All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi, I'm upgrading my cluster master from version 8.0.3 to 8.2.1. After installing the new version over the old deployment and starting Splunk, I get "ERROR: pid xxx terminated with signal 4 (core dumped)", and the Splunk web server is not available. How can I fix this? My Splunk environment is running on AWS Linux EC2s. This is the information I have about the OS:

NAME="Amazon Linux AMI"
VERSION="2018.03"
ID_LIKE="rhel fedora"
Is it possible to apply a formula in a dashboard? For example, taking a value from panel1 and using that value in panel2?
Hi, I have a signal that I am updating every 5 seconds, but it jumps to 0 every now and again. The issue is that a user can read this and think all the processes are gone off the system.

[Image: what it should look like]

This happens every now and again. So how do I get it to wait for the job to be 100% finished before it updates the answer?

<panel>
  <single>
    <search>
      <query>| mstats max("mx.process.cpu.utilization") as cpuPerc WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=2m BY pid cmd process.name service.type host.name service.name | table _time pid | stats count(pid) as Cnt by _time | table _time Cnt | timechart max(Cnt) span=2m</query>
      <earliest>-1h</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
      <refresh>5s</refresh>
      <refreshType>delay</refreshType>
    </search>
  </single>
</panel>
Need help with a Splunk query to display % failures for each day during the time range selected, for the same index but different search terms.

% failures = A1/A2 * 100
A1 = total number of events returned by: index="abc" "searchTermForA1"
A2 = total number of events returned by: index="abc" "searchTermForA2"

Expected output:
Date | A1 | A2 | % failures
Separate rows in the result set for 1-Jul, 2-Jul, 3-Jul, 4-Jul, 5-Jul, 6-Jul and 7-Jul, for a time range selected as 1-Jul to 7-Jul. Please help with the query. Thanks!
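One way to get a per-day failure ratio from a single pass over the index, as an added example that is not part of the original post: pull both term sets in one search, flag each event with searchmatch(), sum the flags per day with timechart, and divide. The index name and the two search terms are the placeholders from the question; substitute your own.

```spl
index="abc" ("searchTermForA1" OR "searchTermForA2")
| eval is_a1=if(searchmatch("searchTermForA1"), 1, 0)
| eval is_a2=if(searchmatch("searchTermForA2"), 1, 0)
| timechart span=1d sum(is_a1) AS A1 sum(is_a2) AS A2
| eval "% failures"=if(A2 > 0, round(A1 / A2 * 100, 2), null())
| eval Date=strftime(_time, "%d-%b")
| table Date A1 A2 "% failures"
```

The guard on A2 avoids a divide-by-zero on days with no A2 events (the cell is left empty instead of showing an error or infinity). An event that matches both terms is counted in both A1 and A2, which is the same behaviour as running the two original searches separately. If a term is a multi-word phrase, keep it quoted inside searchmatch() by escaping the inner quotes, e.g. searchmatch("\"connection refused\""). Days are bucketed in the search's time zone, so check that it matches the one the report is expected in.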
Hi All, I have created a script for synthetic jobs in EUM with Selenium IDE on Firefox 54.0.1. When I save the test and add it to the script of a synthetic job, it breaks on all browsers except IE 11. Is there anything I am missing here? Please guide. Regards, Tejaswi
Hello, I want to compare one field's values with another. When I tried to compare, the result comes out in the format shown in the picture below. In the picture, Project.static_code metric* are the field names (left-hand side); on the right-hand side are the field values. But I want the format to be in the form shown in the second picture.
Hi, I am kind of new to Splunk and have a problem with my search. I have a dashboard with an input field for an ID. I search two different inputlookups with this ID and my dashboard is based on this. But not every table entry has the field for this ID; sometimes the field does not exist. I tried to fix this by searching id!=*, which works fine when I just enter * in the ID input field, but when I want to put in an actual ID I don't want to search for all entries with id!=* (not existing). Is there a way to change my search based on the token value I enter in the input field? So if I enter * the search looks for id=* & id!=*, but if I enter an actual ID the search only looks for id=$id$? Any help would be highly appreciated! Thanks
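One way to make a single search behave both ways without switching the search string, as an added example that is not part of the original post: decide in a where clause whether the token is the wildcard, and only in that case let rows with no id through. The lookup names asset_lookup_a.csv and asset_lookup_b.csv are assumed stand-ins for the two inputlookups in the question.

```spl
| inputlookup asset_lookup_a.csv
| append [| inputlookup asset_lookup_b.csv]
| where $id|s$ == "*" OR id == $id|s$
```

When the input holds *, the first comparison is true for every row, including rows where id is missing, so nothing is filtered. When it holds a real ID, the first comparison is false and rows with a missing id evaluate id == "..." to null, so they drop out, and only exact matches remain. The |s token filter wraps the value in quotes and escapes any quotes inside it, so a user typing quote characters into the input cannot alter the structure of the search; prefer it over bare $id$ in any search string built from user input. If partial matches are needed for real IDs, replace id == $id|s$ with like(id, $id|s$) and use % as the wildcard in the input.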
I'm trying to delete specific items from our KV store by using a Python custom command. I retrieve the KV store with the following command:

collection = self.service.kvstore[collection_name]

I then retrieve all the entries in the KV store with:

data_list = collection.data.query()

This works correctly, however only 50000 of the entries are returned. Is there a parameter I can pass to query() to remove the limit of 50000? Thanks!
I am trying to set up HEC for my indexer cluster (v8.0.7), with 2 indexers (and 3 search heads) managed by a master node. I read multiple docs and articles already, but I want to make sure I get some basic ideas correct first. In a non-clustered env, it's simple and each HEC client will talk to port 8088 of one indexer.  But in an indexer cluster environment: Which server will an HEC client talk to?  How can "load balancing of indexing" be achieved? Is the master node in any way involved?
Hi, Is there someone who can help me with this one? I had set up TA-Akamai_SIEM on our heavy forwarders. I do not see any data getting pulled after configuring the APIs, but rather messages regarding SSL in _internal. Has anybody had this kind of issue? We are using these Java versions:

java version "1.8.0_291"
Java(TM) SE Runtime Environment (build 1.8.0_291-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.291-b10, mixed mode)

Appreciate the help.

message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" ... 25 more
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at java.net.SocketOutputStream.socketWrite(Unknown Source)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at java.net.SocketOutputStream.socketWrite0(Native Method)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at java.net.SocketOutputStream.write(Unknown Source)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.security.ssl.SSLSocketOutputRecord.encodeAlert(Unknown Source)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" ... 22 more
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Suppressed: java.net.SocketException: Broken pipe (Write failed)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.main(Main.java:116)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.streamEvents(Main.java:474)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:48)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:74)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at java.net.SocketInputStream.read(Unknown Source)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.security.ssl.Alert.createSSLException(Unknown Source)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.security.ssl.SSLSocketInputRecord.decode(Unknown Source)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.security.ssl.SSLSocketInputRecord.read(Unknown Source)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.security.ssl.SSLSocketInputRecord.readHeader(Unknown Source)
message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.security.ssl.SSLTransport.decode(Unknown Source)
Hi Team, I am trying to upgrade Splunk from 7.3.1 to Splunk 8.1, using the following steps:

1. Stopping Splunk on the server
2. tar -xzf ${SPLUNK_HOME}/splunk-8.1.5-9c0c082e4596-Linux-x86_64.tgz -C ${SPLUNK_HOME}/
3. ${SPLUNK_HOME}/bin/splunk start --accept-license --answer-yes

When Splunk starts on this server it still shows version 7.3. The Python version on the Linux machine is 2.7.5; can you please confirm if that is the root cause of this behavior? Thanks in advance!
Hello, The Tenable Add-on for Splunk stores data with the following sources and source types.

Tenable.sc
Source                          Sourcetype          Description
<username>|<address>            tenable:sc:vuln     This collects all vulnerability data.
<username>|<address>            tenable:sc:assets   This collects all asset data.
<username>|<address>            tenable:sc:plugin   This collects all plugin data.

Tenable.io
Source                          Sourcetype          Description
tenable_io://<data input name>  tenable:io:vuln     This collects all vulnerability data.
tenable_io://<data input name>  tenable:io:assets   This collects all asset data.
tenable_io://<data input name>  tenable:io:plugin   This collects all plugin data.

In my production environment I am getting logs from the Tenable.sc sourcetypes (tenable:sc:vuln, tenable:sc:assets, tenable:sc:plugin) and these sourcetypes are visible in my data summary; however the Tenable.io sourcetypes (tenable:io:vuln, tenable:io:assets, tenable:io:plugin) are not visible in the data summary and I am not getting logs from these sourcetypes.

Questions:
1) I need help confirming whether the Tenable.io sourcetypes are configured or not, and if they are configured, why they are not visible in the data summary sourcetype list.
2) How can I identify where my Tenable add-on is installed?
3) The Tenable vulnerability dashboard is not working.

Requesting answers for the questions above. Thanks in advance.
Hi,

LOOKUP-asset_lookup = server_summary host OUTPUTNEW serveros AS asset_os

I have a lookup where serveros is one of the fields; asset_os is one of the enriched fields from serveros. Now I need one more field called os (for data modelling) which is the same as asset_os. I tried the options below but they are not working out (I need both the asset_os and os fields):

1) I tried asset_os as os in a field alias: didn't work.
2) I created a calculated field, case(isnotnull(asset_os),asset_os,1==1,"unknown"): asset_os is not showing in the fields.
3) I added the line below to props.conf; here too asset_os is not showing in the fields:

LOOKUP-asset_lookup1 = server_summary host OUTPUTNEW serveros AS os

Is there any other way I can get both the asset_os and os fields in the fields list? We cannot go for a field extraction, as the required field value is not available in the logs; the value is taken from the lookup table.
How can you delete reports that have been created on the /reports page? I have administrator rights but can't see any option to delete, only create. Thanks
Hi folks, I need to create an alert action in C#. How can I do that? I have an alert_actions.conf that describes a Python alert action; how can I add a new alert action using C#?

[send_mail]
is_custom = 1
python.version = python3
label = Send mail
icon_path = appIcon.png
payload_format = json

Thanks and have a nice day!
I have JSON in a field which I would like to show on the dashboard pretty-formatted rather than as a single-line string. Is there an option in a Splunk dashboard to do this? Currently I have the below:

{"A":"NAME", "B":"AGE"}

In the dashboard one of the column values will be this JSON, which I would like to render as:

{
  "A": "NAME",
  "B": "AGE"
}
Hi everyone! Maybe someone has faced such a problem: I want to build a Layer 2 network topology, and I have enough data for this. I am working with the Network Diagram Viz app. And I have a table of links, something like this:

from                    to                      local_int  remote_int  linkcolor  type               linktext              value
AIC-switch-2960.aic.kz  SW9300test.aic.kz       Gi0/1      Gi1/0/23    green      deployment-server  Gi0/1 to Gi1/0/23     AIC-switch-2960.aic.kz
SW9300test.aic.kz       AIC-switch-2960.aic.kz  Gi1/0/23   Gi0/1       green      deployment-server  Gi1/0/23 to Gi0/1     SW9300test.aic.kz
SW9300test.aic.kz       SW3850test.aic.kz       Gi1/0/9    Gi1/0/9     green      deployment-server  Gi1/0/9 to Gi1/0/9    SW9300test.aic.kz
SW9300test.aic.kz       SW3850test.aic.kz       Gi1/0/10   Gi1/0/10    green      deployment-server  Gi1/0/10 to Gi1/0/10  SW9300test.aic.kz
SW3850test.aic.kz       SW9300test.aic.kz       Gi1/0/9    Gi1/0/9     green      deployment-server  Gi1/0/9 to Gi1/0/9    SW3850test.aic.kz
SW3850test.aic.kz       SW9300test.aic.kz       Gi1/0/10   Gi1/0/10    green      deployment-server  Gi1/0/10 to Gi1/0/10  SW3850test.aic.kz
AIC-switch-2960.aic.kz  SIP-W60B                Gi0/12     WAN PORT    green      phone-square       Gi0/12 to WAN PORT    AIC-switch-2960.aic.kz

And, accordingly, in the topology, this is:

[Image: topology diagram]

I took the information about connected devices from AIC-switch-2960.aic.kz, SW9300test.aic.kz and SW3850test.aic.kz. I just need to remove non-redundant links from the table. What solution can you advise to delete such entries automatically, or some other way? Thanks!
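One way to drop the reversed copies of each link, as an added example that is not part of the original post: build a key that is the same no matter which end reported the link, by sorting the two hostnames and carrying each hostname's interface along with it, then dedup on that key. The table is assumed to come from a lookup named l2_links.csv (an assumed name; put the search that produces the table in its place).

```spl
| inputlookup l2_links.csv
| eval ends=mvsort(mvappend(from, to))
| eval end_a=mvindex(ends, 0), end_b=mvindex(ends, 1)
| eval int_a=if(from == end_a, local_int, remote_int)
| eval int_b=if(from == end_a, remote_int, local_int)
| eval link_key=end_a . "|" . int_a . "|" . end_b . "|" . int_b
| dedup link_key
| fields - ends end_a end_b int_a int_b link_key
```

On the table above this keeps four rows: one AIC-switch-2960 to SW9300test link, the two parallel SW9300test to SW3850test links (Gi1/0/9 and Gi1/0/10 get different keys because the interfaces are part of the key, so real parallel links survive), and the one-sided link to the SIP-W60B phone, which has no reverse entry and so is untouched. dedup keeps the first row it sees for each key, so linktext and value come from whichever side was listed first; sort before the dedup if one side should win consistently. A link where the two switches disagree on the interface names would not collapse, which is usually worth seeing rather than hiding.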
Hi, We are exploring splunkjs for displaying charts and data from Splunk. We use Splunk Enterprise and it was recently changed to SSO login. Can I authenticate splunkjs with SSO or with an authentication bearer token? What other possibilities do we have? Thanks in advance.
Hi all, I need some help with my Splunk query. Basically I need to exclude all jobs from the output with a job name ending in _fw, as shown below:

jobname
Abc_token_fw
def_file_fw