In splunk dashboards we want to extract fields from _raw field, we achieved it by extract pairdelim="{,}" kvdelim=":" command and displayed the fields using table command. Now we see events with more than 50k characters are skipped in the dashboard. Such events are split into 3 or more rows in the splunk logs view. How to handle such events in the dashboard? If _raw field can be truncated then which field should be referred to for the original message.
Hello guys, rb_ are replicated buckets of db_ - impacted by replication factor. However, how to identify search factor footprint (specific index or bucket name?) on indexers? Thanks.
Hi, I have this log format on our environment:

2021-12-03 03:28:04.296, EVENT_TIMESTAMP="2021-12-03 03:26:38.039962 Asia/Shanghai", ACTION_NAME="LOGON", AUDIT_TYPE="Standard", RETURN_CODE="1", AUTHENTICATION_TYPE="(TYPE=(*));(CLIENT ADDRESS=((ADDRESS=(PROTOCOL=*)(HOST=1.1.1.1)(PORT=222))));", CURRENT_USER="my_own_user", DBID="0001111222", DBUSERNAME="my_own_user", INSTANCE_ID="1", OS_PROCESS="12000111", OS_USERNAME="ec2-user", SCN="900000000", SESSIONID="100000000", SYSTEM_PRIVILEGE_USED="CREATE SESSION", TERMINAL="unknown", UNIFIED_AUDIT_POLICIES="unknown", USERHOST="ec2-user", TS="2021-12-03 03:26:38"

But it is missing the date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone fields. This is the props.conf:

[audit_sample]
ANNOTATE_PUNCT = false
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 32
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TRUNCATE = 2000

I have read https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/Usedefaultfields and it says that the date_* fields are only available if the timestamp is properly extracted. Which in my case is fine, because it has the _time field and when I compare the _time to the actual logs they are similar, and my props configuration is properly working. What might be the reason why I'm missing those fields? It is not window_event_logs.
I am following the article https://www.splunk.com/en_us/blog/it/splunking-aws-ecs-part-2-sending-ecs-logs-to-splunk.html to enable splunk logging for ECS EC2 running a demo ASP.NET dotnet 5.0 weatherforecast webapi image. No logs appear in Splunk Cloud Trial version. When I look at the logs of the splunk/fluentd-hec:1.2.0 container I see the error:

failed to flush the buffer. retry_time=2 next_retry_seconds=2021-12-03 08:25:21 +0000 chunk="5d239a1fb8d1cc285dc139c24de689c5" error_class=SocketError error="Failed to open TCP connection to https:443 (getaddrinfo: Name or service not known)"
During login it shows "login failed".
Hello everyone, I have the following question. In my environment I have 3 different UF where a scripted input is working with the original servername to extract some data. This script is inside one app I deployed to the UF, so there is only one inputs.conf working. What I need to do is to rename the host name. I know that I can do something with the transforms.conf and props.conf, but I don't know how to do this. Example:

Original Hostname | Needed Hostname
slc4E45 | EMP
slc4P49 | PMP
slc4L47 | LMP

Maybe something like host = eval(case(host=slc4E45, EMP, host=slc4P49, PMP, host=slc4L47, LMP)) inside the transforms.conf. Thank you for your help.
Hi, we noticed that spaces in license pool names are not escaped for some monitoring console license searches (historic data). For a pool name like "My Pool", a license monitoring search will try:

search (index=_internal host=myserver source=*license_usage.log* type="RolloverSummary" earliest=-30d@d pool=My Pool) | eval _time=('_time' - 43200) | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [| search (index=_internal host=myserver source=*license_usage.log* type="RolloverSummary" earliest=-30d@d pool=My Pool) | eval _time=('_time' - 43200) | bin _time span=1d | stats latest(poolsz) AS "pool size" by _time] | fields - _timediff | foreach "*" [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3) ]

which produces no results because $pool_clause$ values are not in double quotes (pool="My Pool") or whitespace is not escaped (pool=My\ Pool). Can we modify this behavior somewhere?
Below is the part of the log from which I need to extract data into tabular format in a splunk dashboard.

Payload:{\"comments\":[{\"isActive\":true,\"sendToGSR\":false,\"confidential\":false,\"profileId\":197229,\"profileCode\":null,\"commentId\":null,\"commentText\" "Value card from package was successfully issued but no Guest email was provided, please resend - N/A, Package code - PC0J0 , For amount - $476.0\",\"commentType\":null,\"commentLevelEnum\" "TC\",\"externalReferences\":[{\"referenceType\" "TC\",\"referenceValue\":1843667077}],\"auditDetails\":null}]}

Expected output:

Package Status | Please Resend | Package code | For amount | Reference Value
Value card from package was successfully issued but no Guest email was provided | N/A | PC0J0 | $476.0 | 1843667077

My splunk query: I tried for 2 columns, it's displaying rows but not able to load data into the table.

index=*wdpr_syw* source="*stage*" "reservation-fulfillment" "comments*" "package" "POST" Logger="com.disney.service.ioc.rest.OutboundRestRequestInterceptor" "Payload*" "externalReferences*" "referenceValue*" | rex field=_raw "commentText*: (?<PackageStatus>.*?\d+)," | rex field=_raw "referenceValue*:(?<referenceValue>.*?\d+),"| table PackageStatus,referenceValue
Hello, How would I check the access role for indexes from web console layer? Any help will be highly appreciated. Thank you.
I want to configure CRC Salt but I am quite not sure how to write it in inputs.conf. The directory on splunk is like this: /home/csaops/csasec/NFV/KPG_MIO_HC_Logs_2021-11-10-10.txt How do I configure this configuration?
I have a dashboard using simple xml. The dashboard has 5 rows, each row of which contains 2 panels. The first panel is a small table and the second panel is a timechart. I would like the small table to be 20% of the width, and the timechart to be 80% of the width. I've tried to create a JavaScript file so that the dashboard will run the JavaScript automatically. The JavaScript only works for the first 2 rows. Here's the js file. Any help appreciated.

