All Topics

After the installation of IT Essentials Work, I started to receive the following alert:

Received event for unconfigured/disabled/deleted index=firedalerts with source="source::fired_alerts" host="host::XXXXXXXXXX" sourcetype="sourcetype::stash". So far received events from 1 missing index(es).

I decided to create the index manually, and after a day I saw a few events coming in. Digging a bit, I found out that they seem to come from the saved search called fired_alerts that is part of the app DA-ITSI-CP-unix-dashboards, which I don't have enabled (!). I only enabled the Exchange content. Its query is:

| rest /services/search/jobs
| search [search index=_audit action=alert_fired | fields sid]
| collect index=firedalerts

Is this normal? Why was the index not created automatically by ITSI?
Hi folks, it's been a while since I posted here, but it looks like I'm stuck a bit (again!). I'm trying to exclude a prefix and suffix from my results, which are separated from the main string by a dash "-". The issue I have is that some of the words in my string also contain dashes, e.g. "Access - My string - July - Splunk", so the data I'd like to show as my result is only "My string - July". I came up with this:

| rex field=rule_name max_match=0 "(?<=-\s)(?<rule_name>[^-]+)(?=-)"
| rex field=rule_name mode=sed "s/^s/s/g"
| rex field=rule_name mode=sed "s/\s$//g"

But then my result shows on 2 separate lines like this:

My string
July

Any tips and hints on how to make them appear on one line? Thank you!
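One way to keep the inner " - " while dropping only the first and last segment is to anchor on the separator itself (dash with whitespace on both sides) rather than on every dash. The block below is an added example, not code from the post: it uses a regex that Splunk's rex (PCRE) accepts unchanged, and the rule names other than the one quoted in the post are constructed here to exercise the edge cases (inner separators, a hyphen inside a word, and a name with nothing to strip).

```python
import re

# Constructed sample rule names; only the first one appears in the post above.
SAMPLE_RULE_NAMES = [
    "Access - My string - July - Splunk",
    "Access - Failed - Logins - August - Splunk",   # inner " - " must survive
    "Access - Week-2 - Splunk",                     # hyphen inside a word is not a separator
    "Access - No separators here",                  # fewer than two separators: leave as-is
]

# The separator is "\s-\s". The prefix and the suffix are each a run of
# characters that never starts a separator (tempered class), and the greedy
# middle keeps every separator between them. Same syntax works in rex.
MIDDLE_RE = re.compile(r"^(?:(?!\s-\s).)+\s-\s(?P<middle>.+)\s-\s(?:(?!\s-\s).)+$")


def strip_prefix_suffix(rule_name: str) -> str:
    """Return the text between the first and last ' - ' separators, or the
    input unchanged when it has fewer than two separators."""
    m = MIDDLE_RE.match(rule_name)
    if m is None:
        return rule_name
    return m.group("middle")


def strip_all(rule_names):
    """Apply strip_prefix_suffix to a list, preserving order (one row per name)."""
    return [strip_prefix_suffix(name) for name in rule_names]
```

Because the whole middle is captured by one group, the result stays on one line; the equivalent single rex is `| rex field=rule_name "^(?:(?!\s-\s).)+\s-\s(?<rule_name>.+)\s-\s(?:(?!\s-\s).)+$"` with no max_match and no sed passes needed.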
How do I get these two stats results in one query?

(earliest=-24h@h index="s_data_sum" (type="c" OR type="s") (sourcetype="ys:ho_sum" OR (sourcetype="ys:vo_cv")))
| stats latest(first) as first latest(last) as last latest(index) as index by dev_id dq

(this dq field is not present in ho_sum)

| stats latest(first) as first_vu latest(last) as last_vu latest(index) as index_1 by dev_id sourcetype
Hi Splunkers, I installed the Splunk DB Connect app 3.5.1 on a Splunk server acting as a heavy forwarder. I configured it to forward data to index=AAA, but it always forwards to index=main. I don't know why; can someone help me please? Thanks!
Hi, how do I get APIs for the measuring units SVC (Splunk Virtual Compute unit) and vCPU (virtual CPU) in Splunk? I also need to find the API for pricing plans (workload pricing, entity pricing and ingest pricing). Please guide me on where I can get these APIs. Thanks
index="*"
| stats count by clientip, productId
| stats list(productId) AS productId list(count) AS count by clientip

I want to get information that has been released more than 10 times in an hour, counted from the time the log was detected, not from the current time as the command does by default.
Hi, I have my query below. I used a query from the "Solved" questions on the community; however, it is showing a NULL result for me.

Query:

index=victorops sourcetype="splunk:victorops:incidents:json" "PTS"
| dedup incidentNumber
| eval startTimeFormatted=strptime(startTime,"%Y-%m-%dT%H:%M:%SZ") -18000
| eval SplunkStartTime=strftime(startTimeFormatted,"%m/%d/%y %H:%M:%S")
| eval endTimeFormatted=strptime(lastAlertTime,"%Y-%m-%dT%H:%M:%SZ") -18000
| eval SplunkEndTime=strftime(endTimeFormatted,"%m/%d/%y %H:%M:%S")
| eval MTTR = round((SplunkEndTime-SplunkStartTime)/86400)
| table incidentNumber, SplunkStartTime, routingKey, entityDisplayName, SplunkEndTime, currentPhase, MTTR

The above query shows "NULL" output for the "MTTR" field. Please advise!
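The arithmetic the search is after, worked through in Python as an added example (not the poster's query and not VictorOps code): the difference is taken on the numeric epoch values that strptime produces, and the formatted display strings are built separately from them. A second function does what the posted eval does, subtracting the two formatted strings, so the failure mode is visible: Python raises TypeError where SPL's eval silently produces a null field. The incidents are constructed here and only use the field names the post mentions; the -18000 second shift and the display format are taken from the posted search.

```python
from datetime import datetime, timezone

ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"        # format of startTime / lastAlertTime in the post
DISPLAY_FMT = "%m/%d/%y %H:%M:%S"     # display format used in the posted search
TZ_SHIFT = -18000                     # the -18000 second (UTC-5) shift from the posted search

# Constructed incidents shaped like the VictorOps fields named in the post.
SAMPLE_INCIDENTS = [
    {"incidentNumber": "101", "startTime": "2021-08-18T14:05:00Z", "lastAlertTime": "2021-08-19T02:05:00Z"},
    {"incidentNumber": "102", "startTime": "2021-08-19T09:00:00Z", "lastAlertTime": "2021-08-19T09:45:00Z"},
    {"incidentNumber": "103", "startTime": "2021-08-10T00:00:00Z", "lastAlertTime": "2021-08-13T12:00:00Z"},
]


def to_epoch(ts: str) -> float:
    """strptime equivalent: ISO-8601 'Z' timestamp -> Unix epoch seconds."""
    return datetime.strptime(ts, ISO_FMT).replace(tzinfo=timezone.utc).timestamp()


def to_display(epoch: float) -> str:
    """strftime equivalent: epoch seconds -> the display string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(DISPLAY_FMT)


def mttr_days(incident: dict) -> float:
    """Time to resolve in days, computed on the numeric epoch values.

    The timezone shift cancels out of the difference, so it is applied
    only to the values that are formatted for display."""
    start = to_epoch(incident["startTime"])
    end = to_epoch(incident["lastAlertTime"])
    return round((end - start) / 86400, 3)


def mttr_from_display_strings(incident: dict):
    """What the posted search does: subtract two *formatted strings*.
    Python raises TypeError; SPL's eval yields a null field instead."""
    start_str = to_display(to_epoch(incident["startTime"]) + TZ_SHIFT)
    end_str = to_display(to_epoch(incident["lastAlertTime"]) + TZ_SHIFT)
    try:
        return (end_str - start_str) / 86400
    except TypeError:
        return None


def mttr_table(incidents):
    """The table the search builds, with MTTR derived from the epoch values."""
    return [
        {
            "incidentNumber": inc["incidentNumber"],
            "SplunkStartTime": to_display(to_epoch(inc["startTime"]) + TZ_SHIFT),
            "SplunkEndTime": to_display(to_epoch(inc["lastAlertTime"]) + TZ_SHIFT),
            "MTTR_days": mttr_days(inc),
        }
        for inc in incidents
    ]
```

The example reports days to three decimals rather than rounding to a whole day, so a 45-minute incident does not collapse to 0; pick whichever unit the dashboard needs, but subtract the epoch fields (startTimeFormatted and endTimeFormatted in the posted search) and not the strftime output.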
Hi, we would like to create a Splunk alert for long-running requests. If a request exceeds 5000ms then we should get an alert.

Search query: sourcetype="access:log" host=hostname* USERID "search"

The output that we get is:

8/20/21 12:07:07.000 AM 30.X.X.X 7x4697381x3 USERID[20/Aug/2021:00:07:07 -0400] "POST /rest/api/2/search HTTP/1.1" 200 63 243 "-" "APP.Api/10.98.3.17993 APP/10.98.3.17993 (Microsoft Windows NT 6.2.9200.0)" "1duei1d";52.14.54.126, 30.x.x.x, 30.x.x.x https-jsse-nio-8443-exec-142
host = hostname   source = /access_log.2021-08-20   sourcetype = access

Is there a way we can accomplish this?
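Before an alert can compare anything with 5000ms, the duration has to be extracted from the raw event as a numeric field. The block below is an added example and not code from the post: it parses lines of the shape quoted above with one named group per column and keeps only events whose duration exceeds the threshold. It assumes the numeric field after status and bytes (the "243" in the quoted event) is the request time in milliseconds; the post does not say which field that is, so check it against the web server's access-log pattern before using the regex in rex. The log lines are constructed for the example, with shortened user-agent strings.

```python
import re

# Constructed access-log lines in the shape of the one quoted in the post:
# ip, request id, user, [time], "request", status, bytes, then a field this
# example ASSUMES is the request duration in milliseconds, followed by
# referrer, user agent and session id. The last line is deliberately malformed.
SAMPLE_LINES = [
    '30.1.1.10 7x4697381x3 USERID [20/Aug/2021:00:07:07 -0400] "POST /rest/api/2/search HTTP/1.1" 200 63 243 "-" "APP.Api/10.98.3.17993" "1duei1d"',
    '30.1.1.11 7x4697382x3 USERID [20/Aug/2021:00:07:09 -0400] "POST /rest/api/2/search HTTP/1.1" 200 71 7321 "-" "APP.Api/10.98.3.17993" "1duei1d"',
    '30.1.1.12 7x4697383x3 USERID [20/Aug/2021:00:07:10 -0400] "GET /rest/api/2/search?jql=x HTTP/1.1" 200 8012 5000 "-" "APP.Api/10.98.3.17993" "9ab1c2d"',
    '30.1.1.13 7x4697384x3 OTHER  [20/Aug/2021:00:07:12 -0400] "POST /rest/api/2/search HTTP/1.1" 500 0 12045 "-" "curl/7.68.0" "-"',
    'garbage line that does not parse',
]

# One named group per column; the same pattern can be pasted into rex with
# (?P<name>...) changed to (?<name>...).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+)\s+(?P<reqid>\S+)\s+(?P<user>\S+)\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<request>[^"]*)"\s+(?P<status>\d{3})\s+(?P<bytes>\d+|-)\s+(?P<duration_ms>\d+)\s+'
    r'"(?P<referrer>[^"]*)"\s+"(?P<user_agent>[^"]*)"\s+"(?P<session>[^"]*)"'
)


def parse_access_line(line: str):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    event["duration_ms"] = int(event["duration_ms"])   # numeric, so ">" is a real comparison
    return event


def find_slow_requests(lines, threshold_ms=5000):
    """Events whose duration is strictly greater than threshold_ms.
    Lines that do not match the format are skipped rather than treated as 0."""
    slow = []
    for line in lines:
        event = parse_access_line(line)
        if event is not None and event["duration_ms"] > threshold_ms:
            slow.append(event)
    return slow
```

In the search the same shape is a rex with the named groups above followed by `| where duration_ms > 5000`; the comparison only works once the field exists and is numeric, which is why the example converts it before filtering.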
I'm getting the following error after installing and configuring the Microsoft 365 Defender Add-on on an HF with Splunk version 8.0.6. I need support to fix this error.

Error:

08-20-2021 01:00:04.803 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" ERROR'access_token'
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" KeyError: 'access_token'
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" return response['access_token']
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 18, in get_access_token
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" raise e
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 21, in get_access_token
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" access_token = azauth.get_access_token(client_id, client_secret, authorization_server_url, resource, helper)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_defender_atp_alerts.py", line 53, in collect_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" input_module.collect_events(self, ew)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py", line 76, in collect_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" self.collect_events(ew)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" Traceback (most recent call last):
08-20-2021 01:00:04.302 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" ERROR'access_token'
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" KeyError: 'access_token'
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" return response['access_token']
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 18, in get_access_token
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" raise e
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 21, in get_access_token
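The traceback shows `return response['access_token']` raising KeyError, which means the token endpoint answered with a JSON document that has no access_token in it; for an OAuth 2.0 client-credentials request that is normally an error document carrying `error` and `error_description`, and the KeyError discards exactly that diagnostic. The block below is an added example of how a token-response handler can surface it. It is not the add-on's code and does not call Microsoft's endpoint: the three response bodies are constructed, and the hint table maps the standard OAuth 2.0 error codes (RFC 6749) to the causes a practitioner checks first, not to anything vendor-specific.

```python
import json

# Standard OAuth 2.0 (RFC 6749) token-endpoint error codes and what to check
# first for a client-credentials flow. Generic guidance, not from the add-on.
ERROR_HINTS = {
    "invalid_client": "client id or client secret rejected (typo, expired or rotated secret, wrong tenant)",
    "unauthorized_client": "the application is not allowed to use this grant (missing API permission or admin consent)",
    "invalid_scope": "the resource/scope string does not name an API the app may request",
    "invalid_request": "malformed request (missing grant_type, resource or scope parameter)",
    "unsupported_grant_type": "the endpoint does not accept this grant_type",
}

# Constructed token-endpoint bodies: one success, one error document, one
# non-JSON body such as a proxy error page.
SAMPLE_RESPONSES = {
    "ok": json.dumps({"token_type": "Bearer", "expires_in": 3599,
                      "access_token": "eyJ0eXAiOiJKV1Qi.constructed.token"}),
    "bad_secret": json.dumps({"error": "invalid_client",
                              "error_description": "Invalid client secret is provided."}),
    "html": "<html><body>502 Bad Gateway</body></html>",
}


class TokenRequestError(RuntimeError):
    """Raised when the token endpoint did not return an access token."""


def extract_access_token(body: str) -> str:
    """Return the bearer token from a token-endpoint response body.

    Checks for the error document before touching 'access_token', so the
    endpoint's own explanation reaches the log instead of a bare KeyError."""
    try:
        response = json.loads(body)
    except json.JSONDecodeError as exc:
        raise TokenRequestError(f"token endpoint returned a non-JSON body: {body[:60]!r}") from exc
    if not isinstance(response, dict):
        raise TokenRequestError(f"unexpected token response: {body[:60]!r}")
    if "access_token" in response:
        return response["access_token"]
    if "error" in response:
        code = response["error"]
        hint = ERROR_HINTS.get(code, "see error_description")
        raise TokenRequestError(
            f"token request rejected: {code}: {response.get('error_description', '')} ({hint})")
    raise TokenRequestError(f"token response has no access_token; keys were {sorted(response)}")


def diagnose(body: str) -> str:
    """One-line verdict for a captured response body, for quick triage."""
    try:
        extract_access_token(body)
        return "ok"
    except TokenRequestError as exc:
        return str(exc)
```

The practical use is triage: capture the body the add-on receives (the script's own logging, or a proxy in front of the heavy forwarder) and run it through `diagnose`; an `invalid_client` verdict points at the secret or tenant configured in the add-on, `unauthorized_client` at the app registration's permissions, and a non-JSON body at the network path rather than at credentials.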
Hi Team, can you help me with a Splunk query that gives me a visualization of scheduled searches spiking at the top of the hour? Thanks, Sharada
We are using the latest version of Splunk Cloud. I have configured an HTTP Event Collector (HEC) token under "Settings" in the UI. It is also worth noting that we are using SSO for user authentication. I have attempted (numerous times) and failed to get a connection using curl (leveraging the information contained in this article: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/HTTPEventCollectortokenmanagement). All I get is "Failed to connect...". I am wondering if there is something unique I need to do for Splunk Cloud, something unique with SSO, or if I can even send directly to Splunk Cloud (does the connection have to originate from a forwarder, for example?). Any advice is appreciated.
I have logs of this form:

[2021-08-19T13:59:05.607] [INFO] collect - [4a2b9170-0130-11ec-95b3-17c017e0ec5d] {"uid":967,"ec":"login","em":"Successful authentication with username: [test123] other data here..."
[2021-08-19T13:59:05.607] [INFO] collect - [4a2b9170-0130-11ec-95b3-17c017e0ec5d] {"uid":967,"ec":"login","em":"Successful authentication with username: [test123] other data here..."

I would like to run a query that will show all the cases where "username: [specific user]" shows up within 1 second. So the two lines above would be a hit because test123 appeared in two similar events 1ms apart. I have gotten this far:

source="my.log"
| rex field=_raw "Successful authentication with username: \[(?<username>.*)] "
| streamstats count time_window=1s by username
| where count > 1

But this doesn't take the value of username into account and returns all cases of "Successful authentication..." that happen to be within the same second. (Again, I want that *only* if the username field is the same.)

Thanks! - Henrik
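Both this question and the earlier one about a clientip/productId pair appearing more than 10 times in an hour are the same detection: a per-key sliding window whose start is anchored on the earliest event still inside it, not on the current time. The block below is an added example (not the poster's search and not Splunk code) that implements that window once and applies it to both cases. The login lines are constructed in the shape quoted above, with the second one 1 ms after the first; the product events are constructed (epoch, clientip, productId) tuples, since that post shows no raw events. It assumes input arrives in time order, which the sorting step enforces.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log lines in the shape quoted in the post (the post's two lines
# share one timestamp; here they are 1 ms apart, as the post describes).
SAMPLE_LOG_LINES = [
    '[2021-08-19T13:59:05.607] [INFO] collect - [4a2b9170-0130-11ec-95b3-17c017e0ec5d] {"uid":967,"ec":"login","em":"Successful authentication with username: [test123] other data here..."}',
    '[2021-08-19T13:59:05.608] [INFO] collect - [4a2b9170-0130-11ec-95b3-17c017e0ec5d] {"uid":967,"ec":"login","em":"Successful authentication with username: [test123] other data here..."}',
    '[2021-08-19T13:59:05.900] [INFO] collect - [5b3c0281-0130-11ec-95b3-17c017e0ec5d] {"uid":968,"ec":"login","em":"Successful authentication with username: [alice] other data here..."}',
    '[2021-08-19T13:59:07.000] [INFO] collect - [6c4d1392-0130-11ec-95b3-17c017e0ec5d] {"uid":968,"ec":"login","em":"Successful authentication with username: [alice] other data here..."}',
]

TS_RE = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})\]")
USER_RE = re.compile(r"Successful authentication with username: \[(?P<username>[^\]]+)\]")


def windowed_hits(events, window_seconds, more_than):
    """Per-key sliding window over (epoch_seconds, key) pairs in time order.

    The window is anchored on the earliest event still inside it, not on
    'now'. A hit is emitted the moment a key's count first exceeds
    `more_than` within `window_seconds`; it fires again only after the
    count has dropped back below the line and crossed it once more."""
    windows = defaultdict(deque)
    hits = []
    for ts, key in events:
        q = windows[key]
        q.append(ts)
        while ts - q[0] > window_seconds:      # expire events older than the window
            q.popleft()
        if len(q) == more_than + 1:
            hits.append((key, len(q), q[0]))   # key, count, window start
    return hits


def login_events(lines):
    """(epoch, username) pairs from the login lines; lines without both are skipped."""
    out = []
    for line in lines:
        t, u = TS_RE.match(line), USER_RE.search(line)
        if t and u:
            epoch = (datetime.strptime(t.group("ts"), "%Y-%m-%dT%H:%M:%S.%f")
                     .replace(tzinfo=timezone.utc).timestamp())
            out.append((epoch, u.group("username")))
    return sorted(out)


def repeated_logins(lines, window_seconds=1.0):
    """Same username authenticated more than once within window_seconds."""
    return windowed_hits(login_events(lines), window_seconds, more_than=1)


# Second use of the same window: constructed (epoch, clientip, productId)
# tuples standing in for the 'released more than 10 times in an hour' case.
BASE = 1629417600  # 2021-08-20 00:00:00 UTC
PRODUCT_EVENTS = (
    [(BASE + 300 * i, "10.0.0.5", "p-42") for i in range(12)]    # 12 hits in 55 minutes
    + [(BASE + 1800 * i, "10.0.0.9", "p-7") for i in range(3)]   # 3 hits in an hour
)


def bursty_products(events, window_seconds=3600, more_than=10):
    """clientip|productId pairs seen more than `more_than` times within one window."""
    keyed = sorted((ts, f"{ip}|{pid}") for ts, ip, pid in events)
    return windowed_hits(keyed, window_seconds, more_than)
```

The key is what makes the window selective: two different users inside the same second never share a queue, so only test123 is reported here, and the product case fires at the 11th event for the pair without waiting for a wall-clock hour to elapse.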
Hello, please let me know how I would break the events and write TIME_PREFIX and TIME_FORMAT in my props.conf file for the sample source data events below:

TIME_PREFIX=
TIME_FORMAT=
LINE_BREAKER=
BREAK_ONLY_BEFORE=

The sample data has 5 events. I marked the text in RED to indicate the beginning of each event and the time in GREEN. Thank you so much, greatly appreciated!

---------------------------Sample Data Starts-------------------
TCC     A TCU00002I 22.59.00 MFE REPORT LAST 5.0 MINUTES
2021-06-14 00:00:09.420 TCC     A Server            TSID  I PKTS  O PKTS |Server            TSID  I PKTS  O PKTS
2021-06-14 00:00:09.421 TCC     A VP2SMTBAPPICE10   VQME     607     623 |VP2SMTBAPPICE11   VQMF   629   661 _
2021-06-14 00:00:09.422 TCC     A VP2SMTBAPPICE12   VQMG     603     605 |LAPKSC            UZ77     6     6
2021-06-14 00:00:09.423 TCC     A VP2SMTBAPPICCE2   VPQJ     586     595 |VP2SMTBAPPICCE4   VPQK   600   618
2021-06-14 00:00:09.424 TCC     A VP2SMTBAPPICCE5   VPQM       7       7 |VP2SMTBAPPICCE6   VPQN    11    11
2021-06-14 00:00:09.425 TCC     A VP2SMTBAPPICCE7   VPQO      15      15 |VP2SMTBAPPCLS02   VXBK    13    13 _
2021-06-14 00:00:09.426 TCC     A VP2SMTBAPPCLS03   VXBL      20      20 |VP2SMTBAPPCLS04   VXBM    11    11
2021-06-14 00:00:09.427 TCC     A VP2SMEMAPPICCE1   VXBA     520     528 |VP2SMEMAPPICCE2   VXBB   548   560
2021-06-14 00:00:09.428 TCC     A VP2SMEMAPPICCE3   VXBC     523     530 |VP2SMEMAPPICCE5   VXBE    28    28
2021-06-14 00:00:09.429 TCC     A VP2SMEMAPPICCE6   VXBF      40      40 |VP2SMEMAPPICCE8   VXBH    25    28 _
2021-06-14 00:00:09.430 TCC     A VD2SMEMAPPCLS02   VXBO      35      35 |VD2SMEMAPPCLS03   VXBP    49    49
2021-06-14 00:00:09.431 TCC     A VD2SMEMAPPCLS04   VXBQ      40      40 |VP2SMEMAPPICE10   VQMB   526   537
2021-06-14 00:00:09.432 TCC     A VP2SMEMAPPICE11   VQMC     602     609 |VP2SMEMAPPICE12   VQMD   486   486
2021-06-14 00:00:09.433 TCC     A VP2SMTBAPPICE13   VQMH     565     572 |VP2SMEMAPPICCE4   VXBD   591   597 _
2021-06-14 00:00:09.434 TCC     A VP2SMTBAPPCLS01   VXBJ      12      12 |VP2SMTBAPPICCE1   VPQI   565   580
2021-06-14 00:00:09.435 TCC     A VP2SMTBAPPICCE4   VPQL     551     561 |VP2SMEMAPPICCE7   VXBG    40    40
2021-06-14 00:00:09.436 TCC     A VD2SMEMAPPCLS01   VXBN      42      42 |VP2SMEMAPPICCE9   VQMA   528   535
2021-06-14 00:00:09.437 TCC     A VP2SMTBAPPICCE8   VPQP       2       2 |
2021-06-14 00:00:09.438 TCC     A
2021-06-14 00:00:09.439 TCC     A PID POOL PIDS IN USE: 1312 OUT OF 3001
2021-06-14 00:00:09.440 TCC     A END OF MFE REPORT+ TCC     A CVZB0001I 22.59.00 LAST FALLBACK COPY OF CP KEYPOINTS ON SYMBOLIC
2021-06-14 00:00:09.442 TCC     A MODULE: 010A DEVICE: 710A+
2021-06-14 00:00:09.443 TCC     A TCPF0001I 22.59.00 TCP KEYPOINTED+
2021-06-14 00:00:09.444 TCC     A OCC10000I 22.59.02 RMT HOST-A CCMOD DSBL ERSS AT+
2021-06-14 00:00:11.445 TCC     A OCC10013I 22.59.02 *MEH1PRD* COMMAND CODE(S) DISABLED BY RMT HOST+
2021-06-14 00:00:11.446 TCC     A COMMAND CODE DISPLAY
2021-06-14 00:00:11.447
------------------------Sample Data Ends---------------------------
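The colour markers did not survive the post, so the event boundaries have to be inferred. Every line begins with a timestamp, but only five lines carry a message id (TCU00002I, CVZB0001I, TCPF0001I, OCC10000I, OCC10013I) right after the "TCC A" column, which matches the "5 events" the poster counts; the rest are continuation lines. The block below is an added example, not the poster's config and not Splunk code: it applies a LINE_BREAKER-style regex that breaks only before such lines and a TIME_PREFIX/TIME_FORMAT pair that reads the leading timestamp, and it embeds the props.conf stanza those regexes would translate to. The sample is a trimmed copy of the posted data with a timestamp supplied on every line (two lines in the post lack one); the stanza name and the assumption that message-id lines start events are mine.

```python
import re
from datetime import datetime, timezone

# The props.conf settings the regexes below correspond to. ASSUMPTION: an
# event starts on a line whose text after the "TCC A" column begins with a
# message id such as TCU00002I or CVZB0001I; other lines continue the event.
# With SHOULD_LINEMERGE = false, BREAK_ONLY_BEFORE is not consulted.
PROPS_CONF_EQUIVALENT = r"""
[mainframe:tcc]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} TCC\s+A\s+[A-Z]{3,4}\d{4,5}I\b)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
"""

TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"
MSG_ID = r"[A-Z]{3,4}\d{4,5}I\b"
# Non-capturing form of LINE_BREAKER: Splunk discards capture group 1 at the
# break, whereas Python's re.split would keep it, so the group is dropped here.
LINE_BREAKER = re.compile(rf"[\r\n]+(?={TIMESTAMP} TCC\s+A\s+{MSG_ID})")
TIME_RE = re.compile(rf"^(?P<ts>{TIMESTAMP})")            # TIME_PREFIX = ^
MSG_ID_RE = re.compile(rf"^{TIMESTAMP} TCC\s+A\s+(?P<id>{MSG_ID})")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"                        # %3N in props.conf terms

# Constructed sample: a trimmed copy of the post's data with a timestamp
# supplied on every line (.419 and .441 are not in the post).
SAMPLE_RAW = """\
2021-06-14 00:00:09.419 TCC     A TCU00002I 22.59.00 MFE REPORT LAST 5.0 MINUTES
2021-06-14 00:00:09.420 TCC     A Server            TSID  I PKTS  O PKTS |Server            TSID  I PKTS  O PKTS
2021-06-14 00:00:09.421 TCC     A VP2SMTBAPPICE10   VQME     607     623 |VP2SMTBAPPICE11   VQMF   629   661 _
2021-06-14 00:00:09.439 TCC     A PID POOL PIDS IN USE: 1312 OUT OF 3001
2021-06-14 00:00:09.440 TCC     A END OF MFE REPORT+
2021-06-14 00:00:09.441 TCC     A CVZB0001I 22.59.00 LAST FALLBACK COPY OF CP KEYPOINTS ON SYMBOLIC
2021-06-14 00:00:09.442 TCC     A MODULE: 010A DEVICE: 710A+
2021-06-14 00:00:09.443 TCC     A TCPF0001I 22.59.00 TCP KEYPOINTED+
2021-06-14 00:00:09.444 TCC     A OCC10000I 22.59.02 RMT HOST-A CCMOD DSBL ERSS AT+
2021-06-14 00:00:11.445 TCC     A OCC10013I 22.59.02 *MEH1PRD* COMMAND CODE(S) DISABLED BY RMT HOST+
2021-06-14 00:00:11.446 TCC     A COMMAND CODE DISPLAY
"""


def break_events(raw: str):
    """Split raw text into events the way LINE_BREAKER would, then take the
    timestamp and message id from each event's first line."""
    events = []
    for chunk in LINE_BREAKER.split(raw.strip()):
        lines = chunk.split("\n")
        ts = TIME_RE.match(lines[0])
        msg = MSG_ID_RE.match(lines[0])
        epoch = None
        if ts:
            epoch = (datetime.strptime(ts.group("ts"), TIME_FORMAT)
                     .replace(tzinfo=timezone.utc).timestamp())
        events.append({
            "timestamp": ts.group("ts") if ts else None,
            "epoch": epoch,
            "message_id": msg.group("id") if msg else None,
            "lines": len(lines),
            "raw": chunk,
        })
    return events
```

Run `break_events(SAMPLE_RAW)` and check that the five message ids come out as five events with the expected line counts before committing the stanza; if the red markers in the original post sat elsewhere than on the message-id lines, only the lookahead in LINE_BREAKER needs to change.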
I need help to get the DHCP logs in Splunk tagged and parsed correctly. The data is in the index xyz.

1. The IPv6 DHCP data is being tagged correctly, with sourcetype=dhcp. The IPv4 DHCP data is being tagged with sourcetype=xyz:bind:query. Can we get that corrected to dhcp? I believe all of the DHCP servers also provide DNS. All of those log entries appear to have the correct sourcetype xyz:bind:query.

2. The DHCP request type is not being parsed in index=xyz sourcetype=dhcp. I'd like this to be stored in a field. It could be named type, action, or whatever you think is appropriate. Sample values are: DHCP_GrantLease, DHCP_RenewLease, DHCP_RebindLease.
Hi All, we have an install of Splunk on Red Hat 8 with SELinux set to enforcing. All of the services start, but the Splunk web page does not work while SELinux is enforcing. If I simply turn off SELinux and reboot, everything works great. My question is: which SELinux modules need to be turned off specifically, or do I have to do an SELinux chcon (change context) on certain files, and if so, which files and which context? If anyone has had to do this and can help, I would appreciate it. Thanks
Hi All, can someone please help me? Our subsearch has more than 50000 results and we need to append those to our main search as well. As a Splunk subsearch has a maxout of 50000, what is the best way to optimize this? Should I increase the limit in limits.conf, or is there a better way to do it by optimizing the query itself so that it allows more than 50000 results? Thanks, Dave
Hi, I currently have the search below to find the 99th percentile of response time:

index=test sourcetype=test
| eval response_time=round(response_time/1000,2)
| timechart span=1mon perc99(response_time) AS "99%"

I need to find the average response time within the 99th percentile and the single worst response within the 99th percentile. Any help would be greatly appreciated. Thanks
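The two numbers wanted are both statistics over the subset of events at or below the 99th-percentile cut-off, so the shape is: compute the cut-off, filter to the events inside it, then take mean and max of that subset. The block below is an added example in Python (not the poster's search and not Splunk's perc99 implementation): it uses an exact nearest-rank percentile, applies the same millisecond-to-second rounding as the posted search, and summarises only the events inside the percentile. The response times are constructed.

```python
import math

# Constructed response times in milliseconds: 90 fast, 9 medium, 1 outlier.
SAMPLE_RESPONSE_MS = [200] * 90 + [400] * 9 + [9000]


def nearest_rank_percentile(values, p):
    """Exact nearest-rank percentile (p in 0..100) over a sorted copy."""
    if not values:
        raise ValueError("no values")
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def stats_within_percentile(values_ms, p=99):
    """Percentile cut-off plus the mean and the worst value at or below it.

    Mirrors the posted search: convert to seconds rounded to 2 places,
    take the 99th percentile, then summarise only the events inside it."""
    seconds = [round(v / 1000, 2) for v in values_ms]
    cutoff = nearest_rank_percentile(seconds, p)
    within = [s for s in seconds if s <= cutoff]
    return {
        f"p{p}": cutoff,
        "avg_within": round(sum(within) / len(within), 3),
        "worst_within": max(within),
        "excluded_above": len(seconds) - len(within),
    }
```

In SPL the same three steps are an `eventstats perc99(response_time) AS p99` to attach the cut-off to every event, a `where response_time <= p99`, and a `stats avg(response_time) max(response_time)` (per month with `by` or a timechart); note that perc99 is an approximation on large data sets, and exactperc99 gives the nearest-rank value this example computes.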
When ingesting CSV files we get the following warning and error in _internal:

ERROR TailReader [5588 tailreader0] - error from read call from <file name>
WARN FileClassifierManager [5588 tailreader0] - The file <file name> is invalid. Reason: cannot_open.

It happens when the new file placed in the directory has the same first 70 or so characters as an existing file. Shortening the file name made the ingestion work just fine. Is there a limit for the comparison?
I've read all the suggestions on importing bash history logs and tried variations of fschange, followTail and ignoreOlderThan. For user logs this works just fine:

[monitor:///home/*/.bash_history]
disabled = false
sourcetype = bash_history
index = linux
followTail = 1
ignoreOlderThan = 1d

For root logs, nothing works unless I monitor the whole file, and that has no value to me since Splunk forwards the full log file each time a change occurs. So if the history size is 1000, then 1000 events are sent to Splunk if I run a single "who" command. Any suggestions?
Hi, I have two Linux virtual machines and I am trying to use the Splunk forwarder to send from one Linux machine to the other. I am getting that "waiting for the results" problem. How can I fix this? Thanks a lot