Hi All, I am using the query below to get forwarder disk utilization, but it's not working:

index=os sourcetype=df host=de1secsplfwd002.dc-r.security.vodafone.com | strcat host '@' Filesystem Host_FileSystem | timechart avg(UsePct) by Host_FileSystem

Basically our forwarder disk space is getting filled because of some specific intelligence logs. Here we want to show the respective team that the sudden surge in logs is because of their logs.
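As an added example (not part of the original post), the first search below is the poster's disk-utilization query with the `strcat` separator written as a double-quoted literal (in `strcat`, a single-quoted `'@'` is read as a field name, not the character), and the second goes one step further toward the stated goal of naming the team responsible: it uses the forwarder's own metrics.log to show how many kilobytes each sourcetype sent per hour. The host name is the one from the post; the `Splunk_TA_nix` df field names (`Filesystem`, `UsePct`), a `%`-suffixed `UsePct` value, and the forwarder sending its `_internal` index to the indexers are assumptions.

```spl
index=os sourcetype=df host=de1secsplfwd002.dc-r.security.vodafone.com
| eval UsePct=tonumber(replace(UsePct, "%", ""))
| strcat host "@" Filesystem Host_FileSystem
| timechart span=1h avg(UsePct) AS avg_use_pct BY Host_FileSystem

index=_internal source=*metrics.log* group=per_sourcetype_thruput host=de1secsplfwd002.dc-r.security.vodafone.com
| timechart span=1h sum(kb) AS kb BY series useother=false limit=20
```

The second search is what actually attributes growth: `series` is the sourcetype name in the `per_sourcetype_thruput` metrics group, so a sourcetype whose `kb` line jumps at the same time the filesystem fills is the one to take to its owning team. If several teams share a sourcetype, switch the group to `per_source_thruput` to break it down by file path instead.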
Hello there. I'm trying to prepare a dashboard that will query indexes for the latest events during a given period (let's say the last 30 minutes) from a list of event sources and will warn users if the latest events are older than a given threshold (or maybe I'll apply some more sophisticated logic later; I don't know yet). I also want to know if there are no events whatsoever.

The problem is, I don't just want to query everything: I have a lookup that defines my event sources to monitor. Depending on the type of the source, I might distinguish the source by index/host pair or index/source pair; there may be some other method in the future, but for now that's it.

So what is my problem now? The problem is that I don't like my solution; it's kinda ugly. I need to first do a subsearch with inputlookup to define a set of conditions for tstats, then I have to transform (and probably aggregate some results, since, for example, for file-based sources I can have multiple results if I do a tstats over the index/source/host trio), and after that I have to do an inputlookup again to create a zero-valued fallback to aggregate with the tstats result. So effectively I have something with the general structure of:

| tstats [ | inputlookup | eval/whatever/prepare conditions ] | stats/transform/whatever | append [ | inputlookup | eval/whatever/prepare ] | stats sum and tidy the results | check_for_zeros, check threshold and so on...

That's the general idea. It should work, but I don't really like the fact that I need to use a subsearched inputlookup twice, and the results of those subsearches will be, I suppose, highly similar to each other. Any idea if it can be performed in a more "tidy" way?
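A single-inputlookup version of the pipeline described above, added here as an example and not taken from the original post. It assumes a lookup file named `monitored_sources.csv` with columns `index`, `host`, `source` and `threshold_sec`, where each row fills in either `host` or `source` (the other left blank). The idea is to build the same `index|host` or `index|source` key on both sides, append the lookup rows to the tstats rows with `inputlookup append=true`, and let one `stats` merge them, so a monitored source with no events falls out as `count=0` without a second subsearch.

```spl
| tstats count latest(_time) AS last_seen WHERE earliest=-30m index=* BY index host source
| eval key=mvappend(index."|".host, index."|".source)
| mvexpand key
| inputlookup append=true monitored_sources.csv
| eval key=coalesce(key, index."|".coalesce(nullif(host, ""), nullif(source, ""))), threshold_sec=tonumber(threshold_sec)
| stats sum(count) AS count max(last_seen) AS last_seen max(threshold_sec) AS threshold_sec BY key
| where isnotnull(threshold_sec)
| eval count=coalesce(count, 0), age_sec=if(isnull(last_seen), -1, now()-last_seen)
| eval status=case(count=0, "no events", age_sec>threshold_sec, "stale", true(), "ok")
| table key count last_seen age_sec threshold_sec status
```

Each tstats row is expanded into two keys (one per matching rule) so a host-based and a source-based rule can both match the same data; rows whose key has no `threshold_sec` came only from tstats and are dropped by the `where`. Lookup-only keys have no `count` or `last_seen`, which is exactly the zero-valued fallback the post builds with a second inputlookup. If `index=*` over 30 minutes is too broad in your environment, constrain it to `index IN (...)` with the indexes that appear in the lookup.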
I have Splunk Enterprise (8.0.x) and ES (6.4.x). The UFs are 7.x.x. It looks like I have to upgrade the UFs to 8.0.x and then to 8.2.2.1 first, correct? Then upgrade the Splunk instances to 8.2.2.1, right? Please share step-by-step upgrade instructions for 8.2.2.1 if you have them. Thank you very much.
Hello Splunk Gurus, for a given dashboard which has tables, I create text fields/drop-downs to filter table data, which of course takes extra space on the UI. I was wondering if Splunk provides a way to create a filter on the table header, like Excel, without creating a separate textbox/drop-down for the filter. Any idea? For example, the table below was created by this query:

index=micro host=app150*usa.com "API Timeline" | rex field=_raw "FirstCompTime:(?<FirstComp>[^\,]+)" | rex field=_raw "SecondCompTime:(?<SecondComp>[^\,]+)" | rex field=_raw "ThirdCompTime:(?<ThirdComp>[^\,]+)" | table FirstComp, SecondComp, ThirdComp

FirstComp SecondComp ThirdComp
78 25 31
80 22 34
81 26 36

Now I want to create a filter on the table header, let's say on the header named "ThirdComp", like Excel, as shown below. Thanks.
Hello guys! Help me write the request correctly; otherwise I don't understand how to do it right.

file.csv:
username ip_address_old id_old desti
John 192.168.11.5 1234 abcd

index=IndexName:
usernem ip_address_new id_new desti
John 172.168.15.10 4321 bsir

Where id_old != id_new. Output:
usernem ip_address_new id_new desti id_old
John 172.168.15.10 4321 bsir 1234
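One way to write it, as an added example that is not from the original post: enrich each indexed event with the CSV row for the same user via `lookup`, then keep only the rows where the ids differ. It assumes `file.csv` has been uploaded as a lookup table file (or a lookup definition with that name exists) that the search user can read, and that the event field really is spelled `usernem` as shown in the post; the `AS` clause maps the CSV's `username` column onto it.

```spl
index=IndexName
| lookup file.csv username AS usernem OUTPUT ip_address_old id_old
| where isnotnull(id_old) AND id_old != id_new
| table usernem ip_address_new id_new desti id_old
```

The `isnotnull(id_old)` guard drops users that are in the index but not in the CSV; without it, those rows would pass the inequality too, since a null `id_old` never equals `id_new`. If the ids are numeric, compare them as numbers with `tonumber()` on both sides so that "0123" and "123" are not reported as a change.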
I have an eval on a dashboard that used to work, but it stopped and I haven't been able to figure out why. On the dashboard I'm taking the _time and turning it into a human-readable string using `strftime(_time, "%m/%d/%Y %H:%M:%S %Z")`, and that works great. The problem comes in when I try to convert it back later for making a link to a search. For example:

```
<eval token="endTimestamp">relative_time(strptime($row.Timestamp$, "%m/%d/%Y %H:%M:%S %Z"), "+30m")</eval>
```

used to work and return the Unix time that I added 30m to, but now `strptime` just returns NaN, even though this is the right format. I've checked all the Splunk docs and everything looks right, but it is still broken. Any idea what I could be doing wrong? Here is the snippet from the field row I'm making:

```
<condition field="Search">
  <eval token="startTimestamp">$row.Timestamp$</eval>
  <eval token="endTimestamp">relative_time(strptime($row.Timestamp$, "%m/%d/%Y %H:%M:%S %Z"), "+30m")</eval>
  <eval token="corKey">$row.Correlation Key$</eval>
  <link target="_blank">search?q=(index=### OR index=###) earliest=$startTimestamp$ latest=$endTimestamp$ correlationKey=$corKey$</link>
</condition>
```

I have taken out everything but the $row.Timestamp$, and that returns something like `10/03/2021 07:41:27 PDT`, which is the format that I put into it; I just can't do the reverse. I have copied and pasted the format from the `strftime` and still no luck converting it back so I can do math on it. Any suggestions?
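An added example, not from the original post, that sidesteps the round trip through `strptime` entirely: keep the raw epoch in the result row next to the formatted timestamp, so the drilldown does its arithmetic on a number and never has to re-parse a timezone abbreviation. The `index=###` placeholders and the `Correlation Key` field are taken from the post; the `epoch` column name is an assumption.

```spl
(index=### OR index=###)
| eval Timestamp=strftime(_time, "%m/%d/%Y %H:%M:%S %Z"), epoch=_time
| table Timestamp epoch "Correlation Key"
```

With `epoch` in the row, the drilldown tokens become `$row.epoch$` for `startTimestamp` and `$row.epoch$ + 1800` for `endTimestamp`; `earliest` and `latest` accept epoch seconds directly. The column can be kept out of the rendered table with the `<fields>` element of the Simple XML table, which hides it from display while leaving it available to `$row.epoch$`. Note that the original drilldown also passes the formatted string as `earliest`, so carrying the epoch fixes both ends of the range.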
Hi all, new user here. I was getting started on the tutorial, and using the Start Searching page that came up after adding the data successfully, I'm seeing behaviour I don't understand. The search

index="splunktutorial" source="tutorialdata.zip:*" "categoryid=sports"

returns results, but

index="splunktutorial" source="tutorialdata.zip:*" categoryid="sports"

or

index="splunktutorial" source="tutorialdata.zip:*" categoryid=sports

don't return results. To be more confusing, I added the condition action=purchase to the search that returned results, and it worked as expected to return results where the action was "purchase". https://docs.splunk.com/Documentation/SCS/current/Search/Quotations The Splunk documentation on quotations says all string literals must be in double quotes but gives no examples where the field has to be included. Both categoryid and action are classified as strings. Any help understanding what is going on would be appreciated.
Do Splunk ITSI and IT Essentials Work require a paid subscription? Are they available for a Splunk Cloud instance? Splunk Cloud Version: 8.2.2107.2, Enterprise Security Version: 6.6.0
Hello, in the past I have used the checkbox method to hide panels after opening new ones. In this example, I would like to have a panel disappear after I click on the values in the panel. Currently, my next panel appears on the click, but the existing panel still exists. I'm wondering if there is any way to hide the panel that exists after I click on what I want to pass as the token. XML preferred.
Hello All, we have the Microsoft Log Analytics add-on application installed on a Splunk forwarder, with which we are ingesting all the Azure Log Analytics workspace logs into Splunk. But for a few days we have observed the following pitfalls:
1. Delay in the Azure logs ingestion into Splunk.
2. Duplicate entries of Azure logs.
On investigation, we identified the following connection errors:

10-21-2021 13:44:42.789 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-ms-loganalytics/bin/log_analytics.py" raise ConnectionError(err, request=request)
10-21-2021 13:44:42.789 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-ms-loganalytics/bin/log_analytics.py" ConnectionError: ('Connection aborted.', BadStatusLine("''",))

Can anyone help us out with the following?
1. What is the cause behind this error?
2. How can we resolve this error/issue and get all the Azure logs without delay?
I've created a trial account in Splunk Cloud and I am trying to create an index using the Splunk C# SDK, and when I try to log in it throws "Unexpected DTD declaration. Line 1, position 3."

var service = new Service(new Uri("https://prd-p-8298m.splunkcloud.com"));
service.LogOnAsync("sc_admin", "password").Wait();

I tried to change the port to 8089 as well, but this caused "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." Any help on this would be appreciated. Thanks in advance.
Is there any way to get those header names as field values from lookup files? Please give me any idea with SPL.
Hi, I want to add an image inline with my title, but I am getting it like this below. Any suggestions on how I can add it inline like below? This is my code:

<row>
  <panel>
    <html>
      <h3><img src="/static/app/search/icons/info_icon.png" width="22" align="right" title="Details"/></h3>
    </html>
    <table>
      <title>BW TR Exception View</title>
      <search>
I have a search similar to the following:

(index=myindex) OR (index=otherindex) | eval user=coalesce(accountname, id) | mvexpand user | stats values(field1) as field1, values(field2) as field2 by user

This gives me the results that I want, but I now want to take the results of this and enrich the output by pulling other events from another index. This will then generate an alert, so it is not being done in a dashboard. I could schedule a report and then reference something like a lookup table; that would probably work, but I am trying to make it a bit more dynamic. I would like to maybe use the result from this and enrich with an LDAP query, but I don't think I can do that. Join is out of the question (limitations, etc.) and I can't coalesce any further with other fields as they are in no way similar or even available. Thoughts, and thanks in advance.
What are the differences between the two? ITSI and Splunk Infrastructure Monitoring
Hello experts, I would like to split out the fourth part of the lines below. Please provide your suggestion on whether I can use a regex for it.

Projects/IMGSD-102/Data/abc-NNN/00000000001
Projects/IMGSD-102/Data/abc-NNN/00000000001
Projects/IMGSD-102/Data/abc-NNNN/00000000001
Projects/IMGSD-102/Data/abc-NN/00000000001
Projects/IMGSD-102/Data/abc-N/00000000001

Now I need to get the answer as below:

abc-NNN
abc-NNN
abc-NNNN
abc-NN
abc-N

Kindly provide your suggestion for the same.
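Both ways of pulling out the fourth path segment, as an added example that is not part of the original post. The five sample paths are the ones from the post, generated inline with `makeresults` so the search runs on its own; the field name `path` is an assumption, and in real data the first three lines are replaced by the base search that produces the field.

```spl
| makeresults count=5
| streamstats count AS n
| eval path=case(n=1, "Projects/IMGSD-102/Data/abc-NNN/00000000001", n=2, "Projects/IMGSD-102/Data/abc-NNN/00000000001", n=3, "Projects/IMGSD-102/Data/abc-NNNN/00000000001", n=4, "Projects/IMGSD-102/Data/abc-NN/00000000001", n=5, "Projects/IMGSD-102/Data/abc-N/00000000001")
| rex field=path "^Projects/[^/]+/Data/(?<component>[^/]+)/"
| eval component_split=mvindex(split(path, "/"), 3)
| table path component component_split
```

Both columns come out as abc-NNN, abc-NNN, abc-NNNN, abc-NN, abc-N. The `rex` form anchors on the `Projects/.../Data/` prefix, so it only matches paths of that shape and leaves `component` empty otherwise; the `split`/`mvindex` form takes the fourth segment of any path regardless of what the earlier segments are. Pick the anchored regex if the extraction feeds a detection or a report where a stray path must not be silently accepted.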
Hello all! I have a deployer with 3 search heads. When I deleted all the apps that I don't need anymore, the deployer replicated fine. Also when I install a new one. But when I try to upgrade an app, it doesn't replicate to the search heads. Any suggestions? Thanks all!
I want to display the heading of my panel, which includes the time from the time picker field.
I have added some custom notable event statuses, say a, b, c. I have modified the transition rules for the "New" status such that the ess_analyst role should not be able to make a transition from New to the a, b and c statuses. But the issue is that while statuses a and b are hidden from the "Edit events" box, c is not, though the transition to status c is still disabled for the analyst. The id for a = 14, b = 15 and c = 10. Please help me understand why I see this behaviour.
Hello, when trying to execute a saved search from the UI, it throws an error:

Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'Incident Review - Main': Error while replacing variable name='type_filter'. Could not find variable in the argument map.

There is no variable by this name (type_filter) in the query. We are on the latest version of Splunk Cloud, 8.2.x. This search was working fine until yesterday and nothing has changed from our end. The Splunk Cloud team did perform maintenance for updates last night. How do we resolve this? Any assistance appreciated.