All Topics
Hello, I have the following sample event:

Q17CNB_L_0__20210630-235755_5828.html@^@^2021/06/30@^@^23:57:55@^@^ Q17CNB @^@^

I have the following rex command to extract the ID and DateTime fields from it:

rex "(?<ID>.{6}).*?@\^@\^(?<DateTime>\d\d\d\d\/\d\d\/\d\d@\^@\^\d\d:\d\d:\d\d)"

ID looked as expected, but I got the DateTime field as "2021/06/30@^@^23:57:55". Is there any way we can have the DateTime field like "2021/06/30 23:57:55", without the (@^@^), from this event? Thank you so much, I appreciate your support in these efforts.
I have a custom-developed modular input that was developed with an older version of the Add-on Builder app. The custom code itself has always been compatible with Python 3; however, I'm trying to get the app fully updated to be compatible with the most recent and upcoming versions of Splunk Enterprise and Cloud. To do that I'm trying to get past Splunk App certification.

When I attempt the App Pre-certification validation process in Add-on Builder 4.0.0, it gives me the following error:

Error App Precertification
Check that all the modular inputs defined in inputs.conf.spec are explicitly set the python.version to python3.
Modular input "example" is defined in README/inputs.conf.spec, python.version should be explicitly set to python3 under each stanza.
File: README/inputs.conf.spec Line Number: 3

However, I do have "python.version = python3" specified in the app's inputs.conf.spec file. No matter what I've tried, it keeps giving me the same error, but I can't find any more info on what might be wrong. Any insight or suggestion would be appreciated.
Howdy, I have searched through the settings and can't seem to find the parameter needed to disable the little circles in the new Line chart. What am I missing? The circles are quite jarring compared to what my dashboards used to look like. I can't imagine that they aren't configurable?

New chart:

Old chart:
I have a table where the first four columns include an icon. I want to have word wrap disabled. When I disable word wrap my icons disappear from the table. I can't seem to figure out what's going on with this. I tried expanding the table rows (width and height) to see if the icons were hiding, but that does not seem to be the case.

Screenshot of icons with word wrap enabled:

Screenshot of icons disappearing with word wrap disabled (preferred configuration):

Here is the code I am using:

icons.js

require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc, TableView) {
    var CustomRangeRenderer = TableView.BaseCellRenderer.extend({
        canRender: function(cell) {
            /* return cell.field; */
            return _(['Column1','Column2','Column3','Column4']).contains(cell.field);
        },
        render: function($td, cell) {
            var value = cell.value;
            if(value=="col1data") {
                $td.html("<div class='col1data'> </div>");
            } else if(value=="col2data") {
                $td.html("<div class='col2data'> </div>");
            } else if(value=="col3data") {
                $td.html("<div class='col3data'> </div>");
            } else if(value=="col4data") {
                $td.html("<div class='col4data'> </div>");
            }
        }
    });
    var sh = mvc.Components.get("table1");
    if(typeof(sh)!="undefined") {
        sh.getVisualization(function(tableView) {
            // Add custom cell renderer and force re-render
            tableView.table.addCellRenderer(new CustomRangeRenderer());
            tableView.table.render();
        });
    }
});

icons.css

#table1 .col1data {
    background-image: url('/static/app/testapp/images/col1.png') !important;
    background-repeat: no-repeat !important;
    background-size: 20px 20px !important;
    background-position: center !important;
    /* background-color: coral !important; */
}
#table1 .col2data {
    background-image: url('/static/app/testapp/images/col2.png') !important;
    background-repeat: no-repeat !important;
    background-size: 20px 20px !important;
    background-position: center !important;
}
#table1 .col3data {
    background-image: url('/static/app/testapp/images/col3.png') !important;
    background-repeat: no-repeat !important;
    background-size: 20px 20px !important;
    background-position: center !important;
}
#table1 .col4data {
    background-image: url('/static/app/testapp/images/col4.png') !important;
    background-repeat: no-repeat !important;
    background-size: 20px 20px !important;
    background-position: center !important;
}
Hi, I want to add a row total=0 in the below table. Can somebody suggest? The query used is:

index="monthend" source="Period End Tracker_6Sep'21.csv"
| rename "Activity Name" as Activity
| dedup Activity
| eval status_1=if(Activity=="Month End Closing for AP,AR & GL","Delay","On Track")
| stats count by status_1
Hi, I am using the below query to search all correlation IDs based on a search string and get the SOAPResponse using a map search, but this is returning partial search results. Does my query look good?

index=pivotal sourcetype=ApplicationTest "SearchString" CorrelationId="*"
| table CorrelationId
| map search="search index=pivotal sourcetype=ApplicationTest $CorrelationId$ SOAPResponse"

Thanks, Bhuvan.
I have a Splunk query that results in a table; while creating an alert it just sends the first row of the results, so we are missing the remaining results. In order to address this, I wanted to combine the results in one row or one message to be sent.

