Can I just upgrade the Splunk Enterprise deployment to version 9.0 in a Splunk Cluster environment?
I need to pass the result of query 1 as an input string for the second query. From the first query I'm getting the output (x-correlation id) as a field; that output field (x-correlation id) is the input for the second query to get errors. Both queries are attached below; please find the attachments and help me out with the requirement.
query 1:- index=cloud_ecp sourcetype="prod-ecp-aks-cluster-logs" "bookAppointmentRequest" | fields data.req.headers.xcorrelationid
query 2:- index=cloud_ecp sourcetype="prod-ecp-aks-cluster-logs" <co-relationid of query1> "Error"
Note:- there is more than one correlation id; I need to loop over all those ids, if any.
Hello, what is the proper way to purge Splunk SOAR/Phantom containers from the database? It seems that deleting a container only hides it from the UI. Is there a way to purge containers with certain filters, for example purge containers where label="specific_label" and created before 6 months ...?
Hi all, so on my ES security search head, this sourcetype is incorrectly parsing the user field. It is capturing all users correctly, but it's also capturing random stuff from the same log types where a username isn't present. I tried messing with props.conf and transforms.conf but nothing seems to do anything. Does anyone have a good idea where to start? I also tried to make a fresh field extraction for just the user field, but it made no difference.
I have a list of servers that are down and need to notify once they are back to normal (up). This is the requirement: once a server is up, there is no need to consider the same server further, because it's already up; the remaining ones need to be checked. E.g., servers A, B, C, D and E are down and are listed in a lookup. Those servers need to be checked every minute and notified once they are up. If servers A and B are up after some time, then it should trigger an alert; since servers A and B are already up, at the next alert they should not be considered, and only the remaining servers C, D and E should be considered further. Then it checks and triggers an alert when C, D and E, or any one of them, is up.
index=linux sourcetype=df | lookup Hobbit_threshold_data host mount outputnew l_threshold as lower_value h_threshold as higher_value condition as Condition | where ((PercentUsedSpace >= lower_value) AND (PercentUsedSpace<higher_value)) | where Condition!="no" | eval hostname=mvindex(split(host,"."),0) [ | inputlookup Hobbit_Disk_Space_Warning.csv | fields host ] | stats host=lower(host) | stats count BY host | append [ | inputlookup KCI_Hobbit_Disk_Space_Warning.csv | eval host=lower(host), count=0 | fields host count ] | stats sum(count) AS total BY host | eval status=if(total=0,"Down","Up")
(The bolded part of the query gives you the server-down host list.) I just modified it as per the query given by you; it does not meet the requirement.
Hi, I am unable to log in to the SaaS platform using the trial account which I created today. Below are the welcome details I received. Account Name: [Redacted] Username: [Redacted] I think there is some option like local login; if we click that, we are getting this issue. Please help resolve this issue at the earliest. ^ Post edited by @Ryan.Paredez: please do not share your account name or email address on Community posts for security and privacy reasons.
Hi there, I'd like to run a report from Splunk that concerns the means of receiving the One-Time Password for both my own company and our partners. The means can be either an email or a mobile phone number.
index=2FA-OTP "has called sendOtp with" AND "for primary customers:" | rex ".* has called sendOtp with (?<means>.*?) for .* from:(?<regnr>.*?) for primary customers: (?<hostname>.+)" | stats count as nrs by hostname,regnr,means
The above Splunk search gives results like:
... 94.***.**.**:45701 has called sendOtp with +45 41***** for hf10028 from:Partner-Company-A for primary customers: site.example.com 95.***.**.**:45702 has called sendOtp with +47 41***** for hf10029 from:Partner-Company-B for primary customers: site.example.com 98.***.**.**:45732 has called sendOtp with james@example.com for jm23456 from:mycompany for primary customers: site2.example.com 98.***.**.**:45732 has called sendOtp with +48 98***** for jm23457 from:mycompany for primary customers: site2.example.com ...
However, I'd like to further group the counting results into Email (means containing '@') or SMS (means containing no '@'), and by whether it's for my own company (regnr containing "mycompany") or Partners (regnr containing no "mycompany"). Thanks in advance.
Hi all, I need your support in resolving an issue in a pie chart. I can see the below-mentioned results in statistics and in the pie chart while running in a separate search window. When adding the same pie chart to a dashboard panel, the Failed field is missing from the pie chart. We have also tried charting.chart.sliceCollapsingThreshold with 0. No luck. While the dashboard is loading we are able to see the field Failed, but we are not able to see it after the job completes. Please provide your inputs. Thanks in advance.
