Hi Team, I am very new in Splunk and I need your help to change my query as per requirement. Please validate my syntax as per requirement. How do we get the list of server names with count (which changes color, like Grey or Uninitialized) instead of the count of servers (server name comes under ServerName)?

Please find my syntax and result:

sourcetype=ABC Category IN ("Support","Patch") HealthValue IN (Grey, Uninitialized)
| bin _time span=1d
| dedup ServerName HealthValue _time
| timechart count(ServerName) as "QTY Servers" by HealthValue

I am waiting for a quick response.
Hi All, In Splunk is it possible to join two joint queries? I have queries like:

1) index=_inter sourcetype=project
| dedup project server
| eval Pro=project
| eval source1="Y"
| table source1 Pro
| join Pro type=outer [search sourcetype=SA pronames=* | dedup pronames | eval Pro=pronames]
| table Pro

which will generate output:

pro
pro1
pro2
pro3

2) and I have one similar query, but changing the sourcetype in the join:

index=_inter sourcetype=project
| dedup project server
| eval Pro=project
| eval source1="Y"
| table source1 Pro
| join Pro type=outer [search sourcetype=SC pronames=* | dedup pronames | eval Pro=pronames]
| table Pro

pro
pro1
pro2
pro3

Both I'm using for generating alerts, two alerts. Now I want to send only one alert by merging both queries; is it possible, so I can send alerts in a single mail, like below?

pro    pros
pro1   pro1
pro2   pro2
pro3   pro3
Hi, I'm currently trying to get the auth token that can be used for rest apis without exposing my password. Since it is a mod input script, I am using passAuth = <user> in inputs.conf. This provides me the auth token via stdin, but it is exposing some information that I would not like exposed. The stdin that I get is "sessionKey=abcd1234" for example. Is there a way to omit the "sessionKey=" part and only return the session key? https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/Inputsconf https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/AdvancedDev/ModInputsIntro Alternatively, is there another way to retrieve the session key / auth token without including the password in my script? Thanks!  
Below are the events:

{ "kubernetes" : { "pod_name" : "p1" }, traceId: "t-1" }
{ "kubernetes" : { "pod_name" : "p1" }, traceId: "t-2" }
{ "kubernetes" : { "pod_name" : "p2" }, traceId: "t-4" }
{ "kubernetes" : { "pod_name" : "p3" }, traceId: "t-5" }

I am looking for a dashboard with 2 panels:
1. Showing the unique # of pods
2. Table with Pod Name, # of unique traces

For the above events, the panels will be:
1. Showing the unique # of pods = 3
2. Table with Pod Name, # of unique traces:

----------------------------
| POD NAME | # of Traces |
----------------------------
| p1       | 2           |
| p2       | 1           |
| p3       | 1           |
----------------------------
All, Just upgraded to 8.2.1 last night and noticed something today with stats.

# This search returns 160k+ events
index=netfw
162276

# This returns a 0 in Smart mode; this search returned data in 8.1.x, however no data in 8.2.1
index=netfw | stats count
0

# Same search in Verbose mode however returns the count
index=netfw | stats count
162276

Shouldn't Smart mode have returned the count correctly also? It did work that way in 8.1.
I need a few useful correlation searches (SPLs) to keep a close eye on user (internal or malicious) behavior in ES, please. Thank you in advance.
Hello- When I run "splunk cmd python scripts\test.py" it outputs data nicely. When I set this up through Splunk Enterprise Web, it errors out with:

File "C:\Program Files\Splunk\bin\scripts\TEST.py", line 58
    except HTTPError, e:
                    ^
SyntaxError: invalid syntax

I tried this from a different machine that had Python installed, and from the Windows command prompt it outputs the data fine. Why doesn't this work in Splunk Enterprise?
I need to be able to display the Authentication.reason field in a | tstats report, but for some reason, when I add the field to the by clause, my search returns no results (as though the field was not present in the data). Except when I query the data directly, the field IS there. I have tried this with and without data model acceleration to no avail.

This search returns zero results:

| tstats count from datamodel=Authentication by Authentication.user, Authentication.app, Authentication.reason

This search returns results in the format I need, except I need to query multiple indexes via the data model:

index=<indexname> tag=authentication | stats count by user, app, reason
It works on RHEL7 and RHEL8. Trying to install the 8.0.2.1 version of Splunk UF on "Red Hat Enterprise Linux Server release 6.10 (Santiago)", 2.6.32-754.35.1.el6.x86_64.

command: "{{ splunk_home }}/bin/splunk enable boot-start-user {{ splunk_user }} -systemd-managed 0 --answer-yes --auto-ports --no-prompt --accept-license"

"stderr": "execve: No such file or directory\n while running command /sbin/chkconfig",
"stderr_lines": ["execve: No such file or directory", " while running command /sbin/chkconfig"],
Hi All, We are looking to automate the config file update for the servers. Is there any available script we can use? We are looking to automate using Azure pipelines so we can provide inputs like application name, tier name, node name etc. as variables.
We are planning to upgrade our clustered deployment (SH-C + IDX-C) from 8.0.5 to 8.2.1. In case we plan to migrate the KVStore engine to WiredTiger, do we have to mandatorily go through the v8.1 step as mentioned in https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/MigrateKVstore ?

