Hi all, my first post on this community. I am a veteran of another BI tool that starts with a Q, and very keen to learn new tools and play with new toys! I scanned the community but could not find a relevant answer, so please forgive me if this is not a new subject. I installed a forwarder on my Pi Zero, but cannot start it. Downloaded the ARM version with:
sudo wget -O splunkforwarder-8.2.5-77015bc7a462-Linux-armv8.tgz "https://download.splunk.com/products/universalforwarder/releases/8.2.5/linux/splunkforwarder-8.2.5-77015bc7a462-Linux-armv8.tgz"
Then untarred it:
sudo tar -xvzf splunkforwarder-8.2.5-77015bc7a462-Linux-armv8.tgz
Then tried to start it:
sudo ./splunk start --accept-license
I just get this weird error message. No idea how to proceed.
Hi folks, I have been working on a dashboard that displays results as a timechart grouped by day. I see results are displayed for the dates I have chosen. My requirement here is not to have weekend data on the dashboard, which I have achieved by adding the below to the search query:
| eval date_wday=lower(strftime(_time,"%A")) | where NOT (date_wday="saturday" OR date_wday="sunday") | fields - date_wday
But my question here is how I can achieve this dynamically. Instead of adding this in the query, I should have an input button in the dashboard which can be used to select 'weekend data needed' or 'not needed', and accordingly the result should be populated in the dashboard. Can someone advise on this? Much appreciated for any suggestions. Thanks.
Hello Splunkers! Is there any figure (numbering) guide for the Replication Factor and Search Factor in index clustering settings? Any official guide documentation? Thank you in advance.
Hi, I need help writing a Splunk query for calculating the Linux CPU load average for the last 1, 5 and 15 minutes. I have the Splunk TA nix app and collected the metric vmstat_metric.loadAvg1mi and used this metric for the last-1-minute query. But I am not sure how to calculate the load average for the last 5 and 15 minutes. Can anyone
Hello Splunkers! To my knowledge, MongoDB is only for internal use and can be accessed with internal Splunk SPL. Is there any official documentation about this? Thank you in advance.
We have a dashboard that checks endpoint health and creates a message, "Endpoint XYZ is available". The source is a path to a script: /u01/splunk/etc/apps/<app_name>/bin/ping.sh. Is there a way for me to read the contents of the script from the search bar? Is it possible to overwrite or append to the script from the search bar if I am an app owner? I do not have Splunk server command line access.
Hi team, I am getting the below error while trying to post data to my Splunk using the below URL. I have installed the certificates in the source system by taking them from the browser (lock symbol). Can you please check and help with which certificates exactly need to be installed to post data to the below URL?
Endpoint URL: https://prd-p-jmw56.splunkcloud.com:8088/services/collector/raw
Error details:
java.net.ConnectException: java.security.cert.CertificateException: No name matching prd-p-jmw56.splunkcloud.com found, cause: java.security.cert.CertificateException: No name matching prd-p-jmw56.splunkcloud.com found
Thanks, Venkat
Hello guys, I would like to have best practices regarding deploying a new Splunk cluster V8. Could you say if this is correct and in logical order?
1. Install Splunk on all nodes with a non-root user (except if you want HF), verify ulimits
2. Configure one server "manager" with monitoring console, license master, deployer & deployment server roles
3. Configure Master Node (cluster master) on a separate server
4. Configure peers, connect them to the MN
5. Configure search heads, connect them to the MN
6. Configure Universal forwarders
Thanks.
Hi everybody, I need to upgrade Splunk Enterprise from 7.3.X to 8.1.0 and then to 8.2.5 (Windows). The architecture includes:
- 1 cluster master
- 1 search head
- 2 indexers (cluster)
- 1 deployment server
- 1 heavy forwarder
- n universal forwarders
Looking at the documentation, these are the steps to follow: Download the MSI file to the host. Double-click the MSI file. The installer runs and attempts to detect the existing version of Splunk Enterprise installed on the machine. When it locates the prior installation, it displays a panel that asks you to accept the licensing agreement. Accept the license agreement. The installer then installs the updated Splunk Enterprise. This method of upgrade retains all parameters from the existing installation. The installer restarts Splunk Enterprise services when the upgrade is complete, and places a log of the changes made to configuration files during the upgrade in %TEMP%.
Shouldn't I stop the Splunk service before? Do I only need to double-click on the installer and follow the wizard on each host? That's it? Is there something that I'm missing?
