Hello, I have a backend implementation utilizing the Java SDK. I execute a search that is finalized successfully (the search is limited to return the first 10 records) as the 1st step of an overall logic. Based on this result set I execute another search in a loop that streams its results back to the front end application once it gets data (one execution per record returned by the 1st search). In that part I am always executing exactly the same search but with different parameters (results of the 1st search). After a few executions in that loop, once the standard timeout for one execution is reached (60 sec), I receive a "...com.splunk.HttpException: HTTP 404 -- Unknown sid" exception. When I debug my code I can see that the exception is thrown on a job in RUNNING state. All previous jobs in that loop are marked as DONE, all "ResultsReaders" are closed. It seems that expiration is evaluated on the start time of the first job in an execution, not based on the actual one (even if a job is declared in the Java code as a new job). How is the job expiration logic working? Note: I am not asking "why are you calling it in a loop"; I am asking for information on how to properly close/finalize normal job execution so I reset the timer for each execution of this normal job. Thanks for your answers, notes, updates. Jakub
Hi All, I have the below search. I am being told it appends results to a lookup table called user_ids.

index=ad earliest=-15d | stats latest(_time) as _time, latest(profile.department) as bunit, latest(profile.legacyUsername) as legacyUsername, latest(profile.userType) as category by userID | append [|inputlookup user_ids]

In all the posts I have seen so far, people recommend using the outputlookup command to append. Can someone please explain how append [|inputlookup user_identities] ends up appending in my case? How is this different than | outputlookup append=true user_ids.csv ?
Hi, I have a list of error codes that are available here: https://www.ibm.com/docs/en/ibm-mq/9.1?topic=exceptions-jms-exception-messages How can I extract them and show them on a timechart? What is the best way to do this? I mean when we have a list of different error codes and don't want to extract them one by one. FYI1: as I see it, the unique error keywords in this scenario are: AMS JMSWMQ MQJCA MQJMS JMSXY JMSMQ JMSIC JMSFMQ JMSCS JMSCMQ JMSCC JMSBM FYI2: these errors are random, not a fixed pattern that can be extracted easily; sometimes they are located in the first part of each line, sometimes in the middle, sometimes at the end. Any idea? Thanks
Hello, I'm experiencing some issues with my Cluster Master. The instance for the CM had to be replaced and Splunk was reinstalled on a new instance. Configuration was deployed exactly how it was before (the CM was working fine) when moving to this new instance with the Cluster Master. The issue is the following: Failed to contact license master: reason='Unable to connect to license master=https://xxxxxxxx-mc1:8089 Error resolving: Name or service not known' Thanks to anyone that could lend a helping hand.
I think savedsearches.conf contains information about alerts and reports. If you execute the following btool command and check the result, which is the report and which is the alert? I can't tell. If I use splunk btool savedsearches list <Question 1> From the btool results, what parameters can I look at to determine that the stanza is a report? <Question 2> From the btool results, what parameters can I look at to determine that the stanza is an alert?
I have a field "hostname" in Splunk logs which is available in my event as "host = server.region.ab1dc2.mydomain.com". I can refer to host with the same name "host" in a Splunk query. I want to extract the substring with 4 characters after two dots; for the above example, it will be "ab1d". What should my Splunk query look like for this extraction? Basically I have been given a string, and want to skip two dots and then take the four characters after that.
I have the below log file which I indexed with the props below.

type=PROCTITLE msg=audit(02/08/2022 15:00:01.749:4321) : proctitle=xxxx
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=1 name=xxx mode=file,644
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=0 name=sfsdfds mode=file,644 ouid=root
type=CWD msg=audit(02/08/2022 15:00:01.749:4321) : cwd=/
type=SYSCALL msg=audit(02/08/2022 15:00:01.749:4321) : arch=x86_64 syscall=open success=yes exit=3 a0=dsfdsfds a1=dfsdf a2=sdfsdf a3=sdfsdf
----
type=CRED_ACQ msg=audit(02/08/2022 15:00:01.749:4322) : pid=30891
----
type=LOGIN msg=audit(02/08/2022 15:00:01.751:4323) : pid=30891
----
type=USER_ACCT msg=audit(02/08/2022 15:00:01.751:4324) : pid=30892
----

Props.conf
[src_type]
SHOULD_LINEMERGE = false
LINE_BREAKER = (----\s)

It gets properly indexed with the line breaking, but when I search for values(type) on the search head it is not giving all the values. For example, from the first event, values(type) is supposed to be a multivalue field with PROCTITLE, PATH, CWD, SYSCALL, but it only has the single value PROCTITLE. Why is the type value not properly getting extracted? Am I missing something with the props configuration? Thanks for the help in advance.
Hi, I have a last run epoch time and a cron schedule (i.e. "*/5 * * * *") in a _raw event and I'd like to parse this information to output the next run. Do you have any idea how to do this? I found this add-on: https://splunkbase.splunk.com/app/4078/ but it does not allow me to use a custom "last run time" and always takes the earliest time of my search as an input. Thanks
Hello, I have one question about monitoring a HF. I found many ways to get the outgoing data rate on a HF (how much data the HF sends to the IDX), but how do I find the incoming data rate on the HF? In other words, how do I find how much data is coming from sources to the HF (the total is enough for me)? Is there any metric like this in the Splunk log? Thanks for help in advance. Best regards Lukas Mecir
Hi All, We have a requirement to connect to Splunk and send the message logs from the integration flow (Cloud Platform Integration) in order to monitor/observe flows. For the POC purpose we have created a trial account in Splunk and we are trying to connect to the below URL. This URL points to the collector services of Splunk. URL: https://prd-p-rtdzg.splunkcloud.com:8088/services/collector/raw/1.0 While trying to connect to this URL we are getting an error stating "java.security.cert.CertificateException: No name matching inputs.prd-p-rtdzg.splunkcloud.com found". This error is because the URL is returning a certificate chain that doesn't contain the above hostname itself (prd-p-rtdzg.splunkcloud.com). Kindly let us know if any of you have come across this scenario and whether we have a way to return a certificate chain containing its own hostname (or at least in the "Subject Alternative Name"). Thanks in advance. Regards, Caren
Hi All, We have a saved search (snippet below) which populates a CSV lookup file. The search is scheduled to run daily.

