Hi all, I would like to configure the Splunk On-Call Slack add-on, but when an admin wanted to approve the integration, it requested the following permissions:

11 permissions and scopes required

On behalf of the app:
- View messages and other content in public channels that VictorOps has been added to (channels:history)
- View messages and other content in private channels that VictorOps has been added to (groups:history)
- Add shortcuts and/or slash commands that people can use (commands)
- View the name, email domain and icon for workspaces VictorOps is connected to (team:read)
- Send messages as @victorops (chat:write)
- Send messages as @victorops with a customised username and avatar (chat:write.customize)

On behalf of the user:
- View information about a user's identity (identify)
- View basic information about public channels in a workspace (channels:read)
- View basic information about a user's private channels (groups:read)
- Manage a user's public channels and create new ones on a user's behalf (channels:write)
- Manage a user's private channels and create new ones on a user's behalf (groups:write)

All actions on a request will affect the entire workspace.

Question 1: Just doing due diligence here, does the last permission, "Manage a user's private channels", give it the ability to read messages on other private channels in the workspace? Reading the knowledge base, it states: "Note: The scope of private channels is limited to the channels that the person who integrates Splunk On-Call to Slack has access to. If you would like all private channels to be mapped to Splunk On-Call, we recommend creating a 'Service Account' that has access to all private channels for this use."

Question 2: Does this mean the app would by default have access to all channels that the admin user who approves the integration has access to? Or would they approve it per channel?
Hi! I wonder how to correct the following behaviour. Here's my architecture: 1 DNS entry point load balancing between 2 forwarders on port 8088 for HTTP Event Collector (HEC). Behind that, 1 indexer (single instance). Indexer ack is activated for one collection series (one index with one sourcetype).

When sending an event, an ackId is answered back to check whether the event was correctly received by the indexer.

Problem: 2 different events can have the same ackId! I suppose it is because of the load balancing, and each ackId list is linked to each forwarder. As the query is balanced, I cannot know whether I will be answered by fw1 or fw2.

Event1 is processed by fw1 with ackId = 7
Event2 is processed by fw2 with ackId = 7 (also!!)

When asking for the indexing ack status of ackId 7, my query can be processed by fw1 or fw2, but the answer cannot be meaningful because I don't know which event I'm asking about.

How do we get around this behaviour? Does this mean I can't load balance the entry point in front of the forwarders? In that case, how am I supposed to provide high availability of the service?

Thank you a lot in advance for your insights

Ema
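Why the two forwarders can hand out the same ackId, and what session persistence on the balancer changes, as an added simulation that is not Splunk's code (the channel GUID and the event names are constructed): each HEC node keeps its own per-channel ack counter, so an ackId only means something to the node that issued it, and an ack query that lands on the other node answers about a different event, or about nothing. That is the reason the HEC indexer-acknowledgment design requires sticky sessions on any load balancer in front of acknowledging endpoints: the event POSTs and the /services/collector/ack queries for one X-Splunk-Request-Channel must reach the same node. The sticky balancer below keys on the channel GUID to show the difference.

```python
import uuid
from collections import defaultdict

# Constructed channel GUID, the value a client would send in X-Splunk-Request-Channel.
CHANNEL = "ea9f2f6e-2c65-4a3f-9d1e-5c0b3a7f1d42"


class HecNode:
    """One HEC receiver (here, one forwarder) with indexer acknowledgment on.
    The ackId is a per-node, per-channel counter, so two nodes will hand out
    the same ackId for two different events."""

    def __init__(self, name):
        self.name = name
        self._next = defaultdict(int)   # channel -> next ackId to issue
        self._acked = set()             # (channel, ackId) the indexer confirmed

    def post_event(self, channel, event, lost):
        """Mirrors POST /services/collector/event with ack enabled."""
        ack_id = self._next[channel]
        self._next[channel] += 1
        if event not in lost:           # indexer wrote it and told this node
            self._acked.add((channel, ack_id))
        return {"text": "Success", "code": 0, "ackId": ack_id}

    def query_acks(self, channel, ack_ids):
        """Mirrors POST /services/collector/ack: an ackId this node never
        issued simply comes back False."""
        return {"acks": {str(a): (channel, a) in self._acked for a in ack_ids}}


class RoundRobinLB:
    """What a plain DNS / L4 balancer does: alternate, ignoring the channel."""

    def __init__(self, nodes):
        self.nodes, self.calls = nodes, 0

    def pick(self, channel):
        node = self.nodes[self.calls % len(self.nodes)]
        self.calls += 1
        return node


class StickyLB:
    """Session persistence keyed on the channel GUID: every request for a
    channel, event POSTs and ack queries alike, hits the same node."""

    def __init__(self, nodes):
        self.nodes = nodes

    def pick(self, channel):
        return self.nodes[uuid.UUID(channel).int % len(self.nodes)]


def run(lb_cls, channel, events, lost=frozenset()):
    """Send events through a fresh pair of nodes behind the given balancer,
    then poll ack status the way a client does.
    Returns {event: acked} as the client would conclude."""
    lb = lb_cls([HecNode("fw1"), HecNode("fw2")])
    receipts = [(ev, lb.pick(channel).post_event(channel, ev, lost)["ackId"])
                for ev in events]
    verdict = {}
    for ev, ack_id in receipts:
        node = lb.pick(channel)         # the ack query is balanced as well
        verdict[ev] = node.query_acks(channel, [ack_id])["acks"][str(ack_id)]
    return verdict


def truth(events, lost=frozenset()):
    """What actually reached the indexer."""
    return {ev: ev not in lost for ev in events}


if __name__ == "__main__":
    events, lost = ["e1", "e2", "e3"], {"e2"}
    print("indexed    :", truth(events, lost))
    print("round-robin:", run(RoundRobinLB, CHANNEL, events, lost))
    print("sticky     :", run(StickyLB, CHANNEL, events, lost))
```

The round-robin run shows both failure modes that matter in practice: a lost event reported as acknowledged (silent data loss) and an indexed event reported as unacknowledged (the client resends it, producing duplicates). With the sticky balancer the verdict matches what the indexer actually wrote.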
Hi everyone, can someone please advise me how to set up Kubernetes for Splunk? I want to use the Splunk add-on below: https://splunkbase.splunk.com/app/3991/#/details Please.
I am trying to remove a warning from my dashboard, because "Advanced XML isn't supported and it has to be replaced with Simple XML". I am stuck at this code, where the error says:

Unknown Option name = 'displayRowNumbers' for node 'table'
Unknown Option name = 'linkFields' for node 'table'
Unknown Option name = 'linkView' for node 'table'

The code is:

<title>Base search</title>
<option name="count">10</option>
<option name="displayRowNumbers">false</option>
<option name="linkFields">result</option>
<option name="linkView">flashtimeline</option>

Any suggestion what to replace my code with?
Regex for  From:  FA.south dam.australia-mb.ccjbh need to get only: ccjbh 
I'm trying to calculate the milliseconds between two events with the same transactionId, and then show it in a timechart. Here is my current query:

"My event 1"
| stats latest(_time) as time_login by transactionId
| join transactionId [search "My event 2" | stats latest(_time) as time_finish by transactionId]
| eval difference=time_finish-time_login

This query runs really slowly and half of the time it does not work, but if I try to add this to the end of the query:

| timechart avg(difference)
I've recently installed Splunk_TA_nix and started using the "ps" script. The data is ingested into my ES. However, it is not translated into the CIM Endpoint.Processes object, because it lacks the "report" tag. I know I can add it by crafting my own tags.conf file. However, most of the default configurations in Splunk are configured as they are for some reason. So, what is the reason not to have the "report" tag for Linux scripted sourcetypes? Below is an example of the tags.conf part for the ps eventtype stanza:

[eventtype=ps]
performance = enabled
cpu = enabled
success = enabled
ps = enabled
oshost = enabled
process = enabled
Hi All, I have a number of events with an error string in the event. I need to fetch all the events with the error string except Hibernate errors: "ERROR org.hibernate.engine.jdbc.spi.SqlExceptionHelper - ORA-00001: unique constraint". I am not sure about the logs with other errors; as there are multiple logs with the Hibernate error, I am not able to fetch them. I need to extract all other logs with the error keyword in the event. Can anyone please help me with this? Thanks in advance.
Hi, is it possible to round the current time to a quarter of an hour (the next quarter up)? For example, if it's 9:56 I would like to display 10:00, and for 11:42 I would like to display 11:45. Thanks
Hi All, we have a request from the Cybersecurity team to monitor the Windows Event Viewer logs in Splunk. My question is how to configure the monitoring stanza to get the event data into Splunk.

Event Viewer (Local) ---> Application and Services Logs --> OpenSSH --> Admin
Event Viewer (Local) ---> Application and Services Logs --> OpenSSH --> Operational

When I check the properties to find the exact log path details, I see this:

%SystemRoot%\System32\Winevt\Logs\OpenSSH%4Operational.evtx
%SystemRoot%\System32\Winevt\Logs\OpenSSH%4Admin.evtx

My question is how to write the monitoring stanza for this path and define the sourcetype for it.

[WinEventLog://Application/OpenSSH/Operational]
sourcetype = winEventLog:OpenSSH:Operational
index = test
disabled = 0

[WinEventLog://Application/OpenSSH/Admin]
sourcetype = winEventLog:OpenSSH:Admin
index = test
disabled = 0

Please guide me on this.
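How the .evtx file name maps to the name a WinEventLog stanza needs, as an added helper that is not part of the post or of Splunk's Windows add-on: the stanza names the event-log channel, and Windows stores the channel name in the file name with the "/" it cannot use in a file name encoded as "%4", so OpenSSH%4Operational.evtx is the channel OpenSSH/Operational. The sourcetype naming and the index are assumptions for illustration; on the host itself, Get-WinEvent -ListLog 'OpenSSH/*' in PowerShell lists the channel names exactly as the stanza must spell them.

```python
from typing import Iterable, Optional


def channel_from_evtx(path: str) -> str:
    """Turn a .evtx path or file name into the Windows event-log channel name.
    Windows writes the channel's '/' as '%4' in the file name, e.g.
    OpenSSH%4Operational.evtx -> OpenSSH/Operational."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if not name.lower().endswith(".evtx"):
        raise ValueError(f"not an .evtx file name: {path!r}")
    return name[: -len(".evtx")].replace("%4", "/")


def wineventlog_stanza(channel: str, index: str, sourcetype: Optional[str] = None) -> str:
    """Render one inputs.conf stanza for a channel. The sourcetype naming
    scheme (WinEventLog:<channel with ':' for '/'>) is an assumed convention."""
    st = sourcetype or "WinEventLog:" + channel.replace("/", ":")
    return "\n".join([
        f"[WinEventLog://{channel}]",
        f"sourcetype = {st}",
        f"index = {index}",
        "disabled = 0",
    ])


def inputs_conf(evtx_paths: Iterable[str], index: str) -> str:
    """Build the inputs.conf text for a set of .evtx paths taken from the
    log's Properties dialog, one stanza per channel."""
    return "\n\n".join(wineventlog_stanza(channel_from_evtx(p), index) for p in evtx_paths)


if __name__ == "__main__":
    # The two paths from the post above; 'test' is the index the post uses.
    paths = [
        r"%SystemRoot%\System32\Winevt\Logs\OpenSSH%4Operational.evtx",
        r"%SystemRoot%\System32\Winevt\Logs\OpenSSH%4Admin.evtx",
    ]
    print(inputs_conf(paths, "test"))
```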
Hello, I have the Splunk Stream app installed on my Search Head (Deployment Server), which controls the Stream Forwarders deployed on my Indexers (Deployment Clients). Even though the app is deployed and I receive stream data, whenever I change the configuration of my streams (remove fields from protocols, add IP blacklist filters, etc.) the configuration does not get applied on the Stream Forwarders, even though I have tried to restart them. No IP filtering is applied, nor are protocol fields removed. Is there any way I can troubleshoot that? Thanks, Chris
I get the result below when I use chart count over field-A by field-B. We can see there are cells with the value 0. Is there any solution to replace these 0s with a SPACE for particular cells? Thanks.

Replace 0 for over value 1 in by field value1 and by field value4; replace 0 for over value 2 in by field value3 and by field value5.

Over field value   by field value1   by field value2   by field value3   by field value4   by field value5   Total
Over value 1       0                 0                 1                 0                 0                 1
Over value 2       0                 0                 0                 603               0                 603
Over value 3       0                 0                 12                0                 0                 12
Over value 4       0                 0                 0                 600               0                 600
I am using mobile linkage with Splunk Secure Gateway. I modified the file etc/apps/splunk_secure_gateway/bin/spacebridgeapp/alerts/device_role_mapping.py as below to enable up to 100 accounts.

AS-IS:
async def get_registered_devices(auth_header, user_list, async_kvstore_client, max_batch_size=20):

TO-BE:
async def get_registered_devices(auth_header, user_list, async_kvstore_client, max_batch_size=100):

Please check the reason for the limit of 20 accounts, whether there is any problem if it is changed to 100 as above, and if there is a problem, the possible impact.
When searching with a time range, the timestamp in the query has 5:30 (UTC offset) appended. I don't want 5:30 appended when using '$tokEarliest1$' and '$tokLatest1$' in the search query. Below is the code:

<form theme="dark">
  <label>CIS Usage Dashboard - Event Rate</label>
  <search>
    <query>|makeresults </query>
    <earliest>$timepicker.earliest$</earliest>
    <latest>$timepicker.latest$</latest>
    <progress>
      <eval token="tokEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="tokLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="tokEarliest1">strftime(tokEarliest,"%Y-%m-%d %H:%M:%S.%3N")</eval>
      <eval token="tokLatest1">strftime(tokLatest,"%Y-%m-%d %H:%M:%S.%3N")</eval>
    </progress>
  </search>
  <description>draft event ingestion rate by wfm at day or hour level</description>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="timepicker" searchWhenChanged="false">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="stack">
      <label>Select the Stack</label>
      <choice value="cust01">Kronos Customer Stack (CUST)</choice>
      <default>cust01</default>
      <initialValue>cust01</initialValue>
      <fieldForLabel>stack</fieldForLabel>
      <fieldForValue>stack</fieldForValue>
    </input>
    <input type="dropdown" token="env" searchWhenChanged="true">
      <label>Environment</label>
      <fieldForLabel>env</fieldForLabel>
      <fieldForValue>env</fieldForValue>
      <default>prd01</default>
      <search>
        <query>index=cust-prd-wfd-wfl-* |eval env = mvindex(split(host, "-"), 1) | stats count by env</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="cluster">
      <label>Select the WFM Cluster</label>
      <fieldForLabel>cluster</fieldForLabel>
      <search>
        <query>index=*-wfd-wfm-ilb | rex field=host "\w+\d{2}\-(?&lt;env&gt;\w+)\-ins\d+\-(?&lt;cluster&gt;wfm\d+)"|search host="*$env$*" | stats count by cluster | fields cluster</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForValue>cluster</fieldForValue>
      <choice value="">All</choice>
      <default>All</default>
    </input>
    <input type="dropdown" token="timespan">
      <label>Time Span</label>
      <choice value="1h">Hour</choice>
      <choice value="1d">Day</choice>
      <initialValue>1d</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <search id="basedatesearch">
        <query>| koogledimen service=WFMPPASQuery action=QueryAllWFMAtOnce scope="cust01-$env$" query="select date(created_timestamp) , sum(case when status = 1 then 1 else 0 end) as success, sum(case when status = 0 or status = 2 and dispatch_count &lt; 4 then 1 else 0 end) as processing, sum(case when status = 2 and dispatch_count = 4 then 1 else 0 end) as error from domain_event_listener_status where listener_id='CIS_PUSH_LISTENER' and created_timestamp &gt;= '$tokEarliest1$' and created_timestamp &lt;= '$tokLatest1$' group by date(created_timestamp)"| eval envstatus=if(like(scope, "%$env$%"), 1, 0)| eval wfmstatus=if(like(scope, "%$cluster$%"), 1, 0)| where envstatus=1 and wfmstatus=1 </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <title>Events Count by WFM - Success</title>
      <chart>
        <search base="basedatesearch">
          <query> | chart sum(success) by date,scope</query>
        </search>
        <option name="charting.axisTitleX.text">WFM</option>
        <option name="charting.axisTitleY.text">Event Counts</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

Is there any solution for this?
Hi AppDynamics, I'm trying to enable thread correlation support for the .NET Core agent, but I couldn't find the steps by referring to the link "https://docs.appdynamics.com/21.7/en/application-monitoring/install-app-server-agents/net-agent/net-microservices-agent/net-core-microservices-agent-support". @Anonymous Please share the document containing the steps to enable thread support for the .NET Core microservices agent. Thanks in advance.
Hi, we have a requirement where we have to get the log of one process from start to end, and when we get the log we can also see the logs of another process which is running in parallel. So we want to get only the lines of the process which we have to work on. The process number changes at every run.

Sample log:

2022-02-14 02:30:00,046 [Worker-3] DEBUG User job started
2022-02-14 02:30:00,063 [Worker-3] DEBUG Calling importData
2022-02-14 02:30:00,063 [Worker-3] DEBUG Initializing External DB connection
2022-02-14 02:30:00,065 [Worker-2] DEBUG another process started
2022-02-14 02:30:00,067 [Worker-3] DEBUG url before binding
2022-02-14 02:30:00,082 [Worker-2] DEBUG ExistingAccount
2022-02-14 02:30:00,083 [Worker-2] DEBUG query is array
2022-02-14 02:30:00,097 [Worker-2] DEBUG Done.... assigning access for account
2022-02-14 02:30:00,524 [Worker-2] DEBUG closing connection
2022-02-14 02:30:00,547 [Worker-2] Task Complete
2022-02-14 02:30:00,560 [Worker-3] DEBUG inside finally...
2022-02-14 02:30:00,567 [Worker-3] DEBUG sending Notification Email
2022-02-14 02:30:00,567 [Worker-3] DEBUG User job ended

We have used the search below to get the log above:

index=test sourcetype=debugLog | transaction startswith="User job started" endswith="User job ended"

We want the output as below. How can we add extra logic to the search above to get this output?

2022-02-14 02:30:00,046 [Worker-3] DEBUG User job started
2022-02-14 02:30:00,063 [Worker-3] DEBUG Calling importData
2022-02-14 02:30:00,063 [Worker-3] DEBUG Initializing External DB connection
2022-02-14 02:30:00,067 [Worker-3] DEBUG url before binding
2022-02-14 02:30:00,560 [Worker-3] DEBUG inside finally...
2022-02-14 02:30:00,567 [Worker-3] DEBUG sending Notification Email
2022-02-14 02:30:00,567 [Worker-3] DEBUG User job ended
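The grouping the post asks for, as an added example that is not part of the post: the thread name in brackets is the key that separates the two interleaved processes, so the start/end markers have to be applied per thread, not to the file as a whole. In SPL that means extracting the thread into a field and handing it to transaction alongside the markers, e.g. `| rex "\[(?<worker>Worker-\d+)\]" | transaction worker startswith="User job started" endswith="User job ended"`. The Python below does the same thing offline over the sample log (re-typed here as a constructed string) so the per-thread logic can be seen and checked line by line.

```python
import re

# Constructed sample in the same shape as the log in the post above:
# two worker threads interleaved in one file.
SAMPLE_LOG = """\
2022-02-14 02:30:00,046 [Worker-3] DEBUG User job started
2022-02-14 02:30:00,063 [Worker-3] DEBUG Calling importData
2022-02-14 02:30:00,063 [Worker-3] DEBUG Initializing External DB connection
2022-02-14 02:30:00,065 [Worker-2] DEBUG another process started
2022-02-14 02:30:00,067 [Worker-3] DEBUG url before binding
2022-02-14 02:30:00,082 [Worker-2] DEBUG ExistingAccount
2022-02-14 02:30:00,083 [Worker-2] DEBUG query is array
2022-02-14 02:30:00,097 [Worker-2] DEBUG Done.... assigning access for account
2022-02-14 02:30:00,524 [Worker-2] DEBUG closing connection
2022-02-14 02:30:00,547 [Worker-2] Task Complete
2022-02-14 02:30:00,560 [Worker-3] DEBUG inside finally...
2022-02-14 02:30:00,567 [Worker-3] DEBUG sending Notification Email
2022-02-14 02:30:00,567 [Worker-3] DEBUG User job ended
"""

# timestamp, [thread], rest of the message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[(?P<worker>[^\]]+)\] (?P<msg>.*)$"
)


def extract_jobs(lines, start="User job started", end="User job ended"):
    """Group lines by worker thread and cut each thread's stream into
    start..end spans. Returns a list of (worker, lines) in order of completion.
    Lines from other threads never leak in, because each thread has its own
    open span; a thread that starts a new job before ending the old one
    simply restarts its span."""
    open_spans = {}      # worker -> lines collected since its start marker
    jobs = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue     # not a log line we understand; skip it
        worker, msg = m["worker"], m["msg"]
        if start in msg:
            open_spans[worker] = [line]
        elif worker in open_spans:
            open_spans[worker].append(line)
            if end in msg:
                jobs.append((worker, open_spans.pop(worker)))
    return jobs


if __name__ == "__main__":
    for worker, lines in extract_jobs(SAMPLE_LOG.splitlines()):
        print(f"--- {worker} ({len(lines)} lines)")
        print("\n".join(lines))
```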
Hi, how can I correlate events from different indexes when both the field names and the values are different? For example: I have some app logs in an index=id1. There is a field called user in this index which has values like:

SmithJ
JohnK

Now I want to find out the IP address of these users from our firewall index. But in the firewall index, the user names are in the following format:

Field Name: PanOSSourceUserName   Value: <Domain>\SmithJ
Field Name: PanOSSourceUserName   Value: <Domain>\JohnK

As you can see, the firewall index has the names prefixed by our <domain name>\ while the app index doesn't have the domain name in the user field. There are other fields called src_ip and Country in the firewall events. How can I craft a search that takes the user field from the app index, compares/correlates it with the PanOSSourceUserName field from the firewall index, and accordingly displays the src_ip of the user? Hope I am clear.

End result: a table or stats, whatever works, with the following columns:

_time user PanOSSourceUserName src_ip Country

Thanks in advance
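The join the post describes, as an added example that is not part of the post (the domain name, addresses, countries and timestamps are constructed): the two sides only match after the firewall value is reduced to the bare account name, and a practitioner doing this against real Windows logons should also fold case, because DOMAIN\SmithJ and domain\smithj are the same account, and should accept the user@domain form that some firewalls log instead. In SPL the same normalization is an eval on each side (lower-case, strip everything up to and including the backslash) before a stats by the shared field; the Python below runs the logic over sample rows so the edge cases can be checked.

```python
from collections import defaultdict

# Constructed rows in the shape described in the post above.
APP_EVENTS = [
    {"_time": "2022-02-14 09:00:01", "user": "SmithJ"},
    {"_time": "2022-02-14 09:00:05", "user": "JohnK"},
    {"_time": "2022-02-14 09:00:09", "user": "NoSuchUser"},   # never seen by the firewall
]
FW_EVENTS = [
    {"_time": "2022-02-14 08:59:58", "PanOSSourceUserName": "CORP\\SmithJ",
     "src_ip": "10.20.30.40", "Country": "AU"},
    {"_time": "2022-02-14 09:00:03", "PanOSSourceUserName": "corp\\johnk",   # different case
     "src_ip": "10.20.30.41", "Country": "AU"},
    {"_time": "2022-02-14 09:00:04", "PanOSSourceUserName": "smithj@corp.example",  # UPN form
     "src_ip": "10.20.30.42", "Country": "NZ"},
]


def normalize_user(name: str) -> str:
    """Reduce DOMAIN\\user, user@domain and a bare user name to one comparable
    key. Windows logon names are case-insensitive, so the key is lower-cased."""
    name = name.rsplit("\\", 1)[-1]    # drop DOMAIN\ prefix
    name = name.split("@", 1)[0]       # drop @domain suffix
    return name.strip().lower()


def correlate(app_events, fw_events):
    """Join app users to firewall events on the normalized user key and emit
    the _time user PanOSSourceUserName src_ip Country table from the post.
    App users with no firewall match produce no rows."""
    fw_by_user = defaultdict(list)
    for fw in fw_events:
        fw_by_user[normalize_user(fw["PanOSSourceUserName"])].append(fw)
    rows = []
    for app in app_events:
        for fw in fw_by_user.get(normalize_user(app["user"]), []):
            rows.append({
                "_time": fw["_time"],
                "user": app["user"],
                "PanOSSourceUserName": fw["PanOSSourceUserName"],
                "src_ip": fw["src_ip"],
                "Country": fw["Country"],
            })
    return rows


if __name__ == "__main__":
    for row in correlate(APP_EVENTS, FW_EVENTS):
        print(row)
```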
Hello, I have a question: can a single value panel be clickable anywhere? For example, I applied a drilldown to that single value and I want to click the panel instead of the value itself. Instead of clicking the middle, is it possible from any direction? Thank you for your help!
I have added a dropdown to my panel as shown below. My issue is that regardless of which option I choose, it shows red in the pie chart and 100%. I would like to know how I can change the colors by the selection and also have the percentage update based on the selection from the dropdown.
Hello everyone, I ran a search query and in the "source" section I can see 100+ results, but when I clicked on it I was only able to see 10 sources. How can I see/view all sources?