All Topics

Hi guys, I wanted to know if anyone knows whether you can populate a summary index from a data model. The summary index query requires the si* prefix on transforming commands (sistats), but the datamodel search also requires a tstats command, so they cannot be used in conjunction.
I'm trying to fetch the logs into Splunk from AWS CloudTrail using the Splunk Add-on for AWS. When I checked the S3 bucket size it shows only 2GB of data. But if I enable the CloudTrail input in the add-on, the Splunk index is consuming over 3 or 4 GB. My configuration in the add-on input is correct and I'm only getting the logs in Splunk from the date range that I specified in the add-on. Is this something related to the compression of data in AWS and Splunk being different? Please help to resolve this.
Hi team, please help with the regex to fetch the values serverName and HostNumber from the payload below:  "{\n \"process\": \"Monitoring\",\n \"serverName\": \"\",\n \"HostNumber\": \"\",\n \"startDate\": \"\",\n \"firstName\": \"person _anusha1234\",\n \"lastName\": \"dev1234\",\n \"emailAddress\": \3423423213213@ada.com\,\n \"personnelNumber\": \"812060\",\n \"status\": \"FAILED\",\n \"code\": \"APP:Login_ERR001\",\n \"message\": \"\\\"218177-123132 does not exist in LDAP\\\"\",\n \"errorRecord\": \"BirthName:|BirthPlace:|ActiveFlag:|Role:PINV|Environment:|PrimaryInRole:|HostNumber:|Reference:123132|AlternateNumber:3223|serverName:abc|SubjectStatus:|CreatedBy:|Department:|DiscontinuedDate:|DiscontinuedFlag:N|EmployeeID:|EmployeeStatus:|EmploymentReason:|EmploymentType:|EndDate:|StartDate:|FirstName:person _anusha1234|LastName:dev1234|NPINumber:812060|AddressLine1:|AddressLine2:|AddressLine3:|City:|CountryISO3Code:|Province:|Zip:|EmailAddress:3423423213213@ada.com|Fax:|PhoneNumber:|PersonnelNumber:812060\"\n}\",\n \"tracePoint\" : \"FLOW\",\n \"priority\" : \"INFO\",\n \"category\" : \"com.wipro.api\",\n \"elapsed\" : 1893,\n \"timestamp\" : \"2021-11-09T11:19:53.943Z\",\n \"applicationName\" : \"Monitoring\",\n \"applicationVersion\" : \"v1\",\n \"environment\" : \"Stage\",\n \"threadName\" : \"[MuleRuntime].uber.70: [wipro-prc-primary-monitoring].log-data-for-splunk-dashboard/processors/1.ps.BLOCKING @a8ff6c0\"\n}   Thanks in advance, RK
Hi, I use a lookup in order to do a correspondence between the field web_error_code, which is my sourcetype and which is an error code, and the name of the error code. It works perfectly, but I just need to complete the timechart legend with the original web_error_code. For example, I need "400 - Bad gateway"; currently I have just "Bad gateway". How to do this please?   index=toto sourcetype=tutu web_domain="*" | lookup HttpCode.csv status as web_error_code output status_description | timechart span=1d sum(web_error_count) as web_error_count by status_description
In props.conf, set the TRANSFORMS-null attribute:
[ActiveDirectory]
TRANSFORMS-null = setnull
Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
[setnull]
REGEX = \[ms_Mcs_AdmPwdExpirationTime\]
DEST_KEY = queue
FORMAT = nullQueue
Restart Splunk Enterprise. field = ms_Mcs_AdmPwdExpirationTime: the values are still in the index. Not working. What did I indicate wrong?
I have a list of servers. I need a query to check whether Splunk is getting data from each server or not.
Log sources are coming in from a Universal Forwarder to a Heavy Forwarder. I'm looking to selectively forward to syslog without indexing on the Heavy Forwarder or the index cluster; these selected logs need to be forwarded only to the syslog central logging system. Syslog output is already working on the Heavy Forwarder and indexing on the Heavy Forwarder is disabled, but events are still being indexed on the index host/cluster. Is there a configuration/deployment where the Heavy Forwarder selectively forwards only to syslog without any indexing?
Hi, I have the following alert set up. Query (roughly):  index="myindex" "the log message that i am interested in" | head 1  Alert type: Scheduled, run on cron schedule */5 * * * * (every 5 minutes) for the last 10 minutes. Trigger alert when number of results is less than 1. I also added throttling and configured an email to be sent when the alert triggers.  It works fine most of the time, but at irregular intervals I receive alerts. Some of them are valid, because there just were no events. For others, the saved search doesn't show events, but starting the same search again will show that there actually were events logged, so I'd consider those alerts false positives. My first idea was that delays in the forwarding and indexing processes lead to this result, but after checking the _indextime field, this explanation can be ruled out as well.  Does anyone have an idea why these false positives appear and how I can get rid of them?  Thanks in advance!
