Hi All, I have configured inputs to monitor a file path but no events are visible in Splunk. I checked the internal index and found the below error:
Hi everyone! As an intern for an engineering degree, I have to make a state of the art around Windows logs and how they are used with Splunk among others. So here is my question: what do you usually do with Windows logs, which pieces of information do you get back and what is the purpose? Thank you in advance for your answers! Regards, Antoine
We have log files generated on a Linux server. We want to push them into Splunk automatically at a regular time interval. Thanks in advance.
Can anyone help to plot a line chart with the x-axis starting at a non-zero value, like the below image? You can see the graph is starting from 1994-95; this is what I require. Can anyone please help us? Thank you.
I'm going to the page below and selecting Windows OS; I'm then redirected to the download page. I get the error: "There was an error loading this page. Please try again in some minutes." I've tried on different browsers and another computer but it is still not working. Can anyone let me know how I can download it?
Hi, I'm collecting logs from an S3 path using the "Splunk Add-on for Amazon Web Services". I want to extract a field from the S3 path string. I was able to do it using this expression: `rex field=source "[.]*\/batch_id=(?<batch_id>[0-9]*)\/[.]*"`. How can I do this using Field Extraction in Splunk Cloud so that it automatically extracts this field at search time? Thanks
Query to find out activity towards a particular URL, e.g. URL: https://www.microsoft.com/en-us/security
I keep getting this every time I try to download the 60 day trial. Why? I have made an account, verified my email and tried to download on several browsers, all giving the same message. Please help, as I need this for my IT course and they only direct us to the site. I have tried calling the phone numbers only to be thrown in a loop in the options, and even when going to sales they just say no one is available. For such an apparently needed application, there is no information or help in regard to this issue. I have also cleared the cache and tried different PCs, all with the same result. I hope someone knows what this is caused by, as even the cyber data lecturer can't answer it.
Hi All, I need to correlate data from 2 different indexes wherein the field name is common.

Index=idx1 (this index has general user info)
Field Name: sys_created_by
Value: <email id of the user>
Other fields in idx1 of interest: login_time

Index=idx2 (this is the index which has URLs accessed by the user)
Field Name: sys_created_by
Value: <email id of the user>
The URL information is stored in a field called "url" in idx2.

The use case is to take the sys_created_by field from idx1 and lookup/search for all URLs in idx2 accessed by the sys_created_by coming from idx1. I cannot rely on the sys_created_by field from idx2 alone as it doesn't have all the other user attributes that are in idx1, such as login_time. Hence I need to correlate data across the two indexes. Do I need to do something like the following, which will merge the sys_created_by from both indexes?

eval common_field = coalesce(sys_created_by, sys_created_by)

I tried something like:

(index=idx1 sys_created_by!="") OR (index=idx2 sys_created_by!="" url!="") | stats values(url) values(login_time) BY sys_created_by

But this doesn't show results as expected. Is there a way to reference my common field like shown below in BY, to tell Splunk which idx it needs to refer to?

| stats values(url), values(login_time) BY ( idx2.sys_created_by)
I would like to hide/not display the panel when there is no data. Is it possible in Splunk Dashboard Studio? If yes, how can we achieve it? Can anyone please guide?
Hi all, my understanding is that Splunk forwarders store data in cache memory when transferring data to the Splunk indexer. Is there a way to set a limit on the amount of data stored in the Splunk forwarder's cache memory?
Does anyone know why a lookahead such as the following causes a dashboard panel to hang with "waiting for data", but works perfectly when run in an independent search?

rex field=foo "(?=\w+$)(?P<bar>\w+$)"

Stranger still, if the rex command is ``` commented out ```, the issue continues to occur. For context, the panel is a tabular drilldown panel that uses a boolean token to display on/off, and two tokens for earliest and latest values, based on the selected "row" of a column chart using $row._time and relative_time($row._time$, "+1h"). The panel displays without issue when the rex is removed. Other rex commands work without issue. The solution in this case was to remove the lookahead entirely. However, given the status of "waiting for data", does anyone know the cause (and thus ways to avoid this issue in general)?
I have a use case where I need to run analytics on top of data that lands in Splunk. So, I want to store all the data in S3 too, as and when the data lands in Splunk. I would like to know the best possible way we have with the latest version of Splunk Enterprise/Splunk Cloud Platform to save a copy of Splunk data to S3 as and when the data comes into Splunk. Please give suggestions on the same. Thanking you.
Hi, as I create an extraction field with regex, the field match is shown as correct. I can check the regex on https://regex101.com/. The field is shown in raw events if I try to define the next field, but in search the field is not found.

Field extraction regex:
(?<=Evaluation: )(?P<evaln_from_tr>.*)(?= NumOfChannels)

Sample log line:
[30-Apr-2022 05:52:40][XXX][getResults]Evaluation: zl_numcount NumOfChannels: 1 Permissions: Everybody read and write

Verbose mode search without the new field:
index=XXX sourcetype=XXX host=XXX source="XXX.txt" method=geResults "* NumOfChannels: *"
found 1485 events like the example, with different names.

