All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Topics

In handler 'savedsearch': Expecting different token

by in Alerting
‎09-06-2021 10:04 PM
‎09-06-2021 10:04 PM
In handler 'savedsearch': Expecting different token Above error pop while creating an alert. Is there any fix?
Labels

Regex for last IP Address

by in Splunk Search
‎09-06-2021 09:51 PM
‎09-06-2021 09:51 PM
Can someone please help with the Splunk query for the below scenario: I want to extract last IP address by a regular expression (regex) , for an event which has one or more IP addresses. If the eve... See more...
Can someone please help with the Splunk query for the below scenario: I want to extract last IP address by a regular expression (regex) , for an event which has one or more IP addresses. If the event has one IP ---> then extract that IP If the event has more than one IP ---> then extract the last IP Thanks!

Cluster Agent node name environment variable not found

by in Splunk AppDynamics
‎09-06-2021 09:01 PM
‎09-06-2021 09:01 PM
Hi Community, I provision cluster agent with auto instrument, cluster and nodes information is showing up correctly in the controller. In clusters Pods, Inventory and Events show the correct infor... See more...
Hi Community, I provision cluster agent with auto instrument, cluster and nodes information is showing up correctly in the controller. In clusters Pods, Inventory and Events show the correct information. But the application is not auto instrumentating and I found these error logs in cluster agent pods. Could you guide me on what the cluster agent looking for?  [ERROR]: 2021-09-07 03:45:21 - agentregistrationmodule.go:369 - Cluster Agent node name environment variable not found
Labels

Phantom - McAfee ATD

by in Splunk SOAR
‎09-06-2021 08:00 PM
‎09-06-2021 08:00 PM
I am trying to integrate McAfee ATD app in Phantom. I get the following error when I try to test the connectivity. Firewall burns are complete and when I test the connectivity in the backend its work... See more...
I am trying to integrate McAfee ATD app in Phantom. I get the following error when I try to test the connectivity. Firewall burns are complete and when I test the connectivity in the backend its working fine, Any suggestions ?  

inputlookup field help

by in Splunk Search
‎09-06-2021 06:42 PM
‎09-06-2021 06:42 PM
My index has client_ip. However, I want to use the client_ip that exists in the user_ip.csv field. index="my_index" [ | inputlookup user_ip.csv | search client_ip="*" ] Attempted but failed.... See more...
My index has client_ip. However, I want to use the client_ip that exists in the user_ip.csv field. index="my_index" [ | inputlookup user_ip.csv | search client_ip="*" ] Attempted but failed. After that, I will perform stats.
Labels

Unable to import Windows Event logs

by in Getting Data In
‎09-06-2021 06:25 PM
‎09-06-2021 06:25 PM
Hi, I'm new to Splunk and was unable to find an answer to this exact question so sorry if it has been asked before or if it's a simple question but I'm  unable to import all of my local windows event... See more...
Hi, I'm new to Splunk and was unable to find an answer to this exact question so sorry if it has been asked before or if it's a simple question but I'm  unable to import all of my local windows event logs into Splunk Enterprise.  I'm able to get around 60% of them imported but anymore then that I receive an error stating "Encountered the following error while trying to update: Splunkd Daemon is not responding:('Error connecting to /servicesNS/nobody/launcher/data/inputs/win-event-log-collections/localhost: The read operation timed out',)" . I'm sure the problem is most likely the service timing out because there are so many log channels I'm trying to import but I'm not sure how to increase the timeout timer or if there is a way to create multiple localhost inputs.  Any help you can provide would be appreciated. 
Labels

Cross Cluster Search - Single site vs Multisite

by in Deployment Architecture
‎09-06-2021 03:29 PM
‎09-06-2021 03:29 PM
Hi, I have a task where I need to make my search head cluster to be able to search from two different data center/indexer clusters. One in east and another one in west coast. According to the docs ... See more...
Hi, I have a task where I need to make my search head cluster to be able to search from two different data center/indexer clusters. One in east and another one in west coast. According to the docs below: this can be done in 2 ways; single-site or multisite: https://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Configuremulti-clustersearch I have some ideas of how both work but I need more in-depth explanation why one approach is better than the other (in terms of searching/indexing performance, latency, cost, maintenance, complexity, etc). I do need to bring up that I will enable Smartstore to store data to AWS S3 instead of locally in indexer nodes. Thank you so much in advance!  

