarms. E.g.: is a deviation of 30% appropriate? (= 30% fewer calls than usual)" Kindly help me to configure the health rule properly. Thanks & Regards, Srinivas
Hi all, whenever I get a new log I want to count the number of logs for the last 5 min and then append it to a graph, but I should be able to see the graph of one whole day.
Hello, After setting up a brand new standalone server (v 8.2.6) and migrating our data from another server, it seems as though we don't see any events in either the _internal or the _audit index... I've checked file permissions and a whole lot of config files and could not manage to get this fixed. Can someone please provide some pointers on what might be the issue? EDIT: Forgot to mention that the old server was running the same version and that both of those indexes were working just fine. Thanks!
I'm getting the following error in the machine-agent.log file for URL-Monitor:

Error creating environment task org.yaml.snakeyaml.scanner.ScannerException: null; mapping values are not allowed here; in 'reader', line 83, column 17: username: DV_RO

Here is the URL that is causing the error:

#SAP Healthchecks
- name: SAP-ROI-Healthcheck
  url: https://sap-domain?senderParty=DesignView&senderService=BC_DesignView&receiverParty=&receiverService=&interface=MI_1519_DV_SAPC_Request_Intl_Out&interfaceNamespace=http://company.com/DesignViewInternational
  followRedirects: false
  authType: BASIC
  username: DV_ROI
  password: password
  groupName: SAP

I've run the YAML through a lint program and it's valid YAML, so I can't understand why it's failing. This is the only URL that uses BASIC authentication. I have other URLs that use other authentication methods without any problems.
Hi, I have a CS which runs every 6 mins, looking back -65m and -5m. It triggered a notable alert where, for the same dest value, it triggered ten notables at the same time, 11:46 pm. How much throttle time should I set to avoid this? Thank you!
Hi all, I have some dashboards which are placed as different tabs using the user interface. All the dashboards have the same front page, which is a selection from the dropdowns. Is it possible to pass the values selected in the dropdown of the first dashboard to the other dashboards in the other tabs? This is how the dashboards look. Instead of selecting those values again in the second dashboard, is it possible to pass the already selected values?
Hi All, I have a Splunk query which I cannot get to work for the life of me. This is the search:

|inputlookup feeds.csv
| fields "Threat Feed"
|table "Threat Feed"
|eval observed=1
|append [search index=main sourcetype="feeds" source="/opt/splunkforwarder/bin/scripts/stats.sh" type=feed
    |rename dn as "Threat Feed" customerID as companyId
    |table "Threat Feed" companyId
    | join companyId [| dbxquery query="mysql query" ]
    |eval observed = 0]
|stats min(observed) as observed values(customerId) as cs by "Threat Feed"
| where observed =1

Current Result:
Threat Feed (column name)
Feed55 <<< Correct feed that should not exist in any of the customers

The CSV file only has a column named Threat Feed, with five rows only. The search results are around 25 different feeds per customer (50 customers). I am interested in showing which feeds from the CSV do not exist in the search results, i.e. from the 25 feeds; I need this by customer so that I can create an alert. At the moment I am getting an output of the one feed name that doesn't exist, but I can't link this to the customer, as the CSV file does not have a customerID field since it's a generic file.
smartagent/nagios:
  type: nagios
  command: xxx
  collection_interval / interval / scrape_interval????
Hi All, Though I have set frozenTimePeriodInSecs to a year on a cluster, the logs are only getting retained for 90 days max. The same settings in another cluster are working fine. I need some help checking the issue. Thanks in advance.
Nagios — Splunk Observability Cloud documentation, e.g.:

smartagent/nagios:
  type: nagios
  command: first command
  service: "nagios_1stCommand"
  command: 2nd command
  service: "nagios_2ndCommand"
Hello Experts, I have a dashboard with a dropdown with the following selections: 2022-Mar, 2022-Apr, 2022-May. Based on the selection I choose a source, run various searches and display the dashboard. For example, if the user input is 2022-Apr, I use the token to use C:\\test\\data_2022-Apr.csv and run searches, and it works fine. However, I also have a requirement where I need to plot a value from all three sources in a single panel. For example, say I have a data point arrived at with various calculations, called "total utilization", from each source in the above list. I need to plot this value for the last 3 months (current + last two months' data) in a single panel. So if the user selects 2022-May, I need to run searches on each of the above files, get the total utilization and display it in a single column chart. I have used the eval command to work out the past months' file names and worked out the search command to get the value as well. However, since I am using different sources, I am only able to get them in different search commands, i.e. in different dashboard panels. So the question is: is it possible to combine multiple search commands on different sources into one single search and generate a single column graph? I have looked at subsearch-related posts earlier; however, they seem to be about different sourcetypes rather than the source itself. Would appreciate any inputs. Thanks in advance.
Hi Team, Recently we got an email from Splunk Support with the subject "Splunk Enterprise Advisories - May 2022". When I checked the email I could see around 8 advisories mentioned for Splunk Enterprise, and they also mentioned that Splunk Cloud won't be impacted. In our environment we have 4 Splunk HF servers and 1 Deployment master server which are running a Splunk Enterprise instance.

Reference Link: https://www.splunk.com/en_us/product-security.html?lst=Email1&utm_medium=email&utm_source=splunk&utm_campaign=FY23Q2_CSM_GLBL_OTH_PTF_EN_Security_CVE

Our servers are running Splunk Enterprise versions Splunk 8.1.2 (build 545206cc9f70) and Splunk 8.1.3 (build 63079c59e632) respectively. So is it mandatory to upgrade our HF and DM servers to the latest version, i.e. from 8.1.2 or 8.1.3 to 8.2.6? Or do we have any workaround to address the gaps? Also, since we are currently running 8.1.2 or 8.1.3, can I directly upgrade them to 8.2.6? Will there be any changes? Best recommendations? If we upgrade them to the latest version, will it fix all the security vulnerability issues? Also, should they (our HF and DM servers) be upgraded immediately, or can we perform the upgrade in a month or so? Kindly help on the same.
My table looks like this:

a   b c d e f g
xyz 1 2 3 4 5 6

I need the following table:

a   b       c       d       e       f       g
xyz 1000.00 2000.00 3000.00 4000.00 5000.00 6000.00

But with the command below I am getting the following table; my string field gets eliminated. My query for the data:

| foreach * [eval <<FIELD>> = round(('<<FIELD>>' * 1000),2) ]

a   b       c       d       e       f       g
    1000.00 2000.00 3000.00 4000.00 5000.00 6000.00

How do I obtain everything above along with xyz in a column?