Verbose mode search with the new field:
index=XXX sourcetype=XXX host=XXX source="XXX.txt" method=geResults evaln_from_tr="*" "* NumOfChannels: *"
found 0 events!

Why is the field shown by the extraction of another field but not found by search?
Error connecting: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.. Your Splunk instance is specifying custom CAs to trust using sslRootCAPath configuration in server.conf's [sslConfig] stanza. Make sure the CAs in the appsCA.pem (located under $SPLUNK_HOME/etc/auth/appsCA.pem) are included in the CAs specified by sslRootCAPath. To do this, append appsCA.pem to the file specified by the sslRootCAPath parameter.
Hi, I have this Gantt, for example, where you see the stages and the time they took:

I need to find the critical path values and then make them the same color, but different from the stages that aren't part of the critical path. Does Splunk support finding the critical path in a Gantt? And if not, and I calculate this by myself, how can I change the color of these specific stages in the same Gantt? For example, I created this query that finds the stages in the critical path and keeps them in stage_critical:

index="abc" source="efg" | table Stage,STARTTIME,FINISHTIME,TIME_RUNNING,FEEDER_ID_NAME,dependOn,FEEDER_ID,username,id ,DUT| search FEEDER_ID_NAME=* | search id="1234" DUT IN (*) STARTTIME!="NULL" FINISHTIME=* | eval Stage=DUT.".".Stage | stats list(dependOn) as dependOn by id,DUT,STARTTIME,Stage,FINISHTIME | mvexpand dependOn | eval sp=split(dependOn," ") | mvexpand sp | dedup sp | eval dependOn=sp | eval dut2=replace(dependOn,DUT."_"."*"."_","==") | table * | rex field=dut2 "==(?<stage_critical>\w+)" | eval stage_critical=DUT.".".stage_critical | table *

In this query I want every Stage that appears in stage_critical to be in red. Would you help me?
Hi, this is what appears to me when I try to complete the training:

Denied Person. Due to U.S. export compliance requirements, Splunk has blocked your access to Splunk web properties. We are in the process of reviewing this and you will get a welcome email from Splunk once the review is cleared. This review may take up to 2 business days. If you do not receive a welcome email from Splunk after 2 business days, feel free to reach out to support@splunk.com. When reaching out, be sure to provide your full name, complete address, email, and the Splunk.com username you registered with. We will respond as soon as possible.

I don't know the reason; can you help me?
Hello, my SPL expertise is limited. I'm trying to write a search which matches a sequence of events. I'm working with Sysmon logs from a Windows machine.

The first event is a file creation event where Image ends with dllhost.exe and TargetFilename starts with C:\windows\system32\. Something like:

index=sysmon EventID=11 Image="*dllhost.exe" TargetFilename="C:\\windows\\system32\\*"

The next event is an image load event where Image starts with C:\windows\system32\ and Signature does not start with the keyword "Microsoft ". Something like:

index=sysmon EventID=7 Image="C:\\windows\\system32\\*" Signature != "Microsoft *"

The value of TargetFilename in Event 1 must be equal to the value of the ImageLoaded field in Event 2. And Event 2 must occur within 1 minute of Event 1. I tried an inner join, where I join results based on TargetFilename from Event 1 and ImageLoaded (renamed) from Event 2, but this solves only the first part of the puzzle. I want both events to occur in a sequence, i.e. join if Event 2 time is less than 1 minute after Event 1 time. I don't know how to articulate this with SPL. Also, it'd be nice if someone could show me how to do all this with tstats. Thanks
Hello, I have a dashboard panel which gives the latest time with respect to source and host. Now I want to give a color to the rows where the time exceeds more than one in the last 7 days. Please help me out.

index=A OR index=B | stats latest(_time) as latest_time by source,host | eval latest_time=strftime(latest_time,"%d/%m/%y %H:%M:%S:%Q") | table latest_time,source,host|sort -latest_time

When the time range is more than 24 hours the column should be in red, as mentioned below.

latest_time            source         host
01/05/22 23:19:08:898  trace.log      y
30/04/22 23:19:08:597  SystemOut.log  y
30/04/22 23:19:08:388  SystemOut.log  x
30/04/22 23:19:08:388  trace.log      x
30/04/22 23:19:05:611  SystemOut.log  y
30/04/22 23:19:05:611  trace.log      x
30/04/22 23:09:40:000  SystemOut.log  y
30/04/22 23:06:05:000  SystemOut.log  x
30/04/22 22:57:14:000  SystemOut.log  y

Thank you in advance, Veeru.
I am trying to download Splunk Enterprise, but keep getting an error message telling me that there is an error loading the page and to try again in a few minutes. Looking at the address bar, I'm assuming it's got to do with acceptance of the EULA, but it doesn't give me an option of doing that. I've tried downloading other versions, for other OSes, older versions, but the same error keeps appearing. Trying to download on other PCs, other browsers, nothing works. How do people get into using Splunk? I can't. Ignasz