We have got the below vulnerabilities on our Splunk servers; please help with how to resolve them.
Insecure cipher suites:
TLS 1.2 ciphers:
* TLS_RSA_WITH_AES_128_CBC_SHA256
* TLS_RSA_WITH_AES_128_GCM_SHA256
* TLS_RSA_WITH_AES_256_GCM_SHA384
I submitted my app "OBS Connector" on Apr 11, 2022, and it's still in the pending approval stage right now. How long do I need to wait?
Hi all, I want to set a condition "credential.helper= " (notice there is a trailing space after the "="). What I want to achieve is to catch any record that has "credential.helper=" and any value after the "=" sign. So if there is only a trailing space, I can ignore it. How could I go about it in a search, please? Thanks,
Hello, Many of my team members are unable to receive the call on their mobile phones even when they are the on-call person. Is there any issue on your end?
Let's suppose I have the following search:
| makeresults | eval name="Denis", age=34
| append [| makeresults | eval name="Nazarena", age=28]
| append [| makeresults | eval name="Diego", age=10]
| append [| makeresults | eval name="Maria", age=43]
| search age > 30
| stats count by name
It outputs:
name | count
Denis | 1
Maria | 1
I need to get the number of times a name appears when its age is higher than 30, BUT I need to show the unmatched names (age lower than 30) with count = 0. Something like this:
name | count
Denis | 1
Nazarena | 0
Diego | 0
Maria | 1
What do I need to change in this search in order to achieve that?
Hello, I'm working with Splunk 8.2.4 installed on Windows 11. I'm trying to collect performance log data from a Linux virtual machine. I installed and configured the universal forwarder and followed all the configuration steps from the NMON performance monitor user guide, and I even followed the steps of the troubleshooting guide, but the problem is still the same: on the Splunk server I only get the event types nmon_collect and nmon_clean, and I get this error in the search app:
no files found in directory: /opt/splunkforwarder/var/log/nmon/var/csv_repository/*.csv
When running the nmon_helper.sh script manually from the command line of the Linux VM I get this error:
Does anyone know the source of the problem and can help me to solve it, please? Thanks in advance.
We are currently planning to migrate the IronPort to the cloud. What is the best way to integrate it with Splunk Enterprise?
Assistance/advice greatly appreciated; I am able to log in to Splunk Web with a Splunk native user, but via a Perl script I get an unauthorized response.
Excerpt from the Perl script:
$post = $ua->post( "https://prod-forwardermanagement-splunk-vip.xxxx.uk:8089/servicesNS/$app/auth/login", Content => "username=$username&password=$password" );
This is the response:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Unauthorized</msg>
</messages>
</response>
Hello, I upgraded our office's Search Head (SH) to 8.1.9 from 8.0.4. On the previous version, the MC wouldn't even load. Now that it does, the Overview window just says "Searching for..." (see screenshot below). But I can do a search for my indexer or forwarder and other events in the Search app. Not sure what I am missing with the MC setup. Other tabs like the Health Check work. Any suggestions or help are greatly appreciated! Thank you very much.
V/r, mello920
We have the following command that works well:
| transaction job_name startswith=STARTING keeporphans=true
Is it possible to convert it to the stats command?
