hi
When I call the lookup like below it works fine:
| inputlookup test.csv
but when I use the lookup in a search I get the message below:
Error in 'lookup' command: Could not construct lookup
Here is the lookup. What do I have to do, please?
Hi everyone, I have a list of id and event by day. But some days are missing for some id, now I want to fill 0 or null for the missing date to have a continuous day for every id.

_time       id  value
01/04/2022  1   10
01/04/2022  2   20
01/04/2022  3   30
02/04/2022  1   15
02/04/2022  2   30
03/04/2022  3   45
04/04/2022  1   25
04/04/2022  2   45
04/04/2022  3   65

Expecting:

_time       id  value
01/04/2022  1   10
01/04/2022  2   20
01/04/2022  3   30
02/04/2022  1   15
02/04/2022  2   30
02/04/2022  3
03/04/2022  1
03/04/2022  2
03/04/2022  3   45
04/04/2022  1   25
04/04/2022  2   45
04/04/2022  3   65

thanks a lot.
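One way to fill the missing (day, id) combinations in SPL, as an added example and not an answer from the thread: pivot the rows into one column per id with chart, fill the time gaps with makecontinuous, zero-fill the empty cells, then pivot back with untable. The sample rows are the ones from the question, loaded with makeresults so the search runs on any Splunk instance without an index; the field names day, id and value are assumptions.

```spl
| makeresults
| eval raw="01/04/2022,1,10 01/04/2022,2,20 01/04/2022,3,30 02/04/2022,1,15 02/04/2022,2,30 03/04/2022,3,45 04/04/2022,1,25 04/04/2022,2,45 04/04/2022,3,65"
| makemv delim=" " raw
| mvexpand raw
| rex field=raw "^(?<day>[^,]+),(?<id>[^,]+),(?<value>\d+)$"
| eval _time=strptime(day, "%d/%m/%Y")
| bin _time span=1d
| chart sum(value) as value over _time by id
| makecontinuous _time span=1d
| fillnull value=0
| untable _time id value
| sort 0 _time id
| eval day=strftime(_time, "%d/%m/%Y")
| table day id value
```

Replace everything up to and including the rex with your own base search. The zero-fill has to happen before untable, because untable drops empty cells; if you want null rather than 0 in the gaps, and 0 is never a real value in your data, add `| eval value=if(value=0, null(), value)` after untable.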
Hi Everyone, We have the Ping Directory application (LDAP) running on a Linux server. We have the Java appAgent and machine agent installed and configured on the Linux server. The issue is that every day at 1.05 AM my appAgent restarts, and that JVM restart time is showing on the AppDynamics dashboard instead of the Ping Directory JVM status. I have spoken to the internal AppD team and raised a support ticket but am not satisfied with their responses. I understand their argument that the javaagent will not start standalone as it is part of the Ping Directory JVM. I'm trying to chase the mystery of what is causing the javaagent restart at exactly 1.05 AM every day. Appreciate any help in troubleshooting this issue. Thanks, Anand Gulla
Why are secrets masked in Jenkins but not in Splunk? In the Jenkins logs, using withCredentials, the passwords appear masked, but when I query the jobs in Splunk they appear in clear text. How can I fix this?
Hi All, Has anybody implemented a search to detect the following use case? https://adsecurity.org/?p=1785 Any suggestions on how to write the query will be highly appreciated. We are getting AD logs in with all the necessary auditing enabled.
Alerts vs Reports on Splunk "Searches, reports and alerts" page

I want to make this query show the number of alerts and the number of reports that match exactly how it shows on the "Searches, reports and alerts" page.

| rest /servicesNS/-/-/saved/searches
<eval for type here>
| stats count by type

I found this question long ago but no answer was given to an exact matching count - https://community.splunk.com/t5/Alerting/What-is-the-difference-between-alert-and-report/m-p/368683

Woodcock mentioned this, which is a nice explanation of why there is no difference between alert and report anymore.

Originally only alerts had alert actions but customers insisted and now reports also can have alert actions so literally there is no functional difference between the two. There is now only a taxonomical difference which you are free to slice any way that you like. Settings-wise, the difference between the two now is defined in savedsearches.conf as: alert.track=1 means alert and alert.track=0 means report. That is it.

The main thing is I want to find out how Splunk is deciding whether it's an alert or a report on the web?
I am trying to create a table which shows 3 columns: error msg, errorcode, and count. My current query is pulling the errorcode/msg in one column and the error count individually instead of as a whole. Please assist.
(screenshots in the original post: my current query, current output, expected output)
So I have this search looking to send emails to people logging into a legacy SH, but the map command breaks my results.

index=_audit sourcetype=audittrail action="login attempt"
| eval user=user."@gmail.com"
| fields user
| map search="| makeresults | sendemail to=\"$user$\" subject=\"Please stop using old SH\" message=\"Please migrate to new SH\" sendresults=true inline=true format=raw"
We are sending order numbers into Analytics from Business Transactions. We are sending the order numbers at various stages in the order flow. We are sending order numbers as NEW orders, and sending the same order numbers when they reach a stage of completion, ASSIGNED. The values are coming in from 2 different business transactions, so they show up in different columns in Analytics. We are struggling to write a query to return only the order numbers that show up in NEW that don't show up in ASSIGNED, to alert us to orders that may be stuck. My sql guy tried:

select segments.userData.'NEW' from transactions where segments.userData.'NEW' is not null
minus
select segments.userData.'ASSIGNED' from transactions where segments.userData.'ASSIGNED' is not null

... but ADQL doesn't use 'minus' and also doesn't seem to allow two 'select' commands in a single query. Any ideas?
After installing the app, add-on, and configuring the API permissions, the M365 Usage & Adoption dashboard does not populate. Going into Search, there are no results for the Office365Services User Counts source. I'm wondering if maybe an API permission has moved from Office 365 Management APIs to the Microsoft Graph API? Any feedback would be appreciated.
Hello! I'm trying to pull full product names into a table, but only the first word is getting pulled in. The field name is Product. Example products are:
Cash product
Cash connections
Checking app
Checking cash product
When I create the table, I only see "Cash" or "Checking" as the product names instead of the full name. I can't figure out how to do a rex command to help solve this. (Or some other way to solve it.) Maybe something like this? I'm just guessing.
"(Cash|Checking)\s[a-z]\w*"
Appreciate any help!
I use the following extension https://developer.cisco.com/codeexchange/github/repo/Appdynamics/url-monitoring-extension where I monitor URLs. The custom metric gives a status of either 0, 2, 3 or 4:
UNKNOWN(0) FAILED(2) ERROR(3) SUCCESS(4)
But using anything other than a time graph does not give me the information, because it is important to know the percentage of time the status is 0, 1, 2, 3 (DOWN) or 4 (UP). So the time graph shows me when something is down, but I also want to add this custom metric to an expression like: percentage of 0, 2 & 3 (DOWN) and percentage of 4 (UP), and show this in a pie or gauge or metric value. For me the above does not seem to work with the calculation (how many percent over time are 0-3 and how much is 4 in percent):
Minimum: Minimum value, only available for averaged metrics
Maximum: Maximum value, only available for averaged metrics
Value: Contains the average or the sum across the time range depending on the metric
Sum: Aggregated value of the metric over the time range
Count: A count of the observed values over the time range
Current: The sum of the most recent minute's metric data value across all the included nodes
Secondly, is it possible to put this custom metric into Analytics and therefore have better calculation possibilities?
I have a big event and I want to capture the string between "Message=" and "UpDocCaseRepository", in other words I want to capture this specific string:

"Service encountered a database error." InnerMessage="Method Name: LOBCaseService.LoadCaseText, Error Message: Service encountered a database error., Exception: System.Net.Http.HttpRequestException: Cannot get client case document(s). Lob service call was not successful. reasonPhrase=Unauthorized\r\n at .eCAC.Service.CDR._1.Repository.

event:

2022-04-04 21:15:37,734 ERROR WCFServiceClient.Web.InfrastructureService sTime="4/5/2022 1:15:37 AM" LocalId="403654042" Method="LoadCase" Message="Service encountered a database error." InnerMessage="Method Name: LOBCaseService.LoadCaseText, Error Message: Service encountered a database error., Exception: System.Net.Http.HttpRequestException: Cannot get client case document(s). Lob service call was not successful. reasonPhrase=Unauthorized\r\n at .eCAC.Service.CDR._1.Repository.UpDocCaseRepository.<SendUpDocRequest>d__14`1.MoveNext() in s:\jenkins\workspace\_ecac_se---aeddb52c\.eCAC.Service.CDR\1.Repository\UpDocCaseRepository.cs:line 191\r\n--- End of stack trace from previous location where exception was thrown
I'm trying to make a time chart where it uses the time value specified in my table, rather than the default _time value. Currently I'm trying something like this:

base search
| eval Failures = if(STATUS="Failed",1,0)
| timechart sum(Failures) by TIME

DATE        TIME   SYSTEM       Failures
03/01/2022  12:00  Development  10
03/01/2022  13:00  Development  2
04/01/2022  15:00  Development  3
05/01/2022  18:00  Development  8

Any suggestions help :-).

Thank you, Marco
Hello, I had the PagerDuty App for Splunk (Splunkbase) installed on our instance of Splunk, and when I went to the setup page, put the API and integration url in and hit confirm, nothing happened. When I checked the browser console I saw there were two 404 (not found) errors.

splunkd/__raw/services/properties/alert_actions/pagerduty/param.integration_key?output_mode=json&_=23232443242

When I tried clicking confirm I received another 404 error.

There is no alert_actions.conf in the pagerduty local folder and there is one in default. I checked the security rights and they all seem fine. I tried making a local dev instance to see if I could break the permissions and replicate the error, but it worked fine every time and created an alert_actions.conf in the pagerduty app local folder.

If anyone knows a solution to this problem I'd greatly appreciate the help. My current theory, from the initial 404 error and the URL chunk I included, is that it keeps looking for the alert_actions.conf in the local folder. So if I manually created it with the proper stanza and fields, that might let me set up PagerDuty. As to why it's not actually creating it I'm not sure, since the permissions all look good. thanks
I generated a Diag and now I need to create an index for it. How do I create it?
Hi. How can I compare load during the same time every day for business days? I.e. time 11:00 AM - 7:00 PM on Monday, Tuesday, ..., Friday:

Monday - 3200
Tuesday - 3300
Wednesday - 5400
Thursday - 3200
Friday - 3100

TIA
We are having a connection issue on Splunk Enterprise 8.2.6 on prem with Splunk Secure Gateway 2.7.4. According to the firewall rules, the connection on port 443 outbound to the host prod.spacebridge.spl.mobi is allowed. We verified the connection using the troubleshooting guide in the documentation by running:

curl https://prod.spacebridge.spl.mobi/health_check

We also tried the test for the wss connection and we get the correct response:

curl -i -N -H "Connection: Upgrade" -H "Upgrade: websocket" -H "Host: echo.websocket.events" -H "Origin: https://echo.websocket.events" -H "Sec-WebSocket-Key: d3d3LnNwbHVuay5jb20=" -H "Sec-WebSocket-Version: 13" https://echo.websocket.events

When we run the following rest command:

| rest "services/ssg/test_websocket" request_type="{\"versionGetRequest\": {}}" request_mode=clientSingleRequest

We get this output:

auth_code_status = 200
completed_client_registration = 0
error = 'token_id'
server_registration_status = 400
splunk_server = server
wss_response = 0

The error traceback in _internal is:

2022-05-09 11:22:58,148 ERROR [rest_base] [__init__] [exception] [4772] Spacebridge error
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_secure_gateway/bin/spacebridgeapp/rest/util/helper.py", line 13, in extract_parameter
    result = obj[key]
KeyError: 'self_register'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_secure_gateway/bin/spacebridgeapp/rest/base_endpoint.py", line 53, in handle
    res = self.handle_request(request)
  File "/opt/splunk/etc/apps/splunk_secure_gateway/bin/spacebridgeapp/rest/base_endpoint.py", line 86, in handle_request
    return self.post(request)
  File "/opt/splunk/etc/apps/splunk_secure_gateway/bin/spacebridgeapp/rest/registration/saml_registration_handler.py", line 70, in post
    self_register = extract_parameter(request['query'], SELF_REGISTER_LABEL, QUERY_LABEL)
  File "/opt/splunk/etc/apps/splunk_secure_gateway/bin/spacebridgeapp/rest/util/helper.py", line 15, in extract_parameter
    raise Errors.SpacebridgeRestError('Error: Request requires %s parameter "%s"' % (source_name, key), 400)
spacebridgeapp.rest.util.errors.SpacebridgeRestError: Error: Request requires query parameter "self_register"

Any ideas on how to solve this issue, or how to continue the troubleshooting?
hello
I timechart events without a by clause:

| timechart count(crash) as "crash" count(hang) as "hang"

When I click on "crash" or "hang" I need to open a drilldown, not in another dashboard, but just in a new window. I tried with a token or with a link to the search but it doesn't work. Could you help please?
Hi, I need to create an alert for when the VPN goes down, but only when the drop lasts more than 1 minute. I would appreciate your help.

Right now I have the alert set to report any down events and then manually check which ones last longer than 1 minute.

index=paloalto | search EventID=tunnel-status-down OR EventID=tunnel-status-up
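One way to pair each tunnel-status-down with the following tunnel-status-up and alert only on outages longer than a minute, as an added example and not an answer from the thread. It uses transaction with keepevicted=true so that a tunnel that is still down (no up event yet) also fires, measured against now() instead of the recovery time. The sample events are constructed with makeresults so the search runs without the index; in production replace everything up to the sort with the real base search (index=paloalto (EventID="tunnel-status-down" OR EventID="tunnel-status-up")). The field name tunnel, which identifies the tunnel in your Palo Alto events, is an assumption and must match your add-on's extraction.

```spl
| makeresults
| eval raw="-900,gp-site-a,tunnel-status-down -870,gp-site-a,tunnel-status-up -600,gp-site-b,tunnel-status-down -420,gp-site-b,tunnel-status-up -300,gp-site-c,tunnel-status-down"
| makemv delim=" " raw
| mvexpand raw
| rex field=raw "^(?<offset>-?\d+),(?<tunnel>[^,]+),(?<EventID>.+)$"
| eval _time=now() + offset
| sort 0 -_time
| transaction tunnel startswith=eval(EventID="tunnel-status-down") endswith=eval(EventID="tunnel-status-up") keepevicted=true maxspan=24h
| eval outage_secs=if(closed_txn=1, duration, now() - _time)
| where outage_secs > 60
| eval status=if(closed_txn=1, "recovered", "still down")
| table _time tunnel status outage_secs
```

With the constructed data, gp-site-a (down for 30 s) is dropped, gp-site-b shows as recovered after 180 s, and gp-site-c shows as still down after 300 s. Because the search window has to contain the down event for the pairing to work, schedule the alert over a window at least as long as the longest outage you want to catch, and use throttling on the tunnel field so a tunnel that stays down does not page you every run.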