I have some data and I am trying to extract fields from multi-line raw data.

TIMESTAMP=23-12-2021,Eligible_to_be_Purged=0,Total_Records_Inserted=79871,Row_Count=0,NUMORDERSPURGED=14267,INVOCATIONS=781016,AVERAGE=101.76,MAXIMUM=171465,NUMOFGETJOBSPROCESSED=163,GETJOBS_AVERAGE=17114.57
TIMESTAMP=24-12-2021,Eligible_to_be_Purged=0,Total_Records_Inserted=51367,Row_Count=0,NUMORDERSPURGED=206884,INVOCATIONS=471196,AVERAGE=981.21,MAXIMUM=237037,NUMOFGETJOBSPROCESSED=97,GETJOBS_AVERAGE=14298.03
TIMESTAMP=25-12-2021,Eligible_to_be_Purged=0,Total_Records_Inserted=57405,Row_Count=0,NUMORDERSPURGED=51558,INVOCATIONS=205747,AVERAGE=960.54,MAXIMUM=301445,NUMOFGETJOBSPROCESSED=45,GETJOBS_AVERAGE=36616.87

I want to extract all fields from all 3 lines.
Hi, I need a list of all the successful event details in the 'If' condition. For that list of successful events I need to extract a few more details and send an alert. I tried stats count, but it gives only the count, and eventstats gives all the values (Success and Failed events). Please help me get the detailed list of successful events. Please see the attachment below.
Hi all, I'm new to Splunk and I have seen that this has been asked many times, but most of the results are based on matching one column from a search with another; my query is slightly different.

I have the following: a search that outputs the following in a table (columns/rows):

name, feed, alarm
attack, true, false
block, true, true

I also have a lookup table which has a predefined list of the above with the correct values, i.e.

name, feed, alarm
attack, true, true
.....and so on.

What I am looking for is for the search to compare its results with the lookup table and, if there are any rows from the search that do not match the rows from the lookup, to present those to me as a result. I'm only interested in what isn't matching.

At the same time I would like to handle the possibility of there being a result from the search that doesn't exist in the lookup table. Thank you in advance, and I look forward to your answers :).
Dear Splunkers, I'm trying to get data from a Pub/Sub but I receive a 403 error. I configured the add-on on a HF, following the Splunk documentation, and I set up a proxy because the HF is in an internal network. I tried a curl following this guide "https://blog.differentpla.net/blog/2017/10/05/google-pub-sub-bash/" (adding -x for the proxy) and it worked, so the credentials are correct and the service account has the right permissions. Thank you.
Hello dear community, I'm contacting you because I built a machine learning model that I implemented in Splunk (MLTK), but when I apply my model to my data, here is the error I get: Error in 'apply' command: Failed to load model "modele": Failed to load algorithm with an invalid name: <class 'algos.LinearRegression.LinearRegression'>.
2022-04-11 05:46:26 POST /BestMarket.Internal.Market.Transactions/MarketTransactionService  ContractName="BestMarket.Platform.Transactions.Contracts.IProviderTransactionServiceAsync"+OperationName="WithdrawAsync"+RequestType="WithdrawRequest"+WithdrawRequest="{'ProviderName':'NIkora'+'BrandName':'Vazisubani'+'CustomerId':'2ed928f1-3bec-4794-adce-a3ed9221152b'+'Amount':0.6+'TransactionId':'6253c0b3eb303a42bed6ffc1'+Reference':'8382608392617'+'WalletmarketId':12946+'Comment':'market+round:+0cb0d4b0-13b1-41ff-b367-ad34446c717a:8382608392617'+'IsRepeatable':true+'IsFinal':false+'BonusContext':'best.Market'+'BonusContribution':0.0+'Device':1+'TransactionType':null+'DeviceType'

I want to get Amount as a table, but when I write | table Amount the column is empty.
Username to split: domain\user

Expected result for the user2 field: domain, user

SPL: | eval user2=split(user,"\")

