All Topics

Hello, good day. I'd like to ask if the integration of AppDynamics with Remedy is possible and if there is any guide in the documentation? ^ Edited by @Ryan.Paredez for clarity and searchability
I'm trying to match all domains from a lookup file with a base search and get a count of the events for each one, even if there are no events matching (0 count):

mysite.com count 12
anothersite.com count 5
myothersite.com count 0

index=application sourcetype=mysource | lookup myfile.csv Domain as <corelated event field> | append [ | inputlookup myfile.csv | fields Domain] | stats count as total by Domain | fillnull value=0 total | table total | sort -total

If you can, please explain your answer - whether there is a syntax error, a keyword misuse, or a conceptual error on my part.
I'm trying to extract the total word count from field1 but am unable to find the correct solution. The format is:

field1: {'totalWordCount': 44891, 'totalUsers':49, 'usUsers':20, 'publishers':18, 'articlesByCountry': {'CA':124, 'US':50, 'AUS':19, 'NZ':2}, 'publishersbyCountry':{'CA':124, 'US':50, 'AUS':19}}

There's much MUCH more to this field than I listed above, but I am only interested in the total word count. Any idea how to extract this information? I've tried

|rex field=field1 "'totalWordCount': * "

but get an error message: "The regex "totalWordCount':*' does not extract anything. It should specify at least one name group. Format: (?<name>...)." I'm still new to Splunk, so bear with me!
<title> Clam Scan Results </title>
<event>
<search> ref="anti-virus scan results"> </search>
<option name="list.drilldown" >none</option>

I have been trying to input this query into Splunk and I am getting the following error: error in 'search' command: unable to parse the search: Comparator '<' is missing a term on the left hand side. I have removed the > before the ref, but I still get the same result. Can anyone help me solve this?
Hi guys, I tried to configure the Microsoft Azure add-on grabber, and on Azure I didn't find the workspace ID. Can you help me please? Thanks, A.
Hi, to import CSV files do we need a heavy forwarder, or can we just use a universal forwarder? I tried a universal forwarder (with no transforms.conf or props.conf) on one machine and it worked, and now I tried it on another machine and it doesn't work (error: Bug during applyPendingMetadata, header processor does not own the indexed extractions confs.). I'm new to Splunk, can anyone help? Thanks in advance.
How to Remove Horizontal Scrollbar in Transpose Table? The scrollbar is appearing below the table.  
I have two search queries:

| metadata index=* type=sources

that results in something like the following (under the source field):

/lorem/ipsum/dolor/sit/tortor-adaptor.log
/lorem/ipsum/dolor/sit/tortor-adaptor.log.1
/lorem/ipsum/dolor/sit/tortor-adaptor.log.10
/lorem/ipsum/dolor/sit/tortor-adaptor.log.11
/lorem/ipsum/dolor/sit/tortor-adaptor.log.12
/lorem/ipsum/dolor/sit/tortor-adaptor.log.13
/lorem/ipsum/dolor/sit/tortor-adaptor.log.14
/lorem/ipsum/dolor/sit/tortor-adaptor.log.15

Then there's the following search:

| tstats values(source) where index=*

that produces something like the following (under the values(source) field):

/lorem/ipsum/dolor/sit/tortor-adaptor.log
/lorem/ipsum/nunc-test.log.1
/lorem/ipsum/dolor/sit/pulvinar/ex-eros.log
/comsed/ipsum/dolor/ut-eget.log
/donec/sit/nam-libero.log.1
/aliquet/ipsum/dolor/sit/vel-arcu.log

