All Topics

I have been trying to load balance firewall logs across a 12-node index cluster; the heavy forwarder is under cluster control. It sees all 12 indexes to be able to write to from its "splunk list forward-server". But regardless of all the changes I have been making in outputs.conf with LB settings, it never wants to send to more than five when I monitor with:

| tstats summariesonly=t count WHERE index="network_traffic" by splunk_server _time | timechart span=1m sum(count) by splunk_server

autoLBVolume=1048576
autoLBFrequency=5

I have split the ingest into multiple small files using syslog-ng. I'm just wondering: is this "five" a hard limit for a forwarder, or a limitation of the old release I am currently on (will I have to create a horizontal forwarding layer for the firewall logs, artificially splitting the syslog)? I'm running Splunk Enterprise 7.3.9. Many thanks if anyone has any insight.
I have 3 searches executing against the same lookup, and since each lookup needs to be grouped by a different set of fields, my search joins each result to the previous one. I have a feeling this is not optimal, and want to rewrite it using stats, but don't know where to begin. I want to create a report for Total number of Nodes per Node Type and Description, and this does what I want, but I am looking to optimize. Any ideas?

Code:

| inputlookup my_lookup
| stats dc(eval(if(NodeType="A",NodeID,null()))) as TtlSmallNodes by LargeNodeDesc MidSizeNodeDesc SmallNodeDesc
| join type=left [| inputlookup my_lookup | stats dc(eval(if(NodeType="A",NodeID,null()))) as TtlMidSizeNodes by LargeNodeDesc MidSizeNodeDesc ]
| join type=left [| inputlookup my_lookup | stats dc(eval(if(NodeType="A",NodeID,null()))) as TtlLargeNodes by LargeNodeDesc ]
What's the best way to create a search that shows only the IP addresses for all nodes on a network?
What's a good book to read for learning Splunk?
How can I create a multivalue field using the makeresults command, like:

| makeresults | eval value_1= "one" "two"

There should be a new line between the two words.
Hi, I use the search below in order to display markers on a map. As you can see, I use a join command in order to cross events by site between the lookup and the search:

index=toto sourcetype=tutu | stats count as PbPerf by site sam | search PbPerf > 10 | stats dc(sam) as nbsam by site | where isnotnull(site) | join type=left site [| inputlookup BpLtLg.csv | rename siteName as site | fields site latitude longitude ] | table site nbsam latitude longitude | geostats latfield=latitude longfield=longitude globallimit=0 count(nbsam)

But the problem is that I have a difference between the markers displayed on the map and the reality. For example, if I focus on a specific site like MONTE CARLO, I have 10 events, but on the map I just have 2 markers in this area with a count equal to 6 instead of 10, even if I play with the zoom, so I understand nothing. Is it possible that this issue comes from the join command? If yes, is there another solution to improve my search? Thanks
Hello, I have a chart in my dashboard, but when I click on Other, I don't have the results. Is it possible to have the logs of the hosts when I click on Other?

index=firewall AND sourcetype=cisco:ios AND host="*r01p" OR "*r01s" | chart count by host | rename count as NumberEvent

Is it not possible to use the option useother=true for chart?
We are using Prompt with the time extended to 4 days. We have discovered that when the running time of the playbook exceeds the Inactivity Timeout in Account Security Settings, we get a playbook execution error and a lot of authentication failures when we want to change status, add a tag, etc. Is there an option so that we can use Prompt with respond_in_mins larger than the Inactivity Timeout and avoid authentication failure errors? Phantom version 4.10.
Hey, I am using a timechart on my dashboard, but it only shows NULL values. When I run the same search in the search console, it shows all values as expected. What is the issue? Here is how it looks when I run it in Search: Here is how the timechart looks in the dashboard: Here is the XML code for the dashboard: Can you please help?
Hello, I'm using Splunk Cloud. I have a date with this format and I want Splunk to identify the date as the timestamp (_time value).

{
    "date": "2022-03-08T13:00:46.3204337+01:00",
    "Delay Time": "0 Sec",
    "OrderNumber": "6285071",
    "Key / CLE": "622203040258800100A",
    "Name": "ZM400_FINCON9P"
}

I have a source type defined like this but it's not working. Does someone have a solution please? Thank you all
Quick question. I don't understand how to use certificates for forwarders. We have 300+ UFs. There's no way they're all going to have their own unique certificate. How do I generate a CSR for the UFs' certificates? The certificates will need to be signed by a third party. If I have a certificate with the SANs of my indexers, could I use that certificate for my UFs too? Do I need to obtain a wildcard certificate for the UFs? Thanks
I have created tabs in a dashboard; the tabs are auto-running even when autorun=false. Any solution? Thanks & regards, Lateef
Hello, first, I already read this post: https://community.splunk.com/t5/Dashboards-Visualizations/Background-color-in-navbar-is-gone-in-7-1-and-7-2/td-p/359770 and tried its solution. It works sometimes but not all the time. My guess is that the div isn't always there for some reason. I opened the developer console in Chrome, and it seems that the object's name is ".view---pages-enterprise---8-2-2-1---1zrJY". As you can see, the Splunk version is inside it. And it changes with dark mode: ".view---pages-dark---8-2-2-1---2d_9P". Do you also have this behavior, and how can I successfully change the background color of the navbar across Splunk upgrades? Thanks
Hello, I'm trying to run the following:

| makeresults count=1 | eval data = "{\"something\":\"something\",\"something\":\"something\",\"something\":\"something\"}" | eval header = "{\"header-api-key\":\"something\"}" | curl method=post uri="https://api.something/v2" headerfield=header data=data debug=t verifyssl=false | table *

and I'm getting "{"status": "error", "result": "Invalid json format in the request". I also tried to add "{\"content-type\":\"application/json\"}" like:

| eval header = "{"{\"content-type\":\"application/json\"}",\"header-api-key\":\"something\"}"

but I get the same error. Note that I have the latest version of TA-webtools. Does anyone have any suggestions? Thanks in advance
Hi, I have "Too many open files", but I have a ulimit of 65536. I believe I have set my Splunk up correctly, but my search head has crashed twice now in 2 days. Is 65536 too small? Should I try and make it bigger?

