All Topics

I need to extract the image name from a field, but I'm not getting it using rex. Can you help me identify what the error is? When testing the regex via the website regex101 it works.

index=teste | rex field=_raw "kubernetes_container_image: (?<container>.*)"

Sample data:

app: teste-app
cluster_account: teste-prod
kubernetes_container_image: rw-tested-001
app: teste-app2
cluster_account: teste-homolog
kubernetes_container_image: 1232ds-teste--002
app: teste-app3
cluster_account: teste-prod
kubernetes_container_image: rwteste-003
app: teste-app4
cluster_account: teste-homolog
kubernetes_container_image: teste-001
app: teste-app5
cluster_account: teste-prod
kubernetes_container_image: teste-001
app: teste-app6
cluster_account: teste-homolog
kubernetes_container_image: teste-001
Splunk Enterprise v8.21 and the dashboard Export function is still broken when using savedsearch.   What is the timeline for getting this fixed?
Hello,

We encounter this type of message on the Splunk Search Head, which causes a restart of the splunk service and delays on the Splunk web login page and in dashboard display. Have you encountered this type of problem? If so, what is it (this type of message is not clear)?

Splunk Enterprise, Search Head 8.x.x

Thank you

[build 545206cc9f70] 2021-08-27 11:21:24
Received fatal signal 11 (Segmentation fault).
 Cause:
   No memory mapped at address [0x0000000000000008].
 Crashing thread: BundleReplicatorThread
 Registers:
    RIP:  [0x00007F5BF348CC24] ? (libjemalloc.so.2 + 0x11C24)

Sep 21 10:13:16 prpgv-splksh01c kernel: [4960554.728167] splunkd[26359]: segfault at 8 ip 00007f2b51845c24 sp 00007f2b279fc868 error 6 in libjemalloc.so.2[7f2b51834000+49000]
Hi

I am starting to work with dashboards in the Splunk Dashboard Studio application (Splunk Cloud). I need to increase the font size of the text inside the table. Can anyone please help with this?

"ds_search_1_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new_new": {
    "type": "ds.search",
    "options": {
        "query": "My Query",
        "queryParameters": {
            "earliest": "-15m",
            "latest": "now"
        }
    }
},
Hi Team,

Please give some suggestions on how to monitor Citrix XenServer for CPU and memory.
I'm working with JSON data and the structure is as per the below:

data: {
    application: { ... }
    completedAt: 1636133794444
    environments: [
        { id: XNu1-l8oROOOSM5gpoSR0g }
        { id: _LY0B7VpRq64tHXq7Uy55A }
        { id: 7KbvgSBMSUSUyAn2hMXSQA }
        { id: dJ7EuItjSG2M47-zvIvimQ }
    ]
}

Now when I use a case function for this like the below:

|eval env = case('data.environments{}.id'=="7KbvgSBMSUSUyAn2hMXSQA", "prd-au", 'data.environments{}.id'=="_LY0B7VpRq64tHXq7Uy55A", "prd-gb")

It only ever brings me back 1 result, and that's whatever is placed first in the case function, so the above returns prd-au, and if I swap the values around then it will return prd-gb. I presume this is something to do with how the JSON data is working with Splunk, causing it to error out, but I'm unsure how to resolve it. Any ideas?
I have a JavaScript that I will be invoking from a dashboard to perform validation on a field of user input, such that the field shouldn't contain any double quotes OR shouldn't contain any padded spaces at the beginning or the end of the string. Need help with the regex to match the above condition. The script looks like this:

<form script="field_validation.js">
  <label>Url Validation</label>
  <fieldset submitButton="false">
    <input type="text" token="tkn_fld" id="tkn_fld_id">
      <label>URL</label>
    </input>
  </fieldset>
</form>

