All Topics

Hi All, we have a query as below:

(index=abc OR index=def) category= * OR NOT blocked =0 AND NOT blocked =2
| rex field=index "(?<Local_Market>[^cita]\w.*?)_"
| stats count(Local_Market) by Local_Market
| rename count(Local_Market) as Total_Blocked
| addcoltotals col=t labelfield=Local_Market label="Total Blocked"
| append [search (index=abc OR index=def) blocked =0
    | rex field=index "(?<Local_Market>\w.*?)_"
    | stats count by Local_Market
    | rename count as Detected_Count
    | addcoltotals col=t labelfield=Local_Market label="Total Detected"]

Current output:

Local_market      total Blocked   total detected
Germany           20
ghana             80
India             91
total Blocked     191
Germany                           10
Ghana                             20
India                             10
total detected                    40

I want the data like this:

Local_Market      Germany   ghana   India   Total
total Blocked     20        80      91      191
Total Detected    10        20      10      40

I am trying to download the free trial version of Splunk. I have Windows 10 64-bit. When I download, it takes me to the licensing agreement, but from there there is no place to download the software. Any advice?

Hi,

I have finally got my search to work. It compares data between an index and a lookup (CSV) file that contains asset names, and provides output of the assets found in the index as well as in the CSV, based off some EVALs:

index=myindex ASSETS [ | inputlookup linuxhostnames.csv | eval hostname="*".hostname."*" | rename hostname as DNS ]
| dedup DNS
| eval Agent=if(like(TAG, "%NonProd%"), "Yes - NonProd", "No Agent")
| eval Location=if(like(TAG, "%DataCenter%"), "Data Center", "Not in DC")
| where Agent="No Agent"
| table DNS, IP, OS, Location, TAG

Even if I remove the eval statements, the asset output is less than the total count in the .csv, so it's listing ONLY the assets that are found in BOTH the CSV and the index. How can I generate a table that will show assets that are not in the index but are in the CSV?

Thank you

I want to try a search for "9.com". However, the results return 89.com, five9.com, guru99.com. How do I execute this? Please help.

I'm using the v20.5 Java agent. Is there a way to trigger and download a thread dump via the API? I don't see one. In the UI, we can do something like this:

1. Go to node
2. Go to agent tab
3. Request agent log files
4. Collect x thread dumps y millis apart
5. Download resulting files

I would like to automate that. Thanks.

I am planning an upgrade to version 8.2.0 from 8.0.6. According to the documentation, I should be validating that my add-ons and apps are compatible with Python 3. I ran both the Python Upgrade Readiness Check and the Splunk Platform Upgrade Readiness App; they both indicated that even the newest version of the Splunk Add-on for Microsoft Windows, 8.1.2, failed the Python 3 check. Has anyone encountered this, and if you upgraded anyway, have you run into any issues?

According to the Splunk Platform Upgrade Readiness App, the add-on failed at:

Check 7: Python scripts
Status: Warning
Required action: Update these Python scripts to be dual-compatible with Python 2 and 3.
File path: ...\bin\log.py

Is this something to be concerned about?

Hi, I have a problem: when I review an event, there is an offset between the extracted time variable and "_time".

On the SPL file:
T_LOGFILE_VORDEL_ANSWER_SLA10_1;0;08/25/2021 09:03:08

On SPLUNK:

Hi folks, I am seeking some assistance with the formatting of forwarded Splunk data to a 3rd-party collector. We have managed to get everything forwarding fine by configuring C:\Program Files\Splunk\etc\system\local\outputs.conf:

[syslog]
defaultGroup=syslogGroup
maxEventSize = 65535

[syslog:syslogGroup]
server = IPAddress:514
type = tcp

The problem is that for all of the logs (Windows logs only) we get every field of a log as a separate event, which multiplies traffic drastically. I read briefly about line breaking, but I'm not sure how to configure this, and we only have a live environment and wouldn't want to make any changes that could potentially break our existing Splunk instance, as it's used heavily by all our IT departments.

Any advice would be appreciated.

Cheers!

I have the following sources: "inserted" and "deleted".

In "inserted" I have these fields:
Id, Timestamp
1, 2021-08-18T19:39:31.3003273
2, 2021-08-18T02:25:05.786293
3, 2021-08-18T19:39:31.301158
etc.

