Basically the chart is showing blue & green lines, but user needs more distinguishing color. Like Red & Blue.  
In Splunk dashboards we want to extract fields from the _raw field. We achieved it with the extract pairdelim="{,}" kvdelim=":" command and displayed the fields using the table command. Now we see that events with more than 50k characters are skipped in the dashboard. Such events are split into 3 or more rows in the Splunk logs view. How do we handle such events in the dashboard? If the _raw field can be truncated, then which field should be referred to for the original message?
Hello guys, rb_ are replicated buckets of db_ - impacted by replication factor. However how to identify search factor footprint (specific index or bucket name?) on indexers? Thanks.  
Hi, I have this log format in our environment:

2021-12-03 03:28:04.296, EVENT_TIMESTAMP="2021-12-03 03:26:38.039962 Asia/Shanghai", ACTION_NAME="LOGON", AUDIT_TYPE="Standard", RETURN_CODE="1", AUTHENTICATION_TYPE="(TYPE=(*));(CLIENT ADDRESS=((ADDRESS=(PROTOCOL=*)(HOST=1.1.1.1)(PORT=222))));", CURRENT_USER="my_own_user", DBID="0001111222", DBUSERNAME="my_own_user", INSTANCE_ID="1", OS_PROCESS="12000111", OS_USERNAME="ec2-user", SCN="900000000", SESSIONID="100000000", SYSTEM_PRIVILEGE_USED="CREATE SESSION", TERMINAL="unknown", UNIFIED_AUDIT_POLICIES="unknown", USERHOST="ec2-user", TS="2021-12-03 03:26:38"

But it is missing the date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year and date_zone fields. This is the props.conf:

[audit_sample]
ANNOTATE_PUNCT = false
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 32
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TRUNCATE = 2000

I have read https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/Usedefaultfields and it says that the date_* fields are only available if the timestamp is properly extracted. Which in my case is fine, because it has the _time field, and when I compare _time to the actual logs they are similar, and my props configuration is working properly. What might be the reason why I'm missing those fields? It is not window_event_logs.
I am following the article https://www.splunk.com/en_us/blog/it/splunking-aws-ecs-part-2-sending-ecs-logs-to-splunk.html to enable Splunk logging for ECS EC2 running a demo ASP.NET dotnet 5.0 weatherforecast webapi image. No logs appear in the Splunk Cloud trial version. When I look at the logs of the splunk/fluentd-hec:1.2.0 container I see the error:

failed to flush the buffer. retry_time=2 next_retry_seconds=2021-12-03 08:25:21 +0000 chunk="5d239a1fb8d1cc285dc139c24de689c5" error_class=SocketError error="Failed to open TCP connection to https:443 (getaddrinfo: Name or service not known)"
during login it shows login failed
Hello everyone, I have the following question. In my environment I have 3 different UFs where a scripted input is working with the original server name to extract some data. This script is inside one app I deployed to the UFs, so there is only one inputs.conf working. What I need to do is to rename the host name. I know that I can do something with transforms.conf and props.conf, but I don't know how to do this. Example:

Original Hostname -> Needed Hostname
slc4E45 -> EMP
slc4P49 -> PMP
slc4L47 -> LMP

Maybe something like this inside transforms.conf:

host = eval(case(host=slc4E45, EMP, host=slc4P49, PMP, host=slc4L47, LMP))

Thank you for your help.
Hi, We noticed that spaces in license pool names are not escaped for some monitoring console license searches (historic data). For a pool name like "My Pool", a license monitoring search will try:

search (index=_internal host=myserver source=*license_usage.log* type="RolloverSummary" earliest=-30d@d pool=My Pool) | eval _time=('_time' - 43200) | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=false | join type=outer _time [| search (index=_internal host=myserver source=*license_usage.log* type="RolloverSummary" earliest=-30d@d pool=My Pool) | eval _time=('_time' - 43200) | bin _time span=1d | stats latest(poolsz) AS "pool size" by _time] | fields - _timediff | foreach "*" [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3) ]

which produces no results because the $pool_clause$ values are not in double quotes (pool="My Pool") and the whitespace is not escaped (pool=My\ Pool). Can we modify this behavior somewhere?
Below is the part of the log from which I need to extract data into tabular format in a Splunk dashboard.

Payload:{\"comments\":[{\"isActive\":true,\"sendToGSR\":false,\"confidential\":false,\"profileId\":197229,\"profileCode\":null,\"commentId\":null,\"commentText\":\"Value card from package was successfully issued but no Guest email was provided, please resend - N/A, Package code - PC0J0 , For amount - $476.0\",\"commentType\":null,\"commentLevelEnum\":\"TC\",\"externalReferences\":[{\"referenceType\":\"TC\",\"referenceValue\":1843667077}],\"auditDetails\":null}]}

Expected output:

Package Status: Value card from package was successfully issued but no Guest email was provided
Please Resend: N/A
Package code: PC0J0
For amount: $476.0
Reference Value: 1843667077

My Splunk query: I tried for 2 columns; it's displaying rows but not able to load data into the table.