Error stated: unbalanced quotes

Thanks for your assistance.
Hi All, I am trying to install the Splunk universal forwarder. While adding the forwarder, it asks for the admin username and password. Command: /opt/splunkforwarder/bin/splunk add forward-server. I checked results on Google and tried the default credentials admin/changeme; it's not working. I am installing this UF on an EC2 Linux instance. I am stuck with the login failure here. Please, anyone, help me with this. Thanks in advance, Poojitha NV
Hi Team, I need to find the difference between two tables and generate an alert when the difference between Table B and Table A is greater than 3, and publish the difference in a table. Kindly help with this.

Table A    Table B
3234       3240
4234       4236
2345       2348
1345       1349
Hello dears, can I list search results with stats count as an hourly trend? Example:

Hour: 00:00 EventCount: 10
Hour: 01:00 EventCount: 15
Hour: 02:00 EventCount: 23
.
.
Hour: 23:00 EventCount: 127

Regards.
Dears, I tried to install a private app in my Splunk Cloud developer account; I have a 14-day trial and my account is admin. I referred to this link to install a private app: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2201/Admin/PrivateApps#Install_private_apps_on_Splunk_Cloud_Platform. But I found there is no "Install app from file" button. Would you please tell me how I can install an app from a file for my Splunk Cloud account? Thanks very much!
Hey folks, I have one set of applications where there was a version upgrade. Due to that version upgrade they changed the path of the logs. As they were facing some issues with the sourcetype, they changed the sourcetype name as well. Is there a way to know which alerts are configured with this sourcetype/source and change them to the new source/sourcetype, instead of opening all the alerts manually and checking where that sourcetype/source is used in the query? Thanks in advance,
Hi Splunkers, I have defined a field as follows using an eval condition:

| eval body = "Sample Example :-" . " ---- " . " HOST INFORMATION: " . " ---- Source Network Address: " . src . " ---- Source Network Hostname: " . srcdns_hostname . " ---- " . " END "

which produces the result as follows. Now, I would like to change the above result into the format below; how can I achieve that?

Sample Example :-
HOST INFORMATION:
Source Network Address: 1.1.3.5
Source Network Hostname: ABCD.net
END
I am trying to onboard logs for Sage accounting software to Splunk; how do I go about it? I could not find any documentation, TA or app on this. How do I get Sage logs into Splunk? Is there any TA or app for Sage?
Hi Team, I am getting the date and time in the format "Created_time =1649576166225" in the raw log, and we have to convert it. Please help me convert it to a readable format for all logs. Do I need to make any changes at the input level or anywhere else? Please help me.
I have created a lookup for a threat feed CSV file we are using. After deleting all the lookup CSV files and removing all the props.conf and transforms.conf inputs for this lookup from the deployer, CM, SHs and indexers, I still see an error.
I need a regular expression to extract the JSON from the message field. Can someone help? After extracting it, I want to parse the extracted JSON using the spath command.

{ [-]
@timestamp: 2022-04-09T05:50:04.336Z
@version: 1
file: test.log
message: 2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: { "context": { "httpContextKey": 1111111111, "verbId": 2, "verb": "GET", "originalVerb": "GET", "protocol": "https", "parameters": { "uri": { "version": "v2" }}}}
name: test
no: 111111111111
}
My company does not have a Windows Server with Splunk Enterprise, so I cannot use the Splunk Add-on for SCOM to ingest the data. I would like to use the database instead, but I don't know what data from which tables to send, as the add-on does. Can someone help?
I need a query to view the disk encryption (DAR) status of all my hosts, be it BitLocker, LUKS, etc. index=* host=* | ??? Thank you in advance.
The SplunkWorks-built TA called Splunk Add-on for Cisco FireSIGHT says in its description that it is able to parse NGIPS logs. But upon inspection of the `props.conf`, it doesn't have a sourcetype for NGIPS. Which should I use? I tried `cisco:sourcefire` but it's not working.