Hi, Say we have an action (let's call it Action1) that returns this under data:

[ {"type": "type1", "target": "target value1"}, {"type": "type2", "target": "target value2"} ]

I want to pass the target to another action (Action2) as a parameter, so I use the action_result.data.*.target datapath to do it. The action returns this:

[ {"result_from_action": "result_for target value1"}, {"result_from_action": "result_for target value2"} ]

Each row corresponds to the input row. We have a third action (let's call it Action3) that accepts two parameters - the type from Action1 and the result_from_action from Action2, so I pass:
- action_result.data.*.type from Action1
- action_result.data.*.result_from_action from Action2

I want Action3 to be executed 2 times - for the two pairs "type1", "result_for target value1" and "type2", "result_for target value2" - but in reality the action will be executed 4 times, for all the possible permutations. I understand why this is happening, but I'm curious if there's a good way to force the platform to do what I need (without using custom functions to build another list and use it as input). Thanks!
I am trying to integrate Dashboard Studio with our external app using Splunk React components. I am able to see graphs and other components. The only problem is the time range component, which is giving the following error: "Cannot access splunkweb." Below is my definition.json:

{
  "visualizations": {},
  "dataSources": {},
  "inputs": {
    "input_1": {
      "type": "input.timerange",
      "title": "Select Time",
      "options": {
        "defaultValue": "-5m,now",
        "token": "trp"
      }
    }
  },
  "layout": {
    "type": "absolute",
    "options": {},
    "structure": [],
    "globalInputs": [
      "input_1"
    ]
  },
  "description": "",
  "title": "TRP Input Dash"
}

Thanks, Shailendra
I am trying to get the 14-day free trial for Splunk Cloud and keep getting the "An internal error was detected when creating the stack" error. I saw that this has been an issue for several other people. How do I get this trial? I need it for a school assignment.
I have the following situation: queryA returns correlations AAA BBB CCC DDD; queryB returns correlations AAA CCC EEE. The expected result is the queryA events with correlations AAA and CCC. I need a query that compares the correlation field between them and, if they are equal, shows me the queryA events. Thanks
I am currently using a lookup to find matching IDs in my data. The lookup table is about 400k rows, and if I use inputlookup with a join or append there is a limit to the number of rows that is searched for from the lookup table. I am now using just the command "lookup" to find the matching data and it works without any truncating warnings, but I'm wondering if there is a limit for this command similar to subsearches. I can't seem to find anything in the lookup documentation. Sample search:

index=some_index | lookup users_list.csv ID OUTPUTNEW username

I output a new variable so that I can do "search username=*", since username is a new field and that will give me only matching IDs in my lookup table.
I need to modify the limits.conf for an index cluster. My question is, if I modify /$Splunk/etc/system/local/limits.conf, can this be done on the cluster manager and pushed out, or does this need to be modified on the individual indexers themselves?
First Event

INFO | 2021-10-18 05:17 AM | BUSINESS RULE | Payload for ID#: 40658606156551247672591634534230307 with status Approved is published

Second Event

msg: INFO | 2021-10-14 10:38 PM | Message consumed: {"InputAmountToCredit":"22.67","CurrencyCode":"AUD","Buid":"1401","OrderNumber":"877118406","ID":"58916"}

I want to have the sum of InputAmountToCredit based on status. Status can vary across different statuses, and ID is the common field for both events. What is the best way to sum the amount with the same status for a specified timeframe? Thanks for all the support.
I need to index a file: /var/log/file.txt. This file runs every day, but sometimes the content doesn't change. This leaves me with no events on days that remain the same. I need it to index every time the timestamp changes on the file. I believe I need to add crcSalt = <SOURCE> to the inputs.conf in order to reindex it. However, my inputs monitor all files in /var/log. So if I add that to that input monitor, it would likely apply to all files in /var/log, reindexing them all every time, something I don't want. How can I reindex just this file daily while leaving the other files in the directory unchanged? Many thanks
I am trying to extract the messages of a commonly used error log:

Creating review recommendations service case activity with errorMessage:  example message one here
Creating review recommendations service case activity with errorMessage:  example message two over here

I want to do some graphing of the counts of each individual message, so I would like to extract the string and do stats count by message. I'm having trouble extracting the string. How do I do this cleanly? The goal would be to have results for:
"example message one here": X number of results
"example message two over here": Y number of results
Hi All, We wanted to do a POC for our client and wanted to ingest OpenTelemetry data (logs and traces) into Splunk, and I have the following questions:
- Is it possible to do this with a Splunk Enterprise trial license? Or do we need to buy the Splunk Observability module to monitor the OpenTelemetry data?
- Can we use the universal forwarder to collect the logs and traces, or do we need to have the Splunk OpenTelemetry Connector?
- Please share a link or document on ingesting OpenTelemetry logs into Splunk.
Hello, I am trying to extract the system IDs from a single event into multiple events; I mean that each SID is on a separate line. I tried to deploy a regex for this, without success. Could anyone perhaps help with the below? Kind Regards, Kamil