Per my understanding, the steps for this method stand like this:
1. Upgrade cluster from 8.0.5 to 8.1.5
2. Migrate the KV store after an upgrade to Splunk Enterprise 8.1 in a clustered deployment
3. Upgrade cluster from 8.1.5 to 8.2.1

In case we decide not to use WiredTiger for now and complete the upgrade to 8.2.1, can we migrate the KV Store to WiredTiger at a later point of time? To elaborate, will the following work:
1. Upgrade cluster from 8.0.5 to 8.2.1
2. At a later time, migrate the KV Store as instructed in "Migrate the KV store after an upgrade to Splunk Enterprise 8.1 in a clustered deployment"

We do not use KV Store at all now, apart from whatever internal functions Splunk Enterprise uses it for (no ITSI or ES as well), but want to plan ahead in case we use it in the future. Thanks in advance!
Hi, I am trying to upload a custom CSV for Threat Intel within ES. It's a collection of multiple types of IOCs (domain, url, hash etc.) and is in the following column format. There are 343 hash values, 20 domains and 8 URLs. Upload goes without any issues and ES collects domains and URLs right away, but hash values seem to be ignored. Here are the file details under Threat Artifacts. When I check Threat Intel Audit, it seems to be writing to File Intel as well, but the hash count never gets populated in ES. What could be going wrong here? Splunk version: 8.1.1, ES version: 6.4.0. Thanks, ~ Abhi
Hi, I need to track the number of times and duration where the CPU used percent is above a threshold number. The search below shows a server that exceeds the threshold for 3 periods over the last 3 days.  What I want to get is a result that shows me the number of times the threshold has been exceeded and for how long. I have tried using 'streamstats' and 'bin' but am not entirely sure how to achieve my goal. Thanks
Hello there, I'm trying to work with the job.resultCount token, but I can't really figure it out. I have this pretty basic search: It's supposed to return the number of login attempts, grouped by user and with more than 1 attempt per day. I display the result ( 0 ) as a SingleValue panel in my dashboard. Now I want to sum up this result and results from other SingleValue panels into a new panel, to see how many patterns returned at least one result. To get that information, I use the below code to set a token for each panel, which will be added up later.

<done>
  <condition match="'job.resultCount' = 0">
    <set token="panel_failedLogons">0</set>
  </condition>
  <condition>
    <set token="panel_failedLogons">1</set>
  </condition>
</done>

Problem is, as the | stats count command creates a row displaying 0 results, it counts as a result and therefore the token is set to 1. I also cannot use job.eventCount as there may be single failed login attempts for a user. Any ideas how I can bypass/solve this particular problem?
I am trying to set up inputs on the TA-Tenable add-on and it fails with the error "Argument validation for scheme=tenable_securitycenter: script running failed (killed by signal 9: Killed).". I installed "Tenable add-on for Splunk" version 3.1.0 on one of our heavy forwarders. Any suggestions what could be wrong here?
Hello everyone! I receive a "Page not found" message when I try to search using the REST API. My URL: [splunkhost]/en-US/services/search/jobs%20-d%20search="search%20index=enwiki"" Even such a very common search gives nothing, although there is index=enwiki in the system and I'm able to search in it through the web UI. I was using https://docs.splunk.com/Documentation/Splunk/8.2.1/RESTTUT/RESTsearches as a reference. What should I check?
I want to use the local images on my server in the Developing Views and Apps for Splunk Web, but in reality they cannot be found. I put the picture in radial_meter/appserver/static/visualizations/radial_Meter/icons, but the picture cannot be read.
Hello, The Infrastructure overview in Splunk ITSI shows an entities list like active, unstable, inactive and N/A. Can you help me understand what the reference point is for all these statuses? In our environment it is showing many as N/A and unstable, but we are still receiving data for whichever are showing N/A and unstable, and I also added a recurring import using the available modules. But still that is not reflecting as active. Please advise. Regards, Vj
Hello Experts, We need to have capacity planning and availability reports; already the Windows TA, Nix TA and VMware add-on are forwarding the data to our Splunk instance. Are there any default reports available for capacity planning? How to achieve it? Regards, Vj
Hi All, Is there a way to keep the in-chart zoom & pan option button visible even on zero zoom selection?