Hi, this error message started popping up on Splunk Cloud. As you already know, in Splunk Cloud you do not have SSH access to Splunk's internal files (bin, etc.). Why is that, and how can I solve it?
e.g. query:

| makeresults
| eval application="FSD", val_1="A", val_2=4839, val_3=5000
| append [| makeresults | eval application="ABC", val_1="B", val_2=1000, val_3=3215]
| append [| makeresults | eval application="ABC", val_1="E", val_2=478, val_3=4328]
| table application val_1 val_2 val_3
| sort application

The above query produces the result table (Table) and the chart looks like this.

Question: instead of 2 stacked columns for ABC, I want 1 column (ABC) with 4 stacked values (1000, 3215, 478, 4328) and the FSD column with 2 stacked values as it is now. Please help.
Hello, I'm trying to filter Cisco logs so that all data shows up in its own folder in syslog-ng. However, only some of the data is showing up and most of it is going to the catchall directory. Cisco log messages start with a %. When adding the asterisk to the filter it seems to ignore it. Here is a piece of the filter I use in the syslog-ng.conf:

filter f_cisco_ios {
    message("%AUTHMGR") or message("%DOT1X") or message("%MAB") or message("%LINK")
    or message("%LINE") or message("%DUAL") or message("%ISDN") or message("%EPM")
    or message("%OSPF") or message("%AUTHPRIV") or message("%LINEPROTO*") or message("%LINK*")
};

I'm trying to get any messages with %LINK* to filter to the ciscoios folder, but it keeps sending them to the catchall directory. It seems like the syntax I am using is incorrect, or maybe there is a better way to filter this without using "message" with filter.
Hello, is it possible to create a request in which we ask for the top requested URL for each IP? Something like:

index="cisco" | foreach src_ip [stats count by cs_url_host]
I want to search for "index=*". What is the best way to run it? I tried to run "index=\*" but it's not working.
Hi all, I am using the below search to calculate the time difference between two events, i.e. 6006 and 6005. 6006 is event start time and 6006 is event stopped time. If we find the difference we will get to know the downtime of the system. This is what I have tried. For a few systems it is right and for a few it is wrong.

index="wineventlog" host IN (xxxx) EventCode=6006 OR EventCode="6005" Type=Information
| stats latest(_time) as StartUp by host
| join host [ search index="wineventlog" host IN (xxxx) | stats latest(_time) as Shutdown by host ]
| eval difference=StartUp-Shutdown
| eval humanTime = strftime(difference*86400)
| table host humanTime

Thanks in advance
Hello, I have my Docker container running with Node.js, and I was reading how to install the agent but am still lost. Can someone give me any tips about how to install the agent? Thanks.
I want to remove this clone option and the 3-dots option for normal users, i.e. for role = users.
Hi guys, I want to add an image in the background of a Splunk dashboard and I am trying with HTML code, but I am getting the below error while adding it in the source code. Please try to help. Below is the code I used:

<dashboard version="1.1">
  <label>VLS_Customer Dashboard</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |stats count by "DEPARTMENT CODE"</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |stats count by STATUS</query>
          <earliest>-30m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>|inputlookup Samplebanking1.csv |table "CUSTOMER ID" NAME COUNTRY STATUS LENDER BORROWER BENEFICIARY GUARANTOR "DEPARTMENT CODE" "EXPENSE CODE" "BRANCH CODE"</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |stats count by STATUS BORROWER LENDER GUARANTOR BENEFICIARY COUNTRY</query>
          <earliest>-30m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.overlayFields">STATUS</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |chart count over BORROWER by STATUS</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |chart count over BENEFICIARY by STATUS</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |chart count over LENDER by STATUS</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |chart count over GUARANTOR by STATUS</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <html>
    <head>
      <style>
        body { background-image: url('"C:\Users\narendra.jyeshta\Downloads\Splunk image.png"'); }
      </style>
    </head>
    <body>
      <h2>Background Image</h2>
      <p>By default, the background image will repeat itself if it is smaller than the element where it is specified, in this case the body element.</p>
    </body>
  </html>
</dashboard>
Hi, I have a requirement to fetch a value like asf55-hsgf-56bj4b-rdhh-5b4f. These values are sent from the applications in two different ways, like:

1) message: dhgfsjd{endbjjdfg, country=hongkong, server=gvfhsd, idVal=asf55-hsgf-56bj4b-rdhh-5b4f, error=gvrf hdfhdsf, errorCode=47574}

The other format is:

2) message: dhgfsjd{endbjjdfg, country=[hongkong], server=[gvfhsd], idVal=[asf55-hsgf-56bj4b-rdhh-5b4f], error=[gvrf hdfhdsf], errorCode=[47574]}

I was supposed to extract the idVal value so that it satisfies both cases above. I have tried the below rex command:

| rex field = message "(idVal={1}(?P<ppid>.+?,))"
| eval value =split(ppid,",")

output: asf55-hsgf-56bj4b-rdhh-5b4f

The above command is working fine for the first case alone, but we have logs with the second case and there it returns the output as [asf55-hsgf-56bj4b-rdhh-5b4f]
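One pattern that covers both message layouts described in the post, as an added example that is not from the post: it is checked here with Python's re module, and because Splunk's rex command also uses PCRE the same pattern string can be reused there. The sample messages are constructed from the two formats above.

```python
import re

# Added example, not from the original post: one PCRE-style pattern that pulls idVal
# out of both message layouts (bare value and value wrapped in square brackets).
# '\[?' consumes an optional opening bracket, the group stops at ',', ']' or '}',
# and '\]?' consumes the optional closing bracket so it never lands in the capture.
ID_PATTERN = re.compile(r"idVal=\[?(?P<ppid>[^\],}]+)\]?")

# Constructed sample messages in the two formats described in the post,
# plus one without an idVal at all (the rex would simply not produce a field).
SAMPLES = [
    "dhgfsjd{endbjjdfg, country=hongkong, server=gvfhsd, idVal=asf55-hsgf-56bj4b-rdhh-5b4f, error=gvrf hdfhdsf, errorCode=47574}",
    "dhgfsjd{endbjjdfg, country=[hongkong], server=[gvfhsd], idVal=[asf55-hsgf-56bj4b-rdhh-5b4f], error=[gvrf hdfhdsf], errorCode=[47574]}",
    "dhgfsjd{endbjjdfg, country=hongkong, server=gvfhsd, error=gvrf hdfhdsf, errorCode=47574}",
]


def extract_ppid(message: str):
    """Return the idVal value without brackets, or None when the field is absent."""
    m = ID_PATTERN.search(message)
    return m.group("ppid").strip() if m else None


def extract_all(messages):
    """Map each message to its extracted value; mirrors what rex does per event."""
    return [extract_ppid(msg) for msg in messages]


if __name__ == "__main__":
    for msg, ppid in zip(SAMPLES, extract_all(SAMPLES)):
        print(ppid, "<-", msg[:40] + "...")
```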
Hello everyone, I need help with regex. I have the search:

index=* | regex Commandline="my_regular_expression"

How can I add one more regular expression with an OR condition? Something like this:

| regex Commandline="my_regular_expression" OR | regex Commandline="my_regular_expression2"

Thank you
Hello, I am a bit confused as to how Splunk manages its indexes through AWS cloud services, and I am not sure whether the EBS and S3 services are interchangeable for this type of deployment. For example, is S3 only for archiving frozen buckets, or can it be used for hot/warm/cold buckets as well? Is there some documentation about best practices here? Compare and contrast? Thanks! Andrew
My indexer is totally full now and new items cannot be indexed. The previous settings also seem not to be working.

[root@splunk-masternode local]# cat indexes.conf
homePath.maxDataSizeMB = 80000

# Hot and Cold - External data sources
[volume:secondary]
path = /splunk/splunkdata
maxVolumeDataSizeMB = 1650000

I have tuned the maxDataSizeMB to 40000 instead and the maxVolumeDataSizeMB to 155000 instead and restarted, but it's not clearing off.

/dev/mapper/splunk_hotbucket-hotbucket 1.8T 1.7T 4.9G 100% /splunk/splunkdata

The 1.65T limit also seems not to be working, as it's now 1.7T. Does anybody have any advice? These are currently my 2 indexes.conf settings.

[root@splunk-masternode local]# cat indexes.conf
# VOLUME SETTINGS
# In this example, the volume spec here is set to the indexer-specific
# path for data storage. It satisfies the "volume:primary" tag used in
# the indexes.conf which is shared between SH and indexers.
# See also: org_all_indexes
# One Volume for Hot and Cold - Splunk default internal indexes
[volume:primary]
path = /splunk/splunkdata_internal
# Note: The *only* reason to use a volume is to set a cumulative size-based
# limit across several indexes stored on the same partition. There are *not*
# time-based volume limits.
# ~5 TB
maxVolumeDataSizeMB = 5120

# Hot and Cold - External data sources
[volume:secondary]
path = /splunk/splunkdata
maxVolumeDataSizeMB = 1550000

[volume:cold]
path = /splunk/splunkdata_cold

#[volume:frozen]
#path = /splunk/splunkdata_frozen

# This setting changes the storage location for _splunk_summaries,
# which should be utilized if you want to use the same partition
# as specified for volume settings. Otherwise defaults to $SPLUNK_DB.
#
# The size setting of the volume shown below would place a limit on the
# total size of data model acceleration (DMA) data. Doing so should be
# carefully considered as it may have a negative impact on applications
# like Enterprise Security.
# [volume:_splunk_summaries]
path = /splunk/splunkdata
# ~ 100GB
# maxVolumeDataSizeMB = 100000

homePath.maxDataSizeMB = 40000
Hi all, I have this short bash script, and I want to encrypt the admin and changeme credentials, because they are displayed in clear text.

#!/bin/bash
/opt/splunk/bin/splunk set minfreemb 1000 -auth admin:changeme
/opt/splunk/bin/splunk edit user test01 -force-change-pass true -auth admin:changeme

Is there any way to achieve this?
Hi, I was wondering what the target server connected with the Splunk server is that is getting the update alerts? It looks like it is not a private network, because I am still getting update alerts. Thanks in advance.
I have a health check file with the extension .log. When I uploaded it to Splunk, it came out like this. The real file is like this. Does anyone know what the problem is?
We are using Splunk version 6.2.4. Recently, I received a call saying that a vulnerability was also found in the 1.2.xx version of log4j. log4j-1.2.14.jar and log4j-1.2.15.jar files were found on Splunk. I want to know if those jar files are used and if they are vulnerable. Thank you.
Hello all. I was reading over the article at https://www.splunk.com/en_us/blog/security/log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued.html, specifically the New Outbound Traffic Detection with Baseline section. Can someone explain to me the purpose of the appendpipe's subsearch (I split it into parts, but it's actually one search) and how it works?

| tstats summariesonly=false allow_old_summaries=true
    earliest(_time) as earliest latest(_time) as latest
    values(All_Traffic.action) as action values(All_Traffic.app) as app
    values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port
    values(sourcetype) as sourcetype count
    from datamodel=Network_Traffic
    where (NOT (All_Traffic.dest_category="internal" OR All_Traffic.dest_ip=10.0.0.0/8 OR All_Traffic.dest_ip=172.16.0.0/12 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip=100.64.0.0/10))
    by All_Traffic.src_ip All_Traffic.dest_ip
| rename "All_Traffic.*" as *
| lookup egress_src_dest_tracker.csv dest_ip src_ip OUTPUT earliest AS previous_earliest latest AS previous_latest
| eval earliest=min(earliest, previous_earliest), latest=max(latest, previous_latest)
| fields - previous_*
| appendpipe [
    | fields src_ip dest_ip latest earliest
    | stats min(earliest) as earliest max(latest) as latest by src_ip, dest_ip
    | inputlookup append=t egress_src_dest_tracker.csv
    | stats min(earliest) as earliest max(latest) as latest by src_ip, dest_ip
    | outputlookup egress_src_dest_tracker.csv
    | where a=b ]
| eventstats max(latest) as maxlatest
| eval comparisonTime="-1h@h"
| eval isOutlier=if(earliest >= relative_time(maxlatest, comparisonTime), 1, 0)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(earliest),ctime(latest) ,ctime(maxlatest)
| where isOutlier=1

I am trying to understand what this appendpipe portion is doing. Here is my current thought process:
0) It would take the result from the previous set of commands.
1) Summarize: latest/earliest by src/dest.
2) Append the lookup.
3) Get the earliest/latest by src/dest again. (Would the result be the same if we skipped #1?)
4) Save the results.
5) What does this where clause mean? There is no a or b field that I can see.

Thanks!
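The data flow of that search, as an added plain-Python model that is not code from the post or from Splunk's blog: the appendpipe branch and the main branch are separate functions so each one's effect can be checked on constructed events and a constructed tracker file. Assumptions: sample IPs and epoch timestamps are made up, and relative_time's "-1h@h" is approximated with integer arithmetic.

```python
import ipaddress

# Added example (not from the post or from Splunk): a plain-Python model of the
# baseline search, with the appendpipe branch and the main branch as separate functions.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(events):
    """tstats stage: earliest/latest/count per (src_ip, dest_ip), external destinations only."""
    pairs = {}
    for src, dest, ts in events:
        if is_internal(dest):
            continue
        p = pairs.setdefault((src, dest), {"earliest": ts, "latest": ts, "count": 0})
        p["earliest"], p["latest"] = min(p["earliest"], ts), max(p["latest"], ts)
        p["count"] += 1
    return pairs


def merge_tracker(current, tracker):
    """appendpipe branch: fold this window's pairs into the saved baseline (the rows
    outputlookup writes back). The closing 'where a=b' compares two fields that do not
    exist, so the branch adds no rows to the main results; only the lookup file changes."""
    merged = {k: dict(v) for k, v in tracker.items()}
    for key, p in current.items():
        m = merged.setdefault(key, {"earliest": p["earliest"], "latest": p["latest"]})
        m["earliest"], m["latest"] = min(m["earliest"], p["earliest"]), max(m["latest"], p["latest"])
    return merged


def relative_time_minus_1h_snapped(ts):
    """relative_time(ts, "-1h@h"): one hour back, then snap down to the hour boundary."""
    return ((ts - 3600) // 3600) * 3600


def find_outliers(current, tracker):
    """Main branch: extend each pair with the baseline's previous earliest/latest, then
    flag pairs whose first contact falls in the hour before the newest traffic (maxlatest)."""
    rows = {}
    for key, p in current.items():
        prev = tracker.get(key, p)
        rows[key] = {"earliest": min(p["earliest"], prev["earliest"]),
                     "latest": max(p["latest"], prev["latest"])}
    if not rows:
        return []
    threshold = relative_time_minus_1h_snapped(max(r["latest"] for r in rows.values()))
    return sorted(k for k, r in rows.items() if r["earliest"] >= threshold)


# Constructed sample data (epoch seconds); T0 is an arbitrary reference time.
T0 = 1_700_000_000
SAMPLE_EVENTS = [
    ("10.1.1.5", "203.0.113.10", T0 - 7200),
    ("10.1.1.5", "203.0.113.10", T0 - 1800),
    ("10.1.1.7", "198.51.100.22", T0 - 1200),  # never in the tracker: should be flagged
    ("10.1.1.7", "192.168.5.5", T0 - 600),     # internal destination: excluded by the where clause
]
SAMPLE_TRACKER = {("10.1.1.5", "203.0.113.10"): {"earliest": T0 - 5 * 86400, "latest": T0 - 86400}}

if __name__ == "__main__":
    current = summarize(SAMPLE_EVENTS)
    print("new outbound pairs:", find_outliers(current, SAMPLE_TRACKER))
    print("updated tracker:", merge_tracker(current, SAMPLE_TRACKER))
```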
index="my_index"
| eval check=if(html_code==200,"error","OK")
| stats count values(clientip) as src_ip by ip , check
| table src_ip , ip, check , count
| collect index=error_ip_count

I'm going to call up "error_ip_count" after using that command. I used index=error_ip_count, but I couldn't call it up. Is there a wrong way to use it?
I'm trying to disable the y-axis using the same option as in a line chart, but with the outlier graph it cannot hide the y-axis. Is there any method to disable this y-axis?

<panel>
  <viz type="Splunk_ML_Toolkit.OutliersViz">
    <title>abc</title>
    <search>
      <query>index="abc" data_type="real_data" label=abc=$os$ | lookup outlier_value.csv label, operating_system OUTPUTNEW upper_bound lower_bound | eval rndoff_avg_rt = round(avg_rt,2) | rename rndoff_avg_rt as t | table _time t lower_bound upper_bound</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="drilldown">none</option>
    <option name="charting.axisLabelsY.majorLabelVisibility">hide</option>
    <option name="height">500</option>
    <option name="refresh.display">progressbar</option>
  </viz>
</panel>

Thanks