All Topics

Hello, I would like to know if it's possible to reuse the result of the field Total in another search? | stats dc(titi) as Total Thanks
I want to trigger a dashboard as PDF to my mail id... But while scheduling PDF delivery I am getting an error like this: Can anyone tell me why I am facing this error and how I can avoid it and trigger the mail? When I am previewing the data, it looks fine. Please help me out. Thanks in advance.
Hi, I understand that importing the evtx format into Splunk consumes more licenses than the volume displayed. (Because evtx is a compressed format.) Am I right in thinking that I will consume about 2 to 5 times more licenses? I think I saw the material about this somewhere, can anyone share it? I would be grateful if you could help me.
How can we extract the Windows Event description instead of the raw data, which only gives info on the Event ID? Is it possible to extract the exact event info?
I have an event which contains error reason codes of failed records. I have to extract these reason codes and get a count of each of these reason codes.
Hi Gurus, I am trying to extract data from log message using rex field=_raw. The regex I have is "Event <(?<eventNo>.*)>, Super <(?<super>.*)>, Charge <(?<oic>.*)>, number <(?<pcn>.*)>, Card <(?<cn>.*)>, CO <(?<co>.*)>, Warn <(?<warn>.*)>" | table _time oic eventNo pcn cn super co warn and I am able to extract records. But the issue is that CO may or may not be present in the log and I still need to extract the rest of the data. I tried "Event <(?<eventNo>.*)>, Super <(?<super>.*)>, Charge <(?<oic>.*)>, number <(?<pcn>.*)>, Card <(?<cn>.*)>, (CO <(?<co>.*)>,)? Warn <(?<warn>.*)>" | table _time oic eventNo pcn cn super co warn It gives me the records which do not contain this item. I want to extract all the records irrespective of whether it is present or not present. Please let me know what I am doing wrong. Thanks a lot in advance.
I have a piece of code as - | rex field=$AppNC$ ".*\/(?<ChosenAppCode>.*)" | search job_name=* U_APP_CODE=ChosenAppCode From the drop down the AppNC (App Name Code) is chosen and the search should have the app code part. How can the following be dynamic? U_APP_CODE=ChosenAppCode Meaning, ChosenAppCode would be the code extracted in the line above?
Hi, Is there a way in ITSI to monitor web sites, i.e.: www.mywbsite.com, www.google.com, any given web URL, monitoring their HTTP response, latency, availability? Regards
I'm kinda lost here. I'm trying to test something on my Splunk Free at home using the receivers/simple endpoint and all I'm getting is 404. The "normal" HEC endpoints work OK. $ curl "http://172.16.0.3:8088/services/receivers/simple?source=www&sourcetype=web_event" -d "aaaaaaaaaaaaaa" {"text":"The requested URL was not found on this server.","code":404} It's the example almost literally copied from the REST API docs. And I'm getting 404. Where to look for diagnostic info?
Hi, Is it possible to filter specific field values on indexers without a Heavy Forwarder in an indexer cluster?
I always struggle with this common task (common for me). I have a v8 UF set up on a Windows 10 machine; it is logging all of the WinEvent logs beautifully (back to my Splunk v8 server), however I need to monitor something specific on this machine. (NB: I do NOT use deployment-server in any way, anywhere.)

I need this Windows UF to monitor all *.log files, recursively, within X directory. In this case, it's:

C:\ProgramData\vMix\ (any/all *.log files recursively)
and
C:\Users\pc\Documents\vMixStorage\logs (any/all *.log files recursively)

So I edit inputs.conf:

notepad++.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf"

and I add these stanzas, one at a time (and then test to see if data is getting to my Splunk server):

[monitor://C:\Users\pc\Documents\vMixStorage\log\*]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX

[monitor://C:\ProgramData\vMix\...\*.log]
disabled = 0
index = pcs
blacklist = .*stream.*|stream.*
whitelist = *.log
recursive = true
sourcetype = vMIX

[monitor://C:\ProgramData\vMix\*.log]
disabled = 0
index = pcs
blacklist = .*stream.*|stream.*
sourcetype = vMIX

[monitor://C:\Users\pc\Documents\vMixStorage\...\*.log]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX

[monitor://C:\Users\pc\Documents\vMixStorage\logs\]
disabled = 0
index = pcs
blacklist = .*stream.*
whitelist = *.log
recursive = true
sourcetype = vMIX

At some point in adding the above, one stanza at a time, I did get the *.log files to flow in; however, they then stopped updating/flowing in (but the Windows event log is of course still flowing in, rock solid). I get this output from .\splunk.exe list monitor, which to me seems like it's NOT what I want (as I *think* I should be seeing those directories under "Monitored Directories", but I have yet to be able to get that to occur).
PS C:\Program Files\SplunkUniversalForwarder\bin> .\splunk.exe list monitor
Monitored Directories:
[No directories monitored.]
Monitored Files:
C:\ProgramData\vMix\*.log
C:\ProgramData\vMix\...\*.log
C:\Users\pc\Documents\vMixStorage\...\*.log
C:\Users\pc\Documents\vMixStorage\log\*
C:\Users\pc\Documents\vMixStorage\logs\

btool debug:

.\splunk.exe cmd btool inputs list --debug
## <snip> ##
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\ProgramData\vMix\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf blacklist = .*stream.*|stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\ProgramData\vMix\...\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf blacklist = .*stream.*|stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf whitelist = *.log
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\Users\pc\Documents\vMixStorage\...\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\Users\pc\Documents\vMixStorage\log\*]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf [monitor://C:\Users\pc\Documents\vMixStorage\logs\]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf blacklist = .*stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf whitelist = *.log
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\default\inputs.conf [monitor://C:\Windows\System32\DHCP]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\default\inputs.conf crcSalt = <SOURCE>
## <snip> ##

