All Topics

I'm working with a Splunk install that someone else had set up. There are a few customizations that have disabled the HTTPS access over 8089. I'm trying to run the Upgrade Readiness App before upgrading (from version 8.0.1), but would like to run the scan over HTTP without having to revert all the custom settings in Splunk. Is there a way to change the Upgrade Readiness App to scan over HTTP instead? Thank You, Jason
Hi! I have a dashboard that has search input fields that allow running a search, and the results are displayed in the table. I want to create a custom button to act on the data from the search. I don't want to repeat the search using tokens and searchmanager. Is it possible to load the full results from the table in JavaScript in the case of a multi-page table like this: I know it's possible to download a .csv file using the SID from the search, but I want to know if there is another way to do it. I can extract the data from the table page that's currently rendered on the dashboard. Thank you in advance.
We wanted to share some newly published best practices for upgrading your Splunk!  Every great Splunk admin should be thinking about upgrading to the latest version and we want to make sure you’ve got all the guidance you need. We recommend that an upgrade is performed every two years. Learn how to get in the ‘sweet spot’ of Splunk Enterprise updates - ensuring you can implement stable new features, keep pace with innovation and reduce risk. Read the “Upgrading Splunk Enterprise” Lantern how-to article in order to get help during your upgrade process. You’ll learn about version compatibility, avoiding pitfalls, order of operations, and general tips and best practices. We also have resources available on our Splunk Answers Discussion board. Happy upgrading, folks! — The Splunk Community Team
We are getting the small hot buckets warning for this index, but the timestamps look fine just with a few hours offset. Not quite sure where to go from here.
Hey guys, I hope you're doing well. I didn't receive the SMS verification code or SMS alerts on the Splunk On-Call product. My team across the world (US, Brazil, Ecuador) are receiving SMSs but I'm (from Paraguay) not receiving the SMS. The phone zone code for Paraguay is +595 and a complete phone number should be +595 XXX XXXXXX. I tried with two different phone numbers. Do you have any suggestions? Thanks,
Hi. Does anyone know how to use a background, or highlight a specific area in the chart between two values? For example, below is a chart, and then I'd have two overlay values, and I'd like to highlight the area between those values in green, where field A is 15,000,000 and field B is 20,000,000. Thank you in advance!
Hello, Whenever a user logs in to Splunk with some role, I want to hide the Splunk App bar from that specific user/role. Without using hidesplunkbar=true, how can I achieve it? Thanks a lot.
Hi, How can we get the number of users per min in the User Experience section from AppDynamics? ^ Post edited by @Ryan.Paredez to add a title that has a question. Please try your best to ask a question in the title. This helps others Search and find existing content.
Environment: Splunk ES SH running in cloud (Classic experience). There are two apps for a particular sourcetype (let's call it "sourcetype-x"): TA-customer-props (the old one) and zzz-customer_props (the new one). Settings > Sourcetype > sourcetype-x > edit > Advanced > adding some new extractions and evals. When I'm trying to dump all props using a REST API call, I see that my settings are merged in SA-IdentityManagement. How come? As far as I know, SA-IdentityManagement should contain lookups only. Is there any way to "de-configure" sourcetype-x from TA-customer-props and SA-IdentityManagement and leave its configuration in zzz-customer_props only?
Hi, I was trying to see Browse More Apps in Splunk Enterprise and they are not showing, giving me the error "Service Unavailable". We have the proxy configured in server.conf:

[proxyConfig]
http_proxy=http://xxx:8080
https_proxy=http://xxx:8080

Can you help? Thanks in advance.
Hello Team, Splunkers, I am working on a correlation search and need to use a regex expression to strip all text before a colon ":". Following the suggestion presented in: https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regex-to-remove-all-text-before-an-optional/m-p/259105 I managed to strip the text using this expression, which was derived from the topic above:

| rex field=my_host "(?<my_host>[^\:]+)$"

If I apply it to the following line:

Microsoft.Windows.Server.10.0.LogicalDisk:my_host.server;D

it will work and I will receive: my_host.server;D

However, if I apply the above expression to the same line but with a colon at the end of the string, looking like this:

