I have deployed Splunk on a CentOS machine and forwarder on Windows Server 2012 R2. After installing the universal forwarder, the host is not showing up in 
Hello, I have a table like that:

customer    prod_1  prod_2  prod_3
customer_1          green
customer_2  red             orange

and I would like to count customers by product to get a table like this:

product  count  customer
prod_1   1      customer_2
prod_2   1      customer_1
prod_3   1      customer_2

Is it possible?
Hi

2022-01-04 23:10:43,224 INFO [APP] sessionDestroyed, Session Count: 0
2022-01-04 23:12:34,238 INFO [APP] sessionCreated, Session Count: 1
2022-01-04 23:13:43,224 INFO [APP] sessionDestroyed, Session Count: 10
2022-01-04 23:14:34,238 INFO [APP] sessionCreated, Session Count: 7

extract output

                     sessionCreated  sessionDestroyed
2022-01-04 23:10:43                  0
2022-01-04 23:12:34  1
2022-01-04 23:13:43                  10
2022-01-04 23:14:34  7
Hello Team, I need help with a Splunk query where I am trying to get the AWS instance ID via a lookup table, but I am able to get the instance name with respect to IP. Please find the query below and help me with a suggestion.

index=c3d_security host=ip-10-10* rule=corp_deny_all_to_untrust NOT dest_port=4431
| table src_ip dest_ip transport dest_port application
| lookup Blocked_Non-httptraffic.csv src_ip as src_ip outputnew dest_ip

Note: I have made the CSV file with the lookup editor (" Non-httptraffic.csv src") with two fields, src_ip and dest_ip. When I search with the above query, I am unable to get the instance name (the host name) with regard to the IP. Please help.
Hello, I have a question regarding replication of lookups on a search head cluster containing 3 search heads. The issue is that there is a lookup that is roughly 6 GB large, and that is larger than the replication max bundle size we allow. This lookup will not be changed in the future. My question is: how do you suggest we get the lookup on every search head? One way is to increase the max size that we allow, but I'm thinking we could just manually upload the lookup to every search head instead? I believe that as long as it shares the same properties over all search heads, it will be functionally the same as allowing the search heads to automatically replicate it? Do you believe this would work?
Hi All, I have a query to get the result of the list of filesystems and their respective disk usage details as below:

File_System  Total in GB  Used in GB  Available in GB  Disk_Usage in %
/var         10           9.2         0.8              92
/opt         10           8.1         1.9              81
/logs        10           8.7         1.3              87
/apps        10           8.4         1.6              84
/pcvs        10           9.4         0.6              94

I need to create a multiselect option with the disk usage values to get the above table for a range of values. For e.g. if I select 80 in the multiselect it will show the table with values of disk usage in the range 76-80; then if I select 80 & 90 in the multiselect it will show the table with values of disk usage in the range 76-80 & 86-90, and so on. I created the multiselect with token "DU" and created the search query for the table as:

.... | where ((Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)) OR (Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)))
| table File_System,Total,Used,Available,Disk_Usage
| rename Total as "Total in GB" Used as "Used in GB" Available as "Available in GB" Disk_Usage as "Disk_Usage in %"

With the above query I am able to get the results when I run a search with two different values (e.g. 100 & 65) for $DU$ in (Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)). But with this query I am not able to get the table in the dashboard when I am using multiple values. Please help me with the delimiter to be added, or help create a query so that selecting multiple options in the multiselect will give the table for a range of disk usage values.
I need a Splunk service for my client, who is buying Bitdefender cyber security but wants an add-on solution to capture HTTP data and JSON. Thank you
First query

index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"
| eval _raw = msg
| rex "Request\#\:\s*(?<ID1>\d+) with (?<Status>\w+.\w+)"
| rex "CRERequestId\"\:\"(?<ID2>[^\"]+)"
| eval ID=coalesce(ID1,ID2)
| stats latest(Status) as Status by ID
| eval Status=trim(Status, "status ")
| stats count by Status

Second query

index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"
| search msg="*Rejected*"
| eval _raw = msg
| rex "(?<CRE_Creation_Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"
| rex "Request\#\:\s*(?<Rejected_CRE_ID>\d+)"
| rex "status(?<Rejected>\s\w+)"
| rex "(?<Failed_Reason>Rule.*)$"
| eval Failed_Reason=trim(Failed_Reason, "Rule ")
| stats count by CRE_Creation_Date Rejected_CRE_ID Rejected Failed_Reason
Hello, we've installed Splunk and the license expired on December 18th or so. Now we have converted the license into a free license. But the search still doesn't work; every time I try to search something ("*" or in my other index) I get:

----snip---
Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.
----snip---

Only searching in "index=_internal" works. Looking in Settings -> Licensing:

-----snip----
Free license group
Change license group
This server is configured to use licenses from the Free license group
Add license
Usage report
Alerts
Licensing alerts notify you of excessive indexing warnings and licensing misconfigurations. Learn more
Current
1 pool warning reported by 1 indexer
Correct by midnight to avoid warning Learn more
1 pool violation reported by 1 indexer
Correct by midnight to avoid warning Learn more
Permanent
18 pool quota overage warnings reported by 1 indexer 13 hours ago
Local server information
Indexer name #########
License expiration 19 Jan 2038, 04:14:07
Licensed daily volume 500 MB
Volume used today 0 MB (0.007% of quota)
Warning count 18
Debug information
All license details
All indexer details
-----snip----

We are evaluating Splunk and have only a couple of kB per day, so the data amount is not the problem. Do you have any advice? With best regards, Peter
Hello, I have a specific question concerning translations with i18n. What I want to do is translate an i18n token in an HTML environment which contains "normal" Splunk tokens and resolve them. For example the i18n token "i18n_coil_machine2_vor_x_tagen2": "$tok_coil_machine_2$ vor $tok_latest_stack_time_2$ Tagen". When I insert the token in a dashboard title it works and resolves the inner tokens. But when I use it in HTML it does not:

Result in title: "XXX vor YYY Tagen"
Result in HTML: $tok_coil_machine_2$ vor $tok_latest_stack_time_2$ Tagen

Here is a minimal working example:

<dashboard script="translation.js">
  <init>
    <set token="tok_coil_machine_2">XXX</set>
    <set token="tok_latest_stack_time_2">YYY</set>
  </init>
  <label>TEST</label>
  <row>
    <panel>
      <title>i18n_coil_machine2_vor_x_tagen2</title>
      <html>Only Token: $tok_coil_machine_2$ und $tok_latest_stack_time_2$</html>
      <html> IN HTML: <span i18ntag="">i18n_coil_machine2_vor_x_tagen2</span></html>
    </panel>
  </row>
</dashboard>

Is there a solution for this? I would be very thankful for any help.
Hi, I tried to configure CloudTrail SQS Based S3 and I got the following message:

"Warning: This message does not have a valid SNS Signature None None doesn't match required format '^https://sns\\.[-a-z0-9]+\\.amazonaws\\.com(?:\\.cn)?/'"

Sometimes I also get: "Failed to delete message"

I have no clue where to look in order to solve this issue. I would appreciate any help!
Stage (field name)
Capa
Capa_india
north_Capa
checkcapaend
NET
net_east
southNETregion
showmeNET
us_net

From the field Stage, if the value contains capa or Capa I need to color the bar chart Blue. Otherwise I need to show the bar chart color as Orange.

Thanks in advance.
Hi, I tried to install the Google Cloud Platform Add-On, the pubsub input. When I tried to set the input parameters, I got the error "Error response received from server: External handler failed with code '1' and output: '[Errno 104] Connection reset by peer '". Can someone tell me what it can be, and how to solve it?
Hello Splunk Answers, how can I remove this duplicate line? See sample below:

From:

row1     row2  row3
1.1.1.1  XXX   alpha.splunk.com
               alpha
2.2.2.2  YYY   beta.splunk.com
               BETA
3.3.3.3  ZZZ   delta.splunkanswers.com
               delta
4.4.4.4  AAA   abcdefgh

to:

row1     row2  row3
1.1.1.1  XXX   alpha.splunk.com
2.2.2.2  YYY   beta.splunk.com
3.3.3.3  ZZZ   delta.splunkanswers.com
4.4.4.4  AAA   abcdefgh

Thanks!
If I use "bin _time as time span=15m | stats count by time" at 17:20 for the past 1 hour, the result would be like:

time interval  count
16:45 - 17:00  1285
17:00 - 17:15  1352
17:15 - 17:20  362

So for the last time bucket, which is incomplete, there will be only 5 mins of data. Is there any way to search every 15 mins backward from the current time, like:

16:35 - 16:50
16:50 - 17:05
17:05 - 17:20

Really appreciate your help!
Hi, I'm currently forwarding files from my forwarder to the Indexer. For the purpose of housekeeping, can I safely delete old files on the forwarder after they're indexed, without affecting the indexed data? These files would still be in the directory that is being monitored by the forwarder. Thank you.
Hi All, in Splunk, is it possible to keep a restriction so that ownership cannot be edited once the notable has already been assigned to some other owner? Thanks in advance.
Hi. I have a dashboard with 80 panels. The panels are numeric values (type: Single Value). I would like to build one panel which counts the panels that are not 0. In the example below I would like to build one panel which will show 1, because one panel is over 0 and it's red.
We have a process that writes log lines to a log file. Every 15 min the entire log file is overwritten. If there are new lines, those are added. Old lines are retained.   We want the Heavy Forwarder to send to Splunk only the new lines, even though the entire file has got overwritten. Is that possible?
Greetings Splunkers, I have recently started having triggered alerts from a couple of correlation searches where, when attempting to fix or troubleshoot the specific rule, the query would actually fail with errors relating to the query itself (for example: unescaped slashes, lookups that do not exist, etc.). How do those Notables even trigger if the query itself fails? How do I audit changes made to a correlation search to make sure no changes were made to the rule? Thanks, Regards,