All Topics

Hi, is anyone using this app and able to troubleshoot it for me? https://splunkbase.splunk.com/app/3530/ I installed it, but no results were found and I can't find any errors. @markhill1, I was wondering if you could help with this? Thank you!
Hi, I can't see the icon picture for the alert action option. I have already configured "alert_action.conf" as below:

[email]
icon_path = mod_alert_icon_email.png

Please support.
Hi, I have a use case where I need to monitor the contents of a file that will be replaced on a daily basis (the name will be the same), but the data within the file keeps changing. I developed a script that replaces the contents of the file at a specific interval and set up the forwarder accordingly. The contents keep changing, but the forwarder is not able to read the newly updated changes within the file. Is there some way this could be achieved in Splunk, where I could read the contents of the updated file whose name remains the same throughout its lifetime? Thanks, Pravin
I wanted to add this chaining command to my search to display the total of the values under the fields (columns) "a-b-1" and "a-b-2" and give the total as total_requests:

eval total_requests=a-b-1+a-b-2

where "a-b-1" and "a-b-2" are field1 and field2, which I want to add using the '+' operator. I have tried putting the fields in double quotes and single quotes, but unfortunately it is not working. I can do it by renaming the fields, but can someone suggest some way to do it without renaming them?
Hi, my requirement is that I need to show a URL (ex: https://google.com) as a hyperlink on the "109" value of the 'SFG Request ID' column, and when 109 is clicked it should take me to the URL added. The details below are from a lookup file. Similarly, I need to display a different URL for other values of the 'SFG Request ID' column. The URL details are not present in the csv file; they are present in another lookup file. Can anyone please suggest how to do this?
Hello everyone, I am new to Splunk. I am searching the logs and I am getting my URL like this: /api/sns/exts/djs/310200019110274535/ds/310200019110274536/. What I want is to extract the djs value, which is 310200019110274535 in this case. Any help would be appreciated.
I am working in the Hxc capture program and currently I am facing an issue in SignalFx, so I am reaching out for help/guidance. I have created an alert in SignalFx using Terraform. The condition for the alert is that if the signal is less than 1 for a certain time (2 for warning and 5 for critical), then the alert will be triggered. The code in SignalFlow is:

signal = data('HealthCheckStatus', filter=filter('stat', 'upper') and filter('aws_account_id', '823990414917') and filter('aws_tag_Name', 'hxc-staging-health-check')).publish(label='A')
detect(when(signal < 1, '2m')).publish('WARNING[staging]: Route53 health down for 2m')
detect(when(signal < 1, '5m')).publish('CRITICAL[staging]: Route53 health down for 5m')

After that we created a condition where the signal went below 1 (it went to 0). In the alert graph we can see the same. But instead of actually triggering the alert, it is giving us a preview (attached screenshot). The exact alert message is "Estimated alert count: 1 in 1 hour. Alerts that would have triggered shown in chart below." So the bottom line is that SignalFx is not triggering the alert. The code that I am using for this is: https://github.com/HylandSoftware/tf-cfg-hxc-signalfx-alerts/blob/main/terraform/alerts-route53-health.tf

Alert link: https://hyland.signalfx.com/#/detector/v2/FQo6JaWA0AI/edit?detectorSignalFlowEditor=1
Hi all, after I disabled notifications in the Splunk Upgrade Readiness app, it is now sending a notification to splunk@mySplunkServer. There is no user "splunk" defined in our Splunk Enterprise 8.2.5. splunkd is running as user splunk on Ubuntu 20.04. Any ideas? Thank you...
Hi, suppose the time zone is in string format like 100403; I need to convert this to 24-hour format. The output should be like 22:04:03.
How do I distribute the default app to the SHC members if I want to make some changes to it?
Hello - thank you for assisting in advance. I need to write a query which will pull client/server errors from the event message into table format as shown below.

