Hi Team, We have one field as Customer=ABC DEF, with one space in between, where if I am searching with Customer = *DEF* then it's not giving any value.
In DB Connect we have situations where we don’t have a rising column. What can we do in such cases?
Hi Team, We have been using the Splunk Add-on for Salesforce to ingest Salesforce logs into Splunk. For 3 months we were able to add inputs and see the logs, but recently, when we try to open the Splunk Add-on for Salesforce, we see the screen in the attached screenshot. If anyone has faced this issue, please let us know the root cause and its solution.
Hi Team, I've a field named uri, which has values like this:

    /dev/{AccountNumber}/accountDetail
    /uat/{ContentID}/content

I want to extract one column, 'uriwithregex', so that I can use it later. The values of uriwithregex will be like:

    /dev/*/accountDetail
    /uat/*/content

So basically I want to replace the string with * (including the curly brackets). Could someone please help?
I have two result sets of server lists, one for the last 30 days and one for the last 12 hours. I want to compare them and find out which servers are not reporting in the 12-hour list. What can be the query for it? I'm a little new to Splunk.
I want to install the Office 365 add-on in a distributed architecture with an index cluster and a single search head. Where should this module be installed (on the cluster master, on the indexers, or on the search head)? Thank you.
I am using syslog-ng. The syslogs are configured to create a new file every minute with the below:

    destination d_1513 { file("/splunksyslog/port1513/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log"); };

It looks like the files created are large. Is there an option to create the files every 30 seconds, for example? I didn't find whether it is possible to set

    destination d_1513 { file("/splunksyslog/port1513/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $SEC 30).log"); };

OR

    destination d_1513 { file("/splunksyslog/port1513/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 0.5).log"); };
Dear community, When using a colorPalette expression on a statistics table the following code works:

    <format type="color" field="myField">
      <colorPalette type="expression">if (value == "DEBUG", "#f54242", "#65A637")</colorPalette>
    </format>

#F54242 = RED, #65A637 = GREEN. Because the data in myField is not exactly "DEBUG", the table columns are all green. So in order to make the columns with "DEBUG" red and the rest green, I tried the following piece of code:

    <format type="color" field="myField">
      <colorPalette type="expression">if (like(value,"%DEBUG%", "#f54242","#65A637")</colorPalette>
    </format>

This piece of code is not working at all. I am trying to use the wildcard to find any occurrence of "DEBUG" inside myField. Not only are the fields not red, they are not even green, making me think my code is incorrect. What am I doing wrong? Thanks.
Hi fellow Splunkers, I have some questions regarding using custom fields in the Splunk Add-on for ServiceNow. When I try to set an alert to resolved (state 6) I seem to be unable to set the resolution information or resolution notes; instead I now place it as a comment. Did someone here manage to arrange this? Upon creating a ticket in SNOW I can set the "short_description" field but I seem to be unable to set the "description" field, as in we can set the description field in Splunk but the content won't be shown in SNOW, also when I set it as a custom field. Perhaps some mapping/configuration on the SNOW side is needed here, but there is no documentation about what needs to be done on the SNOW side. So I guess my questions are related to how to make custom fields work on both the Splunk and SNOW sides, as I'm missing some documentation and need some guidance! Would be much appreciated if someone can help out!
Dear Community, I need help with the creation of a dashboard where:

- I have 1 row
- I have 3 panels
- I want 2 panels stacked on top of each other on the left
- I want 1 panel in full height on the right

I have searched different topics on the community but most of those only provide results without context, and when I don't get them to work, I don't know what to do. This is what I managed to create so far, using the following source code:

    <dashboard>
      <label>Stack 2 left, 1 right</label>
      <row>
        <panel id="topleft">
          <title></title>
          <html>
            <style>
              #topleft{ width:15% !important; float: left; }
              #bottomleft{ width:15% !important; clear: left; float: left; }
              #right{ width:85% !important; overflow: hidden; }
            </style>
          </html>
          <table>
            <search>
              <query>SomeQueryThatReturnsNothing</query>
              <earliest>-15m</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">cell</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
        <panel id="bottomleft">
          <title></title>
          <chart>
            <search>
              <query>SomeQueryThatReturnsNothing</query>
              <earliest>-15m</earliest>
              <latest>now</latest>
            </search>
            <option name="refresh.display">progressbar</option>
          </chart>
        </panel>
        <panel id="right">
          <title></title>
          <table>
            <search>
              <query>SomeQueryThatReturnsNothing</query>
              <earliest>-15m</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">cell</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
    </dashboard>

What I would like to achieve is: the panel with id="right" to be full height, so that I have 2 small panels stacked on each other on the left and one big panel on the right that fully populates the screen. I have tried playing with height but it doesn't seem to affect the panel in any way. Could anyone help me out with this issue? Thanks in advance.
We recently had an issue with the Splunk scheduler wherein correlation searches weren't running (fixed by simply restarting the SHC members). Due to this, we've lost notable events. I thought I could backfill these using the fill_summary_index.py script; however, it seems this may not be correct? I'm able to successfully kick off "backfilling" correlation searches, but I'm not seeing any notable events added to the notable index. For example:

    splunk cmd fill_summary_index.py -app <app> -name <search> -et <start epoch> -lt <end epoch> -dedup true -nolocal true -j 4

Can someone please confirm or deny this?
Hi, We use Splunk Cloud, which gets logs from two HFs, which get logs from many UFs. A few of those UFs live on our Domain Controllers, which interact to some extent with the LDAP API and get notifications every time an AD object changes (https://www.splunk.com/en_us/blog/tips-and-tricks/working-with-active-directory-on-splunk-universal-forwarders.html). What now happens is, every time LAPS changes the passwords, the computer object gets updated, the UF gets hold of those passwords, and we can see them in plaintext in Splunk Cloud. After discovering this, I added this to props.conf (Splunk\etc\system\local) on the HF and restarted the HF:

    [ActiveDirectory]
    SEDCMD-pwdmask = s/(ms\-Mcs\-AdmPwd\=).+/########/g

And since this hasn't worked, I tried this:

    [ActiveDirectory]
    SEDCMD-anonymiseLaps = 's/ms-Mcs-AdmPwd\=.*/ms-Mcs-AdmPwd=####!!!!!#####/g'

(Source: https://www.databl.io/anonymise-your-clear-text-laps-passwords-in-splunk/ - this describes the problem pretty well.) ...which hasn't worked either. We still see those passwords. Has anybody encountered similar problems and/or has hints or possible solutions? Thanks in advance.
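An added check, not part of the post above and not Splunk's own code: a small Python harness that applies the two SEDCMD expressions from the post, plus a third variant that references the capture group in the replacement, to a constructed sample ActiveDirectory event containing a made-up password. It lets the substitution logic be verified before it is deployed. It tests only the sed-style substitution itself, under Python's `re` semantics (close to, but not identical with, the PCRE used by Splunk); it says nothing about whether the stanza is reached in the Splunk pipeline, which is the open question in the post.

```python
import re

# Constructed sample event in the key=value-per-line shape of the Windows AD
# monitoring input. The password value is made up for this demonstration.
SAMPLE_EVENT = "\n".join([
    "dcName=DC01.example.local",
    "objectClass=computer",
    "sAMAccountName=WS01$",
    "ms-Mcs-AdmPwd=Q7#pLm2!zX",
    "ms-Mcs-AdmPwdExpirationTime=132730000000000000",
    "whenChanged=2021-08-09T10:11:12",
])
SECRET = "Q7#pLm2!zX"

# The two expressions from the post, and a variant that keeps the attribute
# name by referencing the capture group (\1) in the replacement.
ATTEMPT_1 = r"s/(ms\-Mcs\-AdmPwd\=).+/########/g"
ATTEMPT_2 = r"'s/ms-Mcs-AdmPwd\=.*/ms-Mcs-AdmPwd=####!!!!!#####/g'"
WITH_GROUP = r"s/(ms-Mcs-AdmPwd=).*/\1########/g"


def parse_sed(expr):
    """Split a sed-style s<delim>pattern<delim>replacement<delim>flags string.
    Surrounding quotes are tolerated; an escaped delimiter stays in its part."""
    expr = expr.strip()
    if len(expr) >= 2 and expr[0] in "'\"" and expr[-1] == expr[0]:
        expr = expr[1:-1]
    if not expr.startswith("s") or len(expr) < 4:
        raise ValueError("only s/// substitutions are supported")
    delim = expr[1]
    parts, cur, i = [], [], 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            cur.append(ch + expr[i + 1])   # keep escapes intact for re
            i += 2
            continue
        if ch == delim:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    if len(parts) != 3:
        raise ValueError(f"malformed substitution: {expr!r}")
    return tuple(parts)


def apply_sedcmd(expr, event):
    """Apply one SEDCMD-style substitution to an event string with Python's re.
    Only the 'g' (global) and 'i' (case-insensitive) flags are interpreted.
    '.' does not cross a newline, so only the matching line is rewritten."""
    pattern, repl, flags = parse_sed(expr)
    count = 0 if "g" in flags else 1
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.sub(pattern, repl, event, count=count, flags=re_flags)


def leaks_secret(event, secret=SECRET):
    """True if the plaintext password is still present after masking."""
    return secret in event


if __name__ == "__main__":
    for name, expr in [("attempt 1", ATTEMPT_1), ("attempt 2", ATTEMPT_2),
                       ("with group", WITH_GROUP)]:
        masked = apply_sedcmd(expr, SAMPLE_EVENT)
        print(f"--- {name}: leaks={leaks_secret(masked)}")
        print(masked)
```

Run against the sample, all three expressions remove the password and leave the ms-Mcs-AdmPwdExpirationTime line alone. The first one also drops the attribute name, because its replacement never references the group it captured; the third keeps the name with `\1`. A harness like this is worth keeping next to any masking rule so a later change to the event format is caught by a failing check rather than by a password turning up in search results.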
Hi All, Good day! I have a question about the Windows Event Log monitor. I have configured it and got the custom event in the application dashboard. Now I have to configure an alert for a particular custom event, so can you share a step-by-step configuration for alerting on a custom event: what needs to be chosen for the alert, such as creating an HTTP request template, an email template, or an email digest? I have tried the HTTP template and the email digest. The HTTP template creates a separate event, but no mails are sent when the custom event has data. Kindly help me with this. Thanks.
I need help with adding an asset input stanza for the lookup source. I created a sample lookup that has the proper headers and set it up to share with the app; however, I can't seem to get my lookup to show up within the source dropdown on the asset lookup configuration page. Is there a certain way to get the lookup to show up under that dropdown? I am able to see the demo_assets.csv lookup but not the one I configured. I will upload a picture of the steps in the Splunk doc where I am stuck.
Hi experts, I am new to Splunk and came across this requirement at work. Requirement: I want to create a table showing the numbers of 2 different versions of recaptcha being successfully and unsuccessfully processed. Current log info: Each event has a field named "msg" which contains a lot of information, including wording like "Exception: recaptcha v 2 validation failure", "Exception: recaptcha v 3 validation failure", "Recaptcha v2 verification: successful", "Recaptcha v3 verification: successful", depending on the event. Tasks: How can I create a regex expression to count the number of all exceptions and the number of each different type of exception? Same task for the successful messages, but I can figure that out if someone can help with the previous question. Thank you.
Hi, Has anyone run into this? I am still on DB Connect 3.2 and have used dbxquery successfully for years. I am just trying to use dbxlookup but cannot get even a simple example to work:

    | makeresults count=3
    | streamstats count as id
    | dbxlookup connection="agena_ro" query="SELECT * FROM `agena_production`.`plans`" "id" AS "id" OUTPUT "description" AS "description"

I see this in the logs, which looks suspicious:

    2021-08-09 15:19:37.141 11088@prod3splunksearchl [main] INFO com.splunk.dbx.connector.logger.AuditLogger - operation= connection_name= stanza_name= state=success sql='SELECT "id", "description" FROM (SELECT * FROM `agena_production`.`plans`) dbxlookup WHERE "id" IN (?,?,?)'

Thanks. phunte
I am using the following query to retrieve events that I then display. I would like to add another column that is the difference between the two columns. Each log event has a field called app_elements, for example app_elements={eventtype='event1','widget'='apple'}. The query:

    index="aws" level="info" env="dev" earliest=-72h latest=-48h
    | spath input=app_elements
    | stats count by eventtype
    | eval Period="Before"
    | append [search index="aws" level="info" env="dev" earliest=-24h latest=now
        | spath input=app_elements
        | stats count by eventtype
        | eval Period="Now" ]
    | chart sum(count) over eventtype by Period

The current result:

    eventtype   Before   Now
    event1          10    20
    event2          15    12
    event3          22    20
    event4           5     8

The desired result:

    eventtype   Before   Now   Difference
    event1          10    20           10
    event2          15    12           -3
    event3          22    20           -2
    event4           5     8            3
This seems to be an odd issue, or at least I've been searching for the wrong thing. My event sourcetype is JSON and the events log and display just fine. However, one of the fields of the event contains more JSON that is just being displayed as if it were a string. How can I extract the fields from this string of JSON? Raw event:

    {"Level":"Trace","MessageTemplate":"{\"Id\":\"000000000000000000000000\",\"HttpTracker\":{\"Method\":\"GET\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0\",\"TimeOfCall\":\"2021-08-09T20:08:29.6311024Z\",\"StatusCode\":200,\"Url\":\"http://localhost:45705/Job/JobSelectionTableData?page=0&size=25&sort=col[4]=1&filter=filter&jobType=0\",\"Action\":\"JobSelectionTableData\",\"Controller\":\"Job\",\"Parameters\":{\"page\":\"0\",\"size\":\"25\",\"sort\":\"col[4]=1\",\"filter\":\"filter\",\"jobType\":\"UserCreated\"}},\"Notes\":\"\",\"UserId\":\"5b759c5cbb67fd479489f1ab\",\"Properties\":{\"ServerName\":\"LCS-AL-HNXX8Y2\",\"JobId\":\"000000000000000000000000\",\"TimeTaken\":\"1.998\"},\"HasBeenRead\":false,\"CallType\":1}","RenderedMessage":"{\"Id\":\"000000000000000000000000\",\"HttpTracker\":{\"Method\":\"GET\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0\",\"TimeOfCall\":\"2021-08-09T20:08:29.6311024Z\",\"StatusCode\":200,\"Url\":\"http://localhost:45705/Job/JobSelectionTableData?page=0&size=25&sort=col[4]=1&filter=filter&jobType=0\",\"Action\":\"JobSelectionTableData\",\"Controller\":\"Job\",\"Parameters\":{\"page\":\"0\",\"size\":\"25\",\"sort\":\"col[4]=1\",\"filter\":\"filter\",\"jobType\":\"UserCreated\"}},\"Notes\":\"\",\"UserId\":\"5b759c5cbb67fd479489f1ab\",\"Properties\":{\"ServerName\":\"LCS-AL-HNXX8Y2\",\"JobId\":\"000000000000000000000000\",\"TimeTaken\":\"1.998\"},\"HasBeenRead\":false,\"CallType\":1}","Properties":{"host":"LCS-AL-HNXX8Y2","threadid":"6","logger":"TOPSS.UserLogger.ActionTrackerContext"}}

Splunk recognizes this as JSON and displays it as such. Notice the MessageTemplate field contains more JSON. That is what I'm trying to extract fields from, and I'm coming up empty thus far. A few things I've tried that don't work:

    MYSEARCH | spath output=Id path=MessageTemplate.Id

    MYSEARCH | spath MessageTemplate

Any help would be much appreciated. This type of extraction is very new to me!
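An added example, not code from the post above and not Splunk's own: a Python routine that does for this kind of event what the poster is trying to do in SPL. It parses the outer JSON, detects string-valued fields that are themselves serialized JSON (MessageTemplate here), parses those as well, and flattens the result into dotted field names. The sample event is a shortened, constructed copy of the post's event that keeps the same double-encoded nesting; it is not the original event.

```python
import json

# Constructed sample: a trimmed copy of the post's event. The value of
# "MessageTemplate" is a JSON document that was serialized into a string, so
# a single json.loads() leaves it as a str rather than an object.
RAW_EVENT = (
    r'{"Level":"Trace",'
    r'"MessageTemplate":"{\"Id\":\"000000000000000000000000\",'
    r'\"HttpTracker\":{\"Method\":\"GET\",\"StatusCode\":200,'
    r'\"Url\":\"http://localhost:45705/Job/JobSelectionTableData?page=0\",'
    r'\"Parameters\":{\"page\":\"0\",\"jobType\":\"UserCreated\"}},'
    r'\"UserId\":\"5b759c5cbb67fd479489f1ab\",\"HasBeenRead\":false,\"CallType\":1}",'
    r'"Properties":{"host":"LCS-AL-HNXX8Y2","threadid":"6"}}'
)


def expand_embedded_json(value):
    """Walk a parsed JSON value; any string that itself parses as a JSON object
    or array is replaced by its parsed form, recursively, so several levels of
    string-encoding are unwrapped. Strings that are not JSON are left alone."""
    if isinstance(value, dict):
        return {k: expand_embedded_json(v) for k, v in value.items()}
    if isinstance(value, list):
        return [expand_embedded_json(v) for v in value]
    if isinstance(value, str):
        stripped = value.strip()
        if stripped[:1] in ("{", "["):
            try:
                return expand_embedded_json(json.loads(stripped))
            except json.JSONDecodeError:
                return value
    return value


def flatten(value, prefix=""):
    """Turn nested dicts/lists into a flat {"a.b.0.c": scalar} mapping, using
    dotted paths in the style of spath field names (list items by index)."""
    out = {}
    if isinstance(value, dict):
        for k, v in value.items():
            out.update(flatten(v, f"{prefix}{k}."))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            out.update(flatten(v, f"{prefix}{i}."))
    else:
        out[prefix[:-1]] = value
    return out


def naive_fields(raw_event):
    """What a single parse gives: MessageTemplate stays one opaque string."""
    return flatten(json.loads(raw_event))


def extract_fields(raw_event):
    """Parse, unwrap embedded JSON strings, and flatten to dotted field names."""
    return flatten(expand_embedded_json(json.loads(raw_event)))


if __name__ == "__main__":
    for name, val in sorted(extract_fields(RAW_EVENT).items()):
        print(f"{name} = {val!r}")
```

With only one parse, `naive_fields` returns MessageTemplate as a single string, which is the behaviour seen in the post; after the second parse, fields such as `MessageTemplate.HttpTracker.StatusCode` and `MessageTemplate.HttpTracker.Parameters.jobType` are available individually. In SPL the same second pass is `| spath input=MessageTemplate`, which runs spath over that field's string value instead of over `_raw`; a path like `MessageTemplate.Id` against `_raw` finds nothing because, in `_raw`, MessageTemplate is a string and not an object.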
I'm seeking to make a Splunk timechart of values that match a certain filter:

    source="/var/log/bcore/ws_metric*" event="WsMetricConnectEventType.connect_end" duration_seconds < 60*60 | timechart p95(duration_seconds) span=5m

Unfortunately, I'm clearly getting values that are longer than 60*60=3600 seconds. Many of the values for p95(duration_seconds) are actually somewhere in the range of 397k seconds. How can I actually filter the data going into timechart?
If a saved search is in an ES data model, should I be giving the user permission to edit the search and permission to edit the data models?