Hello, I am currently facing a problem when creating services in ITSI. I have created a service but no entities appear even after enabling the service. The service is linked to a service template.
Hi all, I have a requirement to do Splunk DB Connect onboarding in a distributed environment. Do I need to install Splunk DB Connect on the search head or on the heavy forwarder? My second question is: can we do the identity creation, connection and input configurations using the config folders instead of the web UI?
In our environment, one Splunk server has two NICs, each with a different FQDN. In this case, is it possible to set a certificate and private key for both NICs?
Hello, we have a CSV lookup file that is getting populated by a saved search. We are noticing that a lot of duplicate rows get created every other day. The file doesn't open in the Lookup Editor app as its size is > 10 MB. Can someone please advise how to delete the duplicates via a query?
Hi fellow Splunkers, good day. Would there be a way to configure a specific index to be searchable for a specific srchTimeWin? See the example below.

Scenario: a Splunk user has a user role with a search time window of 1 year for all non-internal indexes. We wanted a specific index to be searchable for 2 years only for the same user (the rest remain searchable for 1 year).

Test already done: created a new role and assigned it to a test user (who also has the user role), with the new role able to search the index of concern with a srchTimeWin of 2 years. However, all indexes were made searchable for 2 years as a result.

Thanks in advance. Kind regards, Ariel
Hi, please help. We are using the base search below and need to see all SSL certificates with days left in EST:
index=ssl_certs | rex field=_raw "[^'\n]*'expires=\"(?<expires>[^\\\'\"]+)" | stats c by host expires cert | eval time = strftime( strptime( expires , "%b %d %H:%M:%S %Y %Z" ), "%Y/%m/%d %H:%M:%S %Z")
We need the exact query for this; we tried a lot, actually. We are using the ssl_checker app for this.
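An added example, not code from the post or from the ssl_checker app, that does the conversion asked for above in Python rather than SPL so it can be run offline: parse the expires string as UTC, render it in US Eastern time and compute the days left. The event layout (host=, cert=, 'expires="..."') and the field names are assumptions shaped to match the quoted rex; the sample events and the fixed "now" are constructed.

```python
import re
from datetime import datetime, timezone, timedelta

try:
    from zoneinfo import ZoneInfo                 # Python 3.9+
    EASTERN = ZoneInfo("America/New_York")        # DST-aware: prints EST in winter, EDT in summer
except Exception:                                  # host without a tz database: fixed EST fallback
    EASTERN = timezone(timedelta(hours=-5), "EST")

# Constructed sample events shaped the way the quoted rex expects ('expires="..."').
# The real ssl_checker event layout and the host/cert field names are assumptions.
SAMPLE_EVENTS = [
    "host=web01 cert=www.example.com 'expires=\"Jan 15 23:59:59 2024 GMT\"'",
    "host=vpn01 cert=vpn.example.com 'expires=\"Dec 20 08:00:00 2023 GMT\"'",
    "host=bad01 cert=broken.example.com 'expires=\"Jan 15 23:59:59 2024 PST\"'",
]

# Fixed "now" so the arithmetic is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 1, 1, 0, 0, 0, tzinfo=timezone.utc)

EVENT_RE = re.compile(r"host=(?P<host>\S+)\s+cert=(?P<cert>\S+)\s+'expires=\"(?P<expires>[^\"]+)\"")


def parse_expiry(text):
    """Parse 'Mon DD HH:MM:SS YYYY ZONE' (openssl's notAfter layout) into an aware UTC datetime.
    Python's strptime %Z only accepts UTC/GMT and the local zone's own names, and even then
    attaches no tzinfo, so the zone token is checked by hand and the rest is parsed as UTC."""
    stamp, _, zone = text.rpartition(" ")
    if zone not in ("GMT", "UTC"):
        return None
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def cert_status(raw, now):
    """One result row for a single event, or None when the event cannot be parsed."""
    m = EVENT_RE.search(raw)
    if not m:
        return None
    expires = parse_expiry(m.group("expires"))
    if expires is None:
        return None
    # Floor division keeps the count negative once a certificate has already lapsed.
    days_left = int((expires - now).total_seconds() // 86400)
    return {
        "host": m.group("host"),
        "cert": m.group("cert"),
        "expires_eastern": expires.astimezone(EASTERN).strftime("%Y/%m/%d %H:%M:%S %Z"),
        "days_left": days_left,
    }


def report(events, now=None):
    """One row per parseable event, soonest expiry first; unparseable events are dropped."""
    now = now or datetime.now(timezone.utc)
    rows = (cert_status(e, now) for e in events)
    return sorted((r for r in rows if r), key=lambda r: r["days_left"])


if __name__ == "__main__":
    for row in report(SAMPLE_EVENTS, NOW):
        print(row)
```

The third sample shows the failure mode worth handling: a zone token other than GMT/UTC is rejected rather than silently treated as UTC. In SPL, strftime renders in the searching user's timezone preference, so setting that preference to America/New_York is the usual way to get the Eastern rendering; the days-left arithmetic is the same subtraction against now(), divided by 86400.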
Hello, sorry to ask this very noob question. Can I add a panel inside an HTML tag? For example, I have a table command in HTML and in one cell I want to add a single panel.
Hi, is there an easy and straightforward way of extracting browser versions from access logs using the User-Agent string? I have a requirement to list out the top browsers and the top versions of each browser. I managed to extract the browser using the eval expression below, but getting the browser versions is tricky.
| eval browser = case(match(useragent,"Firefox"),"FireFox", match(useragent,"Chrome") AND NOT match(useragent,"Edge"),"Chrome", match(useragent,"Safari") AND NOT match(useragent,"Chrome"),"Safari", match(useragent, "MSIE|Trident|Edge"), "IE", NOT match(useragent, "Chrome|Firefox|Safari|MSIE|Trident|Edge"), "OTHERS")
Has someone done that before and can help steer me in the right direction? I can't install any app, so it has to be done via some regex. Please let me know if someone can help. Very much appreciated in advance. Some examples of User-Agent strings:
Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Mobile Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15
Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Mobile Safari/537.36
Mozilla/5.0 (iPhone; CPU iPhone OS 15_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/198.0.425262635 Mobile/15E148 Safari/604.1
Best regards, Shashank
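The browser-plus-version extraction asked for above, as an added example that is not code from the post. It is written in Python so it runs stand-alone, but the regexes are plain PCRE-compatible patterns that drop straight into rex. The sample list reuses the three distinct User-Agent strings from the question and adds constructed Edge, Firefox, IE 11 and non-browser strings so every branch is exercised; the family names and the "OTHERS" bucket follow the poster's own eval.

```python
import re
from collections import Counter

# Constructed sample set: the three distinct strings from the question plus an Edge,
# a Firefox, an IE 11 and a non-browser string so every branch below is exercised.
SAMPLE_UAS = [
    "Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Mobile Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 15_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/198.0.425262635 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.62",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0",
    "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "curl/7.81.0",
]

# Checked in this order because the tokens overlap: Edge UAs also carry Chrome and
# Safari tokens, Chrome UAs carry Safari, and real Safari keeps its version in "Version/".
BROWSER_PATTERNS = [
    ("Edge",    re.compile(r"\bEdge?/(?P<version>[\d.]+)")),               # "Edge/" (legacy) or "Edg/" (Chromium)
    ("IE",      re.compile(r"\bMSIE (?P<version>[\d.]+)")),                 # IE 10 and older
    ("IE",      re.compile(r"\bTrident/[\d.]+.*\brv:(?P<version>[\d.]+)")),  # IE 11 dropped the MSIE token
    ("Firefox", re.compile(r"\bFirefox/(?P<version>[\d.]+)")),
    ("Chrome",  re.compile(r"\bChrome/(?P<version>[\d.]+)")),
    ("Safari",  re.compile(r"\bVersion/(?P<version>[\d.]+).*\bSafari/")),
]


def parse_browser(ua):
    """Return (family, version); version is None when the string names no usable one."""
    for family, pattern in BROWSER_PATTERNS:
        m = pattern.search(ua)
        if m:
            return family, m.group("version")
    if "Safari/" in ua:        # WebKit shell with no Version/ token (e.g. in-app browsers on iOS)
        return "Safari", None
    return "OTHERS", None


def top_browsers(uas, n=5):
    """Counts per family and per (family, version), most common first."""
    families, versions = Counter(), Counter()
    for ua in uas:
        family, version = parse_browser(ua)
        families[family] += 1
        versions[(family, version)] += 1
    return families.most_common(n), versions.most_common(n)


if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(parse_browser(ua), "<-", ua[:60])
    print(top_browsers(SAMPLE_UAS))
```

The point the poster's eval already half-encodes is that the order of the checks matters more than the patterns: test Edge before Chrome and Chrome before Safari, and take Safari's version from Version/ rather than from the Safari/ build number. In rex form that is one `| rex field=useragent "\bChrome/(?<chrome_ver>[\d.]+)"` per family followed by a case() that picks the first populated field in the same order.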
Hello, I am new to Splunk and this is probably a basic query. I have a field with an email address and I want to check if the email exists in a lookup table and eval it to 1 if found and 0 if not. I also have multiple emails in the field. This is what I have come up with so far; any help is much appreciated.
| rename "my_user.user_email" as email | mvexpand email | stats count by email | eval useremail= email."@my_domain.com" | table useremail count | lookup userdomain_email email as useremail OUTPUT user as user
But this gives me counts, and I'm not sure if the result is accurate either. Thanks!
How to filter up/down logs on a Nexus switch?
Hi, this is a raw log: Job=[IN-SNMMIS-DLY]]. I am trying to build a regex for just the words "IN-SNMMIS-DLY]" and ignore the parentheses.
To do a Splunk search with the help of the API, I am getting a 404 error while doing this call:
response = self.session.get(self.base_url + '/servicesNS/'+self.username+'/search/auth/login', data=payload)
Can someone please tell me why this is happening?
Hello, here's my search:
index="blah" sourcetype="blah" severity="*" dis_name IN ("*") "*" AND NOT 1=0 | rest of the query
Why do they use AND NOT 1=0 here? Even without this the results are the same. I just want to know why they use this. Any help would be appreciated! Thank you
We can see adrum calls being sent with EUM keys to the CDN, but still we can't see any data on the AppD controller.
Hello, I am trying to integrate Splunk and Resilient and am faced with the following problem: in the adaptive response I have mapped all required and interesting fields to be sent to Resilient. After the event is triggered, only raw data comes to SOAR. I have checked: no errors on the Splunk side. On the Resilient side there was an error, but I have also fixed it, with no luck:
com.co3.domain.exceptions.FieldsRequiredException: The following fields are required: 'cs_cloud_url','cs_sensor_id'
com.ibm.resilient.common.domain.exceptions.Co3IllegalArgumentException: Incident name cannot be null/empty
Do you have any ideas why only raw data comes from Splunk? Thank you
I have a dashboard that has 5 single-value charts in 4 rows, and all these rows display collective information about more than one process. Now I'm using a drilldown to a new dashboard to display detailed info about them. Is there a way we can add a button or a split-view kind of thing in the same dashboard, so that when someone clicks on that button it displays that, with hide/unhide functionality, rather than using a drilldown? Any help is highly appreciated. Thanks
Hi Community, I have an inputs.conf monitor that looks like this:
[monitor:///var/log/logfiles/.../app.log]
index=englogs
sourcetype=eng:custom
The above monitor will cover these paths to the app.log files:
/var/log/logfiles/database/eng/comm/surface/app.log
/var/log/logfiles/trunk/sec/comm/water/app.log
/var/log/logfiles/other/fin/app.log
And many, many more. I have a file that I want to sourcetype as access_combined (not eng:custom):
/var/log/logfiles/scapes/web01/app.log
This path falls within the scope of the monitor stanza above. What is the best way to accomplish this? Do I use a blacklist in the .../app.log eng:custom monitor and then create another monitor stanza for the web01/app.log access_combined that immediately follows it? Thank you
I am using Python 3.9.5, Splunk Enterprise version 8+ and the latest splunk-python-sdk. My Splunk Enterprise supports TLS 1.2 only. Is it possible to use a specific TLS version with the splunk-python-sdk? Can someone help with this?
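An added example, written for this page rather than taken from either poster or from the SDK, that serves both this question and the earlier one about the 404 from a GET to /servicesNS/<user>/search/auth/login. It builds a client SSLContext pinned to TLS 1.2 with certificate and hostname verification, logs in against the endpoint that actually exists (POST /services/auth/login) using only the standard library, prepares a search job request, and shows how the same context is handed to the SDK. The host, credentials and CA bundle path are placeholders you supply; the SDK keyword arguments context= and verify= are from memory of recent splunk-sdk-python releases and are flagged as an assumption in the code.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def tls12_only_context(ca_file=None):
    """Client SSLContext that negotiates TLS 1.2 only and verifies the server.
    ca_file is the PEM bundle for whatever signed splunkd's certificate (a path you
    supply; hypothetical here); None means the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # drop this line to allow TLS 1.3 as well
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_context(ctx):
    """Inspection helper so the pin can be checked without a live splunkd."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


def login_url(base_url):
    """auth/login is a global endpoint: it lives under /services, not under
    /servicesNS/<user>/<app>, and it takes a POST. A GET to the servicesNS path
    is exactly the call that returned 404 in the earlier question."""
    return base_url.rstrip("/") + "/services/auth/login"


def session_key_from_response(xml_bytes):
    """splunkd answers a successful login with <response><sessionKey>...</sessionKey></response>."""
    return ET.fromstring(xml_bytes).findtext("sessionKey")


def login(base_url, username, password, ctx):
    """POST the credentials over the pinned context and return the session key."""
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(login_url(base_url), data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return session_key_from_response(resp.read())


def search_request(base_url, session_key, spl):
    """Request for POST /services/search/jobs; send it with urlopen(req, context=ctx).
    The search string must begin with 'search' or a generating command ('| ...')."""
    query = spl if spl.lstrip().startswith("|") else "search " + spl
    body = urllib.parse.urlencode({"search": query, "exec_mode": "oneshot"}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/services/search/jobs", data=body, method="POST",
        headers={"Authorization": "Splunk " + session_key})


def sdk_service(host, username, password, ctx):
    """The same pin handed to the Python SDK. context= and verify= are keyword arguments
    of splunklib.client.connect in recent SDK releases (assumption: confirm against
    binding.py of the version you installed). verify=True matters: with the SDK's default
    verify=False it builds an unverified context of its own and ignores the one you pass."""
    import splunklib.client as client   # deferred so the offline checks above need no SDK
    return client.connect(host=host, port=8089, scheme="https",
                          username=username, password=password,
                          verify=True, context=ctx)


if __name__ == "__main__":
    print(describe_context(tls12_only_context()))
    print(login_url("https://splunk.example.com:8089"))   # placeholder host
```

If a pinned connection still fails, test the server side first with `openssl s_client -connect splunk.example.com:8089 -tls1_2`; a handshake failure there means splunkd's sslVersions setting, not the client, is the problem.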
Universal forwarder setup wizard ended prematurely on Windows 10. I've tried all the suggestions from the thread that had similar issues and it didn't work. Thanks in advance!
Hello, we are currently trying the add-on "Splunk Add-on for HAProxy". We want to analyse traffic and performance. According to the documentation, the add-on comes with "prebuilt panels" to analyze data. After not finding them in Splunk's various menus, I went into the source code, and there isn't even a single XML in the files (hence no chance of finding prebuilt panels). Are they missing from some versions? Are they available separately? Thank you