All Topics
Hi all! Pretty new to Splunk, so just seeing if this is even possible. I have 2 lookups I have created: one that is users who are in our privileged access AD group (admins), and the other that is machines that are in the same group. What I am trying to do is see who from the USER lookup has logged into which machine in the MACHINE lookup, by using the auth logs that are pumped into Splunk. I am trying the search below but I don't seem to be getting anywhere with it:

    index=auth EventCodeDescription="An account was successfully logged on" [|inputlookup users.csv][| inputlookup machines.csv]

I've also tried the below, but also no luck:

    index=auth EventCodeDescription="An account was successfully logged on" user=inputlookup users.csv src=inputlookup machines.csv

Any help from the community would be great!
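Added example (editor's, not the poster's search) of correlating the two lookups with the logon events. It assumes users.csv has a column literally named user and machines.csv a column named dest, and that the logon events carry user and dest (the logged-into host, as the Windows add-on maps it for 4624; if machines.csv lists where logons originate, use src instead). Each subsearch expands to (user="alice") OR (user="bob") ..., which is why the CSV column name has to match the event field name exactly.

```spl
index=auth EventCodeDescription="An account was successfully logged on"
    [| inputlookup users.csv | fields user ]
    [| inputlookup machines.csv | fields dest ]
| stats count AS logons
        min(_time) AS first_seen
        max(_time) AS last_seen
    BY user dest
| convert ctime(first_seen) ctime(last_seen)
| sort - logons
```

If the CSV column is named differently (for example sAMAccountName), add | rename sAMAccountName AS user inside the subsearch. Subsearch output is capped (10,000 rows by default), so for a large privileged group filter with the lookup command instead: | lookup users.csv user OUTPUT user AS priv_user | lookup machines.csv dest OUTPUT dest AS priv_host | where isnotnull(priv_user) AND isnotnull(priv_host).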
We are planning to upgrade from Splunk 7.3 to 8.2.3. I am documenting the Python upgrading process. So is Python upgraded once during the upgrade from 7.x to 8.x, and another time during the upgrade from 8.x to 8.2.3? Meaning Python is upgraded twice for us? And if you would please elaborate on the Do's & Don'ts to watch for during the Python upgrade. We do have Splunk Ent. plus ES & roughly 60 Apps & TAs. Thanks a million in advance.
I am new to Splunk. I wanted to know how I can parse data for site monitoring for particular URLs. How do I know if I have relevant URL data coming in, and how do I instrument it?
Hi Splunk Community, I was wondering if it was possible to have a chart that was made up from 3 fields. I have already built a chart that has columns for each Account, where each column is stacked with the Action:

    | chart count by Account, Action

Can I break it down into days using the _time field, so it counts by day?

Example of data:

    _time                    Account   Action
    2021-10-20 10:04:03.778  account1  Delete
    2021-10-21 11:04:03.778  account2  Write
    2021-10-21 11:05:03.778  account1  Write

Thank you, Zoe
Hi Guys, I am getting this error in splunkd.log:

    ERROR TcpInputProc - Error encountered for connection from src=my_searchhead_ip:36786. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Using Splunk 7.3.3 Enterprise version. We are trying to send logs from one Splunk instance (7.3.3) in one geography to another geography (Splunk Enterprise Security) over the internet. Splunk shows we have established a successful connection between the 2 geographies, but data/logs are not getting sent. We assume that this is the error which is not letting us send the data from one instance to another over the internet. Any help would be very useful; let me know if you need more info on the same.
I have a list of identifiers I need to query Splunk for results for, and then display the identifiers that Splunk didn't find any results for. Can someone point me in the right direction on how to accomplish this in a single search?
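Added example (editor's, not the poster's search) that reports the identifiers with zero matching events in one search. It assumes the list lives in a lookup identifiers.csv with a column named id, that the events carry an extracted field also named id, and an index name myindex; all three are placeholders.

```spl
| inputlookup identifiers.csv
| fields id
| eval count=0
| append
    [ search index=myindex [| inputlookup identifiers.csv | fields id ]
      | stats count BY id ]
| stats sum(count) AS count BY id
| where count=0
| table id
```

The outer inputlookup seeds every identifier with a count of 0, the appended search adds the real counts for the ones that were found, and the final stats sum collapses both per id, so only the never-seen identifiers survive the where. Both subsearches are subject to the subsearch limits (10,000 rows for the inner filter, 50,000 for append by default), so for very long lists split the list or run the inner search over a narrower time range.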
Hi, I have a log like this and need to find where an unusual time gap between "Packet Processed" and "Send Packet" exists.

this is normal (001)
    2021-10-25 08:59:50,725 INFO CUS.AbCD-VW2-1234567890 [FlowProcessorService] Packet Processed:
    2021-10-25 08:59:50,726 INFO CUS.AbCD-VW2-1234567890 [AppClientManager] Send Packet

this is normal (035)
    2021-10-25 08:59:52,730 INFO CUS.AbCD-VW2-0987654321 [FlowProcessorService] Packet Processed:
    2021-10-25 08:59:52,735 INFO CUS.AbCD-VW2-0987654321 [AppClientManager] Send Packet

this is NOT normal (5:230)
    2021-10-25 08:59:54,725 INFO CUS.AbCD-VW2-1478523699 [FlowProcessorService] Packet Processed:
    2021-10-25 08:59:59,955 INFO CUS.AbCD-VW2-1478523699 [AppClientManager] Send Packet

this is NOT normal (1:100)
    2021-10-25 08:59:58,705 INFO CUS.AbCD-VW2-9632587411 [FlowProcessorService] Packet Processed:
    2021-10-25 08:59:59,805 INFO CUS.AbCD-VW2-9632587411 [AppClientManager] Send Packet

this is NOT normal (100)
    2021-10-25 08:59:59,800 INFO CUS.AbCD-VW2-3333322222 [FlowProcessorService] Packet Processed:
    2021-10-25 08:59:59,950 INFO CUS.AbCD-VW2-3333322222 [AppClientManager] Send Packet

This is a huge log; imagine lots of lines like this written to the log file without order, as I sorted them above. I need to know when the count of unusual time gaps increases. As written to the file:

    2021-10-25 08:59:50,725 INFO CUS.AbCD-VW2-1234567890 [FlowProcessorService] Packet Processed:
    2021-10-25 08:59:50,726 INFO CUS.AbCD-VW2-1234567890 [AppClientManager] Send Packet
    2021-10-25 08:59:52,730 INFO CUS.AbCD-VW2-0987654321 [FlowProcessorService] Packet Processed:
    2021-10-25 08:59:52,735 INFO CUS.AbCD-VW2-0987654321 [AppClientManager] Send Packet
    2021-10-25 08:59:54,725 INFO CUS.AbCD-VW2-1478523699 [FlowProcessorService] Packet Processed:
    2021-10-25 08:59:58,705 INFO CUS.AbCD-VW2-9632587411 [FlowProcessorService] Packet Processed:
    2021-10-25 08:59:59,800 INFO CUS.AbCD-VW2-3333322222 [FlowProcessorService] Packet Processed:
    2021-10-25 08:59:59,805 INFO CUS.AbCD-VW2-9632587411 [AppClientManager] Send Packet
    2021-10-25 08:59:59,950 INFO CUS.AbCD-VW2-3333322222 [AppClientManager] Send Packet
    2021-10-25 08:59:59,955 INFO CUS.AbCD-VW2-1478523699 [AppClientManager] Send Packet

FYI: unusual time gaps means increased time between "Packet Processed" & "Send Packet". Any idea? Thanks,
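Added example (editor's, not the poster's search) that pairs the two stages per packet ID regardless of the order the lines arrive in, measures the gap, and counts unusual gaps per minute. It assumes each log line is its own event with _time parsed to millisecond precision, an index app and sourcetype flow_log (placeholders), and a threshold of 100 ms for "unusual", taken from the poster's own labelling of the sample lines.

```spl
index=app sourcetype=flow_log ("Packet Processed" OR "Send Packet")
| rex field=_raw "INFO\s+(?<pkt_id>CUS\.\S+)\s+\[(?<component>[^\]]+)\]\s+(?<stage>Packet Processed|Send Packet)"
| eval processed_time=if(stage=="Packet Processed", _time, null()),
       sent_time=if(stage=="Send Packet", _time, null())
| stats min(processed_time) AS processed_time
        max(sent_time) AS sent_time
    BY pkt_id
| where isnotnull(processed_time) AND isnotnull(sent_time)
| eval gap_ms=round((sent_time - processed_time) * 1000)
| eval unusual=if(gap_ms > 100, 1, 0)
| eval _time=processed_time
| bin _time span=1m
| stats count AS packets
        sum(unusual) AS unusual_packets
        max(gap_ms) AS max_gap_ms
        p95(gap_ms) AS p95_gap_ms
    BY _time
| eval pct_unusual=round(100 * unusual_packets / packets, 1)
```

On the ten sample lines above this yields one row for the 08:59 minute: packets=5, unusual_packets=3 (gaps of 5230, 1100 and 150 ms), max_gap_ms=5230, pct_unusual=60.0. Because the pairing is done with stats BY pkt_id, the interleaving in the file does not matter. If both lines of a pair end up inside a single multi-line event, add max_match=0 to rex and split with mvexpand first; and if the timestamp lacks milliseconds in _time, set TIME_FORMAT with %3N in props.conf at index time, since a 1 ms gap cannot be measured from whole seconds.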
I have an initial query with one index name (index1) which shows the F10N, F10W, F11 etc. values in one chart, but the F6 value comes from a different index (index2). How should I combine that F6 value into one chart?

index1:
    MicronSite IN($input_site$) index=mtparam sourcetype=CommandTimesByArea | rex field=_raw "Fabwide:AvgTotalTrackoutTime\s+(?<AvgTotalTrackoutTime>\d+)" | timechart span=12h avg(AvgTotalTrackoutTime) aligntime=@d+7h by MicronSite

index2:
    MicronSite=F6 index=mfg source=command_times area_id=Fabwide command_name IN (SigmaRunComplete,MESLotTrackOut) | timechart partial=f span=12h aligntime=@d+7h avg(avg) by command_name | addtotals fieldname=AvgTotalTrackoutTime
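Added example (editor's, not the poster's searches) that merges the two sources into one series per site. It keeps the poster's own semantics: sites from index1 are the per-bucket average of AvgTotalTrackoutTime, and F6 is the sum of the two per-command averages (what the addtotals did), with both pre-bucketed on the same 12h/aligntime grid so a single timechart can draw them. The $input_site$ token is the poster's; the field name value is a placeholder.

```spl
index=mtparam sourcetype=CommandTimesByArea MicronSite IN($input_site$)
| rex field=_raw "Fabwide:AvgTotalTrackoutTime\s+(?<AvgTotalTrackoutTime>\d+)"
| bin _time span=12h aligntime=@d+7h
| stats avg(AvgTotalTrackoutTime) AS value BY _time MicronSite
| append
    [ search index=mfg source=command_times MicronSite=F6 area_id=Fabwide command_name IN (SigmaRunComplete,MESLotTrackOut)
      | bin _time span=12h aligntime=@d+7h
      | stats avg(avg) AS value BY _time command_name
      | stats sum(value) AS value BY _time
      | eval MicronSite="F6" ]
| timechart span=12h aligntime=@d+7h max(value) BY MicronSite
```

max(value) in the final timechart is only a pass-through: after the stats steps there is exactly one value per bucket and site, so no second averaging happens. The append subsearch is limited to 50,000 rows by default, which is more than enough after the inner stats has already reduced the F6 data to one row per 12h bucket.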
I'm really annoyed. I am using SPLUNK Enterprise and I'm literally trying to parse out some JSON (basically a String) from my Splunk logs that has linebreaks after each field/key in the JSON string result, i.e.

    Some random search results here
    {
    key1: value1
    key2: value2
    key3: value3
    },
    some log message here

.... Like .* and many other REGEX chars work just fine in the search for some reason. I tried all combinations of [\r\n\s]+ and such and get 0 results, despite it working just fine in the regex101.com online sandbox environment. I think I read online from my searches that Splunk logs don't preserve the linebreaks, but if it doesn't do that, then what is the final result looking like? Because I tried querying without whitespaces, or linebreaks, and every combination under the sun, and never got a "hit" back on my search results. Also, I'm not using any of that REX crap as I don't need to extract anything; I just wanted to filter and maybe do a stats count on my results. Can anyone provide a simple solution please? Thank you!
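Added example (editor's, not the poster's search) showing the filter done with the regex command. Terms before the first pipe are matched as indexed tokens, not as a regular expression, so [\r\n\s]+ in the base search never matches anything; the line breaks are still present in _raw, and regex runs PCRE against _raw. The index and sourcetype names are placeholders; the pattern follows the poster's sample block.

```spl
index=myindex sourcetype=myapp key1 key2 key3
| regex _raw="(?s)\{\s*key1:\s*value1\s+key2:\s*value2\s+key3:\s*value3\s*\}"
| stats count
```

The bare words key1 key2 key3 in the base search only narrow the candidate events cheaply; the regex does the real filtering, \s+ absorbs the line breaks between keys, and (?s) is only needed if you use . to span lines. A negative filter is the same command with regex _raw!="...".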
Hello, I am a user of some dashboards and not an admin/dev. Is it possible that I get an email whenever the search code of a dashboard changes? Thanks!
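Added example (editor's, not the poster's) of a search that can be saved as an alert with an email action to report dashboard edits. It assumes the edits go through Splunk Web or the REST API, which splunkd records in the splunkd_access log under _internal as a POST to the view's endpoint; reading _internal normally needs an admin, so an admin would have to own the alert. The owner/app/view capture is an assumption about the servicesNS path layout.

```spl
index=_internal sourcetype=splunkd_access method=POST uri_path="*/data/ui/views/*" status=200
| rex field=uri_path "/servicesNS/(?<owner>[^/]+)/(?<app>[^/]+)/data/ui/views/(?<view>[^/?]+)"
| where isnotnull(view)
| stats count AS changes
        values(user) AS changed_by
        min(_time) AS first_change
        max(_time) AS last_change
    BY app view
| sort - last_change
| convert ctime(first_change) ctime(last_change)
```

Schedule it over the last hour (or the alert's own interval) and trigger when results are greater than zero. Caveats: creating a brand-new view posts to the collection endpoint without a view name and is not caught by this pattern; changes made by editing the XML files on disk or pushed by a deployment never appear in splunkd_access, so for a complete record you also need to watch the files themselves.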
Hi folks, Splunk Enterprise version 7.1.0. I have a dashboard with many daily scheduled reports, one panel for each. The report scheduling works normally, and I can see the latest report in "View recent", but my dashboard does not load the latest report. I tried adding autorefresh, or manually clicking the refresh button on each panel, but it still displays the old report.

    <dashboard refresh="30">
      <label>My Dashboard</label>
      <row>
        <panel>
          <title>Panel 1 title</title>
          <table>
            <search ref="Report - Panel 1"></search>
            <option name="count">10</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
          </table>
        </panel>
        <panel>
          <title>Panel 2</title>
          <table>
            <search ref="Report - Panel 2"></search>
            <option name="count">10</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
          </table>
        </panel>
      </row>
    </dashboard>

I checked around the Splunk forum, but none of the solutions worked for me. What should I do to have this work properly? TIA.
Hello, I am looking for Splunk 7.2.1 to simulate a customer environment for troubleshooting and upgrade simulation. I would appreciate it if anyone could share the download links or the binaries; that would be really helpful. TIA. mvRishipur.
How will I use Splunk to investigate an Excessive Failed Login alert, and what are the things to look for? Thanks,
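Added example (editor's, not part of the question) of a first triage search for a failed-login alert. It assumes Windows Security events in index=auth with the field names the Splunk Add-on for Windows produces (EventCode, user, src, Logon_Type, Sub_Status); the 20-failure cutoff is an arbitrary starting point. It pivots on the source, because the two questions to answer first are "is one source hammering many accounts?" and "did any of those sources eventually succeed?".

```spl
index=auth (EventCode=4625 OR EventCode=4624) earliest=-24h
| eval outcome=if(EventCode=="4625", "fail", "success")
| stats count(eval(outcome=="fail")) AS failures
        count(eval(outcome=="success")) AS successes
        dc(user) AS distinct_users
        values(eval(if(outcome=="fail", Sub_Status, null()))) AS fail_reasons
        values(eval(if(outcome=="fail", Logon_Type, null()))) AS logon_types
        min(eval(if(outcome=="fail", _time, null()))) AS first_fail
        max(eval(if(outcome=="success", _time, null()))) AS last_success
    BY src
| where failures >= 20
| eval success_after_failures=if(successes > 0 AND last_success > first_fail, "yes", "no")
| sort - failures
| convert ctime(first_fail) ctime(last_success)
```

What to read off the result: a high distinct_users with a single source is password spraying, many failures against one user is brute force, and success_after_failures="yes" is the row to escalate. The Sub_Status codes tell you what the attacker knows: 0xC0000064 (user name does not exist) indicates account enumeration, 0xC000006A (wrong password) indicates valid usernames being tested, 0xC0000234 means the account locked out. Logon_Type 3 is a network logon (SMB, LDAP, WinRM), 10 is RDP, and 2 is interactive at the console. Re-run the search BY user instead of src to see whether the targets are service or privileged accounts, then widen earliest to see when the source first appeared.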
Actually I downloaded the trial version but I can't log in; it shows one error, username and password wrong. How can I log in to the Splunk trial version?
Hi Everyone, I need to compare 2 fields with the like command but I can't do it, even though I tried many solutions. For example:

    event1  field1="raceCar"  field2="car"
    event2  field1="trying"   field2="hello"
    event3  field1="splunk"   field2="helloSplunkEnterprise"

Desired result:

    event1  result=hit
    event2  result=miss
    event3  result=hit

I tried | eval results= if (match()) but it didn't work. Is there any suggestion about this SPL? Thanks a lot for your help.
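Added example (editor's, not the poster's) that reproduces the three sample events with makeresults and flags a hit when either field contains the other, case-insensitively, which is what the desired result implies (car inside raceCar, splunk inside helloSplunkEnterprise). The constructed rows are the poster's sample data; nothing else is assumed.

```spl
| makeresults count=3
| streamstats count AS n
| eval field1=case(n==1, "raceCar", n==2, "trying", n==3, "splunk"),
       field2=case(n==1, "car", n==2, "hello", n==3, "helloSplunkEnterprise")
| eval result=if(like(lower(field1), "%".lower(field2)."%")
                 OR like(lower(field2), "%".lower(field1)."%"), "hit", "miss")
| table n field1 field2 result
```

This returns hit, miss, hit for rows 1 to 3. The pattern argument of like() is built by concatenation, which is why a field can be used on both sides. Keep in mind that % and _ are wildcards inside like(); if the values can contain those characters, escape them first, or switch to match() with a regex and escape its metacharacters instead.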
Hello all, I have an issue with my DB Connect. It won't fetch rows from any table in a Postgres database, but it will show table names and the rows included in the table. When I select a table, the loading bar goes to 20 percent and sticks there.
Hello, I have a HF running on a Linux machine. I have root access to that machine using sudo bash, as sudo - splunk or su - splunk is not allowing me to get root access. But when I copy files to the folders where the monitor command is pointing to pick up the files, it is not forwarding events to the Splunk indexer, since I cannot see those events within Splunk. However, when I type chown -R splunk:splunk /opt/splunk and then restart Splunk, it works as expected; that means I can see those events within Splunk. So every time I copy files within HF folders, I need to use the chown command and restart Splunk to make them available within Splunk. Is there any way this can be resolved so that I don't need to type the chown command and restart Splunk to forward events? Thank you so much.
I have a current output in the form of a table with rows representing the time spent in various checkpoints and the last row being the total time. I would like to calculate the percentage of each row in relation to the "Total Duration" row. If this is not possible, I am OK with calculating the percentage based on the sum of all the P50/P90 column values as well.

    Marker            P50   P90
    ----------------------------
    Point 1 Duration   10    20
    Point 2 Duration   40   100
    Point 3 Duration   50    80
    Total Duration    100   200

and I would like to insert a column for the percentage like this (the 100% in the bottom row is optional):

    Marker            P50   P50%   P90   P90%
    -----------------------------------------
    Point 1 Duration   10   10%     20   10%
    Point 2 Duration   40   40%    100   50%
    Point 3 Duration   50   50%     80   40%
    Total Duration    100  100%    200  100%

Thank you very much
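Added example (editor's, not the poster's) that rebuilds the poster's table with makeresults and computes each row's share of the "Total Duration" row. The trick is to copy the total row's values onto every row with eventstats, then divide. The constructed rows are the poster's numbers; the intermediate field names are placeholders.

```spl
| makeresults count=4
| streamstats count AS n
| eval Marker=case(n==1, "Point 1 Duration", n==2, "Point 2 Duration", n==3, "Point 3 Duration", n==4, "Total Duration"),
       P50=case(n==1, 10, n==2, 40, n==3, 50, n==4, 100),
       P90=case(n==1, 20, n==2, 100, n==3, 80, n==4, 200)
| eval tot50_row=if(Marker=="Total Duration", P50, null()),
       tot90_row=if(Marker=="Total Duration", P90, null())
| eventstats max(tot50_row) AS total_p50 max(tot90_row) AS total_p90
| eval P50_pct=round(100 * P50 / total_p50, 0)."%",
       P90_pct=round(100 * P90 / total_p90, 0)."%"
| table Marker P50 P50_pct P90 P90_pct
| rename P50_pct AS "P50%", P90_pct AS "P90%"
```

This produces exactly the second table in the question, including 100% on the total row. For the fallback the poster mentions (percent of the sum of the point rows instead of the total row), replace the two eval/eventstats lines with | eventstats sum(eval(if(Marker!="Total Duration", P50, 0))) AS total_p50 sum(eval(if(Marker!="Total Duration", P90, 0))) AS total_p90. In the real search, replace everything up to and including the second eval with the search that builds the table.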
Hello, can I use XML for searches/alerts? Is there any reference? Can you provide an example to perform a search for a particular view? Thanks!