All Topics

Brand new to using the Universal Forwarder, and Splunk in general.   Question: When using the forwarder/monitor, the logs on the forwarding server are still kept locally, correct? They aren't removed/modified in any way?
Hi guys. I'm completely new to Splunk. Sorry if my question seems kinda stupid. I have some log data including a GUID. These are separated into two kinds: "error" and "times". Sometimes an error log has the same GUID as a times log. I need to count those duplicate GUIDs; for that reason I have to extract the GUIDs from their original field and compare them with each other. I managed to extract them with regex into two new fields. But now I'm looking for a way to compare every error GUID with every times GUID. Thanks for your help!
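An added SPL example (not part of the original post) of one way to do that comparison: pull both kinds of events into one search, normalise the GUID into a single field, and let stats find the GUIDs that occur in both kinds. The names index=app_logs, sourcetype=error, sourcetype=times and the extracted fields error_guid and times_guid are placeholders assumed for the example; substitute your own.

```spl
index=app_logs (sourcetype=error OR sourcetype=times)
| eval guid = lower(coalesce(error_guid, times_guid))
| eval kind = case(isnotnull(error_guid), "error", isnotnull(times_guid), "times")
| where isnotnull(guid)
| stats dc(kind) AS kinds, values(kind) AS seen_in, count AS events BY guid
| where kinds = 2
| stats count AS guids_in_both, sum(events) AS events_involved
```

Drop the final stats line to get the list of matched GUIDs instead of the total. lower() matters because Windows-style sources often emit the same GUID in upper case in one log and lower case in another, which would otherwise hide matches. The test is dc(kind) = 2 rather than count = 2 because a GUID can legitimately appear in several times events, so counting events would over-count.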
Running Splunk 8.1.4 and Splunk App for Windows Infrastructure 2.0.1. I tried to upgrade to 2.0.4 and after restarting the splunk service I get a 404 error when I try to access the app. Checking splunkd.log I see the following:

ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\customize_features.html: The system cannot find the path specified.
09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\guided_setup.html: The system cannot find the path specified.
09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\host_information.html: The system cannot find the path specified.
09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\infra_home.html: The system cannot find the path specified.
09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\lookup_builder.html: The system cannot find the path specified.
09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\lookup_migrator.html: The system cannot find the path specified.
09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\windows_host_inventory.html: The system cannot find the path specified.
09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\windows_perfmon.html: The system cannot find the path specified.

Checking the file system, the folder html is not present.
Could someone explain to me what is happening? Thanks a lot.
Hi All, I have a NodeJS application. I have configured the NodeJS app agent for the application and configured it successfully. Now I need my business transactions to be shown in the flow diagram of the application's main dashboard, but what I see is the node and other connectivity like the DB, etc. If I go to Tiers & Nodes I see the tier as NodeJS, as given during app agent installation, and the node as process-0, the same as given during installation. What should I do to get each business transaction to show as a node in the flow diagram? Please share with me some ideas or steps to work on. If not, please share some alternatives. Thanks
Hi All, we are using a hybrid mobile application that runs in a Web View and communicates through REST APIs on both iOS and Android. Which is the best way to install a mobile agent: through the SDK or through JavaScript? If both are possible, what are the benefits of the SDK and of JavaScript? Thanks
^ Edited by @Ryan.Paredez for improved clarity
Hi all. Background is I have recently acquired a JSON feed via Kafka, but the schema was developed with other uses in mind so it's not working particularly well for our logging requirements. For some reason the event type is being used as a key name. It annoys me greatly as there's no way to run a search for a specific event type. It's also playing havoc with extractions, as the full path to the required value needs to be known but cannot be in a search, since the event type can change. We can get the values if we know a specific event type (e.g. Eventtype4.request.someKey), however it's very difficult to return the same value when the specific event type is unknown (e.g. *.request.someKey). The second issue is that all event types are present in the event, but all but one have a null value. This can get very messy when there could be several hundred types of events... I have tried stripping the first level and extracting the name of a key that has a non-null value, but nothing works particularly well. Any assistance will be appreciated.

{
  "Eventtype1": null,
  "Eventtype2": null,
  "Eventtype3": null,
  "Eventtype4": {
    "request": {
      "someKey": "helloworld",
      "anotherKey": "anothervalue"
    },
    "response": {
      "datachunk": "a few values here"
    }
  },
  "header": {
    "timestamp": 123456789012,
    "someid": "323abcd"
  }
}
Hello Splunkers, I am unable to make this trellis align and remove that scrolling. Can you please help me with this? I tried from my end, but was unable to. Below is my HTML for the same:

<panel depends="$alwaysHideCSS$">
  <html>
    <style>
      #si1 {
        width: 20% !important;
      }
    </style>
    <style>
      #si_viz1 .splunk-status-indicator {
        height: 100px !important;
        width: 120px !important;
        border-radius: 15px !important;
        float: left;
        padding: 15px 0px 0px 0px;
      }
    </style>
  </html>
</panel>
How can I automatically generate a file on an on-prem server from the results of a search query?
Hello everybody, I'm using an SPL query that extracts some values from a lookup and sends them to a web API via a POST request (for this I'm using the WebTools add-on). To send data formatted as specified in the API's Swagger, I'm using the Splunk command "tojson" to convert the SPL query results to JSON in my test instance. Since the tojson command is really new (props to Splunk for adding this!) and was introduced in 8.2, is there a way to do the same in previous Splunk versions?

Splunk query:

| inputlookup l2d.csv
| eventstats values(tp) as id
| table id, code
| tojson
<...curl using raw field from tojson>

JSON format expected and produced with the tojson command:

{"id":["id1","id2"],"code":"00001"}

Thank you for the attention, have a nice day,
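An added SPL example (not from the original post, and not how tojson itself is implemented) that builds the same document with eval string concatenation, which works on releases before 8.2. It reuses the lookup name l2d.csv and the fields tp and code from the question; the character whitelist and the spath round-trip check are additions. The hand-rolled version does no JSON escaping, so a lookup value containing a quote or backslash would either break the document or inject extra keys into the request body; the example refuses such rows instead of sending them.

```spl
| inputlookup l2d.csv
| eventstats values(tp) AS id
| table id, code
| eval id_ok = mvcount(mvfilter(match(id, "^[A-Za-z0-9_.-]+$")))
| where id_ok = mvcount(id) AND match(code, "^[A-Za-z0-9_.-]+$")
| eval id_json = "[\"" . mvjoin(id, "\",\"") . "\"]"
| eval raw = "{\"id\":" . id_json . ",\"code\":\"" . code . "\"}"
| eval roundtrip_code = spath(raw, "code")
| where roundtrip_code = code
| fields raw
```

For the lookup in the question this yields raw = {"id":["id1","id2"],"code":"00001"}, the same string tojson produces. The two where clauses are the safety net: the first drops any row whose id or code contains characters outside the whitelist (a null result from mvfilter also fails the comparison, so the filter fails closed), and the second parses the assembled string back with spath and drops rows that do not round-trip, so only syntactically valid JSON reaches the curl step. Like values(), this dedups and sorts the id list; if you need the original order use list() instead.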
After I successfully installed Splunk Enterprise on my Oracle VBox, I got a message that says: "The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch". Then I used the sudo du -sh /opt command and found that the /opt directory occupies 3.8G (less than 5.0G), even though I allocated 40G to the machine in total!! My question is how to increase the disk space given to the /opt directory? PS: The health status of IOWait under Resource Usage is RED!!
Hi, I have different sourcetypes (A, B, C, D). Each sourcetype has a field "Status" with the values True, False, Error and Not available. I need a table structured like the one below:

Sourcetypes | True                | False               | False %              | False% (sparkline)
A           | count (current day) | count (current day) | False% (current day) | sparkline for a week time span
B           | count (current day) | count (current day) | False% (current day) | sparkline for a week time span
C           | count (current day) | count (current day) | False% (current day) | sparkline for a week time span

Please help me with the search for this.
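An added SPL example (not from the original post) of one way to build that table: search the whole week so the sparkline has seven daily buckets, but count only today's events for the numeric columns by turning each condition into a 0/1 flag and summing the flags. The index name myapp is a placeholder; the sourcetype and Status values are those named in the question. False % is defined here as today's False events divided by all of today's events for that sourcetype (Error and Not available included in the denominator), and the sparkline uses the same definition per day.

```spl
index=myapp (sourcetype=A OR sourcetype=B OR sourcetype=C OR sourcetype=D) earliest=-6d@d latest=now
| eval is_true  = if(Status="True", 1, 0)
| eval is_false = if(Status="False", 1, 0)
| eval is_today = if(_time >= relative_time(now(), "@d"), 1, 0)
| eval false_pct_unit = is_false * 100
| stats sum(eval(is_true * is_today)) AS "True",
        sum(eval(is_false * is_today)) AS "False",
        sum(is_today) AS today_total,
        sparkline(avg(false_pct_unit), 1d) AS "False% (sparkline)"
        BY sourcetype
| eval false_pct = if(today_total > 0, round('False' / today_total * 100, 2), 0)
| fields - today_total
| rename sourcetype AS Sourcetypes, false_pct AS "False %"
| table Sourcetypes, "True", "False", "False %", "False% (sparkline)"
```

Because the whole week is scanned, each sourcetype shows up even on a day with no events yet (the counts are then 0 rather than the row being missing). If False % should instead be False divided by True + False only, change today_total to sum(eval((is_true + is_false) * is_today)) and the sparkline to average is_false over only those events, otherwise the two columns will disagree.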
Hi All, we have lots of dashboards, of which a few are visited by users and some are not. We want to delete those dashboards that have not been seen by any user for a long time. How do I find the last timestamp at which a user viewed each dashboard? I have tried the search below, but it is not giving the last visited timestamp.

index="_internal" user!="-" sourcetype=splunkd_ui_access
| rex field=uri "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"
| search dashboard!="search" dashboard!="home" dashboard!="alert" dashboard!="lookup_edit" dashboard!="@go" dashboard!="data_lab" dashboard!="dataset" dashboard!="datasets" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report"
| stats count by app dashboard user
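An added SPL example (not from the original post) that gets the last-viewed time with latest(_time) and, more importantly for a clean-up, lists the dashboards that have no view at all. The access log only contains dashboards somebody opened, so a search over _internal alone can never show the never-visited ones; the example appends the list of existing dashboards from the REST endpoint data/ui/views and keeps only those. The locale is matched as [^/]+ instead of the hard-coded en-US from the question so that users on other locales are counted too. Field names on the REST endpoint (title, eai:acl.app, isDashboard, isVisible) are standard; everything else is as in the question.

```spl
index=_internal sourcetype=splunkd_ui_access user!="-"
| rex field=uri "^/[^/]+/app/(?<app>[^/]+)/(?<dashboard>[^/?\s]+)"
| where isnotnull(dashboard)
| stats latest(_time) AS last_viewed, dc(user) AS viewers, count AS views BY app, dashboard
| append
    [| rest /servicesNS/-/-/data/ui/views splunk_server=local
     | search isDashboard=1 isVisible=1
     | rename title AS dashboard, eai:acl.app AS app
     | eval exists = 1
     | table app, dashboard, exists ]
| stats max(last_viewed) AS last_viewed, sum(views) AS views, max(viewers) AS viewers, max(exists) AS exists BY app, dashboard
| where exists = 1
| fillnull value=0 views viewers
| eval last_viewed = if(last_viewed > 0, strftime(last_viewed, "%Y-%m-%d %H:%M:%S"), "never within _internal retention")
| sort views, app, dashboard
```

Rows with views = 0 sort to the top and are the deletion candidates. Three caveats before acting on the list: run it as a role that can read every app's views, otherwise the REST call silently omits dashboards you cannot see and they drop out of the result; _internal is kept for 30 days by default, so "never" means "not in the retained window", and the time picker should cover that whole window; and the exists filter also discards access-log rows for non-dashboard pages (search, datasets, deleted views), which is why the long dashboard!= exclusion list from the question is no longer needed.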
Hi, actually I am trying to send data to HEC in Splunk, where our Splunk is mapped to a DNS name, but I am facing an issue while trying with the curl command.

curl -k https://<dns>:8088/services/collector/event -H "Authorization: Splunk <token>" -d "{\"sourcetype\": \"_json\", \"event\": \"helloworld\"}"

curl: (7) Failed to connect to splunk-dev.accuknox.com port 8088: Timed out

Can anyone help me?
Splunk UBA search head is down. Even after restarting the UI services, the status is shown as active in the CLI but the GUI is not available. Commands used to stop/start the UI service:

sudo service caspida-ui stop
sudo service caspida-ui start

Status when checked in the CLI:

● caspida-ui.service
Loaded: loaded (/etc/init.d/caspida-ui; bad; vendor preset: enabled)
Active: active (exited) since Fri 2021-09-03 05:53:12 UTC; 6min ago

I also tried rebooting the VM, but it doesn't help. Can I please get a suggestion on how to fix this?
We are using DB Connect with the jTDS driver. When we enable the connection in DB Connect we see the below script in SQL Diagnostic Manager every 30 mins:

SELECT @@MAX_PRECISION
SET TRANSACTION ISOLATION LEVEL READ COMMITTED
SET IMPLICIT_TRANSACTIONS OFF
SET QUOTED_IDENTIFIER ON
SET TEXTSIZE 214######

May we know what the use of this is? Can we get rid of it, or at least change the frequency to every hour instead? In addition, we are seeing a sleeping session in SQL Diagnostic Manager. Is this usual, or is there a way to complete the session after the SQL script runs from DB Connect? We are just getting the data from the database on demand, but after triggering the dbxquery the sleeping session occurs. Please advise.
I'm unable to use the Validate & Package function of Add-on Builder. When I run it, it says 'preparing validation' and then nothing, just empty white results. All I can do is press the validate button again with the same result. I've tried with other apps in Add-on Builder with the same results. I have a local instance of Splunk Enterprise running. Fresh install, so v8.2.2, and Add-on Builder is on 4.0.0. I did catch a notification in messages:

Unable to initialize modular input "validation_mi" defined in the app "splunk_app_addon-builder": Introspecting scheme=validation_mi: script running failed (exited with code 1).

I don't know what this means or how to fix it. Any ideas?
Hi, I need to calculate the average response time in seconds for my application. The query I am using:

index="prod*_ping*" source="*splunk-audit.log" "event=SSO" connectionid=* | stats avg(responsetime) as AvgRespTimeInSec by connectionid

In connectionid I will get the application details. Please let me know whether my query is correct for calculating the average response time in seconds.

Regards,
Madhusri R
Hi, I am trying to list the different ways to collect Active Directory data in Splunk. Unless I am mistaken, there are 2 main ways to do that:
- using the Splunk Supporting Add-on for Active Directory: https://splunkbase.splunk.com/app/1151/
- using the splunk-admon.exe process
Is that true? What are the advantages and disadvantages of these solutions, please? Is it also possible to install a connector between Splunk and AD in order to store the AD events in a KV Store? Thanks in advance
After building a project/add-on based on the standard naming convention of Splunk, I am facing the issue where I have to remove the prefix set by the app. Renaming it via Add-on Builder fails, and renaming it outside of the app breaks the whole app, as it runs based on complex scripts within. Any guidance will be helpful.