All Topics

There are some keywords that cannot be searched after changing the App. Even more specific keywords within a specific field are not searchable. There is no problem with permissions, but do you know anything about it?
I want to onboard Azure sign-in logs to my Splunk. I installed the MS Azure add-on for Splunk on one HF and completed the authentication steps and app registration. Please suggest what's going wrong. I am getting the below error.

INFO pid=4495 tid=MainThread file=splunk_rest_client.py:_request_handler:105 | Use HTTP connection pooling
INFO pid=4495 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled!
ERROR pid=4495 tid=MainThread file=base_modinput.py:log_error:309 | _Splunk_ Unable to obtain access token
Hi, I want to add a text box in a dashboard panel, and the manual input value of that text box should be added to a new column in an already existing table. I understand that this can be done with a lookup to save the values, but I am not sure how to go ahead with it. This is the data format of the table I have, with sample data (the original data I have is confidential).

EMAIL              NAME         IP          ID (new column)
nish123@gmail.com  Nishanth     10.10.10.0
abc098@gmail.com   ABC          224.0.0.0
amit187@gmail.com  Amit Sharma  63.125.0.0

I want to add a text box to this panel whose values should be input into the ID column based on the unique value of EMAIL, and I want to save this table with the new values of ID. How can this be done? Any help would be appreciated. Thanks
Hi Splunk team, I would like to receive your dedicated help. I have a string field; the field's structure is name_timestamp. The name contains underscores between words, and after the name there is another underscore. Finally, there is a full date. For example: this_is_an_example_09_13_2021. My goal is to extract the name from this field. For this example, I would like to receive this_is_an_example. Is it possible? Thanks in advance!
Hi, We are receiving Cisco ACI System Messages via our syslog infrastructure. I have looked at the Cisco ACI Add-On to get the correct sourcetype and parsing, but nothing seems to match any of the patterns of the data. Example data:

2021-09-13T06:52:21.666000+02:00 ACI-xxxxx-APIC001 %LOG_-3-SYSTEM_MSG [F1547][raised_clearing][packets-dropped][major][dbgs/ac/svpcpath-115-116-to-167/fault-F1547] 100% of packets were received in excess during the last collection interval
2021-09-13T06:52:21.663000+02:00 ACI-xxxxx-APIC001 %LOG_-3-SYSTEM_MSG [F1545][raised][packets-dropped][major][dbgs/ac/dvpcpath-167-to-117-118/fault-F1545] 100% of packets were dropped during the last collection interval
2021-09-13T06:51:53.326000+02:00 ACI-xxxx-APIC001 %LOG_-3-SYSTEM_MSG [F1547][raised_clearing][packets-dropped][major][dbgs/ac/svpcpath-117-118-to-167/fault-F1547] 100% of packets were received in excess during the last collection interval

What sourcetype should this be? Is there an app for this? What am I missing here in my thinking?
So I'm trying to change a token when I click a button. Tried it like this:

require([
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function ($, mvc, TableView) {
    var tokens = mvc.Components.get('default');
    var sub_tok = mvc.Components.get("submitted");
    $(document).on("click", "#testbtn", function () {
        tokens.set("btnClick", "Click");
        sub_tok.set("btnClick", "Click");
    });
});

And like this:

require([
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function ($, mvc, TableView) {
    var tokens = mvc.Components.get('default');
    var sub_tok = mvc.Components.get("submitted");
    $("#testbtn").on("click", function () {
        tokens.set("btnClick", "Click");
        sub_tok.set("btnClick", "Click");
    });
});

But it's not working. When I try the code in jsFiddle it works as intended (leaving out the Splunk stuff). It's just a jQuery click event, so I don't know what I'm doing wrong. Furthermore, when I try the whole thing with a slider, it works.

require([
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function ($, mvc, TableView) {
    var tokens = mvc.Components.get('default');
    var sub_tok = mvc.Components.get("submitted");
    $("#slider-range").on("input change", function () {
        tokens.set("slider_value", $(this).val());
        sub_tok.set("slider_value", $(this).val());
    });
});