index=*wdpr_syw* source="*stage*" "reservation-fulfillment" "comments*" "package" "POST" Logger="com.disney.service.ioc.rest.OutboundRestRequestInterceptor" "Payload*" "externalReferences*" "referenceValue*" | rex field=_raw "commentText*: (?<PackageStatus>.*?\d+)," | rex field=_raw "referenceValue*:(?<referenceValue>.*?\d+),"| table PackageStatus,referenceValue
Hello, How would I check the access role for indexes from web console layer? Any help will be highly appreciated. Thank you.
I want to configure CRC salt but I am not quite sure how to write it in inputs.conf. The directory on Splunk is like this: /home/csaops/csasec/NFV/KPG_MIO_HC_Logs_2021-11-10-10.txt. How do I configure this?
I have a dashboard using Simple XML. The dashboard has 5 rows, each row of which contains 2 panels. The first panel is a small table and the second panel is a timechart. I would like the small table to be 20% of the width, and the timechart to be 80% of the width. I've tried to create a JavaScript file so that the dashboard will run the JavaScript automatically. The JavaScript only works for the first 2 rows. Here's the js file. Any help appreciated.

require(['jquery', 'splunkjs/mvc/simplexml/ready!'], function($) {
    // Grab the DOM for the panel dashboard row
    var panelRow = $('.dashboard-row').first();
    // Get the dashboard cells (which are the parent elements of the actual panels and define the panel size)
    var panelCells = $(panelRow).children('.dashboard-cell');
    // Adjust the cells' width
    $(panelCells[0]).css('width', '20%');
    $(panelCells[1]).css('width', '80%');

    panelRow = $('.dashboard-row').next();
    panelCells = $(panelRow).children('.dashboard-cell');
    $(panelCells[0]).css('width', '20%');
    $(panelCells[1]).css('width', '80%');

    panelRow = $('.dashboard-row').next();
    panelCells = $(panelRow).children('.dashboard-cell');
    $(panelCells[2]).css('width', '20%');
    $(panelCells[3]).css('width', '80%');

    $(window).trigger('resize');
});
Hi, I want to find all the dashboards that could potentially use a base search to save computing resources. As you know, we can use a base search and populate the panels from that base search. I want to find a way to automatically check all the dashboards and see if their panels are using duplicate searches, so that I can guide users to implement base searches. Thanks in advance!
How can I just keep the account name? I tried with replace, but that didn't work the way I want. Here is the search that I am using:

| makeresults
| eval Member=" CN=Domain Admins,OU=Users,DC=Lab,DC=com CN=Account Report,OU=Users,DC=Lab,DC=com CN=Report,OU=Users,DC=Lab,DC=com CN=HelpDesk,OU=Users,DC=Lab,DC=com "
| eval change=replace(Member,"CN=","")
| table Member,change

My goal is to keep the name of the account only, to be like:

Domain Admins
Account Report
Report
HelpDesk

Thanks in advance,
I have a dashboard which should show buckets with the number of machines by span of time.

Machines A to F were used for 2 mins
Machines D-T were used for 2 hrs
Machines S-Z were used for more than 4 hrs

So my graph should show the buckets with a standard set of time ranges.

X-Axis: <5 mins, 5-30 mins, 30 mins - 2 hrs, 2-4 hrs, > 4 hrs
Y-Axis: No. of machines logged on for <2 mins, No. of machines logged on for 5-30 mins, and so on.

Logon Time | Logoff Time | MachineName | SessionTimeinMins
12/1/2021 19:33 | 12/1/2021 19:36 | A | 3
12/1/2021 16:46 | 12/1/2021 17:04 | B | 18
12/1/2021 15:35 | 12/1/2021 15:38 | C | 3
12/1/2021 11:35 | 12/1/2021 11:38 | D | 120
12/1/2021 16:35 | 12/1/2021 21:35 | E | 300

Base Search | bucket SessionTimeinMins span=20 | chart count(MachineName) by sessionSpan

But this does not help in achieving what I wanted. Any help is much appreciated. How do I set my X-Axis to show standard buckets like <2 min, 30-1h and bring the count into these buckets?

Thanks
Hello, I have a need to run a search for MAC OUI matches against a .csv file containing 1000+ MAC OUIs. Can anyone provide an example, as I have not had any luck building a search using inputlookup that works? Thank you! Splunkster21
Hi, Does a dashboard with a setting to refresh every 2 mins mean there will be a new search launched every 2 mins? Isn't that a resource consumption issue, especially when all the users keep setting their dashboards to refresh without any legitimate reason? How can I search all the dashboards which are using this setting, so that I can chase those users to remove the refresh setting if it is not really needed?
I need to extract the contents of the message field, but the first strings must be ignored; I need to get the text after the stdout field. Any ideas how to do this? Examples:

message: 2021-12-02T20:06:11.541111542Z stdout F 2021-12-02 17:06:11,540 Completed 200 OK
message: 2021-12-02T20:06:11.540863953Z stdout F contract: txt (truncated)...]
message: 2021-12-02T20:06:11.540857713Z stdout F clientDocument: txt
I have an alert set up to run every hour to look for any latency of 45 minutes. If over that, send a "Please Investigate" message.

Index=... | stats count max(_time) as lastTime by host | eval now=now() | eval timedelta=round((now-lastTime)/60/60,2) | eval timedelta=if(timedelta > .75,"Please Investigate", timedelta) | convert ctime(lastTime) ctime(now) | sort - timedelta

The problem is that I get this alert email even when the latency is 0.00. What I really need is for the alert to trigger and run when it sees the phrase "Please Investigate". I have been unsuccessful in setting this up in the Splunk Alert GUI as a trigger.
Hello, I am trying to export the results from an API search. Currently I am using the curl command:

curl -k -u user:pass https://hostname:8089/services/search/jobs/export?search=$NewQ -o Output-file.csv

I can see that the search completed in the Splunk web client but am not able to find the output CSV file that should result from this command. I have checked the $SPLUNK_HOME/var/run/splunk/csv folder after each attempt at using this command and there has never been a file created there (which to my understanding is where this file is supposed to be created). Any help is greatly appreciated, thank you.