How can I modify the alerting on Splunk Website performance monitoring to ONLY alert on sites that are actually down, NOT URLs where the response code = 200 (OK)? Please see the alert and alert condition below. Thank You!
Hello, please help me with the rex commands for extracting the below fields from the JSON data: "resourceName" : "abcd", "hostname" : "ipvalue", "environment" : "development"
Hello Splunkers! How would one view the parameters of the indexes.conf by using a SPL statement? The below SPL statement doesn't seem to work. Any help is greatly appreciated!
| rest splunk_server=<hostname>/services/configs/conf-indexes | transpose
Hi, we have 3 search heads in a SHC, and I am planning to deploy "Splunk_SA_CIM" in my SHC from the Deployer. Question 1 - Once "Splunk_SA_CIM" is deployed on the SHC members, and then for example I edit the "cim_Network_Traffic_indexes" macro from the Search Head GUI (search heads are behind a LB), add the firewall index to it, and then accelerate the "Network Traffic" DM from the GUI, will this accelerate this DM on all 3 search head members, and will the macro be updated on all 3 SH members too? Question 2 - Or should I make the above changes in the "Splunk_SA_CIM" app under the "local" folder in macros.conf and datamodels.conf on the deployer and push to the SHC? Question 3 - What is the correct way to manage/update datamodel config in the "Splunk_SA_CIM" app (adding indexes, enabling acceleration, adding/removing fields) in a search head cluster which will also have the Enterprise Security app installed in the near future?
After upgrading to 8.2.4, the Splunk Enterprise cluster is now reporting this error: Unable to initialize modular input "relaymodaction" defined in the app "Splunk_SA_CIM": Introspecting scheme=relaymodaction: script running failed (PID 27150 exited with code 1)
We are working on automating the installation and configuration of Splunk DB Connect. For the purposes of this question we are using DB Connect version 3.6.0. My question is how does the identity.dat file get generated? We know it gets generated on a fresh DB Connect install the first time an identity is created manually. Our issue is that the DB Connect API endpoint for creating identities returns a 200 OK when creating an identity for the first time, but it does not get created and no identity.dat file is generated. If after a fresh install of DB Connect we manually add an identity through the UI, the identity.dat file is successfully generated. We are then able to hit the endpoint to create identities and it creates them correctly. The endpoint that we are hitting is:
/servicesNS/nobody/splunk_app_db_connect/db_connect/dbxproxy/identities
The payload that we are uploading to the endpoint is formatted as such:
def output(self):
    # Build the identity payload sent to the dbxproxy identities endpoint
    data = {}
    data["name"] = self.db_identity_name
    data["username"] = self.db_username
    data["password"] = self.db_password
    data["disabled"] = self.disabled
    data["domain_name"] = self.domain_name
    data["use_win_auth"] = self.use_win_auth
    return data
Hi, when using the Lookup Editor app (https://splunkbase.splunk.com/app/1724/), it allows the user to save fields with leading and trailing spaces. Is there a plan to update the app to trim them, and/or alternatively is there a quick fix, apart from user training? Thanks, laks. @Anonymous - Any thoughts pls? Thx
Hi, I have an event:
----------------------- DISK INFORMATION ----------------------------
DISK="/dev/sda" NAME="sda" HCTL="0:0:0:0" TYPE="disk" VENDOR="VMware " SIZE="50G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE"
DISK="/dev/sdb" NAME="sdb" HCTL="0:0:1:0" TYPE="disk" VENDOR="VMware " SIZE="500G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="0" BOOTDISK="FALSE"
I have multiple DISK, NAME etc. in a single event. I tried the below query:
from index | Firmware_Version="----------------------- DISK INFORMATION --------------------------*" host="abc" | extract pairdelim="{=}" kvdelim=" " | table host DISK NAME TYPE
but I am getting only /dev/sda. I need /dev/sdb as well. Thanks in advance
Hi, the <selection> in the code below is not working correctly and I can't figure out why. I am looking to select the time when I click on a bar on the graph, to give me the time of the bar; however, it is always giving me the start time of the graph and not the zoomed-in time of the bar.
<panel depends="$host_token$">
  <chart>
    <title>Sig Events Error Count by MX Component</title>
    <search>
      <query>| mstats max("mx.process.errors") prestats=true WHERE "index"="metrics_test" AND mx.env=$host_token$ AND log.type=sig-event span=60s BY "log.type" pid replica.name service.name | search "psrsvd_nx_mx.process.errors" &gt; 0 | rename "service.name" as service_name | rename "replica.name" as replica_name | eval Process_Name=((service_name . " # ") . replica_name) | timechart max("mx.process.errors") AS Error_Log_Nb by Process_Name limit=10000 | eval Error_Log_Nb=substr(Error_Log_Nb, 1, len(Error_Log_Nb)-7)</query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.legend.placement">bottom</option>
    <option name="refresh.display">progressbar</option>
    <selection>
      <set token="time_token_selection.earliest">$start$</set>
      <!--set token="time_token_selection.latest">$end$</set-->
      <eval token="time_token_selection.latest">$time_token_selection.earliest$+5</eval>
    </selection>
  </chart>
</panel>
In the below we can see I am clicking on the bar. However, the time in the tokens is the start and end, not the time of the bar that I have clicked on. Regards, Robert
Hi, I have missed the DB collector credentials while re-installing the controller, and I have a backup file of the older controller folders. Kindly let me know where I can find those DB collector configuration files in the older controller folder. Thanks
Hello - What version of Java/JDK is AppDynamics licensed to use with their software WRT agents? There's some concern with Oracle lawyers going after organizations using their Java JDK software. Does AppDynamics have a license/agreement with Oracle? Can we use OpenJDK or Corretto instead? Thanks.
