All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Topics

Windows TCP- What can I do in order to receive the packages on the indexer please?

by in Getting Data In
‎03-30-2022 01:46 AM
‎03-30-2022 01:46 AM
Hello there, I am new to Splunk. I had configured my universal forwarder in order to send data to the indexer. The universal forwarder is a Linux server and running the command netstat -an | grep 9... See more...
Hello there, I am new to Splunk. I had configured my universal forwarder in order to send data to the indexer. The universal forwarder is a Linux server and running the command netstat -an | grep 9997 I can see that tcp packages are being sent to the indexer, but the status is 'TIME_WAIT'. While my indexer is a windows 10 desktop, I have added permission to accept tcp and ICMP packages, but still, I can't find the data I want on the splunk instance installed on the indexer (or any other data concerning the forwarder).  My question is then, what can I do in order to receive the packages on the indexer please? PS: I have another indexer which is a Linux desktop, and it works just fine, I can find the forwarder data. PS': Here is the link for the tutorial I've been following in order to configure the splunk instences I'm using Using the Universal Forwarder to gather data | Splunk Operational Intelligence Cookbook (packtpub.com) Any help would be appreciated ! Regards,
Labels

How to get data from Splunk Cloud?

by in Splunk Search
‎03-30-2022 01:44 AM
‎03-30-2022 01:44 AM
Can I use Splunk REST API to get data from Splunk Cloud? Can someone give me some examples? I have read some documents on how to get data from Splunk Cloud but not really understand? Any help is hi... See more...
Can I use Splunk REST API to get data from Splunk Cloud? Can someone give me some examples? I have read some documents on how to get data from Splunk Cloud but not really understand? Any help is highly appreciated.

How to create a line chart visualization?

by in Splunk Search
‎03-30-2022 12:54 AM
‎03-30-2022 12:54 AM
index=* namespace="dk1017-j" sourcetype="kube:container:kafka-clickhouse-snapshot-writer" message="*Snapshot event published*" AND message="*dbI-WAR*" AND message="*2022-03-29*" AND message="*" |fiel... See more...
index=* namespace="dk1017-j" sourcetype="kube:container:kafka-clickhouse-snapshot-writer" message="*Snapshot event published*" AND message="*dbI-WAR*" AND message="*2022-03-29*" AND message="*" |fields message |rex field=_raw "\s+date=(?<BusDate>\d{4}-\d{2}-\d{2})" |rex field=_raw "sourceSystem=(?<Source>[^,]*)" |rex field=_raw "entityType=(?<Entity>\w+)" |rex field=_raw "\"timestamp\":\"(?<Time>\d{4}-\d{2}-\d{2}[T]\d{2}:\d{2})" |sort Time desc |dedup Time |table Source, BusDate, Entity, Time     output of above command is below ------------------- Source BusDate Entity Time dbI-WAR 2022-03-29 BOOKING 2022-03-30T02:05 dbI-WAR 2022-03-29 DATA_QUALITY_REPORTS 2022-03-30T02:04 dbI-WAR 2022-03-29 DATA_QUALITY_ENTITIES 2022-03-30T02:03 dbI-WAR 2022-03-29 COMBINED_POSITION_NORMALIZED 2022-03-30T01:40 dbI-WAR 2022-03-29 COMBINED_POSITION 2022-03-30T01:36 dbI-WAR 2022-03-29 DATA_QUALITY_ENTITIES 2022-03-30T01:35 dbI-WAR 2022-03-29 DEPOSIT 2022-03-30T01:34 dbI-WAR 2022-03-29 DATA_QUALITY_REPORTS 2022-03-30T01:33 dbI-WAR 2022-03-29 DATA_QUALITY_ENTITIES 2022-03-30T00:43 dbI-WAR 2022-03-29 NEXT_BUSINESS_DAYS 2022-03-29T23:49     question - i would like to line chart  x axis should be date as date is same for all  &  y axis should be time 
Labels

How to blacklist lookup for syslogs?

by in Splunk Search
‎03-30-2022 12:54 AM
‎03-30-2022 12:54 AM
I have a blacklist.csv file that looks like the following,   IP domain 1.0.136.29 # 2018-11-12, node-1lp.pool-1-0.dynamic.totbb.net, THA, 2 1.0.136.215 # 2018-10-06, node-... See more...
I have a blacklist.csv file that looks like the following,   IP domain 1.0.136.29 # 2018-11-12, node-1lp.pool-1-0.dynamic.totbb.net, THA, 2 1.0.136.215 # 2018-10-06, node-1qv.pool-1-0.dynamic.totbb.net, THA, 2   i want to scan my syslog events and see if any IP address match the IPs in this blacklist. a syslog event looks like this: Feb 7 03:32:31 Router kernel: [WAN_IN-3009-A]IN=eth0 OUT=eth1.100 MAC=18:e8:29:44:40:ac:00:1d:aa:a2:78:axxxxxx src=128.199.123.0 DST=192.168.100.207 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=52834 DF PROTO=TCP SPT=38290 DPT=8194 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x64800000 i already set up a lookup definition and lookup table, but i dont know exactly how to put up a search to display if a syslog even matches an IP in the blacklist.csv
Labels

