All Topics

Using Windows EventCodes I want to find 3 or more users failing to log in. So far my syntax is  | stats values(user) as user count by host which looks good. Now I only want to see > 2 users from the same host. | where count > 2 counts the total, not the different values in the "user" field.   
<panel><single></single><single></single></panel>     The display values of the single tags are shown in vertical order. So how can the values be displayed side by side?
I want to generate an alert whenever one of the two text strings is missing from the same log file every 30 min. Please look at the query below for reference:

| union maxout=10 [ search index=72434_Taxi host=ah-1125888-001* "Finished Reading file for data Load: "] [search index=72434_Taxi host=ah-1125888-001* "Reading file for data Load:"]

I want an alert if either of the strings is missing as per the above query.
Hi, I am trying to combine data from 2 indexes, but I find it hard to do. I tried several stats values commands, but that did not give me the solution. This is my source:

collection  hostname  stage  stagedata
                      st1    A1234;DEF
                      st1    A3456;XYZ
                      st2    A7890;XYZ
                      st3    B1234;ABC
COLLA       h1        st1
COLLA       h2        st1
COLLB       h3        st2
COLLB       h4        st2
COLLC       h5        st1
COLLD       h6        st3

And this is what I am trying to accomplish:

collection  hostname  stage  stagedata
COLLA       h1        st1    A1234;DEF
                             A3456;XYZ
COLLA       h2        st1    A1234;DEF
                             A3456;XYZ
COLLB       h3        st2    A7890;XYZ
COLLB       h4        st2    A7890;XYZ
COLLC       h5        st1    A1234;DEF
                             A3456;XYZ
COLLD       h6        st3    B1234;ABC

Any help would be appreciated. Regards, Harry
Hello, I have a three member SHC (splunk 8.0.5.1) and want to replace the members one by one with new instances running on the same IP addresses, so first adding the new and then removing the old ones is not an option. In my plan A, I set the SHC to static captain and then tried to remove a member on the captain's command line:

$ splunk remove shcluster-member -mgmt_uri https://1.2.3.4:8090
Raft is not initialized.

This means that dynamic captain mode was not set in server.conf. How can I remove the member without going into dynamic mode? This has been asked before, but I saw no useful answer. Is it possible at all? And if so how? (If not: why?) Plan B would be juggling with ports etc but that may get a bit messy. Thanks in advance, Volkmar
Hi All, I am new to glass tables in ITSI. We have the new version of ITSI glass tables and I am looking at how to change the background color for individual columns based on the value within the column. In Splunk Enterprise dashboards, it is fairly simple to map a value to a color. Happy to add a few fields in the source code of the glass table.
I have DB Connect 3.1.5 running on an 8.1 instance. Sometimes I get the errors below and it stops ingesting data.
I want to correlate events between two indexes, Index=A and Index=B. There are multiple user fields (user, src_user, dsuer) under Index A. I have to search for users in index A which have signature=password retrieved, and need to check for the same user in Index B whether there is a successful login (action=success) within 30 sec of the user retrieving the password. Thank you in advance.
Hi All, I have two different search criteria/queries. The first search criteria/query will produce the start time for event 1 and the second search criteria/query will provide the end time for event 1. I need to calculate the duration between the start and end time using Splunk.
Machine agent is not starting and crashes with an error:

[Agent-Monitor-Scheduler-2] 26 Aug 2021 00:02:14,981 INFO MonitorExecutorServiceModule - Initializing the ThreadPool with size 2
[Agent-Monitor-Scheduler-2] 26 Aug 2021 00:02:14,982 ERROR PeriodicTaskRunner - Error creating environment task
java.lang.ClassCastException: java.util.LinkedHashMap cannot be cast to java.util.List
    at com.appdynamics.extensions.conf.modules.HttpClientModule.initHttpClient(HttpClientModule.java:29)
    at com.appdynamics.extensions.conf.MonitorConfiguration.loadConfigYml(MonitorConfiguration.java:181)
    at com.appdynamics.extensions.conf.MonitorConfiguration$1.onFileChange(MonitorConfiguration.java:106)
    at com.appdynamics.extensions.conf.modules.FileWatchListenerModule.createListener(FileWatchListenerModule.java:37)
    at com.appdynamics.extensions.conf.MonitorConfiguration.setConfigYml(MonitorConfiguration.java:112)
    at com.appdynamics.extensions.conf.MonitorConfiguration.setConfigYml(MonitorConfiguration.java:116)
    at com.appdynamics.extensions.ABaseMonitor.initialize(ABaseMonitor.java:94)
    at com.appdynamics.extensions.ABaseMonitor.execute(ABaseMonitor.java:127)
    at com.singularity.ee.agent.systemagent.components.monitormanager.managed.MonitorTaskRunner.runTask(MonitorTaskRunner.java:148)
    at com.singularity.ee.agent.systemagent.components.monitormanager.managed.PeriodicTaskRunner.runTask(PeriodicTaskRunner.java:86)
    at com.singularity.ee.agent.systemagent.components.monitormanager.managed.PeriodicTaskRunner.run(PeriodicTaskRunner.java:47)
    at com.singularity.ee.util.javaspecific.scheduler.AgentScheduledExecutorServiceImpl$SafeRunnable.run(AgentScheduledExecutorServiceImpl.java:122)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at com.singularity.ee.util.javaspecific.scheduler.ADFutureTask$Sync.innerRunAndReset(ADFutureTask.java:335)
    at com.singularity.ee.util.javaspecific.scheduler.ADFutureTask.runAndReset(ADFutureTask.java:152)
    at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.access$101(ADScheduledThreadPoolExecutor.java:119)
    at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.runPeriodic(ADScheduledThreadPoolExecutor.java:206)
    at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.run(ADScheduledThreadPoolExecutor.java:236)
    at com.singularity.ee.util.javaspecific.scheduler.ADThreadPoolExecutor$Worker.runTask(ADThreadPoolExecutor.java:694)
    at com.singularity.ee.util.javaspecific.scheduler.ADThreadPoolExecutor$Worker.run(ADThreadPoolExecutor.java:726)
    at java.lang.Thread.run(Thread.java:745)
Hi All, can anyone advise me on the below? I have Windows Application logs disabled already, but I need one event ID that should be allowed.
I have set up an event collector and have endpoints configured in the cloud trial version. I am unable to send requests to the endpoint unless SSL certificate verification is disabled. I need SSL to be enabled so that I can make external requests. Is there any way we could enable SSL in a cloud free trial account? It seems like there is no option to do so. Any help is appreciated. Thanks in advance.
I'm going to check the permission and rejection of the scan attack per hour. At this point, what I wrote... Which is appropriate, values or list?
Also, which one is suitable, stats or streamstats?

