All Topics

i_am_manish · ‎04-21-2022

I am unable to find my script for my current dashboard and also not getting my data into dashboard so is there any method to create another script for the current data ?

WhitneySink · ‎04-21-2022

Can entitlement contacts view all support cases?

mlasky1970 · ‎04-21-2022

I've got the Add-on for Atlassian JIRA Service Desk alert action plugin installed (https://splunkbase.splunk.com/app/4958/) on my search head cluster so I can create tickets from searches and alerts ...

I've got the Add-on for Atlassian JIRA Service Desk alert action plugin installed (https://splunkbase.splunk.com/app/4958/) on my search head cluster so I can create tickets from searches and alerts however I am having trouble getting the TA to talk to JIRA. I've created an internal JIRA user on our JIRA deployment, validated the credentials work by logging into JIRA with them, so I know my credentials are okay. The configuration section in the TA accepts the credentials. However, when I go to the app and ask it to show me projects or, for that matter, anything, it returns 0 projects and 0 results. All the canned reports return a Python error in the UI. Following a different thread I checked the troubleshooting steps at https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/troubleshoot.html where it specifically talks about Python errors and how that tends to me there is a connectivity issue or credential issue. I ran the curl commands from the search head I was connected to and it can successfully connect to JIRA and pull data back! [root@splunk-head-2 ~]# curl -k https://jira.mystuff.com/rest/api/latest/project --user prodsec-splunk Enter host password for user 'prodsec-splunk': [{"expand":"description,lead,url,projectKeys","self":"https://jira.mystuff.com/rest/api/2/project/15334","id":"15334","key":"VFR","name":" Vermin Feature Request","avatarUrls":{"48x48":"https://jira.mystuff.com/secure/projectavatar?avatarId=15163","24x24":"https://jira.mystuff.com/secure/projectavatar?size=small&avatarId=15163","16x16":"https://jira.mystuff.com/secure/project So I have good credentials and end to end connectivity. I am not sure how to troubleshoot further...

mthirumalareddy · ‎04-21-2022

Hi All, We use SafeNet Trusted Access(STA) as our identity provider and we would like to pull the logs from STA to Splunk Cloud. I don't see any app for this integration. Can some one point how t...

Hi All, We use SafeNet Trusted Access(STA) as our identity provider and we would like to pull the logs from STA to Splunk Cloud. I don't see any app for this integration. Can some one point how to integrate and configure it? Thanks In Advance!

pacifikn · ‎04-21-2022

Greetings!! 1.a. I need to check data size indexed in indexers per day, per month and per year in GB? 1.b. what if the data ingested per day is 200GB/day, How do I calculate to know the stora...

Greetings!! 1.a. I need to check data size indexed in indexers per day, per month and per year in GB? 1.b. what if the data ingested per day is 200GB/day, How do I calculate to know the storage that can store all the indexed data in 5 years? or one year? and month? 2- how to install and configure indexers to be functioning? 3- How to configure syslog in splunk instance to receive logs? i have already configured network devices to send logs into splunk instance? what other steps remaining to do to receive logs in indexer? Kindly help me, Thank you in advance

daisy · ‎04-21-2022

hi all, I would like to access DS via Winscp so I can look at and donwload some apps. The problem is that Splunk is installed as and owned by splunk user. When I use Putty, I use "sudo su - splunk" a...

hi all, I would like to access DS via Winscp so I can look at and donwload some apps. The problem is that Splunk is installed as and owned by splunk user. When I use Putty, I use "sudo su - splunk" and am able to make changes to any directories under /opt/splunk. Can someone give me a hint what I need to change for Winscp to be able to use it and access the directories as I am currently getting "permission denied" messages. Thanks!

mello920 · ‎04-21-2022

Good Afternoon, My Splunk Monitoring Console just doesn't seem to work. The Overview or any tab just can't populate their dashboards. I decided to run the Health Check, to see what could be wrong b...

