I'm trying to combine 2 CSV files, where:

- test-ad has the fields "EmailAddress" and "Enabled";
- "Composição das tribos - Relação funcionários.csv" has the fields "email" and "rh_status".

So, I can't combine the results:

    index="teste-ad" OR (index="tst-compliance" AND source="Composição das tribos - Relação funcionários.csv")
    | eval em=coalesce(EmailAddress,email)
    | table em Enabled rh_status
Hello everyone, hope you are all well this afternoon. I am trying to combine 2 searches where the outer search passes a value to the inner search and then appends the results. Let me explain:

As of right now, I am searching a set of logs that happens to include people's names and their request type when they call the bank. The one I am focused on is "withdraw inquiry." So we get a list of all people who try to withdraw money based on the following base search.

    index=myIndex sourcetype=mySource request_type="withdraw inquiry"
    | xmlkv DetailXML
    | stats count, values(phone_number), values(activity_summary), values(request_type) values(email) by acct_num name_last name_first
    | where count > 1
    | sort - count

I have made this into a dashboard and then subsequently added a drilldown. You click the panel and it then searches a lookup table called Previously_Compromised_Accounts.csv. That search is this:

    | inputlookup Previously_Compromised_Accounts.csv
    | search name=*$clickValue$*
    | table date user

How can I combine this search? Basically, I would like to add another column "compromisedUser" to the base search. If the base search is run, then a secondary search would be performed, using the value of "name_last" to search the lookup table, which then appends the results to the base search as "compromisedUser". If no results come from the search of Previously_Compromised_Accounts.csv, then that 8th column can remain blank.

    accountNumber  name_first  name_last  call count  values(phone_number)  values(activity_summary)  values(email)          compromisedUser
    123456678      Smith       John       3           1235550987            withdraw inquiry          JohnSmith@company.com  26DEC2021 jsmith001
Hi team, I have the following table with results:

    ID   processing time  actor
    123  20               actor1
    123  30               actor2
    123  40               actor3

And I'd like to combine them as a single result like:

    ID   actor1  actor2  actor3
    123  20      30      40

The list of actors is not known in advance. Is this possible? Thank you
Hello there, I am attempting to install splunk forwarder version 8.2.3-cd0848707637 on a RHEL 7.8 server using an ansible script. Here is the ansible script:

    - hosts: all
      vars_prompt:
        - name: splunk_idxcluster
          prompt: What is the indexer password for symmetric key?
        - name: splunk_uf_admin
          prompt: What is the admin password?
      vars:
        deploymentserver: ***************************
        clustermaster: ****************************
      tasks:
        - name: Install Splunk UF package
          become: yes
          become_method: dzdo
          yum:
            name: splunkforwarder
            state: latest
          register: splunkpackage

        - name: Check if ftr file exists
          stat:
            path: /opt/splunkforwarder/ansible_splunk.ftr
          register: splunkftr

        - name: Set ACL to allow splunk user access to log files
          become: yes
          become_method: dzdo
          acl:
            path: "/opt/splunkforwarder"
            recursive: yes
            permissions: rwx
            entity: splunk
            etype: group
            state: present

        - name: Create user-seed file
          become: yes
          become_method: dzdo
          copy:
            dest: "/opt/splunkforwarder/etc/system/local/user-seed.conf"
            owner: splunk
            group: splunk
            content: |
              [user_info]
              USERNAME = admin
              PASSWORD = {{ splunk_uf_admin }}
          register: seedfile
          when: splunkftr.stat.exists == False

        - name: First run to accept license
          # note: in Ansible, become_user only takes effect together with become: yes
          become_user: splunk
          become_method: dzdo
          command: /opt/splunkforwarder/bin/splunk start --accept-license --no-prompt
          register: splunklicense
          when: splunkftr.stat.exists == False

        - name: Enable UF to start at boot as user splunk
          shell: /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
          register: splunkbootstart
          when: splunkftr.stat.exists == False

        - name: Build outputs.conf to check-in with indexer cluster master
          copy:
            dest: "/opt/splunkforwarder/etc/system/local/outputs.conf"
            owner: splunk
            group: splunk
            content: |
              [tcpout]
              defaultGroup = cluster

              [tcpout:cluster]
              indexerDiscovery = cluster
              clientCert = /opt/splunkforwarder/etc/auth/server.pem
              sslPassword = password
              sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem
              sslVerifyServerCert = false
              useACK = true

              [indexer_discovery:cluster]
              pass4SymmKey = {{ splunk_idxcluster }}
              master_uri = {{ clustermaster }}
          when: splunkftr.stat.exists == False

        - name: Configure UF to check-in with the deployment server
          shell: "sudo -u splunk /opt/splunkforwarder/bin/splunk set deploy-poll {{ deploymentserver}} -auth admin:{{ splunk_uf_admin }}"
          when: splunkftr.stat.exists == False

        - name: Create Splunk ftr file to convey Splunk has already been setup before
          file:
            path: "/opt/splunkforwarder/ansible_splunk.ftr"
            state: touch
          when: splunklicense is succeeded and splunkbootstart is succeeded

        - name: Set ACL to allow splunk user access to log files
          acl:
            path: "/u/log"
            recursive: yes
            permissions: rwx
            entity: splunk
            etype: group
            state: present

        - name: Add /u/log to watched directories
          shell: /opt/splunkforwarder/bin/splunk add monitor /u/log -index applogs -sourcetype %elasticsearch%
          ignore_errors: yes

When I get to the "First run to accept license" step, I get an error "Please run 'splunk ftr' as boot-start user". I have tried running "splunk ftr" as splunk, but then I get the same error, so I'm not sure it's doing anything. Any help would be greatly appreciated!
Hi all, I have the below table:

    service name  Status
    /app/test1    Success:90% Warning :8% Failure :2%
    /app/test2    Success: 80% Warning 2% Failure :18%

I want to color the cell based on the success values: above 90% green, 80 to 90% amber, etc.
Hello, I want to monitor whether a user runs a new search in our environment or creates a new alert. I tried to use this query:

    | rest /services/saved/searches
    | search action.email.to=* OR action.email.to=*
    | where disabled=0
    | table title, search, updated

The problem is that there is no time field in order to compare the 'updated' value with time to know if there is something new. Is there any other way to check for new entries?
Hi. I'm trying to add a new input with the Tenable add-on: https://splunkbase.splunk.com/app/4060/ When adding a new input I can enter a "start time" from when the add-on will start collecting data from Tenable, as opposed to "all time" I suppose, but no matter how I format my timestamp, the add-on won't accept it. See screenshot. I've tried all sorts of variations, but all fail. I've also looked at the documentation (https://docs.tenable.com/integrations/Splunk/Content/Splunk2/CreateInput.htm), which suggests another time format than the add-on itself (probably not updated), but that isn't working either. Has anyone gotten this to work, and if so, what is the correct way of formatting the timestamp?
Hello all, I have a Japanese-language Windows server from which I am testing pushing the data to the Tier1 index. However, although the language setting on the server is Japanese, all the data is pushed as English. Adding the inputs and props files that are configured as below on the UF on the Windows server. Please let me know how I do this.

inputs.conf:

    ###### OS Logs ######
    [WinEventLog://Application]
    disabled = 0
    start_from = oldest
    current_only = 0
    checkpointInterval = 5
    # only index events with these event IDs.
    whitelist = 0-2000,2001-10000
    index = acn_infra360-wineventlog_default_tier1_idx
    _TCP_ROUTING = winevent_dev1
    renderXml=false

    [WinEventLog://Security]
    disabled = 0
    start_from = oldest
    current_only = 0
    checkpointInterval = 5
    # only index events with these event IDs.
    whitelist = 0-2000,2001-10000
    index = acn_infra360-wineventlog_default_tier1_idx
    _TCP_ROUTING = winevent_dev1
    renderXml=false

props.conf:

    [WinEventLog://Application]
    description = Windows Event Monitoring
    CHARSET = SHIFT-JIS
    BREAK_ONLY_BEFORE = \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}
    TIME_FORMAT = %m-%d-%Y %T
    sourcetype = WinEventLog:Application

    [WinEventLog://Security]
    description = Windows Event Monitoring
    CHARSET = SHIFT-JIS
    BREAK_ONLY_BEFORE = \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}
    TIME_FORMAT = %m-%d-%Y %T
    sourcetype = WinEventLog:Security

Also, attaching the screenshot of the event viewer from the server.
Hello, I have a backend implementation utilizing the Java SDK. I execute a search that is finalized successfully (the search is limited to return the first 10 records) as the 1st step of an overall logic. Based on this result set I execute another search in a loop that streams its results back to the front-end application once it gets data (one execution per record returned by the 1st search). In that part I am always executing exactly the same search but with different parameters (results of the 1st search). After a few executions in that loop, once the standard timeout for one execution is reached (60 sec), I receive a "...com.splunk.HttpException: HTTP 404 -- Unknown sid" exception. When I debug my code I can see that the exception is thrown on a job in RUNNING state. All previous jobs in that loop are marked as DONE, and all "ResultsReaders" are closed. It seems that expiration is evaluated on the start time of the first job in an execution, not based on the actual one (even if a job is declared in the Java code as a new job). How is the job expiration logic working?

Note: I am not asking "why are you calling it in a loop"; I am asking for information on how to properly close/finalize a normal job execution so I reset the timer for each execution of this normal job.

Thanks for your answers, notes, updates. Jakub
Hi all, I have the below search. I am being told it appends results to a lookup table called user_ids.

    index=ad earliest=-15d
    | stats latest(_time) as _time, latest(profile.department) as bunit, latest(profile.legacyUsername) as legacyUsername, latest(profile.userType) as category by userID
    | append [|inputlookup user_ids]

In all the posts I have seen so far, people recommend using the outputlookup command to append.

Can someone please explain how append [|inputlookup user_identities] ends up appending in my case? How is this different from | outputlookup append=true user_ids.csv ?
Hi, I have a list of error codes that is available here: https://www.ibm.com/docs/en/ibm-mq/9.1?topic=exceptions-jms-exception-messages

How can I extract them and show them on a timechart? What is the best way to do this? I mean, when we have a list of different error codes, and don't extract them one by one.

FYI1: as I see it, the unique error keywords in this scenario are: AMS, JMSWMQ, MQJCA, MQJMS, JMSXY, JMSMQ, JMSIC, JMSFMQ, JMSCS, JMSCMQ, JMSCC, JMSBM

FYI2: these errors are random, not a fixed pattern that extracts easily; sometimes they are located in the first part of each line, sometimes in the middle, sometimes at the end.

Any idea? Thanks
Hello, I'm experiencing some issues with my Cluster Master. The instance for the CM had to be replaced and Splunk was reinstalled on a new instance. The configuration was deployed exactly how it was before (the CM was working fine) when moving to this new instance with the Cluster Master. The issue is the following:

    Failed to contact license master: reason='Unable to connect to license master=https://xxxxxxxx-mc1:8089 Error resolving: Name or service not known'

Thanks to anyone that could lend a helping hand
I think savedsearches.conf contains information about alerts and reports. If you execute the following btool command and check the result, which is the report or the alert? I can't tell.

    splunk btool savedsearches list

<Question 1> From the btool results, what parameters can I look at to determine that the stanza is a report?

<Question 2> From the btool results, what parameters can I look at to determine that the stanza is an alert?
I have a field "hostname" in splunk logs which is available in my event as "host = server.region.ab1dc2.mydomain.com". I can refer to host with the same name "host" in the splunk query. I want to extract the substring with 4 digits after two dots; for the above example, it will be "ab1d". How should my splunk query look for this extraction? Basically I have been given a string, and want to skip two dots and then take the four characters after that.
I have the below log file, which I indexed with the props below.

    type=PROCTITLE msg=audit(02/08/2022 15:00:01.749:4321) : proctitle=xxxx
    type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=1 name=xxx mode=file,644
    type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=0 name=sfsdfds mode=file,644 ouid=root
    type=CWD msg=audit(02/08/2022 15:00:01.749:4321) : cwd=/
    type=SYSCALL msg=audit(02/08/2022 15:00:01.749:4321) : arch=x86_64 syscall=open success=yes exit=3 a0=dsfdsfds a1=dfsdf a2=sdfsdf a3=sdfsdf
    ----
    type=CRED_ACQ msg=audit(02/08/2022 15:00:01.749:4322) : pid=30891
    ----
    type=LOGIN msg=audit(02/08/2022 15:00:01.751:4323) : pid=30891
    ----
    type=USER_ACCT msg=audit(02/08/2022 15:00:01.751:4324) : pid=30892
    ----

props.conf:

    [src_type]
    SHOULD_LINEMERGE = false
    LINE_BREAKER = (----\s)

It properly gets indexed with line breaking, but when I search for values(type) on the search head it is not giving all the values. For example, from the first event values(type) is supposed to be a multivalue field with PROCTITLE, PATH, CWD, SYSCALL, but it only has the single value PROCTITLE.

Why is the type value not properly getting extracted? Am I missing something with the props configuration?

Thanks for the help in advance :)
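For reference, this is what the poster expects per event: one "----"-delimited chunk holds several audit records, each with its own type=, all sharing the serial in msg=audit(...:serial). The Python below is an added example (not the poster's configuration and not Splunk's extraction) that splits the sample above on the same separator the LINE_BREAKER uses, collects every type= as a multivalue list, and keeps repeated keys such as name= as lists too. The sample log is a constructed copy of the records in the post.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the records in the post (not the poster's real
# data). "----" separates events, matching the props.conf LINE_BREAKER.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(02/08/2022 15:00:01.749:4321) : proctitle=xxxx
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=1 name=xxx mode=file,644
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=0 name=sfsdfds mode=file,644 ouid=root
type=CWD msg=audit(02/08/2022 15:00:01.749:4321) : cwd=/
type=SYSCALL msg=audit(02/08/2022 15:00:01.749:4321) : arch=x86_64 syscall=open success=yes exit=3 a0=dsfdsfds a1=dfsdf a2=sdfsdf a3=sdfsdf
----
type=CRED_ACQ msg=audit(02/08/2022 15:00:01.749:4322) : pid=30891
----
type=LOGIN msg=audit(02/08/2022 15:00:01.751:4323) : pid=30891
----
type=USER_ACCT msg=audit(02/08/2022 15:00:01.751:4324) : pid=30892
----
"""

# A separator line on its own, the same boundary the LINE_BREAKER (----\s) uses.
EVENT_SEPARATOR = re.compile(r"^----\s*$", re.MULTILINE)

# One audit record: type=..., then msg=audit(<timestamp>:<serial>) and a body.
# The timestamp itself contains colons, so the serial is taken as the last
# ":<digits>" before the closing parenthesis.
RECORD_HEADER = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>.+?):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$"
)

# key=value pairs in a record body (values run to the next whitespace).
KV = re.compile(r"(\w+)=(\S+)")


def split_events(text):
    """Cut the raw log into events on the '----' separator lines."""
    return [chunk.strip() for chunk in EVENT_SEPARATOR.split(text) if chunk.strip()]


def parse_event(chunk):
    """Parse one multi-record event into its serial, the ordered list of
    record types, and every key=value pair as a list (keys repeat across
    records, e.g. name= in the two PATH records)."""
    types = []
    fields = defaultdict(list)
    serial = None
    for line in chunk.splitlines():
        m = RECORD_HEADER.match(line)
        if not m:
            continue  # not an audit record line; ignore
        serial = m.group("serial")
        types.append(m.group("type"))
        for key, value in KV.findall(m.group("body")):
            fields[key].append(value)
    return {"serial": serial, "types": types, "fields": dict(fields)}


def parse_audit_log(text):
    """Parse a whole log into a list of event dicts."""
    return [parse_event(chunk) for chunk in split_events(text)]


def distinct_types(event):
    """The multivalue 'type' the poster expects: unique values, first-seen order."""
    return list(dict.fromkeys(event["types"]))


if __name__ == "__main__":
    for event in parse_audit_log(SAMPLE_LOG):
        print(event["serial"], distinct_types(event))
```

Running it prints serial 4321 with PROCTITLE, PATH, CWD, SYSCALL, then one type each for 4322, 4323 and 4324, which is the multivalue result the question is after.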
Hi, I have a last run epoch time and a cron schedule (i.e. "*/5 * * * *") in a _raw event and I'd like to parse this information to output the next run. Do you have any idea how to do this? I found this add-on: https://splunkbase.splunk.com/app/4078/ but it does not allow me to use a custom "last run time" and always takes the earliest time of my search as an input. Thanks
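The computation the poster wants is small enough to do without the add-on. The Python below is an added example (not the add-on's code and not the poster's) that takes a 5-field cron expression and a last-run epoch and returns the epoch of the next matching minute. Assumptions: times are evaluated in UTC, the expression uses the common Vixie cron syntax (*, lists, ranges, steps, 7 as Sunday), and when both day-of-month and day-of-week are restricted either one may match, as Vixie cron does. The sample epoch 1644332400 (2022-02-08 15:00:00 UTC) is constructed, not from the poster's data.

```python
from datetime import datetime, timedelta, timezone

# (low, high) bounds for minute, hour, day-of-month, month, day-of-week.
# Day-of-week accepts 7 as an alias for Sunday (0); it is folded to 0 below.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def expand_field(field, lo, hi):
    """Expand one cron field into the set of integers it allows.
    Supports *, n, a-b, */s, a-b/s, n/s and comma-separated lists."""
    allowed = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in cron field {field!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if step > 1 else start   # "5/10" means 5, 15, 25, ...
        if not (lo <= start <= end <= hi):
            raise ValueError(f"value out of range in cron field {field!r}")
        allowed.update(range(start, end + 1, step))
    return allowed


def next_run(cron_expr, last_run_epoch, max_days=366):
    """Epoch of the first minute after last_run_epoch that matches cron_expr
    (5-field Vixie cron, evaluated in UTC), or None if nothing matches
    within max_days."""
    fields = cron_expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 cron fields: min hour dom mon dow")
    minute, hour, dom, month, dow = (
        expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)
    )
    dow = {d % 7 for d in dow}                 # 7 -> Sunday (0)
    # Vixie cron rule: when both day fields are restricted, either may match.
    dom_restricted = fields[2] != "*"
    dow_restricted = fields[4] != "*"

    t = datetime.fromtimestamp(last_run_epoch, tz=timezone.utc)
    t = t.replace(second=0, microsecond=0) + timedelta(minutes=1)
    deadline = t + timedelta(days=max_days)
    while t < deadline:
        if t.month not in month:               # jump to the 1st of next month
            t = (t.replace(day=1, hour=0, minute=0) + timedelta(days=32)).replace(day=1)
            continue
        dom_ok = t.day in dom
        dow_ok = (t.weekday() + 1) % 7 in dow  # Python Monday=0 -> cron Sunday=0
        day_ok = (dom_ok or dow_ok) if (dom_restricted and dow_restricted) else (dom_ok and dow_ok)
        if not day_ok:
            t = t.replace(hour=0, minute=0) + timedelta(days=1)
            continue
        if t.hour not in hour:
            t = t.replace(minute=0) + timedelta(hours=1)
            continue
        if t.minute not in minute:
            t += timedelta(minutes=1)
            continue
        return int(t.timestamp())
    return None


if __name__ == "__main__":
    # Constructed input: last run at 2022-02-08 15:00:00 UTC.
    print(next_run("*/5 * * * *", 1644332400))   # 1644332700, i.e. 15:05:00 UTC
```

The search is a minute-by-minute walk with coarse skips (month, day, hour), which is plenty fast for a one-off computation and keeps the matching rules easy to audit. If the schedule is defined in a non-UTC timezone, convert the epoch with that tz before calling the function and convert the result back.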
Hello, I have one question about monitoring a HF. I found many ways to get the outgoing data rate on the HF (how much data the HF sends to the IDX), but how do I find the incoming data rate on the HF? In other words, how do I find how much data is coming from sources to the HF (in total is enough for me)? Is there any metric like this in the Splunk logs? Thanks for help in advance. Best regards, Lukas Mecir
Hi all, we have a requirement to connect to Splunk and send the message logs from the integration flow (Cloud Platform Integration) in order to monitor/observe flows. For the POC purpose we have created a trial account in Splunk and we are trying to connect to the below URL. This URL points to the collector service of Splunk.

    URL: https://prd-p-rtdzg.splunkcloud.com:8088/services/collector/raw/1.0

While trying to connect to this URL we are getting an error stating "java.security.cert.CertificateException: No name matching inputs.prd-p-rtdzg.splunkcloud.com found". This error is due to the URL returning a certificate chain that doesn't contain the above URL itself (prd-p-rtdzg.splunkcloud.com). Kindly let us know if any of you have come across this scenario, and let us know if we have a way to return a certificate chain containing its own URL (or at least in the "Subject Alternative Name"). Thanks in advance. Regards, Caren
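Java raises "No name matching <host> found" when none of the certificate's subjectAltName dNSName entries covers the hostname the client is verifying. The Python below is an added example (not the poster's integration code and not Splunk's) that reproduces that check so the mismatch can be seen directly: an RFC 6125-style matcher for dNSName entries, a diagnosis helper, and a function that pulls the SAN list from a live endpoint while still validating the chain. The SAN list EXAMPLE_SANS and the hostnames used in it are constructed placeholders, not the certificate from the post.

```python
import socket
import ssl


def hostname_matches(pattern, hostname):
    """Match one dNSName SAN entry against a hostname, RFC 6125 style:
    case-insensitive, and a wildcard is honoured only as the entire
    left-most label (*.example.net covers a.example.net, not a.b.example.net)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject wildcards that are not a whole label, that span a different
    # number of labels, or that are too broad (e.g. "*.net").
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def find_matching_san(san_names, hostname):
    """Return the SAN entry that covers hostname, or None. A None result is
    exactly the condition behind Java's 'No name matching ... found'."""
    for name in san_names:
        if hostname_matches(name, hostname):
            return name
    return None


def diagnose(san_names, url_host):
    """Human-readable verdict for the host taken from the URL being called."""
    match = find_matching_san(san_names, url_host)
    if match:
        return f"OK: {url_host} is covered by SAN {match}"
    return f"No name matching {url_host} found; certificate covers: {', '.join(san_names)}"


def san_dns_names_from_server(host, port=443, timeout=10):
    """Fetch the leaf certificate's dNSName SANs from a live endpoint.
    The chain is still validated against the system CA store; only the
    hostname check is disabled so a mismatching certificate can be inspected
    instead of failing the handshake. Needs network access; not used by the
    offline demonstration below."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed SAN list (assumption for the demonstration; not the real
# certificate from the post).
EXAMPLE_SANS = ["hec.example.net", "*.inputs.example.net"]


if __name__ == "__main__":
    print(diagnose(EXAMPLE_SANS, "example.net"))      # mismatch, like the Java error
    print(diagnose(EXAMPLE_SANS, "hec.example.net"))  # covered
```

Practical use: call san_dns_names_from_server() against the collector host and port from the URL, then feed that list and the URL's hostname to diagnose(). Whichever name the certificate actually carries is the one the client has to put in the URL (or resolve via DNS to the same endpoint); disabling hostname verification in the client is not a fix, because it removes the only check tying the key to the server you meant to talk to.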
Hi all, we have a saved search (snippet below) which populates a CSV lookup file. The search is scheduled to run daily.

    index=xyz ...
    | stats latest(_time) as _time, latest(legacyUsername), latest(title), latest(email), latest(endDate), latest(firstname), latest(lastname), by identity
    | rename latest(*) as *
    | eval identity = identity+"|"+email+"|"+legacyUsername

What's happening is, every time the search runs it creates duplicates, as in each subsequent row appends the results from the previous row to it for the "Identity" column, as shown below. I get that my "eval identity" command is making it do it. But how can I make it not create new records if the "identity" already exists once in the table? Hope I am clear. I tried "dedup identity"; that didn't work.

Result:

    Identity                                                                                                                         time  legacyuserName  title  email  enddata  first  lastname
    1001|karen.woo@xyz.com|karen_woo                                                                                                 xx    xxxx            xxx    xxx    xx       Karen  Woo
    1001|karen.woo@xyz.com|karen_woo |karen.woo@xyz.com|karen_woo                                                                    xx    xxxx            xxx    xxx    xx       Karen  Woo
    1001|karen.woo@xyz.com|karen_woo |karen.woo@xyz.com|karen_woo |karen.woo@xyz.com|karen_woo                                       xx    xxxx            xxx    xxx    xx       Karen  Woo
    1001|karen.woo@xyz.com|karen_woo|karen.woo@xyz.com|karen_woo |karen.woo@xyz.com|karen_woo|karen.woo@xyz.com|karen_woo |karen.woo@xyz.com|karen_woo   xx  Karen  Woo
Hello, I am currently facing a problem when creating services in ITSI. I have created a service but no entities appear even after enabling the service. The service is linked to a service template.