Hello, I have a table with 3 columns: 1 is strings and 2 columns are numbers. Is there a way to sort the table from the highest number to the lowest across all the values in the table? For example: this is part of my table, and I want to sort the numbers in "priority" and "silverpop" regardless of which one of them it is, just to see the row with the highest value first.
Hi Guys, I would like to check if it's possible to prevent some data from showing up in the search. Below is what I want to prevent from showing up.

=============
Aug 31 23:59:43 a.b.c.d hey_audit: INFO 2021-08-31 23:59:43 12,345 HelloType=External |userName=zzz| |xxxapiversion=1.0| |httpMethod=POST| | restEndPoint=/v1/insights_transport/transfer_data_to_multicluster| |entityUuid=| |queryParams=| |payload=

I understand I can use regex or eval. Can someone show me how it's done?
Hi All, Kindly let me know if there is any document or link which can provide me the steps to on-board OpenTelemetry data into Splunk Enterprise.

1) Do we need to buy Splunk Observability Cloud in order to monitor/analyse the OpenTelemetry data?
2) What are the steps or procedure which we need to follow to on-board the OpenTelemetry data into Splunk? Kindly provide the link to access the document.
3) I had gone through this link but am getting confused about which components are needed to perform this task: https://docs.splunk.com/Observability/get-started/welcome.html#nav-Welcome-to-Splunk-Observability-Cloud

Thanks in advance.
Hello, I need to onboard Linux and Windows to ITSI.

1) I have installed the UF on Linux with the Unix and Splunk Infr. add-ons, and configured it to connect to Splunk.
2) I am getting data in Splunk but nothing is showing on ITSI.

Thanks, Lalit
We have the Splunk DB Connect add-on connected to a SQL Server, and all connections are successful. We monitor the database activity and we saw queries in sleeping mode; the DBAs mentioned that the connection should be turned off after transacting a query. Is this possible?
Hi all, We have an existing index cluster which was installed with version 6.x and gradually upgraded to version 8.1.3. In the process of adding two new heavy forwarders we cannot get the HFs to properly communicate with the index cluster. The HFs are fresh installations using the latest 8.1.3 package. We get the error as shown in the subject. Since we do not use SSL we are a bit lost with regards to this message.
Hello, I have to search events on many sourcetypes whose names begin with "ezop:web", so I use a wildcard: "ezop:web*"

index="tutu" sourcetype=ezop:web*

Is this good practice, or is it better to do something like this:

(sourcetype=ezop:web1 OR sourcetype=ezop:web2 OR sourcetype=ezop:web3)

Or perhaps something else? Thanks
Hi All, I need to integrate Trend Micro Portable Security (which is an antivirus security program on a portable USB) with Splunk. However, the add-ons available in Splunk are for Trend Micro Deep Security or Trend Micro Deep Discovery. Will the Trend Micro Deep Security add-on work for Trend Micro Portable Security logs? Or is there any other way to integrate Trend Micro Portable Security logs with Splunk? A detailed answer and suitable links will be appreciated. Thanks
My query is:

index="stage*" source="*record service*" | eval type=case(like(message, "%successful generated account%"),"Success Accounts", like(message, "%Granting failed Accounts%"),"Granting failed Accounts", like(message, "%Inbound setup failed accounts%"),"Inbound  failed Accounts") | stats count as Results by type

I am getting the result as:

type                        Results
Success Accounts            10
Granting failed Accounts    20

I am unable to get the results for the string "Inbound failed Accounts" as the results are zero. I need the output as:

type                        Results
Success Accounts            10
Granting failed Accounts    20
Inbound  failed Accounts    0

Please help me with the query for displaying the strings with zero count as well.
Hello, We get this error and I'm not entirely sure how we can resolve it. Looks like a timeout issue:

2021-09-01 14:07:44,983 level=ERROR pid=12315 tid=Thread-20 logger=splunk_ta_o365.modinputs.management_activity pos=management_activity.py:do:159 | datainput=b'at_rbi_management_activity_sharepoint' start_time=1630505194 | message="Failed to retrieve content blob." content_id=b'20210901140215154005183$20210901140215154005183$audit_sharepoint$Audit_SharePoint$emea0023'
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/3rdparty/urllib3/connectionpool.py", line 383, in _make_request
    six.raise_from(e, None)
  File "<string>", line 2, in raise_from
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/3rdparty/urllib3/connectionpool.py", line 379, in _make_request
    httplib_response = conn.getresponse()
  File "/opt/splunk/lib/python3.7/http/client.py", line 1369, in getresponse
    response.begin()
  File "/opt/splunk/lib/python3.7/http/client.py", line 310, in begin
    version, status, reason = self._read_status()
  File "/opt/splunk/lib/python3.7/http/client.py", line 271, in _read_status
    line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
  File "/opt/splunk/lib/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
  File "/opt/splunk/lib/python3.7/ssl.py", line 1071, in recv_into
    return self.read(nbytes, buffer)
  File "/opt/splunk/lib/python3.7/ssl.py", line 929, in read
    return self._sslobj.read(len, buffer)
socket.timeout: The read operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/3rdparty/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/3rdparty/urllib3/connectionpool.py", line 637, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/3rdparty/urllib3/util/retry.py", line 368, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/3rdparty/urllib3/packages/six.py", line 686, in reraise
    raise value
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/3rdparty/urllib3/connectionpool.py", line 599, in urlopen
    chunked=chunked)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/3rdparty/urllib3/connectionpool.py", line 385, in _make_request
    self._raise_timeout(err=e, url=url, timeout_value=read_timeout)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/3rdparty/urllib3/connectionpool.py", line 305, in _raise_timeout
    raise ReadTimeoutError(self, url, "Read timed out. (read timeout=%s)" % timeout_value)
urllib3.exceptions.ReadTimeoutError: HTTPSConnectionPool(host='manage.office.com', port=443): Read timed out. (read timeout=60)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 153, in do
    response = self._subscription.retrieve_content_blob(session, content.uri)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 166, in retrieve_content_blob
    return self._request(session, 'GET', url)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 179, in _request
    response = session.request(method, url, params=params, timeout=self._request_timeout)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/3rdparty/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/3rdparty/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/3rdparty/requests/adapters.py", line 529, in send
    raise ReadTimeout(e, request=request)
requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='manage.office.com', port=443): Read timed out. (read timeout=60)
Before I go and reinvent the wheel, has anyone looked at indexing the results from running an inspect using the CLI version of splunk-appinspect? The --output-file is, by default, JSON and has a start_time field in it which could be used for the event's _time. And, if you run it with --generate-feedback, then you get a YAML file which can be converted to JSON using the yq command. The resulting JSON file also has a start_time field in it which could be used for the event's _time. As for a use case... I don't know (yet). At this stage, it's really just a "wouldn't it be cool to ..."
Hi all, can anyone help me with where to retrieve my x-api-key? My application is issuing:

otel-collector_1 | 2021-09-02T05:09:31.554Z info exporterhelper/queued_retry.go:325 Exporting failed. Will retry the request after interval. {"kind": "exporter", "name": "otlphttp", "error": "error exporting items, request to https://pdx-sls-agent-api.saas.appdynamics.com/v1/traces responded with HTTP Status Code 403", "interval": "15.823926909s"}

I got mine from API Clients. Is this the right place?
Hi All, One of our indexers is going down very frequently and I have observed the below error in the dmesg logs:

Out of memory: Kill process 20910 (splunkd) score 801 or sacrifice child
Killed process 20914 (splunkd) total-vm:86320kB, anon-rss:9872kB, file-rss:0kB, shmem-res:0kB
splunkd: page allocation failure: order:2, mode:0x35600d0
CPU: 2 PID: 20914 Comm: splunkd Not tainted 3.10.0-693.11.6.el7.x86_64 #1

Can you please help me with this issue? Thank you
Hi, I am moving a client from on-prem to cloud. One of the apps they use is TA-windows_eventsize_reducer (app number 3500). On Splunkbase that app is marked as Splunk Cloud compatible, but it is also marked as Archived. Any idea why it has been archived? Also, how can I install it on Splunk Cloud? The usual "Manage Apps > Browse More Apps > Install" doesn't work because it can't find the app, probably because it is inactive. I tried downloading and then installing from file but got rejected and told to use the vetting approach. Should I vet it, or should it be loadable from Manage Apps? Thanks
Hi, I'm having an odd issue. I made some field extractions and validated them through Regex101. However, only some of the fields are being extracted, not all. Initially they all work and then some disappear. It's a single regex string, so if there were any issues I don't know why some fields would be extracting but not others. And the sourcetype has not changed. Does anyone have a solution for this or any inkling of what might be going on? For reference, here's my regex:

"log":\s"(?<log_source>[^\s]+)\s(?<ISO8601>[^\s+]+)\s+(?<log_level>[^\]]+)\s\[(?<exchangeId>[^\]]+)\]\s(?<RuleType>[^\.]+)\.\[(?<RuleName>[^\]]+)\]\s-\s(?<http_method>[^\|]+)\|(?<site>[^\|]+)\|(?<uri_path>[^\s\?"|]++)\|(?<status>[^\|]+)\|{\\"error_description\\":\\"(?<error_description>[^"]+)\\\",\\"error\\":\\"(?<error>[^\\]+)\\"}\\n

Log:

"log": "/opt/instance/log/access.log 2021-09-01T14:40:17,493 WARN [wUJHboi800nOHINLKnugbF1rBkcQ] Rule.[ErrorCapture] - POST|site.com|/oauth|400|{\"error_description\":\"Authorization code is invalid or expired.\",\"error\":\"invalid_grant\"}\n"

And it seems to only be the site field not extracting, for whatever reason.
This is my Splunk query:

index=xxxxx "searchTerm" | rex "someterm(?<errortype>)" | timechart count by errortype span="1w" | addcoltotals labelfield=total | fillnull value=TOTAL | fields - abc,def,total

I am adding the total count of the errors over a week in another row named TOTAL, as depicted in the table below. Here A..., B... are error names in alphabetical order, and the values are the total number of errors that occurred on that day for that errortype.

_time        A....  A....  C....  D....  E....
2021-08-25   11     22     05     23     89
2021-08-26   15     45     45     13     39
2021-08-27   34     05     55     33     85
2021-08-28   56     08     65     53     09
2021-08-29   01     06     95     36     01
TOTAL        117    86     265    158    223

I want these fields sorted by the value in the TOTAL row in descending order, like 265 223 158 117 86. But I am always getting them in alphabetical order of the errortype, like A... A... B... How can I improve this query to get the sorted result I want?
Hi, I'm trying to use ITSI to use KPIs from IIS servers. The setup of the IIS web servers is that they host several different sites, and in ITSI I want to break this out into different services. Splunk is ingesting the IIS logs successfully; the data includes the hostname of the server it's running on and the site name.

In ITSI I've set up a new service. For the entities of this service I've made a rule to match both the alias fields 'host' and 'site' (and made sure both these fields are set on the Entity record in ITSI). Then I set up a new KPI using a base search to count the number of 5xx errors. This is set to split by the field 'host' (the website is hosted from two separate machines), then filtered by service entities in field 'site'.

This seemed to work until I started creating other services for other websites. I wanted to also monitor the non-production version of this website, so I created a service as above but using the non-prod host names; however, the site name is the same. The result of this was really weird: the KPI then listed the production and non-production servers in the entity list for this service (though they are not in the Entities list for that service). ITSI also started giving warnings of duplicate aliases assigned to entities.

At this point I thought maybe I was defining the 'site' on the entity in the wrong way, so I moved site from being an alias to 'Info'. But unfortunately ITSI doesn't seem to be able to filter by the info field.

I guess the issue I'm facing here is that I need a way to filter an entity by two fields: the hostname of the server(s) it's on and the 'site' name in IIS. How is this achieved? Thanks, Eddie
I'm attempting to determine how to identify the distribution of the Java Agent deployed on a server. I know that for the agents that support Java 1.7 or lower you can unpack javaagent.jar and look at /META-INF/MANIFEST.MF:

If it's the IBM-specific agent, then Implementation-Version will read "Server IBM Agent #".
Else if it's the Sun+JRockit agent, then Implementation-Version will read "Server Agent #".

However, how do you tell if it's the Sun+JRockit agent that supports Java 1.7 and lower, or the Sun+JRockit agent that supports Java 1.8 or higher? I have unpacked javaagent.jar for both agents and ran a diff on the entire file structure, and it came back with no results.
Our Splunk has a retention time of 35 days only. After that we get a "No result found" message on the dashboard. We want to set an alert for when we get "No result found" on the dashboard, or are over the retention time. How can we set the alert on the front end?
I'm looking to update an artifact in a custom function. The closest thing that's supported is being able to update a container, or delete/add artifacts, which is not what we want to do (as the initial artifact must stay intact). Is there any workaround for updating artifacts in a CF, or are there any plans to include update_artifact in the supported Custom Function API commands?