Good Afternoon, My Splunk Monitoring Console just doesn't seem to work. The Overview or any tab just can't populate their dashboards. I decided to run the Health Check, to see what could be wrong but everything just fails with: "search job stopped unexpectedly". I can search through my index. I looked into splunkd.log and found no errors that correlate with the Monitoring Console. What could be causing this? Can I reinstall the Monitoring Console? Any help is greatly appreciated. Thank you.

SplunkDash · ‎04-21-2022

Hello, I have some requests to work on BitBucket SPLUNK add on. I am a little new on it. Any recommendation will be highly appreciated. Thank you.

JeffPoretsky · ‎04-21-2022

User of splunk attempted a search of index="os" It returns nothing after Dec 23. (Yes this went unnoticed for this long. We were on a single version of RedHat until recently). Splunk servers are ...

User of splunk attempted a search of index="os" It returns nothing after Dec 23. (Yes this went unnoticed for this long. We were on a single version of RedHat until recently). Splunk servers are all RH7.9 Version:8.2.4 Build:87e2dda940d1 Clients are all 7.9 or 8.5

vwilson3 · ‎04-21-2022

Greetings, I have been asked to create a report that tracks users' activities across all of our servers in chronological order. We have Windows and Linux OS, as well as applications such as Oracle...

Greetings, I have been asked to create a report that tracks users' activities across all of our servers in chronological order. We have Windows and Linux OS, as well as applications such as Oracle and HANA, among others. I'm not sure where to begin a search string like that, aside from the indexes we use. Any assistance is greatly appreciated.

Marco_Develops · ‎04-21-2022

After issuing a transpose command on my bar chart visualization I can't configure conditional drilldowns. I tried using the untable command followed by the xyz series command and no luck. this i...

After issuing a transpose command on my bar chart visualization I can't configure conditional drilldowns. I tried using the untable command followed by the xyz series command and no luck. this is the query: search * | eval CATI = if(SEVCAT=="I", 1,0) | eval CATII = if(SEVCAT=="II", 1,0) | eval CATIII = if(SEVCAT=="III", 1,0) | chart sum(CATI) as I sum(CATII) as II sum(CATIII) as III | transpose | sort - "row 1" The Drilldown XML : <drilldown> <condition field = "I"> <link target="blank"></link> </condition> <condition field = "II"> <link target="blank"></link> </condition> <condition field = "III"> <link target="blank"></link> </condition> </drilldown> Any help is appreciated. Thank you, Marco

JChris_ · ‎04-21-2022

I have the following log in Splunk: { "tags":{ "app":"foobar", "ou":"internal" }, "log":"{\"key1\":\"value1\",\"key2\":\"value2\",\"key3\":\"value3\"}", "timestamp...

I have the following log in Splunk: { "tags":{ "app":"foobar", "ou":"internal" }, "log":"{\"key1\":\"value1\",\"key2\":\"value2\",\"key3\":\"value3\"}", "timestamp":"2022-04-21T17:00:00.000Z" } I know I can parse the string JSON into actual JSON and replace the _raw like this: index=my_index_name | eval _raw=log But, if I use the SPL above, the timestamp and tags keys would be deleted from the _raw, that's not what I want. I want to use SPL to parse it in a way where the _raw equals to: { "tags":{ "app":"foobar", "ou":"internal" }, "log": { "key1": "value1", "key2": "value2", "key3": "value3" }, "timestamp":"2022-04-21T17:00:00.000Z" }

LionWolf · ‎04-21-2022

Hello Community, I'm currently having trouble with a dashboard panel I'm making. The dashboard panel is supposed to display the time to triage per analyst but for every notable. The results are ...