Microsoft.Windows.Server.10.0.LogicalDisk:my_host.server;D:

this will not be matched. Could you please assist me with editing my expression to cover both cases and still get my_host.server;D as a result. Regards, Nikolay
I have this lookup that has a list of searches I want to run. I want to run a search that can run output the "magic" values search results. The expected search. This is the search I am using, " | inputlookup test.csv  | map search=$magic$ " When I run this this is the error I am getting: "  Unable to run query '"search index::client* sourcetype::ActiveDirectory | fields admonEventType memberOf sAMAccountName sAMAccountType | head 100 | fieldsummary maxvals=2 | where count > 0 | table field values"'. "
Hi. I'm rather fresh to Splunk and all its magic. I was wondering if there is a place where I can find the information regarding servers responding to DMC connections. As in, the monitoring console has ServerA and ServerB to monitor. How do I force ServerA to use static port X and ServerB to use static port Y when sending data to the monitoring console? I'd believe it would be as simple as [specific_stanza_name] DMC_uri:port_of_choice but I have not managed to find any info regarding the servers' response to DMC queries.
Hopefully I can explain this in a way where it can be understood and fingers crossed answered.  I have a search that returns the user and date. On occasion the user is blank, in which case I want to perform a search on a different index to get the appropriate value and populate the first search results. I am trying the following: | eval user=if(user=””), searchmatch(new search | table UserName), $user$) This is easy enough when the value is hard coded, but want to grab the result from the new search value. Obviously, this does not work but hopefully gives an idea what is desired. Any ideas how to accomplish?
I did a partial upgrade of one of my environments (upgraded all components except for indexers at the moment due to time constraints). And suddenly the status is showing IOWait as red. Similar to https://community.splunk.com/t5/Splunk-Enterprise/Why-is-the-health-status-of-IOWait-red/m-p/565902#M9870 Anyone knows if it's any known issue/bug? Or shall I tell the customer to fill a case with the support? The servers in question are really doing... not much. One of the servers in question is a master node. Supposedly getting killed by IOWait whereas top shows...

top - 13:12:37 up 210 days, 1:04, 1 user, load average: 0.35, 0.29, 0.28
Tasks: 255 total, 1 running, 254 sleeping, 0 stopped, 0 zombie
%Cpu0 : 4.0 us, 1.3 sy, 0.3 ni, 94.4 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu1 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu2 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu3 : 0.3 us, 0.3 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu4 : 0.0 us, 0.3 sy, 0.0 ni, 99.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu5 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu6 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu7 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu8 : 0.3 us, 0.3 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu9 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu10 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu11 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu12 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu13 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu14 : 0.3 us, 0.3 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu15 : 0.7 us, 0.0 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 65958320 total, 4973352 used, 60984968 free, 48540 buffers
KiB Swap: 4194300 total, 0 used, 4194300 free. 2479532 cached Mem

Other two are search-heads. Again - top output:

