All Topics
Hi, I have a log like this:

2022-02-01 11:59:59,869 INFO CUS.AbCD-Host-000000 [AppListener] Receive Packet[0000000*]: Cluster[String1.String2]

How can I extract String1 and String2 separately with a single rex like this?

Cluster\[(?<GroupREX>\w+\.\w+)

Any idea? Thanks,
Hi, I have two results like this; how can I create a Sankey diagram for them?

SOURCE                     count
Server1.Mainserver         629
Server2.Mainserver         2539
Server3.Mainserver         29668
Server_Name4.Mainserver    6470
Server5.Mainserver         114547
Server6.Mainserver         2
Server7.Mainserver         18
Server8.Mainserver         11
Server9.Mainserver         27
Server10.Mainserver        20375
Server11.Mainserver        698
Server12.Mainserver        61
Server13.Mainserver        10014
Server14.Mainserver        160672
Server15.Mainserver        16
Server16.Mainserver        6643
Server17.Mainserver        4780

TARGET                     count
Mainserver.Server1         624
Mainserver.Server2         2611
Mainserver.Server3         29962
Mainserver.Server_Name4    6503
Mainserver.Server5         115897
Mainserver.Server7         25
Mainserver.Server8         15
Mainserver.Server9         22
Mainserver.Server10        20586
Mainserver.Server11        640
Mainserver.Server12        61
Mainserver.Server13        9899
Mainserver.Server14        158477
Mainserver.Server15        7
Mainserver.Server16        6615
Mainserver.Server17        4777

Something like this, with Mainserver shown in the center. Any idea? Thanks,
Hi, I use the search below in order to display the number of events corresponding to my main search on a cluster map. There is a gap between the results displayed on my map and the results of the main search. I have identified a first problem: some site names between the lookup and Splunk are a little bit different. For example, I have a site called "LA BA" in Splunk and "LA BAUME" in the csv. So what do I have to do so that the sites match well?

index=toto sourcetype=tutu
| stats dc(id) as nbincid by site
| where isnotnull(site)
| join type=left site
    [| inputlookup Bp.csv
     | rename siteName as site
     | fields site latitude longitude ]
| table site nbincid latitude longitude
| geostats latfield=latitude longfield=longitude globallimit=0 values(nbincid)
In the timechart command I used cont=false, and in the table statistics it is not showing data for empty values, but in the bar graph the empty/not-present days show as a gap in the graph.

| timechart cont=false span=d sum(Negotiate) as "Negotiate", sum(Submitted) as "Submitted", sum(Draft) as "Draft", sum(Agreed) as "Agreed", sum(PartlyAgreed) as "Partly Agreed", sum(Empty) as "Empty", sum(Rejected) as "Rejected", sum(Obsolete) as "Obsolete", sum(NA) as "N/A", values(Total) as Total
Hello, I am new to Splunk and working on getting SC4S set up correctly. My question is: where do I set up the SC4S server? I am the Splunk admin and need to help another team onboard the syslog data.
Hi Team, please let me know how the RUM license is calculated; I need it for an evaluation. Thanks, Kamal
Hello, I just recently restarted my Splunk Enterprise instance in order to add an app, and once it was back up, I noticed that one of the health checks was failing. Also, no new logs were showing up in the search. I looked at the monitoring console and noticed the parsing queue was full. I also checked the metrics.log and saw some of the queues were full. If I'm understanding the data pipeline hierarchy correctly, it's the parsing queue that's actually blocked and causing the other queues to be blocked.

I also checked the splunkd.log and didn't really see anything that seemed related. There were some SSL errors which didn't seem related, and this other error:

ERROR HttpInputDataHandler - Failed processing http input, token name=kube, channel=n/a, source_IP=172.17.8.66, reply=9, events_processed=4, http_input_body_size=7256, parsing_err="Server is busy"

but that seems to be a result of the full queue.

I looked into my resource usage from the monitoring console and the top tool, and neither CPU nor memory goes higher than 50% utilization. I also restarted Splunk multiple times, but the queue always goes to 100% instantly. I did notice a warning on startup:

Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features.