Good morning, I have an app that is currently deployed on several servers via the deployment manager. Recently we installed a new server and I added it to a specific server class in order to receive a small app. For some reason, the app does not get deployed, but other server classes do get deployed. The error in the splunkd.log file is the following:
06-20-2022 12:08:43.952 +0200 INFO DeployedApplication [7180 HttpClientPollingThread_37C53C58-43DD-4D11-87C4-6C43DC08B1BB] - Checksum mismatch 0 <> 6534619572757127978 for app=Splunk_TA_windows - Process terminated. Will reload from='splunk.xxx.yyy.zzz:8089/services/streams/deployment?name=default:Process%20Termination:Splunk_TA_windows%20-%20Process%20terminated'
06-20-2022 12:08:44.154 +0200 ERROR HttpClientRequest [7180 HttpClientPollingThread_37C53C58-43DD-4D11-87C4-6C43DC08B1BB] - HTTP client error=Connection closed by peer while accessing server=https://splunk.xxx.yyy.zzz:8089 for request=https://splunk.xxx.yyy.zzz:8089/services/streams/deployment?name=default:Process%20Termination:Splunk_TA_windows%20-%20Process%20terminated.
06-20-2022 12:08:44.154 +0200 WARN HTTPClient [7180 HttpClientPollingThread_37C53C58-43DD-4D11-87C4-6C43DC08B1BB] - Download of file C:\Program Files\SplunkUniversalForwarder\var\run\Process Termination\Splunk_TA_windows - Process terminated-1655717532.bundle failed with status 502
06-20-2022 12:08:44.154 +0200 WARN DeployedApplication [7180 HttpClientPollingThread_37C53C58-43DD-4D11-87C4-6C43DC08B1BB] - Problem downloading from uri=splunk.xxx.yyy.zzz:8089 to path='/services/streams/deployment?name=default:Process%20Termination:Splunk_TA_windows%20-%20Process%20terminated'
06-20-2022 12:08:44.155 +0200 ERROR DeployedServerclass [7180 HttpClientPollingThread_37C53C58-43DD-4D11-87C4-6C43DC08B1BB] - name=Process Termination Failed to download app=Splunk_TA_windows - Process terminated
06-20-2022 12:08:44.174 +0200 WARN DC:DeploymentClient [7180 HttpClientPollingThread_37C53C58-43DD-4D11-87C4-6C43DC08B1BB] - Restarting Splunkd...
Could someone tell me what is happening? The same app is already deployed on other servers without any issue. Thanks
Hello, I've started the Free Trial period but I'm not able to access the Controller (the SaaS portal). I try to input the Account, the Username and the password and it says Login Failed. Moreover, the error that I'm getting according to the Network tab is a 499 status code. Please, could you provide any solution? Other issue tickets: https://community.appdynamics.com/t5/Licensing-including-Trial/Unable-to-start-SaaS-free-trial/m-p/44989 Kind regards, Alex.
Query to find when a host is stopped. Here, as shown in the picture, the field _time stopped at the time when the host was stopped, and it's back to normal when the host is started. So I need to trigger an alert when the host is stopped.
Hi all, I configured SmartStore on 2 new Splunk core infrastructures. I didn't encounter errors setting up the indexer and multisite, but when I configured SmartStore I started to receive these errors multiple times:
ERROR CacheManager [1721417 cachemanagerUploadExecutorWorker-3] - action=upload, cache_id="*THE*BUCKET*", status=failed, reason="HTTP Error 14: Retry policy exhausted in Read(): PerformWork() - CURL error [6]=Couldn't resolve host name [UNAVAILABLE]", elapsed_ms=881841
ERROR CacheManager [1721414 cachemanagerUploadExecutorWorker-0] - action=upload, cache_id="*THE*BUCKET*", status=failed, reason="HTTP Error 9: Permanent error in ComposeObject: {\n "error": {\n "code": 412,\n "message": "At least one of the pre-conditions you specified did not hold.",\n "errors": [\n {\n "message": "At least one of the pre-conditions you specified did not hold.",\n "domain": "global",\n "reason": "conditionNotMet",\n "locationType": "header",\n "location": "If-Match"\n }\n ]\n }\n}\n [FAILED_PRECONDITION]", elapsed_ms=327982
I checked the content of the GCS folder with the command: splunk cmd splunkd rfs ls index:my_index | grep *THE*BUCKET*IN*ERROR* I checked the bucket and it's in the folder. I tried to restart the CM and do a rolling restart of the indexers, but the error persists. I share the .conf:
server.conf: [cachemanager] max_cache_size = 250000 hotlist_recency_secs = 604800 max_concurrent_downloads = 4 hotlist_bloom_filter_recency_hours = 168
indexes.conf: [volume:remote_store] storageType = remote path = gs://bucket remote.gs.credential_file=cred
Hi, I have updated a React component in one of my Splunk apps. However, when I now relaunch Splunk, I see no change but rather an empty app. I have cleared my browser cache and my yarn cache ... but there is still no content in my browser when launching the app. Can you please help? Thanks
Hello everyone. I want to install the Universal Forwarder on the RHEL 5 32-bit version. Is it available for installation? Please provide any link; it should be compatible with the latest version of Splunk main. Any idea for this? Thanks in advance.