====================================
field_validation.js

require([
    'underscore',
    'splunkjs/mvc',
    'jquery',
    "splunkjs/mvc/simplexml/ready!"
], function(_, mvc, $) {
    // Look up the text input by its id and validate on every change
    var tkn_fld = splunkjs.mvc.Components.getInstance("tkn_fld_id");
    tkn_fld.on("change", function(e) {
        console.log(e);
        // e.preventDefault();
        if (!isUrlValid(e)) {
            alert("Enter Valid URL");
            return false;
        }
    });
    function isUrlValid(userInput) {
        console.log(userInput);
        var res = userInput.match( NEED HELP TO WRITE THE REGEX HERE );
        if (res == null)
            return false;
        else
            return true;
    }
});
Actually I created several dashboards in Splunk using the chart command to look at aggregation w.r.t. multiple fields, and it was working. After my backend team updated the Splunk plugins like https://splunkbase.splunk.com/app/3117/ and https://splunkbase.splunk.com/app/3137/, none of the dashboards where I used the "chart" command are working. Please let me know how I can solve this. Thanks in advance.
We are collecting Syslog and Windows Event Log information in Azure Log Analytics. We're also using the Splunk Add-on for Microsoft Cloud Services for transferring AD audit logs to Splunk via Event Hub. Does the add-on support the import of Syslog logs via Event Hub, or will they not be parsed properly? Any other best practices for transferring these types of data? IT doesn't want to install any additional agents.
We've just installed Mandiant Advantage App and I was hoping someone else here could provide some guidance on what to do after installation and configuration of api keys.
I want to set a color for the output of a column if its date matches the current date or two days before the current date.
While trying to list the base searches, the context menu redirects to http://<search_head_server>.local:8000/en-GB/app/itsi/kpi_base_searches_lister. However, an empty page is returned. The browser inspector indicated a 404 (Not Found) error. Any pointers?
Hello, until a few weeks ago we were using the site https://www.splunk.com/page/securityportal to check for Splunk vulnerabilities, but the structure of the page changed and now there is no information about the last known vulnerability. Can you redirect me to the new site, if it exists, or to other ways to check Splunk-related vulnerabilities? Thank you.
I've got the service monitoring in place and now I want to run ad-hoc tests. How do we spoof fake alarms and see how the impact relationships within the service model change? I figured out the following two options:

1. Use stressors (Linux stress-ng, https://www.mankier.com/1/stress-ng#Examples) on the servers to increase or decrease the resource consumption. This option is not so fast for customer demonstrations when it comes to breaking and fixing things quickly.
2. Ingest fake alarms using HEC into the itsi_tracked_alerts index. I managed to get this working using curl; however, the event doesn't seem to associate with the metrics.

Do you have any tips for achieving this use case? Are there any other options available?
Hello!

My objective is to be able to use JavaScript to overlay buttons onto a Splunk table viz, listen for a click, and then do something upon clicking. I've managed to overlay the buttons but I'm not sure how to listen for a click. If I add buttons to the dashboard via an html tag then it seems that the listener gets added automatically.

Below is a run-anywhere dashboard + JavaScript containing:
- An HTML table with two buttons added to the cells in dashboard XML
- A Splunk table with two buttons added to the cells using JavaScript

All buttons have been assigned the class "html_button". The click listener that I associated to the "html_button" class only works with the HTML table. How do I add a listener to the JavaScript overlay buttons?

Thank you and best regards,
Andrew

---------------------------------------
Dashboard

<dashboard script="overlayTable.js">
  <label>Buttons and Listeners</label>
  <row>
    <panel>
      <title>Buttons added to HTML table</title>
      <html>
        <table>
          <tr>
            <th>Button</th>
          </tr>
          <tr>
            <td>
              <button type="button" class="html_button">x</button>
            </td>
          </tr>
          <tr>
            <td>
              <button type="button" class="html_button">x</button>
            </td>
          </tr>
        </table>
      </html>
    </panel>
    <panel>
      <title>Buttons added to Splunk table using Javascript overlay</title>
      <table id="tableVizualization">
        <search id="searchObject">
          <query>| makeresults | eval Button = "x" | append [| makeresults | eval Button = "x"] | table Button</query>
          <earliest>0</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

overlayTable.js

require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc, TableView) {
    // Add overlay buttons to table
    var CustomRangeRenderer = TableView.BaseCellRenderer.extend({
        canRender: function(cell) {
            return _(["Button"]).contains(cell.field);
        },
        render: function($td, cell) {
            var strCellValue = cell.value;
            if (cell.field === "Button") {
                var strHtmlInput = "<button type='button' class='html_button'>x</button>";
                $td.append(strHtmlInput);
            }
        }
    });

    // Render table
    mvc.Components.get('tableVizualization').getVisualization(function(tableView) {
        tableView.addCellRenderer(new CustomRangeRenderer());
    });

    // Listener for html_button class
    $('.html_button').on("click", function (e) {
        alert("Button clicked!");
    });
});
Hi AppDynamics Gurus,

I am new here and am trying AppDynamics with a trial license. I have installed the machine agent via rpm on my 3 Linux servers: 2 of them had JavaHardwareMonitor enabled and the other had HardwareMonitor enabled. According to the log files, all 3 machine agents started successfully. However, nothing is displayed in the controller dashboard. From the log files, all of the agents are at:

INFO ServersDataCollector - Started servers data collector - DataCollectorConfig(samplingInterval=30001, componentNames=[remote.volumes, partitions])
INFO ServersDataCollector - Started servers data collector - DataCollectorConfig(samplingInterval=3000, componentNames=[memory, partitions, volumes, cpus])

May I know what I should do to have the data displayed? By the way, the machine agent I am using is appdynamics-machine-agent-21.10.0.3188.x86_64.rpm.

Thanks.
Jason
Hi All, @ehaddad_splunk

We have recently upgraded the Splunk core version to 8.2 and upgraded the SolarWinds add-on to 1.2.0, but since then the configuration page is not loading and I see this error:

"Unable to initialize modular input "solwarwinds_query" defined in the app "Splunk_TA_SolarWinds": Introspecting scheme=solwarwinds_query: script running failed (PID 7531 exited with code 1).."