About Splunk apps and add-ons: I need to update some of them; should I do it before or after the Splunk upgrade? Example: Add-on for VMware ESXi Logs is now 3.4.2 and needs to be upgraded to 4.0.3 (which doesn't support Splunk 7.X). I think I should upgrade Splunk first, then add-ons and apps, correct?
Thanks in advance for any help.
I have local access to Splunk on my system and I am seeking a means of accessing the API via a C# application. I noticed there was some documentation but no clear direction on data definition or additional routes to accessing the data. Could I get some help with this?
I have a string in this form:
sub = 13433
cf-ipcountry = US
mail = abc.test@gmail.com
ct-remote-user = testaccount
elevatedsession = N
iss = www.google.com
user-agent = Apache-HttpClient/4.5.8 (Java/1.8.0_322)
I want to extract the iss field's value. I tried this but it did not work:
| rex max_match=0 field=_raw "\/sub \/user-agent \/(?<temp>.*)"
My log is like this:
Time | Event
3/23/22 11:00:00.000 AM | Application 'AAA' is running
Application 'BBB' is stopped
Database 'CCC' is running
Database 'DDD' is running
3/23/22 11:10:00.000 AM | Application 'AAA' is running
Application 'BBB' is running
Database 'CCC' is stopped
Database 'DDD' is running
I want to extract a table like:
Time | Server | Host | Status
3/23/22 11:00:00.000 AM | Application | AAA | running
3/23/22 11:00:00.000 AM | Application | BBB | stopped
3/23/22 11:00:00.000 AM | Database | CCC | running
3/23/22 11:00:00.000 AM | Database | DDD | running
3/23/22 11:10:00.000 AM | Application | AAA | running
3/23/22 11:10:00.000 AM | Application | BBB | running
3/23/22 11:10:00.000 AM | Database | CCC | stopped
3/23/22 11:10:00.000 AM | Database | DDD | running
How to do this? Does anyone have an idea?
Dear Splunk Experts and Community, we are interested in receiving notifications as often as possible when an event is received into Splunk. We have currently set up a Saved Search that has an action of Webhook to send us alerts every few minutes, which is working OK for us. However, as we are new to this system, we aren't sure if there is a better way to implement a feed from Splunk to our API. Any additional suggestions? Thanks!
Hello, as you can see, I use a table with a one-hour bin span and I need to drill down on every row in order to display more details in another dashboard. How to do this, please?
Hello team, what capabilities are required for enabling and disabling maintenance mode? Based on the following link https://community.splunk.com/t5/Security/Capabilities-needed-for-a-service-account-to-enable-Maintenance/m-p/345744 , I did provide the capability edit_indexer_cluster, but no breakthrough.
IHAC who are using SH/IDX on AWS, and they want to enable encryption on the volume (SSD disk) on which Splunk is installed while it is running. But the customer wonders if it will impact the current system. The volume includes indexed data and installed files. Do we have any side impact or condition for enabling encryption on the disk volume while running? Thank you.
Hello. I would like to know if there is any command from the dashboard code or from the address bar (Chrome URL bar) to be able to automatically put a dashboard in full screen. I saw a command for a shortcut in Chrome, but it does not show me the dashboard in full screen; I would like to avoid hitting the button every time I open the dashboard. Thanks.
Cannot be retrieved after field extraction. If the field extraction is delimited with `, no search is performed after field extraction. However, if you delimit with | or , in the same way, extraction and search work normally. Is there any problem?
_raw: field1`field2`field3`field4`field5`
ex) (?P<field_name>[^\`]*)`(?P<field_name2>[^\`]*)`(?P<field_name3>[^\`]*)`(?P<field_name4>[^\`]*)`(?P<field_name5>[^\`]*)`
Search query:
index=winevent source="WinEventLog:Security" EventCode="4624" | stats count by user Source_Network_Address
Output utilizing Sankey visualization:
Source | Target | Count
User A | 10.20.30.40 | 26
User B | 10.20.30.40 | 30
User B | 10.20.30.50 | 10
How do I only identify users that have connected to more than 1 box? I attempted to use the where function/argument; however, I may be inputting the syntax incorrectly since it provides no results.
I'm trying to set up the Splunk IT Essentials Work app in a single-instance environment, and when I open up the app it says it is unable to retrieve subscription data. None of the documentation mentions anything related to a subscription. I was under the impression that I just needed to download and install this app. What subscription is it looking for?