Hi, is Splunk Enterprise still free after 60 days of free trial? Thanks!
Hi, I am having an issue with setting up my search head cluster environment. I have a stand-alone deployment server instance, a SHC deployer, and 3 search heads. Do I need KV Store set up in all of the instances, or is it only in the SHC deployer or the deployment server? Thank you,
Hi, we have some applications running on Kubernetes. All the logs produced by the application are sent to the standard output of the pod instance. From those logs, we would like to be able to extract some of them (based on a pattern, for example) and send them to a specific index. The other logs would go to a "by default" index. Can we achieve this with Splunk OTel for Kubernetes? Do you have some hints on where I should start first? Thank you
Hi, I have created a timeline of URLs hit over a given session. Here is my chart: and here is the respective XML code: However, I need to add the time and dates on the top of the timeline as such: How can I do this? Many thanks, Patrick
Hello Splunk friends, I'm trying to send a report from Splunk that contains an attached report. The email subject needs to be last month's date, i.e. "My Report Name _ Mar_22", and the same for the email attachment filename. I currently have this working using hidden field eval values like so, but I've noticed that if my table returns no results, I'll also get no value for last month's date. My search looks like so:

    index=myIndex Process=myProcess earliest=-1mon@mon latest=now
    | eval _date_one_month_ago = relative_time(now(), "-1mon@mon")
    | eval _reporting_date = strftime(_date_one_month_ago, "%b_%Y")
    | stats count by orgName

Any help would be really appreciated in populating the email subject and attachment name with last month's date, without depending on my table having data. Thank you
Hello colleagues, I would like to know: I have events where there is a unixTime field, but the _time field does not show correctly. How can I write in props.conf so that the _time field takes its time from the unixTime field?
I am not able to create multiple forms in a single dashboard. I want to create fieldsets in multiple rows in the dashboard.
In the Splunk documentation for the outlier command, it says: "The transform option truncates the outlying values to the threshold for outliers." I would like to understand how it calculates the threshold mentioned above. For the SPL below, the total_bytes value of 92000 is replaced with 000244. How does Splunk come up with the value of 244?

    | makeresults
    | fields - _time
    | eval data="101,20220101,3;101,20220102,200;101,20220103,210;101,20220104,220;101,20220105,200;101,20220106,210;101,20220107,220;101,20220108,92000;101,20220109,200;101,20220110,3;"
    | makemv delim=";" data
    | mvexpand data
    | eval splitted = split(data,",")
    | eval day_hour_key=mvindex(splitted,0,0), date=mvindex(splitted,1,1), total_bytes=mvindex(splitted,2,2)
    | fields day_hour_key,total_bytes,date
    | outlier action=transform mark=true total_bytes
    | rename total_bytes as transform_total_bytes
Hi Splunkers, I am struggling to verify the connection status of the master node from an indexer VM using a Linux command. Does someone know what command I can use to view the connection status between them?
I am unable to find my script for my current dashboard, and I am also not getting my data into the dashboard, so is there any method to create another script for the current data?
Can entitlement contacts view all support cases?
I've got the Add-on for Atlassian JIRA Service Desk alert action plugin installed (https://splunkbase.splunk.com/app/4958/) on my search head cluster so I can create tickets from searches and alerts; however, I am having trouble getting the TA to talk to JIRA. I've created an internal JIRA user on our JIRA deployment and validated the credentials work by logging into JIRA with them, so I know my credentials are okay. The configuration section in the TA accepts the credentials. However, when I go to the app and ask it to show me projects or, for that matter, anything, it returns 0 projects and 0 results. All the canned reports return a Python error in the UI. Following a different thread, I checked the troubleshooting steps at https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/troubleshoot.html, where it specifically talks about Python errors and how that tends to mean there is a connectivity issue or a credential issue. I ran the curl commands from the search head I was connected to and it can successfully connect to JIRA and pull data back!

    [root@splunk-head-2 ~]# curl -k https://jira.mystuff.com/rest/api/latest/project --user prodsec-splunk
    Enter host password for user 'prodsec-splunk':
    [{"expand":"description,lead,url,projectKeys","self":"https://jira.mystuff.com/rest/api/2/project/15334","id":"15334","key":"VFR","name":" Vermin Feature Request","avatarUrls":{"48x48":"https://jira.mystuff.com/secure/projectavatar?avatarId=15163","24x24":"https://jira.mystuff.com/secure/projectavatar?size=small&avatarId=15163","16x16":"https://jira.mystuff.com/secure/project

So I have good credentials and end-to-end connectivity. I am not sure how to troubleshoot further...
Hi All, We use SafeNet Trusted Access (STA) as our identity provider and we would like to pull the logs from STA into Splunk Cloud. I don't see any app for this integration. Can someone point out how to integrate and configure it? Thanks in advance!
Greetings!!

1.a. I need to check the data size indexed in the indexers per day, per month and per year in GB.
1.b. What if the data ingested per day is 200GB/day? How do I calculate the storage needed to store all the indexed data for 5 years? Or one year? And a month?
2. How do I install and configure indexers so that they are functioning?
3. How do I configure syslog on a Splunk instance to receive logs? I have already configured network devices to send logs to the Splunk instance. What other steps remain to receive logs in the indexer?

Kindly help me. Thank you in advance
Hi all, I would like to access the DS via WinSCP so I can look at and download some apps. The problem is that Splunk is installed as and owned by the splunk user. When I use PuTTY, I use "sudo su - splunk" and am able to make changes to any directories under /opt/splunk. Can someone give me a hint what I need to change for WinSCP to be able to use it and access the directories, as I am currently getting "permission denied" messages. Thanks!
Good Afternoon, My Splunk Monitoring Console just doesn't seem to work. The Overview and every other tab just can't populate their dashboards. I decided to run the Health Check to see what could be wrong, but everything just fails with: "search job stopped unexpectedly". I can search through my index. I looked into splunkd.log and found no errors that correlate with the Monitoring Console. What could be causing this? Can I reinstall the Monitoring Console? Any help is greatly appreciated. Thank you.
Hello, I have some requests to work on the Bitbucket Splunk add-on. I am a little new to it. Any recommendation will be highly appreciated. Thank you.
A user of Splunk attempted a search of index="os". It returns nothing after Dec 23. (Yes, this went unnoticed for this long. We were on a single version of RedHat until recently.) Splunk servers are all RH7.9, Version: 8.2.4, Build: 87e2dda940d1. Clients are all 7.9 or 8.5.
Greetings, I have been asked to create a report that tracks users' activities across all of our servers in chronological order. We have Windows and Linux OS, as well as applications such as Oracle and HANA, among others. I'm not sure where to begin a search string like that, aside from the indexes we use. Any assistance is greatly appreciated.
After issuing a transpose command on my bar chart visualization I can't configure conditional drilldowns. I tried using the untable command followed by the xyseries command and had no luck. This is the query:

    search *
    | eval CATI = if(SEVCAT=="I", 1, 0)
    | eval CATII = if(SEVCAT=="II", 1, 0)
    | eval CATIII = if(SEVCAT=="III", 1, 0)
    | chart sum(CATI) as I sum(CATII) as II sum(CATIII) as III
    | transpose
    | sort - "row 1"

The drilldown XML:

    <drilldown>
      <condition field="I">
        <link target="blank"></link>
      </condition>
      <condition field="II">
        <link target="blank"></link>
      </condition>
      <condition field="III">
        <link target="blank"></link>
      </condition>
    </drilldown>

Any help is appreciated. Thank you, Marco