Hi Team, I am installing the Splunk universal forwarder using Ansible. When I try to start Splunk and accept the license, I get the below error:
```
fatal: [Server-a]: FAILED! => {"changed": true, "cmd": ["/opt/splunkforwarder/bin/splunk", "start", "--accept-license", "--answer-yes", "--no-prompt"], "delta": "0:00:00.130544", "end": "2022-04-16 17:17:20.807732", "msg": "non-zero return code", "rc": 1, "start": "2022-04-16 17:17:20.677188", "stderr": "\n-- Migration information is being logged to '/opt/splunkforwarder/var/log/splunk/migration.log.2022-04-16.17-17-20' --\nERROR while running renew-certs migration.", "stderr_lines": ["", "-- Migration information is being logged to '/opt/splunkforwarder/var/log/splunk/migration.log.2022-04-16.17-17-20' --", "ERROR while running renew-certs migration."], "stdout": "\nThis appears to be an upgrade of Splunk.\n--------------------------------------------------------------------------------)\n\nSplunk has detected an older version of Splunk installed on this machine. To\nfinish upgrading to the new version, Splunk's installer will automatically\nupdate and alter your current configuration files. Deprecated configuration\nfiles will be renamed with a .deprecated extension.\n\nYou can choose to preview the changes that will be made to your configuration\nfiles before proceeding with the migration and upgrade:\n\nIf you want to migrate and upgrade without previewing the changes that will be\nmade to your existing configuration files, choose 'y'.\nIf you want to see what changes will be made before you proceed with the\nupgrade, choose 'n'.\n\n\nPerform migration and upgrade without previewing configuration changes? [y/n] y\n\nMigrating to:\nVERSION=8.2.4\nBUILD=87e2dda940d1\nPRODUCT=splunk\nPLATFORM=Linux-x86_64\n\n\nERROR: In order to migrate, Splunkd must not be running.", "stdout_lines": ["", "This appears to be an upgrade of Splunk.", "--------------------------------------------------------------------------------)", "", "Splunk has detected an older version of Splunk installed on this machine. To", "finish upgrading to the new version, Splunk's installer will automatically", "update and alter your current configuration files. Deprecated configuration", "files will be renamed with a .deprecated extension.", "", "You can choose to preview the changes that will be made to your configuration", "files before proceeding with the migration and upgrade:", "", "If you want to migrate and upgrade without previewing the changes that will be", "made to your existing configuration files, choose 'y'.", "If you want to see what changes will be made before you proceed with the", "upgrade, choose 'n'.", "", "", "Perform migration and upgrade without previewing configuration changes? [y/n] y", "", "Migrating to:", "VERSION=8.2.4", "BUILD=87e2dda940d1", "PRODUCT=splunk", "PLATFORM=Linux-x86_64", "", "", "ERROR: In order to migrate, Splunkd must not be running."]}
```
This error does not happen every time. The first time I run the script it does not throw this error and runs successfully. If I run it a second time on the same host, it shows this error. Can someone help me to understand this, please?
The command I am using:
```
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes
```
Thanks in advance,
Poojitha
Hi, Is there any way to set up an alert for server reboots in AppDynamics?
^ Post edited by @Ryan.Paredez for a searchable title. Please make sure the titles of your posts are questions.
Hello, I have a dashboard with two different time filters. The first time filter is used to filter on _time. The second time filter should be used to filter the results on a different field X. I see in the dashboard URL form2.date2.earliest=<VALUE> & form2.date2.latest=<OPTIONAL_VALUE>. I would like, in a where clause or something similar, to filter my results based on that date2 input. What is the best way to do it in Splunk? I hope the question is clear and understandable without a code snippet.
Hi, I've been trying to use the output from a lookup as input to another lookup. In the first lookup I have the names of the files to search. I have a query with field names in a column like this:
field1
name1
name2
Then, I search field1 in a lookup with a column with file names like this:
| lookup wheretosearch.csv field1 OUTPUTNEW lookup_name
My lookup wheretosearch.csv looks like this:
field1 | lookup_name
name1 | name1_lookup.csv
name2 | name2_lookup.csv
Then, I need that field lookup_name to search in a lookup for each row:
| lookup lookup_name ....
But obviously, this is not possible because the variable lookup_name is not the name of a CSV file. How can I do this?
