All Topics
Hello community, I apologize in advance: my English is bad, so Google Translate is my friend. My business is starting out on Splunk Enterprise and I am having a problem with a search that is probably simple but has blocked me for a few days. Let me explain the context. One of our tools sends supervision alerts to Enterprise with a code for its status (0: OK, 1: Warning, 2: Critical and 3: Unknown). My goal is to send these alerts to Splunk OnCall so that they are shared with the other tools connected to OnCall. Sending to OnCall is no problem, but I am stuck on the return to OK of my alerts. Here is the query that currently sends the alerts:

index=events_hp (state=2 OR state=3)
| fields hostname service_description output

However, when an alert returns to OK, I cannot send the info to OnCall to close the alert there. I should be able to tell my search to also include state OK (state=0), but only when the previous state was 2 or 3. Basically, I should be able to send an alert when the state is OK (1) but only if, before this OK, it was in 2 or 3. Do you have any idea how I could do this? Regards, Rajaion
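The transition logic the post asks for, as an added example that is not part of the original post and not Splunk's own code. It keeps an "open alert" flag per host/service rather than only looking at the immediately previous event, so a 2 -> 1 -> 0 sequence still produces the close (the strictly-previous-state variant, as an SPL `streamstats` search, is given in the comments). The field names hostname, service_description, state and output are the ones the post uses; the `_time` values, the sample events and the added `action` field are assumptions.

```python
"""Emit an OnCall-style message only on state transitions.

trigger : state goes to 2 (Critical) or 3 (Unknown)
resolve : state returns to 0 (OK) while a trigger is still open for that
          host/service
Nothing is sent for 1 (Warning) or for an OK with nothing open.
"""
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

ALERTING = {2, 3}   # 2 = Critical, 3 = Unknown (mapping from the post)
OK = 0

# Constructed sample events (not real data), deliberately in the newest-first
# order a plain index search returns them in.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T10:04:00Z", "hostname": "db01", "service_description": "disk /", "state": 0, "output": "DISK OK"},
    {"_time": "2024-03-01T10:03:00Z", "hostname": "db01", "service_description": "disk /", "state": 1, "output": "DISK WARNING 85%"},
    {"_time": "2024-03-01T10:02:00Z", "hostname": "db01", "service_description": "disk /", "state": 2, "output": "DISK CRITICAL 96%"},
    {"_time": "2024-03-01T10:01:00Z", "hostname": "db01", "service_description": "disk /", "state": 0, "output": "DISK OK"},
    {"_time": "2024-03-01T10:02:30Z", "hostname": "web01", "service_description": "http", "state": 3, "output": "UNKNOWN timeout"},
    {"_time": "2024-03-01T10:01:30Z", "hostname": "web01", "service_description": "http", "state": 0, "output": "HTTP OK"},
    {"_time": "2024-03-01T10:05:00Z", "hostname": "web01", "service_description": "http", "state": 0, "output": "HTTP OK"},
]


def _ts(event: dict) -> datetime:
    """Parse the assumed ISO-8601 `_time` into an aware UTC datetime."""
    return datetime.strptime(event["_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def select_alerts(events: Iterable[dict]) -> List[dict]:
    """Return only the events worth sending, each tagged with action=trigger|resolve."""
    # Walk each host/service series oldest-first; order matters for transitions.
    ordered = sorted(events, key=lambda e: (e["hostname"], e["service_description"], _ts(e)))
    open_alert: Dict[Tuple[str, str], bool] = {}
    selected: List[dict] = []
    for e in ordered:
        key = (e["hostname"], e["service_description"])
        state = int(e["state"])
        if state in ALERTING:
            open_alert[key] = True
            selected.append({**e, "action": "trigger"})
        elif state == OK and open_alert.get(key):
            open_alert[key] = False
            selected.append({**e, "action": "resolve"})
        # Warning (1), or OK with nothing open: nothing to send to OnCall.
    return selected


# Equivalent SPL using only the immediately previous state per host/service.
# `sort 0 _time` is needed so streamstats walks events oldest first:
#   index=events_hp
#   | sort 0 _time
#   | streamstats current=f last(state) AS prev_state BY hostname service_description
#   | where state=2 OR state=3 OR (state=0 AND (prev_state=2 OR prev_state=3))
#   | fields hostname service_description state prev_state output

if __name__ == "__main__":
    for ev in select_alerts(SAMPLE_EVENTS):
        print(ev["_time"], ev["hostname"], ev["service_description"], ev["state"], ev["action"])
```

Two caveats with the SPL form: `prev_state` only exists inside the search window, so the first event of each series has none, and a 2 -> 1 -> 0 sequence never matches because the event before the OK is a 1. The open-flag approach above avoids both, but in a scheduled Splunk alert that flag has to live somewhere persistent (a lookup or KV store collection written by the alert action) rather than in process memory.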
Hi, I am looking to get the thresholds that are out of the box. Is there any way I can pull them from the controller? Microservices/Docker/Kubernetes and also the WEB.
I need help with an eval function for trimming the month, e.g. April = APR, the first 3 letters of all months. Thanks.
Hi, last week one of our vulnerability scans found that our universal forwarders were susceptible to the TLS CRIME vulnerability. To fix this vulnerability we updated our server configuration file (toggled allowSslCompression from true to false). Now we want to update the server configuration file on all the servers, but we found that the server configuration is system specific and we can't just replace it on every server. We are not using a deployment server in our environment. Is there any other way we can go and append to the server config file? Thank you
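One way to roll the change out without replacing the per-host file, as an added example that is not from the original post or from Splunk: a small script that sets `allowSslCompression = false` in the `[sslConfig]` stanza of a server.conf in place and is safe to run repeatedly. It assumes the Splunk .conf layout (`[stanza]` headers, `key = value` lines, `#` comments) and that the file being edited is the host's `etc/system/local/server.conf`, where the host-specific values (serverName, pass4SymmKey, sslPassword) live, which is why a wholesale copy from another host is not an option. The sample configuration text is constructed.

```python
"""Idempotently force allowSslCompression = false in [sslConfig] of a Splunk
server.conf, leaving every other stanza, key and comment untouched.
Usage:  python set_ssl_compression.py /opt/splunkforwarder/etc/system/local/server.conf
"""
import re
import sys
from pathlib import Path
from typing import List, Optional

STANZA = "sslConfig"
KEY = "allowSslCompression"
VALUE = "false"          # TLS compression is what CRIME exploits; keep it off

_STANZA_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# key = value; first char excludes '#' so commented-out keys are not matched
_KEY_RE = re.compile(r"^\s*([^=#\s][^=]*?)\s*=\s*(.*?)\s*$")


def get_key(conf_text: str, stanza: str = STANZA, key: str = KEY) -> Optional[str]:
    """Return the value of `key` inside `stanza`, or None if absent."""
    current = None
    for line in conf_text.splitlines():
        m = _STANZA_RE.match(line)
        if m:
            current = m.group(1).strip()
            continue
        km = _KEY_RE.match(line)
        if current == stanza and km and km.group(1) == key:
            return km.group(2)
    return None


def set_key(conf_text: str, stanza: str = STANZA, key: str = KEY, value: str = VALUE) -> str:
    """Return conf_text with `key = value` set in `stanza`.

    An existing key line in the stanza is rewritten in place; a stanza without
    the key gets it appended; a missing stanza is appended at the end.
    """
    out: List[str] = []
    current = None
    stanza_seen = key_written = False

    def flush_key() -> None:
        # Insert the key at the end of the stanza, before any trailing blank lines.
        blanks = []
        while out and not out[-1].strip():
            blanks.append(out.pop())
        out.append(f"{key} = {value}")
        out.extend(blanks)

    for line in conf_text.splitlines():
        m = _STANZA_RE.match(line)
        if m:
            if current == stanza and not key_written:
                flush_key()
                key_written = True
            current = m.group(1).strip()
            stanza_seen = stanza_seen or current == stanza
            out.append(line)
            continue
        km = _KEY_RE.match(line)
        if current == stanza and km and km.group(1) == key:
            out.append(f"{key} = {value}")   # rewrite whatever value was there
            key_written = True
            continue
        out.append(line)

    if stanza_seen and not key_written:      # target stanza was last in the file
        flush_key()
    elif not stanza_seen:
        if out and out[-1].strip():
            out.append("")
        out.extend([f"[{stanza}]", f"{key} = {value}"])
    return "\n".join(out) + "\n"


# Constructed sample of a host-specific local server.conf (not a real file).
SAMPLE_CONF = """\
[general]
serverName = uf-host-01.example.com
pass4SymmKey = $7$redacted

[sslConfig]
sslPassword = $7$redacted
allowSslCompression = true
"""


def main(argv: List[str]) -> None:
    path = Path(argv[1])
    text = path.read_text() if path.exists() else ""
    fixed = set_key(text)
    if fixed != text:
        path.write_text(fixed)
    print(f"{path}: {KEY} = {get_key(fixed)}")


if __name__ == "__main__":
    main(sys.argv) if len(sys.argv) > 1 else print(set_key(SAMPLE_CONF))
```

Run it on each forwarder with whatever remote execution you already have (an ssh loop, Ansible, etc.), then restart splunkd on that host and confirm the effective value with `splunk btool server list sslConfig --debug`, which also tells you which file the value comes from. If the scanner flagged the forwarder's outbound connection to the indexers rather than its own management port, the matching outputs.conf setting (`useClientSSLCompression`) is the one to check as well.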
Hi everyone, I've heard many times that it is challenging to get an ITSI entities list with proper alias and informational field mapping in ITSI. A circulating SPL query mixes field types and does not fully solve the issue. Please check out this SPL script I have created for getting the right dataset.

| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text
| eval value=spath(value,"{}")
| mvexpand value
| eval info_fields=spath(value,"informational.fields{}"), alias_fields=spath(value,"identifier.fields{}"), entity_id=spath(value,"_key"), entity_title=spath(value,"title"), entity_name=spath(value,"identifying_name")
| appendpipe [ | mvexpand alias_fields | eval field_value=spath(value,alias_fields."{}"), field_type="alias" | rename alias_fields as field_name ]
| appendpipe [ | where isnull(field_type) | mvexpand info_fields | eval field_value=spath(value,info_fields."{}"), field_type="info" | rename info_fields as field_name ]
| where isnotnull(field_type)
| table entity_id entity_name entity_title field_name field_value field_type
Hi, I am trying to use this APM agent https://github.com/TeaTips/SplunkJavaAgent but when I run it I get this error:

[root@myserver opt]# ./splunkagent.jar
./splunkagent.jar: line 1: $'PK\003\004': command not found
./splunkagent.jar: line 2: $'\b\272\265\211A': command not found
./splunkagent.jar: line 3▒▒▒A▒3▒▒META-INF/MANIFEST.MFMʱ: No such file or directory
./splunkagent.jar: line 4: syntax error near unexpected token `)'
./splunkagent.jar: line 4: `▒0▒▒=▒wȨC.▒U)▒b'▒▒ ▒ʵ^▒▒ކ$'

Any idea? Thanks,
Hi Splunkers, I'm having trouble creating a correlation rule. The purpose of the rule is the following: if a user group related to a database is changed by a remote user, the rule must trigger. Here is some additional data. By "change" we mean that a user is added to or removed from a group and/or an entire database user group is deleted. We are not focusing on a specific database product; the fact that the host involved is a database is determined by checking 2 lookup tables where the database IPs and ports are stored. If possible, we have to use data models instead of sourcetypes; for this, I checked both the Database and Authentication data models, but I see that, in the ready fields, we are able to extract only data about users, not groups. Any idea?
Hi, I recently ran into a problem where a playbook runs a workflow for a long time (usually hours) without stopping itself. The debug logs didn't show much information besides the event hanging. Is there something we could set up to kill the workflow if it's been running for x amount of time?
Hi, I am trying to increase the height of a sunburst chart with the code below: <option name="sunburst_viz.sunburst_viz.height">850</option> but it's not working. Could you please help?
Morning everyone, thank you in advance for your help. I would like to remove part of a string from my results. My query results look like this: j2874a8B$ and I'd like to delete the $ to get this: j2874a8B. How do I proceed? Thank you very much.
This is similar to https://community.splunk.com/t5/Splunk-Search/Merging-with-similar-strings-without-eval/m-p/484972. It works perfectly if the difference is at the end of the strings, but I do have some additional strings that are slightly different in the middle. My current query:

Base search
| eval Error=message
| rex mode=sed "s/(?m)^\s+//g"
| rex field=Error mode=sed "s/^((?<Msg>.+)\s)\S+/\1*/"
| top 25 Error,file_line,level by build
| table build level count file_line Error

Error string example 1:
No exception occurred when displaying value for task=inspect entity.name=software propertyKey=keyNameForSomething. Please write a rule *
No exception occurred when displaying value for task=inspect entity.name=software propertyKey=keyNameForSomethingElse. Please write a rule *
No exception occurred when displaying value for task=inspect entity.name=software propertyKey=keyNameForSomethingElseElse. Please write a rule *

Error string example 2:
Locale is null for the language, es with ec, com.EditingContext@1y3y1u3e. Skip this *
Locale is null for the language, en with ec, com.ITEditingContext@2y5f3u3e. Skip this *

I would hope my output to be the following or similar:

Count, Error
3, No exception occurred when displaying value for task=inspect entity.name=software propertyKey=*. Please write a rule *
2, Locale is null for the language, *
Hi, I want to install Nmon but can't figure out how (NMON Performance Monitor for Unix and Linux Systems | Splunkbase). This is a simple scenario: 1. Splunk server 192.168.1.1 (Nmon already installed); 2. Linux server 192.168.1.2 (forwarder already installed). AFAIK I should extract Nmon into this path, /opt/splunkforwarder/etc/apps/, on 192.168.1.2 (Nmon Performance for Splunk - Quick clients deployment demo - YouTube), but I can't find the Nmon Linux agent. Any idea? Thanks,
When opening the Data Models page we have the two errors below, related to the SplunkforPaloAltoNetworks app / add-on. These errors have been present for a long time, definitely while on version 7.0.1; however, we also just upgraded to the latest version, 7.0.3, and the errors persist. Any thoughts on how to resolve them, or, if this is likely a non-issue (we don't see any issues presently), how to remove them? We have Splunk Cloud so will need to request the Splunk team to assist. Same errors as in the screenshot above, but as plain text:

Error in data model "pan_traps" : JSON file contents not available.
Error in data model "pan_wildfire_report" : JSON file contents not available.
ORG    Month  KPI_1  KPI_2  KPI_3  KPI_4
first  Sep21  100    NA     NA     NA
first  Sep21  NA     100    NA     NA
first  Sep21  NA     NA     100    NA
first  Sep21  NA     NA     NA     100

How do I convert the table above to get the table below?

ORG    Month  KPI_1  KPI_2  KPI_3  KPI_4
first  Sep21  100    100    100    100
Please find the sample event field comment:

comment="This is  sample data  "to remove the double quote value" how to remove it?It is for a  "testing purpose" which we need to handle "

How do I remove the double quotes? I have tried rex field=_raw mode=sed "s/\"//g", but after that, when we apply the table command (|table comment), it gives me partial data: "This is  sample data ". Appreciate your help, Deev
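Why the extraction comes back partial, and one way to get the whole value, as an added example that is not from the original post or from Splunk. The standard key="value" extraction ends the value at the first closing quote, and the value here contains unescaped quotes, so the field is cut at `This is  sample data  `. Re-extracting with a greedy match that stops at the last quote before end of line (or before the next key=value pair) recovers the whole string, after which the quotes can be stripped. The first sample event is the one the post quotes; the second, with a trailing `severity=` pair, is constructed to show the bounded case.

```python
"""Recover a quoted field whose value contains unescaped double quotes."""
import re
from typing import Optional

# The event quoted in the post: the value itself contains " characters.
POSTED_EVENT = ('comment="This is  sample data  "to remove the double quote value" '
                'how to remove it?It is for a  "testing purpose" which we need to handle "')

# Constructed variant with another key=value pair after the comment field.
EVENT_WITH_TRAILING_FIELD = POSTED_EVENT + " severity=low"

# What automatic key="value" extraction does: stop at the first closing quote.
NAIVE_RE = re.compile(r'comment="([^"]*)"')

# Greedy: run to the LAST quote that is followed by end of line or by the
# next ` key=` pair, so embedded quotes do not terminate the value.
GREEDY_RE = re.compile(r'comment="(.*)"(?=\s*$|\s+\w+=)')


def naive_extract(raw: str) -> Optional[str]:
    """Reproduces the truncated value the post observes."""
    m = NAIVE_RE.search(raw)
    return m.group(1) if m else None


def extract_comment(raw: str) -> Optional[str]:
    """Whole comment value, embedded quotes included."""
    m = GREEDY_RE.search(raw)
    return m.group(1) if m else None


def strip_quotes(value: str) -> str:
    """Drop the embedded quotes once the full value has been captured."""
    return value.replace('"', "")


# Same idea in SPL (rex is PCRE, so the lookahead works), run on _raw rather
# than on the already-truncated comment field:
#   | rex field=_raw "comment=\"(?<comment>.*)\"(?=\s*$|\s+\w+=)"
#   | eval comment=replace(comment, "\"", "")
#   | table comment

if __name__ == "__main__":
    for ev in (POSTED_EVENT, EVENT_WITH_TRAILING_FIELD):
        print("naive :", repr(naive_extract(ev)))
        print("greedy:", repr(strip_quotes(extract_comment(ev))))
```

The sed-style `s/\"//g` in the post runs after the field has already been extracted by the automatic key="value" rule, which is why stripping quotes from `_raw` does not change what `table comment` shows; the greedy re-extraction has to replace that field, not just clean `_raw`.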
Hi SMEs, we need to split event logs into 2 different indexes (index_1 & index_2); they are coming into index_1 only as of now. FYI, the log source is on AWS cloud and we are using an add-on to get those logs through inputs.
Hi, I wrote the query below, which gives me data per service per minute:

index=**** | bucket _time span=1m | convert ctime(_time) AS Hour timeformat="%H:%M" | stats count AS Requests by service, Hour

(Screenshot of the output not reproduced.) I wanted to split the requests based on HTTP status code (200, 404, 302, 500 etc.). I am using the query below for that, but I am unable to get the data:

index=*** | bucket _time span=1m | convert ctime(_time) AS Hour timeformat="%H:%M" | chart count AS Requests,status as HTTP_status by service, Hour

(Screenshot of the error not reproduced.) Can someone please help me get the number of requests by status code? Thanks, SG
Hi, I installed these apps and need some useful dashboards to monitor Linux servers: https://splunkbase.splunk.com/app/833/ and https://splunkbase.splunk.com/app/273/. Please share your Linux monitoring dashboards. Thanks,
Hello team, I am trying to set up the TrendMicro DeepDiscovery app to process the DDA/DDI events. I also have TrendMicro IWSVA hosts. After the app is installed on the SH, I am redirected to the app setup page. I have replaced the default index in the Deep Discovery Event Type, i.e. ddi_index, with the index that I had created with custom inputs. Similarly, I have replaced the index name for the Web Access Log Event Type with the new index name. But the logs with sourcetype "squid" are still going to the default index log_index. Can someone suggest how we can troubleshoot this? Also, can someone suggest what the sourcetype should be for the DDA/DDI and IWSVA logs? Any help/suggestion is appreciated. Thanks
I am trying to profile a .NET Core application in a Linux environment. I have installed and configured the .NET Core agent on my CentOS. I set the environment variables in the service file as follows:

Environment=CORECLR_PROFILER={57e1aa68-2229-41aa-9931-a6e93bbc64d8} \
CORECLR_ENABLE_PROFILING=1 \
CORECLR_PROFILER_PATH=/opt/appdynamics/dotnet/libappdprofiler.so

Then I restarted the app service and the Apache server. To check the AppDynamics profiler installation I ran the following command:

lsof -p 2268 | grep -i appd
dotnet 2268 root mem REG 253,0 6443304 69595618 /opt/appdynamics/dotnet/libappdprofiler_glibc.so
dotnet 2268 root mem REG 253,0 6776 69595628 /opt/appdynamics/dotnet/libappdprofiler.so

2268 is my dotnet process id, and this confirmed the profiler loaded successfully. My question is: we have given only one profiler path, libappdprofiler.so, so how is this file "libappdprofiler_glibc" loading? What is the use of this file? Thanks in advance.