I have the following data that I am trying to convert to a time series by Type with the last Status brought forward.

Raw data:

Timestamp         Status  Type
10/28/2021 12:00  down    B
10/28/2021 12:10  up      A
10/28/2021 12:30  up      B
10/28/2021 13:10  down    B
10/28/2021 13:30  up      B

After transformation I need a data point every 10 minutes for each Type with the previous Status brought forward. Note I could have 40-50 different types.

Example transformation:

Timestamp         Status  Type
10/28/2021 12:00  down    B
10/28/2021 12:10  down    B
10/28/2021 12:20  down    B
10/28/2021 12:30  up      B
10/28/2021 12:40  up      B
10/28/2021 12:50  up      B
10/28/2021 13:00  up      B
10/28/2021 13:10  down    B
10/28/2021 13:20  down    B
10/28/2021 13:30  up      B
10/28/2021 13:40  up      B

Any ideas?
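One way to do the forward-fill in SPL, as an added example that is not part of the original post: the sample rows are rebuilt inline from the question with makeresults, then timechart buckets each Type into 10-minute slots, filldown carries the last non-null Status forward within each Type column, and untable turns the columns back into one row per Type and slot. The limit=0 and useother=f options are there because the poster expects 40-50 Types, more than timechart's default of 10 series. Run it over "All time" so the time picker does not clip the 2021 sample dates.

```spl
| makeresults
| eval raw="10/28/2021 12:00,down,B|10/28/2021 12:10,up,A|10/28/2021 12:30,up,B|10/28/2021 13:10,down,B|10/28/2021 13:30,up,B"
| eval raw=split(raw,"|")
| mvexpand raw
| rex field=raw "^(?<Timestamp>[^,]+),(?<Status>[^,]+),(?<Type>[^,]+)$"
| eval _time=strptime(Timestamp,"%m/%d/%Y %H:%M")
| timechart span=10m limit=0 useother=f latest(Status) BY Type
| filldown
| untable _time Type Status
| sort 0 Type _time
| eval Timestamp=strftime(_time,"%m/%d/%Y %H:%M")
| table Timestamp Status Type
```

On real data, replace everything up to and including the strptime line with the search that returns the raw events. Two caveats: timechart only creates buckets between the earliest and latest event in the result set, so the 13:40 row from the expected output will not appear unless the search window extends past 13:30 (use explicit earliest/latest on the search to pin the range), and a Type has no rows before its first observed event, because there is no Status to bring forward yet.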
Hi all, I have two sourcetypes: WinEventLog and XmlWinEventLog. Both were displaying as very hard to read XML data in the events. I was able to correct the WinEventLog data by editing the index.conf file from renderXml=true to false, but it did not fix the XmlWinEventLog sourcetype data. I think it might be the props.conf > KV_MODE = xml, but that also did not correct the parsing problem. Any assistance would be greatly appreciated! /Paul
Hi all, I'm trying to get syslog to send from my Aruba HP-2530-8 switch to Splunk. I installed the Aruba add-ons and have my data input set up for TCP port 514 with sourcetype aruba:syslog. I think I'm missing something here; any help is appreciated, and thanks for reading.
I'm trying to find a way to reverse the order of values for a multivalue field. Use the following SPL as the base search:

| makeresults
``` Create string of characters, separated by comma ```
| eval mv_string = "banana,apple,orange,peach"
``` Split string into multivalue, using comma as the delimiter ```
| eval mv_ascending = split(mv_string, ",")

My goal is to have a multivalue field that I can mvjoin() in this order: "peach,orange,apple,banana"

In programming languages like Python, you can use slicing to reverse the direction of a list (i.e., multivalue). However, it seems mvindex() is a watered-down version of this. To my knowledge, this SPL function doesn't allow reversing the order. You can grab different index values with mvindex(), but it's always in the original list order. Anyone else come across this?
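As an added example, not part of the original post: mvindex() on its own cannot reverse a field, but mvmap() (Splunk 8.0 and later) can apply an expression to every value of a multivalue field, so pairing it with mvrange() to generate the positions 0..n-1 and reading position n-1-i from the original field produces the reversed list. The base search is the poster's; the n, idx, mv_descending and reversed_string field names are this example's own.

```spl
| makeresults
| eval mv_string="banana,apple,orange,peach"
| eval mv_ascending=split(mv_string,",")
| eval n=mvcount(mv_ascending)
| eval idx=mvrange(0,n)
| eval mv_descending=mvmap(idx, mvindex(mv_ascending, n-1-idx))
| eval reversed_string=mvjoin(mv_descending,",")
| table mv_string reversed_string mv_ascending mv_descending
```

reversed_string comes out as "peach,orange,apple,banana". mvrange(0,n) is end-exclusive, which is why the last index is n-1; for a single-value field mvcount() returns 1 and the result is the same value, and for a null field it returns null, so guard with isnotnull(mv_ascending) if the field is optional.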
I usually get many "skipped searches" reported with the ES host indicated as the host, which I understand. Lately I get many skipped searches reported but a search head like SH01 is indicated as the host. Please help me understand. Thank you.
Hi, I want to insert the time range picker value, like $time$, in my query for a dynamic input. Requesting help with the query, where $time$ will get injected and the dynamic input widget will not use the GUI time range picker.
Hello, I am using "Splunk_TA_juniper" and I noticed a new problem with the timestamp: there is a one-hour offset between the timestamp and the time in the event. For instance, when I have an event whose _raw value starts with "Oct 28 15:12:37 fw-01-gra RT_FLOW:  ...", the timestamp is "2021-10-28T16:12:37.000+02:00" (16h instead of 15h). In addition, the event only appears an hour after it is received by the indexer, in fact once the timestamp value is less than the current time. This behaviour is new. When I examine events for September (for instance), the timestamp matches the time in the event. I tried restarting Splunk and the forwarder; nothing changed. I haven't modified the configuration files for a long time, and I don't know what to do. Do you have an idea of what is going on or a possible solution? Regards, Denis
Hello Splunk Community!

I have an alert set up to report failed login attempts by a user > 4 times in 5 minutes.

Alert query:

index=win_os sourcetype="Security" EventCode=4625
| bin span=5m _time
| stats count dc(user) by _time, user, Logon_Type, dest, src, Failure_Reason
| where count > 3
| sort user
| table _time, user, count, Logon_Type, dest, src, Failure_Reason

Alert settings:
Alert Type: Scheduled. Hourly, at 0 minutes past the hour.
Trigger Condition: Number of Results is > 0

Issue: the last time this alert ran, I got results only from 3 PM attempts. The alert PDF did not report the results from 2:55 PM.

Actual query result:

Alert PDF that came in email:

Any idea why the complete results were not shown from 2:55 PM when the alert triggered at the hour?
Hello, is it possible to call the service /services/data/lookup_edit/lookup_contents to create a lookup in Splunk Cloud? Thanks!
Hello, we receive somewhere between 3-5 messages from every pod every minute. We have a situation where some of the pods go zombie and stop writing messages.

Here's the query:

index namespace pod="pod-xyz" message="incoming events"
| timechart count by pod span=1m

I want help with this query to detect when the count in a one-minute interval goes to zero.
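One way to turn that timechart into a detection, as an added example that is not part of the original post: timechart zero-fills count for every pod that appears anywhere in the search window, untable converts the per-pod columns back into rows, and the where clause keeps only the silent minutes. The index name k8s and namespace myns are placeholders for the poster's redacted values, and the three-minute threshold is an assumption.

```spl
index=k8s namespace=myns message="incoming events"
| timechart span=1m limit=0 useother=f count BY pod
| untable _time pod count
| where count=0
| stats min(_time) AS first_silent_minute max(_time) AS last_silent_minute count AS silent_minutes BY pod
| where silent_minutes>=3
| eval first_silent_minute=strftime(first_silent_minute,"%Y-%m-%d %H:%M"), last_silent_minute=strftime(last_silent_minute,"%Y-%m-%d %H:%M")
```

limit=0 and useother=f matter here: with the default limit, low-volume pods are merged into an OTHER column and a silent pod hides behind its neighbours' counts. The one gap this cannot close is a pod that was silent for the entire window, because timechart never creates a column for it; for that case compare the pod list against an inventory lookup (inputlookup of expected pods, then a left join or append with count=0) so the fully dead pods surface too.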
Hi there, we have an instance already running on Windows Server. I am planning to move our frozen bucket location from a local drive to a share on another server, and I have a few questions regarding this. Is it as simple as editing the frozen locations on the indexes in the GUI, and will a UNC path work OK if the permissions are set, or must it be a mapped local drive? Thanks in advance!
Hello, we have a problem with a Splunk search head: the splunk service restarts randomly when launching a search or viewing a dashboard. After analysis we found kernel messages in the logs. Do you have any idea about this type of message?

Sep 21 10:13:16 splksh01c kernel: [4960554.728167] splunkd[26359]: segfault at 8 ip 00007f2b51845c24 sp 00007f2b279fc868 error 6 in libjemalloc.so.2[7f2b51834000+49000]
Sep 21 11:10:55 splksh01c kernel: [4964014.055174] splunkd[8210]: segfault at 68 ip 00007f816fdc749f sp 00007f81443f4da0 error 4 in libjemalloc.so.2[7f816fd9b000+49000]
Sep 21 11:27:01 splksh01c kernel: [4964980.155146] splunkd[29689]: segfault at 68 ip 00007fa3888013d9 sp 00007fa3571fd200 error 4 in libjemalloc.so.2[7fa3887d5000+49000]
Sep 21 12:03:54 splksh01c kernel: [4967193.444921] splunkd[9885]: segfault at 68 ip 00007fb56962b3d9 sp 00007fb5339fd240 error 4 in libjemalloc.so.2[7fb5695ff000+49000]
Sep 21 12:54:45 splksh01c kernel: [4970243.694017] splunkd[12378]: segfault at 68 ip 00007f629482f49f sp 00007f626affc930 error 4 in libjemalloc.so.2[7f6294803000+49000]
Sep 21 13:23:16 splksh01c kernel: [4971954.661062] splunkd[10366]: segfault at 8 ip 00007f3c111c4c24 sp 00007f3bd73fd568 error 6 in libjemalloc.so.2[7f3c111b3000+49000]
Sep 21 14:23:26 splksh01c kernel: [4975565.162362] splunkd[8340]: segfault at 7f713ff89f40 ip 000055981749198f sp 00007f71419fa180 error 6 in splunkd[559814297000+40f3000]
Hi team, I would like to convert the hosting of "DNS App for Splunk" from externally hosted to Splunkbase hosted. I contacted the Splunk support team via the splunkbase-admin@splunk.com email address a few days back, but haven't received a response yet. Are you able to advise how I could achieve this? Thanks and kind regards,
Hello, I have made a search/query to detect XSS attacks. The problem I have is that it also shows valid requests, because there are words (cookie, script) that also appear in legitimate requests. How could I filter so that it only shows the attacks?

search "<script>" OR "</script>" OR "&#" OR "script" OR "`" OR "cookie" OR "alert" OR "%00"
| append [
    datamodel Web search
    | where like(uri,"http:/%") OR like(uri,"%javascript%") OR like(uri,"%vbscript%") OR like(uri,"%applet%") OR like(uri,"%script%") OR like(uri,"%frame%")
]
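The false positives come from matching bare words such as "cookie" and "script" anywhere in the event. The added example below, which is not part of the original post, takes a tighter approach: decode the URI (twice, so double-encoded payloads like %253C are caught), lower-case it, and then match only on constructs that carry an injection, such as a script tag, a javascript: scheme, an inline event handler, or document.cookie. The six URIs are constructed test cases, not data from the poster's environment; the last usage note says how to point it at real web logs.

```spl
| makeresults
| eval uri=split("/search?q=cookie+recipes|/login?next=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E|/docs/script-tutorial|/p?x=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E|/a?u=javascript:alert(1)|/blog/alert-fatigue","|")
| mvexpand uri
| eval decoded=lower(urldecode(urldecode(uri)))
| regex decoded="<\s*/?\s*script|javascript\s*:|vbscript\s*:|\bon(?:load|error|mouseover|click|focus)\s*=|<\s*(?:iframe|frame|img|svg|object|embed)\b|document\.cookie|alert\s*\(|expression\s*\("
| table uri decoded
```

Only the second, fourth and fifth URIs survive the regex; "cookie recipes", "script-tutorial" and "alert-fatigue" drop out because a bare word no longer matches. To run it on real data, replace the makeresults/split/mvexpand lines with the web search (for example index=web sourcetype=access_combined, or the Web datamodel's url field) and keep the eval and regex as they are. Decoding before matching is the important part: an attacker chooses the encoding, and a regex applied to the raw percent-encoded string sees %3Cscript%3E, not <script>.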
Hi all, I need to build a pie chart for three separate fields, which should display the field name and its percentage in the same pie chart. E.g. ial1, ial2 and ial3 are three different fields in Splunk. It should display in the attached format. Could someone help me with this?
We have a cluster master which we are also using as the monitoring console. We have created a dashboard to collect cluster master status. This works fine for the 'admin' role, and we get the error below for the custom role which has inherited capabilities from the 'user' role.

Error message:

Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/cluster/master/generation/master?count=0 from server https://127.0.0.1:8089. Check that the URI path provided exists in the REST API.

Query used for the dashboard:

| rest splunk_server=<Cluster master hostname> /services/cluster/master/generation/master
| fields title pending_last_reason splunk_server search_factor_met replication_factor_met
| eval all_data_searchable=if(isnull(pending_last_reason) OR pending_last_reason=="","All Data is Searchable","Some Data is Not Searchable")
| eval search_factor_met=if(search_factor_met==1 OR search_factor_met=="1","Search Factor is Met","Search Factor is Not Met")
| eval replication_factor_met=if(replication_factor_met==1 OR replication_factor_met=="1","Replication Factor is Met","Replication Factor is Not Met")
| table title splunk_server search_factor_met replication_factor_met all_data_searchable
| rename title as Title splunk_server as "Splunk Server" search_factor_met as "Search Factor Status" replication_factor_met as "Replication Factor Status" all_data_searchable as "All Data Searchable Status"

What capability do I need to enable so that users can access this dashboard? Any help would be appreciated.
Hi, I want to get all syslog data from a large Logpoint implementation forwarded to Splunk. Is there a recommended approach for doing this? Thank you, O.
I have data in the following structure for every event. Some events have just one or two sub calls and some have more. I need to calculate the sum of the total duration per event.

subCalls: [
  { completionTimeMs: 69,  method: GET,   statusCode: 200 }
  { completionTimeMs: 77,  method: GET,   statusCode: 200 }
  { completionTimeMs: 956, method: POST,  statusCode: 200 }
  { completionTimeMs: 201, method: PATCH, statusCode: 204 }
]

The search below calculates the sum of all the values across all the events instead of per event. Please suggest how to proceed.

mysearch
| eventstats sum(processRelevantFields.eventDetails.subCalls{}.completionTimeMs) as totalDuration
| table traceId, totalDuration
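The eventstats in the question has no by clause, so it sums over the whole result set. Stats functions treat every value of a multivalue field as a separate input, so grouping by the event's own identifier gives the per-event total. The added example below is not part of the original post: it builds two JSON events inline with makeresults (the traceId values t-001 and t-002 and the second event's single 40 ms call are constructed), extracts the nested array with spath, and sums per traceId.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n=1,
    "{\"traceId\":\"t-001\",\"processRelevantFields\":{\"eventDetails\":{\"subCalls\":[{\"completionTimeMs\":69,\"method\":\"GET\",\"statusCode\":200},{\"completionTimeMs\":77,\"method\":\"GET\",\"statusCode\":200},{\"completionTimeMs\":956,\"method\":\"POST\",\"statusCode\":200},{\"completionTimeMs\":201,\"method\":\"PATCH\",\"statusCode\":204}]}}}",
    "{\"traceId\":\"t-002\",\"processRelevantFields\":{\"eventDetails\":{\"subCalls\":[{\"completionTimeMs\":40,\"method\":\"GET\",\"statusCode\":200}]}}}")
| spath
| stats sum(processRelevantFields.eventDetails.subCalls{}.completionTimeMs) AS totalDuration count(processRelevantFields.eventDetails.subCalls{}.completionTimeMs) AS subCallCount BY traceId
```

This yields totalDuration 1303 with subCallCount 4 for t-001 and 40 with 1 for t-002. On indexed data, replace the first four lines with mysearch (spath is only needed if the JSON fields are not auto-extracted). The grouping key must be unique per event; if traceId can repeat across events, add a streamstats count AS event_id before the stats and group by that instead.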
Hi everyone, I have 2 metrics, one is cpu.1 and the second is cpu.2, and I am using the query below to get the metric percentages:

| mstats max(_value) avg(_value) min(_value) prestats=true WHERE metric_name="cpu.1" AND "index"="myindex" AND [| inputlookup metrics.csv] BY host span=30min
| stats max(_value) AS Max avg(_value) AS Avg min(_value) AS Min BY host
| eval Status=if(Avg<75,"good",if(Avg>=75 AND Avg>=90,"critical","Warning"))

Now my question is: I need totalcpu=(cpu.1+cpu.2) in one query, and it should show max(totalcpu), avg(totalcpu), min(totalcpu). Can you guide me please? Thank you.
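As an added example, not part of the original post: mstats can aggregate several metric names in one call by naming the metric inside the function (Splunk 8.0 and later), which gives one row per host and 30-minute span with both values side by side. The total is then an eval, and the max/avg/min of that total is an ordinary stats. The index name myindex is taken from the question; the thresholds 75 and 90 are the poster's, written as a case() so the "critical" branch is reachable.

```spl
| mstats avg(cpu.1) AS cpu1 avg(cpu.2) AS cpu2 WHERE index=myindex BY host span=30min
| eval totalcpu=cpu1+cpu2
| stats max(totalcpu) AS Max avg(totalcpu) AS Avg min(totalcpu) AS Min BY host
| eval Status=case(Avg>=90,"critical", Avg>=75,"warning", true(),"good")
```

The inputlookup filter from the original query can stay in the WHERE clause unchanged. One thing to check on real data: if a host is missing one of the two metrics in a span, that span's totalcpu is null and drops out of the stats silently; add fillnull value=0 cpu1 cpu2 before the eval only if treating a missing sample as zero load is what you want, otherwise surface those spans with where isnull(cpu1) OR isnull(cpu2).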
SPL query:

index=_internal sourcetype=splunkd component=sendmodalert action=notable

Output:

10-27-2021 16:31:01.962 +0200 WARN  sendmodalert - action=notable - Alert action script returned error code=3
10-27-2021 16:31:01.962 +0200 INFO  sendmodalert - action=notable - Alert action script completed in duration=103 ms with exit code=3
10-27-2021 16:31:01.962 +0200 ERROR  sendmodalert - action=notable STDERR - ERROR: [Errno 13] Permission denied
10-27-2021 16:31:01.858 +0200 INFO  sendmodalert - Invoking modular alert action=notable for search="Threat - ....... - Rule" sid="......" in app="SplunkEnterpriseSecuritySuite" owner="......" type="saved"

Dear all, does someone know why permission is denied for creating notable events in Enterprise Security (6.4.1) after a correlation search is triggered? The owner of the search has the ess_admin role.