Why is Splunk showing me different results? Also, how can I search for all the increments of the source if I know what it is? For example, if I have "/lorem/ipsum/dolor/sit/tortor-adaptor.log", how can I find all of its increments (e.g. "/lorem/ipsum/dolor/sit/tortor-adaptor.log.1, /lorem/ipsum/dolor/sit/tortor-adaptor.log.2, /lorem/ipsum/dolor/sit/tortor-adaptor.log.3")?
Hi Splunkers, I have to schedule a Saved Search in Splunk Enterprise Security that must be executed in a specific time range. The task itself is not a problem; I followed Configure > Content > Content Management -> Create new content -> Saved search and then, because the search must send a mail at every activation, I have chosen New Alert. The problem is the required time range: this alert must detect some kind of activity performed outside office hours, so 18:01 of the current day - 08:59 of the day after (this every day). So, for example, the search must be "active" starting from today at 18:01 until tomorrow at 08:59. My doubt is: how can I configure this time range? This is the alert configuration window: I thought about using Crontab, but I'm not sure I can configure a time range which does not have the same day for starting and ending time. I thought also about the All time panel, but I didn't find anything that helps me to configure this particular time range.
I see a strange behaviour in Splunk. There is this SPL which, when run between the 3/13/2022 6:00 AM to 3/14/2011 6:00 AM time range, shows some events at 3/13/2022 - 7:00 AM (between 7-8 AM). But when I re-run the same SPL between 3/13/2022 6:00 AM and 3/13/2011 8:00 AM, hoping to see the same set of events, I see ZERO events!! This is very strange!! Am I missing something simple here? Why this weird behaviour? Additional observation: when I change the time range to between 2/12 and 3/13, the events show, but when I keep the same date, 3/13 7 AM to 3/13 10 AM, it doesn't show. It works when the time range is more than 24 hours.
Hi, IHAC who is using Akamai SIEM Integration to ingest data, and the add-on is deployed on an HF. Now they are trying to move the add-on to another HF. The customer thought they need to move the offset also, but they don't know the offset location. Any advice for the offset location in the Akamai SIEM Integration App?
Hi peeps, I would like to trigger an alert from Splunk and send the alert to a third-party app. The third-party app can only receive and parse data as raw events. I create the alert using the 'stats' command, which generates a statistic, which means the alert sent is a statistic to the 3rd-party app. How do we send the raw event from the statistic data as an alert? Please help.
I've recently upgraded to Splunk version 8.2.2.1 and this morning Splunk sent out an email to all Splunk admins giving results of a scan from the "Python Upgrade Readiness App". I have the results of the scan already, and can run the scan myself if I need to. How do I turn off the email alerts? Documentation (https://docs.splunk.com/Documentation/Splunk/8.2.2/UpgradeReadiness/Emails) says to do the following:

Navigate to the Python or jQuery tab in the Upgrade Readiness App. Email notifications for Python and jQuery are controlled separately on their respective tabs.
Select Modify Weekly Email Notification and edit your settings for each scan.

But I don't have these Python or jQuery tabs in my Upgrade Readiness App. There doesn't seem to be anywhere to modify these settings. Could anyone let me know how to do this?
Hi Team, could you help me with the complete Splunk query for the list of servers which are sending data in the last 14 days from the lookup and not sending in the last 7 days? If we write

| eval day=if(_time<relative_time(now(),"-7d@d"),"sentdatalastweek","didnotsenddatainthelast7days")

what does that mean? Regards
Is there a way to contact the Splunk sales team? There's no response on +1 866.GET.SPLUNK (1 866.438.7758); questions sent through the form on the official site, as well as emails, are not answered. My country is not in the list here (https://partners.splunk.com/locator/) and I have no idea how to reach someone who can provide some info on how to get the license. Thank you.
KPI          XYZ-123      XYZ-12345    Service-123  Service-12345
random_data  random_data  random_data  random_data  random_data
random_data  random_data  random_data  random_data  random_data

I have a dashboard like the one above. I want to enable drilldown for the columns whose field names start with XYZ and disable drilldown for the ones that start with Service. Is there any way I can achieve this in XML?
After upgrading the Microsoft Azure Add-on for Splunk to 3.2.0 we are not receiving authentication details in Splunk. Also, non-interactive login details are not available. The field to check if the authentication succeeded or failed is not in the raw logs; field name: authenticationDetailssucceeded. Other authentication details are also missing.
How to find a real-time job that is running for more than 30 minutes, for example in the screenshot below? Here I need to create an alert for which job is running more than 30 minutes. Now we are manually watching this job from SH --> Activity --> Jobs. Thanks in advance.
I am trying to run a Linux bash script on the deployment server to pull down the deployment clients. I have the Splunk command correct, but get an authentication error when this is run under cron or even from the command line. There are multiple postings on this command, but none of them talk about requiring authentication. How do we work around the account password issue?

Splunk 8.2.3 command:

Splunk reload deploy-server -class

I tried the -auth parameter that is shown on other command options, but this one does not seem to like this option.

command: splunk reload deploy-server -class
results:
Your session is invalid. Please login.
Splunk username: admin
Password:
An authentication error occurred: Client is not authenticated

Any guidance would be appreciated.