All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Topics

Powershell script not running always on schedule - Splunk Add On for Microsoft HyperV

by in Getting Data In
‎01-22-2022 09:27 PM
‎01-22-2022 09:27 PM
Hello, I am running Splunk Add for Microsoft Hyper-V  on 10 different Hyper-V hosts with a splunk forwarder each, but not all powershell scripts are executed on schedule.    My problem is with the lo... See more...
Hello, I am running Splunk Add for Microsoft Hyper-V  on 10 different Hyper-V hosts with a splunk forwarder each, but not all powershell scripts are executed on schedule.    My problem is with the long running scripts getvm_inventory.ps1 and getvm_inventoryext.ps1. The rest of the scripts are executed on schedule. I have the following inputs.conf ############# VM ############# [powershell://GetVM_Inventory] script = . "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_Inventory.ps1" schedule = 0 0 4-8/1 ? * * source = microsoft:hyperv:powershell:getvm_inventory.ps1 sourcetype = microsoft:hyperv:vm index = ctc_hyperv_inventory disabled = 0 [powershell://GetVM_InventoryEXT] script = . "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_InventoryEXT.ps1" schedule = 0 20 4-8/1 ? * * source = microsoft:hyperv:powershell:getvm_inventoryext.ps1 sourcetype = microsoft:hyperv:vm:ext index = ctc_hyperv_inventory disabled = 0   from the logs I see that they are executed correctly . The only difference from other scripts is the execution that is much longer.   01-23-2022 06:00:10.4694493+2 INFO End of executing script=. "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_Inventory.ps1" for stanza=GetVM_Inventory, execution_time=10.3504674 seconds 01-23-2022 06:00:00.1169827+2 INFO Start executing script=. "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_Inventory.ps1" for stanza=GetVM_Inventory 01-23-2022 06:00:00.1139817+2 INFO enqueue job for stanza=GetVM_Inventory 01-23-2022 05:00:10.5518190+2 INFO End of executing script=. "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_Inventory.ps1" for stanza=GetVM_Inventory, execution_time=10.4093991 seconds 01-23-2022 05:00:00.1404194+2 INFO Start executing script=. "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_Inventory.ps1" for stanza=GetVM_Inventory 01-23-2022 05:00:00.1374214+2 INFO enqueue job for stanza=GetVM_Inventory 01-23-2022 04:00:13.0595973+2 INFO End of executing script=. "$SplunkHome\etc\apps\Splunk_TA_microsoft-hyperv\bin\GetVM_Inventory.ps1" for stanza=GetVM_Inventory, execution_time=11.6046748 seconds   Thank you in advance.

help on row panel

by in Splunk Enterprise
‎01-22-2022 09:18 PM
‎01-22-2022 09:18 PM
Hi I need to display a table panel and 4 chart panel like in the screenshot  could you help please? Here is my xml <form> <row> <panel depends="$alwaysHideCSS$"> <html> <sty... See more...
Hi I need to display a table panel and 4 chart panel like in the screenshot  could you help please? Here is my xml <form> <row> <panel depends="$alwaysHideCSS$"> <html> <style> #map{ width:60% !important; #chart{ width:20% !important; } #chart2{ width:20% !important; } } </style> </html> </panel> <panel id="map"> <map> <search> <query></query> <earliest>$tokTime.earliest$</earliest> <latest>$tokTime.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="drilldown">none</option> <option name="mapping.map.center">(46,2)</option> <option name="mapping.map.zoom">5</option> <option name="mapping.type">marker</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> </map> </panel> <panel id="chart4"> <chart> <search> <query></query> <earliest>$tokTime.earliest$</earliest> <latest>$tokTime.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option> <option name="charting.axisTitleX.text">Bureaux</option> <option name="charting.axisTitleY.text">Nb utilisateurs</option> <option name="charting.chart">column</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">none</option> <option name="charting.fieldColors">{"nbsam":#27B508}</option> <option name="charting.legend.placement">none</option> <option name="height">230</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel id="chart"> <chart> <search> <query></query> <earliest>$tokTime.earliest$</earliest> <latest>$tokTime.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option> <option name="charting.axisTitleX.text">Bureaux</option> <option name="charting.axisTitleY.text">Nb utilisateurs</option> <option name="charting.chart">column</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">none</option> <option name="charting.fieldColors">{"nbsam":#f70505}</option> <option name="charting.legend.placement">none</option> <option name="height">230</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel id="chart2"> <chart> <search> <query></query> <earliest>$tokTime.earliest$</earliest> <latest>$tokTime.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option> <option name="charting.axisTitleX.text">Bureaux</option> <option name="charting.axisTitleY.text">Nb utilisateurs</option> <option name="charting.chart">column</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">none</option> <option name="charting.fieldColors">{"nbsam":#27B508}</option> <option name="charting.legend.placement">none</option> <option name="height">230</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel id="chart3"> <chart> <search> <query></query> <earliest>$tokTime.earliest$</earliest> <latest>$tokTime.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option> <option name="charting.axisTitleX.text">Bureaux</option> <option name="charting.axisTitleY.text">Nb utilisateurs</option> <option name="charting.chart">column</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">none</option> <option name="charting.fieldColors">{"nbsam":#f70505}</option> <option name="charting.legend.placement">none</option> <option name="height">230</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> </form>  