bash$ cat /proc/32536/limits
Limit                     Soft Limit   Hard Limit   Units
Max cpu time              unlimited    unlimited    seconds
Max file size             unlimited    unlimited    bytes
Max data size             unlimited    unlimited    bytes
Max stack size            8388608      unlimited    bytes
Max core file size        unlimited    unlimited    bytes
Max resident set          unlimited    unlimited    bytes
Max processes             790527       790527       processes
Max open files            65536        65536        files
Max locked memory         65536        65536        bytes
Max address space         unlimited    unlimited    bytes
Max file locks            unlimited    unlimited    locks
Max pending signals       1546577      1546577      signals
Max msgqueue size         819200       819200       bytes
Max nice priority         0            0
Max realtime priority     0            0
Max realtime timeout      unlimited    unlimited    us
hp737srv autoengine /hp737srv2/apps/splunk/

I am also getting the following messages from my 3 indexers (I have an indexer cluster). When I run the following command, I can see Splunk 1 hour after startup taking 4554?

bash$ lsof -u autoengine | grep splunk | awk 'BEGIN { total = 0; } $4 ~ /^[0-9]/ { total += 1 } END { print total }'
4554

So at the moment I have made a case with Splunk, but I might have to put in nightly restarts if it keeps happening. In the last few months, I have set up a heavy forwarder to send in HEC data to the indexers. This data has been increasing, so I am not sure if this is the issue? Thanks in advance
My query is:

<dashboard version="1.1">
  <label>CCEcolour</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=*** source=service Name IN (*abc* *def* *ghi* *jkl* *mno*) host IN (xyz) earliest=-60m | dedup host Name | table Name Status State | sort Name | eval color=case(Status="Stopped","HIGH",Status="Running","LOW") | foreach Name Status State [ eval &lt;&lt;FIELD&gt;&gt;=mvappend('&lt;&lt;FIELD&gt;&gt;',color)] | fields - color </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="Name">
          <colorPalette type="expression">case (match(value,"LOW"), "#DC4E41",match(value,"HIGH"),"#53A051")</colorPalette>
        </format>
        <format type="color" field="Status">
          <colorPalette type="expression">case (match(value,"LOW"), "#DC4E41",match(value,"HIGH"),"#53A051")</colorPalette>
        </format>
        <format type="color" field="State">
          <colorPalette type="expression">case (match(value,"LOW"), "#DC4E41",match(value,"HIGH"),"#53A051")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>

For the result below, where I have "State" as "Stopped", the entire row should be in red, including the corresponding Status and Name.

Name  Status  State
abc   OK      Running
def   OK      Running
hij   OK      Stopped
klm   OK      Running
nop   OK      Running
Hi Splunkers, I thought it would be easier, but now I need to ask you for help. I need to make a simple pie chart with the percent of an IP address and the percent of all the others together as "Other". How can I group all values into a single value "Other" while leaving out just the value I want to analyze? Thanks!
I am currently working on an integration from a Python script, collecting a JSON object and parsing it to an event via the Splunk Add-on Builder; however, the object does not seem to appear within Splunk. From the Add-on Builder code, I have a loop that cycles round an array extracting objects to ingest as events:

for item in item_group:
    helper.log_warning(item)
    stat_time = int(time.time())
    event = helper.new_event(time=stat_time, source="Addon-Helper", index="testing", sourcetype="_json", data=json.dumps(item))
    ew.write_event(event)
    helper.log_warning(event)

When I pull the extract from the log I get:

2022-03-08 10:43:56,350 WARNING pid=59367 tid=MainThread file=base_modinput.py:log_warning:302 | {'field_1': 'value_string', 'field_2': 'value_string', 'field_3': 'value_float', 'field_4': 'value_string', 'field_5': ['value_IP'], 'field_6': 'value_string', 'field_7': value_time, 'field_8': 'value_string', 'field_9': 'value_string'}
2022-03-08 10:43:56,351 WARNING pid=59367 tid=MainThread file=base_modinput.py:log_warning:302 | <splunklib.modularinput.event.Event object at 0x7f9072656250>

However, there is nothing added to the "testing" index, nor on a wildcard search, nor on an error search for ingestion. In addition, I have tried setting the data field to a string, which still creates the object, but Splunk does not seem to parse it:

event = helper.new_event(time=stat_time, source="Addon-Helper", index="testing", sourcetype="_json", data="Testing String")
ew.write_event(event)

This may simply be a case of staring too long at a problem and missing something basic, but any help would be great.
index=Network dest_ip=xx.xx.xx.xx action=allowed

Trying to list total allowed connections to the destination IP by day, regardless of source, to try and determine the volume of connections per day of the week and show which days are busiest, and also, if possible, to determine when during the day the number of connections peaks. Any help would be greatly appreciated.