One of our employees left the company. Now all reports & alerts owned by him are not visible in Splunk. We have Splunk 7.3.3 in our environment. How can I search those alerts/reports, as they are very important for us and we modify those alerts/reports periodically? Regards, Nilesh
Hello, I have struggled with alerting on a specific search I've made.

EVENT_TYPE="Login" LOGIN_STATUS=*
    [search EVENT_TYPE="Login" LOGIN_STATUS="LOGIN_ERROR_PASSWORD_LOCKOUT"
     | stats count by USER_ID
     | table USER_ID]
| stats latest(LOGIN_STATUS) AS LOGIN_STATUS latest(USER_NAME) AS USER_NAME latest(UserAccountId) AS "Account Id" latest(USER_TYPE) AS "User Type" latest(TIMESTAMP) AS "Time stamp" by USER_ID
| where LOGIN_STATUS="LOGIN_ERROR_PASSWORD_LOCKOUT"

This results in the following. I have tried "number of results > 0", "search USER_ID > 0", and using field tokens such as $RESULT.userid$ > 0. Does anyone know how I can edit my search or trigger condition so it actually triggers when I receive results?
I am on the cluster master, in the Bucket Status tab. I see the number of "fixup tasks pending"; for everything the status is "Cannot fix search count as the bucket hasn't rolled yet". I tried selecting the action and clicking Roll, but it is not working. Any suggestions? Does restarting the cluster master help? I see SF and RF are met and the data is searchable, but still these bucket fixup tasks are present and the number keeps increasing.
Hello. If our Enterprise Splunk license expired and we disabled our ingest, so no license violations were received, would Splunk historical data still be fully searchable, WITHOUT applying a free license or applying another Enterprise license? Thanks.
Hello, regarding https://docs.splunk.com/Documentation/Splunk/8.2.2/ReleaseNotes/FixDatetimexml2020: in case we upgrade the Splunk version, does /etc/datetime.xml still have lower priority than the pushed patch app on SHC/IDXC/UFs? Looking at https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Wheretofindtheconfigurationfiles, I understand /etc may be the lowest priority? How do you handle it if you keep v7 universal forwarders and upgrade the servers to version 8.2.2? Thanks.
Hi, what is the rex for the error number and the error message of this log (separately)?

23:43:51.411 app module: 100:  Not Found!

error number = 100
error message = Not Found!

Thanks
Hi, I am new to Dashboard Studio. How do I create a drilldown from a bar chart to a single value chart dynamically in Dashboard Studio? The bar chart has sourcetype (Pass, fail, error) counts on the y-axis and count on the x-axis. The single value chart has to show independent counts of Pass, fail, error upon selection in the bar chart.
Hi all, I have indexer clusters at multiple sites, but common search heads. I want to remove certain indexes which hold no data. How can I find in which indexer cluster's indexes.conf the entries for those indexes are present? Also, in which deployment app of which indexer is the related monitoring stanza present? Is there any REST API command to get the details? Thanks in advance
Query to see which application has followed which integration method to onboard the data on Splunk Cloud, like HEC, TCP, DB Connect.
I have a lookup table with a few fields (FirstSeenDate, LastSeenDate, IP, etc.). I have a search created to show me the top 10 events in the table by count. What I want to do is add a part to the search to filter out anything that is older than 90 days in the FirstSeenDate column.
Using fetch in ReactJS:

fetch('https://[SUBDOMAIN].splunkcloud.com:8088/services/collector/event/1.0', {
  method: 'POST',
  headers: {
    'Access-Control-Allow-Origin': 'application/json',
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'OPTIONS, GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control',
    Accept: 'application/json',
    'Content-Type': 'application/json',
    Authorization: 'Splunk [TOKEN]'
  },
  body: JSON.stringify({
    sourcetype: '_json',
    index: 'main',
    host: 'mydata2',
    event: { foo: 'bar3', b: ['value1_3', 'value1_4'] }
  })
})
  .then((res) => res.json())
  .then((json) => {
    // eslint-disable-next-line no-console
    console.log('json---->', json);
  });

Using splunk-logging in ReactJS:

import * as SplunkLogging from 'splunk-logging';

const SplunkLogger = SplunkLogging.Logger;
const config = {
  token: [TOKEN],
  url: '[URL]:8088'
};
// eslint-disable-next-line no-var
const Logger = new SplunkLogger(config);
Logger.requestOptions.strictSSL = true;
// eslint-disable-next-line no-var
const payload = {
  // Message can be anything; doesn't have to be an object
  message: {
    temperature: '70F',
    chickenCount: 500
  }
};
console.info('Sending payload', payload);
Logger.send(payload, function (err, resp, body) {
  // If successful, body will be { text: 'Success', code: 0 }
  console.info('Response from Splunk', body);
});
Hi, I need to call JS from an <a> anchor tag; can someone please help?

