I have some events that exceed the default 10000-byte TRUNCATE limit. This triggers "truncating line because limit of 10000 bytes has been exceeded." In Splunk documentation, this is characterized as "line-breaking issues". Because the events are received in JSON, I thought reducing line length would solve this problem without tweaking TRUNCATE. But this doesn't. After pretty-printing, large JSON documents still get truncated. Does this mean that the "line breaking issue" is really an "event breaking issue", i.e. that the indexer requires every event to be under the TRUNCATE limit? The JSON documents have the correct syntax, including the opening and closing brackets.
Which mode does the Splunk forwarder support? If both push and pull modes are supported, we want to know how to configure the different modes, and the disadvantages of each and the differences between them. Thanks
Hello, I want to store hot/warm and cold buckets separately when I create a Splunk index. Hot/warm is stored in /tmp/hotwarm and cold is stored in /tmp/cold. However, this is about creating an index in the Splunk UI. I know how to separate the paths in indexes.conf. It's just that I want the UI to use the paths I want as the defaults when I save the index. What should I do? Thanks
Hello, I have a complex data source (sample events given below). Is there any way I can write TIME_PREFIX and TIME_FORMAT for this data source? Thank you so much, greatly appreciated.

FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:03:48.165
FOAT     A  RCTID     QMGR NAME      INDS I/P CNT O/P CNT     MQ Series Q name                                2021-06-14 00:03:48.162
FOAT     A -------- ---------------- RCTID     ---- ------- ------- -------------------------------                     2021-06-14 00:03:48.163
FOAT     A                        IOB   FRAME  COMMON     SWB     XWB     ECB     FRM1MB                      2021-06-14 00:08:09.521
FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:28:09.361
FOAT     A      1       0        4        4       20        0.86   499.26     1.68                            2021-06-14 00:28:09.445
FOAT     A      2       0        3        2        3        1.19   498.92     2.19                            2021-06-14 00:28:09.446
FOAT     A      3       0        2        2        2        1.17   498.95     2.20 _                          2021-06-14 00:28:09.447
FOAT     A      4       0        4        2       10        1.24   498.87     2.27                            2021-06-14 00:28:09.448
FAAT     A END OF DISPLAY+                                                                                    2021-06-14 00:28:09.449
DFAT     A Utilization                     OK   .7 - .7 / .3 - .3 _                                           2021-06-14 23:58:11.233
DFAT     A CFCAOL Message Rate               OK   0.0 / 0.0                                                     2021-06-14 23:58:11.234
FISA    A DASRS Message Rate               OK   0.0 / 0.0                                                     2021-06-14 23:58:11.235
FISA  A Command Code timeouts past Min  OK   c-0 / i-0 / b-0                                               2021-06-14 23:58:11.236
FIAT     A BTIF Response Time              OK   n-0 / r-0 / t-0                                               2021-06-14 23:58:11.237
FIST     A Serv Ctr or C-Codes Disabled    OK   2                                                             2021-06-14 23:58:11.238
BNAT     A 02303F80       *ENBL* AN AT AU BR CI FR KC ME OG PH                                                2021-06-14 23:30:04.120
PODA     A CFOL         0.0        0.0                                                                        2021-06-14 18:56:09.072
PODA     A IDRS         0.0        0.0                                                                        2021-06-14 18:56:09.073
PODA     A EFTP         0.0        0.0                                                                        2021-06-14 18:56:09.074
TBCA     A AAES0009I 00.00.00 FROM TA 0A : AAER0412I ACT: Variation RASIGN activated from dir F:\TESTAVENVAR     2021-06-15 00:00:00.195
Hi, We have an existing Splunk deployment that uses SSL certs for security. A new STIG has a requirement to use FIPS. If I read through all of the previous FIPS-related questions, it seems that I need to reinstall the same version, or upgrade the version of Splunk Enterprise / Splunk Universal Forwarder. I hit a snag with reinstalling the same version, and maybe someone can give a suggestion. When I try to reinstall over the current installation, the installer is too smart. It notices the same version is installed and exits instead of asking if the user wishes to continue. Does anyone know of a way to get the installer to reinstall over itself? This is a Windows installation. Any help will be useful. thx, Ken
I have the Splunk Add-On for Windows installed on my deployment server in order to help collect data from my windows machines (forwarders). However, when the data comes in - it is all condensed down into a block and more or less unreadable. The entries from it have the tags like <Event>, <System>, etc but it isn't spaced out at all and bunched together. Was curious if anyone knows how to make the data from this add-on look like how all other data usually comes into splunk - spaced out and indented and more readable to the human eye essentially. Not sure if this would be a splunk configuration or a configuration that has to be done specifically to my Windows Add-On settings on my deployment server. Thanks!
Hello everyone, When I install Splunk Enterprise on my personal Ubuntu machine, it directly changed the default python binary. It means that after the install, when I type:

which python

it returns a binary located in /opt/splunk/bin/python, which is not the default python I want for my system. I'm having trouble finding information about what is done during the install and how to change this behavior... Thanks a lot for your help!
Is the Splunk Add-On for Sophos compatible with getting data from my Macs? I have a deployment server (on Windows, the only OS compatible with hosting the Sophos Add-On) with Macs and Windows machines in my environment with the Universal Forwarder installed. I want to use this add-on to collect Sophos data from both my Macs and Windows machines but can't find anywhere whether it will work.
Hello! I was asked to find what IP addressable devices are listening on port 80 on our network. Can I find this information through a query? I'm new to Splunk analysis so I apologize if this seems basic. Any and all help is greatly appreciated. Thanks!
To upgrade to Splunk 8.2 from 7.3 we must install 8.1 first before 8.2. So is it okay to run the rpm -U for 8.1 and then 8.2 right after 8.1 finishes, or should we wait until the entire 8.1 environment has been running for a few days? Any suggestions would be greatly appreciated.
Hi, I have the following search that works against a datamodel to plot a timechart. How can I use the predict command with this output?

| tstats summariesonly=true count FROM datamodel="modelname.dataset" where dataset.field="xyz" by dataset.field, _time span=1h prestats=t
| timechart span=1h count by dataset.field usenull=f useother=f

If I try to do the following,

| predict dataset.field

the search fails with this error: command="predict", Unknown field: dataset.field

What is the correct way to do this?

UPDATE: Turns out | predict "xyz" works, but this would mean it is working just for that one value of the field.

Thanks
Hello Experts, We need to get the IP address under the Network tab from all the servers where the AppD MA is running, through Dexter. Some of the servers are configured with a different host name, so getting the IP address will be helpful to find the misconfiguration and fix the issue. Please share your knowledge! Thanks, Selvaganesh E
Is there any Splunk-supported app/add-on for the 8.2.X cloud version which can be used for maps implementation on Splunk dashboards? I need to visualize the data in clusters on the dashboard panel using a map.
I have the following data of red, green, and blue light levels over time that I would like to plot on a scatter plot graph.

_time               Red_level Green_level Blue_level
2021-06-08 17:53:06 0.205     -8.315      -14.669
2021-06-02 16:54:59 1.313     -6.571      -13.389
2021-06-04 14:50:49 1.564     -6.006      -13.012
2021-06-07 17:47:38 0.362     -7.853      -13.681
2021-05-28 14:25:15 1.440     -6.460      -12.511
2021-05-27 13:43:02 0.789     -7.264      -12.751
2021-05-26 19:20:34 1.018     -6.511      -12.391
2021-05-31 14:11:25 1.187     -6.226      -13.192
2021-05-30 14:48:10 1.042     -6.254      -12.654
2021-05-29 13:48:41 1.023     -6.355      -12.649

Current search:

index=aaa | table _time Red_level Green_level Blue_level
Hi all, I have the following dataset:

Name   Title  DaysRemaining
Tom    West   50
Martin error  error
Billy  Winter 5103
Will   Fable  2

I was wondering if there is a way to order the DaysRemaining field by first showing the 'error' value on the top and then ordering in ascending order, i.e. 2, 50 and 5103? In addition, is there a way to highlight only the DaysRemaining field, in which 'error' is highlighted red, values between 0-30 are also red, values between 30-100 are orange and values above 100 are green? Desired outcome:

Appreciate any and all help greatly!
Hi Folks, I have two lookup files which contain user information such as username, email and company. For example:

1. First lookup file.

user  email             company
siva  siva11@gmail.com  google
arun  arun11@gmail.com

2. Second lookup file.

user  email             company
arun  arun11@gmail.com  yahoo

How do I merge the two lookup files and merge the values? The expected output should be like this.

user  email             company
siva  siva11@gmail.com  google
arun  arun11@gmail.com  yahoo

Could anyone please suggest how to get the expected results.
Hi Experts, I have a specific requirement to split the contents of a file and ingest it as separate events. In those events, a filter is to be applied and only the filtered data ingested to the Splunk indexer. I have created a REGEX pattern which splits the contents of the file and ingests the data into separate events as desired. Now, my issue is with the filtering of ingested data. In each event, I need to filter for AGGREGATED_EXECUTION and ingest only the events which have that content. I set the configuration as below.

props.conf:

[expensive_statements]
TRANSFORMS-set = send_events

transforms.conf:

[send_events]
REGEX = AGGREGATED_EXECUTION
DEST_KEY = queue
FORMAT = indexQueue

The above settings are made on the HF. Still, the filtering is not happening as expected. Kindly help in resolving the issue with filtering.