Hello Community, I'm currently having trouble with a dashboard panel I'm making. The dashboard panel is supposed to display the time to triage per analyst but for every notable. The results are supposed to be derived from notables with the status_label "Ready for Review" OR "Closed: False Positive" OR "Pending" OR "Closed: Valid - Remediated". The field TriageTime doesn't populate anything, I suspect the problem to be within the join. Search is below: `notable` | where owner="User1" OR owner="User2" OR owner="User3" OR owner="User4" OR owner="User5" OR owner="User6" | where status_label="Ready for Review" OR status_label="Closed: False Positive" OR status_label="Pending" OR status_label="Closed: Valid - Remediated" | rename status_label as status | rename rule_id as "Notable ID" | rename rule_name as Notable | rename owner as Analyst | join type=left rule_id [ search notable | eval review_time=if(status_label="Ready for Review",_time,null()) | eval inprogresstime=if(status_label="In Progress",_time,null()) | eval TriageTime=reviewtime-inprogresstime | eval TriageTime=tostring(TriageTime,"duration") | convert timeformat="%H:%M:%S" ctime(TriageTime) | stats min(review_time) as reviewtime min(inprogress_time) as inprogresstime values(rule_name) as rule_name values(owner) as real_name by rule_id] | table TriageTime, Notable, Analyst

duggym122 · ‎04-21-2022

tl;dr I want to take a list of events, separately sum the fields "message_accounts" (accounts processed in the event) and "message_processing" (time it takes to process) by "transaction_id" (so, in e...

tl;dr I want to take a list of events, separately sum the fields "message_accounts" (accounts processed in the event) and "message_processing" (time it takes to process) by "transaction_id" (so, in essence, two composite values related to the transaction_id across however many chunks it was split to) so that I can bucket/bin the sum of the message_accounts by the corresponding average of the message_processing value across all of these families of events I have messages that show sub-totals of processing time for split-off chunks of a larger message, identified by a field called "transaction_id" For example, our service accepts consolidated messages from another service (from 1 unit to thousands of combined message units) and splits them into chunks no larger than 100, where each chunk retains the "transaction_id" of the message source, so it's unique to the original message which we then split into more manageable pieces to be processed in parallel.

jankowsr · ‎04-21-2022

I use Splunk Enterprise 8.0.4.1 In indexes.conf I have changed maxTotalDataSizeMB value. According to https://docs.splunk.com/Documentation/Splunk/8.0.4/Indexer/Determinerestart that kind of chan...

I use Splunk Enterprise 8.0.4.1 In indexes.conf I have changed maxTotalDataSizeMB value. According to https://docs.splunk.com/Documentation/Splunk/8.0.4/Indexer/Determinerestart that kind of change should not require splunk restart. Anyway I can't see the change in GUI https://my_splunk/en-US/manager/launcher/data/indexes without doing splunk restart. Any clue why is it like that?

Khanu89 · ‎04-21-2022

I am trying to create a pie chart that would show difference error codes by category. Here is my current query: index= my_index | stats last(_time) as _time last(Message) as Message by Type ...

I am trying to create a pie chart that would show difference error codes by category. Here is my current query: index= my_index | stats last(_time) as _time last(Message) as Message by Type | stats count by Type | eval ErrorCode=443 | eval ErrorrCode=503 I'd like to pull in all errors without specifying the ErrorCodes as I have in my query.

weidertc · ‎04-21-2022

I have a time selector with custom tokens that control various aspects of the dashboard. Changing the value of the time selector changes the values of the custom tokens. I also have a separate inpu...

