All Topics

Hi, all! How could I edit my search command in order to filter this table so that it displays the earliest time of the same value (Call_Session_ID)? Here is my original search command:

```spl
index="hkcivr" source="/appvol/wlp/DIVR01HK-AS01/applogs/progresshk.log*"
| table Time Call_Session_ID
```
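One way to reduce that table to one row per session, added here as an example and not part of the original post. It assumes the event timestamp _time is the time the poster wants to report (the posted search uses an extracted field named Time, which may or may not be the same value); the index and source are taken from the post as written.

```spl
index="hkcivr" source="/appvol/wlp/DIVR01HK-AS01/applogs/progresshk.log*"
| stats min(_time) AS first_seen BY Call_Session_ID
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table Call_Session_ID first_seen
```

stats min(_time) keeps only the earliest timestamp per Call_Session_ID and discards the other fields. If the whole earliest event is needed (for example to keep the extracted Time field), sort ascending on _time and keep the first event per session instead: | sort 0 _time | dedup Call_Session_ID | table Time Call_Session_ID. The 0 in sort 0 removes the default 10,000-row limit of sort.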
Hi, I have two results like this:

```
REQ
Name          count
Node1.Node2   100
Node3.Node4   500

RSP
Name          count
Node2.Node1   60
Node4.Node3   400
```

How can I compare them on a timechart? E.g. put them on a timechart so I can see that Node2 receives 100 REQ but responds to 60 of them. I need to put them all on a timechart. Any idea? Thanks,
Hi, I have two fields that extract send & rec like this:

```spl
| rex "S\[(?<SEND>\w+\.\w+)"
| rex "R\[(?<REC>\w+\.\w+)"
```

Now I have 2 queries like this:

```
|table SEND count
SERVER1.HUB       10

|table REC  count
HUB.SERVER1       50
```

I need to combine them, and the expected result is a sankey diagram like this: SERVER1(10) > HUB(50) > SERVER1. FYI: the common value between the result strings is HUB. Any idea? Thanks,
I've installed Splunk as standalone and I'm trying to run Splunk commands under /opt/splunk and they didn't work. My question is: what is the path/folder that I should be in to run Splunk commands like:

```
splunk show splunkd-port
splunk show web-port
splunk show servername
```
Hi Community, I need to move current data from one of my indexes into an S3 bucket. Is that possible? I read about the SmartStore feature. However, I need to move the data into another location after the index reaches a particular size. The problem is that I have an index growing up like crazy. I need to have the data available for at least one year and be able to perform searches for at least six months. And of course, local storage is too expensive.  So, I am getting confused here on what would be the best approach to follow since that's the only index causing me issues. In 60 days, I got around 300GB of data. Thanks,
Hello, I have been trying to find a way to get internet service provider (ISP) information from IPs collected from a honey pot project I'm working on and have them displayed on a dashboard. I have seen a few Splunk apps that could do this, however, they all seem to be out of date. If anyone could point me in the right direction that would be much appreciated.  Thank you.
I have a JSON raw string from which I have to extract the "Source device","values":[{"ip": key and pair value. Can you please assist? The log line looks like below:

```
"Source device","values":[{"ip":"10.10.10.10","mac"
```

I want to extract the IP address: 10.10.10.10
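A regex-based extraction for that fragment, added here as an example and not part of the original post. The index and sourcetype are placeholders. The posted text looks like a "name":"Source device","values":[...] pair rather than a top-level JSON object, so spath would need the real key path of the full event; anchoring a regex on the literal text shown is the assumption-free option and works whether or not the rest of the event is well-formed JSON.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| rex field=_raw "\"Source device\",\"values\":\[\{\"ip\":\"(?<source_ip>[^\"]+)\""
| table _time source_ip
```

In SPL the backslashes before [ and { are passed through to the regex engine, so they match the literal brackets; the \" sequences are SPL string escapes for the double quotes in the raw text. The named group source_ip captures everything up to the closing quote of the ip value. If the same extraction is needed for every search on that sourcetype, put the same regex in props.conf as an EXTRACT-source_ip = ... entry rather than repeating the rex command.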
Hi, I have registered successfully for phantom and also got a link to download phantom but could not find Phantom OVA (blank). Can anyone help me why I have not got the ova file?    
Hi Splunkers, I am integrating Jamf Pro logs into Splunk using the Jamf Pro Add-on for Splunk (https://splunkbase.splunk.com/app/4729/). I have defined the inputs as per the documentation. However, I am not getting logs on the indexer. I can see the below errors in splunkd.log and jamf_pro_addon_for_splunk_jamfcomputers.log. Any suggestions regarding this will be greatly appreciated. Thanks,

Error 1:

```
2022-01-28 13:44:58,590 ERROR pid=10751 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
```

Error 2:
Looking to get started with Dashboard Studio? Learn more with these great resources:

- Demo - See an example of the power of Dashboard Studio!
- Tech Talk - Watch this to get a great 20 minute introduction
- Blogs - Read more about our newest features
- Conf21 Breakout Session - Learn how you can reimagine your data visualizations
- Conf22 Breakout Session - Learn how to level up your dashboards with interactivity
- Conf23 Breakout Session - Learn how to rebuild Classic (SimpleXML) dashboards in Dashboard Studio
- Documentation - Find more details!
- EDU Courses - Two courses are available for learning the basics, as well as more advanced editing
- Tutorial - Try it out yourself with this step-by-step guide to create this dashboard: Dashboard Studio tutorial dashboard

See more examples in the in-product Examples Hub!
Hi, I'm a huge noob with respect to Splunk. I have to create, update, delete and get details of saved searches.

- create - POST with this URL is working with name=abc: https://<host>:<mPort>/services/saved/searches
- get details - this URL is working with name=abc: https://<host>:<mPort>/services/saved/searches/{name}
- update - not working: getting an error "<msg type="ERROR">Could not find object id=abc</msg>" with https://<host>:<mPort>/services/saved/searches/{name}
- delete - not working: getting an error "<msg type="ERROR">Could not find object id=abc</msg>" with https://<host>:<mPort>/services/saved/searches/{name}
I'm trying to address the new "check_for_vulnerable_javascript_library_usage" check in AppInspect, as it's required for apps to run in Splunk Cloud after February. However, I get results like:

- 3rd party CORS request may execute
- parseHTML() executes scripts in event handlers
- jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
- Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
- Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

which doesn't really tell me how to proceed. Is there a way I can figure out what's actually causing these errors?
I need to write a Splunk alert to check the number of connections on a server. Using the below Linux command I can get the results on the server. But help me out in creating an alert in Splunk with the command.

```sh
ps -ef | grep '[s]shd' | grep -v ^root | grep -i file* | wc -l
```
Hello there, I get different results when I run a REST call. For example, I ran a rest command to bring all the dashboards on the h1 search head; it brings 300 to me and for my colleague it brings 305 on the same h1 search head. What may be the problem? Also, if I get 300 results on SH H1, I see a different count on H2 with 310 results. What is the issue here for these inconsistencies?
Hi, I am a newbie and have just started exploring the power of Splunk. My below query works fine except that I need the output ONLY for a specific time period, i.e. 2pm to 4pm with a span of 15m, and not for the entire day.

```spl
index=xxxx pod=xxxx CASE(xxxxx) `logRecordType(xxxx)` logName="xxxxxx" earliest=-3d@d latest=@d
| timechart span=30m count
| timewrap d
```

So basically my output only lists me 4 rows with "2days_before", "1day_before" and "latest_day". Thanks, Bhaggs
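One way to restrict the wrapped timechart to the 2pm to 4pm window, added here as an example and not part of the original post. It keeps the poster's search clauses as placeholders and assumes the hours should be evaluated in the time zone of the user running the search (which is what strftime uses); the filter is applied to the timechart rows before timewrap, so only bins inside the window survive for every day.

```spl
index=xxxx pod=xxxx CASE(xxxxx) `logRecordType(xxxx)` logName="xxxxxx" earliest=-3d@d latest=@d
| timechart span=30m count
| eval hour_of_day=tonumber(strftime(_time, "%H"))
| where hour_of_day>=14 AND hour_of_day<16
| fields - hour_of_day
| timewrap d
```

With span=30m this yields four rows (14:00, 14:30, 15:00, 15:30), each with a count_2days_before, count_1day_before and count_latest_day column; change span to 15m for eight rows. hour_of_day<16 excludes the 16:00 bin; use <=16 if the 4pm bin itself is wanted. The same where clause could also be applied to the raw events before timechart (on _time) to cut the work the timechart does, but filtering the bins is what removes the empty rows from the table.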
I have 3 CSV files. The 1st holds one item/column of data I need. The 2nd holds several items related to the 1st, and I only need the column related to file #1. The 3rd goes deeper and needs to be related to each item in file #2. I.e.:

```
Data1
    Data2
        Data3
        Data3
    Data2
        Data3
        Data3
        Data3
```

Anyone have any ideas? If I can't find a way to do this with a search, I'll be stuck with a lot of manual copy/paste work.
Hello, I'm trying to align a checkbox input to the top by removing the label on top. Even if I leave the label tag empty, it takes up space (&nbsp;). This CSS does not seem to work. Would appreciate any suggestions.

```css
div[id^="showSummary"] >label { display:none !important; }
```

Below is the complete XML source.

```xml
<form hideChrome="true" hideSplunkBar="true" hideAppBar="true" hideEdit="false" hideTitle="false" theme="dark">
  <label>Checkbox test</label>
  <fieldset submitButton="false" autoRun="true"></fieldset>
  <row>
    <panel id="viewDetail">
      <input type="checkbox" id="showSummary" token="show_summary" searchWhenChanged="true">
        <label>x</label>
        <choice value="summary">Summary</choice>
      </input>
    </panel>
  </row>
  <row depends="$alwaysHideCSSStyle$">
    <panel>
      <html>
        <style>
          div[id^="showSummary"] >label { display:none !important; }
        </style>
      </html>
    </panel>
  </row>
</form>
```
Hi all! I've always had a pretty straightforward approach to bringing in my Palo logs straight to an on-prem Search Head / Indexer just via port 514 / syslog. That's a pretty straightforward setup. I'm trying to set up the more recommended way, now that my Splunk Search Head / Indexer is hosted at AWS.

So, I set up a Universal Forwarder on an Ubuntu Server on the same network as my Panorama instance and am sending the Panorama syslog feed to the UF, running syslog-ng. I see those log files coming in and saving to /var/log/udp514.log. I set up the UF to connect as a forwarder to the Splunk instance on port 9997 and have added /var/log/514.log to be monitored via "./splunk add monitor /var/log/udp514.log". I see that logging on the UF and then coming in to Splunk, but it is all logging to the main index.

Logically I know that either on the UF or on the Splunk indexer I need to use the PA app to tell it to log to my paloalto index, but I don't know where. I can't seem to add a data input to also listen on 9997. That seems to be a conflict, and my normal method of looking for logs on port 514 doesn't apply anymore...

So how do I tell my Splunk indexer to look at the stream coming in on 9997 and move the logs associated with Palo Alto over to where the app is looking for it (index=paloalto)? I'll also be logging much more to the UF soon as well...
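The configuration that decides the index in this setup, added here as an example and not taken from the post or from the Palo Alto app. Port 9997 is the indexer's receiving port, not an input to be configured a second time; the index and sourcetype are stamped on the events by the forwarder's monitor stanza, and the indexer's transforms act on the sourcetype it receives. The file path is the one from the post; the index name paloalto, the indexer hostname and the pan:log sourcetype (the raw-syslog sourcetype the Palo Alto Networks Add-on expects before it splits events into pan:traffic, pan:threat and so on) are assumptions to check against the add-on's documentation for the version in use.

```ini
# inputs.conf on the universal forwarder, e.g. $SPLUNK_HOME/etc/system/local/inputs.conf
# (added example; path from the post, index and sourcetype are assumptions)
[monitor:///var/log/udp514.log]
index = paloalto
sourcetype = pan:log
disabled = false

# outputs.conf on the same forwarder: the indexer's receiving port, configured once
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = <indexer-host>:9997
```

The CLI call from the post writes the same monitor stanza; adding the options -index paloalto -sourcetype pan:log to splunk add monitor is equivalent. The index must already exist on the indexer (indexes.conf or Settings > Indexes), or the events are dropped or diverted to the last-chance index depending on the indexer's settings, and the forwarder needs a restart after the edit. The add-on with its props/transforms must be installed where parsing happens, which for a universal forwarder means the indexer (and the search head for the search-time pieces).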
Hi, This is not quite an unusual issue: I want to do an ADQL query, but limit it to business hours (or rather, in this case, 8 am to 8 pm), as the traffic pattern shifts dramatically in the off-hours.  The idea would be to have that query run so I could ADQL query metrics for (for example) end-user response time for 8 am to 8 pm every day for the past week. I've tried where "timestamp between ", but that requires a full date to be set (including the day). How can I do this?
As follows:

```
if <condition-based-on-token-value> then query_1 else query_2
```

where query_1 and query_2 may be a series of statements producing different sets of data.

Given a search query can be embedded in a panel, it might achieve the equivalent results if there were a way to have conditional panel selection:

```
if <condition-based-on-token-value> then panel_with_query_1 else panel_with_query_2
```

(The above idea is inspired by @mmccul.) But I don't know if it's possible to have such a panel selection mechanism with Simple XML in Splunk. Or alternatively, if I could control the visibility of a panel based on a token value, then I might also achieve the panel selection mechanism: define two panels with visibility controlled by the token value; the controls are mutually exclusive, so that only one panel will be shown. I'd appreciate some pointers or examples.
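A Simple XML dashboard that implements the second idea above (mutually exclusive panels driven by one token), added here as an example and not part of the original post. The dropdown, the token names mode, show_a and show_b, and the two index=_internal searches are made up for the illustration; the mechanism is the change/condition block on the input, which sets one token and unsets the other, together with the depends attribute on each panel, which hides a panel whenever its token is unset.

```xml
<form>
  <label>Conditional panel example</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="mode" searchWhenChanged="true">
      <label>Mode</label>
      <choice value="a">Query 1</choice>
      <choice value="b">Query 2</choice>
      <default>a</default>
      <change>
        <!-- exactly one of show_a / show_b is set at any time -->
        <condition value="a">
          <set token="show_a">true</set>
          <unset token="show_b"/>
        </condition>
        <condition value="b">
          <set token="show_b">true</set>
          <unset token="show_a"/>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <!-- rendered only while $show_a$ is set -->
    <panel depends="$show_a$">
      <title>Query 1</title>
      <table>
        <search>
          <query>index=_internal | stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <!-- rendered only while $show_b$ is set -->
    <panel depends="$show_b$">
      <title>Query 2</title>
      <table>
        <search>
          <query>index=_internal | stats count by component</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The condition-based token values (a, b) can come from any input, not just a dropdown; the only requirement is that the change handler leaves exactly one of the visibility tokens set. A hidden panel's search still runs unless its query is also written in terms of a token that is unset, so for expensive searches reference the same token inside the query too.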