_time                status_category  Error Code  error_count
2022-01-26:17:30:00  server error     503         2
2022-01-26:18:30:00  client error     404         6

Here are examples of the EventTypes and available fields for the index.

Error 503

Fields
Hi there, is it possible to search for Windows interactive logons from the Authentication data model? E.g. I can do it this way:

index=* source="*WinEventLog:Security" LogonType=2 OR LogonType=10 OR LogonType=11

And I'm looking for an equivalent way using a data model, e.g.:

| tstats summariesonly=true count from datamodel=Authentication by Authentication.action Authentication.app Authentication.dest Authentication.signature Authentication.src Authentication.src_user Authentication.user
| search <SOME LOGIC>

Thank you!
Hi team, I have a query related to sending a Splunk alert message to WebEx chat to an individual person. If there is any process for this, please help me out. Thanks in advance.
Hi, I was wondering if it is possible, and how, to convert a date field into an abbreviated month (Jan, Feb, Mar, Apr). The two fields on the left are existing fields and the ones on the right would be the new ones:

Created          Closed            Month_Open  Month_Closed
8/27/2020 3:37   9/2/2020 12:00    Aug         Sep
10/15/2020 3:31  10/21/2020 12:00  Oct         Oct
11/5/2020 3:59   11/10/2020 5:17   Nov         Nov
12/3/2020 3:33   4/13/2022 10:48   Dec         Apr
Team, I have a query which would give the result below.

_time                 Host  Name  version
3/2/2022 15:22:04 PM  3     car   248
3/1/2022 15:21:04 PM  3     car   246
3/1/2022 15:20:07 PM  2     car   246
3/1/2022 15:20:03 PM  3     bus   600
3/1/2022 15:19:02 PM  2     bus   600
2/1/2022 15:20:03 PM  3     Toy   600
2/1/2022 15:19:02 PM  2     Toy   248
2/1/2022 14:19:02 PM  2     Toy   248

After that I need the final output like below.

_time                 Host  Name  version  Final
2/1/2022 15:20:03 PM  3     Toy   600      Not matching
3/1/2022 15:20:03 PM  3     bus   600      Matched
3/1/2022 15:21:04 PM  3     car   246      Matched
3/2/2022 15:22:04 PM  3     car   248      Not matching

I am not sure how to compare between the columns themselves. Could someone please help me out here? Thanks
Logs are going to source=WinEventLog:Application and sourcetype="WinEventLog" instead of source="WinEventLog:Security" sourcetype="WinEventLog:Security". I ran this search:

index=*** sourcetype="*wineventlog*" rha***s-wds EventCode=517 signature="The audit log was cleared"
Hello, I just started with Splunk and I need your help. I am not sure why alerts are not working for me. This is an example (looking for a ping event + PowerShell). I set it up to send an email to my inbox (do I need to configure SMTP or something, or will it work without any configuration?). Also, I can't see anything in the Alert tab, just a comment: "There are no fired events for this alert." I am not sure what I am doing wrong; please help me if you can! Many thanks (I have the 60-day free Splunk). Thank you
Hi Team, my universal forwarder certificate package will be expiring soon in my Splunk Cloud environment. As a result, the Splunk vendor updated the forwarder package on the stack with updated certificates to be deployed across any forwarders that connect directly to my Splunk instance. My action: I should download and install the updated Universal Forwarder certificate package on all forwarders prior to the upcoming maintenance window. Can someone elaborate on the pre-conditions and further steps to be taken care of before my maintenance window? FYI, I have the splunkclouduf.spl package. Thanks, Sabari
Hello, as you can see in my search, I transpose time into my header field:

| eval time=strftime(_time,"%H:%M")
| sort time
| fields - _time _span _origtime _events
| fillnull value=0
| transpose 0 header_field=time column_name=KPI include_empty=true
| sort KPI

Most of the time it works well, but it seems that when I have results = 0, the time header field is not displayed: I have row1 instead of 08:00, row2 instead of 09:00. You can see the result below. Does anybody have an idea, please?