QUERY:

| inputlookup gtsnet.csv
| fields "dataset_name"
| search NOT [search index = asvdataintegration source=piedpiper sts_asvdataintegration_symphony_lambda_clewriter_events
    | search event.proc_stat_cd = "SCSS" AND event.evt_dtl.EventDesc = "workflow_found" AND event.module_response.requester = "_SUCCESS" AND event.s3_location = "*"s3://cof-data-*/"*"/lake/gtsnet*"*" AND "event.module_name"=LAMBDA
    | rename event.regrd_dataset_nm as dataset_name
    | table dataset_name
    | format]

Current Format:

Expected Format:
Hi Team, I want to transpose a few fields as below:

(index=abc OR index=def) category= * OR NOT blocked =0 AND NOT blocked =2
| rex field=index "(?<Local_Market>[^cita]\w.*?)_"
| stats count(Local_Market) as Blocked by Local_Market
| addcoltotals col=t labelfield=Local_Market label="Total"
| append [search (index=abc OR index=def) blocked =0
    | rex field=index "(?<Local_Market>\w.*?)_"
    | stats count as Detected by Local_Market
    | addcoltotals col=t labelfield=Local_Market label="Total"]
| stats values(*) as * by Local_Market
| transpose 0 header_field=Local_Market column_name=Local_Market

Here I want to add one column of date (eval Time=strftime(_time,"%m/%d/%y")) which should not be transposed:

date          Local_Market   Total   a   b   c
05-09-2021    INDIA          3       1   1   1
05-09-2021    UK             5       3   2   0
Hi, I have a saved search linked to an action of sending an email for each result. The saved search runs every 5 min. If I run the search manually I get 5 results, but surprisingly I don't get 5 emails. Instead I get a random number of emails each time, never 5.

Looking at the logs using the query

index=_internal source="C:\\Program Files\\Splunk\\var\\log\\splunk\\python.log" sendemail

I see many ERRORS like

ERROR sendemail:522 - (421, b'4.3.2 Service not active', 'XXXXXXXX') while sending mail to: XXX@yyy

I searched in Google without success for some hints to solve this issue. But when I manually connect to each node of the Exchange cluster using PuTTY, I manage to send emails without any issue. Any idea what I could check? Thanks!
Hi all! I would like to have only the results in orange and red until August. I don't want to show the September results; however, since I am running this query in September, September automatically appears. I think the problem is the time range, but I don't know how to fix this. Help please! This is my query:

index=events *....* earliest=-1y@y latest=+1y@y
| timechart span=1mon count by *...*
| timewrap y

This is the column chart that I'm getting:

Legend is:
Blue and green - results from 2020
Orange and red - results from 2021

Thanks a lot!
Hi Team, we built a dashboard with 20+ Single Value panels. We see a difference in the font size when a large count of results is displayed. For example, when the result count is 5 digits, the font size looks okay, but when the count is a 6-digit number the font size looks smaller for that panel and looks odd in the dashboard. Can you suggest a way forward to address this? We use Splunk Cloud Enterprise and the latest version of Splunk.
Hello Splunkers!

Sometimes my searches on the Splunk Enterprise Security Search Head run into the following error, (mostly) without any results; sometimes there are only a few results:

[idx1, idx4 ...] Streamed search execute failed because: Error in 'lookup' command: Failed to re-open lookup file: '/opt/splunk/var/run/searchpeers/splunksearchhead-1631016538/kvstore_s_SA-IdeRjww0FotymhlCIaS1cqkc05a_identix3UXVbINERGdyPwDBuI5US7E'.

Sometimes the searches work, sometimes they do not. There is also a "normal" Splunk Search Head, where the same search works all the time. If the error appears, also the Incident Review needs about

I already checked the bundle size of both Search Heads, and the ES bundle is about 800mb. The "normal" Search Head bundle is about 1,1gb.