Unable to install splunk on my linux VM

by in Installation
‎09-06-2021 11:24 AM
‎09-06-2021 11:24 AM
wget -O splunk-8.2.2-87344edfcdb4-linux-2.6-amd64.deb ' : Read-only file system
Labels

Default Value Dashboard Linechart

by in Dashboards & Visualizations
‎09-06-2021 10:35 AM
‎09-06-2021 10:35 AM
Hi,  Need to create dashboard with visualization type as line chart,  need to have a default value which is as reference line, for this i have added eval Target=1|table Target in splunk query. Now ... See more...
Hi,  Need to create dashboard with visualization type as line chart,  need to have a default value which is as reference line, for this i have added eval Target=1|table Target in splunk query. Now i need to highlight the target/default  line always, and this line is to thicker than remaining lines in visualization and Bold, so that it can be distinct from others.  Need to achieve this only from Splunk , no JS or others is needed. TIA.
Labels

splunk cluster master node replacement

by in Getting Data In
‎09-06-2021 08:48 AM
‎09-06-2021 08:48 AM
Please assist to provide detailed steps to replace cluster master for the indexer cluster.  I've tried few things however peers are not connecting to the new clustermaster.   
Labels

Extracting Office365 ModifiedProperties fields data into table

by in Splunk Search
‎09-06-2021 07:10 AM
‎09-06-2021 07:10 AM
Hello Team, I not sure what I am missing but I am unable to extract or display ModifiedProperties{}.Name fields into table. For example: Under extended fields of ModifiedProperties{}.Name there is ... See more...
Hello Team, I not sure what I am missing but I am unable to extract or display ModifiedProperties{}.Name fields into table. For example: Under extended fields of ModifiedProperties{}.Name there is another field "OtherMail". I would like to display OtherMail field value/data into a table I remember doing sometime back but seems to have completely forgotten. Can someone please help with it. Thanks in advance,
Labels

extract month from a date field

by in Reporting
‎09-06-2021 07:02 AM
‎09-06-2021 07:02 AM
Hi, I hav a "Planned Start date" Field through which I am trying to extract month in the format (e.g January).Can somebody suggest? Below is what i have tried  index="tier1" sourcetype="csv"| st... See more...
Hi, I hav a "Planned Start date" Field through which I am trying to extract month in the format (e.g January).Can somebody suggest? Below is what i have tried  index="tier1" sourcetype="csv"| stats latest("Planned Start Date") AS Time| eval monthdisplay=strftime(strptime('Planned Start Date',"%m-%d-%Y"),"%B")|fields Time monthdisplay    
Labels

Timeformat

by in Splunk Search
‎09-06-2021 07:00 AM
‎09-06-2021 07:00 AM
  Hello Splunkers !!   What timeformat should i use for the below time in props?   [2021-09-06T09:10:01.459-04:00]

RenderXML via wmi stanza

by in Getting Data In
‎09-06-2021 05:34 AM
‎09-06-2021 05:34 AM
  Hi everyone,  is there a possibility to get data in with renderXML=true via wmi.conf stanza? Thanks for helping me.

Experiences with App Deployment on Splunk Cloud

by in Security
‎09-06-2021 04:08 AM
‎09-06-2021 04:08 AM
We currently operate on-prem and are considering moving to Splunk Cloud. A potential blocker is the manual process required to deploy apps in Splunk Cloud. Currently we have a fully automated SDLC p... See more...
We currently operate on-prem and are considering moving to Splunk Cloud. A potential blocker is the manual process required to deploy apps in Splunk Cloud. Currently we have a fully automated SDLC pipeline. We have multiple teams who make changes across multiple apps, currently with a weekly deployment cycle but we are about to move to fully automated deployments. We are informed that we would need to replace this process - where each app would need to be manually assessed and there would be up to two days delay. I'm interesting in other large customers' experience in this respect. Did you need to change your deployment mechanisms/processes when moving to the cloud? Is it cumbersome? Did you find workarounds?  

