All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Need direction or information on any ways, like Apps or TAs, to work with and pull logs from Cloud.gov. I am new at cloud.gov stuff. I appreciate any help. We have Splunk Ent. + ES in our environment.
Hi, I have set up the forwarder; however, I get the following when I try to run commands: What am I missing, and what would the commands be to add them into Raspberry Pi OS (32-bit), newest version? I used the ARM version listed as the newest version. Or should I find other Linux versions?
| rex field=_raw "(?<dscvIP>[^\.]\d+\.\d+\.\d+\.\d+[\s|\:])"

Using the above rex command to try to capture IP addresses, and it works most of the time, but I still get a few false positives for ESX log entries that contain the following:

Rcv-tx-10.20.30.45.78.80

The rex field captures 30.45.78.80 as the dscvIP field. I thought that by adding the [^\.] to the beginning of the regex match it would not capture a string matching the IP syntax that had a period (.) immediately preceding the string. And I also thought this string would be skipped altogether, because for it to not start with a period (.), the match would have to go to the dash (-) following tx, but then it would not match because there is not a space or colon after the 4th \d+ match. What am 
Hey guys, I need some quick help creating a nested stats table and grouping by multiple values within that table. My data contains the following data points that I am trying to correlate / visualize: Client IP Address, Unique Hash ID, Unique Document ID, and the count that shows the number of times an IP Address accessed a Unique Hash ID and Doc ID.

An example data set is:

192.168.1.1 (client IP), abcdefg1 (hash 1), 12948 (DocID1), 129584 (DocID2), 1029384 (DocID3)
192.168.1.1 (Client IP), abcdefg2 (hash 2), 10294 (DocID 1)
192.168.1.5 (Client IP), abcdefg1 (hash1), 12948 (DocID1), 1029484 (DocID2)

I'm looking to create the following table to help visualize these relationships:

Client IP     Unique Hash   Document ID   Count
192.168.1.1   abcdefg1      12948         5
                            129584        10
                            1029384       15
              abcdefg2      12948         2
                            1029484       3
192.168.1.5   abcdefg1      12948         1
                            1029484       4

I've created nested tables before, but I'm really stumping myself on this one. Any advice?
Hi, good morning. I am working on concentrating security events in Splunk Cloud and I would like to add a dashboard related to the threats that exist in the security environment, such as issues with Red Hat, Oracle, payment tech companies, etc. I would like to know if you know of any way to make connections with sources like SANS, CVE Detail or even with Twitter accounts. Hope you can help me. Thanks!
Hello, I use the following grid structure to define source and destination filters in one of my dashboards. I would like to add a button to each panel to reset the content of the input text box; however, I am struggling to create the CSS code to align the link list input correctly. I would like to move them to the top-right corner of the wide input panels (the position is highlighted with a red box on the screenshot). Could someone please help me write the correct CSS code which would align the button correctly? I have added a run-anywhere dashboard with the CSS scripts included.

<form theme="dark">
  <label>Dashboard CSS Alignment Example</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel id="inputFilterFirstColumnRow1">
      <title>Filters</title>
      <html/>
    </panel>
    <panel id="inputFilterSecondColumnRow1">
      <input type="link" token="tokClearSrcFilter" searchWhenChanged="true" id="button_clear_src_filter">
        <label></label>
        <choice value="clear_src_filter">X</choice>
        <change>
          <condition value="clear_src_filter">
            <unset token="tokClearSrcFilter"></unset>
            <unset token="form.tokClearSrcFilter"></unset>
            <set token="tokSrcFilter">*</set>
            <set token="form.tokSrcFilter">*</set>
          </condition>
        </change>
      </input>
      <input type="text" token="tokSrcFilter" searchWhenChanged="true" id="wideInputBox_SourceFilter">
        <label>Source Filter</label>
        <default>*</default>
      </input>
    </panel>
    <panel id="inputFilterThirdColumnRow1">
      <input type="link" token="tokClearDestFilter" searchWhenChanged="true" id="button_clear_dest_filter">
        <label></label>
        <choice value="clear_dest_filter">X</choice>
        <change>
          <condition value="clear_dest_filter">
            <unset token="tokClearDestFilter"></unset>
            <unset token="form.tokClearDestFilter"></unset>
            <set token="tokDestFilter">*</set>
            <set token="form.tokDestFilter">*</set>
          </condition>
        </change>
      </input>
      <input type="text" token="tokDestFilter" searchWhenChanged="true" id="wideInputBox_DestinationFilter">
        <label>Destination Filter</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
    </panel>
  </row>
  <row depends="$alwaysHideCSSStyleOverride$">
    <panel>
      <html>
        <style>
          /* Wide text input box style. Use id="wideInputBox_unique_id" in the input header */
          div[id^="wideInputBox"] .splunk-textinput {
            min-width: 20vw !important;
            width: 40vw !important;
            max-width: 40vw !important;
            color: yellow;
          }
          div[id^="wideInputBox"] .splunk-textinput input[type="text"] {
            min-width: 20vw !important;
            width: 40vw !important;
            max-width: 40vw !important;
            color: yellow;
          }
        </style>
        <style>
          /* This section sets the width of the three columns of secondary filter panels - 10% - 45% - 45% */
          div[id^="inputFilterFirstColumn"]{ width:10% !important; }
          div[id^="inputFilterSecondColumn"]{ width:45% !important; }
          div[id^="inputFilterThirdColumn"]{ width:45% !important; }
        </style>
        <style>
          /* Clear Button positioned to the right side of the panel */
          div[id^="button_clear"]{
            width:20px !important;
            float: right;
          }
          div[id^="button_clear"] button[data-test="option"]{
            flex-grow: 0;
            border-radius: 2px;
            border-width: thin;
            border-color: lightgrey;
            border-style: inset;
            width: 20px;
            padding: 2px 2px;
          }
          div[id^="button_clear"] label{ display:none; }
          div[id^="button_clear"] span[data-test="label"]:hover{ }
          div[id^="panel"].fieldset{ padding: 0px; }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query> | makeresults | eval src=$tokSrcFilter|s$, dest = $tokDestFilter|s$ | table src, dest </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Regards
I'm trying to figure out the Search function to be able to look for a client. It doesn't return any logs when I put in two strings/words. My examples that don't return anything in the search function are as follows:

BigTechU and ERROR
BigTechU|ERROR
BigTechU; ERROR

Also, I don't know how to look for parts of dates in my query. I'm just trying to build a POC to use Splunk fully for our support system, but I'm new and struggling. Any help would be wonderful. Regards, JG
Hi Team, how do I hide columns in the table on the basis of multiselect choices? For example, I have options in a multiselect: Critical, High, Medium and Low. When I select High and Low from the multiselect, the Critical and Low columns should be hidden from the table. I only need to show the High and Low columns and their respective totals in the table. Please give me a solution for this. Thank you.
Hello, I use a one-hour span in my timechart, but I don't understand why a two-hour span is displayed on the timechart abscissa instead of one hour?

| timechart span=1h max(debut) as "Début de session", max(fin) as "Fin de session"

Thanks
Hello, I need help with a search that seems very easy, but I'm unable to achieve the results I want. The events are received on different days, but no more than 3 days, and the date is in the field event.Date. The date format is "yyyy-mm-ddT00:00:00". What I need is to search for all the events within the 3 days and then filter by the date. So I've tried the following search:

index=something daysago=3 | eval dayOfSearch = strftime(relative(now(), "-2d@d"), "%Y-%m-%dT%H:%M:%S") | search event.Date = dayOfSearch

It does not result in what I was expecting, but if I run the search replacing the variable dayOfSearch with the actual date, like "2021-09-05T00:00:00", it works. What am I doing wrong, or is there a better way to achieve these results? Thank you!
Hi folks, I'm trying to put together a dash that will help me find MISSING values. So I would like to put together a chart that has rows based on values from a CSV, even if the record has no value. So let's say the data are something simple like this:

06:25     foo
06:27     bar
06:27     foo
06:27     foo

And then I want an output that looks like this:

Label        count
bar             1
foo             3
blah            0

Notice that there is no "blah" row in my sample data. I would have a CSV with those three rows (in reality my file will have many rows). I've never used inputlookup for something like this, and I'm wondering if it is even possible. Any help is most welcome!
Hello community, I'm new to AppDynamics and I'm trying to instrument a simple app using the Python agent, but I'm having some issues in the process. The Agent Proxy is up, but not communicating or sending any data to the controller. I've validated that the settings in the configuration files are correct. The error messages (which continue in a loop) are shown below. One of the messages coming from the proxy agent is that Java isn't able to find jzmq, but I've verified it's actually properly installed on my system (macOS Big Sur 11.6 running on Apple Silicon M1). Is there a way in which I could direct the Java proxy agent to use the path (/usr/local/lib) that holds this library?

Exception in thread "main" java.lang.UnsatisfiedLinkError: no jzmq in java.library.path
ImportError: cannot import name 'constants' from partially initialized module 'appdynamics_bindeps.zmq.backend.cython' (most likely due to a circular import) (/private/tmp/appd/lib/cp39-cp39-1f01d87b92610d5ab8a368411361e151/site-packages/appdynamics_bindeps/zmq/backend/cython/__init__.py)
NameError: name 'appdynamics' is not defined

I'd appreciate any input on this matter, thanks in advance.