Splunk Enterprise 8.2.1
Splunk Enterprise Security 6.6.0
Splunk Cluster with 2 sites, each site 8 idx.

I would greatly appreciate any help.
Response time for User Identifier for fsreqid: " + fsreqid + SIDKEY + sid + " is "+responseTime

Please help us out here. For the above query we need the average response time, which is in milliseconds.
Hello everyone, I have created a Splunk form which has some HTML form inputs to update a lookup for me. To get the values from the HTML form inputs I'm using JavaScript code, such as the one below:

require([
    "splunkjs/mvc",
    "jquery",
    "splunkjs/ready!",
    "splunkjs/mvc/simplexml/ready!"
], function(mvc, $){
    var tokens = mvc.Components.get("default");
    $('#addentry').on("click", function (e){
        var field1 = $("input[name=field1]").val();
        tokens.set("tok_add_field1", field1);
    });
});

Once the addentry button is clicked the token is filled by the JavaScript and a base search should run to update the value in a lookup. The problem is, after the token which the search needs is filled it still doesn't run (it runs if I go to Edit -> Source -> Cancel).

Search:

<search id="add_results">
    <query>
        | inputlookup example.csv
        | append [ makeresults | eval field1="$tok_add_field1$"]
        | outputlookup example.csv
    </query>
    <finalized>
        <set token="confirmation">Search executed!</set>
    </finalized>
</search>

Could someone please tell me what is missing in my search so that it is automatically executed once the tokens are filled? Thanks a lot!

Additionally: I have noticed that once a Splunk input is filled, adding "?" to the URL, the JavaScript will no longer update the tokens. Maybe a problem with the interaction between JS and the browser.
Hi, I have a requirement where my search displays the below result and the output is stored in a CSV. Now in another query I am inputting the CSV from the first search and trying to send an email for each field value of "email_ID" with a 20-line email body. I have tried the below query (without an email body, as I don't know how to insert a 20-line email body), but it is giving me an error. Also, please help me with how to insert a 20-line email body.

Search result:

email_ID        Head_ID
-----------------------------------
abc@abc.com     abc_head@abc.com
shri@abc.com    shri_head@abc.com
xyz@abc.com     xyz_head@abc.com

query:

| inputlookup email_ID.csv append=t
| fields email_ID Head_ID
| sendemail from="emailaddress@abc.com" to="$email_ID$" cc="$Head_ID$" subject="emailtest" sendresults=true inline=true

query error:

command="sendemail", {} while sending mail to:
I have JSON-formatted output, which according to jsonlint.com is valid JSON, but I am having problems extracting the data into relevant "fields" for indexing:

