Hi Team, I have created a dashboard where I would like to freeze the header (time) on the timeline visualization. Could you please advise on how to do that by opening the <html> tag?
Hi, I have a requirement where I want to create an alert on some of my APIs which are being monitored in Splunk. I've created a search which checks the successes/failures of each API and then calculates the failure rate, and if that is more than 10% then it triggers the alert. Now what is happening is that the alert gets triggered even for bigger blips when they only last a short duration, e.g. there is a high increase in error rate for 5 mins and then it recovers by itself. I don't want to trigger the alert in that situation because it will make unnecessary callouts to people for investigation which is not required. How can I create an alert which runs every 30 mins and looks at the failure rate for each 5 mins in the last 30 minute period? So only if the failure rate is consistently high for more than 15/20 mins should the alert trigger. This is my base search:

index=api_prod (message.httpResponseCode=50* OR message.httpResponseCode=20*)
| rename message.serviceName as serviceName message.httpResponseCode as httpResponseCode
| stats count as totalrequests count(eval(like(httpResponseCode, "20%"))) as successrequest count(eval(like(httpResponseCode, "50%"))) as failedrequest by serviceName
| eval Total = successrequest + failedrequest
| eval failureRatePercentage = round(((failedrequest/totalrequests) * 100),2)
| where failureRatePercentage > 10
| fields - Total
| table serviceName,totalrequests,successrequest,failedrequest,failureRatePercentage

Any guidance is really appreciated. Best Regards, Shashank
Hi All, the topic might sound very mystic but is actually rather straightforward. I have a timechart displaying the current values of a metric, actually two different metrics. But that is not the issue. I also have a checkbox that, when ticked, will hand over an entire append query to the chart I mentioned above, but with the time values of the previous week.

<input type="checkbox" token="tok_input_1">
  <label></label>
  <choice value="yes">something rather boring</choice>
  <change>
    <condition value="yes">
      <set token="my_query_token">| appendcols [ search index=<my_index> earliest=$tok_earliest_ref$ latest=$tok_latest_ref$ | timechart span=5min partial=f sum(Average) as "reference"]</set>
    </condition>
    <condition>
      <set token="<my_query_token>"></set>
    </condition>
  </change>
</input>

However, the time tokens for earliest and latest will be handed over to the chart and will not be updated as time moves along, although the reference times are re-calculated every 2 mins based on the current timeframe.

Any suggestions? Regards, Mike
Any ideas how to resolve this one, guys? I'm getting 1 error every minute:

ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" splunk-winevtlog - WinEventMon::enumEvtLogChannels: Failed to enumerate event log channels: '(1717)'.
I found many errors in the _internal log:

ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-regmon.exe" splunk-regmon - WinRegistryMonitor::configure: Failed to get configuration settings: 'Regex: number too big in {} quantifier'

Any ideas how to resolve this error?
Hello, I have a query which returns Planned_Sprint, Total Hours, Actual Hours, Team, Type. Now I want a stacked bar and line chart, in which the stacked bars are split by Planned_Sprint,Type and the line is only split by Planned_Sprint. The X-axis is Planned_Sprint, the Y-axis is (Total Hours) as a stacked bar and (Actual Hours) as a line.

Planned_Sprint  Total Hours  Actual Hours  Type  Team
Sp_1            10           20            A     WWW
Sp_1            15           10            B     DDD
Sp_1            5            10            B     RRR
Sp_2            10           15            A     WWW
Sp_2            20           5             A     DDD
Sp_2            10           10            B     TTT
Sp_2            5            8             C     RRR
Sp_3            20           20            B     TTT

Here is my code for the chart (field names with spaces need to be quoted in SPL):

| chart sum("Total Hours") AS PLANNED_Hours, sum("Actual Hours") as AC by Planned_Sprint,Type

But in this even the AC gets split by Type. I do not want this; I want something like this:

| chart sum("Total Hours") AS PLANNED_Hours by Planned_Sprint,Type, sum("Actual Hours") as AC by Planned_Sprint

Any suggestion how this can be achieved?
Hi All, in my raw events there is a field called "dv_last_login_time" (already indexed), as shown below, that shows a timestamp in a human readable format. I need to extract the hour value out of this. All I am doing is running the following eval command, but this does not end up creating any new field date_hour. In short, it doesn't seem to work. What could be the issue?

eval date_hour=strftime(dv_last_login_time, "%H")

In contrast, if I use _time, which is also in human readable format, instead of dv_last_login_time, eval() works as expected and we see a new field called date_hour created:

eval date_hour=strftime(_time, "%H")

Secondly, assuming we are able to extract the hour successfully, how do I add +9 hours to the same field? My end goal is to do something like:

| where duration > date_hour and < date_hour +9
I have created a table as below using the query:

index=xyz | stats count(Status) as Total by Transaction,Status

Transaction  Status                     count(Status)
A            200 OK                     45
A            400 Bad Request            20
B            200 OK                     110
B            400 Bad Request            15
B            500 Internal Server Error  5
C            200 OK                     85
C            400 Bad Request            25
C            500 Internal Server Error  30

But I want to get a transpose of the table as below:

Transaction  200 OK  400 Bad Request  500 Internal Server Error  Total
A            45      20               0                          65
B            110     15               5                          130
C            85      25               30                         140

Please help me to create a query to get the desired output.
Hello All, I am having an issue with data due to the DST timezone update since 29 March, as data is coming one hour late into Splunk and due to that we are getting false alerts. Can someone guide me how we can update the timezone in the DB Connect app? Also, do we need to set it back to the default after DST ends? Appreciate your help.
I'm attempting to run a query and I've run into a really weird situation where, if I run a query with "head 10 | fields *", I'm getting results, but if I use "stats" with any field it does not return results. For example, this query is returning results:

index=main sourcetype=o365:management:activity Field1=Value1 | head 10 | fields *