Hi all, I was trying to find the unencrypted passwords in my logs by using one anchor pattern. After getting the password value by the anchor pattern, I have to check whether it is encrypted or not. In my logs the encryption is done by using the asterisk (*) symbol. So it has been difficult for me to differentiate between the user-entered password and the encrypted password, as a user password can also have the asterisk (*) symbol. There are no prior requirements for the passwords like at least 1 uppercase, 1 lowercase etc. The password will have no minimum length. Passwords can be like:
1. 1234556687
2. RonnieAlex
3. Tyler@123
4. #%@cosmic123
5. A***B*V*****U**Y*** (encrypted password in my log)
Help me with the regex that matches all the above cases. Thanks in advance.
Hi all, I am using transaction to group my DDoS appliance events based on a field called status, which has values like starting, holding and end.
| transaction eventID startswith=starting endswith=end maxspan=12h
Raw events (notice there is a status value in every event):
Jun 20 13:58:05 172.x.x.x logtype=attackevent;datetime=2022-06-20 13:57:38+08:00;eventID=7861430818955774485;status=starting;dstip=10.x.x.x;eventType=DDoS Attack Alert;severity=high;description=pps=3450,bps=39006800;subtype=FIN/RST Flood;attackDirection=inbound;
Jun 20 13:59:05 172.x.x.x logtype=attackevent;datetime=2022-06-20 13:58:07+08:00;eventID=7861430818955774485;status=holding;dstip=14.x.x.x;eventType=DDoS Attack Alert;severity=high;description=pps=0,bps=0;subtype=FIN/RST Flood;attackDirection=inbound;
Jun 20 14:00:07 172.x.x.x logtype=attackevent;datetime=2022-06-20 13:59:07+08:00;eventID=7861430818955774485;status=end;dstip=14.x.x.x;eventType=DDoS Attack Alert;severity=high;description=pps=0,bps=0;subtype=FIN/RST Flood;attackDirection=inbound;
As you know, a duration field is created that holds the duration of the entire transaction from start to end. Now, is there a way to calculate the duration between status=holding and status=end as well? Basically another transaction command in the same query, but with startswith=holding and endswith=end? The requirement is to find out how long the attack was in holding status. I am assuming adding another sub-transaction may help to meet this.
Hi everyone, I have a field called TriggeredMessage coming in an event in Splunk and I want to extract the short description field from it. Below is the sample TriggeredMessage, and it will vary:
Alert::Serious::Server::Memory Utilization is 92 %, which is above threshold 90% & less than 95%::memory.
And I want to extract a short description as below:
Server::Memory Utilization is 92 %, which is above threshold 90% & less than 95%
I am trying a regex but it is not working for me. Please help me with this. Thanks.
Hi, I am using a multiselect input with the following query: |inputlookup ABC | eval hjk=_key | lookup XYZ asset OUTPUT ass AS name, app AS application | stats values(application) However, when I add this onto the actual dashboard, no results are generated as expected on the actual input. What am I doing incorrectly? Thanks,
Hi, I am new to Splunk. I just started using it last month. For me the below " | eval error=substr(msg, 0, 1000) | table error app_name " is not working with my alert event. It doesn't work for large strings with 20k or more characters; the table cells show blank in this case. The values can be found in verbose mode but not in fast mode. However, it works when the msg is ~1150 characters.
Hi, I have a dashboard as follows:   And the stakeholder wants a legend as follows added to the dashboard:   How can this be achieved? Thanks,