All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I have Splunk Ent. (8.0.X) & ES (6.4.X). The UFs are 7.x.x. It looks like I have to upgrade the UFs to 8.0.x and then to 8.2.2.1 first, correct? Then upgrade the Splunk instances to 8.2.2.1, right? Please share a step-by-step upgrade to 8.2.2.1 if you have one. Thank you very much.
Hello Splunk Gurus, For a given dashboard which has tables, I create text fields/drop-downs to filter the table data, which of course takes extra space on the UI. I was wondering if Splunk provides a way to create a filter on the table header, like Excel, without creating a separate textbox/drop-down for the filter. Any idea? For example, the table below got created by this query:

```
index=micro host=app150*usa.com "API Timeline" | rex field=_raw "FirstCompTime:(?<FirstComp>[^\,]+)" | rex field=_raw "SecondCompTime:(?<SecondComp>[^\,]+)" | rex field=_raw "ThirdCompTime:(?<ThirdComp>[^\,]+)" | table FirstComp, SecondComp, ThirdComp
```

| FirstComp | SecondComp | ThirdComp |
|---|---|---|
| 78 | 25 | 31 |
| 80 | 22 | 34 |
| 81 | 26 | 36 |

Now I want to create a filter on the table header, let's say on the header name "ThirdComp", like Excel as shown below. Thanks
Hello guys!! Help me to write the request correctly, otherwise I don't understand how to do it right.

file.csv:

| username | ip_address_old | id_old | desti |
|---|---|---|---|
| John | 192.168.11.5 | 1234 | abcd |

index = IndexName:

| usernem | ip_address_new | id_new | desti |
|---|---|---|---|
| John | 172.168.15.10 | 4321 | bsir |

Where id_old != id_new. Output:

| usernem | ip_address_new | id_new | desti | id_old |
|---|---|---|---|---|
| John | 172.168.15.10 | 4321 | bsir | 1234 |
I have an eval on a dashboard that used to work, but it stopped and I haven't been able to figure out why. On the dashboard I'm taking the _time and turning it into a human-readable string using `strftime(_time, "%m/%d/%Y %H:%M:%S %Z")`, and that works great. The problem comes in when I try to convert it back later for making a link to a search. For example:

```
<eval token="endTimestamp">relative_time(strptime($row.Timestamp$, "%m/%d/%Y %H:%M:%S %Z"), "+30m")</eval>
```

This used to work and return the unix time that I added 30m to, but now `strptime` just returns NaN even though this is the right format. I've checked out all the Splunk docs and everything looks right, but it is still broken. Any idea what I could be doing wrong? Here is the snippet from my field row I'm making:

```
<condition field="Search">
  <eval token="startTimestamp">$row.Timestamp$</eval>
  <eval token="endTimestamp">relative_time(strptime($row.Timestamp$, "%m/%d/%Y %H:%M:%S %Z"), "+30m")</eval>
  <eval token="corKey">$row.Correlation Key$</eval>
  <link target="_blank">search?q=(index=### OR index=###) earliest=$startTimestamp$ latest=$endTimestamp$ correlationKey=$corKey$</link>
</condition>
```

I have taken out everything but the $row.Timestamp$, and that returns something like `10/03/2021 07:41:27 PDT`, which is the format that I put into it; I just can't do the reverse. I have copied and pasted the format from the `strftime` and still have no luck converting it back so I can do math on it. Any suggestions?
Hi all, new user here. I was getting started on the tutorial, and using the "start searching" page that came up after adding the data successfully, I'm seeing behaviour I don't understand. The search `index="splunktutorial" source="tutorialdata.zip:*" "categoryid=sports"` returns results, but `index="splunktutorial" source="tutorialdata.zip:*" categoryid="sports"` or `index="splunktutorial" source="tutorialdata.zip:*" categoryid=sports` don't return results. To be more confusing, I added the condition `action=purchase` to the search that returned results, and it worked as expected to return results where the action was "purchase". https://docs.splunk.com/Documentation/SCS/current/Search/Quotations The Splunk documentation for quotations says all string literals must be in double quotes, but gives no examples where the field has to be included. Both categoryid and action are classified as strings. Any help understanding what is going on would be appreciated.
Do Splunk ITSI and IT Essentials Work require a paid subscription? Are they available for a Splunk Cloud instance? Splunk Cloud Version: 8.2.2107.2 Enterprise Security Version: 6.6.0
Hello, In the past, I have used the checkbox method to hide panels after opening new ones. In this example, I would like to have a panel disappear after I click on the values in the panel. Currently, my next panel appears on the click, but the existing panel still exists. I'm wondering if there is any way to hide the panel that exists after I click on what I want to pass as the token. XML preferred.
Hello All, We have the Microsoft Log Analytics add-on application installed on the Splunk forwarder, with which we are ingesting all the Azure Log Analytics workspace logs into Splunk. But for a few days we have observed the following pitfalls:

1. Delay in the Azure logs ingestion into Splunk.
2. Duplicate entries of Azure logs.

On investigation, we identified the following connection errors:

```
10-21-2021 13:44:42.789 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-ms-loganalytics/bin/log_analytics.py" raise ConnectionError(err, request=request)
10-21-2021 13:44:42.789 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-ms-loganalytics/bin/log_analytics.py" ConnectionError: ('Connection aborted.', BadStatusLine("''",))
```

Can anyone help us out with the following ask?

