All Topics
Hi Splunkers! I have a use case where my dropdown selection (the selected value that shows up in the dropdown) should update based on the $click.value$ of a previously displayed pie chart on the same dashboard. Any pointers would be appreciated.
I am getting an error with the MITRE ATT&CK app saying that the API key needs to be corrected. Please advise. Thanks a million.
I need to find a list of saved searches that don't use the index name in the search, please. Is there any way to list the names of the users along with this list? Any cool SPL? Thank you in advance. Much appreciated.
Hello there. What I'm trying to do is the following:

search | bucket span=60s _time | stats count by _time | ...

I want to achieve, if possible, the following: calculate the average per minute of the count of the search (if I concatenate stats avg(count) I get the actual value), but I can't get the Single Value panel inside my dashboard to correctly display the trend based on average values. Is there any way to achieve this result? At the moment, every attempt I make to compare those values is not going well.
I am learning Splunk and I have built the following test environment in Docker: a Splunk server running in a container, using the official Docker image:

image: splunk/splunk:8.2

I have another Docker container, call it "client", where I installed the forwarder and then added a file to monitor with the command:

$SPLUNK_HOME/bin/splunk add monitor $MY_LOGFILE -index main -sourcetype mylog

Everything works fine. If I append to $MY_LOGFILE in the client Docker container with

echo "hello" >> $MY_LOGFILE

then I can see the new line in the Splunk web console. Now I am appending to/feeding my log file with an endless bash count-up loop and I can see everything in the Splunk web console. Great.

My question: I would like to delete old records from Splunk to save disk space, so I followed the documentation and did this:

sudo vi /opt/splunk/etc/system/local/indexes.conf

with this content:

[main]
maxTotalDataSizeMB=1
rozenTimePeriodInSecs=300
disabled=false

As far as I know, this allows Splunk to automatically delete old data when my index hits the 1MB size. After I created this new config file, I restarted the Splunk Docker container (and Splunk as well, manually). But actually, nothing happens. It seems that this setting is not considered, and I see the increasing number of records in the index, and the index size is also increasing without limitation in Splunk. I use the following commands to check the index size:

sourcetype=mylog | stats count as Records

index=_internal source=* type=Usage idx=* | eval SIZE=b/1024 | stats sum(SIZE) by st

Result: 30756.775390625

But when I stop Splunk, then I am able to clean up the index with these commands:

splunk stop
splunk clean eventdata
splunk start

But I have a scenario where I need to limit the size of the index and the disk usage that is used by the Splunk index in "realtime", without stop and start. What am I missing here? Thx
Hi there, we have an issue with one of our applications using AppDynamics. We are using the Java app agent to monitor multiple WebSphere Liberty installations. The application has a production environment and multiple staging/test environments. One of the test environments works without any issue (this seems to be the first stage that we installed the app agent on). For the other stages the agent still shows on the controller, but there are no metrics being reported in the UI.

Controller Version: 20.11.5-1987
Agent Version: 21.4.0.32403 v21.4.0

I have a debug zip for the agents on production which are not reporting. Could you point us to where to look for errors, or what might be the configuration error? Regards, Falco
How are you tuning ES to your environment? Are you overwriting the correlation searches that ship with ES, or are you making copies of them and modifying the copies? When there is an update for ES, are you having to go correlation search by correlation search, line by line, comparing them to see what changed? What about ES Content Updates?
Hi,

Current table / Expected:

fstatus      count
success      604
Userdefined  39

I need to sum the "password mismach", "policy policy constraint violation", "reset token expired" and "unexpected error setting password" values and save them as a new value named "user defined", and I need to rename the empty value in the fstatus field to success. Could anyone please help with this? Regards, Madhusri R
The contents of my lookup file, test12345.csv, are shown below.

ProductNumber,SerialNumber,StatusDateTime,Status
"A12345 ","MA00000001 ","2021-08-31 01:30:47 ","SHIPPED "

There is some space " " found at the end of each record. The inputlookup captures all the records with a space at the end, which stops my joins from working properly. Is there any way I can remove the space at the end of each record after using inputlookup?

ProductNumber=A12345
SerialNumber=MA00000001
StatusDateTime=2021-08-31 01:30:47
Status=SHIPPED
Hello, whenever I forward something, these logs always get forwarded despite my blacklisting them in inputs.conf. Is there any way for them not to be forwarded at all?

inputs.conf:

[WinEventLog://Security]
index = windows_test
whitelist = EventCode=%^(4634)$%
sourcetype = ad:security
disabled = 0

[monitor://$SPLUNK_HOME\var\log\splunk]
disabled = 1
blacklist = %SplunkUniversalForwarder%
Hello all, I need help with this :(( How do I use derivatives of the 1st function's results in the 2nd function in Splunk? Please see the example below:

1st function: for instance, from the first eval, I got the names of the top 100 sold fruits and their respective companies.
2nd function: from these top 100 fruits, I would like to then search for the fruits' import-export countries (i.e. the export country (origin) and the import (destination) country). Each of the fruits may have more than 1 set of export-import.