However, I didn't make any changes to props.conf, and everything was working before I restarted the first time, so I assume this is not related. Not sure what else to try. Any help would be greatly appreciated!
Hi, I'd like users to not be able to create any new dashboards, either from the search bar or from the "Create New Dashboard" button on the dashboards page. Only admin users should be allowed to create dashboards. However, users should still be able to run searches from the search bar. Can anyone help me with this? Thanks, Megha
Let's say I have a CSV input with the following columns:

_raw,user,src_ip

The _raw event is:

"Accepted public key for user $user$ from $src_ip$"

Is there a way to replace $user$ and $src_ip$ in _raw with the values of the corresponding fields? I tried using "foreach" and "rex" in sedcmd mode, but it doesn't look like rex understands <<FIELD>> or '<<FIELD>>'. Is there another way to do this?
Hello, we are excited to announce the preview of Splunk Incident Intelligence. What is Splunk Incident Intelligence? Splunk Incident Intelligence is an effort to develop a solution that will provide an optimal user experience for enterprises to manage their incident response process for applications and infrastructure as they navigate their digital transformation and cloud migration initiatives. Want to request more features? Add your ideas and vote on other ideas at the Splunk Incident Intelligence Ideas Portal. Please reply to this thread for any questions or to get extra help!
I have a rex built that, when plugged into rex101, works fine, but when applied via a Splunk query it returns a blank result.

Text:

2022/02/01 23:07:26.979 [ERROR] [nrfClient.Discovery.nrf] Message send failed, response [Type:ABC Http2_Status:404 CauseCode:"CONTEXT_NOT_FOUND" RetryExhausted:true MsgType:1434 ServiceName:nabc SelectedProfileName:"abc-profile" FailureProfile:"FHABC" GroupID:"ABC-*" ]

rex:

Http2_Status:\d{3}\sCauseCode:\"(?<Error2>\w+)\"\s

rex101 result: CONTEXT_NOT_FOUND

But when plugged into Splunk, it comes back with a blank result.
Say I have a batch job that pushes JSON records that look like this on Monday:

{
    Department: Engineering
    Employee_Number: 4642
    Employment_Status: Active
    Termination_Date:
    Full_Name: Jane Doe
}

But on Tuesday a new record gets pushed like this:

{
    Department: Engineering
    Employee_Number: 4642
    Employment_Status: Terminated
    Termination_Date: 01/31/2022
    Full_Name: Jane Doe
}

How would I create a search that would compare the "Employment_Status" for each record and only return the records that transitioned to "Terminated" within the last 2 days? I tried the following, but it's not working.

index=myinventory sourcetype=HR earliest=-2d@d
| eventstats earliest(_time) as earliestEventTime by Employment_Status
| dedup FullName, Employment_Status
| where Employment_Status!="Active"
| table _time, earliestEventTime, FullName, Employment_Status
I have JSON data from a file generated by the Ookla speedtest -f json command. I have tried to cast it or eval it in different ways, but I am doing something wrong.

Error in 'eval' command: Type checking failed. '*' only takes numbers.

My search command is:

sourcetype="SpeedTest"
| eval dmbs=(download.bandwidth)*8/1000000
| table _time download.bandwidth dmbs

And the example JSON is ingested like this:

{ [-]
    download: { [-]
        bandwidth: 10420951
        bytes: 81587520
        elapsed: 7908
    }
    interface: { [+] }
    isp: Vivo
    packetLoss: 0
    ping: { [+] }
    result: { [+] }
    server: { [+] }
    timestamp: 2022-02-01T22:00:31Z
    type: result
    upload: { [-]
        bandwidth: 5706691
        bytes: 80526240
        elapsed: 14946
    }
}
I have an automated script that creates a log file marking the beginning and end of specific events during a web page process, and I want to monitor how long each process takes. I have put flags in the log file to note the beginning of a process and the end of that process: OpenPage, Login, Search, Book, CustomerInfo, Seats, ClosePage. I can monitor that a certain process runs, and its duration, with the transaction command:

transaction startswith="LoginProcessStart" endswith="LoginProcessEnd"