Can anyone please help or point me to the correct stanza I should be using here? I really have spent hours searching and reading forum posts (which is how I arrived at the stanzas above), as I know this is a common task; however, I know I'm still not doing this correctly (+ it's not working). Thank you! (Apologies for the poor spacing; I have tried to re-edit but it does not seem to be saving my changes on edit->post.)
I'm trying to join the correct source hostname to my event from where an RDP connection was initiated. Since the event just provides the source IP address, I want to join the hostname from my summary index that has hostnames with the IP addresses which they have been assigned to over time (1m bucket). Unfortunately it's not working as expected. I built the search as follows:

<search string for RDP Logon Event>
| bucket span=1m _time
| join type=left [search index=<summary_index> | eval source_host = hostname | eval Source_Network_Address = IP | fields _time Source_Network_Address source_host]
| table _time host source_host Source_Network_Address

Now what happens is that the Source_Network_Addresses are getting matched, but it only returns the latest _time value from the summary_index for the matched network address for all, which of course mostly results in a wrong hostname. Why is it not also matching the _time value from the base search with the _time value from the subsearch? Both _time fields are in timestamp format. Thanks for helping me.
Hello, I have installed bonnie++ Ver 1.03e on Ubuntu 20.04.4 and tried to run the command bonnie++; attached please find the output screenshot. May I know how to calculate or check the IOPS from this bonnie++ output? Should it be just the last column > Random > 313.2 /sec? Thank you! I heard that we should have at least 800 IOPS for Splunk and ideally 1200+ for Splunk.
I have HEC sending events to Splunk in JSON format:

{ Status: Down Source: GCP URL: url_1 }
{ Status: Up Source: GCP URL: url_2 }
{ Status: Down Source: AWS URL: url_1 }
{ Status: Up Source: AWS URL: url_2 }

I want to extract a value from the JSON and then declare a variable; not sure whether I should use eval or stats. For example: declare a variable usl_1_aws_status, it should be Down; declare a variable usl_2_gcp_status, it should be UP. How do I extract a value from JSON and then declare a variable?
I have events like these (just some made-up data) that are pushed in JSON format to Splunk:

{"name":"abc", "grade":"third", "result": "PASS", "courses":["math","science","literature"], "interests":["this","that"]}

Events are being generated all the time, and I need to get the latest values of "result", "courses" and "interests" for a given "name" and "grade". Note that "courses" and "interests" are lists/arrays, while other fields are strings. So I am doing something like:

index=whatever name=abc grade=third | stats latest(courses) as courses, latest(interests) as interests, latest(result) as result
index=whatever name=abc grade=third | stats latest(courses{}) as courses, latest(interests{}) as interests, latest(result) as result
index=whatever name=abc grade=third | eval courses=json_array_to_mv(courses), interests=json_array_to_mv(interests) | stats latest(courses) as courses, latest(interests) as interests, latest(result) as result

Also tried with the "tstats" approach. None of those work. I get the courses and interests as empty values. result comes in fine, because it's a string. How can I get the "latest" lists of courses and interests given other values?
I have a lookup file that has 5 columns. Those are src_ip, dest_ip, dest_port, signature and active. src_ip has 18 values while the dest_ip has 50 values. Signature is based on the dest_ip field, meaning for 30 of the dest_ip we'll see a signature named "ssh login." The other 20 sigs will be "ftp login." Sigs that are "ssh login" will always be dest_port=22 and sig "ftp login" will always be dest_port=21. The src_ip can hit any of the destinations / dest_ports / signatures. I've tried this in my search but it falls short of adding in the src_ip against all the dest_ip:

| inputlookup exclusion_list.csv | fields src_ip dest_ip dest_port signature | format | table search

The issue I'm seeing is once the search gets to a row in the lookup file that doesn't contain a src_ip it doesn't add on to the results. So in essence I end up with 18 lines that have: ( (dest_ip=xxxx AND dest_port=22 AND signature=xxx AND src_ip=yyyy) OR (dest_ip=xxxx AND dest_port=22 AND signature=xxx) ) I can't figure out how to make the command send the src_ip's to all the dest_ip / dest_port / signature combos. This is hard to write out what I want but hopefully there is some help out there. Thanks in advance.
I'm trying to install a fresh install of Enterprise Security onto a search head cluster.  I uploaded the app via the GUI onto the shc deployer, but before I click start configuration process, I note the following message:  Single Search Head Deployment Splunk Enterprise Security is being configured on a single search head deployment. How do I get it to recognize it is a search head cluster deployer? 
Is there a way to make a timechart like this in Splunk? I really don't need the number values on the y axis; I mostly care about showing the status as good, fair or poor.
Hello All, I have a really simple search; while it works, I'd like to do some operations on that data:

index=xxxx earliest=-2w@w0 latest=@w6@d+24h | timechart span=7d count(response_time)

Output is

2022-03-13    3,xxx,xxx
2022-03-20    3,xxx.xxx

The deal is, I'd really like to have those separate outputs as variables like Week1 and Week2. This way I could do some operations to see my site's volume week-to-week change so I can normalize error data. Hopefully this makes sense.
Hi All, after querying and grouping my data, my timestamps are in different formats, like:

2021-01-20 07:22:34.545674
2020-02-18T11:03:44.543+0000
2021-01-25T11:05:33.003Z
2022-04-01 19:51:01.411826Z
2021-05-22 02:49:26.607839

How can I have a uniform format for all the timestamp values in the stats table?