Restart of Splunk Agent using script

by in Splunk Enterprise
‎01-22-2022 11:58 AM
‎01-22-2022 11:58 AM
Hi All,   We are looking for a script to restart the splunk agent when ever it gets stopped could you please help us if anyone has any script to restart it on both linux & windows servers   THank... See more...
Hi All,   We are looking for a script to restart the splunk agent when ever it gets stopped could you please help us if anyone has any script to restart it on both linux & windows servers   THanks in Advance
Labels

.dmg Installation fail mac big sur

by in Installation
‎01-22-2022 06:18 AM
‎01-22-2022 06:18 AM
At the end of the installation I got this in a terminal window: *************************************************** This appears to be your first time running this version of Splunk.   Splunk sof... See more...
At the end of the installation I got this in a terminal window: *************************************************** This appears to be your first time running this version of Splunk.   Splunk software must create an administrator account during startup. Otherwise, you cannot log in. Create credentials for the administrator account. Characters do not appear on the screen when you type in credentials.   Please enter an administrator username: /bin/echo Usernames cannot contain '/' or space characters (base) wel51x@Winstons-MacAir ~ %  *************************************************** Any ideas?
Labels

How can I get multiple output in one cell and upon clicking the output, it should show logs in a table below. Below is t

by in Dashboards & Visualizations
‎01-21-2022 11:44 PM
‎01-21-2022 11:44 PM
How can I get multiple output in one cell and upon clicking the output, it should show logs in a table below. Below is the format. statuscode for success =100, statuscode for warning = 200, sta... See more...
How can I get multiple output in one cell and upon clicking the output, it should show logs in a table below. Below is the format. statuscode for success =100, statuscode for warning = 200, statuscode for failure=300   Country1 Country2 Country3 Application1 Success - #count_value Warning - #count_value Failure - #count_value Success - #count_value Warning - #count_value Failure - #count_value Success - #count_value Warning - #count_value Failure - #count_value Application2 Success - #count_value Warning - #count_value Failure - #count_value Success - #count_value Warning - #count_value Failure - #count_value Success - #count_value Warning - #count_value Failure - #count_value Application3 Success - #count_value Warning - #count_value Failure - #count_value Success - #count_value Warning - #count_value Failure - #count_value Success - #count_value Warning - #count_value Failure - #count_value
Labels

Indexing delays due the monitor input cannot produce data because splunkd's processing queues are full.

