Hi, I have a field (Lastsynctime) which outputs time in the format below: 2021-10-02 09:06:18.173. I want to change the time format to "%d/%m/%Y %H:%M:%S". I tried with the strftime command, which is not working:

    | eval SyncTime=strftime(Lastsynctime,"%d/%m/%Y %H:%M:%S")
I tried to add a simple JS to a dashboard but nothing I tried works. I have Splunk 8.2.1 single instance on Windows. The script is in C:\Program Files\Splunk\etc\apps\<appname>\appserver\static. I restarted the Splunk service several times and clicked the bump button several times. JS is active in my browser and the cache got cleared several times too. When I go to http://127.0.0.1:8000/de-DE/app/<appname>/<dashboardname>/<scriptname> I just get {}

My Dashboard:

    <form script="btnclick.js">
      <label>JS Test</label>
      <init>
      </init>
      <fieldset submitButton="false">
        <input type="text" token="field1">
          <label>field1</label>
          <default>$randInt$</default>
        </input>
      </fieldset>
      <row>
        <panel>
          <html>
            <button id="rand" class="btn btn-primary">Random</button>
            <p> $randInt$ </p>
          </html>
        </panel>
      </row>
    </form>

My JS:

    require([
        "splunkjs/mvc",
        "splunkjs/mvc/simplexml/ready!"
    ], function(mvc) {
        var tokens = mvc.Components.get("default");
        console.log("Test");
        $('#rand').on("click", function() {
            tokens.set("randInt", 2);
        });
    });

Why does it not work?
Hi all, I have a TA deployed using the deployment server. The config files are deployed to different folders in bin and local:

    /opt/splunk/etc/apps/TA/bin/folder/*.conf
    /opt/splunk/etc/apps/TA/local/inputs.conf
    /opt/splunk/etc/apps/TA/bin/*.sh

Where can I add files now locally within the TA that remain untouched and will not be overwritten by the deployment server? Best, N.
I have an alert that should be sent out every day at 8 am and 4 pm, even if there are no results. I can only see the email get sent out sometimes, even if there are fewer results than the trigger. I've sent it out to several different email addresses to make sure there is no email filter that stops it. Splunk version is 8.0.4.1; we are going to upgrade soon, however I would need the alert set up before then. This is my configuration:

    Title: Error Report
    Alert type: Scheduled - Run on Cron Schedule
    Time Range: Last 24 Hours
    Cron Expression: 00 8,16 * * *
    Expires: 60 min
    Trigger alert when: Number of Results is less than 999999
    Trigger: Once
    When Triggered: Email
    Include: Inline Table & Attach CSV

When I check in python.log it says that sendemail:139 was done for all of the alerts. Does anyone know what there can be that is stopping it from working?
Hi there. There is one thing that's not obvious for me. I understand that if I create a non-accelerated datamodel, the searches from the datamodel are converted on the fly to searches on the underlying data and therefore the permissions for the user performing the search should be applied correctly, right? But how about accelerated ones? There are summaries created by the "system" user. Does Splunk check permission to datamodel summaries the same way as it does to raw indexes?

Let's assume I have your typical CIM datamodel Network Sessions. I have a macro cm_Network_Sessions_Indexes defined as "index=internal_juniper OR index=external_cisco". So the CIM Network Sessions datamodel is being created upon events held in two separate indexes (let's say I have two different teams maintaining those two device classes). Now if this datamodel was not accelerated, I assume that my Juniper admin performing a search on it would get only sessions from the internal_juniper index, and vice versa: the Cisco admin would get only sessions from the Ciscos. But what happens when I turn on the acceleration? Will it still work this way? Or will all admins get to see all sessions because they are retrieved from the accelerated summaries, not the underlying indexes?
Hey, we have some 1500 servers where Splunk forwarders are installed. We need the path to find the location of data or logs coming from these servers. Is there a simple way to do that?
Hi, can someone help me with the rex command to extract the string included in the first [] from the pattern below? For example, the strings to extract from the pattern below are Proxy - Zscaler, Teams and Exchange, and they should be extracted under the field "CI_Name":

    [Proxy - Zscaler] [xxxxxxxr] USA US-22 Peer 2
    [Teams] [xxxxxxx] Mexico Login - MX (proxy)
    [Exchange] [xxxxx] Mexico Outlook Send Email - MX (proxy)

Thanks
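The extraction the post asks for is a named capture anchored at the start of the event. Splunk's rex command uses PCRE syntax, where a named group is written (?<name>...), while Python's re module needs (?P<name>...). The added example below is not from the original post or from Splunk; it is a small offline harness that rewrites a rex-style pattern into Python form so the pattern can be checked against constructed sample events before it is pasted into a search. The pattern SPLUNK_REX and the sample lines are assumptions made for this example.

```python
import re
from typing import List, Optional

# Splunk's rex command uses PCRE named groups, (?<name>...); Python's re
# module needs (?P<name>...). Rewrite only the named-group opener and leave
# lookbehinds ((?<= and (?<!) untouched, so a pattern can be tried offline.
def pcre_named_to_python(pattern: str) -> str:
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)

# The pattern as it would be written in the search (example, not from the post):
#   | rex field=_raw "^\[(?<CI_Name>[^\]]+)\]"
# "^" anchors at the start of the event so only the FIRST bracket pair is taken,
# and "[^\]]+" stops at the first closing bracket even when the name has spaces.
SPLUNK_REX = r"^\[(?<CI_Name>[^\]]+)\]"
CI_NAME_RE = re.compile(pcre_named_to_python(SPLUNK_REX))

def extract_ci_name(line: str) -> Optional[str]:
    """Return the text inside the first [...] at the start of the line, else None."""
    m = CI_NAME_RE.match(line)
    return m.group("CI_Name") if m else None

def extract_all(lines: List[str]) -> List[Optional[str]]:
    return [extract_ci_name(line) for line in lines]

# Constructed sample events mirroring the shapes in the post, plus one
# event with no leading bracket to show the anchored pattern declining it.
SAMPLE_EVENTS = [
    "[Proxy - Zscaler] [xxxxxxxr] USA US-22 Peer 2",
    "[Teams] [xxxxxxx] Mexico Login - MX (proxy)",
    "[Exchange] [xxxxx] Mexico Outlook Send Email - MX (proxy)",
    "No bracket at the start [late]",
]

if __name__ == "__main__":
    print("python pattern:", CI_NAME_RE.pattern)
    for line, ci in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(f"{ci!r:20} <- {line}")
```

Python's re and PCRE agree on everything this pattern uses (anchor, negated character class, named group), so a pattern that passes here behaves the same inside rex; the converter only exists because the two engines spell the group name differently.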
Hi, below is my search:

    index=aa sourcetype=bb
    | stats sum(CountOf_True) as True sum(CountOf_false) as false
    | table True False
    | eval comp="Test1"
    | append [| search index=cc sourcetype=dd | eval comp="Test2"]
    | eventstats count as total_count by comp
    | stats count(eval(Status=="True")) as True count(eval(Status=="False")) as False count(eval(Status=="Error")) as "Error" count(eval(Status=="Excluded")) as "Excluded" max(total_count) as total by comp
    | eval "True %"=round((('True'+'Excluded')/total*100),2)
    | eval "False %"=round((('False'+'Error')/total*100),2)
    | sort sort_field
    | fields - sort_field
    | table Comp "True %" "False %"

The result which I get is:

    Comp    True %    False %
    Test1   0         0
    Test2   93.00     7.00

I have to get the actual % for Test1 too. I am getting "0". Not sure whether my append is wrong with stats sum(). Please can anyone give me the right way to get the values for the above search.
Hi, we use Splunk DB Connect to pull the DB logs. What will be the impact if we poll the DB every minute from Splunk? Is there a way to find the impact?
Hi everyone, I created a custom Splunk app, and when using the (unmodified) search dashboard within the app to produce a table, it is text-wrapping most of the fields, i.e. single-row fields are appearing on multiple lines. When I run the exact same search (literally copied and pasted) in the "Search and Reporting" app, the fields are not word-wrapped and show on single lines as expected. Is there a setting somewhere that I need to enable/disable in my app settings so that when running a search to produce a table in the Search dashboard, it expands the field width, like it does in the Search and Reporting app? Screenshots below. I basically want my search results in the custom app (first pic) to look like the search results in the Search and Reporting app (second pic), hopefully via a setting or something.

[Screenshot: Custom App Search]

[Screenshot: Search and Reporting Search]

Thanks in advance.
How can I delay the trigger of the email alert to, let's say, 5 minutes? Example: the alert detected response_code=500, but I would like the email alert to trigger on the 5th minute if the response_code is still the same (500). Is it possible? Thanks!
Hi, I am receiving DB Connect logs into Splunk, but the user wants the logs to be in MKV format. Is there a setting to parse the logs in MKV format? In the DBX box we had the option to output the logs in MKV format; I am not finding a similar setting in the DB Connect app.
Hi Team, I am trying to extract a few reports from the user agent, like below:

    OS details
    OS version
    Browser
    Browser Version
    Operating System
    Operating System Version
    Mobile device

Currently I am using eval (if & case) to generate the report; however, it is a very manual process and more time consuming. Please find below the command as an example. Can anyone help me with how to use the lookup command?

Sample if & case:

If:

    Device=if(match(cs_user_agent, "iPhone"),"iPhone",if(match(cs_user_agent, "Macintosh"),"iPhone",if(match(cs_user_agent, "iPad"),"iPhone",if(match(cs_user_agent, "Android"),"Android",if(match(cs_user_agent, "Win64"),"Windows",if(match(cs_user_agent, "14092"),"Windows",if(match(cs_user_agent, "Windows"),"Windows",if(match(cs_user_agent,"SM-"),"Android",if(match(cs_user_agent,"CPH"),"Android",if(match(cs_user_agent,"Nokia"),"Android",if(match(cs_user_agent,"Pixel"),"Android",if(match(cs_user_agent,"TB-"),"Android",if(match(cs_user_agent,"VFD"),"Android",if(match(cs_user_agent,"HP%20Pro%20Slate"),"Android",if(match(cs_user_agent,"VOG-L09"),"Android",if(match(cs_user_agent,"YAL-L21"),"Android",if(match(cs_user_agent,"ATU-L22"),"Android",if(match(cs_user_agent,"MAR-LX1A"),"Android",if(match(cs_user_agent,"RNE-L22"),"Android",if(match(cs_user_agent,"INE-LX2"),"Android",if(match(cs_user_agent,"AMN-LX2"),"Android",if(match(cs_user_agent,"LYO-LO2"),"Android",if(match(cs_user_agent,"DRA-LX9"),"Android",if(match(cs_user_agent,"LYA-L29"),"Android",if(match(cs_user_agent,"ANE-LX2J"),"Android",if(match(cs_user_agent,"STK-L22"),"Android",if(match(cs_user_agent,"EML-AL00"),"Android",if(match(cs_user_agent,"BLA-L29"),"Android",if(match(cs_user_agent,"X11"),"Linux",if(match(cs_user_agent,"LDN-LX2"),"Android",if(match(cs_user_agent,"TB3-"),"Android",if(match(cs_user_agent,"5033T"),"Android",if(match(cs_user_agent,"5028D"),"Android",if(match(cs_user_agent,"5002X"),"Android",if(match(cs_user_agent,"COR-"),"Android",if(match(cs_user_agent,"MI%20MAX"),"Android",if(match(cs_user_agent,"WAS-LX2"),"Android",if(match(cs_user_agent,"vivo"),"Android",if(match(cs_user_agent,"EML-L29"),"Android",if(match(cs_user_agent,"Moto"),"Android",if(match(cs_user_agent,"MMB"),"Android",if(match(cs_user_agent,"Redmi%20Note%208"),"Android",if(match(cs_user_agent,"M2003J15SC"),"Android",if(match(cs_user_agent,"MI%20MAX"),"Android",if(match(cs_user_agent,"Nexus"),"Android",if(match(cs_user_agent,"ELE-L29"),"Android",if(match(cs_user_agent,"Redmi%20Note%204"),"Android",if(match(cs_user_agent,"rv:89.0"),"Android",if(match(cs_user_agent,"VKY-L09"),"Android",if(match(cs_user_agent,"SmartN11"),"Android",if(match(cs_user_agent,"A330"),"Android",if(match(cs_user_agent,"LM-"),"Android",if(match(cs_user_agent,"G8341"),"Android",if(match(cs_user_agent,"INE-AL00"),"Android",if(match(cs_user_agent,"Mi"),"Android",if(match(cs_user_agent,"CLT"),"Android",if(match(cs_user_agent,"Android"),"Android",if(match(cs_user_agent,"BV9700Pro"),"Android",if(match(cs_user_agent,"5024I"),"Android",if(match(cs_user_agent,"MEIZU"),"Android",if(match(cs_user_agent,"Linux%20X86_64"),"Linux","OTHER")))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

Case:

    Brand=case(
        match(cs_user_agent, "CPH"),"Oppo",
        match(cs_user_agent, "SM-"),"Samsung",
        match(cs_user_agent, "VFD"),"Vodafone",
        match(cs_user_agent, "VFD"),"Vodafone",
        match(cs_user_agent, "VOG"),"Huawei",
        match(cs_user_agent, "ELE"),"Huawei",
        match(cs_user_agent, "CLT"),"Huawei",
        match(cs_user_agent, "EML"),"Huawei",
        match(cs_user_agent, "LYA"),"Huawei",
        match(cs_user_agent, "EVR"),"Huawei",
        match(cs_user_agent, "BLA"),"Huawei",
        match(cs_user_agent, "DRA"),"Huawei",
        match(cs_user_agent, "LDN"),"Huawei",
        match(cs_user_agent, "YAL-L21"),"Huawei",
        match(cs_user_agent, "ATU-L22"),"Huawei",
        match(cs_user_agent, "MAR-LX1A"),"Huawei",
        match(cs_user_agent, "X11"),"Linux",
        match(cs_user_agent, "INE-LX2"),"Huawei",
        match(cs_user_agent, "AMN-"),"Huawei",
        match(cs_user_agent, "RNE-L22"),"Honor",
        match(cs_user_agent, "LYO"),"Huawei",
        match(cs_user_agent, "ANE"),"Huawei",
        match(cs_user_agent, "STK"),"Huawei",
        match(cs_user_agent, "BLA"),"Huawei",
        match(cs_user_agent, "TB3-"),"Lenovo",
        match(cs_user_agent, "5033T"),"Alcatel",
        match(cs_user_agent, "5028D"),"Alcatel",
        match(cs_user_agent, "5002X"),"Alcatel",
        match(cs_user_agent, "iPhone"),"iPhone",
        match(cs_user_agent, "20Win64"),"Desktop",
        1=1,"other")
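The nested if()/case() chain above is really an ordered table: each row is a substring to look for and the device/brand to assign, and the first row that matches wins. Keeping that table as data instead of code is what makes a lookup practical, and it also makes the ordering problem visible (a short generic needle such as "Mi" or "Android" must come after the specific model prefixes, or it shadows them). The example below is added here and is not from the original post or from Splunk: it holds a small constructed rule table, applies it first-match over a user agent (which is client-supplied input, so there is always an explicit fallback row), and writes the same table out as a CSV with wildcard patterns ready to be loaded as a lookup. The rule entries, sample user agents and column names are assumptions made for this example.

```python
import csv
import io
from typing import Dict, List, Tuple

# Ordered rule table: (substring to find, device, brand). Order matters because
# the first matching rule wins, so specific model prefixes sit above generic
# words such as "Android". Entries are constructed for this example.
RULES: List[Tuple[str, str, str]] = [
    ("iPad",      "iPad",    "Apple"),
    ("iPhone",    "iPhone",  "Apple"),
    ("Macintosh", "Mac",     "Apple"),
    ("SM-",       "Android", "Samsung"),
    ("CPH",       "Android", "Oppo"),
    ("VOG-L09",   "Android", "Huawei"),
    ("Pixel",     "Android", "Google"),
    ("Android",   "Android", "other"),      # generic, after the model rows
    ("Windows",   "Windows", "Desktop"),
    ("X11",       "Linux",   "Desktop"),
]

FALLBACK = {"device": "OTHER", "brand": "other"}

def classify(user_agent: str) -> Dict[str, str]:
    """First-match lookup over RULES; same semantics as the nested if()/case()."""
    for needle, device, brand in RULES:
        if needle in user_agent:              # plain substring, like match() on a literal
            return {"device": device, "brand": brand}
    return dict(FALLBACK)                     # never leave client input unclassified

def to_lookup_csv(rules: List[Tuple[str, str, str]] = RULES) -> str:
    """Emit the rule table as CSV with wildcard patterns for a lookup file."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ua_pattern", "device", "brand"])
    for needle, device, brand in rules:
        writer.writerow([f"*{needle}*", device, brand])
    return buf.getvalue()

# Constructed sample user agents.
SAMPLE_UAS = [
    "Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36",
    "Mozilla/5.0 (iPad; CPU OS 14_0 like Mac OS X) AppleWebKit/605.1.15",
    "Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/89.0",
    "curl/8.0.1",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(classify(ua), "<-", ua)
    print(to_lookup_csv())
```

The CSV this produces has one row per rule with ua_pattern values such as *SM-*; loaded as a CSV lookup in Splunk with match_type = WILDCARD(ua_pattern) and max_matches = 1 in transforms.conf, the lookup returns the first matching row in file order, which reproduces the first-match behaviour of classify(). Because rows are data, adding a new handset is an edit to the CSV rather than to a sixty-deep expression.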
Good day. As mentioned in the subject, I want to retrieve results from 2 searches, both containing JOIN. The purpose of this is to join search results on different time ranges (i.e. now, and 1 day ago). I used multisearch. However, I am getting this error:

    Error in 'multisearch' command: Multisearch subsearches might only contain purely streaming operations (subsearch 1 contains a non-streaming command).

I also/already tried append, but I am not getting the results of the 2nd main search, just the first one (i.e. count_ago has values, but not count_now). I placed the | append in between the 2 main searches. To, hopefully, be clearer, here's my actual search using multisearch with comments:

    | multisearch
        `comment("1st main search")`
        [ search index="<index>" earliest=-0d@d latest=now
          | rename <join_field> as tmp
          | join tmp [ search index=<other_index> | table <ret_id> ]
          | where <ret_id>=<some_value>
          | eval key="now"
          | stats list(<vals>) as <vals>
          | eventstats count(<vals>) as count_vals by <group_name>
          | sort -count_vals
          | head 20
          | eval count_now=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals)) ]
        `comment("2nd main search")`
        [ search index="<index>" earliest=-1d@d latest=-0d@d
          | rename <join_field> as tmp
          | join tmp [ search index=<other_index> | table <ret_id> ]
          | where <ret_id>=<some_value>
          | eval key="ago"
          | stats list(<vals>) as <vals>
          | eventstats count(<vals>) as count_vals by <group_name>
          | sort -count_vals
          | head 20
          | eval count_ago=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals)) ]
    | fields <group_name>, count_now, count_ago

This is my code for using append:

    `comment("1st main search")`
    index="<index>" earliest=-0d@d latest=now
    | rename <join_field> as tmp
    | join tmp [ search index=<other_index> | table <ret_id> ]
    | where <ret_id>=<some_value>
    | eval key="now"
    | stats list(<vals>) as <vals>
    | eventstats count(<vals>) as count_vals by <group_name>
    | sort -count_vals
    | head 20
    | eval count_now=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals))
    | append `comment("2nd main search")`
        [ search index="<index>" earliest=-1d@d latest=-0d@d
          | rename <join_field> as tmp
          | join tmp [ search index=<other_index> | table <ret_id> ]
          | where <ret_id>=<some_value>
          | eval key="ago"
          | stats list(<vals>) as <vals>
          | eventstats count(<vals>) as count_vals by <group_name>
          | sort -count_vals
          | head 20
          | eval count_ago=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals)) ]
    | fields <group_name>, count_now, count_ago

Does anybody have ideas on how to do this correctly? Thanks a lot in advance!
Hi, I am ingesting JSON data using the log2metrics_json sourcetype into a metrics index. Everything is working fine when the JSON is ingested from a file, but when the JSON is received over UDP, I am getting errors like this:

    INFO MetricSchemaProcessor [665036 typing] - channel confkey=source::udp:5514|host::1.1.1.1|log2metrics_json| has an event with no measure, will be skipped.
    WARN IndexProcessor [664977 indexerPipe] - The metric event is not properly structured, source=5514, sourcetype=log2metrics_json, host=1.1.1.1, index=j2m. Metric event data without a metric name and properly formatted numerical values are invalid and cannot be indexed. Ensure the input metric data is not malformed, have one or more keys of the form "metric_name:<metric>" (e.g. "metric_name:cpu.idle") with corresponding floating point values. raw=

What could be the root cause? Why is there this error when the source is UDP, but it works fine when read from a file?
Hello dears, I have switches, IP addresses and ports, and I want a list of the users which are connected to the ports. The user information is in a lookup file named list.csv; list.csv contains:

    ip,port,user

The lookup command takes its input field pairs separated by commas, not AND:

    <base_search>
    | lookup list.csv ip AS host, port AS if_name OUTPUT user
    | stats count by host,if_name,user
Hi, I am trying to change/control many multi-select dropdowns by one Master multi-select dropdown value/checks. So I am trying to use more than one value in the set-token tag. But it is not working: if I give 2 values in the set-token tag, then they get merged, but if I give a single value then it is working fine. I tried multiple ways like double quotes, single quotes, and many symbols, but I could not find the solution. Please find the example below and help me to find a solution.

    <set token="form.Filter1"> "rejected" , "new" </set>

The output will be like below:

[Screenshot: merged selection]

But the expectation is like below:

[Screenshot: separate selections]

Example in the multiselect code:

    <input type="dropdown" token="MasterFilter_Token">
      <label>MasterFilter</label>
      ...,
      <change>
        <condition>
          <set token="form.Filter1"> "new", "rejected", "closed" </set>
          ...,
        </condition>
      </change>
      ...,

@token1 @Anonymous @splunk
Hi, I have an XML file like this; how can I table it with xpath or spath?

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <info xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <error-codes>
        <error-code code="000" message="Exceeded" severity="1" InfoCode="0000" action="" description=""/>
        <error-code code="001" message="Not Found" severity="1" InfoCode="0000" action="" description=" nope"/>
      </error-codes>
    </info>

Expected output:

    ....  | table code message severity InfoCode action description
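The table the post wants is one row per error-code element with each XML attribute becoming a column. The example below is added here and is not from the original post or from Splunk; it parses a constructed copy of the posted document with Python's standard xml.etree, walks the error-codes/error-code path, and returns the rows as dictionaries keyed by the six requested column names, then renders them as a padded text table. The column list and the sample document are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Requested output columns, in the order of the post's "| table ..." line.
COLUMNS = ["code", "message", "severity", "InfoCode", "action", "description"]

# Constructed copy of the document shown in the post.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<info xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <error-codes>
    <error-code code="000" message="Exceeded" severity="1" InfoCode="0000" action="" description=""/>
    <error-code code="001" message="Not Found" severity="1" InfoCode="0000" action="" description=" nope"/>
  </error-codes>
</info>
"""

def error_code_rows(xml_text: str) -> List[Dict[str, str]]:
    """One dict per <error-code>, keyed by COLUMNS; missing attributes become ''."""
    root = ET.fromstring(xml_text.encode("utf-8"))   # bytes, so the encoding decl is honoured
    rows = []
    for el in root.iterfind("./error-codes/error-code"):   # path relative to <info>
        rows.append({col: el.get(col, "") for col in COLUMNS})
    return rows

def render_table(rows: List[Dict[str, str]], columns: List[str] = COLUMNS) -> str:
    """Pad every column to its widest value so the rows line up as a text table."""
    widths = {c: max(len(c), *(len(r[c]) for r in rows)) for c in columns}
    header = "  ".join(c.ljust(widths[c]) for c in columns)
    body = ["  ".join(r[c].ljust(widths[c]) for c in columns) for r in rows]
    return "\n".join([header, *body])

if __name__ == "__main__":
    print(render_table(error_code_rows(SAMPLE_XML)))
```

Two practical notes: attribute values keep their exact whitespace, so description=" nope" comes back with its leading space and is worth trimming before it is compared or counted, and the standard library parser offers no protection against hostile XML (entity expansion bombs, for instance), so for documents received from outside the organisation the same code should run on the defusedxml drop-in rather than xml.etree directly.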
How do I replace the value of a field by "Good" if the value is less than 0.02?

    Value   Key   date
    0.02    1     1/1/2017
    0.02    1     1/2/2017
    0.05    1     1/3/2017
    0.02    1     1/4/2017
    0.02    1     1/5/2017
    0.02    1     1/6/2017

Suppose the value is less than 0.02; I want to replace the value with the string "Good":

    Value   Key   date
    Good    1     1/1/2017
    Good    1     1/2/2017
    0.05    1     1/3/2017
    Good    1     1/4/2017
    Good    1     1/5/2017
    Good    1     1/6/2017
I have installed Splunk on a Linux server and made all the verifications to make sure it's working. However, when I go to the browser, the web page will not load.