Hi, I am using streamstats to calculate the rank based on cumulative count per day per category. On a few days, a particular category may not appear. So, on those days, I want to have the count for that category from the previous day. I tried all the arguments of streamstats and other commands with no success. Can someone help me with it, please? I am pasting the code of a similar case, but for ranking based on the cumulative points for each football match:
index=index
| stats sum(TotalPoints) AS Points BY match, "Sold To"
| fillnull value=0
| rename "Sold To" AS Owner
| sort match
| streamstats sum(Points) AS Total BY Owner
| sort match Total
| streamstats count AS Rank BY match
| xyseries match Owner Rank
Output:
match | Owner1 | Owner2 | Owner3
1 | 2 (Rank 2, Total: 10) | 1 (Rank 1, Total: 15) | (Total: 0)
2 | 1 (Rank 1, Total: 25) | 3 (Rank 3, Total: 18) | 2 (Rank 2, Total: 20)
3 | (Total: 0) | 2 (Rank 2, Total: 23) | 1 (Rank 1, Total: 30)
Expected Output:
match | Owner1 | Owner2 | Owner3
1 | 2 (Rank 2, Total: 10) | 1 (Rank 1, Total: 15) | 3 (Rank 3, Total: 0)
2 | 1 (Rank 1, Total: 25) | 3 (Rank 3, Total: 18) | 2 (Rank 2, Total: 20)
3 | 2 (Rank 3, Total: 25) | 3 (Rank 2, Total: 23) | 1 (Rank 1, Total: 30)
Don't show a result where the src_ip is X and dest_ip is Y:
index=test host=test source=test conn_state=sf | eval src_ip=x and 
Is there a way to do the following?
<row depends="$resultCount$"<=3>
I have a few panels I want to show dynamically based on the results from the above search.
Hi Everyone, I am struggling a lot to create a dashboard that will show the SLA for alerts received on the Incident Review dashboard. Basically I need two things only:
1. SLA from alert received until assigned (from status New to status In Progress)
2. SLA from alert pending to closure (from status Pending to status Closed)
I am facing many issues where there are empty fields in alert urgency and creation time. I have spent a week creating the below query:
| tstats `summariesonly` earliest(_time) as incident_creation_time from datamodel=Incident_Management.Notable_Events_Meta by source,Notable_Events_Meta.rule_id
| `drop_dm_object_name("Notable_Events_Meta")`
| `get_correlations`
| join type=outer rule_id [| from inputlookup:incident_review_lookup | eval _time=time | stats earliest(_time) as review_time by rule_id, owner, user, status, urgency]
| rename user as reviewer
| lookup update=true user_realnames_lookup user as "reviewer" OUTPUTNEW realname as "reviewer_realname"
| eval reviewer_realname=if(isnull(reviewer_realname),reviewer,reviewer_realname), nullstatus=if(isnull(status),"true","false"), temp_status=if(isnull(status),-1,status)
| lookup update=true reviewstatuses_lookup _key as temp_status OUTPUT status,label as status_label,description as status_description,default as status_default,end as status_end
| eval incident_duration_minutes=round(((review_time-incident_creation_time)/60),0)
| eval sla=case(urgency="critical" AND incident_duration_minutes>15, "breached", urgency="high" AND incident_duration_minutes>15, "breached", urgency="medium" AND incident_duration_minutes>45, "breached", urgency="low" AND incident_duration_minutes>70, "breached", isnull(review_time), "incident not assigned", 1=1, "not breached")
| convert timeformat="%F %T" ctime(review_time) AS review_time, ctime(incident_creation_time) AS incident_creation_time
| fields rule_id, source, urgency, reviewer_realname, incident_creation_time, review_time, incident_duration_minutes, sla, status_label
| table rule_id, source, urgency, reviewer_realname, incident_creation_time, review_time, incident_duration_minutes, sla, status_label
But still a lot of things are missing. Could you please help in creating a small dashboard with the below requirements:
1. SLA from alert received until assigned (from status New to status In Progress)
2. SLA from alert pending to closure (from status Pending to status Closed)
Many thanks in advance.
Hello, I'm using an app which is listed as a visualization. With it I can go into a dashboard and create a panel. My question is: because I don't have to copy and paste XML code myself for a panel, does that mean that if the app updates, any related panels would automatically update as well? If not, do I need to recreate it as I would for a panel I'd manually create? Thanks
Do any of you use (or know of) any scripts that look at Splunk configuration and point out errors, or otherwise allow for a framework to do some sanity checking? This is a fairly open question, and I'd also love any ideas for what kinds of things you'd like to see in such a script.