All Topics

Hello, After setting up a brand new standalone server (v 8.2.6) and migrating our data from another server, it seems as if we don't see any events in either the _internal or the _audit index... I've checked file permissions and a whole lot of config files and could not manage to get this fixed. Can someone please provide some pointers on what might be the issue? EDIT: Forgot to mention that the old server was running the same version and that both of those indexes were working just fine. Thanks!
I'm getting the following error in the machine-agent.log file for URL-Monitor:

Error creating environment task org.yaml.snakeyaml.scanner.ScannerException: null; mapping values are not allowed here; in 'reader', line 83, column 17: username: DV_RO

Here is the URL that is causing the error:

#SAP Healthchecks
  - name: SAP-ROI-Healthcheck
    url: https://sap-domain?senderParty=DesignView&senderService=BC_DesignView&receiverParty=&receiverService=&interface=MI_1519_DV_SAPC_Request_Intl_Out&interfaceNamespace=http://company.com/DesignViewInternational
    followRedirects: false
    authType: BASIC
    username: DV_ROI
    password: password
    groupName: SAP

I've run the YAML against a lint program and it's valid YAML, so I can't understand why it's failing. This is the only URL that uses BASIC authentication. I have other URLs that use other authentication methods without any problems.
Hi, I have a CS which runs every 6 mins, looking back -65m and -5m. It triggered a notable alert where, for the same dest value, it triggered ten notables at the same time, 11.46pm. How much throttle time should I set to avoid this? Thank you!
Hi all, I have some dashboards which are placed as different tabs using the user interface. All the dashboards have the same front page, which is a selection from the dropdowns. Is it possible to pass the values selected in the dropdown of the first dashboard to the other dashboards in the other tabs? This is how the dashboards look. Instead of selecting those values again in the second dashboard, is it possible to pass the already selected values?
Hi All, I have a Splunk query which I cannot get to work for the life of me. This is the search:

| inputlookup feeds.csv
| fields "Threat Feed"
| table "Threat Feed"
| eval observed=1
| append [search index=main sourcetype="feeds" source="/opt/splunkforwarder/bin/scripts/stats.sh" type=feed
    | rename dn as "Threat Feed" customerID as companyId
    | table "Threat Feed" companyId
    | join companyId [| dbxquery query="mysql query" ]
    | eval observed = 0]
| stats min(observed) as observed values(customerId) as cs by "Threat Feed"
| where observed =1

Current Result:
Threat Feed (column name)
Feed55 <<< Correct feed that should not exist in any of the customers

The csv file only has a column named Threat Feed; there are five rows only. The search results are around 25 different feeds per customer (50 customers). I am interested in showing which feeds from the CSV do not exist in the search results, i.e. from the 25 feeds. I need this by customer so that I can create an alert. At the moment I am getting an output of the 1 feed name that doesn't exist, but I can't link this to the customer as the csv file does not have a customerID field, as it's a generic file.
smartagent/nagios:
  type: nagios
  command: xxx
  collection_interval / interval / scrape_interval????
Hi All, Though I have set frozenTimePeriodInSecs to a year on a cluster, the logs are only getting retained till 90 days max. The same settings in another cluster are working fine. Need some help checking the issue. Thanks in advance.
Nagios — Splunk Observability Cloud documentation, e.g.:

smartagent/nagios:
  type: nagios
  command: first command
  service: "nagios_1stCommand"
  command: 2nd command
  service: "nagios_2ndCommand"
Hello Experts, I have a dashboard with a dropdown with the following selection: 2022-Mar, 2022-Apr, 2022-May. Based on the selection I choose a source, run various searches and display the dashboard. For example, if the user input is 2022-Apr, I use the token to use C:\\test\\data_2022-Apr.csv and run searches, and it works fine. However, I also have a requirement where I need to plot a value from all three sources in a single panel. For example, say I have a data point, arrived at with various calculations, called "total utilization" from each source in the above list. I need to plot this value for the last 3 months (current + last two months' data) in a single panel. So if the user selects 2022-May, I need to run searches on each of the above files, get the total utilization and display it in a single column chart. I have used the eval command to work out the past months' file names and worked out the search command to get the value as well. However, since I am using different sources, I am only able to get them in different search commands, i.e. in different dashboard panels. So the question is: is it possible to combine multiple search commands on different sources into one single search and generate a single column graph? I have looked at subsearch related posts earlier; however, they seem to be on different sourcetypes rather than source itself. Would appreciate any inputs. Thanks in advance.
Hi Team, Recently we got an email from Splunk Support with the subject "Splunk Enterprise Advisories - May 2022". When I checked the email I was able to see around 8 advisories mentioned for Splunk Enterprise, and they have also mentioned that Splunk Cloud won't be impacted. In our environment we have 4 Splunk HF servers and 1 Deployment master server which are running with a Splunk Enterprise instance. Reference Link: https://www.splunk.com/en_us/product-security.html?lst=Email1&utm_medium=email&utm_source=splunk&utm_campaign=FY23Q2_CSM_GLBL_OTH_PTF_EN_Security_CVE Our servers are running Splunk Enterprise versions Splunk 8.1.2 (build 545206cc9f70) and Splunk 8.1.3 (build 63079c59e632) respectively. So is it mandatory to upgrade our HF and DM servers to the latest version, i.e. from 8.1.2 or 8.1.3 to 8.2.6? Or do we have any workaround to address the gaps? Also, we are currently running 8.1.2 or 8.1.3, so can I directly upgrade them to the 8.2.6 version? Will there be any changes? Best recommendations? If we upgrade them to the latest version, will it fix all the security vulnerability issues? Also, should it be upgraded immediately (our HF and DM servers) or can we perform the upgrade in a month or so? Kindly help on the same.
My table looks like this:

a    b  c  d  e  f  g
xyz  1  2  3  4  5  6

I need the following table:

a    b        c        d        e        f        g
xyz  1000.00  2000.00  3000.00  4000.00  5000.00  6000.00

But with the below command I am getting the following table: my string field gets eliminated. My query for data:

| foreach * [eval <<FIELD>> = round(('<<FIELD>>' * 1000),2) ]

a    b        c        d        e        f        g
     1000.00  2000.00  3000.00  4000.00  5000.00  6000.00

How do I obtain everything above along with xyz in a column?
Hi, I have 2 separate queries as below:

Query1: (normal Splunk search, e.g. index=* host=abcde | table Message1,Message2,Status ....)
Message1, Message2, Status
aaaa,bbbb,0x000006d

Query2: (using inputlookup blabla.csv | table Status,Action)
Status,Action
0x00006d,Failure

How do I map both queries above and produce output as below?

Output:
Message1,Message2,Status,Action
aaaa,bbbb,0x00006d,Failure

Basically the Status from Query1 needs to be mapped with Query2 and output the corresponding Action. Appreciate the help!
I am ingesting some JSON events, and one of the fields is just a massive spammy "//0//0//0//0" repeated 15000+ times. I know my regexes are working fine, and I accomplished this by changing my lookahead in transforms:

[extractMessage]
REGEX = "original":([\s\S]*?})},"
LOOKAHEAD=100000
DEST_KEY= _raw
FORMAT = $1
WRITE_META = true

BUT sedcmd doesn't listen to the lookahead as defined in transforms, because it has to be called from props, and props has no lookahead! So looking at my props.conf:

[host::xx]
SEDCMD-tst = s/(?:a){20,}/yoink/g

I made a bigass file of the letter "a", and counted how many chars were on each event. Then the sedcmd went in and replaced the "a"s with "yoink". Behold.... SEDCMD stops working at 4105 chars. I NEED MORE. How to expand SED's reach?
Hi, When trying to pull AdminAudit logs from Exchange to Splunk we are only receiving the following log (which is divided into 2 logs): First log: WARNING: An unexpected error has occurred and a Watson dump is being generated: Object reference not set to an instance Second log: of an object. Please provide your support.
Hello, everyone! I configured a source from my database via the Splunk DB Connect app. Events contain a field "time" and I want the Splunk _time field to be equal to this, because now I have two times: the real time (field "time" from the event) and the time when Splunk took the event from the database (field "_time").
Hi All, I want to find out all sourcetypes which are configured for all reports in our Splunk. Suppose we have configured 100 reports; then I want to see, with the help of a query, which sourcetype is configured for all these 100 reports. This is my question. Regards, Sanket Kaware
Hi Team, We are using the Splunk Enterprise SIEM tool. We want to check all the sourcetypes which are configured for all alerts/dashboards/reports. We have searched and tried the below query, but it is not showing the expected result which we want.

index="*" | stats count by source type

We want to check all sourcetypes which are configured under all reports or all dashboards or all alerts. If you can give me 3 different queries for this then it is also fine; we do not require all this in one query. Could you please suggest and help us with this. Regards, Sanket Kaware
Hi, I have the following data which I use a search to find from the last 30 days and save into a lookup:

Customers  Old Acquired Product  New Acquired Product
Jack       Product 1             Product 2
Alan       Product 4             Product 5
Chris      Product 3             Product 2
Ceb        Product 5             Product 3

Now, I know every day or every few days each customer's products are changing as they are acquiring new products. Here is what I want to do:
1. Create a saved search.
2. Modify the existing lookup to ensure each customer key value is updated accordingly.

For e.g., the next day customers Jack and Chris acquired a new product. So the saved search schedule will pick up the change and update the lookup as follows:

Customers  Old Acquired Product  New Acquired Product
Jack       Product 2             Product 4
Alan       Product 4             Product 5
Chris      Product 3             Product 2
Ceb        Product 3             Product 2

I know I have to use the outputlookup and lookup commands, but I fear it is going to overwrite it.
Hi, I am currently running Splunk 8.1.9. Is it possible to create a role that will allow a user to access only specific fields in an index? Example: field1, field2, field3, field4, field5. The user has access to the index, but can only view data in field1, field4 and field5. Much thanks.
Hi, I have a chart to display a value by time. Then I calculate the average of the value. I want to display the avg next to the chart; what can I do please? Thanks in advance!