All Topics

In my first post, I need to search Splunk using the REST API. How do I get the system to actually return me some results?

Steps:

1. POST a search, for example:

   search=search index=myIndex earliest=-1d "[nice-keyword]" AND "Nice catch-phrase" | rex field=_raw "reportingSystem\":\s+\"(?<system>\d{3})[\s\S]+operationCode\":\s+\"(?<opcode>\w+)[\s\S]+ticketId\":\s+\"(?<ticket>\d*)[\s\S]+transactionCode\":\s+\"(?<txcode>\w+)[\s\S]+NumericCode\":\s+\"(?<agency>\d*)" | table system, opcode, txcode, agency

   In the Search user interface, this makes a nice report.

2. Grab the job search ID.

3. Continually GET the job status of the POSTed search until DONE, or something else that helps me stop polling.

4. Ask for the job results. I get 200 OK but no content.

How does one actually format a search that can provide actual results via the API? Stumped. For days. I'm using Postman before moving on to my favorite middleware tool. Thank you.

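The three steps above, as an added example that is not part of the original post: a small Python client that POSTs the job, polls the job endpoint until isDone, then reads the results with output_mode=json. The endpoint paths are Splunk's documented ones; the token value, the SID, SAMPLE_ROWS and the FakeSplunk class are assumptions made so the file runs offline. Two things it does that Postman will not do for you: it sends the token on every call with TLS verification left on, and it treats an empty results body as "not finished yet, or zero rows" rather than as success.

```python
"""Splunk REST search-job workflow (added example, not the post's code): POST the job,
poll GET /services/search/jobs/<sid> until isDone, then GET .../results as JSON.
FakeSplunk is a constructed offline stand-in; token, SID and SAMPLE_ROWS are made up."""
import json
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# transport(method, path, params, headers) -> (http status, body text)
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, str]]

def http_transport(base_url: str) -> Transport:
    ctx = ssl.create_default_context()  # certificate verification stays on

    def send(method, path, params, headers):
        query = urllib.parse.urlencode(params)
        req = urllib.request.Request(base_url + path + ("?" + query if method == "GET" else ""),
                                     data=None if method == "GET" else query.encode(),
                                     method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return send

class SplunkSearch:
    def __init__(self, transport: Transport, token: str):
        self._send = transport
        # Bearer carries an authentication token; a session key would use "Splunk <key>".
        self._headers = {"Authorization": f"Bearer {token}"}
    def _call(self, method: str, path: str, params: Dict[str, str]) -> Tuple[int, str]:
        status, body = self._send(method, path, params, self._headers)
        if status in (401, 403):
            raise PermissionError(f"{status} from splunkd on {path}: {body}")
        return status, body
    def create_job(self, spl: str, earliest: str = "-1d", latest: str = "now") -> str:
        if not spl.lstrip().startswith(("search ", "|")):  # a bare "index=x" is rejected
            spl = "search " + spl.lstrip()
        status, body = self._call("POST", "/services/search/jobs", {
            "search": spl, "earliest_time": earliest, "latest_time": latest, "output_mode": "json"})
        if status not in (200, 201):
            raise RuntimeError(f"job creation failed: {status} {body}")
        return json.loads(body)["sid"]
    def wait(self, sid: str, timeout_s: float = 60.0, interval_s: float = 0.5) -> dict:
        deadline = time.monotonic() + timeout_s
        while True:  # isDone covers success and failure; isFailed tells them apart
            _, body = self._call("GET", f"/services/search/jobs/{sid}", {"output_mode": "json"})
            content = json.loads(body)["entry"][0]["content"]
            if content.get("isDone"):
                if content.get("isFailed"):
                    raise RuntimeError(f"search {sid} failed: {content.get('messages')}")
                return content
            if time.monotonic() >= deadline:
                raise TimeoutError(f"search {sid} still running after {timeout_s}s")
            time.sleep(interval_s)
    def results(self, sid: str) -> List[dict]:
        status, body = self._call("GET", f"/services/search/jobs/{sid}/results",
                                  {"output_mode": "json", "count": "0"})  # count=0: all rows
        if status == 204 or not body.strip():
            return []  # job not finished yet, or finished with zero rows: not a success
        return json.loads(body).get("results", [])

def run_search(transport: Transport, token: str, spl: str, interval_s: float = 0.5) -> List[dict]:
    api = SplunkSearch(transport, token)  # the post's three steps, in order
    sid = api.create_job(spl)
    api.wait(sid, interval_s=interval_s)
    return api.results(sid)

class FakeSplunk:
    """Constructed stand-in for splunkd: checks the token, issues one SID, answers RUNNING
    for `polls_until_done` status checks, and serves rows (instead of 204) only after that."""
    SID = "1645000000.123"
    def __init__(self, rows: List[dict], polls_until_done: int = 2, token: str = "example-token"):
        self.rows, self.remaining, self.token = rows, polls_until_done, token
    def __call__(self, method, path, params, headers):
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, '{"messages":[{"type":"ERROR","text":"Unauthorized"}]}'
        if method == "POST" and path == "/services/search/jobs":
            return 201, json.dumps({"sid": self.SID})
        if path == f"/services/search/jobs/{self.SID}":
            self.remaining -= 1
            done = self.remaining < 0
            state = {"isDone": done, "isFailed": False, "dispatchState": "DONE" if done else "RUNNING"}
            return 200, json.dumps({"entry": [{"content": state}]})
        if path == f"/services/search/jobs/{self.SID}/results":
            return (204, "") if self.remaining >= 0 else (200, json.dumps({"results": self.rows}))
        return 404, "{}"

SAMPLE_ROWS = [  # constructed, shaped like the post's "| table system, opcode, txcode, agency"
    {"system": "101", "opcode": "CREATE", "txcode": "TX01", "agency": "42"},
    {"system": "202", "opcode": "UPDATE", "txcode": "TX07", "agency": ""},
]
```

Against a real instance, replace FakeSplunk(...) with http_transport("https://splunk.example:8089") (a hypothetical host) and a token created under Settings > Tokens; keep the management port off the open internet and the instance's CA in your trust store rather than disabling verification.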
Currently, I have a table that gives me Severity Categories:

Sevcat I  Sevcat II  Sevcat III
5         10         12

I'm using the following SPL to generate this table:

| eval CATI = if(SEVCAT="I", 1,0)
| eval CATII = if(SEVCAT="II", 1,0)
| eval CATIII = if(SEVCAT="III", 1,0)
| stats sum(CATI) as "Sevcat I" sum(CATII) as "Sevcat II" sum(CATIII) as "Sevcat III"
| table "Sevcat I" "Sevcat II" "Sevcat III"

Is there some way to convert this table into a pie chart? Any help is appreciated.
-Marco

My query is:

Mozilla/5.0 (X11; Linux x86_64; Catchpoint) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

I want to extract the following word from the above string with regex; can you please help me?

Chrome/87.0.4280.88

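The extraction asked for above, as an added example that is not the poster's code. A single rex does it in Splunk (`| rex field=useragent "(?<chrome>Chrome/[\d.]+)"`, where useragent is an assumed field name); the Python below goes further and tokenizes the whole User-Agent into product/version pairs and parenthesised comments, which is what you want once you also care about the Catchpoint marker that labels the request as synthetic monitoring traffic rather than a person. SAMPLE_UA is the string from the question; the marker list is an assumption.

```python
"""User-Agent tokenizer (added example, not the post's code).

UA strings are a sequence of product/version tokens and parenthesised comment
groups; pulling one token such as Chrome/87.0.4280.88 falls out of parsing them all."""
import re
from typing import List, Optional, Tuple

# Either "Product/version" or "(comment; comment; ...)"; anything else is skipped.
UA_TOKEN_RE = re.compile(r"(?P<product>[A-Za-z][\w.-]*)/(?P<version>[\w.-]+)|\((?P<comment>[^)]*)\)")


def parse_user_agent(ua: str) -> Tuple[List[Tuple[str, str]], List[List[str]]]:
    """Return ([(product, version), ...], [[comment parts], ...]) in order of appearance."""
    products, comments = [], []
    for m in UA_TOKEN_RE.finditer(ua):
        if m["comment"] is not None:
            comments.append([part.strip() for part in m["comment"].split(";")])
        else:
            products.append((m["product"], m["version"]))
    return products, comments


def product_token(ua: str, name: str) -> Optional[str]:
    """The 'Name/version' token for one product, e.g. 'Chrome/87.0.4280.88', or None."""
    for product, version in parse_user_agent(ua)[0]:
        if product.lower() == name.lower():
            return f"{product}/{version}"
    return None


def is_synthetic(ua: str, markers: Tuple[str, ...] = ("Catchpoint",)) -> bool:
    """True when a comment group carries a known synthetic-monitoring marker (assumed list)."""
    _, comments = parse_user_agent(ua)
    return any(part in markers for group in comments for part in group)


SAMPLE_UA = ("Mozilla/5.0 (X11; Linux x86_64; Catchpoint) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36")  # the string from the question

if __name__ == "__main__":
    print(product_token(SAMPLE_UA, "Chrome"))  # Chrome/87.0.4280.88
    print(is_synthetic(SAMPLE_UA))             # True
```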
I spent a fair amount of time perusing Google and Splunk Answers but couldn't seem to find a solution that made sense... essentially the requirement I have is to display a timestamp in a Splunk dashboard in a specific timezone, regardless of what user preferences people have configured. The reason for this requirement is that we have several members located globally that have a legitimate/more frequent need to have their own timezone (so we can't ask them to change to Eastern) but the dashboard in question specifically needs to report on issues using Eastern time (they need to look the same for everyone). I feel like there must be some simple way to do this that I just haven't found.

I'm not doing anything complicated right now, I'm just converting a UNIX timestamp with strftime:

| eval openTime=strftime(openTime,"%m/%d/%Y %H:%M:%S")
| eval closedTime=strftime(closedTime,"%m/%d/%Y %H:%M:%S")

When I display them in a table they display in whatever the user preference is for timezone. Every solution I've tried doesn't really seem to be a solution. It is easy to convert a timestamp with a timezone to unix. It is also easy to convert unix to a timestamp that shows your local timezone... but so far it seems impossible to convert a unix timestamp to a specific timezone (and have it display in that timezone instead of whatever the user has configured). Thoughts? To reiterate, we cannot ask these users to change their timezone preference but these times MUST be shown in Eastern.

When I access my dashboard, I can see all the data and graphs on the panels except for one specific graph when I choose the "Prior 7 Days" option. All the other date ranges populate as expected. I've checked the source code and everything seems to be working properly. How can I get the graph/visualization for the one specific graph to show for the "Prior 7 Days"?

Sometimes we are not getting intermediate updates from ServiceNow to Splunk. In this case I need to send an alert saying that this update is missing in Splunk. Can someone please help with this issue?

Hello,

I'm trying to figure out how to do 3 months of HOT/WARM/COLD indexing but copy/forward logs every week to my frozen archive located in a separate location. I'm trying to compensate for some issues we are having with our infrastructure uptime.

Q: Does this make sense and is this possible? Could anyone provide examples or advice?
Q: Is there a difference in storage space used by sending data weekly vs monthly (or every 90 days)?

Also, Splunk is installed in a Windows environment.

Thank you,
Sean

Hi Experts,

I have installed an application on a Windows server which uses 3 services (like AAA, BBB, CCC) to measure the availability of the services. I would like to ingest the status of those 3 services into Splunk to showcase/display the availability of the application. I'm using the universal forwarder on the Windows server and have also installed Splunk_TA_Windows, but I am not sure how to filter and ingest only the 3 specific services. Please help in ingesting the data.

Regards,
Karthikeyan.SV

I have two queries:

1. index=A sourcetype=B "ERROR_A" | rex field=_raw "loginid (?<loginid>\d+) ::" | dedup loginid | table loginid

   Output, e.g.:
   123
   456
   789

2. index=A sourcetype=B "ERROR_B" | rex field=_raw "loginid (?<loginid>\d+) ::" | dedup loginid | table loginid

   Output, e.g.:
   878
   123
   456

Query 1 finds all the login IDs which failed because of ERROR_A and Query 2 finds all the login IDs which failed because of ERROR_B. I want to find all the login IDs which failed because of both ERROR_A and ERROR_B, so the expected result from the above is:

123
456

How can I combine both these queries, given that loginid is a field extracted from the raw logs?

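The intersection the post asks for, as an added example that is not the poster's code. In SPL the usual shape is one search over both errors followed by a grouping, for instance `index=A sourcetype=B ("ERROR_A" OR "ERROR_B") | rex field=_raw "loginid (?<loginid>\d+) ::" | eval err=if(searchmatch("ERROR_A"),"ERROR_A","ERROR_B") | stats values(err) as errs dc(err) as n by loginid | where n=2`; the Python below does the same grouping over constructed log lines so it runs offline. The timestamps, messages and IDs are made up for the example.

```python
"""Login IDs that failed with both ERROR_A and ERROR_B.

Added example, not the poster's code: the two SPL queries collapsed into one pass
over constructed log lines, grouping error types by loginid and keeping the IDs
seen with every required type. Timestamps, IDs and messages are made up."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

LOGIN_RE = re.compile(r"loginid (?P<loginid>\d+) ::")   # same pattern as the post's rex
ERROR_RE = re.compile(r"\b(ERROR_A|ERROR_B)\b")


def errors_by_login(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each loginid to the set of error types it was seen with (the stats step)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        err, lid = ERROR_RE.search(line), LOGIN_RE.search(line)
        if err and lid:  # lines without both an error type and a loginid are out of scope
            seen[lid["loginid"]].add(err.group(1))
    return dict(seen)


def logins_with_all(lines: Iterable[str],
                    required: Iterable[str] = ("ERROR_A", "ERROR_B")) -> List[str]:
    """IDs that hit every error in `required`: the intersection of the two result sets."""
    wanted = set(required)
    return sorted(lid for lid, errs in errors_by_login(lines).items() if wanted <= errs)


SAMPLE_LOGS = [  # constructed
    "2022-02-22 10:00:01 ERROR_A loginid 123 :: password rejected",
    "2022-02-22 10:00:05 ERROR_B loginid 123 :: token expired",
    "2022-02-22 10:01:10 ERROR_A loginid 456 :: password rejected",
    "2022-02-22 10:01:12 ERROR_B loginid 456 :: token expired",
    "2022-02-22 10:02:00 ERROR_A loginid 789 :: password rejected",
    "2022-02-22 10:02:30 ERROR_B loginid 878 :: token expired",
    "2022-02-22 10:03:00 INFO loginid 999 :: login ok",
]

if __name__ == "__main__":
    print(logins_with_all(SAMPLE_LOGS))  # ['123', '456']
```

The `required` parameter generalises the question: pass three error names and you get the IDs that hit all three, which is the same `where n=3` change in the SPL.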
All,

Will INDEXED_EXTRACTIONS = JSON perform the extractions on an All-in-One platform? Here is my props.conf. The sourcetype was executed but none of the fields were extracted. I can see the fields and values in _raw but they are not listed as fields. Here is what I see with an ad hoc search. The time "field" within _raw is Jan 5, 2022. I did index the data on 2/22/22 but I am uncertain where the _time field came from. It matches nothing in the data.

props.conf (no transforms.conf):

# created on 2/22/2022 for a test case using INDEXED_EXTRACTIONS=JSON
# The non-highlighted settings are identical to a known working stanza for the exact same data
[allfields_index_extracted]
INDEXED_EXTRACTIONS = JSON
NO_BINARY_CHECK = true
LINE_BREAKER = ([\r\n]+)
EVENT_BREAKER = ([\r\n]+)
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = false
TIME_PREFIX = ^"?{""?time""?:
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 17
category = Structured
description = INDEXED_EXTRACTIONS eq JSON
pulldown_type = 1
# Search Time stuff
# Disable search time field extractions since INDEXED_EXTRACTIONS=JSON
KV_MODE = none
AUTO_KV_JSON = false
disabled = false

Appreciate the help!

Hello,

Need to color cells in a dashboard table based on duplicate cell values (2 or more) within the same row. Here is the formatting code for the attached example.

<format type="color">
  <colorPalette type="sharedList"></colorPalette>
  <scale type="sharedCategory"></scale>
</format>

Thanks and God bless,
Genesius

index=instance1 sourcetype=source1 "Invalid-Access" | fields reqId | table reqId

The above query gives me a table as below:

12A
32B
34C

I am unable to write a query which takes all these values and searches for results in a different sourcetype=source2. I tried the below but am not getting the results. Can anyone help?

index=instance1 sourcetype=source2 [search index=instance1 sourcetype=source1 "Invalid-Access" | fields reqId | table reqId]

Hi all, I'm a beginner working with Splunk. I have 2 log files with the same name, but from 2 different hosts. I would like to compare both files for an expression (e.g. "server disconnected") and only get the result when the same expression is in both files in the same time period (last 10 min.), so that I could use the selection for a notification. I hope you understand what I mean. Thanks, Simon

Have a search result as:

GET https://…. | Status: 403 | Message: Forbidden | Duration: 166 | x-req-id: ssv5s-ssy67-78vshb | x-correlation-id: vsvsuj-75sys7-sbbjs7

Need to extract the value of x-req-id.

Tried this: extract pairdelim="|" , kvdelim=":" , which gives Status & Message & Duration but is not able to fetch x-req-id.

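Extracting x-req-id from that line, as an added example not from the original post. Two details shape it: a regex capture group cannot be named x-req-id, since group names allow only letters, digits and underscore, so a direct Splunk rex such as `| rex "x-req-id:\s*(?<x_req_id>[^|]+?)\s*(?:\||$)"` has to name the field x_req_id; and the leading segment (GET https://…) contains a colon but no key, so a parser that splits every segment on ":" would chop the URL. The Python below applies that same regex and also parses every segment generically; the URLs, IDs and extra sample lines are constructed.

```python
"""Extract x-req-id (and the other 'key: value' pairs) from a pipe-delimited log line.

Added example, not the poster's code. SAMPLE_LINES are constructed in the shape of
the line in the question; the hostnames and IDs are made up."""
import re
from typing import Dict, Iterable, List, Optional

# "key: value" where the key may contain hyphens (x-req-id); the group name may not.
SEGMENT_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_-]+)\s*:\s*(?P<value>.*?)\s*$")
# The direct extraction: value runs up to the next " |" or end of line.
REQ_ID_RE = re.compile(r"x-req-id:\s*(?P<x_req_id>[^|]+?)\s*(?:\||$)")


def extract_req_id(line: str) -> Optional[str]:
    """Just the x-req-id value, the same way the rex in the lead-in does it."""
    m = REQ_ID_RE.search(line)
    return m["x_req_id"] if m else None


def parse_pipe_kv(line: str) -> Dict[str, str]:
    """All fields of the line. Segments are split on ' | ' rather than ':' so the URL's
    own colon survives; the keyless first segment is kept under 'request'. Hyphenated
    keys are normalised to underscores so they are usable as field names downstream."""
    fields: Dict[str, str] = {}
    for segment in line.split(" | "):
        m = SEGMENT_RE.match(segment)
        if m is None:
            fields.setdefault("request", segment.strip())
            continue
        fields[m["key"].lower().replace("-", "_")] = m["value"]
    return fields


def forbidden_request_ids(lines: Iterable[str]) -> List[str]:
    """x-req-id of every 403 in a batch: the pivot to hand to the upstream team or to
    search by on the other side of the API boundary."""
    ids = []
    for line in lines:
        f = parse_pipe_kv(line)
        if f.get("status") == "403" and "x_req_id" in f:
            ids.append(f["x_req_id"])
    return ids


SAMPLE_LINES = [  # constructed
    "GET https://api.example.test/v1/orders | Status: 403 | Message: Forbidden | Duration: 166"
    " | x-req-id: ssv5s-ssy67-78vshb | x-correlation-id: vsvsuj-75sys7-sbbjs7",
    "GET https://api.example.test/v1/orders/7 | Status: 200 | Message: OK | Duration: 12"
    " | x-req-id: aa11-bb22-cc33 | x-correlation-id: dd44-ee55-ff66",
    "POST https://api.example.test/v1/login | Status: 403 | Message: Forbidden | Duration: 9"
    " | x-req-id: gg77-hh88-ii99 | x-correlation-id: jj00-kk11-ll22",
]

if __name__ == "__main__":
    print(extract_req_id(SAMPLE_LINES[0]))      # ssv5s-ssy67-78vshb
    print(forbidden_request_ids(SAMPLE_LINES))  # ['ssv5s-ssy67-78vshb', 'gg77-hh88-ii99']
```

A value that itself contains " | " would still be split; if the upstream service can emit that, the fix is to quote values at the source rather than to guess at the parser.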
Hello all,

I have a scenario where I need to make calculations regarding license consumed, per host. However, in the license_usage log the host value was squashed and I cannot fix it for past events.

My theory to calculate average license consumption per host is:

1 - Calculate license used per index, per day:

index=_internal source="*license_usage.log" component=LicenseUsage type=usage (idx=set1_*)
| timechart useother=false limit=100 span=1d sum(b) by idx
| fillnull value=0

Output example for daily license consumption:

Date        set1_index1  set1_index2  set1_index3
22-02-2022  345          354          343
21-02-2022  3463         3463         234

2 - Calculate the distinct number of hosts in each index, using tstats:

| tstats values(host) as hosts, dc(host) as total_hosts where (index=set1_*) by _time,index
| timechart useother=false limit=100 span=1d max(total_hosts) as "TotalHosts" by index
| fillnull value=0

Output example for number of hosts per index:

Date        set1_index1  set1_index2  set1_index3
22-02-2022  2            6            4
21-02-2022  4            1            2

ISSUE: The names of the columns are not static. I can only use a prefix, defined in the index naming conventions.

Objective: If I am able to divide the daily license consumption by the number of hosts, I have the average consumption per host. Can any of you help me find how I can divide the values in the first query by the ones in the second query, getting an output similar to the table below?

Date        set1_index1  set1_index2  set1_index3
22-02-2022  172,5        59           85,75
21-02-2022  865,75       3463         117

Thanks in advance for your help on this issue.

Hi, struggling why I can't seem to get this working. I want to have an alert evaluate to true (trigger) based on whether it is deemed active or inactive in a lookup table. The idea would be that the SPL would always check the lookup and, if the alert SPL evaluates to true, it would do its normal action. This way, we can have numerous alerts that are disabled (evaluate to false) by just updating one value in a lookup table and not clicking Disable for all alerts. I was thinking I could do something like this:

index=main
| append [| inputlookup AlertSample.csv where AlertName=MySampleName | fields IsOn]

and just append the value IsOn to all the events, but it's not working and I have tried many variants of SPL. Suggestions or a better way of doing this? Thank you! Chris

Hi all,

Hope you are well. I have a task about getting users' Chrome extension lists with Splunk search queries. I couldn't figure out how I can do this. I am new to Splunk and sometimes I may ask too many questions of the community. Sorry about this. Thanks in advance.

Best Regards.

Hi,

I am creating a time chart of the average temperature ranges (max temp - min temp) in the UK over the last 30 years. This is my current code:

index="midas_temp" MET_DOMAIN_NAME=DLY3208
| eval trange=MAX_AIR_TEMP - MIN_AIR_TEMP
| timechart avg(trange)

Currently the X-axis displays the years 1992-2019 as separate years, but I want to convert the X-axis into months of the year (i.e. January - December), so the graph shows the average daily temperature ranges from 1992-2019 over a one-year interval.

Thanks

Hello all,

I'm trying to connect my indexer cluster to an on-premise S3 storage. I'm using the master node to do it. I've tested the access credentials with a standalone instance outside my cluster and it works.

Now, I'm trying to use 2 different apps to declare the volume and the index, like this:

.../master-apps/common_indexers/local/indexes.conf

# volume stanza
[volume:bucket1]
storageType = remote
path = s3://bucket1
remote.s3.endpoint = https://mys3.fr
remote.s3.access_key = xx
remote.s3.secret_key = xx
remote.s3.signature_version = v2
remote.s3.supports_versioning = false
remote.s3.auth_region = EU

.../master-apps/common_indexes/local/indexes.conf

# index stanza
[index1]
homePath = $SPLUNK_DB/$_index_name/db
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
coldPath = $SPLUNK_DB/$_index_name/colddb
remotePath = volume:bucket1/$_index_name

When validating the bundle, I have this error:

<bundle_validation_errors on peer>
[Critical] Unable to load remote volume "bucket1" of scheme "s3" referenced by index "index1": Could not find access_key and/or secret_key in a configuration file
[Critical] in environment variables or via the AWS metadata endpoint.

I don't understand what is wrong... File precedence is respected, i.e. volumes are read before indexes. I verified that splunk is the owner of the files and has correct access to them.

I'm out of ideas.

Thank you in advance for your suggestions.

Regards,
Ema

Hello,

I would like to disable the warning showing in the SH cluster for non-admin users, or is there any way to hide that warning showing up in the DB Connect UI? I read a few docs in Splunk but was not able to find an accurate answer, so I am looking forward to the same. Attaching a screenshot for clarification.

Thanks,
Akhil Shah