Help please! - linkage analysis in Splunk

by in Splunk Search
‎09-06-2021 03:30 AM
‎09-06-2021 03:30 AM
Hi, I hope someone can help guide me in what type of query or visualisation to use here so show the linkage of access permissions. I have a simple data set like the format below (I have a much bigge... See more...
Hi, I hope someone can help guide me in what type of query or visualisation to use here so show the linkage of access permissions. I have a simple data set like the format below (I have a much bigger dataset) It shows a user ID and the access they have to a folder. Users can have access to more than one folder. I would like to answer the question: Of the users who have access to a specific folder, say "Apple", what other folders to they have access to and what are the associated volumes with that connection. I was thinking Sankey diagram but I am having trouble getting the data in the right format. UserID Folder 1 Apple 1 Banana 2 Apple 3 Apple 3 Orange   Many thanks,    Tim
Labels

Request for a demo

by in Splunk AppDynamics
‎09-06-2021 03:01 AM
‎09-06-2021 03:01 AM
Hello team, Hope you are doing good ! Myself Gowtham from AppViewX Inc , working as SRE. We need to monitoring our application and the infrastructure of our organization, where in we are explori... See more...
Hello team, Hope you are doing good ! Myself Gowtham from AppViewX Inc , working as SRE. We need to monitoring our application and the infrastructure of our organization, where in we are exploring Appdynamics. We need a demo session on the Appdynamics  to our team regarding the setup an use cases of your product. I tried to book for a demo session through the website, but unfortunately I cant register for a demo. Could you please help me on registering the demo session? Regards, Gowtham  SRE  AppViewX
Labels

How to make a search box mandatory to have a value

by in Dashboards & Visualizations
‎09-06-2021 02:09 AM
‎09-06-2021 02:09 AM
I have 2 search boxes. I am using it to make to get parameters to REST API call. Now When there is no value in the search box then also the search gets executed. I want to restrict this and make it m... See more...
I have 2 search boxes. I am using it to make to get parameters to REST API call. Now When there is no value in the search box then also the search gets executed. I want to restrict this and make it mandatory that until the user enters some value the search doesn't gets executed. Attaching the screenshot of the problem where search is getting executed even if there are no values in the search box. Note: I don't want to use submit button for this.

How replication is managed in K8 based deployement?

by in Deployment Architecture
‎09-06-2021 01:20 AM
‎09-06-2021 01:20 AM
In a bare-metal deployment, the indexer keeps three copies of data on three physical nodes for data availability. Even if 2 node goes down, data will be available on the third node. But, in the case ... See more...
In a bare-metal deployment, the indexer keeps three copies of data on three physical nodes for data availability. Even if 2 node goes down, data will be available on the third node. But, in the case of microservices, how do the containers manage the data copies? There can be multiple indexer-containers running on the same physical node and three copies of data might sit on the same physical node. If such node goes down we might lose the data. Now, is there a way to keep three copies of data on the different physical nodes in a container-based deployment?
Labels

8.0.9 indexers all stuck "batchadding" after upgrading cluster master to 8.2.2

by in Installation
‎09-06-2021 01:14 AM
‎09-06-2021 01:14 AM
Hi, I'm trying to upgrade splunk from 8.0.9 to 8.2.2. According to the docs, the upgrade starts with the cluster master. After upgrading the cluster master and removing the maintenance mode, all the... See more...
Hi, I'm trying to upgrade splunk from 8.0.9 to 8.2.2. According to the docs, the upgrade starts with the cluster master. After upgrading the cluster master and removing the maintenance mode, all the indexers are stuck at in the "batchadding" status. Looking at the logs from one indexer, it goes through a cycle of: event=addPeer Batch=1/9 ...success... event=addPeer Batch=2/9 ...success... ... event=addPeer Batch=9/9 ERROR Read Timeout... WARN Master is down! Make sure pass4SymmKey is matching if master is running... WARN Failed to register with cluster master... Master is back up! Rinse and repeat. So basically it talks ok to the cluster master for a while and then get a timeout and starts over. Any idea what's going on? I did check the pass4SymmKey and they are the same everywhere, they haven't changed. Cheers, Gabriel.
Labels