require(['jquery', 'splunkjs/mvc/simplexml/ready!'], function($) {
    // Grab the DOM for the panel dashboard row
    var panelRow = $('.dashboard-row').first();
    // Get the dashboard cells (which are the parent elements of the actual panels and define the panel size)
    var panelCells = $(panelRow).children('.dashboard-cell');
    // Adjust the cells' width
    $(panelCells[0]).css('width', '20%');
    $(panelCells[1]).css('width', '80%');

    panelRow = $('.dashboard-row').next();
    panelCells = $(panelRow).children('.dashboard-cell');
    $(panelCells[0]).css('width', '20%');
    $(panelCells[1]).css('width', '80%');

    panelRow = $('.dashboard-row').next();
    panelCells = $(panelRow).children('.dashboard-cell');
    $(panelCells[2]).css('width', '20%');
    $(panelCells[3]).css('width', '80%');

    $(window).trigger('resize');
});
Hi, I want to find all the dashboards that can potentially use a base search to save computing resources. As you know we can use a base search and populate the panels using that base search. I want to find a way where I can automatically check all the dashboards and see if their panels are using duplicate searches so that I can guide users to implement base searches. Thanks in advance!
How can I just keep the account name? I tried with replace, but that didn't work the way I want. Here is the search that I am using:

| makeresults
| eval Member=" CN=Domain Admins,OU=Users,DC=Lab,DC=com CN=Account Report,OU=Users,DC=Lab,DC=com CN=Report,OU=Users,DC=Lab,DC=com CN=HelpDesk,OU=Users,DC=Lab,DC=com "
| eval change=replace(Member,"CN=","")
| table Member,change

My goal is to keep the name of the account only, to be like:

Domain Admins
Account Report
Report
HelpDesk

Thanks in advance,
I have a dashboard which should show buckets with number of machines by span of time.

Machine A to F is used for 2 mins
Machines D-T were used for 2hrs
Machines S-Z were used for more than 4hrs

So my graph should show the buckets with time range as a standard set.

X-Axis: <5 mins, 5-30mins, 30min - 2hrs, 2-4hrs, > 4hrs
Y-Axis: No of machines logged on for <2mins, No of machines logged on for 5-30mins, and so on.

Logon Time | Logoff Time | MachineName | SessionTimeinMins
12/1/2021 19:33 | 12/1/2021 19:36 | A | 3
12/1/2021 16:46 | 12/1/2021 17:04 | B | 18
12/1/2021 15:35 | 12/1/2021 15:38 | C | 3
12/1/2021 11:35 | 12/1/2021 11:38 | D | 120
12/1/2021 16:35 | 12/1/2021 21:35 | E | 300

Base Search | bucket SessionTimeinMins span=20 | chart count(MachineName) by sessionSpan

But this does not help in achieving what I wanted. Any help is much appreciated. How do I set my X-Axis to show standard buckets like <2min, 30-1h and bring the count into this bucket?

Thanks
Hello, I have a need to run a search for MAC OUI matches against a .csv file containing 1000+ MAC OUIs. Can anyone provide an example, as I have not had any luck building a search using inputlookup that works? Thank you! Splunkster21
Hi, does a dashboard with a setting to refresh every 2 mins mean there will be a new search launched every 2 mins? Isn't it a resource consumption, especially when all the users keep on setting their dashboards to refresh without any legit reason? How can I search all the dashboards which are using this setting so that I can chase those users to remove the refresh setting if not really needed?
I need to extract the contents of the message field, but the first strings must be ignored; I need to get from the stdout field. Any ideas how to do this? Examples:

message: 2021-12-02T20:06:11.541111542Z stdout F 2021-12-02 17:06:11,540 Completed 200 OK
message: 2021-12-02T20:06:11.540863953Z stdout F contract: txt (truncated)...]
message: 2021-12-02T20:06:11.540857713Z stdout F clientDocument: txt
I have an alert set up to run every hour to look for any latency of 45 minutes. If over that, send a "Please Investigate" message.

Index=...
| stats count max(_time) as lastTime by host
| eval now=now()
| eval timedelta=round((now-lastTime)/60/60,2)
| eval timedelta=if(timedelta > .75,"Please Investigate", timedelta)
| convert ctime(lastTime) ctime(now)
| sort - timedelta

The problem is that I get this alert email even when the latency is 0.00. What I really need is for the alert to trigger and run when it sees the phrase "Please Investigate". I have been unsuccessful in setting this up in the Splunk Alert GUI as a trigger.
Hello, I am trying to export the results from an API search. Currently I am using the curl command:

curl -k -u user:pass https://hostname:8089/services/search/jobs/export?search=$NewQ -o Output-file.csv

I can see that the search completed in the splunk webclient but am not able to find the output csv file that should result from this command. I have checked the $SPLUNK_HOME/var/run/splunk/csv folder after each attempt at using this command and there has never been a file created there (which to my understanding is where this file is supposed to be created). Any help is greatly appreciated, thank you.
Hello, how would I implement inline or "Uses Transform" field extraction (please see screenshot below) for the following event (please see sample event below)? Any help will be highly appreciated, thank you so much.

[Screenshot: inline field extraction option]

One Sample Event:

{"log":"\u001b[0m\u001b[0m05:14:09,516 INFO  [stdout] (default task-4193) 2021-12-02 05:14:09,516 INFO  [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n","stream":"stdout","time":"2021-12-02T05:14:09.517228451Z"}