top - 13:13:08 up 174 days, 23:12, 1 user, load average: 5.91, 6.91, 5.82
Tasks: 456 total, 2 running, 454 sleeping, 0 stopped, 0 zombie
%Cpu0 : 19.3 us, 5.0 sy, 0.0 ni, 73.7 id, 0.0 wa, 0.0 hi, 2.0 si, 0.0 st
%Cpu1 : 4.4 us, 7.7 sy, 0.0 ni, 87.9 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu2 : 5.1 us, 6.8 sy, 0.0 ni, 88.2 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu3 : 5.8 us, 5.8 sy, 0.0 ni, 88.5 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu4 : 6.9 us, 3.4 sy, 0.0 ni, 89.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu5 : 4.6 us, 6.0 sy, 0.0 ni, 86.4 id, 0.0 wa, 0.0 hi, 3.0 si, 0.0 st
%Cpu6 : 3.8 us, 3.8 sy, 0.0 ni, 92.4 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu7 : 10.6 us, 3.8 sy, 0.0 ni, 85.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu8 : 6.1 us, 5.8 sy, 0.0 ni, 88.1 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu9 : 4.7 us, 4.4 sy, 0.0 ni, 90.8 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu10 : 3.9 us, 4.6 sy, 0.0 ni, 88.8 id, 0.0 wa, 0.0 hi, 2.6 si, 0.0 st
%Cpu11 : 4.4 us, 5.1 sy, 0.0 ni, 90.5 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu12 : 6.4 us, 5.4 sy, 0.0 ni, 87.0 id, 0.0 wa, 0.0 hi, 1.3 si, 0.0 st
%Cpu13 : 9.5 us, 2.7 sy, 0.0 ni, 86.8 id, 0.0 wa, 0.0 hi, 1.0 si, 0.0 st
%Cpu14 : 4.7 us, 5.4 sy, 0.0 ni, 89.9 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu15 : 9.4 us, 4.0 sy, 0.0 ni, 86.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu16 : 5.1 us, 5.8 sy, 0.0 ni, 89.1 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu17 : 3.8 us, 6.2 sy, 0.0 ni, 90.1 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu18 : 7.2 us, 3.9 sy, 0.0 ni, 85.2 id, 0.0 wa, 0.0 hi, 3.6 si, 0.0 st
%Cpu19 : 3.1 us, 4.8 sy, 0.0 ni, 92.1 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu20 : 5.5 us, 5.9 sy, 0.0 ni, 88.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu21 : 7.6 us, 5.5 sy, 0.0 ni, 86.9 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu22 : 5.5 us, 5.9 sy, 0.0 ni, 88.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu23 : 5.7 us, 6.4 sy, 0.0 ni, 87.8 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu24 : 5.8 us, 4.8 sy, 0.0 ni, 89.4 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu25 : 4.5 us, 5.9 sy, 0.0 ni, 89.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu26 : 5.0 us, 7.4 sy, 0.0 ni, 87.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu27 : 4.7 us, 4.7 sy, 0.0 ni, 90.5 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu28 : 6.1 us, 5.1 sy, 0.0 ni, 88.9 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu29 : 5.7 us, 6.4 sy, 0.0 ni, 87.9 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu30 : 8.8 us, 5.4 sy, 0.0 ni, 85.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu31 : 8.9 us, 4.4 sy, 0.0 ni, 86.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 65938200 total, 9247920 used, 56690280 free, 15468 buffers
KiB Swap: 4194300 total, 0 used, 4194300 free. 1184380 cached Mem

As you can see - the servers are mostly idling, the search heads do some work, but not much. To make things even more interesting, three other SHs dedicated to ES stressed way more than this SH-cluster, don't report IOWait problems. All I did was migrate kvstore to WiredTiger and upgraded splunk from 8.1.2 to 8.2.6. That's all.
Hi All, I want to understand if there is a way to perform an action on the server through Splunk. For example: to run the ls -lrt command for a path, to kill/terminate a process, to run a script on the server, etc. Your kind help will be highly appreciated. Thank you..!!
Hi Splunk Community! I have a line chart of some values over time grouped by fieldA, and so by default there is a legend that indicates the unique values from fieldA by color. May I know how I can just have the line chart without the legend? How should I hide the legend? Thanks in advance!
When I save a search result as Report and schedule it, next scheduled time is always set as NULL, hence my reports are never generated, please help.
Hi all, I have a Splunk App with React and JS SDK, that calls a custom REST endpoint, that calls a Python script, which uses Splunk Python SDK. Is there a way to pass the session from the logged in User using the Dashboard from JS/REST to the Python script, so that I do not need to write the authentication details for the Python SDK connection in a file? Best regards!
Hi, Thanks in Advance. My JSON file: how to extract fields using props and transform configuration file.

{ "AAA": { "modified_files": [ "a/D:\\\\splunk\\\\A / ui/.env", "a/D:\\\\splunk\\\\A / ui/.env.example", "a/D:\\\\splunk\\\\B / ui/.env", "a/D:\\\\splunk\\\\B / ui/.env.example" ] } }
{ "BBB": { "modified_files": [ "a/D:\\\\splunk\\\\A / ui/.env", "a/D:\\\\splunk\\\\A / ui/.env.example", "a/D:\\\\splunk\\\\B / ui/.env", "a/D:\\\\splunk\\\\B / ui/.env.example" ] } }
{ "CCC": { "modified_files": [ "a/D:\\\\splunk\\\\A / ui/.env", "a/D:\\\\splunk\\\\A / ui/.env.example", "a/D:\\\\splunk\\\\B / ui/.env", "a/D:\\\\splunk\\\\B / ui/.env.example" ] } }
{ "DDD": { "modified_files": [ "a/D:\\\\splunk\\\\A / ui/.env", "a/D:\\\\splunk\\\\A / ui/.env.example", "a/D:\\\\splunk\\\\B / ui/.env", "a/D:\\\\splunk\\\\B / ui/.env.example" ] } }