Hello, I want a placeholder in the input text box of a Splunk dashboard, like the attached image. Could anyone help me out with this requirement? Thanks in advance.
We have a saved search in a search head cluster which returns its results in a KV-Store lookup using append=true. Although the searches run successfully, the results were not stored in the KV-Store for a few executions. Unfortunately, we were not able to locate the issue in the mongod.log or splunkd.log. Any ideas are appreciated.
We save hash values from our IDs and I want to search for them. I would have expected I can do it this way:
index=blub id=sha1("11122233")
But unfortunately it doesn't work. Other attempts also failed (for example, to eval it first in a new variable). If I just use the sha1 it returns the correct value, but somehow it doesn't work in the search. Can anybody help here or has a suggestion?
I need to extract only the number, i.e. 23, from: DiskDrive: \\.\PHYSICALDRIVE23
I used this URL with my hostname and am getting an error:
service:jmx:iiop://testsplunk/jndi/corbaname:iiop:testsplunk:9100/WsnAdminNameService#JMXConnector
I also tried through the SOAP port and PID too, and I am getting the same error. Any help?
I have a table that has batch ID, start & end time of each batch. How can I get the duration, i.e. runtime, of each batch? When I am running this query, the duration field is coming back blank.
index="bodata" | where BEX_TSP_START!="NULL" AND BEX_TSP_END!="NULL" | where BEX_DTE_BSNS=="09-12-2021" | eval Duration=strptime(BEX_TSP_END,"%H:%M.%S")-strptime(BEX_TSP_START,"%H:%M.%S") | table BEX_NUM_JOB,Duration
Please help.
My deployment consists of 2 servers to collect syslog sources. On each server an rsyslog daemon is installed that receives messages over UDP and spools them into log files. These files are monitored by a universal forwarder which sends the messages to indexers. This deployment is a good practice for indexing syslog data. An F5 LB is installed on the front end and routes the flows to both servers. I wanted to set up a mechanism that would allow me to manually add or remove a universal forwarder from the member pool when it is under maintenance or restarted, for example. For a search head cluster it is possible by configuring a custom endpoint like the suggested solution https://community.splunk.com/t5/Monitoring-Splunk/F5-Load-balancer-Pool-member-health-monitor/m-p/459497 but it is not possible with a universal forwarder by design (the Python library is not embedded) for security reasons. So my question is: how do I manually disable a universal forwarder so that the server does not receive any more data from the LB?
You all are 0/4 on handling my bug reports. If even this doesn't get fixed, this will be the last time I will report a bug this way. The context menu to go to the dashboard goes away when you try to move your mouse over it. Here is a video of the issue: https://cdn.discordapp.com/attachments/919882621503275078/919884566871810099/splunk.m4v
Hello. I'm trying to run a report that'll show me multiple authentication failures within a certain time frame. For example, 10 authentication failures within the space of 1 minute. I'm trying to get the visualization right, to show me a table view per user that has failed 10 times within the space of a minute. I'm also trying to get it to show day/time stamps too. Does anyone know how to do this? Thank you.
Hi, I got an error message like this and I am not able to generate event samples. Can anyone help me solve this?
Unable to initialize modular input "eventgen_modinput" defined in the app "datagen": Introspecting scheme=eventgen_modinput: script running failed (exited with code 1)..