by in Installation
‎01-21-2022 11:36 PM
‎01-21-2022 11:36 PM
We are facing indexing delays we see the below error messages on heavuy forwarders. can some on suggest us   01-22-2022 07:32:15.845 +0000 INFO TailReader [9126 tailreader1] - ...continuing. 01-22... See more...
We are facing indexing delays we see the below error messages on heavuy forwarders. can some on suggest us   01-22-2022 07:32:15.845 +0000 INFO TailReader [9126 tailreader1] - ...continuing. 01-22-2022 07:32:10.845 +0000 WARN TailReader [9126 tailreader1] - Could not send data to output queue (parsingQueue), retrying... 01-22-2022 07:31:54.057 +0000 WARN TailReader [9124 tailreader0] - Could not send data to output queue (parsingQueue), retrying... 01-22-2022 07:31:49.056 +0000 INFO TailReader [9124 tailreader0] - ...continuing. 01-22-2022 07:31:44.056 +0000 WARN TailReader [9124 tailreader0] - Could not send data to output queue (parsingQueue), retrying... 01-22-2022 07:31:39.056 +0000 INFO TailReader [9124 tailreader0] - ...continuing. 01-22-2022 07:30:09.054 +0000 WARN TailReader [9124 tailreader0] - Could not send data to output queue (parsingQueue), retrying... 01-22-2022 07:29:59.053 +0000 INFO TailReader [9124 tailreader0] - ...continuing. 01-22-2022 07:29:49.053 +0000 WARN TailReader [9124 tailreader0] - Could not send data to output queue (parsingQueue), retrying...
Labels

result in single row

by in Splunk Search
‎01-21-2022 07:41 PM
‎01-21-2022 07:41 PM
Hi Guys   I have a query like this   <query>| stats avg(CurrentConnections) as CC by host    And the output is as below with multiple rows     But we have a requirement to get all the re... See more...
Hi Guys   I have a query like this   <query>| stats avg(CurrentConnections) as CC by host    And the output is as below with multiple rows     But we have a requirement to get all the results in a single row (all outputs are required but in a single row instead of multiple rows one after one) some thing like this;   host   CC server01 server02 server03 server04 server05 server06 368.333333333333 365.333333333333 345.333333333333 379.666666666666 356.333333333333 381.666666666666   Can someone please guide us how to do this?  

Where clause has syntax error?

by in Dashboards & Visualizations
‎01-21-2022 07:00 PM
‎01-21-2022 07:00 PM
Hi, Splunkers,   | where ENT_CallType=if($t_VQ$ =="*","*",ltrim($t_VQ$,"VQ_")) t_VQ is a dropdown token,  value is either ALL/*  or VQ_abc_efg  (string starting with VQ_) what my code expected is... See more...
Hi, Splunkers,   | where ENT_CallType=if($t_VQ$ =="*","*",ltrim($t_VQ$,"VQ_")) t_VQ is a dropdown token,  value is either ALL/*  or VQ_abc_efg  (string starting with VQ_) what my code expected is when t_VQ = *,  then  |where ENT_CallType=*  when t_VQ = VQ_abc_efg,   then |where ENT_CallType=abc_efg but when I selected ALL/*, has the following error Error in ‘where’ command: The expression is malformed. An unexpected character is reached at ‘* == “*”,”*”, ltrim(*,”VQ_”)   when VQ_abc_efg is selected, doesn't work either.   thx in advance Kevin

Eval If Multiple Date Values Match or Do Not Match

by in Splunk Search
‎01-21-2022 06:33 PM
‎01-21-2022 06:33 PM
Hello, I have a script gathering the last updated timestamp of three different files and I'm ingesting that data into Splunk to help identify when one of the three files fails to update.  What I am ... See more...
Hello, I have a script gathering the last updated timestamp of three different files and I'm ingesting that data into Splunk to help identify when one of the three files fails to update.  What I am trying to do is build a dashboard table view of all of the dates and eval any that do match the others as "Not_Matching". In the below screenshot i'd like to identify Servername2.file as "Not_Matching" (since it has a Timestamp of 2022-01-21 12:XX, instead of 2022-01-21 15:XX like the other two files) using an eval statement if possible. Note that all three files live within the same Index/Source/Sourcetype. Thanks for any help!
Labels