This is returning no results:

index=main sourcetype=o365:management:activity Field1=Value1 | stats count by _time

Somehow this does work and returns the result:

index=main sourcetype=o365:management:activity Field1=Value1 | head 10 | stats count by _time

I've looked into it and did not manage to find similar issues. Did anyone see anything similar before?
In my ES App, I have a rule where I noted some discrepancy regarding the source country for the src ip 112.196.162.127. Using the 'iplocation' command in SPL it shows as Turkey, but in whois on DomainTools (112.196.162.127 IP Address Whois | DomainTools.com) it shows as India. Any suggestion why this is the case?
When I run the script to install EUM (euem-64bit-linux-21.4.3.34447.sh), it showed this notification:

....
Setting the configuration properties...
Checking EUM MySQL version
Please wait as this operation may take some time...
Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
Failed to create the EUM user account in the database.
Rolling back changes ...
Finishing installation ...

Please help me to fix this. Can we create the account manually?
Hello Splunk Community, I am writing a C# .NET Core API to install a Splunk app. I was able to install the app via a Postman call successfully. Now I am automating the same call via C#. The request headers generated by Postman and by the C# API for the install-app route match exactly; however, when I call this route (https://docs.splunk.com/Documentation/SplunkCloud/8.2.2201/Config/ManageApps#Install_an_app) via my API, I keep getting 403 Forbidden. I know the tokens I am passing are correct, and the ACL-Legal-Ack flag is set to Y. What else could be missing that is throwing this error?
Hello, I have events with a complex/inconsistent data structure. I need to extract 2 values into 2 different fields. The regex I wrote is not working for all cases. My regex and sample events are given below. Any help will be appreciated. Thank you.

Regex I wrote (working only for the first and last events):

^\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*.\w*.\w*.\w*\|\w*\|(?P<CODE>\d*)\|\w*\|(?P<ERRORMSG>\w*)\|

Sample events:

4CODEREG|REGT|MEF|IFA|REMOVE||||1234567890|bUnXG_o0PbpgAY2Go6F6jWWh|105.103.110.91|SAAS_BFAF_AUDIT|00|00|||20220419074638|||||<TRANSACTIONDATA><StatusMessage>GTX Key 202210954371398 Removing file: /opt/mef/temp/Attachments/IN//K20220419074627.3410.37570.68836.46248.co1rprdljap1s0l</StatusMessage></TRANSACTIONDATA>

wse083affc-1|TESTCASE|GETTRANS|VIEW_TRANS|VIEWPDF||||670018015|aMTmD8BKoyxOkt7U6MuUIl-2|2600:1700:2ed0:f8ws0:7566:140b:f358:6d20|SAAS_BSAF_AUDIT|01||Exception thrown from TDS on pdf or||20220419091342|202012|30|1|0|1;VENF;

446ODEREG|REGT|MEF|IFA|REMOVE||||1234567890|bUnXG_o0PbpgAY2Go6F6jWWh|104.103.110.90|SAAS_BFAF_AUDIT|01|00|Error||20220419074638|||||<TRANSACTIONDATA><StatusMessage>GTX Key 202210954371398 Removing file: /opt/mef/temp/Attachments/IN//K20220419074627.3410.37570.68836.46248.co1rprdljap1s0l</StatusMessage></TRANSACTIONDATA>

NOTE: The first event doesn't have any value for ERRORMSG (the highlighted parts are the values).
We have a custom dashboard and whenever we load it I'm getting this error: "A custom Javascript error caused an issue loading your dashboard, likely due to the dashboard version update. See the developer console for more details." We are running Splunk 8.2.5. Has something changed? This was working previously. Any idea how I can resolve this?
Hello, how are you? We are having trouble connecting the CISCO ACI Add-on for Splunk - Configuration Screen (https://splunkbase.splunk.com/app/1897/) with my APIC. It throws us the following error:

"Error: Could not login with provided credentials for APIC aci.blp.com.ar. Error: HTTPSConnectionPool(host='aci.XXXXXX.com', port=443): Max retries exceeded with url: /api/aaaLogin.json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)'))). Message: None"

Any ideas? Thanks in advance.
Has anyone here set up an alert in Splunk monitoring of Salesforce that runs a script on alert action that calls back into the org? I'm just now looking at the possibility of creating some "self healing" alerting for a recurring issue we have in SF prod (scheduled batch jobs falling out of the queue) and saw the option to run a script in Splunk on alert. Salesforce has an executeAnonymous(string apexcode) method through the Tooling API, exposed in both SOAP and REST. My thought was to have a class built in my SF Prod org that Splunk could just call into, which would handle the logic of finding what's fallen out of the spool and kick off the script to put it back in the hopper.
My HF stopped forwarding events. So far:

1. The splunkd service is running.
2. No firewalls enabled.
3. Running this command is successful, which I think means I'm connecting to the indexers:

   $ ./bin/splunk cmd openssl s_client -connect inputs1.<stack>.splunkcloud.com:9997

4. Tried restarting the service with no success.
5. The splunkd.log file on the HF is reporting a lot of ERROR TcpInputProc errors.

Help! Thank you, any suggestions would be appreciated.
Hello all, I am having trouble with a search that is not returning results as it should. The search is below and I have attached an example of the lookup file. When I run a search just looking for an individual IP it does return events, but it is not working with the lookup file. Any help is appreciated.

index=wineventlog OR index=fortigate | lookup TORIP TORIP AS src_ip OUTPUT TORIP | search TORIP=*
If I need to increase the number of UBA nodes, is it necessary to change the license?