I have a time selector with custom tokens that control various aspects of the dashboard. Changing the value of the time selector changes the values of the custom tokens. I also have a separate input dropdown with a list of times taken from when our alerts fired. I need to update the time selector when the alert dates/times are chosen so the panels below update with a timeframe showing what happened with alert. When changing the value of the separate input dropdown to a new date, the 'earliest' and 'latest' update on the time selector, but none of its custom tokens do. They only change when I change the time selector. When I update input dropdowns with other input dropdown dynamically, they work, just not when I attempt to update the time selector from another input dropdown. How can I update "all" tokens on the time selector, not just 'earliest' and 'latest' from the other dropdown? <form theme="dark"> <label>Time Issue</label> <description></description> <fieldset submitButton="false" autoRun="false"> <input type="time" token="time" searchWhenChanged="true"> <label>Time Frame</label> <default> <earliest>@d-1d</earliest> <latest>now</latest> </default> <change> <eval token="time.earliest">if(len('earliest')=0 OR 'earliest="" OR isnull('earliest') OR 'earliest'="null" OR 'earliest'="0", "@d-90d", 'earliest')</eval> <eval token="time.latest">if('latest'="now" OR len('latest')=0 OR isnull('latest') OR 'latest'="null","@m",'latest')</eval> <eval token="time.earliest_type">if(match('earliest', ".*[@smhdwy].*"), "rel", "abs")</eval> <eval token="time.latest_type">if(match('latest', ".*[@smhdwy].*"), "rel", "abs")</eval> <eval token="time.earliest_epoch">if($time.earliest_type$="rel", relative_time(now(), 'earliest'), 'earliest')</eval> <eval token="time.latest_epoch">if($time.latest_type$="rel", relative_time(now(), 'latest'), 'latest')</eval> <eval token="time.difference">$time.latest_epoch$-$time.earliest_epoch$</eval> <eval token="form.panel">if($time.difference$<=604801,"compare","single")</eval> <eval token="form.span">if($time.difference$>2592000,"1d",if($time.difference$>604800,"1h",if($time.difference$>172800,"15m",if($time.difference$>86400,"3m","1m"))))</eval> <eval token="time.earliest_day1">if($time.earliest_type$="rel", 'earliest' . "-1d", 'earliest'-86400)</eval> <eval token="time.earliest_day1_epoch">'earliest'-86400</eval> <eval token="time.latest_day1">if($time.latest_type$="rel", 'latest' . "-1d", 'latest'-86400)</eval> <eval token="time.latest_day1_epoch">'latest'-86400</eval> <eval token="time.earliest_week1">if($time.earliest_type$="rel", 'earliest' . "-1w", 'earliest'-604800)</eval> <eval token="time.earliest_week1_epoch">'earliest'-604800</eval> <eval token="time.latest_week1">if($time.latest_type$="rel", 'latest' . "-1w", 'latest'-604800)</eval> <eval token="time.latest_week1_epoch">'latest'-604800</eval> </change> </input> <input type="dropdown" token="span" searchWhenChanged="true"> <label>Span</label> <choice value="1m">1 Minute</choice> <choice value="3m">3 Minute</choice> <choice value="5m">5 Minutes</choice> <choice value="10m">10 Minutes</choice> <choice value="15m">15 Minutes</choice> <choice value="30m">30 Minutes</choice> <choice value="1h">1 Hour</choice> <choice value="3h">3 Hours</choice> <choice value="6h">6 Hours</choice> <choice value="12h">12 Hours</choice> <choice value="1d">1 Day</choice> <change> <eval token="span.seconds">case($span$="1m", 60, $span$="3m", 180, $span$="5m", 300, $span$="10m", 600, $span$="15m", 900, $span$="30m", 1800, $span$="1h", 3600, $span$="3h", 10800, $span$="6h", 21600, $span$="12h", 43200, $span$="1d", 86400)</eval> <eval token="time.earliest_snap">(int($time.earliest_epoch$/$span.seconds$)*$span.seconds$)+$span.seconds$</eval> <eval token="time.latest_snap">int($time.latest_epoch$/$span.seconds$)*$span.seconds$</eval> <eval token="time.earliest_week1_snap">(int($time.earliest_week1_epoch$/$span.seconds$)*$span.seconds$)+$span.seconds$</eval> <eval token="time.latest_week1_snap">int($time.latest_week1_epoch$/$span.seconds$)*$span.seconds$</eval> <eval token="time.difference_snap">$time.latest_snap$-$time.earliest_snap$</eval> <eval token="span.intervals">ceil($time.difference$/$span.seconds$)</eval> <eval token="span.intervals_snap">$time.difference_snap$/$span.seconds$</eval> </change> <default>5m</default> <initialValue>5m</initialValue> </input> <input