Hi, I'm relatively new to Splunk, and am looking for some experiences and advice. A company I work for currently has a large (2TB index volume/day) on-prem deployment. It is going to be moved to the cloud at some point, and I am trying to get an overview of our three options, which are to either deploy in Azure, AWS, or purchase Splunk Cloud (business reasons). A hybrid solution may be an alternative as well. We are at a very early stage, and we will involve Splunk at some point. Right now I'm just trying to get a sense of which aspects we need to consider and where to start looking for information. Has anybody done any assessments of one or more of these alternatives, or perhaps moved their on-prem deployment to one of these clouds? Any main pros/cons, things to think about etc.? Any good source of information is highly appreciated. Thanks in advance!
Hello people, I'm very new to Splunk and I'm trying to create a dashboard with the "Statistics Table" visualisation that is more compact and takes up less space than what was there before. In order to achieve this, I'm concatenating several strings from different fields, kind of like this:

| eval compactfield="1. ".field1." 2. ".field2." 3. ".field3

and while that looks fine and works, it'd be great if I could add some kind of color tag (or maybe even bold, italic and so on) so that there'd be a different color for each line, making it easier to differentiate for people looking at the dashboard. I'm imagining something like this:

| eval compactfield="<col="blue">1. ".field1." </col><col="red">2. ".field2." </col><col="purple">3. ".field3."</col>"

Is there a way to achieve this? I'm really sorry if this question has been asked before, but I couldn't find anything. Thanks for your time, Cyd
We are currently wanting to ingest logs from Azure China into Splunk, while it seems this app only supports public Azure and government Azure. Are there any changes that need to be made to support Azure China? Thanks
Hello everyone, I need help. We have trouble in our Splunk cluster and I want to find out and investigate whether this is bad for our system and what the effects will be. Please help me out.
Hi, based on my understanding from the Splunk guide, https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Configurecorrelationsearches, I just need to add the notable under adaptive response. I did. However, when I try a failed login, the number of notable events shown in the Incident Review dashboard is 0. But when I run the SPL I embedded in my correlation search, the SPL can fetch all the failed logins that I tried.
Hello, I have some issues writing PROPS configuration for an XML source file. Sample XML events (2 events) are given below. Any help will be highly appreciated. Thank you so much.