How to create a custom alert message in the application log?
Is it possible to change the app key of an existing app, and if so, will the previous app key become non functional, or will that continue to be accepted as well? We're looking at options to safely rotate the AppD app key, if that's possible. Thanks, Priya
Hello, our application session is not a plain key-value pair; it contains an object called "UserInfo", and within this object there are many properties. Can I grab a specific property from this object with the HTTP request data collector? Example: UserInfo = { "userId": 123, userName: "BlaBla", ...}
I need help with this subsearch using the pivot command.  Base search: | pivot  Traffic  All_Traffic FILTER  zone is "$form.srcZone$"  Subsearch: count(src_zone) AS src_zone_count SPLITROW zone AS zone TOP 100 count(zone) ROWSUMMARY 0 COLSUMMARY 0 SHOWOTHER 1  The problem is that there is a pipeline added by Splunk before the subsearch. I want the subsearch to be executed without the pipeline.
Hi, where does the data sync utility for ServiceNow get installed? Do we need a separate server? If we need a separate server, then if that server goes down, how will it affect the data to ServiceNow? Can someone please explain? Post edited by @Ryan.Paredez for formatting and title changes
Hello everyone, I have been using Splunk Enterprise since July. I have created hosts and forwarders for it. I think forwarders may not use data license? Please give clarity on this.  But we haven't used it until now, nor any logs, yet we can see that data license usage is very high month to month: August 1.1M --> September 1.9M --> October 2.8M. Why is that happening? Please let me know of any process for this, please provide some information on how to check that, and how to find who is using it.  Thanks
I want to extract the substring "xenmobile" from the string "update task to xenmobile-2021-11-08-19-created completed!". How can I get that?
Hi, I just started working with Splunk and would like to ask for some help. I have 3 sources, A, B and C. Source A contains the fields Ordernr, Salesvalue. Source B contains the fields Ordernr, Status. Source C contains the fields Ordernr, Producttype. All sources have around a few million records. What I would like to get is a result set with: A.Ordernr, A.Salesvalue, C.Producttype where A.Ordernr does not exist in B with B.Status=700 and A.Ordernr exists in C.Ordernr. Hope my question is clear. Thanks in advance for helping me out!  What I would like to do is to have a resul
Hi all, I created a report; now I need to create a dashboard that takes data from this report with loadjob savedsearch. The report has as its field names 1_month_previous, 2_month_previous, ...... (I could not rename the names of the months in the command stats sum(DIM) as 1_month_previous; I also followed a post here in the community). I would like to create a filter in the dashboard with the names of the months instead of the previous_month. I tried with this code:
<query>
| makeresults
| eval MPR0 = strftime(relative_time(now(), "-0month@month"), "%B")
| eval MPR1 = strftime(relative_time(now(), "-1month@month"), "%B")
| eval MPR2 = strftime(relative_time(now(), "-2month@month"), "%B")
| eval MPR3 = strftime(relative_time(now(), "-3month@month"), "%B")
| eval MPR4 = strftime(relative_time(now(), "-4month@month"), "%B")
| eval MPR5 = strftime(relative_time(now(), "-5month@month"), "%B")
| eval MPR6 = strftime(relative_time(now(), "-6month@month"), "%B")
| eval MPR7 = strftime(relative_time(now(), "-7month@month"), "%B")
| eval MPR8 = strftime(relative_time(now(), "-8month@month"), "%B")
| eval MPR9 = strftime(relative_time(now(), "-9month@month"), "%B")
| eval MPR10 = strftime(relative_time(now(), "-10month@month"), "%B")
| eval MPR11 = strftime(relative_time(now(), "-11month@month"), "%B")
| eval MONTH = mvappend(MPR0, MPR1, MPR2, MPR3, MPR4, MPR5, MPR6, MPR7, MPR8, MPR9, MPR10, MPR11)
| table MONTH
</query>
but in Dynamic Options -> Search String, by inserting this code, it returns the names of the months separated by commas, all on a single row and not in a column to let me choose the month I need. Do you have any suggestions? I have tried mvappend, split, delim, etc. to no avail. I ask for help from you Splunk gurus. Tks BR Antonio
Hello, why does this query not return any results while there are events? sourcetype=timekeeper_status host=* | eval offsets=(offsets."0") | timechart span=30s max(abs(offsets."0")) by host
Hello, is it possible to get a list of all the dashboards that were run in the last * days?
I want to extract the fields that are on the left, which are status, monitoring status, monitoring mode and so on. The multikv command can be used when the header is in the first row. What command should I use in Splunk search if the header is in the first column?