Morning, everyone. Thank you in advance for your help. I would like to remove part of a character string from my results. My query results look like this: j2874a8B$ I'd like to delete the $ to get this: j2874a8B How do I proceed? Thank you very much.
This is similar to https://community.splunk.com/t5/Splunk-Search/Merging-with-similar-strings-without-eval/m-p/484972. It works perfectly if the difference is at the end of the strings, but I do have some additional strings that are slightly different in the middle.

My current query:

Base search | eval Error=message | rex mode=sed "s/(?m)^\s+//g" | rex field=Error mode=sed "s/^((?<Msg>.+)\s)\S+/\1*/" | top 25 Error,file_line,level by build | table build level count file_line Error

Error string example 1:
No exception occurred when displaying value for task=inspect entity.name=software propertyKey=keyNameForSomething. Please write a rule *
No exception occurred when displaying value for task=inspect entity.name=software propertyKey=keyNameForSomethingElse. Please write a rule *
No exception occurred when displaying value for task=inspect entity.name=software propertyKey=keyNameForSomethingElseElse. Please write a rule *

Error string example 2:
Locale is null for the language, es with ec, com.EditingContext@1y3y1u3e. Skip this *
Locale is null for the language, en with ec, com.ITEditingContext@2y5f3u3e. Skip this *

I would hope my output to be the following or similar:

Count, Error
3, No exception occurred when displaying value for task=inspect entity.name=software propertyKey=*. Please write a rule *
2, Locale is null for the language, *
Hi, I want to install Nmon but can't figure out how. NMON Performance Monitor for Unix and Linux Systems | Splunkbase. This is a simple scenario: 1 - Splunk server 192.168.1.1 (Nmon already installed) 2 - Linux server 192.168.1.2 (forwarder already installed). AFAIK I should extract Nmon into this path /opt/splunkforwarder/etc/apps/ on 192.168.1.2 (Nmon Performance for Splunk - Quick clients deployment demo - YouTube) but I can't find the Nmon Linux agent. Any idea? Thanks,
When opening the Data Models page we get the two errors below, related to the SplunkforPaloAltoNetworks app / add-on. These errors have been present for a long time, definitely while on version 7.0.1; however, we also just upgraded to the latest version, 7.0.3, and the errors persist. Any thoughts on how to resolve them, or, if they are likely a non-issue (we don't see any issues presently), how to remove them? We have Splunk Cloud so will need to request the Splunk team to assist. Same errors as in the screenshot above, but as plain text: Error in data model "pan_traps" : JSON file contents not available. Error in data model "pan_wildfire_report" : JSON file contents not available.
ORG    Month  KPI_1  KPI_2  KPI_3  KPI_4
first  Sep21  100    NA     NA     NA
first  Sep21  NA     100    NA     NA
first  Sep21  NA     NA     100    NA
first  Sep21  NA     NA     NA     100

How do I convert the table above to get the table below:

ORG    Month  KPI_1  KPI_2  KPI_3  KPI_4
first  Sep21  100    100    100    100
Please find the sample event field comment: comment="This is  sample data  "to remove the double quote value" how to remove it?It is for a  "testing purpose" which we need to handle " I have tried rex field=_raw mode=sed "s/\"//g" But after that, when we apply the table command |table comment, it gives me partial data: "This is  sample data " Appreciate your help. Deev
Hi SMEs, we need to split event logs into 2 different indexes (index_1 & index_2); they are coming into index_1 only as of now. FYI - the log source is on AWS cloud and we are using an add-on to get those logs through inputs.
Hi, I wrote the query below, which gives me data per service per minute:

index=**** | bucket _time span=1m | convert ctime(_time) AS Hour timeformat="%H:%M" | stats count AS Requests by service, Hour

Below is the screenshot for the same. I wanted to split the requests based on HTTP status code (200, 404, 302, 500 etc). I am using the query below for the same but I am unable to get the data:

index=*** | bucket _time span=1m | convert ctime(_time) AS Hour timeformat="%H:%M" | chart count AS Requests,status as HTTP_status by service, Hour

Error screenshot - Can someone please help me with how to get the number of requests by status code? Thanks, SG
Hi, I installed these apps, and need some useful dashboards that monitor Linux servers. https://splunkbase.splunk.com/app/833/ https://splunkbase.splunk.com/app/273/ Please share your Linux monitoring dashboard. Thanks,
Hello Team, I am trying to set up the TrendMicro DeepDiscovery app to process the DDA/DDI events. I also have TrendMicro IWSVA hosts. After the app is installed on the SH, I am redirected to the app setup page. I have replaced the default index in the Deep Discovery Event Type, i.e. ddi_index, with the index that I had created with custom inputs. Similarly, I have replaced the index name for the Web Access Log Event Type with the new index name. But the logs with sourcetype "squid" are still going to the default index log_index. Can someone suggest how we can troubleshoot it? Also, can someone suggest what the sourcetype should be for the DDA/DDI and IWSVA logs? Any help/suggestion is appreciated. Thanks
I am trying to profile a .NET Core application in a Linux environment. Here, I have installed and configured the .NET Core agent on my CentOS. I set the environment variables in the service file as follows:

Environment=CORECLR_PROFILER={57e1aa68-2229-41aa-9931-a6e93bbc64d8} \ CORECLR_ENABLE_PROFILING=1 \ CORECLR_PROFILER_PATH=/opt/appdynamics/dotnet/libappdprofiler.so

Then I restarted the app service and the Apache server. To check the AppDynamics profiler installation, I ran the following command:

lsof -p 2268 | grep -i appd
dotnet 2268 root mem REG 253,0 6443304 69595618 /opt/appdynamics/dotnet/libappdprofiler_glibc.so
dotnet 2268 root mem REG 253,0 6776 69595628 /opt/appdynamics/dotnet/libappdprofiler.so

<2268> is my dotnet process id, and this confirmed the profiler loaded successfully. My question is: we have given only one profiler path, which is libappdprofiler.so, so how is this file "libappdprofiler_glibc" loading? What is the use of this file? Thanks in advance.
Hi, I have a requirement where I need to extract a card value which is present inside the message body of the log. This value comes into the logs under two different names. Can you please tell me how I can fetch these values and display them in a table? Thanks
Hi, I have a requirement where we have a CSV file which has the values of functionid and functiondesc; this file was added as a lookup also. I get a value eventid from the logs which is the same as functionid. Now we need to fetch the functiondesc of the corresponding eventid and display it in a table.
Hello Splunk Community,  I have a stats table I have created and I want to change the time field ("%Y-%m-%d %H:%M:%S") to present 'x' minutes ago.  Can anyone help with this?  Many Thanks,  Zoe
Hi Experts, we have two AWS platforms, and we are collecting CloudWatch VPC flow logs. One of them works perfectly: we created the inputs to collect the CloudWatch VPC flow log directly (not using Kinesis). However, the other one does not collect any VPC flow logs; when we checked the _internal logs, it just keeps throwing "Start to describe streams. region=ap-southeast-1, log_group=XXX", "No data input has been configured.", "Previous job of the same task still running. Exit current job." (after 10 mins). We checked CloudWatch in AWS; the corresponding log groups do have logs, and the permissions are set correctly. Thanks
I have what should be a simple problem, but I don't have an answer without burning some brain cells. Simple query example: index=some_index sourcetype=some_sourcetype. Returns 140k events. The output of the query above contains the field 'tag', with 7 values, x 30K+ events. But if I use the query index=some_index sourcetype=some_sourcetype tag="*" I get 'zero', no results.
Hi all, I am looking for an automated way to export reports on a recurring schedule and to a location other than the default where the outputcsv command saves them to. I found a few older questions and answers posted but I wanted to see if there was an updated answer to this. Thanks Splunkers!
I found that we can create alerts in Splunk and output the alert to specific email recipients. Is there a way to send alerts or dashboard values to 3rd party apps other than email? 
Hello, I am new to Splunk and my first task is to pair "GitHub App for Splunk" with "GitHub Audit Log Monitoring Add-on for Splunk", to get the visualization for the logs. Can anyone help me or guide me on what should be done once the GitHub App for Splunk is installed? The "GitHub Audit Log Monitoring Add-on for Splunk" is capturing the logs, but I need some guidance on how the GitHub App for Splunk can be paired with it for visualization. Thanks in advance,
I simply want to get new exceptions that occurred within the last 30 minutes which did not happen at any time last week on the same day. I have this query to get exceptions for the same weekday last week:

earliest=-7d@d latest=-6d@d index=production "java.lang.NullPointerException*" | stats count by field6

which gives me this result:

abcd.handler.CreateBankHandler 26
abcd.cr.RequestProcessor 34
abcd.cr.SessionInfo 1
abcd.cr.SSOServlet 2
abcd.impl.ExportManagerImpl 1
abcd.impl.ImportFileProcessor 1

The second query:

earliest=-1d@d latest=now index=production "java.lang.NullPointerException*" | stats count by field6

which gives me this result:

abcd.handler.CreateBankHandler 27
abcd.cr.RequestProcessor 7
abcd.cr.SessionInfo 1
abcd.cr.BaseServlet 6
abcd.cr.SSOServlet

So the result should be the new events from the second query. Name: abcd.cr.BaseServlet