Here is the XML code:

<dashboard script="testscript.js" theme="dark">
  <label></label>
  <fieldset submitButton="false">
    <html>
      <label>Slider</label>
      <input type="range" id="slider_input" value="10" min="0" max="20" step="1"/>
      <button id="testbtn">ghfhfhfhfh</button>
    </html>
  </fieldset>
  <row>
    <panel>
      <title>$slider_value$____$btnClick$</title>
      <table>
        <search>
          <query>|makeresults | eval slider_value=$slider_value$</query>
          <earliest>-1h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

I hope there is a simple solution to this, and thanks in advance.
The error is  ;- ( Clustering: Peer Node The cluster peer is unable to handle request at this time. This means either the cluster peer unable to communicate w/ the cluster manager OR the cluster manager does not have <repFactor> peers added to the cluster. Check the cluster manager dashboard and/or manager_uri/secret settings.    
Hi @gcusello , Background: We tried to upgrade our existing environment (7.1.3) to a higher version, 8.1, but we were unable to do so because of some issue; we failed multiple times to upgrade our Indexer and also couldn't get much help from Splunk support. Present scenario: Instead of upgrading, we planned to install Splunk on new servers (Indexer & SH). We were able to do so, and luckily we were also able to map the Indexer and SH. Mainly we intend to build everything in Splunk from scratch (a replica of our existing Splunk environment). The next step I did was to find the hosts from which the indexes are getting data, but it's difficult to get all the indexes that are used by different apps (the number of dashboards is high). Is there any query to get the index(es) that are being used by different apps? Also, can you please guide me on how to achieve this (steps)? Regards, Rahul
I need to make a list of the default indexes assigned to each user role by default. Where do I look to edit the settings? I need to learn how to specify indexes for Splunk user roles, please. Thank you very much in advance.
Is there a security issue or problem if a saved search doesn't use an index name for searching? Should all saved searches use index names for searching? Thank you very much in advance.
I have not modified its settings. It worked once, and then it just broke down. It is installed on the Cluster Master server. Need your help, please.
Hello, please could you provide the integration steps for Kaspersky EDR Optimum and Kaspersky Sandbox with Splunk?
Hi all, I know it is possible to only show rows / panels if a token is set:

<row depends="$token$">

Is it possible to only show the row if the token has a specific value?

<row depends="$token$ == 1">

Thanks for any help
Hi all, I am new to Splunk. I want to learn Search Processing. Can anyone give me some examples of Search Processing queries? Like filtering by IP range, outbound communication, inbound communication by the public IP.
Hi there! I am trying to join an event table (E1) with a summary table (S1). S1 is just a summary table containing stats derived from the event table (E1). I am trying to accomplish this because I have to compare the stats to each event. The query runs smoothly but won't give me the correct stats. Whenever I run them separately, the results are correct, but when joined together as in the query below, it gives the wrong answer. For context, it gives bigger values for the stats. Hope anybody can help! Thank you in advance! Please see the query below.

index=test sourcetype=aws* earliest=-0.5d@d
| search source=*RDS* metric_name=AbortedClients
| bin span=5m _time
| stats count as DataCount by _time, metric_name
| table _time, metric_name, DataCount
| join left=L right=R where L.metric_name = R.metric_name
    [ | search source=*RDS* metric_name=AbortedClients
      | bin span=5m _time
      | stats count as DataCount by _time, metric_name
      | stats sum(DataCount) as TotalCount, avg(DataCount) as Average, stdev(DataCount) as StanDev, p25(DataCount) as P_25, p50(DataCount) as P_50, p75(DataCount) as P_75 by metric_name
      | eval IQR = P_75 - P_50
      | eval LB = P_25 - (IQR*1.5)
      | eval UB = P_75 + (IQR*1.5)
      | eval OneThres = Average + (2 * StanDev)
      | table metric_name, TotalCount, Average, StanDev, P_25, P_50, P_75, IQR, LB, UB, OneThres ]
Hi, I am trying to understand how indexes and sourcetypes are defined. Let's say I have an app with a web component and a database component. Should the web component and DB component be different indexes? And is the sourcetype a category within each index? Does Splunk automatically determine the sourcetype based on the data it ingested, or is this something that is done manually?
Hi all, I have multiple strings that are regexes, and I want to find logs that match these strings. This is an example of my regex:

(?i)union.*?select.*?from (?i:\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)

And when I write

index="xyz" | regex "(?i)union.*?select.*?from | (?i:\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)"

it didn't show the true result. How can I write it? Please help me.
I have the following events in the log. Although there are a lot of rows in it, I am interested in these rows only, and in extracting "time:" and anything after "subject:".

---
2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: RE: Hello this is first email
---
2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is second email
---
2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is third email
---

So I need to create a report like this:

Time                      Subject
2016 2021-09-11 11:01:19  RE: Hello this is first email
2016 2021-09-11 11:01:21  Re: Hello this is second email
2016 2021-09-11 11:01:22  Re: Hello this is third email

Thanks!
I want to anonymize one sourcetype before routing it to a 3rd-party system with syslog. What is the proper config for the props, transforms, and outputs config files? When I use SEDCMD in props.conf, all events (for me and the 3rd-party system) will be anonymized, and when I use REGEX in transforms.conf for anonymizing, I can't route events to another system in the same transform stanza because the FORMAT field should be used with the _raw value.
I have the below test raw logs:

CEF:0|Forcepoint|Forcepoint DLP|8.8.0|55564097|DLP Syslog|2| act=Permitted duser=destuser@gmail.com fname=testfile.PDF.TXT - 11.01 KB msg=EndPoint Operation suser=User, Test cat=Test Category sourceServiceName=Endpoint Printing analyzedBy=Policy Engine testengine loginName=testuser1 sourceIp=N/A severityType=LOW sourceHost=testhost productVersion=8.0 maxMatches=0 timeStamp=2021-09-01 15:58:50.624 destinationHosts=N/A eventId=4762037341417287789
CEF:0|Forcepoint|Forcepoint DLP|8.8.0|55564097|DLP Syslog|2| act=Permitted duser=destuser@gmail.com fname=testfile.PDF.TXT - 11.01 KB msg=EndPoint Operation suser=User, Test cat=Test Category sourceServiceName=Endpoint Printing analyzedBy=Policy Engine testengine loginName=domain\\testuser sourceIp=N/A severityType=LOW sourceHost=testhost productVersion=8.0 maxMatches=0 timeStamp=2021-09-02 15:58:50.624 destinationHosts=N/A eventId=4762037341417287788
CEF:0|Forcepoint|Forcepoint DLP|8.8.0|55564097|DLP Syslog|2| act=Permitted duser=destuser@gmail.com fname=testfile.PDF.TXT - 11.01 KB msg=EndPoint Operation suser=User, Test cat=Test Category sourceServiceName=Endpoint Printing analyzedBy=Policy Engine testengine loginName=tuser sourceIp=N/A severityType=LOW sourceHost=testhost productVersion=8.0 maxMatches=0 timeStamp=2021-09-04 15:58:50.624 destinationHosts=N/A eventId=4762037341417287787
CEF:0|Forcepoint|Forcepoint DLP|8.8.0|55564097|DLP Syslog|2| act=Permitted duser=destuser@gmail.com fname=testfile.PDF.TXT - 11.01 KB msg=EndPoint Operation suser=User, Test cat=Test Category sourceServiceName=Endpoint Printing analyzedBy=Policy Engine testengine loginName=N/A sourceIp=N/A severityType=LOW sourceHost=testhost productVersion=8.0 maxMatches=0 timeStamp=2021-09-03 15:58:50.624 destinationHosts=N/A eventId=4762037341417287786

I am trying to use rex to extract a field called loginName, in which the regex will capture all entries after the "loginName=" text.
I have tried ...| rex field=_raw "(loginName=)(?<loginName>[^\=]+)(?=\s)", but it does not capture all events. Please assist.