TIME_PREFIX=
TIME_FORMAT=
LINE_BREAKER=

--------------------------------

<a2ETraceEvent xmlns=http://schemas.test.com/2014/06/a2ETraceEvent>
    <System xmlns=http://schemas.test.com/2014/08/windows/events/systems>
        <EventID>0</EventID>
        <Type>3</Type>
        <SubType Name="Error">0</SubType>
        <Level>2</Level>
        <TimeCreated SystemTime="2021-07-20T04:00:53.4370283Z" />
        <Source Name="ATech.Notifications" />
        <Correlation ActivityID="{975c26b1-7acd-4ea0-8ad6-d7be1358e5fc}" />
        <Execution ProcessName="ATech.JobFramework.Job" ProcessID="292132" ThreadID="1" />
        <AssemblyVersion>6.4.10100.1051</AssemblyVersion>
        <Channel />
        <Computer>XVL0SMEMAPPAGR14</Computer>
    </System>
    <ApplicationData>
        <TraceData>
            <DataItem>
                <TraceRecord Severity="Error" xmlns=http://schemas.test.com/2014/10/a2ETraceEvent/TraceRecord>
                    <TraceIdentifier>ATech.Notifications</TraceIdentifier>
                    <Description>Error sending the email message generated for notification template 'Employee Training - ' with id = '12552'.</Description>
                    <AppDomain>ATech.JobFramework.Job.exe</AppDomain>
                    <Exception>
                        <ExceptionType>ATech.Common.Exceptions.SendEmailNotificationException, ATech.Common, Version=6.4.10100.1051, Culture=neutral, PublicKeyToken=null</ExceptionType>
                        <Message>Error sending the email message generated for notification template 'Employee Training - with id = '12552'.</Message>
                        <Source />
                        <ContextData>
                            <Resolution>Please verify that the server configured in the ECPSA is reachable.
For further support, please contact your system administrator.</Resolution>
                            <ServerAddress>Changeit-mail-relay</ServerAddress>
                        </ContextData>
                        <StackTrace />
                        <InnerException>
                            <ExceptionType>System.Net.Mail.SmtpException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934a19</ExceptionType>
                            <Message>Failure sending mail.</Message>
                            <Source>System</Source>
                            <StackTrace>   at System.Net.Mail.SmtpClient.Send(MailMessage message)
   at ATech.Notifications.Providers.Mail.DefaultSmtpProvider.Send(MailMessage mailMessage, Notification notification)</StackTrace>
                            <InnerException>
                                <ExceptionType>System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=c77a52161934e08</ExceptionType>
                                <Message>The remote name could not be resolved</Message>
                                <Source>System</Source>
                                <StackTrace>   at System.Net.Mail.SmtpConnection.GetConnection(ServicePoint servicePoint)
   at System.Net.Mail.SmtpClient.GetConnection()
   at System.Net.Mail.SmtpClient.Send(MailMessage message)</StackTrace>
                            </InnerException>
                        </InnerException>
                    </Exception>
                </TraceRecord>
            </DataItem>
        </TraceData>
    </ApplicationData>
</a2ETraceEvent>
<a2ETraceEvent xmlns=http://schemas.test.com/2014/06/a2ETraceEvent>
    <System xmlns=http://schemas.test.com/2014/08/windows/events/systems>
        <EventID>1</EventID>
        <Type>3</Type>
        <SubType Name="Error">2</SubType>
        <Level>1</Level>
        <TimeCreated SystemTime="2021-07-20T04:00:54.4370283Z" />
        <Source Name="ATech.Notifications" />
        <Correlation ActivityID="{875c26b1-7acd-2ea0-8ad6-d7be1358e5f1}" />
        <Execution ProcessName="ATech.JobFramework.Job" ProcessID="122132" ThreadID="1" />
        <AssemblyVersion>6.4.10101.1061</AssemblyVersion>
        <Channel />
        <Computer>XVL0SMEMAPPAGR14</Computer>
    </System>
    <ApplicationData>
        <TraceData>
            <DataItem>
                <TraceRecord Severity="Error" xmlns=http://schemas.test.com/2014/10/a2ETraceEvent/TraceRecord>
                    <TraceIdentifier>ATech.Notifications</TraceIdentifier>
                    <Description>Error sending the email message generated for notification template 'Employee Training - ' with id = '237521.</Description>
                    <AppDomain>ATech.JobFramework.Job.exe</AppDomain>
                    <Exception>
                        <ExceptionType>ATech.Common.Exceptions.SendEmailNotificationException, ATech.Common, Version=6.4.10100.1051, Culture=neutral, PublicKeyToken=null</ExceptionType>
                        <Message>Error sending the email message generated for notification template 'Employee Training - with id = '237521'.</Message>
                        <Source />
                        <ContextData>
                            <Resolution>Please verify that the server configured in the ECPSA is reachable.
For further support, please contact your system administrator.</Resolution>
                            <ServerAddress>Changeit-mail-relay</ServerAddress>
                        </ContextData>
                        <StackTrace />
                        <InnerException>
                            <ExceptionType>System.Net.Mail.SmtpException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=g77a5c561944t16</ExceptionType>
                            <Message>Failure sending mail.</Message>
                            <Source>System</Source>
                            <StackTrace>   at ATech.Notifications.Providers.Mail.DefaultSmtpProvider.Send(MailMessage mailMessage, Notification notification)</StackTrace>
                            <InnerException>
                                <ExceptionType>System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=c77c52161934r19</ExceptionType>
                                <Message>The remote name could not be resolved</Message>
                                <Source>System</Source>
                                <StackTrace>   at System.Net.ServicePoint.GetConnection(PooledStream PooledStream, Object owner, Boolean async, IPAddress&amp; address, Socket&amp; abortSocket, Socket&amp;)
   at System.Net.Mail.SmtpConnection.GetConnection(ServicePoint servicePoint)
   at System.Net.Mail.SmtpClient.GetConnection()
   at System.Net.Mail.SmtpClient.Send(MailMessage message)</StackTrace>
                            </InnerException>
                        </InnerException>
                    </Exception>
                </TraceRecord>
            </DataItem>
        </TraceData>
    </ApplicationData>
</a2ETraceEvent>
Hello, I am trying to make a dashboard that takes the time from reports of jobs. That time is not the same as the time in Splunk. So the problem is that a time picker like "last 7 days" shows more than 7 days and the first and last days are not complete. That is a problem that I can't fix in the search code itself, I think. Code:

| eval NewTime=strptime(StartDateTZ,"%Y-%m-%d %H:%M:%S")
| eval _time=NewTime
| timechart span=1d@d count by TestName limit=0
Hello support, I'm planning to use edit_tcp to send data for indexing to a REST endpoint in Splunk (no need to use a forwarder). My questions:
- Is it possible to send data to a specific index, or by default will it send to all indexes?
- Is it possible to restrict sending data to only one index?
Thank you.
The name of each dashboard in the browser tab is merely "Dashboard". How do I configure a custom name? I would expect the default name for the tab to be the dashboard name, like in the XML dashboards.
I have this result response[sample]:

"{\"meta\":{\"code\":400}},[Content-Type:\"application/json\", Transfer-Encoding:\"chunked\", Date:\"Mon, 13 Sep 2021 17:25:12 GMT\", Keep-Alive:\"timeout=60\", Connection:\"keep-alive\"]"

I want the value of the field code to be extracted. I tried first to extract the JSON out of this string "{\"meta\":{\"code\":400}},' but it looks like I don't need to do that because I just want the value of the field code. I tried the below but got stuck trying to remove "/". It would be nice to extract the JSON and get the code value, but just getting the field code from the above will also suffice.

| eval responseJson0 = replace(responseJson,"\/", "")
| eval responseJson1 = replace(responseJson,"<", "")
| eval responseJson2 = replace(responseJson1,">", "")
| eval responseJson3 = replace(responseJson2,"200,", "")
Hello, I am trying to build a chart based on 3 fields: 2 calculated fields and a simple one:

| query="select OPEN_FY, OPEN_QUARTER, CLOSURE_FY, VULNERABILITY_LIFECYCLE, SOURCE, LAYER from table
| [evaluate] DETECTION_TIME=if((OPEN_FY="21/22" AND OPEN_QUARTER ="Q2"),"new" , "old")
| [evaluate] SOURCE=if((SOURCE!="QUALYS-P"), "Confirmed", "Potential")
| chart count(DETECTION_TIME) by SOURCE over(LAYER)

The last line won't work. I would need to see the total number of vulnerabilities by source, by detection time and by layer. Is that possible? Thanks
What am I missing here? So we have the MSCS TA installed and the data from an Azure Storage Account is being ingested into Splunk as the `mscs:vm:metrics` sourcetype. The `CounterName` field has several metric names present, so that side looks good. I have looked high and low for preconfigured searches and dashboards for said sourcetype but to no avail. There is no Content Pack (yet?) in the ITSI app for Azure, and SIM is cloud only. We are running on-prem only. So: one cannot do any dashboards for Azure VM metrics without SIM and the paid-for ITSI app?
Hello, I have a requirement to find the rolling average and variance % as per the requirement below. If there is no event for any date then we should have 0 events for that missing date so that we have continuous dates in our report. The "7d Rolling average Daily Event Count" column is the average count of events ingested each day for the last 7 days NOT including today (yesterday through the previous 6 days). "Variance" is the difference in count of events between today's event count and the 7d rolling average (today's event count minus the 7d rolling average event count). "% Variance" is the percentage difference between today's event count and the 7d rolling average (Variance divided by 7d rolling average). "average Daily Variance" is the absolute value of the 7d rolling average of the % Variance values, not including today (yesterday through the previous 6 days).