type="dropdown" token="panel" searchWhenChanged="true"> <label>Panel</label> <choice value="single">Single</choice> <choice value="compare">Compare</choice> <change> <condition value="compare"> <unset token="showPanelSingle"></unset> <set token="showPanelCompare">true</set> </condition> <condition value="single"> <unset token="showPanelCompare"></unset> <set token="showPanelSingle">true</set> </condition> </change> <default>compare</default> <initialValue>compare</initialValue> </input> <input type="dropdown" token="timeOption" searchWhenChanged="true"> <label>Choose a Time</label> <fieldForLabel>timeLabel</fieldForLabel> <fieldForValue>time</fieldForValue> <search> <done> <condition match="len('timeOption') != "0""> <unset token="form.time.earliest"></unset> <unset token="form.time.latest"></unset> <eval token="form.time.earliest">if($timeOption$ > relative_time(now(), "@d-1d"), "@d-1d", relative_time($timeOption$, "@d-2h"))</eval> <eval token="form.time.latest">if($timeOption$ > relative_time(now(), "@d-1d"), "@m", relative_time($timeOption$, "@d+1d+2h"))</eval> </condition> </done> <query>| makeresults count=5 | eval _time = floor((relative_time(_time, "@d") / 86400) * 86400) | streamstats current=false count as _row | eval time = _time - (_row * 86400) | eval timeLabel = strftime(time, "%Y-%m-%d")</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <change> <condition match="len('timeOption') != "0""> <unset token="form.time.earliest"></unset> <unset token="form.time.latest"></unset> <eval token="form.time.earliest">if($timeOption$ > relative_time(now(), "@d-1d"), "@d-1d", relative_time($timeOption$, "@d-2h"))</eval> <eval token="form.time.latest">if($timeOption$ > relative_time(now(), "@d-1d"), "@m", relative_time($timeOption$, "@d+1d+2h"))</eval> </condition> </change> </input> </fieldset> <row> <panel> <html> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>timeOption</span></div> <div style="width: 300px; float: left;"><span>$timeOption$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest</span></div> <div style="width: 300px; float: left;"><span>$time.earliest$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest</span></div> <div style="width: 300px; float: left;"><span>$time.latest$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest_epoch</span></div> <div style="width: 300px; float: left;"><span>$time.earliest_epoch$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest_epoch</span></div> <div style="width: 300px; float: left;"><span>$time.latest_epoch$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest_type</span></div> <div style="width: 300px; float: left;"><span>$time.earliest_type$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest_type</span></div> <div style="width: 300px; float: left;"><span>$time.latest_type$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.difference</span></div> <div style="width: 300px; float: left;"><span>$time.difference$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest_day1</span></div> <div style="width: 300px; float: left;"><span>$time.earliest_day1$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest_day1</span></div> <div style="width: 300px; float: left;"><span>$time.latest_day1$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest_day1_epoch</span></div> <div style="width: 300px; float: left;"><span>$time.earliest_day1_epoch$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest_day1_epoch</span></div> <div style="width: 300px; float: left;"><span>$time.latest_day1_epoch$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest_week1</span></div> <div style="width: 300px; float: left;"><span>$time.earliest_week1$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest_week1</span></div> <div style="width: 300px; float: left;"><span>$time.latest_week1$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest_week1_epoch</span></div> <div style="width: 300px; float: left;"><span>$time.earliest_week1_epoch$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest_week1_epoch</span></div> <div style="width: 300px; float: left;"><span>$time.latest_week1_epoch$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>panel</span></div> <div style="width: 300px; float: left;"><span>$panel$</span></div> </div> </html> </panel> </row> </form>

