All Topics

Hi, I found the following Telegraf service monitoring configuration. Is there any way to specify the service name (e.g. the Print Spooler service)?

receivers:
  smartagent/telegraf/win_services:
    type: telegraf/win_services

metrics:
  receivers: [smartagent/telegraf/win_services]
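An added example of restricting the monitor to named services; it is not part of the post. It relies on the serviceNames option of the Smart Agent telegraf/win_services monitor (confirm the option name against the monitor's documentation for your agent version). Windows service names differ from display names: the Print Spooler's service name is Spooler (Get-Service Spooler shows both). The exporter and the rest of the pipeline wiring are assumed to exist elsewhere in the collector config.

```yaml
receivers:
  smartagent/telegraf/win_services:
    type: telegraf/win_services
    # Service names, not display names. Empty/omitted = monitor every service.
    serviceNames:
      - Spooler          # Print Spooler
      - W32Time          # Windows Time (second example, assumption for illustration)

service:
  pipelines:
    metrics:
      receivers: [smartagent/telegraf/win_services]
      # exporters: [...]  assumed to be defined elsewhere in this file
```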
Hi, I'm using the .NET SDK and I cannot find how to pass a cancellation token as an argument to cancel the search. Is there any way to do it? Thank you
We want to compare two inputlookup files. Let's say we have the following host values: lookup 1: abc, bcd, def, xyz; lookup 2: bcd, xyz. Required result: abc, def. Simply put, we want to show the count of the hosts missing in lookup 1 when compared to lookup 2. We have already tried:

| inputlookup lookup2
| join type=left host [ inputlookup lookup1 | eval check="match" ]
| search NOT check=*
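An added example, not from the post, that computes the difference in both directions with stats instead of join. It assumes both lookups have a host column and that the lookup names are lookup1 and lookup2 as in the post. Using inputlookup append=true avoids a subsearch, so the subsearch row and time limits that apply to join and append do not cap the comparison.

```spl
| inputlookup lookup1
| eval src="lookup1"
| inputlookup append=true lookup2
| eval src=coalesce(src, "lookup2")
| stats values(src) as src dc(src) as n by host
| where n=1
| stats count as missing_hosts values(host) as hosts by src
```

With the sample data this returns one row, src=lookup1, missing_hosts=2, hosts=abc def (hosts present only in lookup1, i.e. absent from lookup2). A row with src=lookup2 would list hosts present only in lookup2. Drop the final stats to get one row per unmatched host. The trailing values(host) list is capped by the default limit on values(); for large lookups keep only the count.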
Hi, we are going to evaluate Splunk, but we are not sure that it will serve everything we need, so we want to see if you can help us. On the one hand, we need to upload log files and process them (so far we do it with an old version of Elasticsearch). They are mainly IIS logs. We also want to collect metrics from the applications we develop, applications that are on premises. But we are also migrating part of the developments to Azure. We have there everything from databases to Kubernetes and microservices. The Splunk page makes many references to AWS, but not to Azure. Can Splunk monitor Azure seamlessly? Monitor Kubernetes, the logs it generates, the microservices, etc.? I haven't mentioned it, but we wouldn't install Splunk on our own server; it would either be in your Cloud or directly in our Azure. Thanks, Miguel
Hello all, one of our indexes (name: okta) has a searchable retention period of 90 days, as shown in the screenshot. Is there a way to pull data earlier than the 90-day mark? We want to go back up to the last 1 year. If I change this value to 365 days, will it let me search through the old data (older than 90d)? Or is there something more that needs to be done? Thanks in advance
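An added example, not from the post, of the Splunk Enterprise setting behind "searchable retention" and the one caveat that matters: retention is enforced per bucket when the bucket's newest event crosses the limit, so raising it only keeps buckets that have not yet been frozen. Data already past the old 90-day limit has been deleted unless a frozen archive path was configured. The index name is the post's; the archive path is an assumption. On Splunk Cloud Platform the equivalent is the Searchable retention field in the Indexes UI, and already-archived data is restored through Dynamic Data Active Archive rather than by editing this file.

```ini
# indexes.conf on the indexers (deployed from the cluster manager in a cluster).
[okta]
# Buckets whose newest event is older than this are rolled to frozen.
# 365 days = 31536000 seconds. Raising it does not bring back buckets
# that were already frozen under the previous 90-day (7776000 s) value.
frozenTimePeriodInSecs = 31536000

# Without this, frozen buckets are deleted. With it, they are copied to the
# archive directory (assumed path) and can be thawed later: copy the bucket
# into $SPLUNK_DB/okta/thaweddb/, then run "splunk rebuild <bucket path>".
coldToFrozenDir = /opt/splunk/frozen/okta
```

Restart or apply the bundle after the change, and check that the volume hosting the index has room for four times the current on-disk footprint before committing to it; maxTotalDataSizeMB also evicts buckets and will silently cap retention if it is reached first.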
I have set up Microsoft Defender for Endpoint inputs with many add-ons, but it looks as though most of the add-ons are not CIM ready for the Endpoint and Malware data models. I have used:
Microsoft 365 Defender Add-on for Splunk - https://splunkbase.splunk.com/app/4959/
Splunk Add-on for Microsoft Security - https://splunkbase.splunk.com/app/6207/#/overview
Which one is CIM ready?
Nagios — Splunk Observability Cloud documentation
Please assist, as I am not able to start the OTel service due to the error "found unknown escape character". Below is the script; how do I escape the character in the argument?
"LC_ALL=\"en_US.utf8\" C:\Program Files\NSClient++\check_nrpe -H pool.ntp.typhon.net"
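An added example, not from the post, showing where the error comes from and two ways to write the value. In a YAML double-quoted scalar the parser interprets backslash escapes, and \P (from \Program) is not a defined escape, which is what "found unknown escape character" reports. A single-quoted scalar does no escape processing, so backslashes and the inner double quotes pass through unchanged. The receiver keys follow the Nagios monitor page the post links (command, service); the service name and the quoting of the path with spaces are assumptions for illustration.

```yaml
receivers:
  smartagent/nagios:
    type: nagios
    # Rejected by the YAML parser at \P ("found unknown escape character"):
    # command: "LC_ALL=\"en_US.utf8\" C:\Program Files\NSClient++\check_nrpe -H pool.ntp.typhon.net"

    # Option 1: single quotes, no escape processing at all.
    command: 'LC_ALL="en_US.utf8" "C:\Program Files\NSClient++\check_nrpe" -H pool.ntp.typhon.net'

    # Option 2 (equivalent): double quotes with every backslash doubled.
    # command: "LC_ALL=\"en_US.utf8\" \"C:\\Program Files\\NSClient++\\check_nrpe\" -H pool.ntp.typhon.net"

    service: ntp_time   # assumed service label for the check

service:
  pipelines:
    metrics:
      receivers: [smartagent/nagios]
      # exporters: [...]  assumed to be defined elsewhere in this file
```

Note that \N is a valid YAML escape (next line, U+0085), so a path like C:\NSClient++ would not raise an error but would be silently corrupted; single quotes avoid both failure modes.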
Can anyone explain the tsidxWritingLevel values from 1 to 4? tsidxWritingLevel = [1|2|3|4]
Reference - https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Indexesconf
Hi all, I have transaction data from a database and want to compare it with an index in Splunk, filtering for the transaction data that does not exist in the index. I have a query like this:

| dbxquery connection=monsplunk query="select userid, acctno, trxamt, trxstatus from "appdb"."apppymt" where accttyp is null "
| join type=outer userid [ search index=trxpayment_idx | fields userid ]
| eval mark = if(isnull(userid),"blank",userid)
| search mark=blank
| table userid, acctno, trxamt, mark

When I run the query above, the result still shows all the transaction data, without being filtered against the index data. The opposite happens with a lookup: using the same query and only changing the index to an inputlookup:

| dbxquery connection=monsplunk query="select userid, acctno, trxamt, trxstatus from "appdb"."appymt" where accttyp is null "
| join type=outer userid [ | inputlookup trxpayment.csv ]
| eval mark = if(isnull(userid),"blank",userid)
| search mark=blank
| table userid, acctno, trxamt, mark

it shows the data filtered by the lookup file. I prefer using the index rather than the lookup file because of the size of the data. Can anyone help with the index? Or if you have an alternative, that would be preferable too.
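An added example, not from the post, of the anti-join written so that it does not depend on userid becoming null. A join keeps the left row's userid whether or not the subsearch matched, so isnull(userid) never fires; the marker has to be a field that only the subsearch produces. The connection, table and field names are the post's; the double quotes inside the SQL are escaped with backslashes so the SPL string parses.

```spl
| dbxquery connection=monsplunk query="select userid, acctno, trxamt, trxstatus from \"appdb\".\"apppymt\" where accttyp is null"
| join type=left userid
    [ search index=trxpayment_idx
      | stats count as seen_in_index by userid ]
| where isnull(seen_in_index)
| table userid, acctno, trxamt, trxstatus
```

seen_in_index exists only for rows the subsearch matched, so where isnull(seen_in_index) keeps exactly the transactions with no event in the index. The stats in the subsearch collapses the index to one row per userid, which matters because join is a subsearch and is cut off at the subsearch result and time limits in limits.conf (50,000 rows and 60 seconds by default); a truncated subsearch makes unmatched rows look unmatched. For an index with more distinct userids than that, schedule `index=trxpayment_idx | stats count by userid | outputlookup trxpayment_userids.csv` and replace the join with `| lookup trxpayment_userids.csv userid OUTPUT count as seen_in_index`, which has no subsearch limit.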
Is it possible to make the background colour blink red in Dashboard Studio? Or is it possible to make a square object blink red? Help
Hi all, not able to establish the connection, please advise.
Driver used:
[sqlazure]
displayName = SQLAzure
useConnectionPool = false
jdbcDriverClass = com.microsoft.sqlserver.jdbc.SQLServerDriver
serviceClass = com.splunk.dbx2.MSSQLJDBC
defaultPort = 1433
jdbcUrlFormat = jdbc:sqlserver://<host>:<port>;databaseName=<database>
testQuery = SELECT 1 AS test
Failure message: Connection failure reason: The TCP/IP connection to the host projectmanagerbyshreyas.database.windows.net, port 1433 has failed. Error: "connect timed out. Verify the connection properties. Make sure that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port. Make sure that TCP connections to the port are not blocked by a firewall.". Diagnosis: Either the database is unavailable, or the specified host/port is incorrect, or you are blocked by a firewall. Troubleshooting recommendation: Make sure the database is running on the server and you or the database are not blocked by a firewall.
Thanks in advance
How do I completely remove/not select the directory path if it has "remote" in its folder structure?
My regex: specification|Cu Req|Cu Spec|02 - Regulatory|\\*\\remote||
Directory structure:
/specification/Cu Req/remote/value - remove the complete path
/specification/system/val_remote/cmd/system - remove since it has the word "remote"
/specification/system/value/remote - remove the path
/specification/system/value/cmd/sys32 - consider
Is there a way to change the default colors of the bars in a bar chart?  I can change the color of the font, but I can't find an option to change the color of the bars in the bar chart widget. Thanks.
Hi, I am hoping for some help regarding this. Basically I would like to compare (the difference between the current and previous values) the value extracted by the rex command on the latest data versus the previous event's rex command data.

Today:
Counters:           Reset        Uptime       Lifetime
Messages Received   13,524,598   13,524,585   13,524,598

Yesterday:
Counters:           Reset        Uptime       Lifetime
Messages Received   12,524,598   12,524,585   12,524,598

Current filter:
| rex field="status detail" "(?<message_received_name>Messages Received)\\s*[0-9,]*\s*[0-9,]*\s*(?<message_received>[0-9,]*)"
| rex field="status detail" "(?<current_time_text>Status as of:)\s*(?<query_time>.*)GMT"
| stats latest(message_received_name) as Counter_Name latest(message_received) as Messages_Received latest(query_time) as Query_Time by Hostname

How can I use the same search on the previous event, so I can find the difference in "message_received"? Thanks,
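An added example, not from the post, that keeps the post's field names and extracts all three columns, then uses streamstats to carry each host's previous reading onto the current event so the two can be subtracted before the final stats. It assumes each host reports once per day and that _time orders the reports. The comma-separated numbers are converted with replace/tonumber so the subtraction is numeric.

```spl
| rex field="status detail" "Messages Received\s+(?<reset>[0-9,]+)\s+(?<uptime>[0-9,]+)\s+(?<lifetime>[0-9,]+)"
| rex field="status detail" "Status as of:\s*(?<query_time>.*?)\s*GMT"
| eval lifetime=tonumber(replace(lifetime, ",", ""))
| sort 0 Hostname _time
| streamstats current=f window=1 last(lifetime) as prev_lifetime last(query_time) as prev_query_time by Hostname
| eval received_since_prev=lifetime - prev_lifetime
| stats latest(lifetime) as Messages_Received latest(prev_lifetime) as Prev_Messages_Received latest(received_since_prev) as Delta latest(query_time) as Query_Time latest(prev_query_time) as Prev_Query_Time by Hostname
```

With the two sample readings this yields Delta=1000000 for the host. streamstats with window=1 current=f looks at exactly one earlier event per host, so the first event of each host has no prev_lifetime and an empty Delta; a negative Delta means the counter was reset between readings, which is worth alerting on separately. sort 0 orders every event, which is fine for a few hundred status reports per host but should be replaced with a narrower time range on large result sets.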
We are having issues with our Splunk data model Endpoint Processes.process_name. The current value for Process.process_name is:

case(isnotnull(process) AND parent_process!="", replace(process,".*\\\\(.*)","\1"), 1=1, "unknown")

The regex pulls correct and invalid results as follows.
Correct:
lsass.exe
NmService.exe
Microsoft.IdentityServer.ServiceHost.exe
Incorrect:
AppxData.csv"
BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
RuntimeBroker.exe -Embedding
The correct results show the actual process name, while the incorrect ones may not show the process name, or show the process name with an extra quotation mark or command line arguments. How do we fix the regex to only show the process name?
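An added example, not from the post or from the CIM app, of an eval that isolates the executable before stripping the directory. The post's regex is greedy up to the last backslash in the whole string, so anything after the image path (closing quote, arguments, and any backslash inside the arguments) leaks into process_name. The field names are the post's; the three-step split (quoted image, then unquoted first token, then basename) is the assumption being demonstrated and can be pasted into a search to test before it is moved into the data model's calculated field.

```spl
| eval image=replace(process, "^\"([^\"]+)\".*$", "\1")
| eval image=if(image=process, replace(image, "^([^ ]+).*$", "\1"), image)
| eval process_name=replace(image, "^.*\\\\", "")
| eval process_name=case(isnotnull(process) AND parent_process!="" AND process_name!="", process_name, 1=1, "unknown")
| table process, image, process_name
```

The first replace only changes values that start with a double-quoted path, so a value that is unchanged (image=process) is treated as unquoted and cut at the first space; the final replace drops everything through the last backslash of the image alone. On the post's inputs this gives AppxData.csv, BackgroundTaskHost.exe and RuntimeBroker.exe. The known gap is an unquoted image path that itself contains a space (C:\Program Files\x.exe -flag), which is ambiguous in Windows command lines and yields Program; if your source always supplies a separate image-path field, derive process_name from that field and use this eval only as the fallback, since detections keyed on Processes.process_name are only as good as this normalization.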
Hey there! I've started taking classes for certifications on becoming a certified Splunk User. I was wondering exactly which classes are needed to become a certified Splunk User. Thanks!
Hi, I'm new to Splunk and need some help. I have the below search:

| spath input=message
| search env=prod clAppNam="i-app" demographics.firstName != null
| table usrId, pId, email{}.emailTypeCode, email{}.emailAddress
| outputcsv Upsert_party_Address_Report

This results in the below report:
usrid  pid  emailTypeCode  emailAddress
1      222  home           aaa@def.com
            work           bbb@def.com
1      333  work           ccc@def.com
            correspond     ddd@def.com
1      444  home           eee@def.com

I need the results as shown below:
usrid  pid  emailTypeCode  emailAddress
1      222  home           aaa@def.com
1      222  work           bbb@def.com
1      333  work           ccc@def.com
1      333  correspond     ddd@def.com
1      444  home           eee@def.com
Any help is greatly appreciated.
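An added example, not from the post, that expands the email array into one row per element while keeping each type paired with its own address. It pulls each element of the array out as its own JSON object, expands on that, and only then extracts the two keys, so a missing key in one element cannot shift the pairing the way a positional zip of two multivalue fields would. Field and search terms are the post's; the filter demographics.firstName != null is kept as written.

```spl
| spath input=message
| search env=prod clAppNam="i-app" demographics.firstName != null
| spath input=message path=email{} output=email_json
| mvexpand email_json
| spath input=email_json path=emailTypeCode
| spath input=email_json path=emailAddress
| table usrId, pId, emailTypeCode, emailAddress
| outputcsv Upsert_party_Address_Report
```

path=email{} returns the array elements as a multivalue field of JSON strings; mvexpand makes one event per element, carrying usrId and pId along, and the two spath calls then read the keys from that element only. mvexpand is bounded by its memory limit (max_mem_usage_mb in limits.conf) and drops events silently when it is hit, so check the job's messages on large exports. If the data is plain JSON rather than a string inside message, the input=message arguments can be removed.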
I have been trying to load balance firewall logs across a 12-node indexer cluster. The heavy forwarder is under cluster control; it sees all 12 indexers to write to in its "splunk list forward-server" output. But regardless of all the changes I have been making in outputs.conf with the LB settings, it never wants to send to more than five when I monitor with:

| tstats summariesonly=t count WHERE index="network_traffic" by splunk_server _time
| timechart span=1m sum(count) by splunk_server

autoLBVolume=1048576
autoLBFrequency=5

I have split the ingest into multiple small files using syslog-ng. I'm just wondering: is this "five" a hard limit for a forwarder? Or a limitation of the old release I am currently on (will I have to create a horizontal forwarding layer for the firewall logs, artificially splitting the syslog)? I'm running Splunk Enterprise 7.3.9. Many thanks, if anyone has any insight.
I have 3 searches executing against the same lookup, and since each needs to be grouped by a different set of fields, my search joins each result to the previous one. I have a feeling this is not optimal and want to rewrite it using stats, but don't know where to begin. I want to create a report of the total number of nodes per node type and description; this does what I want, but I am looking to optimize. Any ideas?

Code:
| inputlookup my_lookup
| stats dc(eval(if(NodeType="A",NodeID,null()))) as TtlSmallNodes by LargeNodeDesc MidSizeNodeDesc SmallNodeDesc
| join type=left [ | inputlookup my_lookup | stats dc(eval(if(NodeType="A",NodeID,null()))) as TtlMidSizeNodes by LargeNodeDesc MidSizeNodeDesc ]
| join type=left [ | inputlookup my_lookup | stats dc(eval(if(NodeType="A",NodeID,null()))) as TtlLargeNodes by LargeNodeDesc ]
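An added example, not from the post, that produces the same three columns from a single read of the lookup. eventstats computes the coarser counts at the large and mid-size grouping levels and writes them onto every row, and one final stats then does the fine-grained count while carrying the coarser ones through. Field and lookup names are the post's.

```spl
| inputlookup my_lookup
| eval nodeA=if(NodeType="A", NodeID, null())
| eventstats dc(nodeA) as TtlLargeNodes by LargeNodeDesc
| eventstats dc(nodeA) as TtlMidSizeNodes by LargeNodeDesc MidSizeNodeDesc
| stats dc(nodeA) as TtlSmallNodes max(TtlMidSizeNodes) as TtlMidSizeNodes max(TtlLargeNodes) as TtlLargeNodes by LargeNodeDesc MidSizeNodeDesc SmallNodeDesc
```

dc() ignores null values, so rows whose NodeType is not "A" count as zero exactly as in the original eval-inside-dc form, and groups with no type-A nodes still appear with 0. Because each eventstats value is constant within its group, max() simply carries it into the final row; the result matches the join version row for row, since every left-side group in the original also existed on the right (both sides came from the same lookup). eventstats holds the full result set in memory, so on a very large lookup check max_mem_usage_mb in limits.conf; for lookups of a few hundred thousand rows this is still far cheaper than two subsearch joins.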