<div id="showMoreRecords" align="right">
  <a>Show More Records</a>
</div>

JS file code:

require([
  'underscore',
  'backbone',
  '../app/monitorPro/components/ModalView',
  'splunkjs/mvc',
  'splunkjs/mvc/searchmanager',
  'splunkjs/mvc/simplexml/ready!'
], function(_, Backbone, ModalView, mvc, SearchManager) {
  var order = mvc.Components.get("showMoreRecords"); // getting error here
  var tokens = mvc.Components.getInstance("submitted");
  var poNumber = tokens.get("PONumber_ord");
  var detailSearch = new SearchManager({
    id: "detailSearch",
    earliest_time: "0",
    latest_time: "",
    preview: true,
    cache: false,
    search: 'index=testIndex source="testsource" PONumber=$PONumber_ord$ |table PONumber,CustomerName,RequestDate,shipperTimestamp'
  }, {tokens: true, tokenNamespace: "submitted"});
  order.on("click", function(e) {
    e.preventDefault();
    var modal = new ModalView({
      title: poNumber,
      search: detailSearch
    });
    modal.show();
  });
});
Hello Splunkers, I am using this add-on (https://splunkbase.splunk.com/app/5037/) to create a ticket in Jira as an alert action. But after the setup, giving the JIRA URL and credentials, it gives an error for this query: index=_internal sourcetype=splunkd component=sendmodalert
Hi all, actually in our Splunk environment there was no test environment before, and now it is present, so I need to replicate all the alerts, dashboards and reports present in production to the test environment. I didn't have access to the backend environment of Splunk. Is there any smarter way to do that instead of cloning each and every alert? Waiting for a response. Thanks in advance.
Hi, I have several files on an AWS S3 bucket and I have configured an input to get data from these files. Is there a way to make Splunk process them without unzipping them manually? I use Splunk Enterprise 8.2.2.1 and the AWS plugin. Thanks for your help, Saïd
I need a way to evaluate a simple math expression. The following query works, and expr evaluates to result with a value of 44.

| makeresults
| eval result= [| makeresults count=1 | noop | head 1 | eval expr = "1*2+3*4+5*6" | return $expr]

But I need to make the following type of query work.

| gentimes start=-1
| eval expr = "1*2+3*4+5*6"
| table expr, $expr

Is there a way to do this? Thanks.
Dear all, is it possible to display a "yes" or "no" pop-up window before performing a search from a dashboard drilldown? To prevent operational mistakes, I would like to stop opening the search SPL if there is a problem.
Hi team, I am using the below query to display the values of perc25, perc50, perc75 and perc95 of the 'latency' field for different subscribers.

<base query> | chart perc25(latency) perc50(latency) perc75(latency) perc95(latency) by subscriber

The chart Splunk returned is below, but it is not what I want. My expected chart is below. I want:
1. 25, 50, 75 and 95 as the rating scale of the x-axis, instead of subscribers.
2. The y-axis to display the values returned by perc25, perc50, perc75 and perc95.
3. Subscribers as legends, instead of perc25, perc50, perc75 and perc95.

How do I get this chart?
Hi team, thanks for your reply! My question was: I have an F5 WAF device and we have configured the F5 WAF to send logs to a syslog server (which is Splunk) on port 514. Now I want to know, if my device is sending logs to Splunk (syslog), then which type of forwarder is my WAF device? In this case will my WAF be a UF or HF or something else? Regards, Suraj
I want to get the below installer: splunk-add-on-for-unix-and-linux_523.tgz. It seems to be the same add-on as the below URL, because the downloaded file name for version 8.3.0/8.3.1 is similar to the add-on installer name I want. https://splunkbase.splunk.com/app/833/ I also checked the release history, but I was not able to find a way of getting past add-on files. Maybe the install file for 5.2.3 is too old and Splunk won't support it. If there is a way to get past released install files, please share it with me. Thank you!