Find Answers
I want to extract the fields that are on the left, which are status, monitoring status, monitoring mode and so on. The multikv command can be used when the header is in the first row. What command should I use in a Splunk search if the header is in the first column?
I need to parse this field duser=DOMAIN\\User to only extract the user without the Domain\\
I have extracted two fields in my non-prod Splunk account. I want to use the same for the prod Splunk account as well. The URLs for prod and non-prod are different. I need these field extractions in prod beforehand, even before the logs start flowing into Splunk (prod), since my Splunk alert depends on the logs. Is there a way to export the extractions from non-prod and import them into prod?
Hi all, I have a multiselect dropdown to list all the groups, and I also have 2 pie charts for the number of tasks per group and the status of the jobs of the tasks. The default selection in the multiselect dropdown is "All". How do I pass the tokens from the multiselect to the charts? The queries for the 2 charts are:

index="abc" sourcetype="xyz" | chart distinct_count(task) as Tasks by group

The status pie chart is a drilldown from the first pie chart. Tok_task is passed as a token.

index="abc" sourcetype="xyz" | search task=$Tok_task$ | chart distinct_count(job) as Jobs by status

I just simply passed a token from the multiselect to the chart. It is not working when I select multiple options. Does anyone know how to work with this?
I am new to Splunk Dashboard Studio, and I need to auto-refresh my dashboard every 30 seconds. Below is the code of my dashboard. Can anyone help with this?

{
    "dataSources": {
        "ds_search_1_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new": {
            "type": "ds.search",
            "options": {
                "query": "my query",
                "queryParameters": {
                    "earliest": "-15m",
                    "latest": "now"
                }
            }
        },
Hi, I want to exclude the path from search results, i.e.:

www.testsite.com
www.testsite.com/path1
www.testsite.com/path2
www.testsite.com/path3
www.secondsite.com
www.secondsite.com/path1

From the above, all the sites are displayed in my search. I only want www.testsite.com and www.secondsite.com to show in the search and the rest of the sites to be excluded. Thanks.
Hi All, I have a field with the following values:

Field_Values=case(Red="Low", 10, Blue="Medium", 28, Green="High", 14)

How can I create a token in the dashboard that will have these values? This token will not be used for a filter in the dashboard or a drilldown. I am not sure if there is a default token to assign this to. I am using the code below, but using job.resultCount only gives me the highest value, which is 3600. I need it to give me the corresponding Field_Value for when it is Low, Medium or High. Any advice?

<condition match=" 'job.resultCount' &gt; 0">
  <set token="Field_Values">$result.Field_Values$</set>
</condition>
For some reason the "Enabled" field is not returning "true" or "false" when running ldapsearch from Splunk. All the other fields return, like sAMAccountName, cn, distinguishedName, etc., but all the different combinations tried so far have not returned a value in the field. We have confirmed there is a value in the field using the cmdlet get-aduser, so there is either a true or false for all users. Here is an example of an ldapsearch query we've tried:

| ldapsearch domain="x.xx.xxx.com" search="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName, name, cn, co, st, whenCreated, accountExpires, Enabled, lastLogonTimestamp, title, physicalDeliveryOfficeName, manager, userAccountControl, distinguishedName, userPrincipalName"
| table sAMAccountName, name, cn, lastLogonTimestamp, Enabled, distinguishedName, userPrincipalName

Any assistance is greatly appreciated.
Which is more beneficial: workload/usage-based licensing or daily ingest? Any useful SPL would help a lot. Thanks very much in advance.
I have an index with a mv field (parts), and I want to match a value in that field against a csv file but only return that matching value. Currently, all parts are returned if any of the parts match the csv. This is what I'm using:

index=inventory sourcetype=parts [inputlookup xyz.csv | table pnum | rename pnum as parts_num] | table parts_num year vendor model

The problem is that parts_num is mv, so it will return all parts in the index. How can I return only the rows with pnum from the csv? I only want the year, vendor and model that match the csv.
Hello, I am seeing the below warning on our SH after Splunk Cloud performed a restart at the backend when I uninstalled an app from our Splunk SH.

Error: Root Cause(s): The percentage of non high priority searches skipped (100%) over the last 24 hours is very high and exceeded the red thresholds (20%) on this Splunk instance. Total Searches that were part of this percentage=12. Total skipped Searches=12

I identified the searches that were skipped using the cloud monitoring console. Are there any troubleshooting steps to fix this message, since we are still seeing the SH health condition as RED? Thanks
How do I extract values from the below log using rex?

Log: {Attribute(name=xyz, values={'1'}), Attribute(name=attempts, values={'2'}), Attribute(name=Count, values={'0'}), Attribute(name=MemberNumber, values={'31234'})}

Result in table: 1 2 0 31234
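The two extraction questions above (pulling the user out of duser=DOMAIN\\User, and pulling the values out of the Attribute(name=..., values={'...'}) log) both come down to a named-group regex. The Python below is an added example, not code from either poster, run over sample lines constructed from the posts; the function names and the extra sample lines are my own. The same two patterns can be used in Splunk's rex, which takes PCRE's (?<name>...) group syntax rather than Python's (?P<name>...), with max_match=0 for the repeated Attribute(...) entries.

```python
import re

# Sample inputs constructed from the two posts above (not real log data).
DUSER_LINES = [
    r"duser=DOMAIN\User",                          # single backslash, as CEF normally carries it
    r"duser=DOMAIN\\User",                         # doubled backslash, as shown in the post
    r"duser=User",                                 # no domain prefix at all
    r"src=10.0.0.1 duser=CORP\jdoe dst=10.0.0.2",  # field embedded in a longer line
]

ATTR_LOG = (
    "{Attribute(name=xyz, values={'1'}), Attribute(name=attempts, values={'2'}), "
    "Attribute(name=Count, values={'0'}), Attribute(name=MemberNumber, values={'31234'})}"
)

# Optional DOMAIN\ prefix (one or more backslashes), then the user up to the next whitespace.
DUSER_RE = re.compile(r"duser=(?:[^\s\\]+\\+)?(?P<user>\S+)")

# One Attribute(...) entry: the name runs up to the comma, the value sits inside values={'...'}.
ATTR_RE = re.compile(r"Attribute\(name=(?P<name>[^,]+), values=\{'(?P<value>[^']*)'\}\)")


def extract_user(line):
    """Return the user part of duser=, with any DOMAIN\\ prefix removed, or None if absent."""
    m = DUSER_RE.search(line)
    return m.group("user") if m else None


def parse_attributes(line):
    """Return {name: value} for every Attribute(...) entry in the line."""
    return {m.group("name"): m.group("value") for m in ATTR_RE.finditer(line)}


def attribute_values(line):
    """The values in the order they appear, i.e. the row the post wants in its table."""
    return [m.group("value") for m in ATTR_RE.finditer(line)]


if __name__ == "__main__":
    for sample in DUSER_LINES:
        print(sample, "->", extract_user(sample))
    print(parse_attributes(ATTR_LOG))
    print(" ".join(attribute_values(ATTR_LOG)))
```

Keeping the user pattern anchored on the literal duser= key and stopping at whitespace matters: a bare \\(\S+) would also match other backslash-containing fields on the same line, and a greedy .* after the backslash would swallow the rest of the event.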
Hello Team, we have Splunk ITSI version 4.7.1 running in Splunk Production, and the plan is to upgrade to 4.9.1 in QA and DEV first, followed by Splunk Production. I have upgraded to the new version 4.9.1 in DEV. When I try to restore prod and set it up in QA, so that I can perform the complete upgrade with KPIs and entities, the restore job is failing. I even tried reverting to the older version (4.7.1) and restoring the configurations in QA, but the job is still failing, whereas the backup was working fine, so I need your suggestions.
We need to get Windows Print Spooler logs into Splunk but are not sure where to start. The specific event codes are generated and viewable in Windows Event Viewer (Applications and Services\Microsoft\Windows\PrintService\Operational), codes 307 and 800. If anyone can point me in the right direction, that would be great. Thanks!
I am trying to look for accounts which are not active anywhere in the network.

(index=network user=*) OR (index=okta SamAccountName=*)
| eval InActive_Accounts=if(user==SamAccountName, "Active", "NotActive")
| table user, SamAccountName, InActive_Accounts

I tried it with coalesce as well but am not getting any result.
I have a request that the version of Java on the HFs needs to be updated, or that Java be removed. Is Java needed for the functional operation of the Heavy Forwarders?

[xxxxxxxxxxxx ~]$ java -version
openjdk version "1.8.0_302"
OpenJDK Runtime Environment (build 1.8.0_302-b08)
OpenJDK 64-Bit Server VM (build 25.302-b08, mixed mode)

[xxxxxxxxxx ~]$ which java
/usr/bin/java
Splunk searches skipped: error messages on the Cluster Master console

The percentage of non high priority searches skipped (44%) over the last 24 hours is very high and exceeded the red thresholds (20%) on this Splunk instance. Total Searches that were part of this percentage=1608..... Total skipped Searches=720...
These are dashboards which are scheduled to be emailed out at 8am every morning. The dashboard widgets contain data from the previous 24 hours. Occasionally, certain panels in the emailed report will show "No results found." If I go to the dashboard immediately after it is emailed out and this message is displayed, the results are populated within seconds, no problem. It seems that for some reason the results are not making it into the report. Again: within seconds of the emailed report being sent out with "No results found", the dashboard can be run manually and the results populate quickly. So it appears the results are available at the time of report generation. It is not always the same panel that displays "No results found".
I'm configuring the SOAR/Phantom app Splunk HTTP. I've set it up to use OAuth and provided the authentication URL and the client ID and secret. When I test connectivity it says the action failed with: "1 action failed Error fetching token from https://api.domain/oauth2/token. Server returned 201". The thing is, the API is supposed to return a 201 when the authentication succeeds. Is there a place to edit the app to allow a 201 response as a successful request?
More for anyone else who runs into this issue than for myself. I experienced an issue where the custom nav menu of my app was not displaying on my dashboards. (The entire app menu bar was gone actually, so it didn't even show the app logo/name.) For reference, the screenshot below is the portion I am referring to.

I had a nav/default.xml like the following:

<nav>
  <view name="your_app_3.0_here_dashboard1" default='true' />
  <view name="your_app_3.0_here_dashboard2" />
</nav>

I combed through the entire app, permissions, local/default precedence, etc. After hours, I just ended up creating a new app and cloning the dashboard with a random name, and the nav menu worked as expected. I did it again but with the original view name and it stopped working again; that's how I came to the solution. The issue was having a "." in the view name. I didn't go as far as to identify whether it was the view name itself having an issue or the nav XML not recognizing it, for whatever reason. Renaming to "your_app_3_here_dashboard1" resolved the issue.

TL;DR: if your dashboard isn't displaying your nav menu, try getting rid of special characters in your view name.