All Topics

Hi, I am a bit lost. I am trying to extract some % values of specific parameters, but with no luck. Example: I want to extract the Anti-Virus value of 12%. This is my command:

| rex field=_raw "Anti-Spam\s*<(?<cpu>.*)>"

Gauges:
Current System RAM Utilization 65%
Overall CPU load average 43%
CPU Utilization MGA 20%
Anti-Virus 12%
Reporting 0%
Quarantine 0%
Hi, the start-up script for the Spring Boot application is like this:

java -javaagent:/opt/jeppesen/crew-leave/Appagent/AppServerAgent-ibm-22.2.0.33545/javaagent.jar -jar /opt/app/app.jar

The AppDynamics log shows that the app agent is created successfully, but nothing is getting captured. Also, under agents, I see that the uptime is 0%. This is for a Linux server. I get a few warnings at the end:

[AD Agent init] 07 Mar 2022 19:56:16,708 WARN InstrumentationHandler - Retransformation not enabled.
[AD Agent init] 07 Mar 2022 19:56:16,708 INFO AnnotationPropertyListenerManager - Class.privateGetPublicMethods() is not available, will try the public methods
[AD Agent init] 07 Mar 2022 19:56:16,708 INFO AnnotationPropertyListenerManager - Registered NodeProperty [enable-async-correlation-for] to method [public void com.singularity.ee.agent.appagent.services.transactionmonitor.common.activity.CustomActivityRuleApplier.setEnableAsync(java.lang.String)] in class class com.singularity.ee.agent.appagent.services.transactionmonitor.common.activity.CustomActivityRuleApplier 1
[AD Agent init] 07 Mar 2022 19:56:16,715 INFO BCIFixer - Scheduling BCIFixer at [300000] ms intervals.
[AD Agent init] 07 Mar 2022 19:56:16,715 INFO BCIFixer - Retransformation is NOT supported on this JVM. BCIFixer is active - but will NOT retransform classes
[AD Agent init] 07 Mar 2022 19:56:16,715 INFO BCIEngineService - Pinging to retransform classes by worker
[AD Agent init] 07 Mar 2022 19:56:16,715 WARN InstrumentationHandler - Retransformation not enabled.
[AD Agent init] 07 Mar 2022 19:56:16,719 INFO JavaAgent - JVM Process Persistence File <pid = 41888 nodeDirectory = /opt/jeppesen/crew-leave/Appagent/AppServerAgent-ibm-22.2.0.33545 appName = CrewRequest tierName = WebNode nodeName = 103 homeDirectory = / machineId = 24821 uniqueHostId = mrnf-cl103 controllerHost = cubits202202230044249.saas.appdynamics.com controllerPort = 443 accountKey = c754eab83f6444f17a46da72929b318b82407869 versionDirectory = /opt/jeppesen/crew-leave/Appagent/AppServerAgent-ibm-22.2.0.33545/ver22.2.0.33545> was written
[AD Agent init] 07 Mar 2022 19:56:16,719 INFO JavaAgent - Started AppDynamics Java Agent Successfully.
[AD Thread Pool-Global0] 07 Mar 2022 19:56:16,746 INFO TransformationManager - Class transformations will take place in a background thread
[main] 07 Mar 2022 19:56:17,601 INFO ClassMetaDataManager - Unable to locate class meta data for org.springframework.boot.loader.archive.Archive$EntryFilter
[main] 07 Mar 2022 19:56:17,688 INFO ClassMetaDataManager - Unable to locate class meta data for org.springframework.boot.loader.jar.JarEntryFilter
Hi, we are sending OpenTelemetry metrics into Splunk via HTTP Event Collector. However, we got the following "server is busy" errors the other day. I can see the data did come in at that time, but it gets retried, so that explains that. How do I stop this from happening in the future? Another question is: what is the max throughput Splunk can take in via HTTP? The below code came from the OP - Python scripts:

2022-03-04T19:41:36.125+0100 info exporterhelper/queued_retry.go:215 Exporting failed. Will retry the request after interval. {"kind": "exporter", "name": "splunk_hec/logs", "error": "Post \https://dell425srv:9088/services/collector\: context deadline exceeded (Client.Timeout exceeded while awaiting headers)", "interval": "5.6081835s"}

Thanks in advance,
Rob
Hi, after a Windows system crash of the RAID controller, I only get empty reports. I moved the installation to a VM and everything looked good... but: empty dashboard reports! Getting data from the Windows event logs into Splunk still works, but most entries have this problem:

Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt. FormatMessage error...

I checked wecutil gs and found it was set to "rendered text" for both of my subscriptions. I've set it back to "events" but still no luck. Restart of the service: no luck. I'm running Splunk Enterprise 8.2.5 on Windows Server 2016. Any hints are highly appreciated! Best, EL
I wanted to ask if it is easy or possible to forward logs, some of which may be in text format, from an HF to another device and send them in JSON format?
We have an instance where the KV store is not running and we're looking to clean the whole thing out. However, we would like to see if we're able to keep the data. So, my question is: is there any other way to do a backup of KV store data than using the "splunk backup kvstore" command?
Hello community, I have a problem with my research. My searches are then sent to Splunk OnCall to manage alerts. However, I noticed that some fields in my request can sometimes have a lot of characters, and in this case the information does not go to Splunk OnCall. The large number of characters is not useful and I would like to limit the number so that it does not block towards Splunk OnCall. I therefore seek to limit the number of characters in a field of my request, whatever the result. I came across this post (https://community.splunk.com/t5/Splunk-Search/Limit-length-of-field-of-characters-in-search-results/mp/134908#M36872) but the command does not work. Here is an example request:

index=my_index state=* | fields hostname service_description output state

It is the "output" field that I would like to limit. Based on the link above, I wrote:

index=my_index state=* | fields hostname service_description output state | eval output=substr(output,1,15)

But that doesn't fix it. Do you have any idea where I should dig for this? FYI, I'm on Enterprise 8.2.3. Thank you in advance, Rajaion
Hi all, I have a stream of events which come into SOAR. When the event is loaded in SOAR, a playbook runs against it automatically, and this calls an App action, which completes successfully and returns data. In another playbook, which will be manually run, how do I access the data returned by the App action? Do I need to save the app action data as a new artifact and call it that way, or is there a way to list all app actions in a container, get the app action ID, and retrieve the data? Thanks!
Hi, I have a query based on response times from a service:

index=homebanking "/soa/mcoi-rc-services/ContractService" Time="*" | rex field=_raw "\/(?<time>[^_\/]+)[\w\.]+($|\s)" | stats count by Time | fields - count

I get these results... I'd like to now create a graph of these results showing a graduation or reduction of the response times. Can someone help? Best, Sheldon.
Hi All, I am going to work on a multisite architecture (3 sites) where we are keeping 6 indexers in a cluster (2 in each site), 6 SHs in a cluster (2 in each site), and 3 SHs in another cluster (1 in each site) for reporting: 1 indexer cluster and 2 SH clusters. I wanted to understand what will be the best site search factor and site replication factor for a 3-site multisite cluster. Any suggestion will be appreciated. Thanks, Sushree
I have host stop events logged in a summary index:

Index=summary search_name=feed_status

Host_name  Host_status
Host1a     Host_stop
Host2b     Host_stop
Host4a     Host_stop
Host1b     Host_stop
Host3a     Host_stop

I also have a lookup table for failover paired hosts:

Host_primary  Host_secondary
Host1a        Host1b
Host2a        Host2b
Host3a        Host3b
Host4a        Host4b