In "deleted" I have the same fields:
Id, Timestamp
1, 2021-08-18T19:39:31.3003234
1, 2021-08-18T19:28:00.8425431
1, 2021-08-18T19:27:07.2603396
2, 2021-08-18T18:57:52.3556542
2, 2021-08-18T15:06:19.3365628
3, 2021-08-18T15:06:02.5264226
3, 2021-08-18T12:06:29.5371453
3, 2021-08-18T11:55:40.7562728
3, 2021-08-18T03:22:06.3672773

I need to filter the events in 'inserted' that are newer than in 'deleted', where the IDs are the same in both sources and the Timestamp in 'inserted' is greater than the Timestamp in 'deleted'. I've managed to set up a search for one ID, manually setting the last timestamp that I found in 'deleted', as per below:

index=something source=inserted Id=1
| eval data_inserted = strptime('Timestamp', "%Y-%m-%dT%H:%M:%S.%Q")
| eval data_deleted = "2021-08-18T19:39:31.3003234"
| eval data_deleted = strptime('data_deleted', "%Y-%m-%dT%H:%M:%S.%Q")
| where data_inserted > data_deleted

My goal, and where I need help, is how to do this automatically for the IDs and Timestamps I have in source='deleted'. Your help is very much appreciated. Thank you!

I'm watching the Fundamentals 2 course (finally XD) and I've come across a search ending with something like:

| sort -field | rename field2 as something_else | fields - field3

And the question is whether it would be a bit faster to first remove the field and then sort, or is it the other way around? On the one hand, removing fields should give you less data to manipulate when sorting. On the other hand, I don't expect Splunk to physically rewrite each and every event on each pipe, so it might not really matter at all.

Side question: let's assume we rewrite it into

| search field2=something | fields - field3

In this case, is it better to first trim the event set and then remove the field, or first remove the field and then trim? Of course I know that it's probably completely insignificant compared to the time it takes to get the data from the indexes. But that's just me digging into the internals.

I want time values from a subsearch to come into the main search for every record. For example, my VPN session table has a start and end time. I want to use this start and end time for traffic logs. I want to use the vpn_start and vpn_end fields for the time filter, but no results are returned.

I want to find traffic logs within the specified time range of the records.

Thank you for your help.

Happy Splunking.

Hi, I have two tables. The first has a few IPs that I switched to dotdecimal:

splunk_server="xyserver" index=main source="/var/log/ids.log" earliest=-24h
| stats count by name, dest_ip, src_ip
| sort -count
| eval ip_dot_decimal_split=split(src_ip,".")
| eval first=mvindex(ip_dot_decimal_split,0),second=mvindex(ip_dot_decimal_split,1),third=mvindex(ip_dot_decimal_split,2),fourth=mvindex(ip_dot_decimal_split,3)
| fields - ip_dot_decimal_split
| eval first=first*pow(256,3),second=second*pow(256,2),third=third*256
| eval ip_address_integer=first+second+third+fourth
| fields - first,second,third,fourth

The second table is a geoIP database (this is a static db):

index=main host="xy2server" sourcetype="geo_ip_locations" earliest="08/24/2021:00:00:00" latest="08/24/2021:00:01:00"
| table start_off finish_off "Alpha_2 code" Country

start_off and finish_off are dotdecimal too. I want to search for the ip_address_integer (created dotdecimal) between the predefined IP ranges (start_off / finish_off) and get back the Country and Alpha_2 values in new columns of the first table. Thanks!

Hi, the Access control page is throwing a 404 error on the search head. I am not able to access it, whereas it is working fine on the HF, so version 8.0.5 is not the problem. How do I access the code of this page through the back end? How do I fix this error?

Would you know how I can display an overlay of two charts that have different time ranges on the X-axis? For example, I would like to compare CPU utilization yesterday with the CPU utilization a week ago. Is it possible to combine the results of the two searches below into one chart?

| mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-2days latest=-1days
| timechart min(cpu_idle_pct) span=1hour

| mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-9days latest=-8days
| timechart min(cpu_idle_pct) span=1hour

Thanks!