Hi, I have two tables. The first table contains 13 columns, and from the second table I need to add only one column to table 1. I am getting the data from a database; can you please help me out? The query below is used to get the first table's data:
| dbxquery query="SELECT BEX_DTE_BSNS, BEX_NUM_COMPL, BEX_NUM_COMPL_TYPE, BEX_TSP_END, BEX_CNT_EXEC, BEX_NUM_GROUP, BEX_NUM_JOB, BEX_NME_NET, BEX_NUM_RESTART, BEX_TSP_START, BEX_NME_BPR, BEX_NME_LOCATION, BEX_IND_SKIPPED FROM \"LoanIQDB\".\"LS2USER\".\"VLS_BATCH_EXEC\"" connection="loaniq_10_10_2_10"
The query below is used to get that particular column from the 2nd table:
| dbxquery query="SELECT BNT_DSC_JOB FROM \"LoanIQDB\".\"LS2USER\".\"VLS_BATCH_NET\"" connection="loaniq_10_10_2_10"
I have the following data in the table. I need to get the duration of the batch running time; I have the start & end time of each date. I need to calculate Batch_End-Batch_Start. Normal eval is not giving me any output. Hence I was thinking of converting the timestamps to epoch and then doing eval Duration=(End_epoc-Start_epoc). For this I need to convert a timestamp like 2021-12-09 11:46:50.000069 to epoch time. Please help.
I'm not sure what the purpose of this question is. My license page shows as below: is it 5 or 1?
The deployment server is not downloading apps and is getting the below error.
12-13-2021 08:38:53.140 +0300 WARN ClientSessionsManager - ip=x.x.x.x name=xxxxxx Updating record for sc=xxxxxx app=xxxxxx : action=Download result=Fail checksum=xxxxxxxxxxx
Hi, we have upgraded our Splunk core version to 8.2.2, which is compatible with Python 3. Post the upgrade, data has stopped coming from the Log Analytics add-on. Can someone please check?
Hi, we have MCAS integrated with Splunk. MCAS logs are ingested into Splunk. If we need to ingest Salesforce logs that are within MCAS into Splunk, does the MCAS team need to do any setting from their end? Or do we have any Splunk add-on to ingest Salesforce logs that are inside MCAS?
Hi Team, I am trying to find out about the recent CVE-2021-44228 (Log4j). I tried "index=aws *log4j*", but I'm not sure how to find it and create an alert based on this vulnerability. Can anyone help me with the correct search and explain how to create an alert based on this vulnerability? Thanks.
Hi there, I've got a basic search to provide the most recent timestamp for a successful backup using wineventlog data:
index="wineventlog" source="WinEventLog:Application" SourceName="Symantec System Recovery" host=*grp* | search Message=*6C8F1F7E* OR Message=*6C8F1F7D* OR Message=*6C8F1F7A* | dedup host | table host, _time
However, I'm really struggling to come up with a search that shows me all the *grp* hosts, whether they have the successful backup strings in the Message field (*6C8F1F7E* or *6C8F1F7D* or *6C8F1F7A*) or not. My closest attempt seems to be this:
index="wineventlog" source="WinEventLog:Application" SourceName="Symantec System Recovery" host=*pgrp* | eval success = case(Message like "%6C8F1F7E%",1,Message like "%6C8F1F7D%",1,Message like "%6C8F1F7A%",1,Message like "%",0) | stats sum(success) as Successes by host | where Successes < 1
My hope is for a table with the following columns:
- Host
- Last successful backup date/time, or "N/A" if there was no successful backup in the selected time range
- Days since last backup
Any help or advice would be greatly appreciated! Cheers
Hello fellow Splunkers, I'm trying to connect a new DB input, but I'm facing a small problem. I've configured a rising column (time) and run my query from the "create new input" screen to make sure that I get no SQL errors (which I don't) and that I'm getting the data I wanted (which I do), but for some reason Splunk won't let me continue with the creation of the input. The final part of my query looks like this: "WHERE time>? AND field1='1' ORDER BY time ASC" When trying to create this input, Splunk shows an error saying that my query doesn't accept a checkpoint. My guess is that the "AND" messes up the expected syntax. Does anyone have an idea how to work around the problem? Thanks
Hello Splunkers, how do I write a stanza to monitor 2 services? If I am using this stanza, it gives data for 100+ services, but I need only 2 or 3 services.
[WinHostMon://Service]
type = service
interval = 300
disabled = 0
index = myindex