I don't know how to monitor several processes and add them to the same table/chart. I have tried using multiple transaction commands, but I get an error stating the preceding search does not guarantee time-ordered events. Any ideas of how to approach this problem? Thank you for any ideas you may have.
Hi, I have a year of data and I want to create a search query to find the weekly trend. I want to highlight the week-wise trend, e.g. activity is high in the 3rd week of every month, or in the 1st week in most of the months, followed by the 4th week. What I am using is:

index="index" source IN ("source") | timechart span=1w count by activity

which gives me data weekly for the months. Thanks
I'm working on an indexer, trying to forward all data ingested with IT Essentials Work + Splunk Add-on for Unix & Linux to a remote indexer cluster. Until now, that indexer has been receiving events into all itsi_* indexes, but when I try to set up the forwarding option on that indexer, I cannot set forwardedindex.n.whitelist and blacklist to forward only the itsi_* indexes to the IDX cluster. I've tried to overwrite all default whitelists and blacklists in local and reset the whitelists with the itsi_* indexes, but this is still forwarding all indexes, not only the itsi_* indexes. My outputs.conf file is like the following:

[tcpout]
defaultGroup = default-autolb-group
forwardedindex.0.whitelist =
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
forwardedindex.0.whitelist = (itsi_grouped_alerts|itsi_im_meta|itsi_im_metrics|itsi_import_objects|itsi_notable_archive|itsi_notable_audit|itsi_summary|itsi_summary_metrics|itsi_tracked_alerts)
indexAndForward = 1

[tcpout:default-autolb-group]
disabled = false
server = HFtoIDXCluster:9997
useACK = true

If I use a "default" config option, overwriting the lists without resetting them (not declaring the default 3 lists empty in the tcpout stanza), I have the same behaviour. This is the first time I have tried to set forwarding options from an indexer. I need to forward this data because it's used for administration of each Splunk instance and is required to get into a specific Splunk Enterprise cluster, but all other indexes are not required to be forwarded. Have I missed something to specify in the config files? Best regards
I have an mvfield of type string in my results. I want to search and match all values of this field for words that come from a csv lookup.

Lookup rows:

{row1, "mary white"}
{row2, "Tom White"}

Results:

Astring="Mary had a white lamb", "tom had none", "Joe was here"
Astring="No match here", "tom thumb"

Searching with the lookup values against the full text of the event is not an acceptable answer.
When using an input link, the default selected input appears like this: Then, when you select any of them, it looks like this: I would like to apply the CSS style of a selected input link button to the default when loading the dashboard. I can play with tokens to do this; I just cannot find the applied CSS. I know it might be found by inspecting the page somehow, but I cannot locate it. I have this run-anywhere example:

<form>
  <label>TEST</label>
  <row>
    <panel>
      <html>
        <style>
          #button button{
            background-color: #F7F8FA !important;
            margin-right: 10px;
          }
          .dashboard-panel, .panel-body.html{
            background: #F2F4F5 !important;
          }
        </style>
        <center> TEST </center>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <input id="button" type="link">
        <label></label>
        <choice value="A">A</choice>
        <choice value="B">B</choice>
        <default>A</default>
        <change>
          <condition value="A">
            <set token="show_panel_a">true</set>
            <unset token="show_panel_b"></unset>
          </condition>
          <condition value="B">
            <unset token="show_panel_a"></unset>
            <set token="show_panel_b">true</set>
          </condition>
        </change>
      </input>
      <single depends="$show_panel_a$">
        <search>
          <progress>
            <condition match="'job.resultCount' &gt; 0">
              <set token="show_panel_a">true</set>
            </condition>
          </progress>
          <query>| makeresults | eval test="A" | fields - _time</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
      </single>
      <single depends="$show_panel_b$">
        <search>
          <progress>
            <condition match="'job.resultCount' &gt; 0">
              <set token="show_panel_b">true</set>
            </condition>
          </progress>
          <query>| makeresults | eval test="B"</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</form>
If you have a dashboard that has a panel with a search like the one below:

| rest splunk_server=* /services/-/-/admin/......../appName/local
| table name splunk_server title

How can you make it so that it searches the other search heads? (A search like the one above returns values for the current search head and its peers, the indexers.)
Hello all, we're configuring the Splunk Enterprise Security app within our environment, and while testing alerts, the alert actions for sending email notifications are not working. I checked the internal error logs and observed the below. Any idea what is causing this error?

ERROR:root:(501, b'Syntax error, parameters in command "mail FROM:<internal server> size=9571" unrecognized or missing'
ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/search/bin/sendemail.py

Thank you.