All Topics

Good evening,

Thank you all for your support. I have a field called Memberof which contains the following data per line:

1) cn=GRP_Basic,ou=Users,dc=admin,dc=spike|cn=GRP_Hash,ou=Groups,dc=admin,dc=spike
2) cn=GRP_ADC,ou=Groups,dc=admin,dc=spike|cn=GRP_Vabd_Admin,dc=admin,dc=spike|cn=GRP_Vabd_Supe
3) cn=GRP_sos,ou=Groups,dc=command,dc=spike

I want to extract, for each row, everything that starts with GRP. For example, for the first line I need to extract GRP_Basic and GRP_Hash. For the second line I have to extract GRP_ADC, GRP_Vabd_Admin and GRP_Vabd_Supe.

Thank you very much.
I have a dashboard that has multiple dropdowns (Environment, Time Range, Application, Search Parameters) and I have a submit button after all of these. The Application dropdown is special in that there are 2 applications that need to have the environment token added to the end of the application name in order to search correctly. E.g., if I want to search for an application, most of them look like "index=name source=name app=appname", but for 2 of the applications it needs to look like "index=name source=name app=appname$environment$". I have figured out how to alter the token value based on whether the special apps are chosen using:

<input type="dropdown" token="application" searchWhenChanged="false">
    <choice value="normalapp1">Normal App 1</choice>
    <choice value="normalapp2">Normal App 2</choice>
    <choice value="specialapp1">Special App 1</choice>
    <choice value="specialapp2">Special App 2</choice>
    <change>
        <condition value="specialapp1">
            <set token="application">specialapp1$environment$</set>
        </condition>
        <condition value="specialapp2">
            <set token="application">specialapp2$environment$</set>
        </condition>
    </change>
</input>

The problem is that these changes are nested in this one dropdown, so it only works properly when I change the Application dropdown and not every time I press Submit. Does anybody have a solution for updating all of the dropdowns every time the Submit button is pressed?
I have a .NET Core application that logs various events with properties (WorkItem, EventName, etc.). I need to query WorkItems that have never had certain events, kind of like a SQL NOT EXISTS. I can filter out the events I don't want, but I cannot select where they never existed.

WorkItem | Event
1234     | Task Created
1234     | Retrieval Ready
1234     | NIGO Completed
5678     | Retrieval Ready
9012     | Task Created
9012     | Retrieval Ready

The query should return all WorkItems with events that equal Retrieval Ready and not NIGO Completed. Example result:

WorkItem | Event
5678     | Retrieval Ready
9012     | Retrieval Ready
I installed the CrowdStrike Falcon Event Streams TA on my all-in-one Splunk after creating the API key on my CrowdStrike instance per the instructions in the add-on guide. But when I went to the app, then to Configuration, then Account, and from there clicked the 'Add' button to add an account, the input fields are 'Account Name', 'Username', and 'Password'. Not, as the guide says, 'Account name', 'ClientID', and 'Secret'. I have not found anything so far to switch from username/password to clientid/secret. What am I missing? Thanks
Hi All, I am new to Splunk. We are using Splunk Cloud, version 8.2. We are exploring how to ingest GitLab audit logs into Splunk. I checked, and the GitLab project audit add-on is not available in Splunk Cloud. I have tested HEC endpoints. For me, my HEC is working from a curl HTTPS request. But I am clueless how I can ingest GitLab logs into Splunk and keep this process real-time and automated. Please suggest. Thanks in advance.
We've done a new install of IT Essentials Work, and were trying to add entities, but don't have the Create Entity button. My account has the itoa_admin, itoa_analyst, and itoa_user roles assigned. I do have a Create Entity Type button, but there are no configured entity types. I have installed the AWS and *nix content packs. What am I missing?
I'm struggling with some field mapping and not exactly sure of the best way to go about this. Below are two different event examples from the sourcetype="oracle:listener:text". I want the Service and Version fields extracted. I am able to get the Service extracted at search time using regex, but I am having difficulties with getting the Version field. Using the Splunk field extractor I can get this field using two different regex examples, but it doesn't allow me to add two field examples. I receive the following: "The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings."