How to inject multiple host in the Splunk mstats?

by in Splunk Search
‎03-30-2022 12:45 AM
‎03-30-2022 12:45 AM
I am looking forward to creating a table for system metrics values like "cpu", "memory" and "swap", now if run the below search it works, but it will get all hosts available while I want my search to... See more...
I am looking forward to creating a table for system metrics values like "cpu", "memory" and "swap", now if run the below search it works, but it will get all hosts available while I want my search to be specific to some hosts. 1) | mstats max(cpu.idle) AS "CPU_IDLE" avg(memory.free) as "MEMORY_FREE" avg(swap.used) as "SWAP_USED" WHERE `sai_metrics_indexes` earliest=-30m@m by host | eval "cpu_active"=100-cpu_idle | fillnull value=0 | foreach CPU* MEM* SWAP* [| eval "<<FIELD>>"=round('<<FIELD>>',2)] 2)Where if i try like below then i get an error as i am beginner and not getting the right approach to get it . | mstats max(cpu.idle) AS "CPU_IDLE" avg(memory.free) as "MEMORY_FREE" avg(swap.used) as "SWAP_USED" WHERE `sai_metrics_indexes` earliest=-30m@m by ("host"="host1.example.com" OR "host"="host2.example.com" OR "host"="host3.example.com" ) | eval "cpu_active"=100-cpu_idle | fillnull value=0 | foreach CPU* MEM* SWAP* [| eval "<<FIELD>>"=round('<<FIELD>>',2)] 1) working screen shot  2)  trial but not working  Would appreciate to get any help or direction on this.
Labels

How to Join Alert lookup file with a mapping file depending on pattern search?

by in Dashboards & Visualizations
‎03-30-2022 12:23 AM
‎03-30-2022 12:23 AM
Hello, I have a alert dump data Horizon.csv having important columns like below: Alert   GRN   Type .... PNC/hz-hfp-l-abc[MAXRUN]      PNC/hz-hfp-l-abc   Autosys Filesystem[ivp1234.xy.com] [9... See more...
Hello, I have a alert dump data Horizon.csv having important columns like below: Alert   GRN   Type .... PNC/hz-hfp-l-abc[MAXRUN]      PNC/hz-hfp-l-abc   Autosys Filesystem[ivp1234.xy.com] [91>90]   ivp1234.xy.com   Application Filesystem[ivp1244.xy.com] [91>90]   ivp1244.xy.com   Application p.start.script.pl is down     Process down   API which I need to merge with Mapping.csv but on a condition that if Type=Autosys then merge on GRN else merge on Type details of Mapping.csv Type   Name   Module    Header Autosys   hz-hfp-l-abc   HF   EOD Job Application   <blank>   Eng   Server alerts API   <blank>   LF   Service alerts    I need output as  Alert   GRN   Type   Module   Header PNC/hz-hfp-l-abc[MAXRUN]      PNC/hz-hfp-l-abc   Autosys   HF   EOD Job Filesystem[ivp1234.xy.com] [91>90]   ivp1234.xy.com   Application   Eng   Server alerts Filesystem[ivp1244.xy.com] [91>90]   ivp1244.xy.com   Application   Eng   Server alerts p.start.script.pl is down     Process down   API   LF Service alerts
Labels

Why has the Forwarding stopped suddenly for few of the forwarders?