Splunk REST API | Validate SPL

by in Splunk Dev
‎01-21-2022 02:18 PM
‎01-21-2022 02:18 PM
Hi all, I am working on a project that take SPL input from user. So, i need to be sure that SPL has a correct syntax without making a search with the SPL. I could not see but is there a validator fo... See more...
Hi all, I am working on a project that take SPL input from user. So, i need to be sure that SPL has a correct syntax without making a search with the SPL. I could not see but is there a validator for SPLs?
Labels

Proofpoint support for jQuery 3.5

by in All Apps and Add-ons
‎01-21-2022 02:07 PM
‎01-21-2022 02:07 PM
Is there an ETA on when Proofpoint 2.0 add-on's/apps will be updated to support jQuery 3.5? These two are failing the upgrade readiness test in Splunk Cloud: splunkbase.splunk.com/app/4327/ splunk... See more...
Is there an ETA on when Proofpoint 2.0 add-on's/apps will be updated to support jQuery 3.5? These two are failing the upgrade readiness test in Splunk Cloud: splunkbase.splunk.com/app/4327/ splunkbase.splunk.com/app/4328/  Thank you!
Labels

Which timestamp is used when piping a transaction result into timechart command

by in Splunk Search
‎01-21-2022 01:59 PM
‎01-21-2022 01:59 PM
I have a transaction command which correlates two log entries. If I pipe this result into a timechart command, which log entry's timestamp does it use to bucketize the results (the first or the secon... See more...
I have a transaction command which correlates two log entries. If I pipe this result into a timechart command, which log entry's timestamp does it use to bucketize the results (the first or the second)? Also, is there a way to specify this? Thanks! Jonathan
Labels

How do you use a calculated "_time" field for a timechart query

by in Splunk Search
‎01-21-2022 01:29 PM
‎01-21-2022 01:29 PM
I have a Splunk query that does a lot of computation and eventually returns only two calculated fields:  _time and STORE_ID via the table command. The _time field is formatted exactly like the the b... See more...
I have a Splunk query that does a lot of computation and eventually returns only two calculated fields:  _time and STORE_ID via the table command. The _time field is formatted exactly like the the built-in _time field (e.g., "2022-01-17 23:50:25,897"). I want to do a timechart showing the count of how many times each unique STORE_ID appears in a given time bucket, using my calculated _time variable to fill the buckets.  What do I put in the timechart clause to accomplish this?  Thanks! Jonathan
Labels

Timestamping different formats in same sourcetype

by in Getting Data In
‎01-21-2022 01:14 PM
‎01-21-2022 01:14 PM
All... Looking to see if anyone has any thoughts on trying to bring in different timestamp formats inside of the same sourcetype.  I am working on an issue where we are bringing Crowdstrike data whe... See more...
All... Looking to see if anyone has any thoughts on trying to bring in different timestamp formats inside of the same sourcetype.  I am working on an issue where we are bringing Crowdstrike data where they are just dumping data into S3 bucket.  Some of the data comes into buckets that have specific directories, so I can set sourcetyping at the source level for those:   However we have some data coming into the same bucket and the same file, but they may have different formats.  Examples of what we are seeing: "modified_time":"2022-01-10T23:58:25.865570789Z" "timestamp":"2022-01-21T20:37:37Z" We have tried defining a datetime.xml and have used the following props settings: [crowdstrike:edr] LINE_BREAKER = ([\r\n]+) MAX_TIMESTAMP_LOOKAHEAD = 30 SHOULD_LINEMERGE = false #TIME_FORMAT = %s%3N TIME_PREFIX = "timestamp":|"modified_time":|"_time":|"Time": #TIME_PREFIX = timestamp DATETIME_CONFIG = /etc/apps/fmac_crowdstrike_props/datetime.xml TRANSFORMS-filter-edr-splunkd = crowdstrike_filter_splunk,crowdstrike_filter_splunkforwarder,crowdstrike_filter_endofprocess TRUNCATE = 999999 disabled = false kv_mode = json Please let me know if you have any thoughts on this or ideas that will help.  Thanks!
Labels