Example:

data source   Last event time   Event Count   7d rolling average event count   Variance   % Variance   average Daily Variance
test          9/3/2021          2957          2060                             897        44%          24%
test          9/2/2021          1438          2064                             -626       -30%         24%
test          9/1/2021          2906          2055                             851        41%          23%
test          8/31/2021         2753          2036                             718        35%          22%
test          8/30/2021         2131          2036                             95         5%           22%
test          8/29/2021         2235          2010                             225        11%          23%
test          8/28/2021         3126          1961                             1165       59%          21%
test          8/27/2021         2785          1931                             854        44%          20%
test          8/26/2021         1331          1939                             -608       -31%         20%
test          8/25/2021         1685          1950                             -265       -14%         20%
test          8/24/2021         1426          1984                             -558       -28%         20%
test          8/23/2021         1939          1965                             -26        -1%          21%
test          8/22/2021         2467          1966                             501        25%          20%
test          8/21/2021         1482          2010                             -528       -26%         20%
test          8/20/2021         2026          2016                             10         0%           20%

Thanks for your help in advance.
Hi there, I want to be able to allow a dashboard of my app to read the hostname stored in inputs.conf, which is provided by the user when setting up the app. Specifically, I have a button on one of my app's dashboards which links to the hostname URL the user enters. However, I'm not sure how the dashboard can read the hostname so that the button can be dynamically populated with a different hostname. Here is how I store the hostname in inputs.conf. Once setup is done, HOST can be filled in properly.

[modinput://input]
API_KEY =
HOST =
interval = 600

Thank you in advance!
Need help with an SPL to create a search for this, please: /opt/splunk/etc/apps/meta_woot/lookups/meta_woot_server_guid.csv. I am told, per the Meta Woot! app, that running this search will enable the Meta Woot! app, which is not running. When I open the app I get "No Data Found". Thank you very much in advance.
Hello, what is the best way to get data from dynamoDB to Splunk?
Hello together, I have a CSV file which looks like this:

"Time";"Comment"
"15:53:21";"Here stands something \"very\" interesting"

I have nested quotes in the column "Comment". That's why I have to escape them by using the "\". This is what I want to have as output:

"Time";"Comment"
"15:53:21";"Here stands something "very" interesting"

What I have tried so far is to use auto_escaped as KV_MODE, which can be found in Add Data --> Select Source --> Set Source Type --> Advanced. But without success. The escape character is still there. I would appreciate any helpful hints.
When trying to connect to the Splunk SDK, Python throws me this error: [Errno 11001] getaddrinfo failed

My code:

import splunklib.client as client

HOST = "localhost:"
PORT = 8000
USERNAME = "username"
PASSWORD = "password"

# Create a Service instance and log in
service = client.connect(
    host=HOST,
    port=PORT,
    username=USERNAME,
    password=PASSWORD)

The error traceback is as follows:

  File "Z:\BD_PROJ\Studenten_Trainees\BI Team\Eichberger_Sowa\00_NLP_Eichberger\99_Misc\.spyder-py3\NLP_GIT_online\untitled0.py", line 33, in <module>
    service = client.connect(
  File "C:\Users\eichberj\Test\lib\site-packages\splunklib\client.py", line 331, in connect
    s.login()
  File "C:\Users\eichberj\Test\lib\site-packages\splunklib\binding.py", line 883, in login
    response = self.http.post(
  File "C:\Users\eichberj\Test\lib\site-packages\splunklib\binding.py", line 1242, in post
    return self.request(url, message)
  File "C:\Users\eichberj\Test\lib\site-packages\splunklib\binding.py", line 1259, in request
    response = self.handler(url, message, **kwargs)
  File "C:\Users\eichberj\Test\lib\site-packages\splunklib\binding.py", line 1399, in request
    connection.request(method, path, body, head)
  File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1255, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1301, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1250, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1010, in _send_output
    self.send(msg)
  File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 950, in send
    self.connect()
  File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1417, in connect
    super().connect()
  File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 921, in connect
    self.sock = self._create_connection(
  File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\socket.py", line 822, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
  File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\socket.py", line 953, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
Hi, we use Splunk Enterprise in our company and I am currently implementing remote (cloud) logging in our iOS and Android apps for error logging purposes. I understand that Splunk used to have Splunk MINT for iOS but it is legacy now. Do you think there is a replacement for Splunk MINT for iOS? Or could you advise whether it is advisable to do mobile app logging to Splunk, please? Thanks.
Hi everyone, I'm trying to get a simple text from a raw event, but I can't make it work. The event looks like this: and my regex looks like this:

| rex field=_raw "Allow\s(?<GroupName>\w.+)\s+Enroll"

My issue is that I am only going to get a few of those groups, but not all... for example I will get the Domain Users but not the Enterprise Users, which is in the same raw file... Could someone please help me with this regex?