by in Splunk Enterprise
‎03-30-2022 12:18 AM
‎03-30-2022 12:18 AM
We have a distributed architecture  Search head cluster with 6 hosts across 3 data centres Index cluster with 6 index peers and 1 index master  Forwarders on all servers in environment  - web t... See more...
We have a distributed architecture  Search head cluster with 6 hosts across 3 data centres Index cluster with 6 index peers and 1 index master  Forwarders on all servers in environment  - web tier, app tier, load balancer tier Few months back , web tier stopped sending - log stopped coming to splunk ; but other tiers are are working  When checked the activity on web-tier , there was a patching happened and splunkd was restarted -after that forwarding stopped in web-tier  But splunkd process came up fine - still running in those  And observed below WARN messages started coming exactly same time  [ See the highlighted in red starting from 10 seconds it grows ] WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group index_peers has been blocked for 10 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. ---------- ------ +0000 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group index-peers has been blocked for 9725460 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. +0000 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group index-peers has been blocked for 9725470 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. =============================================================================  Why we picked this WARN message may be cause - as same happened in other tier recently  load lancer tier stopped stopped forwarding recently. Above WARN started showing  same time onwards - starting with  "blocked for 10 seconds  "   splunk forwarder is running fine in all these  App tier still working -sending data , so indexers are fine  not disk space or memory issue in any of these  No config changes done any where ( inputs or outputs conf or any file that matter) -its same , just that stopped working suddenly    What could have caused this sudden stopping of forwarding ? Splunk Enterprise Version:7.2.1Build:be11b2c46e23    
Labels

Eval Comparision shows no matches despite both fields having same values

by in Splunk Search
‎03-29-2022 11:05 PM
‎03-29-2022 11:05 PM
Hi All,  I need to filter my search based on the condition if the values of 2 fields are equal or not.  The 2 fields in question are actor.alernateID  and src_user_email and both fields are visible ... See more...
Hi All,  I need to filter my search based on the condition if the values of 2 fields are equal or not.  The 2 fields in question are actor.alernateID  and src_user_email and both fields are visible in the same event. For example:  Raw data shows value of actor.alternateID is   anand.pandey@company.com   Likewise, Raw data shows value or src_user_email is also same:  anand.pandey@company.com If i run the following search,  the value of the field match  comes out to be "No match" .  Why is eval showing them to be not a match if both field values are the same ?      index=xxx sourcetype=xxxx .... | eval match=if(actor.alternateId=src_user_email,"Match","No Match")       Likewise, instead  if i  use the where condition instead of eval  ,  this shows NO results to display;   meaning  even the where clause thinks both fields are different .       |where src_user_email = actor.alternateID     The same is happening for other email IDs and other fields even though their values are same. What am i doing wrong here? How to compare fields then?  Both are strings.
Labels

How to add background cover for Dashboard Panel Title Colors?

by in Splunk Search
‎03-29-2022 11:03 PM
‎03-29-2022 11:03 PM
Hello,   I am trying to add a background cover for the panels within a dashboard.   I have attached a photo of what we currently have and then a photo example of what I am trying to do.   ... See more...
Hello,   I am trying to add a background cover for the panels within a dashboard.   I have attached a photo of what we currently have and then a photo example of what I am trying to do.   Including is the source code for these panel sections.   <row> <panel> <title>DoS Protection Count and Distribution Aggregate - ALL DATACENTER FIREWALLS</title> <table> <title>DoS Protection Count and Distribution - ALL DATACENTER FIREWALLS</title> <search> <query>index=pan_logs threat_category=flood dvc="FD0*.*" rule="* DoS Protection" vendor_action="random-drop" OR vendor_action="drop" action!=unknown | stats sparkline sum(repeat_count) by vsys_name dvc dest_ip action | sort by sum(repeat_count) desc limit=10 | rename sparkline AS "Distribution", sum(repeat_count) AS "Count", dest_ip AS "Destination", vsys_name AS "Virtual System", dvc AS "Device", action AS "Action" | table Device "Virtual System" Action Count Destination Distribution</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <refresh>2m</refresh> <refreshType>delay</refreshType> </search> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> <panel> <title>ALL DATACENTERS | Resources Unavailable</title> <chart> <title>ALL DATACENTERS | Resources Unavailable</title> <search> <query>index=pan_logs dvc="*" session_end_reason="resources-unavailable" | timechart span=5h count by dvc</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <refresh>2m</refresh> <refreshType>delay</refreshType> </search> <option name="charting.chart">column</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row>  

Why when opening Splunk enterprise it is showing refused to connect?

by in Splunk Search
‎03-29-2022 10:44 PM
‎03-29-2022 10:44 PM
  after trying to open my Splunk enterprise on my pc I am getting this page, please help me out here

How to upgrade Splunk from 8.2.2 to latest version?

by in Splunk Enterprise
‎03-29-2022 09:57 PM
‎03-29-2022 09:57 PM
i want to upgrade splunk from 8.2.2 to latest version. is there  a way to output the data stored in Splunk to another storage ?? please provide splunk documentation.   Appreciate your time. 