{
    "code": null,
    "msg": null,
    "success": true,
    "requestId": "XXX",
    "deviceSn": "XXX",
    "deviceId": "XXX",
    "deviceType": "INVERTER",
    "deviceState": 1,
    "dataList": [
        { "key": "SN1", "value": "XXX", "unit": null, "name": "SN" },
        { "key": "PM1", "value": "F6", "unit": null, "name": "Product Type" },
        { "key": "SS_CY1", "value": "G99", "unit": null, "name": "Production Compliance Country" },
        { "key": "P_CURVv1", "value": "0", "unit": null, "name": "Power Curve Version" },
        { "key": "Pr1", "value": "4000", "unit": "W", "name": "Rated Power" },
        { "key": "B_PTC1", "value": "1", "unit": null, "name": "Battery Protocol" },
        { "key": "PTCv1", "value": "0001", "unit": null, "name": "Protocol Version" },
        { "key": "HCIv1", "value": "0033", "unit": null, "name": "HMI Version" },
        { "key": "DSPv1", "value": "0022", "unit": null, "name": "DSP Version" },
        { "key": "DV1", "value": "290.30", "unit": "V", "name": "DC Voltage PV1" },
        { "key": "DV2", "value": "301.60", "unit": "V", "name": "DC Voltage PV2" },
        { "key": "DV3", "value": "0.00", "unit": "V", "name": "DC Voltage PV3" },
        { "key": "DV4", "value": "0.00", "unit": "V", "name": "DC Voltage PV4" },
        { "key": "DC1", "value": "8.00", "unit": "A", "name": "DC Current PV1" },
        { "key": "DC2", "value": "7.60", "unit": "A", "name": "DC Current PV2" },
        { "key": "DC3", "value": "0.00", "unit": "A", "name": "DC Current PV3" },
        { "key": "DC4", "value": "0.00", "unit": "A", "name": "DC Current PV4" },
        { "key": "DP1", "value": "2322.40", "unit": "W", "name": "DC Power PV1" },
        { "key": "DP2", "value": "2292.16", "unit": "W", "name": "DC Power PV2" },
        { "key": "DP3", "value": "0", "unit": "W", "name": "DC Power PV3" },
        { "key": "DP4", "value": "0", "unit": "W", "name": "DC Power PV4" },
        { "key": "AV1", "value": "238.60", "unit": "V", "name": "AC Voltage R/U/A" },
        { "key": "AV2", "value": "0.00", "unit": "V", "name": "AC Voltage S/V/B" },
        { "key": "AV3", "value": "0.00", "unit": "V", "name": "AC Voltage T/W/C" },
        { "key": "AC1", "value": "12.10", "unit": "A", "name": "AC Current R/U/A" },
        { "key": "AC2", "value": "0.00", "unit": "A", "name": "AC Current S/V/B" },
        { "key": "AC3", "value": "0.00", "unit": "A", "name": "AC Current T/W/C" },
        { "key": "APo_t1", "value": "4610", "unit": "W", "name": "Total AC Output Power (Active)" },
        { "key": "PI_AC", "value": "0.00", "unit": "A", "name": "Paralleling Inverter AC Current" },
        { "key": "PI_AV", "value": "0.00", "unit": "V", "name": "Paralleling Inverter AC Voltage" },
        { "key": "PI_p", "value": "0.00", "unit": "W", "name": "Paralleling Inverter Power" },
        { "key": "PI_CTS", "value": "0", "unit": null, "name": "Paralleling Inverter CT Test Switch" },
        { "key": "A_Fo1", "value": "50.04", "unit": "Hz", "name": "AC Output Frequency R" },
        { "key": "Eydy1", "value": "7.30", "unit": "kWh", "name": "Yesterday Production" },
        { "key": "Et_ge0", "value": "891.00", "unit": "kWh", "name": "Cumulative Production (Active)" },
        { "key": "Elast_mon1", "value": "728", "unit": "kWh", "name": "Production Last Month (Active)" },
        { "key": "Etdy_ge1", "value": "8.70", "unit": "kWh", "name": "Daily Production (Active)" },
        { "key": "Emon1", "value": "86", "unit": "kWh", "name": "Monthly Production (Active)" },
        { "key": "Eyr1", "value": "891", "unit": "kWh", "name": "Yearly Production (Active)" },
        { "key": "ST_PG1", "value": "Grid connected", "unit": null, "name": "Grid Status" },
        { "key": "PG_V1", "value": "239.60", "unit": "V", "name": "Grid Voltage R/U/A" },
        { "key": "PG_C1", "value": "1.92", "unit": "A", "name": "Grid Current R/U/A" },
        { "key": "PG_Pt1", "value": "210", "unit": "W", "name": "Total Grid Power" },
        { "key": "Q_PG1", "value": "655340", "unit": "Var", "name": "Total Grid Reactive Power" },
        { "key": "PG_PF1", "value": "1.00", "unit": null, "name": "Grid Power Factor" },
        { "key": "t_gc1", "value": "271", "unit": "kWh", "name": "Cumulative Grid Feed-in" },
        { "key": "Et_pu1", "value": "752", "unit": "kWh", "name": "Cumulative Energy Purchased" },
        { "key": "t_gc_tdy1", "value": "0.00", "unit": "kWh", "name": "Daily Grid Feed-in" },
        { "key": "Etdy_pu1", "value": "0.10", "unit": "kWh", "name": "Daily Energy Purchased" },
        { "key": "P_METER0", "value": "210", "unit": "W", "name": "Meter Power" },
        { "key": "Pgc1", "value": "213", "unit": "W", "name": "Grid-tied Power" },
        { "key": "Pog1", "value": "0", "unit": "W", "name": "Purchased Power" },
        { "key": "S_PGt1", "value": "2910", "unit": "VA", "name": "Total Grid Apparent Power" },
        { "key": "E_Puse_t1", "value": "2650", "unit": "W", "name": "Total Consumption Power" },
        { "key": "Et_use1", "value": "1371", "unit": "kWh", "name": "Cumulative Consumption" },
        { "key": "Eydy_ge1", "value": "57.10", "unit": "kWh", "name": "Yesterday Consumption" },
        { "key": "Etdy_use1", "value": "8.60", "unit": "kWh", "name": "Daily Consumption" },
        { "key": "B_ST1", "value": "Charging", "unit": null, "name": "Battery Status" },
        { "key": "B_V1", "value": "51.90", "unit": "V", "name": "Battery Voltage" },
        { "key": "B_C1", "value": "28.00", "unit": "A", "name": "Battery Current" },
        { "key": "B_left_cap1", "value": "96", "unit": "%", "name": "SoC" },
        { "key": "B_HLT_EXP1", "value": "100", "unit": "%", "name": "SoH" },
        { "key": "t_cg_n1", "value": "304", "unit": "kWh", "name": "Total Charging Energy" },
        { "key": "t_dcg_n1", "value": "301", "unit": "kWh", "name": "Total Discharging Energy" },
        { "key": "ydy_cg1", "value": "6.70", "unit": "kWh", "name": "Yesterday Charging Energy" },
        { "key": "ydy_dcg1", "value": "7.20", "unit": "kWh", "name": "Yesterday Discharging Energy" },
        { "key": "Etdy_cg1", "value": "5.40", "unit": "kWh", "name": "Daily Charging Energy" },
        { "key": "Etdy_dcg1", "value": "5.20", "unit": "kWh", "name": "Daily Discharging Energy" },
        { "key": "BMS_B_V1", "value": "51.14", "unit": "V", "name": "BMS Voltage" },
        { "key": "BMS_B_C1", "value": "27.80", "unit": "A", "name": "BMS Current" },
        { "key": "BMS_B_Ccg_thd1", "value": "29.60", "unit": "A", "name": "BMS Battery Current Limiting Charging" },
        { "key": "BMS_B_Cdcg_thd1", "value": "74.00", "unit": "A", "name": "BMS Battery Current Limiting Discharging" },
        { "key": "INV_T0", "value": "52.10", "unit": "℃", "name": "Temperature- Inverter" },
        { "key": "SYSTIM1", "value": "21-09-07 12:25:19", "unit": null, "name": "System Time" },
        { "key": "MODE_E_MNG1", "value": "35", "unit": null, "name": "Energy Management Mode" },
        { "key": "AVb1", "value": "238.70", "unit": "V", "name": "Bypass AC Voltage" },
        { "key": "Pb_lo1", "value": "20", "unit": "W", "name": "Bypass Load Power" }
    ]
}

