Hi, I have installed an add-on to integrate Splunk with Opsgenie, but it is not working. After finishing the setup, none of the functionality is working, like the inputs or tenant pages.
Add-on installed: https://splunkbase.splunk.com/app/3759/
Used this link for reference: https://support.atlassian.com/opsgenie/docs/integrate-opsgenie-with-splunk/#:~:text=Opsgenie%20provides%20a%20two%2Dway,forward%20Splunk%20alerts%20to%20Opsgenie
Has anyone integrated Splunk with Opsgenie? If yes, please help me with the setup. Thanks in advance.
Hi all, does anyone know if it's possible to create a file from a field in an artifact?
Scenario: We have an alert in Splunk SIEM that sends various bits of tabulated info to SOAR. One of the fields is a comma-delimited list of IDs; this could be 1 or several hundred. This kicks off a playbook to process this info and email the info to the 'owner'. The ID data must be added to the sent email as an attachment.
I'm aware of the option to add attachments from the file vault to an email from SOAR using the SMTP app, but... how do we get the ID data from the field in the artifact into a file?
Any help would be much appreciated. Cheers, Mark.
Hi, I'm trying to calculate a success percentage; for that I'm taking the total and request count, but I'm unable to get the count for the request. Please see the attachments to get more insights.
Image1: Gives total count of book appointment request count.
Image2: Unable to get Request count from the total book appointments.
Image3: Example of successfully getting results.
Please help me to resolve this.
I want to check if some strings exist in a column and, if they do, I want to add another column with the type of the string I found inside. For example: the column "Company", and inside we can find google inc, amazon llc, Microsoft incorporation, university of china and more. The strings I want to check: google, amazon, Microsoft. The important thing is that I have ~100 strings that I need to check for. I want to add a column "company_Type", and if one of the strings exists in the column "Company", it will write "Technology", and if not, "other".
The result I want to get:
Company                    Company_Type
google inc                 Technology
amazon llc                 Technology
Microsoft incorporation    Technology
university of china        other
I am passing in the following token host_token=$host_token$ in a URL:
<link target="_blank">/app/RTPM/blackwidow_testing__technical_dashboard_19_01_2022_v2?host_token=$host_token$&amp;host_token1=$host_token$</link>
However, the screen that is receiving the token, blackwidow_testing__technical_dashboard_19_01_2022_v2, already has an input for host_token (as the screen can be used on its own, without someone passing in tokens). It looks like this. Ideally, if the host_token comes in from the URL, I want the value to be set to that. However, that does not happen; the URL host_token seems to be ignored and the original dropdown works as if nothing happened.
<input type="dropdown" token="host_token">
  <label>HOST</label>
  <fieldForLabel>mx.env</fieldForLabel>
  <fieldForValue>mx.env</fieldForValue>
  <search>
    <query>| mstats avg("mx.process.cpu.utilization") as X WHERE "index"="metrics_test" span=10s BY "mx.env" | dedup mx.env | table mx.env</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
</input>
As a test I pass in 2 tokens, host_token and host_token1; host_token is set to undefined. This is the one that I need to get set when it comes in from the URL.
Any help would be amazing - thanks - Robbie
@splunkdevelopemnt I am working on Dashboard Studio and I am new to this. There is a need to create the Month filter just above the panel, as we can do in a classic dashboard. Kindly help me with this: can we create the filters anywhere in Dashboard Studio, as I can only see the global filter? Thanks, Sudha Adhvaryu
Hey everyone, I'm a little new to Splunk so bear with me. I have an offline Windows environment (a couple of servers and multiple workstations) and, prior to implementation, a member of my team downloaded the Infosec App to provide us with the data we need. This proved to not be the case when testing instances such as failed logons etc. I looked at the syntax and realized that nothing points to Windows event logs. Is there any known way to use the Infosec App by pointing to just the Windows Event Viewer/logs? If not, does it work with an instance such as Sysmon, and if so, how would I point it from Sysmon, to Splunk, to the Infosec App?
Hi, I need to sum the values of durations found in the Duration_of_Errors column of each error that occurs for a user in a certain work shift of the day. I am using the stats command. It happens that the names of my errors start like this:
Technical/broken screen
Technical/keyboard crashed
...
Organizational/absence of personnel
Organizational/change of office
...
Quality/Audit
Quality/server migration
...
I want to sum the duration of each group of errors per shift and user. I have used this but I can't get it to sum; what am I doing wrong?
| stats sum(eval(if(Error_Text="Technical*"))) as sum_technical_duration_errors by shift user
Thanks in advance!
Dear Splunkers, I got the following message when configuring CloudTrail SQS S3 Based:
An error occurred (SignatureDoesNotMatch) when calling the GetObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.
I appreciate any help!
I am giving the username@accountname and password while accessing the REST URL of the metric browser from a browser. I am getting a 401 (Unauthorized) error. I am trying like below:
username: cat******@cat******
password: cat****
Could someone please help me.