1. What is the cause behind this error?
2. How can we resolve this error/issue and get all the Azure logs without delay?
I've created a trial account in Splunk Cloud and I am trying to create an index using the Splunk client C# SDK, and when I try to log in it throws "Unexpected DTD declaration. Line 1, position 3."

```
var service = new Service(new Uri("https://prd-p-8298m.splunkcloud.com"));
service.LogOnAsync("sc_admin", "password").Wait();
```

I tried to change the port to 8089 as well, but this caused the error "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." Any help on this would be appreciated. Thanks in advance
Is there any way to get those header names as field values from lookup files? Please give me any idea with SPL  
Hi, I want to add an image inline with my title, but I am getting it like shown below. Any suggestions on how I can add it inline like below? This is my code:

```
<row>
  <panel>
    <html>
      <h3><img src="/static/app/search/icons/info_icon.png" width="22" align="right" title="Details"/> </h3>
    </html>
    <table>
      <title>BW TR Exception View</title>
      <search>
```
I have a search similar to the following:

```
(Index=myindex) or (index=otherindex) | eval user=coalesce(accountname, id) | mvexpand user | stats values(field1) as field1, values(field2) as field2 by user
```

This gives me the results that I want, but I now want to take the results of this to enrich information from the output by pulling other events from another index. This will then generate an alert, so it is not being done in a dashboard. I could schedule a report and then reference something like a lookup table; that would probably work, but I am trying to make it a bit more dynamic. I would like to maybe use the result from this and enrich it with an LDAP query, but I don't think I can do that. Join is out of the question (limitations etc.), and I can't coalesce any further with other fields as they are in no way similar or even available. Thoughts, and thanks in advance.
What are the differences between the two? ITSI and Splunk Infrastructure Monitoring
Hello experts, I would like to split out the fourth part of the lines below. Please provide your suggestion on whether I can use REGEX for it.

```
Projects/IMGSD-102/Data/abc-NNN/00000000001
Projects/IMGSD-102/Data/abc-NNN/00000000001
Projects/IMGSD-102/Data/abc-NNNN/00000000001
Projects/IMGSD-102/Data/abc-NN/00000000001
Projects/IMGSD-102/Data/abc-N/00000000001
```

Now I need to get the answer as below:

```
abc-NNN
abc-NNN
abc-NNNN
abc-NN
abc-N
```

Kindly provide your suggestion for the same.
Hello All!! I have a deployer with 3 search heads. When I deleted all the apps that I don't need anymore, the deployer replicated fine. Also when I install a new one. But when I try to upgrade an app, it doesn't replicate to the search heads. Any suggestions? Thanks all!
I want to display the heading of my panel, which includes the time from the time picker field.
I have added some custom notable event statuses, say a, b, c. I have modified the transition rules for the "new" status such that the ess_analyst role should not be able to make a transition from new to the a, b and c statuses. But the issue is that while statuses a and b are hidden from the "Edit events" box, c is not, though the transition to status c is still disabled for the analyst. The id for a = 14, b = 15 and c is 10. Please help me understand why I see this behaviour.
Hello, When trying to execute a savedsearch from the UI, it throws an error: "Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'Incident Review - Main': Error while replacing variable name='type_filter'. Could not find variable in the argument map." There is no variable by this name, type_filter, in the query. We are on the latest version of Splunk Cloud, 8.2.x. This search was working fine till yesterday and nothing has changed from our end. The Splunk Cloud team did perform a maintenance for updates last night. How do I resolve this? Any assistance appreciated.
I want to show the count from a host as zero if the process is not found; however, I'm not able to get a 0 count, the host disappears if the process is not found.

```
index=oslogs sourcetype=ps COMMAND="process1" | stats count by host,COMMAND
```

Result:

| host | COMMAND | count |
|---|---|---|
| host1 | java | 12 |
| host2 | java | 3 |
| host4 | java | 4 |

Expected result:

| host | count |
|---|---|
| host1 | 12 |
| host2 | 3 |
| host3 | 0 |
| host4 | 4 |
After launching a search request, Splunk displays the progress bar with an EN message such as the one below: "<n> of <total> events matched". In the FR version, the translated message is: "sur <n>, <total> qui correspondent". This means the EXACT inverse: "<total> of <n> events matched"!! This has to be changed... Thanks, Hervé.