Able to extract the SERVICE field using this regex:

^(?:[^=\n]*=){8}(?P<SERVICE_NAME>\w+)

28-APR-2022 10:39:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ora31.test.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN2)(VERSION=318767104)) * status * 0

Able to extract the VERSION field using this regex:

(?:[^\.\n]*\.){4}\w+\)\(\w+=\d+\)\)\)\(\w+=(?P<VERSION_NUMBER>\d+)

28-APR-2022 10:39:24 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ora31.test.com)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=(ADDRESS=(PROTOCOL=TCP)(HOST=ora31-vip.test.com)(PORT=1521)))(VERSION=318767104)) * status * 0

Able to extract another VERSION field from a different event example using the following regex:

^(?:[^=\n]*=){9}(?P<VERSION_NUMBER>\d+)

28-APR-2022 10:39:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ora31.test.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN2)(VERSION=318767104)) * status * 0

I'm using the latest Splunk Add-on for Oracle Database (https://splunkbase.splunk.com/app/1910/ version 4.1.0) that collects and ingests data from Oracle Database Server. Looking at the props.conf for Splunk_TA_oracle, it doesn't appear it does anything for these two fields I'm wanting:

[oracle:listener:text]
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\r\n]+)\d+-\w{3}-\d{4}\s+\d+\:\d+\:\d+
KV_MODE = None
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %d-%b-%Y %H:%M:%S
EVAL-app = "oracle"
REPORT-ORACODE = ORACODE
REPORT-CLIENTIP_listener = CLIENTIP_listener
REPORT-DESTIP_listener = DESTIP_listener
REPORT-DESTPORT_listener = DESTPORT_listener
REPORT-CLIENTUSER_listener = CLIENTUSER_listener
REPORT-USER_listener = USER_listener
REPORT-PROGRAM_listener = PROGRAM_listener
REPORT-STATUS_listener = STATUS_listener
EVAL-action = if(STATUS=0, "success", "failure")
FIELDALIAS-dest = DESTIP as dest
FIELDALIAS-src = CLIENTIP as src
FIELDALIAS-src_user = CLIENT_USER as src_user, CLIENT_USER as user
LOOKUP-ORACODE = oracle_ora_code_lookup ORACODE OUTPUTNEW DESCRIPTION, CAUSE, ACTION as oracle_listener_action
FIELDALIAS-port = DESTPORT as port

Is it worth trying to get these fields mapped by adjusting some things in the Oracle app, or should I just focus on extracting the fields at search time instead?
I am producing some stats in Splunk, but I want to extract data for about 10 uri_method values instead of the hundreds currently displayed in the table. The last line is where I am getting stuck. I want to be able to search uri_method for multiple values with a wildcard, i.e. the following should be returned:

www.example.com/v2/customers/* (HEAD)
example.co.uk/v1/orders/* (HEAD)
www.example.com/xy/customers/* (GET)
www.abc.com/v3/customers (GET)
www.GetOrder.com/v2/orders/* (GET)
www.ListOrders.com/v2/orders (GET)
www.ListAddresses.com/xy/customers/*/addresses (GET)

BUT NOT:

www.example.com/xy/customers/*/details (GET)
www.GetOrder.com/v2/orders/*/shipping/* (GET)
www.GetOrder.com/v2/orders/*/returns/* (GET)

If I remove the where clause (last line), I get hundreds of results. I want to list only some items (uri_method) that end with "customers/* (HEAD)", "orders/* (HEAD)", "customers/* (GET)", "customers (GET)", "orders (GET)", "orders/* (GET)", "addresses (GET)", etc. If I use a where clause with the field name and "IN", the wildcard * is not considered. If I use LIKE, I'm not sure how to add multiple values to the where clause. Please help.

index=main env=test ("*Method=GET*" OR "*Method=HEAD*") "StatusCode=200"
| rex field=log "ResponseTime=(?<ResponseTime>\d+)"
| rex field=log "StatusCode=(?<StatusCode>\d+)"
| rex field=log "\"?Method\"?\=(?<Method>[^,]*)"
| rex field=log "Uri=(?<uri>[^\,?]+)"
| rex field=uri "uri=(?<uri>[?].*)"
| eval uri = urldecode(uri)
| eval uri = replace(uri, "/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}","/*")
| eval uri = replace(uri, "(\/[0-9]+)", "/*")
| eval uri_method = uri + " (" + Method + ")"
| stats perc95(ResponseTime) as response, count as request_rate by uri_method, StatusCode
| eval score = toNumber(response) * toNumber(request_rate)
| sort -score
| table uri_method,StatusCode,response,request_rate ,score
| where uri_method IN ("*customers/* (HEAD)","*orders/* (HEAD)",  "*users/* (HEAD)", "*customers/* (GET)", "*customers (GET)", "*orders (GET)","*orders/* (GET)", "*addresses (GET)")
I have a query to pull out stats and counts based on incoming applications and request path. It gave me stats when I tried to pull for the months of January and February, but it is not giving me back data for March till now. Is it an issue with the query or something with the Splunk tool? Below is my search query pattern:

mysearch query | bucket _time span=day | stats count by attributes.headers.client_id, attributes.requestPath, _time | spath input=log
Hello Splunkers, while running the attached query, results are populating very slowly. From that query I want to achieve a trend graph by using the line visualisation, but the graphs are populating very slowly. Please recommend how I can optimize my query to get the results quickly. Please check the attachment for the query.
Bad passwords logged in the DC Netlogon logs:

For a specific account name:

index=cim sourcetype=netlogon host=*dc* "0xC000006A" Logon_Account="*<accountname>"

*** Need the asterisk since the netlogon log usually puts the domain NetBIOS name in front of the account name.

For a specific account by source:

index=cim sourcetype=netlogon host=*dc* "0xC000006A" Logon_Account="*<accountname>"

*** Same query as above because I did not find an easy way to get the bad password source. Anyone, please help me.
Hello, I have configured my OpenTelemetry agent to instrument the MySQL database my PHP application uses. Next, I followed the install process for the PHP agent to collect traces. My application is being detected in APM, and MySQL shows up as an inferred service in APM, so far so good. When I open Database Query Performance to analyse the queries being executed against my database, however, Splunk claims it cannot display any query data, no matter how large I make the time window.  Yet, when I look at the traces of my application, Splunk is able to see the content of the query spans and their latency. I'm having difficulty understanding why no data is flowing into the Database Query Performance while everything seems to be configured well. Is this feature simply not enabled for trial users?
Wondering if there is any way to recover data that is not reporting within Splunk on any alert or dashboard during a time period when Splunk had run out of space and accounts that had ownership became disabled. The space issue has been fixed, and alerts and dashboards have been given different ownership. The Splunk forwarder is running on all computers. Basically, when we run any of our alerts and dashboards we don't get any events between the dates of 4/15 and 4/27. Event logs on all computers have events for the time period, but Splunk isn't pulling them.
Hi, is there a way to search for more than one appearance of a pattern in a string? For example:

Command
cmd.exe c:\windows\\\\\\\\sytem32\[...]
cmd.exe c:\windows\sytem32\[...]

I would want to search for rows with more than a single consecutive "\"; in the case above, only the first row should be returned.
Hi, I have a requirement to generate a report/export to Excel of the problems triggered for all the applications (113 applications in total) in AppDynamics in the last month. How can we achieve this? From the documentation, I could see we can generate reports through the REST API. Please guide me on how to create an API call to extract the data. We are using Windows OS. Could you please help me?

Thanks & regards,
Srinivas
Hi all, I have an app with several dashboards, each displaying data from different indexes. The users have roles assigned which allow them to view different dashboards; the roles allow access to different indexes. Some months ago, I added a monitor that sends the data to the 'main' index using a datasource. Now I'm asked to add a dashboard for this data and allow some users to use it. I've added a role, inherited the company base user role and capabilities, the index 'main' and a restriction to the datasource. My test user that only has this role can use the dashboard. BUT: as soon as I add this role to other users, they can use this new dashboard, but not the other ones anymore. They simply say 'No results found.' Any ideas? Thanks...
Hi! I am trying to use the "ipv6compress" command (https://splunkbase.splunk.com/app/4912/) on a Splunk 8.1.7.2 install, and I can see the tool tip, but when it runs, it says "Unknown search command 'ipv6compress'.". From what I can tell, the files are loaded correctly on the system. Might someone know why this error is coming up? Thanks!
I have a service that does uploading in bulk per request. Each request will contain a list of 100 records. In Splunk I get this list of 100 records as one event. Is there a way I can split this list and generate 100 Splunk events through a query?

Sample log event:

[2022-04-28T09:27:39,755+0000]-[INFO ]-["threadPoolTaskExecutor-1" traceId=8f22a26fcd03cdfdcd186131aa862c09, spanId=c4bb44c1f0561b9b, sampled=false cid=, clu=]-[c.i.v.s.t.k.EventBusConsumer]-[110]-Message. key = null . Size = 5008 . Value = {"items": [{"contactID": "1","firstName": "ricj"},{"contactID": "2","firstName": "rock"},{"contactID": "3","firstName": "rob"}]}

Expected events:

{"contactID": "1","firstName": "rich"}
{"contactID": "2","firstName": "rock"}
{"contactID": "3","firstName": "rob"}
Hi All, we are monitoring the same log file from multiple hosts, and we have observed that when a particular error gets logged, the service of that machine stops. When this happens there is nothing else logged in the log file but the error. The machine will automatically try to bring up the service, and if it does so successfully then other normal logs will follow.

Aim: Our aim is to capture this particular error but only alert if that error is the last entry in this log file in the last 30 minutes or so. Any help on this would be greatly appreciated. For argument's sake, the error looks like this:

***ERROR*** Exception occurred in serviceB_TDR