Hi, we are using the Splunk RPM package for installing Splunk, but before installing it we want to add some files to that package, repack it as an RPM, and then use it to install on other machines. Could anybody please help me with that? Thanks in advance.

I have a dashboard with around 10 panels in it. There are two filters (inputs) on top of my dashboard: 'Index' and 'Source'. The 'Index' dropdown populates all the indices, and then the corresponding sources are populated in the 'Source' dropdown input. Based on these selections the 10 panels are loaded.

Current scenario: right now, when anyone opens the dashboard, the 'Index' and 'Source' dropdown values default to the value "ALL" and all the panels immediately start to load.

What I need help with:

1. I need a "Submit" button in my dashboard, so that when the dashboard is opened, it shouldn't automatically start loading the panels. It should wait until the user presses the "Submit" button. Sometimes the user may want to change the value from ALL to other values. In that case also (after the user changes the input), the dashboard should still wait until "Submit" is pressed to start the search with the new filter. What code do I have to write in the backend XML to achieve this?

2. Also, is it possible to have another button, say "Stop", which when pressed stops the loading of the dashboard?

In my logs I have different URLs and I need to find a smart way to get the base_url. The URLs are:

/gw/api/request/assets?AccountId=710534357902&reportDate=2021-08-25 - I want to obtain /gw/api/request/assets
/gw/api/oidc/client/v1 - I want to obtain /gw/api/oidc/client/v1
/gw/api/oidc/client/v1/ - I want to obtain /gw/api/oidc/client/v1
/gw/api/AccountOpenings/423423423-32sdf-34243 - I want to obtain /gw/api/AccountOpenings
/gw/api/AccountOpenings/345645fgh5-54hju-45565 - I want to obtain /gw/api/AccountOpenings

Can I use a single regexp to do that? Now I use something like this, but I don't think that is the right way:

| eval a=split(URL,"?") | eval URL=mvindex(a,0)
| rex field=URL "(?<base_url>.*AccountOpenings/v[0-9]).*"
| eval URL=if(match(URL,"AccountOpenings"),base_url,URL)

Hi, I have 2 multivalue fields and I want to make a simple line chart out of them. Each event looks like this:

x: [0.1,0.2,0.3,0.4,0.5] , y: [1.7, 1.4, 2.4, 5.5 ,4.7]

where x and y are multivalue fields in the event. The line chart should be an average graph of those values in the selected time range. I tried using mvexpand and it didn't work.

Hi Team, I have a dashboard in which I have 2 dropdowns.

1. SELECT API:
- PARTY INTERACTION
- TICKET MANAGAMENT

2. SELECT OPERATION: this second dropdown needs to be populated based on the first one.

a. If API = PARTY INTERACTION, then the values here are:
<choice value="*">Alle</choice>
<choice value="LISTTROUBLETICKETS">LISTTROUBLETICKETS</choice>
<choice value="RETRIEVETROUBLETICKET">RETRIEVETROUBLETICKET</choice>
<choice value="CREATETICKET">CREATETICKET</choice>
<choice value="UPDATETICKET">UPDATETICKET</choice>
<choice value="RETRIEVETICKETTHEME">RETRIEVETICKETTHEME</choice>
<choice value="GETINBOXDETAILSFORUSER">GETINBOXDETAILSFORUSER</choice>

b. If API = TICKET MANAGAMENT:
<choice value="*">Alle</choice>
<choice value="LISTPARTYINTERACTIONS">LISTPARTYINTERACTIONS</choice>
<choice value="RETRIEVEPARTYINTERACTION">RETRIEVEPARTYINTERACTION</choice>

Please help me to do this.

Hi All, one of the user accounts has been changed by someone, and it got reflected in our Active Directory as well, so we want to know who changed it.

Consider an example: I am Anandh Alagarasan, so my Firstname would be Anandh and my Lastname would be Alagarasan. Recently someone updated my Firstname to Venkat, so when we checked the account in Active Directory I could see that my account is reflected as Venkat Alagarasan. We want to know who changed the FirstName of the user. Hence we want to know whether it will be captured in WinEventLogs. If yes, we want to find out who the user is that changed the First name of the user account Anandh Alagarasan.

So kindly help me to know how to pull this information using a search query.