I need to generate the host stop alert when both failover paired hosts are stopped. In this case, alerting on Host1a and Host1b stopped.
Hi Team, can someone help with a query to get the recipients' email IDs and the owner of email alerts in Splunk? Thanks in advance!
I want to have a table of deleted accounts with the attributes time, administrator, user, message, but the Administrator and User fields still remain empty:

index = msad source=wineventlog:security EventCode=4726 | rex field=member_dn "(?<Administrator>\S+)\s+(?<User>\S+)" | table _time Administrator User action signature

When I checked the raw event, I noticed that the field member_dn is empty. Is there a solution?
Hello, I would like to have confirmation of the most secure way to create a SmartStore volume (with access keys): how will bundle validation behave if:
- I declare volumes (with access_keys) in /opt/splunk/etc/apps/myvolumes/local/indexes.conf on each indexer
- I push the index definitions (with those volumes) in /opt/splunk/etc/master-apps/myindexes/local/indexes.conf from the Cluster Master

The protocol would be: maintenance mode, stop every indexer, deploy new conf files via git (and finalize manually so the volume keys do not appear in git), validate the bundle on the CM. => Will it even work, as there is no volume definition on the CM in /opt/splunk/etc/master-apps/myindexes/local/indexes.conf? There is something I do not understand: how am I supposed to secure (encrypt?) the access keys in the cluster AND use the CM for bundle deployment? Thank you, Ema
Hi guys, I am using Splunk Enterprise for monitoring an application called Nextcloud. I want to customize the dashboard for Nextcloud, so I have imported my nextcloud.log into my Splunk. In my log file, it has user: xxxxx. I want to search the keyword to select multiple users from my log file to get the report, but I don't know what keyword is used to pull the data. Can anyone help me with this? Sample keywords:

source="/xxx/xxx/xxx/nextcloud.log" host="nextcloud" sourcetype="Nextcloud" | search user="*"

The above command works for every user, but I want to get reports for only 2 users. How do I do that?
Hello Community, I have quite a strange issue to face... For a project I'm working on, I would need to create a new case if the search returns no events. I've tried to create a dummy example to make myself clear:

| makeresults
| eval letter1="A", letter2="B", letter3="C"
| append
    [| makeresults
    | eval letter1="D", letter2="E", letter3="F"]
| search letter1="K"
| appendpipe
    [| ??ifnotresults??
    | append
        [| makeresults
        | eval letter1="X", letter2="Y", letter3="Z"]
    | where false() ]
| table letter1 letter2 letter3

In particular, I have no idea how to evaluate the ??ifnotresults?? part. Do you think it is possible to achieve this? Thanks in advance for your kind support.
Hi Team, the rule "Insecure Or Cleartext Authentication Detected" fires when logon type "8" is detected in Windows logs.

As per Splunk: Detects authentication requests that transmit the password over the network as cleartext (unencrypted). https://docs.splunksecurityessentials.com/content-detail/insecure_or_cleartext_authentication_detected/

As per Windows: The credentials do not traverse the network in plaintext (also called cleartext). https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

Could you please let us know why there is this difference in description? This is creating some challenges in understanding the logs. Can someone help with this?
_time=time1, _raw=some contents
_time=time2, _raw=some contents
_time=time3, _raw=some contents
_time=time4, _raw=some contents
_time=time5, _raw=some contents

Now I want to extract the data between time2 and time3 using the _time field. Can anyone help with this?
I have 1 universal forwarder and 2 heavy forwarders. If both of my heavy forwarders lose communication with the UF at the same time, how will the data accumulate in the persistent queue of the UF? Please provide Splunk documentation or a previous Splunk Community Q&A if you have any.
Hello, I have a field called hostName which contains hosts:

host1\user1
host1\user2
host2\user2
host3\user3

And I want to basically do a count of the number of times each host appears, so:

Host1 = 2
Host2 = 1
Host3 = 1

So I want to cut the data after the backslash (\) and display the host part of the data as a count. I worked out the regex for this is ".+?\\" on Regex 101, but I am not able to figure it out with the rex field commands. Thank you!