index=xyz ... | stats latest(_time) as _time, latest(legacyUsername), latest(title), latest(email), latest(endDate), latest(firstname), latest(lastname), by identity | rename latest(*) as * | eval identity = identity+"|"+email+"|"+legacyUsername

What's happening is, every time the search runs it creates duplicates, in that each subsequent row appends the results from the previous row to it for the "Identity" column as shown below. I get that my "eval identity" command is making it do it. But how can I make it not create new records if the "identity" already exists once in the table? Hope I am clear. I tried "dedup identity" but that didn't work.

Result:
Identity | time | legacyuserName | title | email | enddata | first | lastname
1001|karen.woo@xyz.com|karen_woo | xx | xxxx | xxx | xxx | xx | Karen | Woo
1001|karen.woo@xyz.com|karen_woo |karen.woo@xyz.com|karen_woo | xx | xxxx | xxx | xxx | xx | Karen | Woo
1001|karen.woo@xyz.com|karen_woo |karen.woo@xyz.com|karen_woo |karen.woo@xyz.com|karen_woo | xx | xxxx | xxx | xxx | xx | Karen | Woo
1001|karen.woo@xyz.com|karen_woo|karen.woo@xyz.com|karen_woo |karen.woo@xyz.com|karen_woo|karen.woo@xyz.com|karen_woo |karen.woo@xyz.com|karen_woo | xx | Karen | Woo
Hello, I am currently facing a problem when creating services in ITSI. I have created a service but no entities appear even after enabling the service. The service is linked to a service template.
Hi All, I have a requirement to do Splunk DB Connect onboarding in a distributed environment. Do I need to install Splunk DB Connect on the search head or the heavy forwarder? My second question is: can we do the identity creation, connection and input configurations using the config folders instead of the web UI?
In our environment, one Splunk server has two NICs, each with a different FQDN. In this case, is it possible to set a certificate and private key for both NICs?
Hello, We have a CSV lookup file that is getting populated by a saved search. We are noticing there are a lot of duplicate rows getting created every other day. The file doesn't open in the Lookup Editor app as its size is > 10MB. Can someone please advise how to delete duplicates via a query?
Hi fellow Splunkers, Good day. Would there be a way to configure a specific index to be searchable for a specific srchTimeWin? See the example below. Scenario: a Splunk user has a user role with a search time window of 1 yr for all non-internal indexes. We wanted a specific index to be searchable for 2 years only for the same user (the rest searchable for 1 yr). Test already done: created a new role and assigned it to a test user (with the user role), with the new role being searchable to the index of concern with a srchTimeWin of 2 years. However, all indexes were made searchable for 2 yrs as a result. Thanks in advance. Kind Regards, Ariel
Hi, please help here. We are using the below base search and we need to see all SSL certificates with days left in EST.

index=ssl_certs |rex field=_raw "[^'\n]*'expires=\"(?<expires>[^\\\'\"]+)"| stats c by host expires cert | eval time = strftime( strptime( expires , "%b %d %H:%M:%S %Y %Z" ), "%Y/%m/%d %H:%M:%S %Z")

We need the exact query for this; we tried a lot actually. We are using the ssl_checker app for this.
Hello, sorry to ask this very noob question. Can I add a panel inside an HTML tag? For example, I have a table command in HTML and in that cell I want to add a single panel.
Hi, Is there an easy and straightforward way of extracting browser versions from access logs using the User-Agent string? I've a requirement where I have to list out the top browsers and the top versions of each browser. I was able to extract the browser using the below eval expression, but getting the browser versions is tricky.

| eval browser = case(match(useragent,"Firefox"),"FireFox", match(useragent,"Chrome") AND NOT match(useragent,"Edge"),"Chrome", match(useragent,"Safari") AND NOT match(useragent,"Chrome"),"Safari", match(useragent, "MSIE|Trident|Edge"), "IE", NOT match(useragent, "Chrome|Firefox|Safari|MSIE|Trident|Edge"), "OTHERS")

Has someone done that before and can help steer me in the right direction? I can't install any app, so it has to be done via some regex. Please let me know if someone can help. Very much appreciated in advance. Some examples of User-Agent strings:
Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Mobile Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15
Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Mobile Safari/537.36
Mozilla/5.0 (iPhone; CPU iPhone OS 15_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/198.0.425262635 Mobile/15E148 Safari/604.1
Best Regards, Shashank
Hello, I am new to Splunk and this is probably a basic query. I have a field with an email address and I want to check if the email exists in a lookup table and eval it to 1 if found and 0 if not. I also have multiple emails in the field, and this is what I have come up with so far; any help is much appreciated.

| rename "my_user.user_email" as email | mvexpand email | stats count by email | eval useremail= email."@my_domain.com" | table useremail count | lookup userdomain_email email as useremail OUTPUT user as user

But this gives me counts and I'm not sure if the result is accurate either. Thanks!