There are also other errors in the Splunk logs:

11-08-2021 17:06:29.732 +1100 ERROR AdminManagerExternal [8127 TcpChannelThread] - Stack trace from python handler:
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/splunktaucclib/rest_handler/handler.py", line 117, in wrapper
    for name, data, acl in meth(self, *args, **kwargs):
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/splunktaucclib/rest_handler/handler.py", line 179, in all
    **query
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/solnlib/packages/splunklib/binding.py", line 289, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/solnlib/packages/splunklib/binding.py", line 71, in new_f
    val = f(*args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/solnlib/packages/splunklib/binding.py", line 679, in get
    response = self.http.get(path, all_headers, **query)
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/solnlib/packages/splunklib/binding.py", line 1183, in get
    return self.request(url, { 'method': "GET", 'headers': headers })
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/solnlib/packages/splunklib/binding.py", line 1244, in request
    raise HTTPError(response)
solnlib.packages.splunklib.binding.HTTPError: HTTP 404 Not Found -- {"messages":[{"type":"ERROR","text":"Not Found"}]}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 151, in init
    hand.execute(info)
  File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 637, in execute
    if self.requestedAction == ACTION_LIST: self.handleList(confInfo)
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/splunk_aoblib/rest_migration.py", line 39, in handleList
    AdminExternalHandler.handleList(self, confInfo)
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper
    for entity in result:
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/splunktaucclib/rest_handler/handler.py", line 122, in wrapper
    raise RestError(exc.status, str(exc))
splunktaucclib.rest_handler.error.RestError: REST Error [404]: Not Found -- HTTP 404 Not Found -- {"messages":[{"type":"ERROR","text":"Not Found"}]}

11-08-2021 17:06:29.823 +1100 ERROR AdminManagerExternal [8131 TcpChannelThread] - Stack trace from python handler:
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/splunktaucclib/rest_handler/handler.py", line 117, in wrapper
    for name, data, acl in meth(self, *args, **kwargs):
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/splunktaucclib/rest_handler/handler.py", line 179, in all
    **query
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/solnlib/packages/splunklib/binding.py", line 289, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/solnlib/packages/splunklib/binding.py", line 71, in new_f
    val = f(*args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/solnlib/packages/splunklib/binding.py", line 679, in get
    response = self.http.get(path, all_headers, **query)
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/solnlib/packages/splunklib/binding.py", line 1183, in get
    return self.request(url, { 'method': "GET", 'headers': headers })
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/solnlib/packages/splunklib/binding.py", line 1244, in request
    raise HTTPError(response)
solnlib.packages.splunklib.binding.HTTPError: HTTP 404 Not Found -- {"messages":[{"type":"ERROR","text":"Not Found"}]}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 151, in init
    hand.execute(info)
  File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 637, in execute
    if self.requestedAction == ACTION_LIST: self.handleList(confInfo)
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/splunk_aoblib/rest_migration.py", line 39, in handleList
    AdminExternalHandler.handleList(self, confInfo)
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper
    for entity in result:
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/splunktaucclib/rest_handler/handler.py", line 122, in wrapper
    raise RestError(exc.status, str(exc))
splunktaucclib.rest_handler.error.RestError: REST Error [404]: Not Found -- HTTP 404 Not Found -- {"messages":[{"type":"ERROR","text":"Not Found"}]}

11-08-2021 17:05:49.497 +1100 ERROR ModularInputs [7481 MainThread] - Unable to initialize modular input "solwarwinds_query" defined in the app "Splunk_TA_SolarWinds": Introspecting scheme=solwarwinds_query: script running failed (PID 7531 exited with code 1)..
We are trying to install the universal forwarder version 8.0.9 but are unable to start Splunk on this server due to the following errors. Please find the screenshot below.

$ cd /splunk/splunkforwarder/bin
$ ./splunk start --accept-license

I went through the shared article, but it ended with no solution: Unable to start Splunk universal forwarder on AIX ... - Splunk Community

Kindly advise us.
Hello everyone, I installed the Telegram Alert Action app (https://splunkbase.splunk.com/app/3703/) on my Search Head server (Splunk Enterprise 8.0.6) successfully. But when I add the Telegram Alert action for alerts, I cannot see any of its configurations, as in the image below. Could anyone tell me what this issue is? Thanks very much!
Need help to extract the value between 2 fields, e.g. below:

"status":"Active", "birthDate":"xxxx-03-06",

I am trying the below:

rex field=details "\"status\"\:\"(?<contactStatus>[^\n\r\",]+)*\"birthDate\""

NOTE: there is another status field, so I am trying to use this option, as I know "birthDate" follows the "status" field. Thanks for your help in advance.