2021-09-28 18:25:18,733 [ERROR] appdynamics.agent <50988>: Exception in agent startup.
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/appdynamics/autoinject/sitecustomize.py", line 20, in <module>
    import appdynamics.agent
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/appdynamics/agent/__init__.py", line 137, in <module>
    from appdynamics.agent.core.agent import Agent
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/appdynamics/agent/core/agent.py", line 24, in <module>
    from appdynamics.agent.services.config import ConfigService
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/appdynamics/agent/services/config.py", line 15, in <module>
    from appdynamics.agent.core.transport import ConfigTransport
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/appdynamics/agent/core/transport.py", line 12, in <module>
    import appdynamics_bindeps.zmq as zmq
  File "/private/tmp/appd/lib/cp39-cp39-1f01d87b92610d5ab8a368411361e151/site-packages/appdynamics_bindeps/zmq/__init__.py", line 50, in <module>
    from appdynamics_bindeps.zmq import backend
  File "/private/tmp/appd/lib/cp39-cp39-1f01d87b92610d5ab8a368411361e151/site-packages/appdynamics_bindeps/zmq/backend/__init__.py", line 40, in <module>
    reraise(*exc_info)
  File "/private/tmp/appd/lib/cp39-cp39-1f01d87b92610d5ab8a368411361e151/site-packages/appdynamics_bindeps/zmq/utils/sixcerpt.py", line 34, in reraise
    raise value
  File "/private/tmp/appd/lib/cp39-cp39-1f01d87b92610d5ab8a368411361e151/site-packages/appdynamics_bindeps/zmq/backend/__init__.py", line 27, in <module>
    _ns = select_backend(first)
  File "/private/tmp/appd/lib/cp39-cp39-1f01d87b92610d5ab8a368411361e151/site-packages/appdynamics_bindeps/zmq/backend/select.py", line 28, in select_backend
    mod = __import__(name, fromlist=public_api)
  File "/private/tmp/appd/lib/cp39-cp39-1f01d87b92610d5ab8a368411361e151/site-packages/appdynamics_bindeps/zmq/backend/cython/__init__.py", line 6, in <module>
    from . import (constants, error, message, context,
ImportError: cannot import name 'constants' from partially initialized module 'appdynamics_bindeps.zmq.backend.cython' (most likely due to a circular import) (/private/tmp/appd/lib/cp39-cp39-1f01d87b92610d5ab8a368411361e151/site-packages/appdynamics_bindeps/zmq/backend/cython/__init__.py)
Error in sitecustomize; set PYTHONVERBOSE for traceback:
NameError: name 'appdynamics' is not defined
I have noticed this error coming up often and have searched everywhere to find out what it is and if there is a fix for it.

09-29-2021 05:41:07.533 -0500 ERROR ScopedAliveProcessToken [2371353 BundleLookupIndexingExecutorWorker-0] - Failed to remove alive token file='/opt/splunk/var/run/searchpeers/DFADFAB9-11E6-4297-97DF-9227BFECA4AE-1632912055/apps/live_edge/lookups/LiveEdge_FatalLogs.csv_1632911454.870215.cs.index.lock'. No such file or directory
source = /opt/splunk/var/log/splunk/splunkd.log
sourcetype = splunkd

How do I locate the missing index and fix such issues, please?
I run a search head cluster with Splunk Enterprise. Typically I update apps via the back-end CLI, but I am wondering if I can update via the GUI. My question is: does the GUI >> Manage Apps >> Find App >> Click "Update App to #.##" update the apps on all of my search heads or only on the one I am viewing? I've always been told to go through the CLI, so I have never attempted this. Thanks.
I am trying to figure out how to pull fields to show the exact count of numbers and letters in a result. For example, if I have the result 11tt3yyy1, I want the fields to show me that there are 4 numbers and 5 letters. Is there a way to do this? I have tried everything I can think of.
Dear All, kindly help me. I am getting an error where I find that all my splunkforwarders are missing, and it shows me they last connected to the indexers on 02/05/2021. What causes this? How can I fix this? Thank you in advance!!
Hello everyone, I hope you all are doing well. I have been tasked to update Splunk Enterprise to the 8.2.1 version and the forwarders to 8.1.4. Does anyone know if this upgrade is going to affect the compatibility for legacy systems? I am worried that RHEL 6 systems with 7.x versions will have issues. Just wondering if anyone has had this problem at all. Thank you!
Hello All, can anyone help me with this event injection in Splunk?

Sample data:

122.0.0.2 NOT_AVAILABLE abc Agent= 2021-09-27 11:15:39 5648 WARN xyz NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE
2021-09-27 11:16:08 5432 DEBUG Field: xyz - value: ID - unformatted value: vvcsa - formatted value: abcsc - returnType: - boost: 1 - append: False

Here it has to be two events with their respective date/time.
I am trying to upgrade many UFs & HFs to 8.2.2. Any issues to watch for? Also, what should be the order? Should the Splunk servers (instances) be upgraded first or last? Thanks a million.