| makeresults | eval SID="I32 DYR DZ1 MHW DYN I58 ICZ ICN I69 I8Y IAE I6J I71 SLG I9Z I7T I7Z I5Y I5U I5T I3I I3G TCX I5O DZX DZC DYQ DYO DYM OGO OJ8 OK8 OKQ OKX DXF DYE DYF SS4 QMW I24 R9H O67 OP0 SP9 I4I I4M" | rex field=SID "^(?<SID2>[^\r\n].+)"
Hi Team, I've created a Splunk dashboard and I'm able to see the data. I have also created a few users and given them the permissions (admin) to see the dashboard data. But somehow the users are able to see the dashboard but unable to see the data inside the dashboards. Other users are able to see the data coming from the index by searching manually but are unable to see the data in the dashboard which was created by the admin user. Can you please guide me if I'm missing anything?
Hey Splunkers, I am quite new to Splunk and want to create a heat map that displays average values per hour grouped per day over a week. Below you can see what I got so far. My problem is that the columns and rows seem to be inverted and that the current y-axis shows values from 6 to other instead of 1 to 24 hours. Can anyone lend me a hand with this? Thanks in advance, Nico. EDIT: What I am looking for should look somewhat like this:
Hi All, We have configured multiple inputs in our Splunk IDM layer and a few of them are Microsoft add-ons. Each of these add-ons has multiple inputs with varied time frequencies to pull data from Azure resources. Hence, we would like to know the limit on configuring the inputs, or the limit on the apps & add-ons that can be installed in the Splunk IDM layer. Also, we would like to know if the performance can be monitored by us through some means? Thanks!
Good Morning, I am using the http_poller Logstash input filter to connect to the AppDynamics OAuth API, which I will then use to pass to the http filter plugin to retrieve AppDynamics REST API metric data to insert into Elasticsearch. My Logstash http_poller configuration is:

```
input {
  http_poller {
    urls => {
      AppDynamics => {
        method => post
        url => "https://*appdynamics-test-account*/controller/api/oauth/access_token"
        headers => {
          "Accept" => "application/json"
          "Content-Type" => "application/vnd.appd.cntrl+protobuf;v=1"
          "Authorizations" => "*AppDynamics bearer token*"
          "grant_type" => "client_credentials"
          "client_id" => "Stage-CurlTest"
          "client_secret" => "*AppDynamics Client Secret*"
        }
      }
    }
    request_timeout => 60
    schedule => { every => "1h" }
    codec => "json"
    metadata_target => "appd-token"
    type => "AppDynamics"
  }
}
```

I am getting the following error response when the poller tries to connect to AppDynamics:

```
{
  "type": "AppDynamics",
  "@timestamp": "2021-10-18T14:02:11.191Z",
  "appd-token": {
    "request": {
      "method": "post",
      "url": "https://*appdynamics-test-account*/controller/api/oauth/access_token",
      "headers": {
        "Authorizations": "AppDynamics Bearer Token",
        "grant_type": "client_credentials",
        "client_secret": "`AppDynamics Client Secret`",
        "client_id": "Stage-CurlTest",
        "Content-Type": "application/vnd.appd.cntrl+protobuf;v=1",
        "Accept": "application/json"
      }
    },
    "response_headers": {
      "x-content-type-options": "nosniff",
      "x-frame-options": "SAMEORIGIN",
      "x-xss-protection": "1; mode=block",
      "connection": "keep-alive",
      "server": "AppDynamics",
      "date": "Mon, 18 Oct 2021 14:02:10 GMT"
    },
    "runtime_seconds": 0.36,
    "host": "SAPPLOG03",
    "name": "AppDynamics",
    "response_message": "Not Acceptable",
    "code": 406,
    "times_retried": 0
  },
  "@version": "1",
  "tags": [
    "_httprequestfailure"
  ]
}
```

I am new to both the http_poller filter and the AppDynamics Metric REST API, so I am not sure what I have configured wrong. I have also posted to the Elastic Community forum.
I have removed any account-specific information for security reasons, so if any additional information would be helpful, let me know and I'll get it for this post. Thanks, Bill
Hi, I created an app using the Add-on Builder v4.0.0 to use custom alert actions on Splunk. I created two Add-on Setup parameters: username and password. When I enter the information in these fields and click on the "Save" button, it seems that this information was not saved (no UI changes), and if I close and re-open the UI some fields are not filled. This same app was working on the previous version of the Add-on Builder and the fields were being filled. However, it seems that this info is being saved in the .conf files. In the attachment there is a screenshot with the "password" field not being filled when I re-opened the UI screen. Could someone help me? I am using Splunk version 8.2.1 and tried with different web browsers. Thanks.
On the output I get the result with users. The username is similar to the name of the mail. How do I call the username variable in the sendemail command?

username abc abc1 abc2
John 1 2 3
Smith 3 1 2
Georgy 2 3 1

| sendemail to="$username$@gmail.com" sendresults=true subject="Test sub" message="message"

error

command="sendemail", {u'@gmail.com': (501, '5.1.3 Invalid address')} while sending mail to: @gmail.com

In the output, the variable takes the username, gets everyone's name and sends a message to everyone. And is it possible to make everyone get only their own line of output? Thanks!!!
Hello, I don't succeed in rounding the field ResponseTime, which is a decimal field with a point instead of a comma.

index=tutu | eval web_duration_ms=round('web_duration_ms', 0) | timechart avg(web_duration_ms) as ResponseTime by Url

What is wrong, please?
I would appreciate any help in preventing license usage warnings. One item I thought of was to create a dashboard of index data & license utilization. What other items do I need to watch to prevent license usage warnings, please? Thank you in advance.
I have a field named Sec_field. I want to know the list of dashboards that are using this field <Sec_field>. Is it possible to get this using SPL?