How to subsearch/multisearch date based on minimum of main search?

by in Splunk Search
‎03-29-2022 09:08 PM
‎03-29-2022 09:08 PM
lets say I have a subsearch or multisearch. I want to have my subsearch/multisearch date to be 30 days before the start of main search date. Right now i have it hardcoded all the way from start d... See more...
lets say I have a subsearch or multisearch. I want to have my subsearch/multisearch date to be 30 days before the start of main search date. Right now i have it hardcoded all the way from start date of my data . But in reality I am interested only 30 day before main search.  The main search will be something like "Before 03/01/2022". So here my subsearch  earliest date should be  from "03/01/2022" minus 30 days  till "03/01/2022"      | multisearch [search index="abc" ] [search index="xyz" earliest="11/01/2021:20:00:00"]     Thanks.
Labels

How to create API to send jobs to splunk app?

by in Splunk Search
‎03-29-2022 08:52 PM
‎03-29-2022 08:52 PM

How to get the last hour of events but also remove any data after last hour

by in Splunk Search
‎03-29-2022 08:51 PM
‎03-29-2022 08:51 PM
Deleted
Labels

Can I get data out Splunk Cloud Platform?

by in Splunk Search
‎03-29-2022 08:50 PM
‎03-29-2022 08:50 PM
Can I get data in Splunk Cloud Platform? and how can i get it (REST API, library in python,...) Any help is appreciated

How to search a splunk search result?

by in Splunk Search
‎03-29-2022 08:39 PM
‎03-29-2022 08:39 PM
I have a macro named X that uses the lookup in the search and produces the results as follows  indexes index IN ("ABC","DEF")   where as indexes is column name   Now I want to use the macro X ... See more...
I have a macro named X that uses the lookup in the search and produces the results as follows  indexes index IN ("ABC","DEF")   where as indexes is column name   Now I want to use the macro X result (index IN ("ABC","DEF")) in a separate search as follows    my_search | where `X` which should execute as below my_search | where index IN ("ABC","DEF")   Now how can I achieve that?  
Labels

How to get data in Splunk Cloud Platform?

by in Getting Data In
‎03-29-2022 07:41 PM
‎03-29-2022 07:41 PM
Can I get data in Splunk Cloud Platform? and how can i get it (REST API, library in python,...) Any help is appreciated
Labels

Help creating a table that shows Incident Review Mean Time to Triage for each type of notable per notable owner

by in Splunk Enterprise Security
‎03-29-2022 05:19 PM
‎03-29-2022 05:19 PM
Hello,   This is my first time seeking help in a forum, I apologize if my ask is confusing.   I'm looking to pull the metrics for each analyst based on the Mean time to triage each type of no... See more...
Hello,   This is my first time seeking help in a forum, I apologize if my ask is confusing.   I'm looking to pull the metrics for each analyst based on the Mean time to triage each type of notable in the Incident Review dashboard. I need a table that shows the time it took for each analyst to put the status in "Ready for Review" after they put the status as "In Progress, the analyst name, & the notable name   This is a similar search to the one I have right now: |`incident_review` | rename status_label as status | where status == "Ready for Review" | sort - _time | table status,rule_id,rule_name,owner_realname | rename rule_id as "Notable ID" | rename rule_name as Notable | rename owner_realname as Analyst | join type=left rule_id [ search notable | rename _time as notable_creation_time | convert ctime(notable_creation_time) | stats min(notable_creation_time) as notable_creation_time by rule_id]

Can we add Audible alerts in dashboard Trellis View?

by in Alerting
‎03-29-2022 04:27 PM
‎03-29-2022 04:27 PM
Hi, i have a Trellis view single value where it shows the statues of up/down. When the status is down, i would like to get a sound alert. Is it possible in Splunk? Please let me know, if there is a w... See more...
Hi, i have a Trellis view single value where it shows the statues of up/down. When the status is down, i would like to get a sound alert. Is it possible in Splunk? Please let me know, if there is a way of adding audible alert based on the query condition. Thank you!  
Labels

How to add flashing or blinking in Trellis View?

by in Dashboards & Visualizations
‎03-29-2022 03:55 PM
‎03-29-2022 03:55 PM
I have a single value trellis view where it shows the status of items up (Green) and down (Red). When the status is down (Red), i would like to get the trellis view to flash or blink. I added the htm... See more...
I have a single value trellis view where it shows the status of items up (Green) and down (Red). When the status is down (Red), i would like to get the trellis view to flash or blink. I added the html code below to my trellis view, however all statues green/red are flashing now. I would like the statuses or red items to flash only. Please let me know if there is a way to achieve this in Splunk dashboard. Thank You!   <panel depends="$alwaysHideCSSPanel$"> <html> <style> @keyframes blink { 100%, 0% { opacity: 0.6; } 60% { opacity: 0.9; } } #singlevalue rect { animation: blink 0.8s infinite; } </style> </html>  
Labels