Hello Team, I wanted to understand whether Splunk captures data/logs generated from Glue jobs. If yes, can you share which metrics are captured and how they get captured? Also, if the metrics captured for Athena and Aurora could also be explained, it would be helpful. Thanks!
Hi Helpers - Below is my use case where I am stuck with my ES upgrade.

My Splunk version was recently upgraded from 7.2.7 to 8.1.3. Post the Splunk upgrade, Splunk ES views were throwing pop-up messages "Timelines could not be loaded". Splunk ES was on 4.5.2, which was working fine on Splunk 7.2.7. Since it looked incompatible, we planned to upgrade it to 6.2.0. Below is the process followed. It's on a SHC environment with 3 search heads.

1. On ES Deployer, take backups of etc/shcluster/apps to etc/apps folders.
2. On ES Deployer, copied the apps (SA-*, DA-*, SplunkEnterpriseSecuritySuite) from etc/shcluster/apps to the etc/apps folder.
3. Ran the upgrade command: /opt/splunk/bin/splunk install app ./splunk-enterprise-security_620.spl -update 1
4. Ran the essinstall command as per the install documentation: /opt/splunk/bin/splunk search '| essinstall --deployment_type shc_deployer' -auth admin:TelstraDR01 action=upgrade (output attached)
5. /opt/splunk/bin/splunk restart (multiple invalid stanzas; output attached)
6. Planning to replace all conf files from the backup app directories into the upgraded app directories, as we have noticed there is a change in the conf files. Not sure which ones to replace and the consequences - PENDING

Bit confused with the documentation. The upgrade documentation didn't have the essinstall action=upgrade part, but I read about it in some blog. Am I supposed to run it or not? When I followed the upgrade documentation, only the SplunkEnterpriseSecuritySuite app folder got changed and the remaining SA-* and DA-* apps were unchanged. But SA-* and DA-* got changed when I ran the essinstall command followed by splunk restart. All this is just on the deployer. Haven't pushed any changes to the search heads. Has anyone recently done an ES upgrade and can share clear steps to be followed? Raised a Splunk support case and they are advising just to follow the upgrade doc, which is not fully clear. Thanks & Regards, Naresh
How to get details of Windows servers which are not activated or failed to activate Windows via the KMS server? I would like to prepare a dashboard which shows servers that failed Windows activation.
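One way to drive such a dashboard from the Application event log, as an added example that is not part of the original post. It assumes the Windows hosts forward the Application log with the Splunk Add-on for Microsoft Windows into an index called wineventlog (index and sourcetype names are assumptions; adjust to your environment). The Microsoft-Windows-Security-SPP source writes EventCode 12288 when the client sends a KMS activation request, 12289 when it receives the KMS response, and 8198 when activation (slui.exe) fails.

```spl
index=wineventlog sourcetype="WinEventLog:Application" SourceName="Microsoft-Windows-Security-SPP" EventCode IN (8198, 12288, 12289)
| eval status=case(EventCode==8198, "activation_failed",
                   EventCode==12288, "kms_request",
                   EventCode==12289, "kms_response")
| stats latest(_time) AS last_seen,
        count(eval(status=="activation_failed")) AS failures,
        count(eval(status=="kms_request")) AS kms_requests,
        count(eval(status=="kms_response")) AS kms_responses
        BY host
| where failures > 0 OR kms_responses = 0
| convert ctime(last_seen)
| sort - failures
```

Hosts that raised a failure, or that asked the KMS host and never got a response back, end up in the table. A host that never logged any Security-SPP event at all will not appear here; to catch those, join this result against your server inventory lookup and list the hosts that are missing from the search output.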
Hi everyone, I am new to Splunk and I am trying to search for distinct IDs where the PRODUCT column does not include a certain value. For example, assume I have the following table called TABLE1:

ID  PRODUCT  PHONE
1   A        999999
2   A        888888
2   B        888888
1   C        999999
3   D        777777
3   C        777777
3   B        777777
4   B        666666
4   D        666666
5   A        555555
5   B        555555
5   D        555555
... ...      ...

What I want is the following output when I look for IDs whose PRODUCT column values do not equal C:

ID  PHONE
2   888888
4   666666
5   555555
... ...

How do I write the search query in Splunk? Please help.
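One way to get that output, as an added example that is not from the original post (the index and sourcetype names are placeholders). The exclusion has to be evaluated per ID rather than per event, so a plain PRODUCT!=C filter would still return ID 1 and ID 3 via their A, B and D rows. Instead, flag the unwanted product on each event, aggregate per ID, and keep only the IDs where the flag never fired:

```spl
index=<your_index> sourcetype=<your_sourcetype>
| eval has_c=if(PRODUCT=="C", 1, 0)
| stats max(has_c) AS has_c, values(PHONE) AS PHONE BY ID
| where has_c=0
| fields ID PHONE
```

values(PHONE) collapses to a single value when an ID always carries the same phone number, as in the sample table; if an ID can have several numbers it becomes a multivalue field, which is usually what you want to see anyway.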
I am stuck. I have tried all of the options I have found. Most come close, but I cannot make it work. I collect data from a CMDB that has a field with a date I need to filter on, created_date. What I am trying to accomplish: generate a query for all events of the past 3 weeks where there are CMDB events that have a field "created_date" spanning multiple months; I only want those events that have a created_date that falls within the 3-week period.

If I use the following query, it returns as expected all events within the three-week period. What I want are all events based on the created_date, not based on _time. BTW, created_date has a standard time output: "%Y-%m-%d %H:%M:%S"

index=cmdb dv_number=* dv_assigned_to=* dv_state=* created_date earliest=3w@w latest=@w
| search [| inputlookup cmdb_users.csv | table dv_assigned_to ]
| timechart span=1w count(dv_number)

What I also tried was converting the field created_date to _time using the following, which turned created_date into epoch and did produce the correct _time output, but I cannot use earliest/latest since my understanding is earliest/latest only work on the initial search.

index=cmdb dv_number=* dv_assigned_to=* dv_state=* created_date earliest=3w@w latest=@w
| search [| inputlookup cmdb_users.csv | table dv_assigned_to ]
| eval created_date=strptime(created_date,"%Y-%m-%d %H:%M:%S")
| eval _time=created_date
........ ..... ..

I also tried using a where statement, which partially worked, but would only cover the outer boundary (3 weeks), not the inner boundary of the end of the last week.

| where created_date <= relative_time(now(), "-3w@w") AND created_date >= relative_time(now(), "@w")
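One way to filter on created_date instead of _time, as an added example that is not part of the original post. The earliest/latest on the base search still apply to _time, so that window has to be wide enough to contain every CMDB record whose created_date might fall in the last three weeks (the -6mon@mon below is an assumption; pick whatever covers your ingestion lag). The real filter is then done with where on the parsed epoch value, with the lower bound inclusive and the upper bound exclusive so the boundary week is not counted twice, and _time is overwritten before timechart so the buckets are keyed on created_date:

```spl
index=cmdb dv_number=* dv_assigned_to=* dv_state=* created_date=* earliest=-6mon@mon latest=now
| search [| inputlookup cmdb_users.csv | table dv_assigned_to ]
| eval created_epoch=strptime(created_date, "%Y-%m-%d %H:%M:%S")
| where created_epoch >= relative_time(now(), "-3w@w") AND created_epoch < relative_time(now(), "@w")
| eval _time=created_epoch
| timechart span=1w count(dv_number)
```

relative_time() returns an epoch number, so the comparison only works once created_date has been converted with strptime(); comparing the raw "%Y-%m-%d %H:%M:%S" string against it silently matches nothing.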
Hi Team, Is it possible to onboard the salesforce data using the HEC methodology? Thanks, Dibeena
Hi, I'm using the Event Timeline viz to create a timeline. The visualisation works when it's a single panel in a dashboard. However, I need this timeline visualisation to work in a dashboard with a drilldown from other panels. The functionality of this timeline works as expected on this drilldown dashboard, EXCEPT the time axis is not labelled. Same query and options as the standalone dashboard, same data used, same panel settings, but the time axis is labelled in the standalone dashboard and not in the dashboard I actually need it to work in, the drilldown dashboard. What could be the reason for this? Do the bins need to be a certain form for this viz, perhaps? Any way to force this viz to show the time axis? Thanks, Patrick
In a log, if there are two similar words with different values, how do I retrieve the value of the second word using regex? Example: "Display details of value =abc and value=def for id=1". How do I display the value "def"?

index=* "Letters"
| rex field=_raw max_match=0 "value=?(?<value2>[^\n]*)"
| stats values(value2) as letter by id

The above query returns 1 "abc and value=def"
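One way to pick the second value, as an added example that is not from the original post. The [^\n]* in the posted regex runs to the end of the line, so the first match swallows "abc and value=def" and there is nothing left for a second match. Stopping each capture at whitespace (and allowing optional spaces around the =, since the sample has "value =abc") gives one match per occurrence; with max_match=0 they land in a multivalue field, and mvindex() selects the second entry (index 1, zero-based):

```spl
index=* "Letters"
| rex field=_raw max_match=0 "value\s*=\s*(?<all_values>[^\s,]+)"
| eval value2=mvindex(all_values, 1)
| stats values(value2) AS letter BY id
```

For the sample event this yields all_values = abc, def and value2 = def. If the second occurrence is always the one followed by "for id", a single anchored capture such as "value=(?<value2>\w+)\s+for\s+id" does the same without the multivalue step, but the mvindex form keeps working when the order or count of value= tokens varies.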
Getting data from a Universal Forwarder, but 100 MB of data takes an hour. Are there any settings to speed this up?
Cannot find main app search
Can you please point me to the start up screen , where I can start a new search.
I've seen this on some older posts, but I am currently battling this issue. For some hosts, restarting makes the logs start flowing again without the above error message (suggesting a delayed start is the answer). But on some of them, a restart does nothing; there are real security logs for which Splunk is merely reporting the above error message.
Hi, I'm encountering this error when I run btool check:

Invalid key in stanza [email] in /opt/splunk/etc/apps/search/local/alert_actions.conf, line 2: show_password (value: True).

and inside the alert_actions.conf:

[email]
show_password = True

Could I just delete or rename the file? And what is this stanza for? I can't see it in the documentation https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Alertactionsconf
I am getting IPv6 with collapsed zeros and an IPv4 dotted quad (i.e. "fe80::192.168.10.100") for source, and I want to parse out the IPv6 part of that field. What do I need to add in my props to parse that part out? Thank you for any and all help.
I'm currently developing a Splunk query that will query 2 indexes to correlate data by leveraging a user's email, but I'm not having any luck.

index="A" Example="A"
| dedup email
| rename email AS actor
| join actor [search index="B" | table _time, actor, fileName, shared, url ]

I also tried this query as well:

(index="A" Example="A" OR index="B")
| fields email
| where email = actor
| table _time, work_email, fileName, shared, url
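One way to do this correlation, as an added example that is not from the original post. where operates on one event at a time, so email = actor can never match across events from two indexes, and the preceding | fields email had already dropped actor anyway. Using the index A search as a subsearch turns its distinct emails into an actor="..." OR actor="..." filter on index B, so the index B events keep their own _time and fields:

```spl
index="B" [search index="A" Example="A" | dedup email | rename email AS actor | fields actor]
| table _time, actor, fileName, shared, url
```

The | fields actor at the end of the subsearch matters: without it the subsearch would also hand back _time and _raw and the generated filter would match nothing. Subsearches are capped (10,000 results and 60 seconds by default), so if index A yields more distinct emails than that, switch to a single search over both indexes, eval actor=if(index=="A", email, actor), and correlate with stats ... BY actor instead of join.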
Hello, I would like to know if I can monitor IoT with AppDynamics and, if so, what agent I should use. Thanks.

^ Post edited by @Ryan.Paredez. Please have the title of the post be in a digestible question format. This helps others search and find content.
I have the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110/) installed on my heavy forwarder and ingesting audit data from an event hub input configured as a central repository for our tenant's audit data. This is working like a champ. I see tons of event hub data, and it's all parsing as expected. I'd love to use some dashboards to avoid making my own. I saw that the Microsoft Azure App for Splunk (https://splunkbase.splunk.com/app/4882/) contains dashboards for data collected from both the Cloud Services add-on above and the standard Azure add-on. Seems like what I want. However, after deploying the app to my SHC none of the dashboards work. Digging further into it, it appears that the sourcetype the app is looking for is totally different from the sourcetype that the MCS add-on generates. All the events in the index are sourcetype=mscs:azure:eventhub but the app is looking for sourcetype=azure:eventhub. The question is, is the app actually supposed to work with the MCS add-on and, if so, does anyone have advice on making that work? Or is there a different app that provides dashboards for the data ingested by the MCS add-on? It looks like I could change the sourcetype in the configuration of the app, but that doesn't feel like something I should be changing when the description says it works with the add-on.
Hi guys, I searched through all topics and couldn't find anything relevant to my issue, so I hope someone can help me with my question. We use Splunk Cloud Enterprise Security. We have an AWS environment, mostly with Linux instances. What I want to achieve is to search in Splunk for any new files put in /tmp or /sbin, etc. I was googling and searching in the documentation, and all I can find is this document https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Data/Monitorfilesanddirectories that says that I should use the CLI. But this doesn't make sense; we use Splunk Cloud, so there is no CLI, right? And I think this article is about accessing and monitoring Splunk files, right? So yes, in short: how do I search for any new files added to instances? Cheers.
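One way to get this signal, as an added example that is not part of the original post. The CLI in that documentation page is the universal forwarder's CLI on the instance itself (the monitor input lives in the forwarder's inputs.conf, not in Splunk Cloud), and a monitor input ingests the contents of matching files, which is the wrong tool for /tmp and /sbin: it would ship binaries and whatever users drop in /tmp into your index. The Linux audit subsystem is built for this question. The example assumes an auditd watch such as -w /tmp -p wa -k tmp_write and -w /sbin -p wa -k sbin_write on each instance, with /var/log/audit/audit.log forwarded by the universal forwarder using the Splunk Add-on for Unix and Linux as sourcetype linux_audit into an index named os (index, sourcetype and key names are assumptions). auditd writes a PATH record with nametype=CREATE for each newly created file, which the search below keys on:

```spl
index=os sourcetype=linux_audit type=PATH nametype=CREATE
| rex field=_raw "name=\"?(?<file_path>[^\"\s]+)"
| where match(file_path, "^/(tmp|sbin)/")
| stats earliest(_time) AS first_seen, count BY host, file_path
| convert ctime(first_seen)
| sort first_seen
```

The name= value is quoted when it contains plain characters and hex-encoded when it contains spaces or unusual bytes, so the rex tolerates the optional quote and a later rename or an auditd-aware decoder may be needed for odd filenames. Because this is Enterprise Security, the same search scheduled as a correlation search gives you a notable per host and path, and the PATH record's matching SYSCALL line (same msg=audit(timestamp:serial) id) carries the uid, exe and comm of whatever wrote the file, which is what you will want in the notable.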
I would like to narrow down my results and rename a few fields using an initial search; let's call these results A. Then I want to take A and search on `event_type=event1` and massage the results to get B. Then take A and search on `event_type=event2` and massage the results to get C. Then I want to combine the results B and C and use chart to dedup and display the combined result. With my current query, the column for stage1 in my table is all null, but if I do the search with the contents of the append at the root and remove the second search, I get populated results. My current query is the following:

index=... ...
| rename some_field as taskID
| append [search "event.event_type"=event1
    | eval stageDuration='event.payload.total_duration'-'event.payload.provisioning_duration'
    | eval stageID="stage1"]
| search "event.event_type"=event2
| rename event.payload.total_duration as stageDuration event.payload.stageID as stageID
| chart sum(stageDuration) over taskID by stageID
| table taskID, stage1, *
| where isnull(stage4)
| fillnull value=0
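One way to restructure this, as an added example that is not from the original post. Two things in the posted pipeline empty the stage1 column: the | search "event.event_type"=event2 after append applies to every row, including the appended event1 rows, so they are discarded; and the rename of some_field to taskID ran before append, so the appended rows would still carry some_field and fall out of chart ... over taskID even if they survived. Since both branches start from the same base search, the append is not needed: fetch both event types once, then compute stageDuration and stageID per event type with case():

```spl
index=... ... ("event.event_type"=event1 OR "event.event_type"=event2)
| rename some_field AS taskID
| eval stageDuration=case(
      'event.event_type'=="event1", 'event.payload.total_duration' - 'event.payload.provisioning_duration',
      'event.event_type'=="event2", 'event.payload.total_duration')
| eval stageID=case(
      'event.event_type'=="event1", "stage1",
      'event.event_type'=="event2", 'event.payload.stageID')
| chart sum(stageDuration) OVER taskID BY stageID
| where isnull(stage4)
| fillnull value=0
| table taskID, stage1, *
```

Field names containing dots have to be wrapped in single quotes on the right-hand side of eval, as above; without the quotes eval treats them as string literals. The chart step is what collapses several events per taskID into one row, so no separate dedup is required.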
Hello, are there any queries I can run from the Splunk search head to find:
1. all configured DB connections and their associated indexes/sourcetypes in Splunk;
2. all add-ons currently in use in Splunk?

Any help will be highly appreciated, thank you!