Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hello Splunkers,

We created a custom command to create Jira tickets, taking the input from a Splunk table. The script works correctly when triggered from the backend with the values hard-coded. When we change the hard-coded values to tokens, i.e. dynamic values, and try to create a ticket from the UI, it creates 2 tickets with the same ticket number. Below is our Python code and the error we get while triggering:

TIA,
Hi, the app agent is not reporting to the controller after upgrading the machine agent. On the dashboard, application calls are not showing.

^ Post edited by @Ryan.Paredez for formatting
I have a current single-instance deployment of Splunk 8.2.3 on Linux Fedora 35, and it keeps encouraging me to update my mmapv1 storageEngine to wiredTiger. However, when I follow the instructions for a current single-instance deployment at https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/MigrateKVstore#Migrate_the_KV_store_after_an_upgrade_to_Splunk_Enterprise_8.1_or_higher_in_a_single-instance_deployment , it always fails after running the migration command. The entire output is:

Starting KV Store storage engine upgrade:
Phase 1 (dump) of 2: .....ERROR: Failed to migrate to storage engine wiredTiger, reason=

where "reason" is blank. I haven't found anyone posting about getting this error without a reason. How should I complete the migration, or at least do further troubleshooting?
Hi Team,

We have successfully integrated the File Extension from Appdynamics/file-monitoring-extension: "The AppDynamics File Watcher Extension can be used to provide metrics from configured files and directories. ..." (cisco.com). But now we have moved from the Machine Agent to the Cluster Agent. I want to know how we can deploy the existing extensions in the Cluster Agent.

Cheers,
Vinay Kumar
(Select all that apply)
1. Virtual SplunkLive!
2. Splunk Workshops
3. Gaming
4. Splunk Events

I am practicing SE I questions and cannot find this online. Any idea?? Thanks in advance.
Is it valid to use a where clause to compare a string value to a multivalue field in order to know if that value is one of the values in the multivalue field? For example, my query returns this result, where firstName is a multivalue field:

lastName | firstName
-------- | -----------
Smith    | Amy, Barbara, Carol
Wilson   | Carol, Deanna, Emily

I add the following to the end of my query to find all rows containing "Carol" in the multivalue field:

where firstName="Carol"

The where clause seems to work fine and returns all the rows containing "Carol" in the multivalue field. I'm wondering if it's a supported syntax, because I didn't find an example that looks like this and the various "mv" functions seemed to be for more complicated operations. In this example, I'm looking to get all last names and any associated first names and then use a where clause to return anyone with a particular first name.
We got a complete with HTTP Event Collector, but now we are getting: "The data is not formatted correctly. To see how to properly format data for Raw or Event HEC endpoints, see Splunk Event Data". I am thinking of using the Splunk App for Stream. What do you think??? What is a good solution???
Hi,

I have a UNIX Solaris 8 server that acts/behaves like a Splunk proxy server for 2 other UNIX Solaris 8 servers. In other words, the 2 Solaris servers send the syslog file to the UNIX Solaris proxy server. I am trying to create a query that will show the events coming from the 2 UNIX Solaris 8 servers. I run the query below, for example:

index=nix* serverproxy* | eval Status=if(like(source, "%FirstUNIXSolaris8%"), 1, 0)

I am not getting any event that shows the FirstUNIXSolaris8 name/hostname. Any suggestion on how to create the specific query?

Thanks, Regards.
Roberto
Hello,

I have some issues with field extraction, since there are some inconsistencies in the structure of its field values. If we look at the following 2 sample events: Amt, outputCd, and returnCd are null in one event and have some values in the other event, and the values are within " ". I used the following extraction codes, which work fine (separately) with null and with values. But we can only use one extraction code to extract field values from the same field. Are there any ways I can write one field extraction code that will satisfy both conditions? Thank you so much, any help will be highly appreciated.

Field extraction code:
outputCd":(?P<outputCd>\w*)    [works with null]
Amt":"(?P<Amt>\w*)             [works with values]

Sample events:
"timeStamp":"2021-12-09 08:55:30 EST","appName":"DEV","userType":"DBA","caseStatCd":null,"Amt":"100","errorMsg":null,"eventId":"VIEW_LIST_RESPONSE","eventType":"PENDING","fileSourceCd":null, "mftCd":null,"outputCd":null,"planNum":null,"reasonCd":null,"returnCd":null,"sessionId":"acMgt/dev” , "Period":”2021”, userId":"28f526d4-3464-4766-DBA "
"timeStamp":"2021-12-09 08:55:32 EST","appName":"SYS","userType":"ADM","caseStatCd":null,"Amt":null,"errorMsg":null,"eventId":"VIEW_LIST","eventType":"PENDING","fileSourceCd":”09”, "mftCd":null,"outputCd":"09","planNum":null,"reasonCd":null,"returnCd":”01”,"sessionId":"acMgt/dev” , "Period":null, userId":"28f526d4-3464-4766-ADM"
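An added example, not code from the post: one regex per field that covers both the quoted and the null form by making the quote on each side of the capture optional. It also tolerates the curly quotes (U+201C/U+201D) that appear around fileSourceCd, returnCd and Period in the second sample event, which a pattern that only knows the straight quote would silently extract as empty. The sample events below are constructed from the two in the post; reusing the same pattern string in a rex command or EXTRACT setting is an assumption, since the poster's configuration is not shown.

```python
import re

# Straight double quote plus the curly quotes U+201C/U+201D seen in the post's
# second sample event; a pattern that only knows '"' yields an empty value for
# a field written as "returnCd":”01”.
QUOTE = '["\u201c\u201d]'


def field_pattern(name):
    """Build one regex that matches both "name":"value" and "name":null.

    The quote on each side of the capture is optional, so a single expression
    covers the quoted form and the bare null. Only PCRE-compatible syntax is
    used; pasting the same pattern into rex/EXTRACT is assumed to work but is
    not tested here.
    """
    return re.compile(r'"%s":%s?(?P<%s>\w*)%s?' % (re.escape(name), QUOTE, name, QUOTE))


def extract(event, names):
    """Return {field: value} for each requested field present in the event.

    A literal null is returned as None. Fields absent from the event are left
    out of the dict so a caller can tell "missing" from "null".
    """
    out = {}
    for name in names:
        m = field_pattern(name).search(event)
        if m is None:
            continue
        val = m.group(name)
        out[name] = None if val == "null" else val
    return out


# Constructed events modeled on the two in the post (not the poster's data),
# including the curly-quoted returnCd value from the second one.
SAMPLE_EVENTS = [
    '"timeStamp":"2021-12-09 08:55:30 EST","appName":"DEV","Amt":"100",'
    '"outputCd":null,"returnCd":null,"Period":"2021"',
    '"timeStamp":"2021-12-09 08:55:32 EST","appName":"SYS","Amt":null,'
    '"outputCd":"09","returnCd":\u201d01\u201d,"Period":null',
]

FIELDS = ("Amt", "outputCd", "returnCd")


def extract_all(events=SAMPLE_EVENTS, names=FIELDS):
    """Run extract() over every event and return one dict per event."""
    return [extract(e, names) for e in events]


if __name__ == "__main__":
    for row in extract_all():
        print(row)
```

The check worth keeping in mind is the quote character: the second sample event mixes straight and curly quotes in one line, so whatever produced it is not emitting strict JSON, and a JSON-based extraction would fail on it for the same reason the straight-quote regex does.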
Same as https://community.splunk.com/t5/All-Apps-and-Add-ons/Eventtype-errors-using-splunk-app-for-windows-infrastructure/m-p/503500/thread-id/62002

https://splunkbase.splunk.com/app/1680/ is deprecated. What is the solution?
Looking for a device that can monitor power usage and is compatible with Splunk. I'm looking to place it connected to an outlet or something like that to detect whether the power goes out in a building or not. I see lots of articles about combining Splunk with smart home products that could do something like this, but nobody ever says explicitly what to buy if you want to set it up to do something like that. If anyone has any ideas, please let me know.
I have durations for multiple websites. How can I get the 3 least durations for each website? Here is an example:

Duration_in_min  website  ExtraColumn
10.0             x.com    A
2.0              x.com    B
2.0              x.com    AA
3.0              x.com    C
4.0              x.com    ABC
15.0             Y.com    BB
1.0              Y.com    CAV
1.0              Y.com    XY
3.0              Y.com    A
4.0              Y.com    B
5.0              Y.com    BB

So I only want these rows (3 least durations for each website):

Duration_in_min  website  ExtraColumn
2.0              x.com    B
2.0              x.com    AA
3.0              x.com    C
4.0              x.com    ABC
1.0              Y.com    CAV
1.0              Y.com    XY
3.0              Y.com    A
4.0              Y.com    B

Thanks.
I have Splunk table output as below. For the 1st occurrence of every different id, I want to keep the id value, but for all following records I want to change the value to null.

time     id                                value
40:56.1  00J7ER7SGO8PHCAU4O2CM2LAES0006CA  eree334
40:56.2  00J7ER7SGO8PHCAU4O2CM2LAES0006CA  face
41:27.6  00J7ER7SGO8PHCAU4O2CM2LAES0006CA  face
41:27.7  00J7ER7SGO8PHCAU4O2CM2LAES0006CA  dsafasdf
41:27.8  00J7ER7SGO8PHCAU4O2CM2LAES0006CA  earweraw
49:02.1  00J7ER7SGO8PHCAU4O2CM2LAES0006CF  eqtdzgta
49:02.2  00J7ER7SGO8PHCAU4O2CM2LAES0006CF  12341234
49:03.1  00J7ER7SGO8PHCAU4O2CM2LAES0006CF  efgwerwe
49:03.2  00J7ER7SGO8PHCAU4O2CM2LAES0006CF  dafdsaf
49:03.3  00J7ER7SGO8PHCAU4O2CM2LAES0006CF  erwqerqw
50:08.0  00J7ER7SGO8PHCAU4O2CM2LAES0006CF  daadsfad
50:08.7  00J7ER7SGO8PHCAU4O2CM2LAES0006CF  qerqwer
50:08.7  00J7ER7SGO8PHCAU4O2CM2LAES0006CF  ewrqwerqr
50:08.8  00J7ER7SGO8PHCAU4O2CM2LAES0006CF  dfasdfsad
50:08.9  00J7ER7SGO8PHCAU4O2CM2LAES0006CF  ewqrqewr

After the change, it should be like this. Does anyone know how to do this? Thanks in advance.

time     id                                value
40:56.1  00J7ER7SGO8PHCAU4O2CM2LAES0006CA  eree334
40:56.2                                    face
41:27.6                                    face
41:27.7                                    face
41:27.8                                    earweraw
49:02.1  00J7ER7SGO8PHCAU4O2CM2LAES0006CF  eqtdzgta
49:02.2                                    12341234
49:03.1                                    face
49:03.2                                    face
49:03.3                                    face
50:08.0                                    face
50:08.7                                    face
50:08.7                                    face
50:08.8                                    face
50:08.9                                    face

Kevin
Hi,

I have read in the instructions that you cannot install Splunk Enterprise version 8.x on Windows Server 2012 R2. I need to know what the correct way is to install Splunk Enterprise version 8.x. Do I need to install a new host with 2016, or is there any other method? I have 1 deployment server, 2 indexers, a search head, and a universal forwarder. Please share your thoughts.

Thanks
Hi,

I'm attempting to build a query to find destination IP addresses that became source IPs for traffic in a 5-min window. What is the best way to do this? Given that it's IDS data, I don't think a join with a subsearch would be good because of the 10,000-record limitation, and the map function takes forever just looking at 15 mins' worth of data. Any ideas or help is greatly appreciated!
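An added example, not code from the post, showing the correlation as a single chronological pass rather than a join: sort the events by time, remember the most recent time each IP was a destination, and flag any event whose source was a destination within the window. Memory is bounded by the number of distinct destinations, not by the event count, which is what makes it viable on IDS volumes. The event format (one line with an ISO timestamp, src= and dst=) and the sample lines are constructed assumptions; the mapping of the same idea onto an SPL streamstats search is my suggestion, not something from the post.

```python
import re
from datetime import datetime, timedelta

# Assumed, simplified event shape: "<ISO timestamp> src=<ip> dst=<ip>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)")


def parse(lines):
    """Parse lines into (timestamp, src, dst) tuples sorted by time.

    Lines that do not match are skipped. Sorting matters: the correlation
    below is one ordered pass, which is what keeps it linear instead of a
    join of every destination against every later source.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group("src"), m.group("dst")))
    events.sort()
    return events


def find_pivots(lines, window=timedelta(minutes=5)):
    """Report each IP that sends traffic within `window` of last being a destination.

    Returns a list of (ip, time_seen_as_dst, time_seen_as_src, new_dst).
    Only the most recent destination time per IP is kept, so memory is
    bounded by the number of distinct destinations.
    """
    last_dst = {}
    hits = []
    for ts, src, dst in parse(lines):
        seen = last_dst.get(src)
        if seen is not None and ts - seen <= window:
            hits.append((src, seen, ts, dst))
        # Record the destination after the check so an event whose src and
        # dst are the same host does not flag itself.
        last_dst[dst] = ts
    return hits


# Constructed sample, not real IDS output: 10.0.0.20 and 10.0.0.40 are hit
# and then start talking within 5 minutes; 10.0.0.30 waits 17 minutes.
SAMPLE_LINES = [
    "2021-12-14T08:50:19 src=10.0.0.5 dst=10.0.0.20",
    "2021-12-14T08:52:19 src=10.0.0.20 dst=10.0.0.30",
    "2021-12-14T09:10:00 src=10.0.0.30 dst=10.0.0.40",
    "2021-12-14T09:11:00 src=10.0.0.40 dst=10.0.0.5",
    "2021-12-14T09:11:30 src=10.0.0.99 dst=10.0.0.99",
    "not an event line",
]

if __name__ == "__main__":
    for ip, as_dst, as_src, new_dst in find_pivots(SAMPLE_LINES):
        print(f"{ip}: dst at {as_dst:%H:%M:%S}, src at {as_src:%H:%M:%S} -> {new_dst}")
```

The window is measured from the last time the IP was a destination, so a host that is hit repeatedly and then starts talking is judged against its most recent hit; if you want the first hit instead, keep the earliest time rather than overwriting it.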
I have some records that show interface utilization across multiple devices. I would like to add the utilization from two different devices so that two series are presented on my timechart: a summary of inbound utilization for devices A + B, and a summary of outbound utilization for devices A + B.

index=nnmperf "Interface Name"="Te0/1/0" "Node Name"="A" OR "Node Name"="B"
| rename "Utilization In" as In
| rename "Utilization Out" as Out
| eval In=In*100
| eval Out=Out*100
| timechart span=30m avg(In) avg(Out) by "Node Name"

I've tried to pipe the chart to addtotals, but I can't figure out how to split the total into two series, one for inbound and one for outbound. Could someone help me out? Thank you!
After timechart, can the columns be sorted in either ascending or descending order?
Hi Folks,

Getting an error while running the sc4s script # ./hwf-Splunk-Connect-for-Syslog.sh:

curl: (3) Bad URL, colon is first character
SC4S_ENV_CHECK_HEC: Invalid Splunk HEC URL, invalid token, or other HEC connectivity issue index=main. sourcetype=sc4s:fallback
Startup will continue to prevent data loss if this is a transient failure.
Hello all,

I'm having a time parsing issue that I don't know how to fix and am looking for some help. My inputs for the syslog look like this:

[monitor]
index = *
no_appending_timestamp = true
host_segment = 5
disabled = false

My props for this sourcetype are configured by a TA. But the problem I'm having in the logs came from changes in our syslog system. The new log looks like:

Dec 14 08:50:19 bxxm-itb.net.xxx.xxx 1,2021/12/14 08:50:18,

How do I configure props to tell Splunk to ignore the first timestamp, skip the host FQDN, and then parse the second time?
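An added example, not from the post or its TA: the regex that consumes the syslog header (month, day, time, relay FQDN and the leading "1,") so that timestamp parsing starts at the embedded date, paired with the strptime format that matches "2021/12/14 08:50:18". The same prefix expression and format string are the two pieces a TIME_PREFIX/TIME_FORMAT pair in props.conf would need; that mapping is an assumption here, since the poster's TA-managed props are not shown, and the sample line is constructed from the one in the post.

```python
import re
from datetime import datetime

# Everything up to the comma that precedes the embedded timestamp: syslog
# date and time, the relay host's FQDN, and the leading numeric field. This
# is the kind of expression that would go in props.conf TIME_PREFIX
# (assumed; the post's TA-managed props are not shown).
TIME_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+\d+,")

# strptime format for the embedded timestamp, e.g. 2021/12/14 08:50:18.
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"
TIMESTAMP_RE = re.compile(r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")


def event_time(line):
    """Return the timestamp embedded after the syslog header, or None.

    The syslog header timestamp is skipped on purpose: it is the relay's
    write time, not the time the original event happened. A line that does
    not carry the expected prefix or an embedded timestamp yields None so
    the caller can fall back (or alert) instead of silently using the wrong
    clock.
    """
    m = TIME_PREFIX.match(line)
    if m is None:
        return None
    m2 = TIMESTAMP_RE.match(line, m.end())
    if m2 is None:
        return None
    return datetime.strptime(m2.group(0), TIME_FORMAT)


# Constructed from the line in the post; the trailing fields are made up.
SAMPLE_LINE = "Dec 14 08:50:19 bxxm-itb.net.xxx.xxx 1,2021/12/14 08:50:18,some,payload"

if __name__ == "__main__":
    print(event_time(SAMPLE_LINE))
```

Note that the two timestamps in the sample line differ by one second, so a parser that latches onto the first one looks correct on a quick glance; checking the seconds field against the embedded value is the quickest way to confirm which clock was used.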
Hi,

Actually I made a lookup with a list of IP addresses in a .csv file. I want to write a query to see if there is traffic from the IP addresses I gave in the lookup. Please help me with the query. I have the Web datamodel as well.

Thanks & Regards,
Umesh Chandra Reddy
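An added example, not from the post, of the matching the lookup is meant to do: load a CSV of addresses and compare each event's source against it, treating a bare address as a /32 and a CIDR entry as a range. The caveat it illustrates is that a CSV lookup compares strings exactly by default, so a range in the file only matches when the lookup definition in transforms.conf sets match_type = CIDR(<field>); the lookup contents and web events below are constructed, and the poster's lookup definition is not shown.

```python
import csv
import io
import ipaddress

# Constructed lookup, not the poster's file: one plain host plus one CIDR
# range. In Splunk the range only matches if the lookup stanza sets
# match_type = CIDR(ip); a plain CSV lookup compares the string exactly.
LOOKUP_CSV = """ip,note
203.0.113.7,known scanner
198.51.100.0/24,partner range
"""

# Constructed web events (src -> dest), not real data.
SAMPLE_EVENTS = [
    {"src": "203.0.113.7", "dest": "10.0.0.8", "uri": "/login"},
    {"src": "198.51.100.44", "dest": "10.0.0.8", "uri": "/admin"},
    {"src": "192.0.2.1", "dest": "10.0.0.9", "uri": "/"},
    {"src": "not-an-ip", "dest": "10.0.0.9", "uri": "/"},
]


def load_lookup(text):
    """Parse the CSV into a list of (network, note); a bare IP becomes a /32."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(row["ip"].strip(), strict=False)
        entries.append((net, row["note"]))
    return entries


def match_traffic(events, lookup, field="src"):
    """Return the events whose `field` falls in any lookup entry, note attached.

    A malformed or missing address is skipped rather than raising, so one bad
    event does not abort the whole pass.
    """
    hits = []
    for ev in events:
        try:
            addr = ipaddress.ip_address(ev[field])
        except (KeyError, ValueError):
            continue
        for net, note in lookup:
            if addr in net:
                hits.append(dict(ev, note=note))
                break
    return hits


if __name__ == "__main__":
    for hit in match_traffic(SAMPLE_EVENTS, load_lookup(LOOKUP_CSV)):
        print(hit["src"], "->", hit["dest"], hit["uri"], "|", hit["note"])
```

If the lookup file is used as a blocklist, keep the field you match on consistent with what the data model actually populates (src for the client address in Web events); matching on the wrong side quietly returns nothing, which looks the same as "no traffic".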