Regards, Karthikeyan.SV
I am trying to create a dashboard that contains a textbox. When a ticket reference is given to the textbox and a user clicks submit, a search is run in the background that appends the ticket information to a kvstore. This is my dashboard:

<form script="run_action.js">
  <label>QA Manual Submission</label>
  <description>A dashboard that allows for the manual submission of QA Samples.</description>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="text" token="tokRef" searchWhenChanged="true">
        <label>Ticket Reference</label>
        <default>[Letter][number]_SOC</default>
        <initialValue>[Letter][number]_SOC</initialValue>
      </input>
      <html>
        <p>Click "Add to QA" to manually add the ticket number to the QA App</p>
        <button class="btn btn-primary button1">Add to QA</button>
      </html>
    </panel>
  </row>
</form>

This is the JavaScript I am using:

require([
    "jquery",
    "splunkjs/mvc",
    "splunkjs/mvc/searchmanager",
    "splunkjs/mvc/tableview",
    "splunkjs/mvc/textinputview",
    "splunkjs/mvc/simplexml/ready!"
], function($, mvc, SearchManager, TableView, TextInputView) {
    // The callback parameters must be in the same order as the module list above
    // ("jquery" first, then "splunkjs/mvc"); otherwise $ and mvc are swapped.

    //debug testing
    console.log("I get this far!");

    //Added after some research on Splunk Answers. Since removed.
    //var SearchManager = require("splunkjs/mvc");
    //var SearchManager = require("splunkjs/mvc/searchmanager");
    //var TextInputView = require("splunkjs/mvc/textinputview");
    //var TableView = require("splunkjs/mvc/tableview");
    //var $ = require("jquery");

    var mysearch = new SearchManager({
        id: "mysearch",
        // boolean false, not the string "false" (a non-empty string is truthy)
        autostart: false,
        search: mvc.tokenSafe("| jira jqlsearch \"project IN projectMatch(\\\".+_SOC.+\\\") AND assignee was in(membersOf(\"GG_JIRA_Filter\")) AND status=Closed AND created >= startOfMonth()\" fields \"project,summary,status,resolution,resolutiondate,updated,created,issuetype,assignee\" \r\n| table Summary, Key, \"Issue Type\", Resolution, Assignee, Resolved, Created, \"QA Commentary\", \"QA By\", \"Perceived Ticket Quality\", \"QA Pass\/Fail\"\r\n| rename Key as Ticket_Ref, \"Issue Type\" As Issue_Type\r\n| rex field=Resolved \"(?<date>\\d{4}\\-\\d{2}\\-\\d{2})T(?<time>\\d{2}:\\d{2}:\\d{2})\" \r\n| eval extracted_time=date+\" \"+time \r\n| eval Resolved=strptime(extracted_time,\"%Y-%m-%d %H:%M:%S\") \r\n| eval Resolved=round(Resolved,0) \r\n| rex field=Created \"(?<created_date>\\d{4}\\-\\d{2}\\-\\d{2})T(?<created_time>\\d{2}:\\d{2}:\\d{2})\" \r\n| eval created_extracted_time=created_date+\" \"+created_time \r\n| eval Created=strptime(created_extracted_time,\"%Y-%m-%d %H:%M:%S\") \r\n| eval Created=round(Created,0)\r\n| table Ticket_Ref, Summary, \"Issue_Type\", Resolution, Assignee, Resolved, Created, \"QA Commentary\", \"QA By\", \"Perceived Ticket Quality\", \"QA Pass\/Fail\", \"Manual QA Add\"\r\n| eval \"Manual QA Add\"=\"True\"\r\n| search Ticket_Ref=$tokRef$\r\n| outputlookup qa_lookup append=True")
    });

    $(".button1").on("click", function () {
        var ok = confirm("Are you sure?");
        if (ok) {
            mysearch.startSearch();
            alert('attempted restart!');
        }
        //else {
        //    alert('user did not click ok!');
        //}
    });
});

When I try to run the dashboard I get the following errors on the console. Limited knowledge of JS and I've done my best to follow guidance on Splunk Answers. Would appreciate any insight. Many thanks Christopher
My fields have values like:

UTR998760071.unot.utrl.accorda.net
RANWA80A8881.cnet.utrl.matrixia.net
ANNA00A0071.tron.utrl.zimbaw.net
BP87DF087071.cnet.trzn.netisha.net

I want the first part of the string to be extracted, the part before the first dot. The output should be like:

UTR998760071
RANWA80A8881
ANNA00A0071
BP87DF087071

Not with substr but with a regex preferably. Thank you
I have been trying for almost a week to get in touch with someone regarding my trial license. I am unable to use Splunk without it. I have left numerous voicemails and no one has returned my call. Any assistance would be appreciated. Thank you.