All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hello there, Recently I restarted Splunk, and since then Splunk has been showing an error message regarding the Palo Alto Networks add-on. If I remove that add-on, the problem is resolved. But my query is: how can I check whether the add-on is working in the background for any purpose or not? We are using a Palo Alto firewall; is this add-on useful for collecting data from the Palo Alto firewall? If I remove this add-on, will the logs no longer be displayed in Splunk? Please help me with this query. Thanks in advance.
We operate a rather large M$ tenant and I am running into issues with this add-on not consuming all of our user objects with the AAD user input. It dies around 550,000 users; I am assuming due to the bearer token coming from the Graph API timing out at the 1-hour mark; all of the ingestion appears to start and stop at the 1-hour mark. Does anyone have any ideas how to get around this? I really want to use Splunk to version control and audit my user configurations offline and leverage this data for lookups coming from the Azure-related logs. I can't, however, unless I get all of the user objects. Second, I would love to see group memberships supported in this add-on! This would be super helpful to target reports and audits against accounts.
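The failure mode described in the post above, a pull that outlives its bearer token, is a pagination problem: Microsoft Graph hands back pages through @odata.nextLink, and a Graph access token is good for roughly an hour, so a run longer than that has to renew the token between pages. The following is an added example (not code from the Splunk add-on or from Microsoft) showing a paginator that renews the token before it expires and, as a fallback, retries a page once after a 401. The real endpoint is https://graph.microsoft.com/v1.0/users; everything else, including the offline stand-in for Graph and its numeric $skiptoken (real nextLinks carry an opaque one), is constructed so the script runs without network access.

```python
"""Page through Graph /users without letting the bearer token expire mid-run.

Added example, not code from the Splunk add-on. make_fake_graph() is a constructed
offline stand-in for Microsoft Graph; its numeric $skiptoken is an assumption.
"""
import time
from typing import Callable, Iterator, Optional

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"   # real endpoint
TOKEN_LIFETIME_S = 3600                                  # roughly an hour, as in the post


class TokenSource:
    """Caches a bearer token; renews it once fewer than margin_s seconds remain, or on demand."""

    def __init__(self, acquire: Callable[[], tuple], now: Callable[[], float] = time.time,
                 margin_s: int = 300):
        self._acquire = acquire          # returns (access_token, expires_in_seconds)
        self._now = now
        self._margin = margin_s
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.renewals = 0                # how many tokens were acquired in total

    def get(self, force: bool = False) -> str:
        stale = self._token is None or self._now() >= self._expires_at - self._margin
        if force or stale:
            self._token, expires_in = self._acquire()
            self._expires_at = self._now() + expires_in
            self.renewals += 1
        return self._token


def iter_users(first_url: str, fetch: Callable[[str, str], tuple], tokens: TokenSource) -> Iterator[dict]:
    """Follow @odata.nextLink to the end. A 401 on a page means the token died between
    renewals; acquire a fresh one and retry that same page once, so no page is skipped."""
    url = first_url
    while url:
        status, body = fetch(url, tokens.get())
        if status == 401:
            status, body = fetch(url, tokens.get(force=True))
        if status != 200:
            raise RuntimeError(f"Graph returned HTTP {status} for {url}")
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")


def make_fake_graph(total_users: int, page_size: int, state: dict):
    """Constructed stand-in for Graph. Every page costs 60s of fake time; a token is valid
    for TOKEN_LIFETIME_S of fake time and is then rejected with 401 (counted in state)."""
    issued = {}

    def acquire():
        token = f"fake-token-{len(issued)}"
        issued[token] = state["t"] + TOKEN_LIFETIME_S
        return token, TOKEN_LIFETIME_S

    def fetch(url, token):
        state["t"] += 60
        if issued.get(token, 0.0) <= state["t"]:
            state["rejected"] += 1
            return 401, {"error": {"code": "InvalidAuthenticationToken"}}
        skip = int(url.split("$skiptoken=")[1]) if "$skiptoken=" in url else 0
        page = [{"id": str(i), "userPrincipalName": f"user{i}@example.com"}
                for i in range(skip, min(skip + page_size, total_users))]
        body = {"value": page}
        if skip + page_size < total_users:
            body["@odata.nextLink"] = f"{GRAPH_USERS}?$skiptoken={skip + page_size}"
        return 200, body

    return acquire, fetch


def sync_all_users(total_users: int = 6000, page_size: int = 100, margin_s: int = 300) -> tuple:
    """Pull every user; returns (users_seen, tokens_acquired, pages_rejected_with_401)."""
    state = {"t": 0.0, "rejected": 0}
    acquire, fetch = make_fake_graph(total_users, page_size, state)
    tokens = TokenSource(acquire, now=lambda: state["t"], margin_s=margin_s)
    users = list(iter_users(GRAPH_USERS, fetch, tokens))
    assert len({u["id"] for u in users}) == len(users)     # nothing duplicated by the retry
    return len(users), tokens.renewals, state["rejected"]


if __name__ == "__main__":
    print("with 5 min refresh margin:", sync_all_users())
    print("with no margin (401 fallback):", sync_all_users(margin_s=0))
```

With the default 5-minute margin the 6000-user run (60 pages, one fake hour) renews once before the first token expires and never sees a 401; with the margin set to 0 the last page is rejected, re-fetched with a fresh token, and the user count is still complete. The retry is deliberately limited to one attempt per page so a revoked credential cannot turn into an endless loop.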
How to check the odd one out (field < 1) for a field with 2 or more values?
Ex:
field = true                 output field1 = true, false
        false                                false, true
                                             true, false
                                             false, true
Hi All, One of my scheduled reports is quite expensive. It runs every day from Monday to Friday and returns 30 days' worth of data. Search query:
index=abc_* | stats count by index,host
How can I improve its search efficiency? Please suggest.
Hello All, I have configured the inputs and props but am unable to see the data in Splunk. I have around 20 monitor stanzas and all of them have the same sourcetype. Below is my monitor stanza.

File to be monitored: archive.log.DYYYYMMDD.Tnnnnnn
where YYYYMMDD is the date, e.g. 20220412, and nnnnnn is a 6-digit timestamp, e.g. 171300

[monitor:///opt/sw/ss/splunklogs/archive.log.*.*]
index=abc
disabled = 0
sourcetype=es:test:sd:logs

Below is props.conf:

[es:test:sd:logs]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE= ^[\d+\-\d+\-\d+\s+\d+\d:+\d+:\d+.\d+\d+]
MAX_TIMESTAMP_LOOKAHEAD=28
TIME_FORMAT=%d-%m-%y %H:%M:%S.%N
TIME_PREFIX=^\w

Below is the data on which the REGEX was done:
[2022-04-04 23:10:30.643]

Please let me know if there is anything wrong in my configurations. In the internal logs, for log level error, it shows the error below:
StreamId:123456 had parsing error:unexpected character while expecting ' : ' :  ' , '
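A line-breaking regex and a TIME_FORMAT are cheap to check against a sample line before they go into props.conf. The script below is an added example (not Splunk code and not the poster's) that reproduces the post's BREAK_ONLY_BEFORE, TIME_PREFIX and TIME_FORMAT verbatim, runs them against constructed lines in the shape of the post's sample, and does the same for corrected versions. Python's re is close enough to Splunk's PCRE for these patterns; Python's strptime stands in for Splunk's timestamp parser, with Splunk's subsecond %N approximated by Python's %f. The three sample lines are constructed, not real log data.

```python
"""Check BREAK_ONLY_BEFORE and TIME_FORMAT against sample lines before deploying props.conf.

Added example; not Splunk code. re/strptime approximate Splunk's PCRE and timestamp parser.
"""
import re
from datetime import datetime

# Constructed sample lines in the shape the post describes; not real log data.
SAMPLE_LINES = [
    "[2022-04-04 23:10:30.643] StreamId:123456 request received",
    "  continuation line belonging to the same event",
    "[2022-04-04 23:10:31.001] StreamId:123456 request completed",
]

# The settings from the post, exactly as written there (%N replaced by Python's %f).
POSTED_BREAK = r"^[\d+\-\d+\-\d+\s+\d+\d:+\d+:\d+.\d+\d+]"
POSTED_TIME_PREFIX = r"^\w"
POSTED_TIME_FORMAT = "%d-%m-%y %H:%M:%S.%f"

# Corrected forms: the square brackets are escaped so they are literals rather than a
# character class, and the date order/width matches "[2022-04-04 23:10:30.643]".
FIXED_BREAK = r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\]"
FIXED_TIME_PREFIX = r"^\["
FIXED_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

MAX_TIMESTAMP_LOOKAHEAD = 28


def split_events(lines, break_regex):
    """BREAK_ONLY_BEFORE semantics: a new event starts at every line the regex matches;
    every other line is merged into the event before it."""
    starts = re.compile(break_regex)
    events = []
    for line in lines:
        if starts.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def parse_timestamp(event, time_prefix, time_format, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD semantics: locate the prefix, then try to parse
    a timestamp from at most `lookahead` characters after it, longest candidate first.
    Returns None when the prefix is absent or nothing in the window fits the format."""
    prefix = re.search(time_prefix, event)
    if prefix is None:
        return None
    window = event[prefix.end():prefix.end() + lookahead]
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def check_props(lines, break_regex, time_prefix, time_format):
    """Run both checks; returns (first line of each event, parsed timestamp or None)."""
    return [(e.split("\n", 1)[0], parse_timestamp(e, time_prefix, time_format))
            for e in split_events(lines, break_regex)]


if __name__ == "__main__":
    for label, args in [("posted", (POSTED_BREAK, POSTED_TIME_PREFIX, POSTED_TIME_FORMAT)),
                        ("fixed", (FIXED_BREAK, FIXED_TIME_PREFIX, FIXED_TIME_FORMAT))]:
        print(label)
        for head, ts in check_props(SAMPLE_LINES, *args):
            print(f"  {ts}  <- {head}")
```

Run as posted, the unescaped brackets make the break regex a single-character class, so it never matches a line that starts with "[" but does match the indented continuation line (whitespace is in the class), and no timestamp is found because "^\w" does not match "[" and the %d-%m-%y order does not fit a 2022-04-04 date. With the corrected settings the continuation line is merged into the first event and both timestamps parse.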
Hi, I am trying to use this visualization but I am getting the following error: Can you please help? Many thanks, Patrick
Hi all, I am trying to capture multiple lines between two strings in my log data, but so far I have not been able to figure out a solution. The log data is as follows:
'calls': 'apfsae.providers.economic.china_jobs_data_provider.ChinaJobsProvider',
'db_connection': 'providers/database_connection :: qtrewd_iq',
'db_view_name': 'adweh.V_datayes_china_recruitment',
'calls': 'apfsae.providers.mappings.company_id_to_barra_mapper.BbToBarraMapper',
I want to capture the lines starting from ChinaJobsProvider to 'calls':. Thank you!
Hey, I need to use the Network Diagram Viz as one of the panels for my dashboard: https://splunkbase.splunk.com/app/4438/#/details However, it appears I am using the app incorrectly. Can you please help? Thanks, Patrick
Hello, could someone help me with a query? I have this default report, Top Notable Event Sources, which returns IPs (count, sparkline, etc.). How can I add an extra column with the hostname of those IPs?
Hi peeps, I need help to fine-tune this query:
index=network sourcetype=ping | eval pingsuccess=case(match(ping_status, "succeeded"), Number)
Basically, I want to create a new field for ping success that will show the event count as values. Please help.
Can Threat Explorer items from Microsoft Defender for Office 365 appear in Splunk? My client wants to check whether there is an attachment on sent and received mail. I registered the WindowsDefenderATP app in Azure AD; is this correct?
Hello Experts, I have Splunk Enterprise up with the trial version installed. The license group was the trial license group. I did get a license to bump up the size for a year. Without changing the license server group, I installed that license. The UI asked to restart the server and I did; however, the UI still reflects the trial version, which supports 500MB only. If I change the server group to Enterprise and add the license, it says this license is already installed. But during selection of the Enterprise server group it says "There are no valid Splunk Enterprise licenses installed. You will be prompted to install a license if you choose this option." What is the resolution? Should I delete the license and change the group?
I want to use the values() function because I want to group by fields. If I just use count by I get the correct result but it doesn't look nice. If I use the values() function the counts get swapped.

This is how count by returns the results:
Function        | Status | count
Authentication  | Pass   | 10
Authentication  | Fail   | 3

This is how values() returns the results:
Function        | Status | count
Authentication  | Pass   | 3
                | Fail   | 10

Here is the count by search:
| stats count by Function, Status | table Function, Status, count

Here is the values search:
| stats count by Function, Status | stats values(Status) as Status, values(count) as Count by Function | table Function, Status, Count

So my question is: how do I group by Function while getting the correct counts for the status?
Hi team, I downloaded the "IBM Resilient/SOAR Splunk Add-on" and restarted Splunk. Then I entered the information; I'm sure the IP and organization information is correct, as we did it this way in another integration. I just created an API key and secret via IBM Resilient and entered them as well. But I still encounter the error seen in the pop-up in the screenshot below. Has anyone encountered this before? Thanks
Hi All, I want to monitor files whose filename keeps changing according to the current date, under the respective month and year directory. Can anyone please help me out with how we can monitor these? I tried using a wildcard in inputs.conf, but it seems not to be working.

Format: D:\Logs\<dynamic-year>\<dynamic-month>\<dynamic-date>.txt
Example: D:\Logs\2022\04\21042022.txt

I used the below config in inputs.conf:
[monitor://D:\Logs\*\*\*.txt]
disabled = true
crcSalt = <SOURCE>
index = indexname
sourcetype = sourcetypename

Many thanks in advance!
Hi Folks, I need help understanding the requirement for an "api-user" (Controller local user) with administrative rights for auto-instrumentation using the cluster agent on EKS. We have installed the cluster agent successfully into our EKS cluster and it is reporting data properly; now we are planning to achieve auto-instrumentation of all the containers/pods running. While going through the documentation I found that there is a requirement to create a local user with an administrator role. I don't want to provide a local user with admin rights to the application team due to security concerns; kindly suggest what else we can do here. Also, why is AppDynamics not using "API Client" token-based authentication instead of the user? Reference documentation: https://docs.appdynamics.com/21.4/en/infrastructure-visibility/monitor-kubernetes-with-the-cluster-agent/auto-instrument-applications-with-the-cluster-agent
The following search does not produce any results:
index=* earliest="04/19/2022:15:00:00" latest="04/19/2022:17:00:00" | fields _time, index, sourcetype | head 1 | eval mail=[| makeresults | eval mail="\"abc@cde.com\"" | return $mail]
The search and the subsearch each produce one result. The search returns one result as expected when the earliest and latest options in the base search are omitted.
Hi Team, there is a column formatting (table) to highlight colours for the values, but I can see the formatting says "String" instead of number. I tried updating it in the code but am still unable to do it. Could anyone please let me know how to change it from "string" to number to add the colour values?
Hello Community, how would I extract fields from raw data containing auto-populated numbers in the fields I am trying to extract? The example below is a field containing raw data. Notice the numbers inside the brackets. The numbers are not the same for all events and will change from 1 to 2 digits. For the example below, I would like to extract values for user_id, NAME, and Car. What would be the rex command?
Event 1 for _raw field:
user_id:[4] "peter1234" NAME:[10] "Peter" Car:[3] "Pinto"
Event 2 for _raw field:
user_id:[11] "peter1234" NAME:[5] "Peter" Car:[9] "Gremlin"
Thank you for any assistance. Joe
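Both this post and the earlier one about capturing the lines from ChinaJobsProvider up to the next 'calls': are regex extraction problems, and a pattern is worth testing against sample events before it goes into a rex command. The block below is an added example, not Splunk's extractions and not either poster's code. It shows the two shapes: a key:[N] "value" layout where the bracketed count is skipped with \[\d+\] so its width does not matter, generalised to pull every such pair from an event whatever the keys; and a multi-line span ended by a lookahead, using the (?s) flag so "." crosses line breaks. The events are constructed from the shapes described in the posts, not real data.

```python
"""Extract fields from the two raw-event shapes described in the posts above.

Added example; these are not Splunk's own extractions. Python's re is used because its
named groups (?P<name>...) and inline flags map directly onto what a rex pattern needs.
"""
import re

# Constructed events in the shape the two posts describe; not real data.
EVENT_1 = 'user_id:[4] "peter1234" NAME:[10] "Peter" Car:[3] "Pinto"'
EVENT_2 = 'user_id:[11] "peter1234" NAME:[5] "Peter" Car:[9] "Gremlin"'
CALLS_EVENT = (
    "'calls': 'apfsae.providers.economic.china_jobs_data_provider.ChinaJobsProvider',\n"
    "'db_connection': 'providers/database_connection :: qtrewd_iq',\n"
    "'db_view_name': 'adweh.V_datayes_china_recruitment',\n"
    "'calls': 'apfsae.providers.mappings.company_id_to_barra_mapper.BbToBarraMapper',"
)

# Shape 1: key:[N] "value". \[\d+\] consumes the bracketed count whatever its width, and
# [^"]* keeps each capture inside its quotes so a value cannot run into the next field.
THREE_FIELDS = re.compile(
    r'user_id:\[\d+\]\s*"(?P<user_id>[^"]*)"\s+'
    r'NAME:\[\d+\]\s*"(?P<NAME>[^"]*)"\s+'
    r'Car:\[\d+\]\s*"(?P<Car>[^"]*)"'
)

# The same idea generalised: every key:[N] "value" pair in the event, whatever the keys.
ANY_FIELD = re.compile(r'(?P<key>\w+):\[\d+\]\s*"(?P<value>[^"]*)"')

# Shape 2: everything after the marker up to, but not including, the next 'calls':.
# (?s) lets "." match newlines so the span may cross lines; .*? stops at the first 'calls':.
SPAN_AFTER_MARKER = re.compile(r"(?s)ChinaJobsProvider(?P<span>.*?)(?='calls':)")


def extract_three(raw: str) -> dict:
    """The three named fields from the post, or {} if the event does not have that shape."""
    m = THREE_FIELDS.search(raw)
    return m.groupdict() if m else {}


def extract_all(raw: str) -> dict:
    """Every key:[N] "value" pair in the event as a dict (later duplicates overwrite earlier)."""
    return {m["key"]: m["value"] for m in ANY_FIELD.finditer(raw)}


def extract_span(raw: str):
    """Text between the ChinaJobsProvider marker and the next 'calls':, or None."""
    m = SPAN_AFTER_MARKER.search(raw)
    return m["span"] if m else None


if __name__ == "__main__":
    print(extract_three(EVENT_1))
    print(extract_all(EVENT_2))
    print(repr(extract_span(CALLS_EVENT)))
```

The same patterns drop into rex unchanged apart from the group syntax: rex accepts the shorter (?<name>...) form, and the inline (?s) flag is how the multi-line span is enabled there too. Anchoring each capture inside its own quotes (rather than .*) is what keeps the extraction correct when a value is missing or contains spaces.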
Hi, can anyone please help me with the query? Currently I am using | rename * AS \|*\| but I don't want \ in the header; I want it like |PeriodDate| only.
\|PeriodDate\| \|VendorName\| \|ContractName\| \|Code\|
|2021/12/19| |SAM| |HI-HI| |511|
|2021/12/19| |SAM| |HI-HI| |51.1|
|2021/12/19| |SAM| |HI-HI| |51.1|