I am trying to determine the length of a spike to see if it goes beyond our requirements. Here is a test of my search:

index="database" source=IIQDB:*
| fields _time, FileGrpName, source, sourcetype, database, Spaced_Used_Per, AvailSpaceMB, Value, SQL_Server_Process_CPU_Utilization, System_Idle_Process, Other_Process_CPU_Utilization, free_log_space_Perc, lag_seconds, Requests, host, server, Task_Name, job, recent_failures, last_run, Target
| rex field=host "^(?P<hostname>[^\.]+)"
| rex field=Value "(?P<pctValue>.*)\%"
| eval TasksPaused = if(sourcetype="mssql:AGS:TaskSchP", Task_Name, null())
| search TasksPaused="*" TasksPaused="Intel-TaskSchedule-FullTextIndexRefresh" host="agsprdb1.ed.cps.intel.com"
| eval ptime=strptime(last_run,"%Y-%m-%d %H:%M:%S")
| eval TimeDiff=(now()-ptime)/60
| sort _time
| streamstats reset_on_change=true earliest(_time) as earlyTime latest(_time) as lastTime by TasksPaused
| eval duration = (lastTime - earlyTime)/60

Some of it is extra from the whole search. I am trying to narrow down the problem with this section.

Wish we could post a picture of our timeline, but I will simulate it here:

/\                                     ---/\                                                       /--------\ --------/       \--------------------/           \-------------------------------/                   \--------------------------------------------
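As an added example (not part of the original post), the same run-length idea on constructed data: twelve hourly samples of a hypothetical cpu field generated with makeresults, a state flag that flips when the value crosses an assumed 80% threshold, a run counter that increments each time the flag changes, and one row per contiguous run with its start, end and duration in minutes. The field names cpu, over, run_id and the threshold are assumptions for the illustration:

```spl
| makeresults count=12
| streamstats count as n
``` constructed sample: one cpu reading per hour for the last 12 hours; hours 4-6 and 10-12 are above threshold ```
| eval _time = relative_time(now(), "-12h@h") + (n - 1) * 3600
| eval cpu = case(n <= 3, 20, n <= 6, 95, n <= 9, 25, true(), 90)
| sort 0 _time
``` state flag: 1 while above the assumed threshold, 0 otherwise ```
| eval over = if(cpu > 80, 1, 0)
``` previous event's flag (current=f excludes the current event from last()) ```
| streamstats current=f last(over) as prev_over
``` a new run starts on the first event and whenever the flag changes ```
| eval run_start = if(isnull(prev_over) OR prev_over != over, 1, 0)
| streamstats sum(run_start) as run_id
``` keep only runs above threshold and collapse each run to one row ```
| where over = 1
| stats earliest(_time) as spike_start latest(_time) as spike_end count as samples by run_id
| eval duration_min = (spike_end - spike_start) / 60
``` requirement check: report only spikes that lasted an hour or more ```
| where duration_min >= 60
| eval spike_start = strftime(spike_start, "%F %T"), spike_end = strftime(spike_end, "%F %T")
| table run_id spike_start spike_end samples duration_min
```

duration_min is the gap between the first and last sample above the threshold, so a single-sample spike reports 0 and a three-sample hourly spike reports 120; add the sampling interval if the requirement is measured inclusively. Grouping by run_id after the streamstats is what yields one row per spike instead of a running value on every event.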
Hi, I'm trying to use a lookup file inside an if statement, and it doesn't return any data. I would appreciate it if anyone could help me. Thanks!

The lookup file has 4 columns (TenantName, tenantId, Region, DB) and my base search is returning 5 columns (_time, TenantName, tenantId, Region, Status). I need to find the database name (or DB) for each record, and it should be done by using tenantId in the base search wherever tenantId is not "Unknown".

<base search>
| table _time TenantName tenantId Region Status
| eval Database=if(tenantId!="Unknown", [| inputlookup myLookup | where tenantId=tenantId | return $DB], [| inputlookup myLookup | where TenantName=TenantName | return $DB])
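As an added example, not taken from the post: per-event enrichment from a lookup is done with the lookup command, which joins each event against the table, rather than with a subsearch. The first search below builds a constructed four-column lookup (tenant_db.csv, an assumed file name) from makeresults and is run once; the second generates three constructed events, one with tenantId "Unknown" and one whose tenantId has no match in the table, and resolves DB by tenantId first and by TenantName as the fallback. All tenant names, IDs, regions and database names are made up:

```spl
``` run once: write a constructed 4-column lookup (TenantName, tenantId, Region, DB) ```
| makeresults count=3
| streamstats count as n
| eval TenantName = case(n=1, "acme", n=2, "globex", n=3, "initech"),
       tenantId   = case(n=1, "t-100", n=2, "t-200", n=3, "t-300"),
       Region     = case(n=1, "us-east", n=2, "eu-west", n=3, "us-west"),
       DB         = case(n=1, "db01", n=2, "db02", n=3, "db03")
| fields - _time n
| outputlookup tenant_db.csv

``` enrichment search: stands in for <base search> with three constructed events ```
| makeresults count=3
| streamstats count as n
| eval _time     = now() - n * 60,
       TenantName = case(n=1, "acme", n=2, "globex", n=3, "initech"),
       tenantId   = case(n=1, "t-100", n=2, "Unknown", n=3, "t-999"),
       Region     = case(n=1, "us-east", n=2, "eu-west", n=3, "us-west"),
       Status     = "ok"
| fields - n
``` match by id and by name into separate fields; a miss leaves the field null ```
| lookup tenant_db.csv tenantId OUTPUT DB as DB_by_id
| lookup tenant_db.csv TenantName OUTPUT DB as DB_by_name
``` prefer the id match when the id is known and found, otherwise fall back to the name match ```
| eval Database = if(tenantId != "Unknown" AND isnotnull(DB_by_id), DB_by_id, DB_by_name)
| fields - DB_by_id DB_by_name
| table _time TenantName tenantId Region Status Database
```

Each lookup call writes its own output field, so the eval can decide per event which one to trust; a row whose tenantId is not "Unknown" but is absent from the table (t-999 above) still resolves through the name match rather than ending up with no Database. If the table is registered under Settings > Lookups, the definition name can be used in place of the .csv file name.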
Hi everyone. I was looking at some events in the internal logs and I saw many events related to "ERROR AdminManagerDispatch - Admin handler 'alert_manager' not found.". Recently I upgraded the "alert manager" app from v2 to v3, but I do not know if that upgrade is related.

Does anyone know what could be happening?

Thank you so much.
In my organization we are planning to install heavy forwarders for some domains. What are the hardware requirements for heavy forwarders? What is the ratio of servers to heavy forwarders?
Hello all! I hope everyone can help. After we upgraded our Splunk Enterprise to 8.2 we are getting these error messages in our search head clusters regarding our indexers:

Auto Load Balanced TCP Output Root Cause(s): More than 70% of forwarding destinations have failed. Ensure your hosts and ports in outputs.conf are correct. Also ensure that the indexers are all running, and that any SSL certificates being used for forwarding are correct.
Hello,

Is it possible to run the search of a dashboard by using its ID?

Also, can I add fields to the search above? I.e. if a dashboard conducts this search:

(index="mysource" earliest=-264h latest=now()) | eval metric=case(index="mysource", '_time') ...

Can I do something like:

search $dashboard_id$ = 'my_dashboard' | eval Timestamp=strftime(now(),"%d/%m/%Y %H:%M:00") | table A1 A2 Timestamp

I.e. append additional code?

Thanks!
Hello, I upgraded recently to 3.7.0 and in doing so I've encountered a few issues.

1. The bulk edit features don't show up in the UI and there aren't any checkboxes as shown in the docs.
2. The "Edit Incident" button doesn't do anything.
3. The doexternalworkflowaction field shows when it usually does not, and the other field names aren't the clean field names.

Any ideas on how I can resolve these issues? Thanks for the help.
I am trying to search for a number of events over a select period of time (4 hours) and then expand that to see how much of this traffic is in a 30 day period. I can use the time range picker for the initial 4 hours, but when I expand it, I am getting too much data.

Search I am using:

index="Firewalls" action=blocked | stats count by client_ip | search count > 3500 | sort -count

Is there a way to limit the results to be something like "search count > 3500 over 4 hours" and have the time range be 30 days?
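As an added example (not from the post), the fixed-window form of that search on constructed data: 6,000 blocked events from makeresults, 4,000 of them from one client inside a single 20-minute burst ten days ago and the rest spread at random over 30 days among five other clients. The client_ip and action field names follow the post; the addresses come from documentation ranges and the burst itself is made up:

```spl
| makeresults count=6000
| streamstats count as n
``` constructed events: n<=4000 form one burst, the rest are background noise across 30 days ```
| eval _time = if(n <= 4000,
                  relative_time(now(), "-10d@d") + (n % 1200),
                  relative_time(now(), "-30d@d") + (random() % (30 * 86400)))
| eval client_ip = if(n <= 4000, "203.0.113.10", "198.51.100." . tostring(1 + (n % 5)))
| eval action = "blocked"
``` the windowed count: bucket into fixed 4-hour windows, then count per window and client ```
| bin _time span=4h
| stats count by _time client_ip
``` the 4-hour threshold from the post, applied per window ```
| where count > 3500
| sort -count
| eval window_start = strftime(_time, "%F %T")
| table window_start client_ip count
```

With the time picker set to 30 days, the bin command carves the range into 4-hour windows and the threshold is applied to each one, so the result lists every client that crossed 3,500 in any single window rather than over the whole month. The windows are fixed and aligned, so a burst that straddles a boundary is split in two; for a sliding window, sort by _time and use streamstats time_window=4h count by client_ip followed by the same where, at the cost of one output row per event.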
Has anyone ever installed the Netwrix addon in Splunk? Having a bit of trouble with how to do so. 
The "File a bug" link under the Help menu goes here: http://www.splunk.com/r/bugs

If you go there, it asks you to log in, then dumps you to the homepage. If you click on it again, it takes you here: https://splunkcommunities.force.com/customers/apex/CP_CaseSubmissionPage?caseID=NewCase
I am trying to set a regex that works when I use, say, regexr.com but doesn't apply in my transforms/props file. I want to not ingest any Apache logs that contain: assets/js, assets/css, assets/img. I can set one up singly, and it works fine, but the two commented-out lines, even though they work in a regex tester, don't seem to apply in my transforms file. Any insight if I may be doing something wrong? Thank you for any assistance.

[drop_assets]
REGEX = .*assets\/js.*
#REGEX = .*(assets\/js|assets\/css|assets\/img).*
#REGEX = .*assets/js.*|.*assets/css.*|.*assets/img.*
DEST_KEY = queue
FORMAT = nullQueue

[apache]
TRANSFORMS-drop = drop_assets
Hi! I have a dropdown with one of the values being "Unknown", and I would like to have an option in the dropdown to show each value, All, and also include an option to show "All except for Unknown". Has anyone been able to do so? Thank you very much!
Hi Team,

I want to enable SMB server audit logs in Splunk from a UF (inputs.conf etc.). Can anyone please help with the configuration steps or any Splunk docs for reference? Thanks in advance!

Thanks,
Sharada Pandilla
Hi, I have lots of "Caused by:" lines in (single or multiple) events. How do I extract all lines that contain "Caused by:", like this:

Caused by: java.sql.SQLException: ISAM error: duplicate value for a record with unique key.

Any idea? Thanks,
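An added example, not part of the post: a constructed Java stack trace with two chained causes is placed in _raw, rex with max_match=0 and the (?m) flag collects every line that starts with "Caused by:" into one multivalue field, and a second rex splits each of those lines into exception class and message. The trace text and class names are made up:

```spl
| makeresults
``` constructed multi-line event: an exception with two chained causes ```
| eval _raw = "Exception in thread \"main\" java.lang.RuntimeException: failed to process order
    at com.example.OrderService.process(OrderService.java:88)
Caused by: java.sql.SQLException: ISAM error: duplicate value for a record with unique key.
    at com.example.OrderDao.insert(OrderDao.java:42)
    ... 12 more
Caused by: java.io.IOException: connection reset
    at com.example.Db.write(Db.java:17)"
``` (?m) makes ^ match at every line start; max_match=0 keeps every match as a multivalue ```
| rex field=_raw max_match=0 "(?m)^(?<caused_by>Caused by:[^\r\n]*)"
| eval caused_by_count = mvcount(caused_by)
``` one row per cause, then split class from message ```
| mvexpand caused_by
| rex field=caused_by "^Caused by:\s+(?<exception_class>[^:]+):\s*(?<exception_message>.*)$"
| table caused_by_count exception_class exception_message
```

Without (?m) the ^ anchor only matches the start of the whole event and the first cause is missed; without max_match=0 only the first "Caused by:" line is captured even with the flag. The same rex can be moved into props.conf as an EXTRACT with the same pattern if the field is needed at search time for every event of the sourcetype.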
Hi - I have a command to clean the fishbucket on a forwarder, if I want to take data back in for testing etc.:

cd var/lib/splunk/
rm -r fishbucket/
bin/splunk stop; cd var/lib/splunk/ ; rm -r fishbucket/ ; cd - ; rm -r var/ ; bin/splunk start

But is there any way to clean the fishbucket for only one sourcetype?
We have Splunk Enterprise (8.0) & ES (6.4). What is the proper procedure to upgrade to Splunk Enterprise 8.2.2.1 and retain the settings & configurations we have made in ES (Enterprise Security)? What about the Security Essentials app we have installed? Any directions are much appreciated. Thanks a million.
Currently running ES 8.2.2.1, and Visual SPL shows as not compatible with Python 3. Visual SPL is version 1.0.1. The app shows in a failed state and I want to know if this will be updated at some point; I couldn't find anything by searching, so I'm posting here for some possible guidance. Thanks!
https://docs.splunk.com/Documentation/SCS/current/Search/Comments says that we may use block comments or line comments in SPL2. When trying to learn how to count the number of objects in a JSON array returned from json_extract, I came across this post, which has an extended multiline Splunk query. I wanted to see how the command worked, so I tried using both block and line comments to comment out the end of the query and replace it with a command to view the intermediate output, e.g.

index=_internal
| head 1
| fields _raw _time
| eval _raw="{ \"cities\": [ { \"name\": \"London\", \"Bridges\": [ { \"name\": \"Tower Bridge\", \"length\": 801 }, { \"name\": \"Millennium Bridge\", \"length\": 1066 } ] }, { \"name\": \"Venice\", \"Bridges\": [ { \"name\": \"Rialto Bridge\", \"length\": 157 }, { \"name\": \"Bridge of Sighs\", \"length\": 36 }, { \"name\": \"Ponte della Paglia\" } ] }, { \"name\": \"San Francisco\", \"Bridges\": [ { \"name\": \"Golden Gate Bridge\", \"length\": 8981 }, { \"name\": \"Bay Bridge\", \"length\": 23556 } ] } ] }"
| rename COMMENT as "the logic"
| spath cities{} output=cities
/* | stats count by cities
| spath input=cities Bridges{} output=Bridges
| mvexpand Bridges
| spath input=cities name output=city
| spath input=Bridges
| table city name length */
| table cities

Both commenting schemes generate an error: Error in 'spath' command: Invalid argument: '/*'

This error occurs no matter which step I try to introspect. The error is prevented by cutting the commented code out. For now, my workaround is to keep another text editor open and gradually copy and paste in the lines I want. This works, but it's slower than it needs to be, relative to other programming and query languages.

Key question: How can I use block or line comments to test the intermediate output of a multiline Splunk query?
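As an added example (not the post's own query, and without any comment syntax), the count the post set out to get: the same JSON from the post is loaded into _raw, spath with the {} array notation returns each array as a multivalue field whose values are the array's objects, and mvcount gives the number of objects at each level. The output field names are assumptions:

```spl
| makeresults
| eval _raw = "{ \"cities\": [ { \"name\": \"London\", \"Bridges\": [ { \"name\": \"Tower Bridge\", \"length\": 801 }, { \"name\": \"Millennium Bridge\", \"length\": 1066 } ] }, { \"name\": \"Venice\", \"Bridges\": [ { \"name\": \"Rialto Bridge\", \"length\": 157 }, { \"name\": \"Bridge of Sighs\", \"length\": 36 }, { \"name\": \"Ponte della Paglia\" } ] }, { \"name\": \"San Francisco\", \"Bridges\": [ { \"name\": \"Golden Gate Bridge\", \"length\": 8981 }, { \"name\": \"Bay Bridge\", \"length\": 23556 } ] } ] }"
``` top-level array: one multivalue entry per city object, so mvcount is the number of cities ```
| spath path=cities{} output=cities
| eval city_count = mvcount(cities)
``` one row per city; parse the nested array the same way for the per-city bridge count ```
| mvexpand cities
| spath input=cities path=name output=city
| spath input=cities path=Bridges{} output=Bridges
| eval bridge_count = mvcount(Bridges)
``` one row per bridge; length is absent for one Venice bridge, so it stays null ```
| mvexpand Bridges
| spath input=Bridges path=name output=bridge
| spath input=Bridges path=length output=length
| stats max(city_count) as city_count,
        max(bridge_count) as bridge_count,
        sum(eval(if(isnull(length), 1, 0))) as bridges_without_length,
        sum(length) as total_length
  by city
```

The intermediate output at any step can be inspected by ending the search at that line and adding table with the fields of interest, which is what each mvcount line above does for its level. mvcount returns null, not 0, when the array field is missing entirely, so a check such as where isnull(city_count) is the way to find events with no cities array.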
Hello everyone,

I have installed Splunk Stream on a distributed environment. All stream forwarders talk to the deployment server and have the "es" template applied/enabled as I use Enterprise Security. Streams are normally populated (tcp, http, dns and many more). I have added a Stream Capture to my correlation searches as an adaptive response action (a 15 min capture for dest_ip). A notable event is triggered and under Adaptive Responses I see mode:saved and status:success. When I click on the "Stream Capture" link, though, I get zero results.

I followed this answer and I saw that there was already an event type modmakestreams_results tagged as modaction_result, as expected. My final search is like:

tag=modaction_result orig_sid=scheduler__admin_REE.................... orig_rid=2 orig_action_name=makestreams

I see though that the event type of interest:

source=stream:makestreams_* orig_sid=*

brings no results. If I remove the orig_sid=* part I get results related to the notable but not related to a stream capture. As a last piece of information, stream capture on demand is working fine and the pcaps are stored in the NFS share we created, from which I am able to download them.

Any help would be appreciated.

With kind regards,
Chris
I work in a large environment including Splunk Enterprise & ES. We are planning to upgrade from 7.x.x to 8.2.2.1. Any optimizations to perform? Any best practices to follow? Should we upgrade ES (Enterprise Security 6.4) before or after the Splunk Enterprise upgrade? Thanks a million for your help in advance.