Hello, I have 3 rows with numeric data, and I'm trying to visualize this in a pie chart. The first value (totalval) is the total value; I want the other values to be a percentage of the total value and so only show the 2 other values (typeA and typeB).
type        total
---------------------
totalval    4151
typeA       1442
typeB         17
Trying for some hours, I am stuck; any help is appreciated. Regards, Harry
Can I repoint a universal forwarder to a new heavy forwarder on Windows without reinstalling the agent?
Suppose I have huge data of users and I need to check the last status of each user, like login and logout. If a user's last status is logout, I need to show the user info in table format with status "sign out".
Dear Splunk Community, I have the following query. The main query looks for errors in certain log files. If they are found, a list of events is returned. The RUNID is fetched from the events and is used in the JOIN to fetch profiles that are related to the events. Not all events from the main search have a profile. In that case, the result will be all events from the main search with empty profile columns. I do not wish to see those events. Example: I have 10 events that show errors. 5 of these events have no profile. An event with no profile looks like this: And an event with a profile looks like this: My question is: How do I exclude events with no profiles attached to them? I want to get rid of the entire row if no profile is found. How do I achieve this?
index="myIndex" host="myHostname1*" OR host="myHostname2*" source="/opt/IBM/taddm/dist/log/sensors/*/*.log" CTJTD3028E
| table _time, errorcode, IP, runid, profile, _raw
| rex "(?<errorcode>CTJT\w{6})"
| rex field=_raw "(?<runid>\w{16}#)"
| eval runid = replace(runid,".$","")
| eval _time=strftime(_time,"%d/%m/%Y %H:%M:%S")
| rex field=_raw "(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=_raw "CTJTD3028E(?<_raw>.+)"
| rename errorcode AS "Foutcode"
| rename _raw AS "Foutmelding"
| rename runid AS "RUNID"
| rename _time AS "Datum"
| dedup Foutcode, IP
| join type=left RUNID
    [ search index="myIndex" host="myHostname1*" OR host="myHostname2*" source="/opt/IBM/taddm/dist/log/services/ProcessFlowManager.log" OR source="/opt/IBM/taddm/dist/log/services/ClientProxy.log" "started with profile" myProfileName
    | rex field=_raw "Discovery\srun,\s(?<RUNID>[^\s]+)\sstarted\swith\sprofile\s(?<profile>[^\s\r]+)"
    | stats count by profile RUNID
    | fields profile RUNID ]
| rename profile AS "Profiel"
Hi Team, could you please help to get the below query: I have 2 lookup files. I want to fetch uncommon data from 1 of the lookup files. e.g.
1st lookup file - abc.csv
ID  Name
1   abc
2   xyz
2nd lookup file - PQR.csv
ID  NAme
1   abc
I want to fetch the below uncommon data.
Output:
ID  NAme
2   xyz
Kindly help to get this. Thanks. ND
Hi, how can I extract duration with the below conditions? (It is important to check these conditions to find the correct match.)
1) A=A+10
2) B=B
FYI: AFAIK the stats command is faster than the transaction command. I want to extract duration in a large dataset. Here is the log:
2022-01-17 00:14:19,600 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Normal Packet Received: A[000] B[9999] C[000000]
2022-01-17 00:14:20,622 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Packet Processed: A[010] B[9999]
2022-01-17 16:50:48,383 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Normal Packet Received: A[900] B[33322]
2022-01-17 16:50:48,414 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Packet Processed: A[910] B[33322] C[000000]
Expected output:
name                    duration
CUS.AbCD-APP1-12345     1.022
CUS.AbCD-APP1-54321     0.031
Any idea? Thanks
What are the "NodeType" terms in kafka_consumer and kafka_producer with the Splunk OTel Collector setup? I have done the setup with ZooKeeper.
Link: https://docs.splunk.com/Observability/gdi/collectd/collectd-kafka-consumer.html
Hi, we are using Splunk Cloud and the DBConnect App is installed on the IDM. I have noticed that some of the DB Inputs stop indexing data after the Splunk Cloud Monthly Maintenance Activity. I first observed this on 22nd Dec; the DBConnect version was 3.4.2. DBConnect was upgraded to 3.7.0 on 4th Jan, and again, after the Splunk Cloud Maintenance Activity on 10th Jan, some of the DB Inputs have stopped indexing data. Can someone please suggest if this is expected behavior for some specific types of DB Inputs (if yes, which?) and/or what logs I could check to analyze this issue further? We are using MySQL and SQL Server DB Inputs. Thank you very much. Regards, Madhav
Hello Splunkers, for our email alerts I want a custom footer, but it seems no line break works. I already tried \ like it is in the standard footer, \r\n, and just pressing Enter and Shift+Enter. If it matters, I use the Config Explorer for that in Splunk Enterprise 8.2.0. Thanks for the help.
I have been getting this email notification every week, and went to the "Upgrade Readiness App" to see what is going on. I saw that one of the apps, "Data Manager", is failing. I also went in and requested to upgrade to Python 3 more than two weeks ago, but we are still getting the notification every week, and also it is not being changed. Can someone guide us on what needs to be done? Thanks in advance.