wvalente2 · ‎04-21-2022

Hi all, I need your help with a query to extract the values of fields with multiple values. The problem I'm facing is that not every JSON structure has the two values that I need to extract (Name a...

Hi all, I need your help with a query to extract the values of fields with multiple values. The problem I'm facing is that not every JSON structure has the two values that I need to extract (Name and Value). Below is an example of the log: "OperationProperties": [{ "Name": "Actions", "Value": "XX" }, { "Name": "Conditions", "Value": "XX" }, { "Name": "Provider", "Value": "XX" }, { "Name": "RemoveOutlookRuleBlob" }, { "Name": "Name", "Value": "XX" }, { "Name": "IsNew" }, { "Name": "IsDirty", "Value": "XX" }, { "Name": "RuleOperation", "Value": "XX" }, { "Name": "ServerRule", "Value": "XX" }], The fields 'Name: IsNew' and 'Name:RemoveOutlookRuleBlob' do not have the corresponding 'Value:' field. I tried the following search, but I noticed that when the 'Value' field doesn't exist, it aggregates with the next available 'Value' field. base search.... | spath path=OperationProperties{}.Name output=Name | spath path=OperationProperties{}.Value output=Value | eval temp=mvzip(Name, Value) | table Name Value, temp temp Actions,ForwardToRecipientsAction Conditions,SentToRecipientsCondition,FromRecipientsCondition Provider,RuleOrganizer RemoveOutlookRuleBlob,XXX Name,True IsNew,Delete IsDirty, XX *The 'IsNew' field does not have 'True' value, as you can see in the first image. My final search will looks like this after I correct the Name=Value. base search... | spath path=OperationProperties{}.Name output=Name | spath path=OperationProperties{}.Value output=Value | eval temp=mvzip(Name, Value) | mvexpand temp | eval Name=mvindex(split(temp,","),0), Value=mvindex(split(temp,","),1), Value=mvindex(split(temp,","),2) | eval {Name}=Value | stats values(*) as * by _time Id Can I have any solutions here? Thank you.

mjones414 · ‎04-21-2022

I have a situation where I want to launch lookup editor in a new window, load a particular lookup and have a pre-determined filter that is set by a token on the dashboard I'm coming from. All work B...

I have a situation where I want to launch lookup editor in a new window, load a particular lookup and have a pre-determined filter that is set by a token on the dashboard I'm coming from. All work BUT the filter portion because it appears that the filtering takes place in jquery and therefore I dont have a way to pass the string. Is there a way to pass the string in the url with an undocumented property so that I can get the dashboard link to launch completely?

super_saiyan · ‎04-21-2022

Hi all, i want to hide / delete / exclude some keyword like " supersaiyan" , "leave" from the below event using mvfilter. can anyone please tell me how to do it ? | makeresults | eval targe...

Hi all, i want to hide / delete / exclude some keyword like " supersaiyan" , "leave" from the below event using mvfilter. can anyone please tell me how to do it ? | makeresults | eval target_text="My name is supersaiyan, leave this to me" Thanks

All Topics

All Topics

Is there any method to create another script for the current data?

Why can't I see all of our open support cases?

Why is Add-on for Atlassian JIRA Service Desk alert action not talking to JIRA?

How to get SafeNet Trusted Access(STA) logs to Splunk cloud?

How to to check data size indexed in indexers per day, per month and per year in GB?

Deployment Server access via Winscp

Why isn't Health Check Running?

BitBucket Add On

Why is index not populating?

How to track users' activities across all systems?

How to configure Drilldown after using transpose command?

How to parse string JSON along with actual JSON?

Specific field not populating in dashboard panel

Combining And Analyzing Stats Across Events by Other Fields

Why is indexes.conf change not reflected in GUI without restart?

Receiving error from pie chart that should show difference error codes by category

Modify custom tokens on time selector from another input (with run anywhere xml dashboard)

Why do results from extraction of multivalued fields contain fields missing in each statements?

Lookup Editor: supplying a tokened string filter from a dashboard

How to exclude some keyword by using mvfilter?

All Topics

Are you a member of the Splunk Community?

All Topics