Tracking state changes for a day

by in Dashboards & Visualizations
‎01-21-2022 01:03 PM
‎01-21-2022 01:03 PM
Here is some background on what I am trying to accomplish, I have 3 separate devices that will be in any of 6 stages of activities throughout a day. I have a base search that will tell when a device ... See more...
Here is some background on what I am trying to accomplish, I have 3 separate devices that will be in any of 6 stages of activities throughout a day. I have a base search that will tell when a device changes states, what state it changes to, and what time this occurs. I would like to have a chart or graph that will tell me how long each device was in each state for a given day.  I can't put my search or data on the forum. 
Labels

Search for users Splunk login activity for * days

by in Splunk Search
‎01-21-2022 12:34 PM
‎01-21-2022 12:34 PM
Hello, I'm trying to search Splunk for user activity pertaining to logging into Splunk for X # of days. Everything I've tried so far returns some results but not all.  I've searched the _audit index... See more...
Hello, I'm trying to search Splunk for user activity pertaining to logging into Splunk for X # of days. Everything I've tried so far returns some results but not all.  I've searched the _audit index as well as |rest /services/authentication/httpauth-tokens | fields userName, timeAccessed |dedup userName sortby timeAccessed.  Does anyone have a search for this or a dashboard that would pull this information? I need: user, date last accessed at a minimum.   Thanks, Craig          
Labels

Dynamically populate dashboard panel title

by in Dashboards & Visualizations
‎01-21-2022 11:17 AM
‎01-21-2022 11:17 AM
I have a dashboard that has 3 Inputs - "Change Type", time and text box. The "Change Type" is dynamically populated using "choice value" based on a search string. There are two change types, Config ... See more...
I have a dashboard that has 3 Inputs - "Change Type", time and text box. The "Change Type" is dynamically populated using "choice value" based on a search string. There are two change types, Config and Admin. Example: <form theme="dark"> <label>Admin and Config Change Reports</label> <description>Change Events</description> <fieldset submitButton="true" autoRun="false"> <input type="dropdown" token="tok_change" searchWhenChanged="true"> <label>Change Type:</label> <choice value="index=admin_changes <some other spl>">Admin change</choice> <choice value="index=config_changes <some other spl>">Config change</choice> The users much choose from a drop down, one of the above change choices. Once the choice is made a table is populated with the results. What I want to do is when the panel (table) is populated I want the "change type" to be the panel title. Thanks in advance.
Labels

case match command

by in Splunk Search
‎01-21-2022 11:09 AM
‎01-21-2022 11:09 AM
I am trying to use the case match command with more than one option. I keep getting an error message regarding the parenthesis.. nothing is working.. Do not understand whats missing from the syntax. ... See more...
I am trying to use the case match command with more than one option. I keep getting an error message regarding the parenthesis.. nothing is working.. Do not understand whats missing from the syntax.   Here is the search --> | eval state_ack_error=case(match(_raw, "ACK\-CODE\=AA"), 1, match(_raw matches "STATUS\=SENT"), 1, 1=1, 0) Error message: Error in 'eval' command: The expression is malformed.
Labels

Windows Server 2022/Windows 11 Support

by in Installation
‎01-21-2022 10:00 AM
‎01-21-2022 10:00 AM
Would like to know timetable of Splunk Enterprise and the Splunk Universal Forwarder being support/compatible with Windows Server 2022/Windows 11?   Thank you

Hi Experts, I would like to count the multifield in the table where it has similar values

by in Splunk Search
‎01-21-2022 09:54 AM
‎01-21-2022 09:54 AM
I would like to count the multifield in the table where it has similar values.  For Ex:  I need output like below for the COMPLETED_CERT_COUNT, It should only show the count of NOT_Expired training ... See more...
I would like to count the multifield in the table where it has similar values.  For Ex:  I need output like below for the COMPLETED_CERT_COUNT, It should only show the count of NOT_Expired training status.    I have tried |eval COMPLETED_CERT_COUNT=mvcount(if(TRAINING_STATUS=="Not_Expired")) and   | stats mvcount(eval(TRAINING_STATUS="Not_Expired")) as certcount by name . But Nothing worked out. Kindly share your suggestion 
Labels