index="firewall" (action="allow" OR action="deny" ) AND ( attack="*scan") | bin _time span=1d | stats count by _time,src_ip,dest_ip,app | stats values(dest_ip) AS dest_ip , values(count) AS count by _time,src_ip,app | table _time, src_ip ,app, dest_ip , count
Hi, I have a lookup file that contains a list of hosts (one column named hosts); this list may be subject to change. I want to complete a search that will compare this lookup file to hosts in any specific index and return a table showing ok or missing if there is no match. All searches I have attempted so far are happy to return either one or the other. Is the only option here to rename the field in the host file, or are there any suggestions on how to complete this?

host (from lookup file)  host (from index)  match
host1                    host1              ok
host2                                       missing
host3                    host3              ok
I have a multisite (specifically, two site) indexer cluster running 7.3, and a search head cluster with search affinity disabled per the recommendation here. I obviously need to upgrade all of those tiers to 8.1 very soon, given the end-of-support dates for 7.3 and 8.0. Ideally I would like to perform that upgrade without an outage. The best option for this appears to be a site-by-site upgrade, especially as I happen not to have any metrics indexes. Those instructions state that I must first upgrade my cluster manager node to 8.0, then upgrade the indexers in one site to 8.0, and then upgrade the search heads in that same site to 8.0 (then repeat for the other site, then repeat the whole thing to get to 8.1). How does this apply when the search heads are all set to site0? In contrast, the instructions for upgrading each tier separately say to upgrade the manager, then the search heads, then the indexers. In what order should I do this upgrade? Do the search heads also have to go from version 7.3 to 8.0 to 8.1 like the cluster manager and indexers do?
I need to learn the process of configuring an app to use a certain index please. Thank you.
I have this log:

{
  duration: 3005
  finishTime: 2021-08-25T15:47:26.838196
  logger: splunk
  startTime: 2021-08-25T15:47:23.832269
  stepTransitionDuration: [ ]
  traceSteps: [
    { ... }   (15 collapsed items)
    {
      logType: info
      message: Response
      res: {
        httpStatus: 400
      }
      timestamp: 2021-08-25T15:47:26.838195
      title: Response
    }
  ]
  xrayTraceId:
}

How can I access only the last item (the expanded traceSteps entry above)? I tried to access it with mvindex but it returns blank results.
E.g. when using the NLog file target: https://github.com/NLog/NLog/wiki/File-target What's the optimal-performance way of creating log files for the Forwarder? One record per file (timestamp + guid.json), which would create a lot of files? Or perhaps logging every second (multiple records per log file), but what about file locks? I don't want the Splunk Forwarder to fight with NLog about who has a lock on the file. What's the optimal best-performance solution for creating log files to avoid file locks?
Hello, I have a simple dashboard that has 2 panels: 1) Types of dashboards (single value component showing the count of each type) 2) Drilldown for the 1st panel to show details. I want to convert the 1st panel such that the font size of the name of the dashboard type varies according to the count. The color would be the category of dashboard and the count (number of times it has been accessed) would determine the size of the text. I checked Dashboard Studio for this purpose but couldn't find a perfect solution. I tried to make a sample dashboard of what I want, in the screenshot below. Thanks in advance!
Hey Splunk gang, I have a dashboard that I am creating and it will ingest a file every 5 minutes. I need to create a search that will accumulate the value of an extracted field, i.e. extracted field = ACA, and it comes in the first time at 10, then the second time (5 minutes later) at 15, and the dashboard displays 25. Ideally in a single value panel. Here is the search that produces the original value, but it does not accumulate a total:

| rename "Amt Credits Acc" as "ACA" | fieldformat ACA = ("$".ACA) | table "ACA"