For each key in the dataList, I'd like to parse it out into an indexable/reportable field, and, if I was really lucky, the extraction routine would use the name field from each key, e.g.:

"key": "DP3", "value": "0", "unit": "W", "name": "DC Power PV3"

I am reasonably comfortable with field extractions usually, and have searched various existing posts, but I don't seem to have come across a solution for this specific scenario. Any/all help really appreciated. Thanks
Can someone please help with the Splunk query for the below scenario: I want to extract the last IP address with a regular expression (regex) from an event which has one or more IP addresses.

If the event has one IP ---> then extract that IP
If the event has more than one IP ---> then extract the last IP

Thanks!
Hi All, I want to get a list of users using the Splunk API to get the data from Splunk. Can you please guide me on how we can do that?
Hi all, I have two indexes, and I want to check whether the data from one index (index=a) exists in the other index (index=b), and extract the matching data from index=b:

index=a
id
1
1
2
3
3

index=b
id,name1,name2
1,10,a1
1,9,a2
3,9,a1
4,10,a1
4,12,a2

I want the result:

id,name1,name2
1,10,a1
1,9,a2
3,9,a1

Does anyone have a good way to guide me? Thank you!
Hello! Is it possible to search a field value and then count it, for example first for the current week, and then add the count of the same search from the week before? Something like:

index=indexa action=allowed app=DNS dest="8.8.8.8" earliest=-14d latest=-7d
| eval flag="count1"
| append [search index=indexa action=allowed app=DNS dest="8.8.8.8" earliest=-7d latest=now() | eval flag="count2"]
| stats count(eval(flag="count1")) as count1 count(eval(flag="count2")) as count2
| eval count = count1+count2

Something in my use of earliest/latest doesn't seem to work. What am I doing wrong?