How do I go about doing it? What's the syntax to get the top 100 fruits into the second function? Any guidance appreciated.
I have installed the required apps to get the Splunk App for Windows Infrastructure to work. I have inputs.conf configured with the following:

###### OS Logs ######
[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true

[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true

If I search the index wineventlog I see items that have been indexed from all desktops, but for some reason I can't seem to get the information to show up in the Splunk App for Windows Infrastructure under Windows > Event Monitoring; all I get is "No Results found". Any ideas why this would be? I have tried to run the Build lookups again etc. and it's the same. Thanks
I'm going to run stats through two lookups.

srcip.csv fields: src_ip, subnetmaks
dest.csv fields: dest_ip, subnetmaks

src_ip and dest_ip are intended to be used in stats, e.g.:

index="myindex" [| inputlookup destip.csv] [| inputlookup srcip.csv] | stats values(src_ip) AS src_ip by dest_ip

Or is there another way? And if the lookup field name is different from my index field, e.g.:

csv = src_ip, myfield = srcip
csv = dest_ip, myfield = destip

what should I do in that case?
I tried to find a solution to parse some URLs to obtain the base, but it seems that I cannot succeed. For the part between GET/POST and HTTP, I want to return the base URL as in the examples below:

GET /gw/api/aaa/v1/ HTTP - to return /gw/api/aaa/v1
GET /gw/api/abc/v3 HTTP - to return /gw/api/abc/v3
POST /gw/api/cba/ HTTP - to return /gw/api/cba
POST /gw/transactions/swaggers/v2 HTTP - to return /gw/transactions/swaggers/v2
POST /gw/api/swaggers/v1/asd?dssa HTTP - to return /gw/api/swaggers/v1/asd
POST /api/swaggers/ HTTP - to return /api/swaggers
GET /api/cashAccountOpenings/v3/sadsa-123312-1312 HTTP - to return /api/cashAccountOpenings/v3

I added these examples to regex101.com to make it easier to find a solution: https://regex101.com/r/oLXtw8/1/
Hi, one of our clients is interested in ingesting OpenTelemetry data into Splunk, and we want to monitor application performance; I could see that the Splunk APM module is used to perform this task. When I was going through the Splunk Distribution of OpenTelemetry Collector documents, I got the following doubts:

1) Do I need to buy any additional modules in order to ingest the OpenTelemetry data into Splunk, as we have the Splunk Enterprise licensed version?
2) Is it possible to ingest the OpenTelemetry data without using the Splunk Observability Cloud module?
3) If it is possible to ingest OpenTelemetry data into Splunk, then could you please provide the link to access the document?

Thanks in advance.
Hi Team,

Current table:

column  row1     row2
status  failure  success

My requirement:

1. If row 1 has the value failure and row 2 itself does not exist, then row 1 has to be renamed to failure.
2. If row 1 has the value success and row 2 itself does not exist, then row 1 has to be renamed to success.
3. If row 1 has the value success and row 2 has the value failure, then row 1 is to be renamed to success and row 2 to failure.
4. If row 1 has the value failure and row 2 has the value success, then row 1 is to be renamed to failure and row 2 to success.

All these cases are needed in a single query. Can anyone help with this? Regards, Madhu R
We're currently using Splunk ES, and would like to grab a notable event's drilldown link on the ES Incident Review page without having to manually copy it. The closest solution that I've come across is automatically building the URL by using a `notable` search and piecing together the earliest/latest times and the drilldown search, but I feel like there might be a more elegant solution out there.
From a SOC perspective, what health checks are important for them to perform? I understand the basic checks from the Splunk Monitoring Console, but are there better checks, or more relevant checks, that a SOC should be focusing on?
Hello Splunk Community, I've a query which lists accountNumber, targetAccountNumber, eventType, eventTime. The query is working just fine, but it is displaying empty rows with eventTime being displayed:

accountNumber  targetAccountNumber  eventType   eventTime
123456         789123               apple       09/02/2020:12:00
                                    banana      09/02/2020:13:00
111111         763333               mango       09/03/2020:15:00
                                    watermelon  09/03/2020:16:00
212121         999999               Texas       09/04/2020:18:00
                                                09/04/2020:19:00
                                                09/04/2020:20:00
                                                09/04/2020:21:00

I do not want the empty eventTime rows to be displayed. It should display only where there is an eventType for a particular time. How should I exclude the empty eventTime? My query is as follows:

index=newyork data | stats values(eventType) as eventTypes, values(eventTime) as "Event Time" by accountNumber, targetAccountNumber

Please help.
Trying to install the Tripwire app and getting the following errors:

error:335 - Traceback (most recent call last):
  File "/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 628, in respond
    self._do_respond(path_info)
  File "/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 687, in _do_respond
    response.body = self.handler()
  File "/opt/splunk/lib/python3.7/site-packages/cherrypy/lib/encoding.py", line 219, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/htmlinjectiontoolfactory.py", line 75, in wrapper
    resp = handler(*args, **kwargs)
  File "/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpdispatch.py", line 54, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/routes.py", line 383, in default
    return route.target(self, **kw)
  File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-486>", line 2, in listEntities
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 40, in rundecs
    return fn(*a, **kw)
  File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-484>", line 2, in listEntities
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 118, in check
    return fn(self, *a, **kw)
  File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-483>", line 2, in listEntities
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 166, in validate_ip
    return fn(self, *a, **kw)
  File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-482>", line 2, in listEntities
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 245, in preform_sso_check
    return fn(self, *a, **kw)
  File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-481>", line 2, in listEntities
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 284, in check_login
    return fn(self, *a, **kw)
  File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-480>", line 2, in listEntities
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 304, in handle_exceptions
    return fn(self, *a, **kw)
  File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-475>", line 2, in listEntities
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 359, in apply_cache_headers
    response = fn(self, *a, **kw)
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/controllers/admin.py", line 1738, in listEntities
    app_name = eai_acl.get('app')
AttributeError: 'NoneType' object has no attribute 'get'