Hi Team, I have one abc.csv file with only one column, Source_IP, where the values are in 10.10.10.0/24 format. Next I have index=xyz which has multiple columns such as dst, city, country; src is one of the columns. Here I need all data from index=xyz where Source_IP from abc.csv matches the src column of index=xyz. I have uploaded the file successfully but am unable to find the relevant query to fetch the data.
This is my first post here! I am new and I am learning. Hi Experts, I have data like below coming into a csv file.
ref1     toref1
16YcK36  bc46
20Sdj60  fg64
13Nbc46  dj60
15Nfg64  nf32
13Tnf32  cK36
And for my end result, I would like the table to be like below (Edited: my search should be sorted on column no. 2, which should match the last 4 characters of column 1). Please refer to the below table. Thanks in advance.
ref1_tobe  toref1_tobe
16YcK36    cK36
20Sdj60    dj60
13Nbc46    bc46
15Nfg64    fg64
13Tnf32    nf32
----------------------- DISK INFORMATION ----------------------------
DISK="/dev/sda" NAME="sda" HCTL="0:0:0:0" TYPE="disk" VENDOR="VMware " SIZE="210G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE"
DISK="/dev/sdb" NAME="sdb" HCTL="0:0:1:0" TYPE="disk" VENDOR="VMware " SIZE="100G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="0" BOOTDISK="FALSE"
My log (multiline event) looks like this, but Splunk is automatically extracting just the first line. I want to extract all the values, for example: NAME=sda NAME=sdb. Could someone please help me with it?
host="SPL-SH-DC" sourcetype="csv" source="****" Severity!="Info" Severity!="low" Plugin_Name!="SSL Certificate with Wrong Hostname" Plugin_Name!="Unix Operating System Unsupported Version Detection" Plugin_Name!="SSL Self-Signed Certificate" Plugin_Name!="SSL Certificate Cannot Be Trusted" Port!="8089" Port!="6502" | table IP_Address,device_name,Plugin_Name, Severity,model, Protocol, Port, Exploit, Synopsis, Description, Solution, See_Also, CVSS_V2_Base_Score, CVE,Plugin
Thanks for your help!
I am looking to format an LDAP-extracted distinguishedName to a domain.
Example: CN=Username,OU=Folder,OU=Folder,DC=domain,DC=com
Output: domain.com
Hi there all. I am in a bit of a catch-22. I have a process that cannot send data over HTTPS because the HEC is using a self-signed certificate and the process I am using will not allow that. However, I cannot send HTTP because the HEC is set for HTTPS input, and so it is getting rejected by the Splunk HEC. Is there a way to have the HEC collect BOTH HTTP and HTTPS and set the requirement based on the input? Thanks
Hi everyone, I have in a table the result of a scanning script. Of course, the cells are much too large. Is there a way to minimize them and maximize them if necessary? A drilldown to a new page would also be OK, but how can I shorten or change the text in the cell so that the drilldown function is still possible, since I use "clickvalue"?
Hi All, I am working on Splunk Cloud Classic and got a request to onboard the MySQL server database logs to Splunk. I have gone through the documentation and am aware of creating the identity, connection and input. Q1. Where do I place these configurations, on the heavy forwarder or on Splunk Cloud? Q2. From where do I get the JRE path and where do I install the JDBC drivers? As it's a cloud environment I am quite confused about this, and we are not allowed to change any configurations using the web UI; everything is done using the config files in Bitbucket. Q3. How do I set up the server class for this? Thank you.
We are getting /var/log files monitored from the endpoints and sent to Splunk using syslog-ng on a single TCP port. Now when we see the events in Splunk, it is a combination of all of /var/log/secure, /var/log/messages etc. in a single index and syslog sourcetype. How can I identify just the /var/log/secure events out of it and send them to another index from the Splunk side? I am trying to make use of props like below but am not sure what the regex would be for identifying just the /var/log/secure events. Any help is appreciated.
####props
[linux_secure]
SOURCE_KEY = _raw
REGEX = ***Need REX for /var/log/secure events****
DEST_KEY = _MetaData:Index
FORMAT = abc_index