Hi Everyone! Could you please help with how to calculate the UP percentage by app_service? I have the query as:

eval status=if(success="successful .Statuscode:200", "UP", "DOWN") | table app_service status

I get the table I need, but I have difficulty calculating the "UP" percentage and the total percentage per app_service from the above query. Thank you
Hi All, I think the subject of my question says it all... I wanted to add numerical data from 2 multivalue fields and save it to a new field.

Field1 Field2 Field3
4 8 12
8 9 17
3 2 5

I know mvappend is not the one to be used here, but I already tried:

| eval field3=mvappend(field1,field2)

Any ideas are greatly appreciated.
Hi All, I'm not that familiar with DMA as I have not had any real exposure to setting up data models so far, but I am currently having an issue with DMA not staying active. We had to disable DMA on all ES data models where it was enabled due to an incident recently. Now that the issues have been resolved, we need to re-enable DMA. I have attempted to do this by following the steps below:

1. Go to the ES app.
2. Click "Configure" -> "CIM Setup".
3. Check the checkbox next to "Accelerate", then change the Summary Range to 7 days (-7 days), then click Save.
4. To verify, click "Configure" -> "Content" -> "Content Management".
5. Filter the type to "Data Model".
6. Check whether the lightning icon in the row of the data model is coloured yellow.

This looked like it was working for a while, but after checking on it after a few hrs, all DMA had been disabled again. Not sure why DMA will not stay enabled; I have checked settings and there is nothing obvious as to why this would be happening. Has anyone else out there had this issue, or got some idea of something I can check as to why this would be happening?
I need to access these saved searches & change their timing due to them conflicting / running at the same time so many are being skipped. Any helpfu
I have the below query:

| inputlookup test.csv | eval epochtime=strptime(_time, "%a %b %d %H:%M:%S %Y") | eval desired_time=strftime(epochtime, "%d/%m/%Y") | rename desired_time as Date | eval desired_time=strftime(epochtime, "%b%y'") | rename desired_time as Month

I am getting this output in the user field:

user
Abcd101
sv23010
ns03621

Here I want to remove the rows for the users sv48840,ns19075 in this table.
(index=* OR index=_*) (((index=azuread )) NOT (action=success user=*$))
| eval action=if(isnull(action) OR action="","unknown",action), app=if(isnull(app) OR app="",sourcetype,app), src=if(isnull(src) OR src="","unknown",src), src_user=if(isnull(src_user) OR src_user="","unknown",src_user), dest=if(isnull(dest) OR dest="","unknown",dest), user=if(isnull(user) OR user="","unknown",user)
| rename signature AS Authentication.signature signature_id AS Authentication.signature_id action AS Authentication.action app AS Authentication.app src AS Authentication.src src_user AS Authentication.src_user dest AS Authentication.dest user AS Authentication.user
| fields "_time" "host" "source" "sourcetype" "Authentication.signature" "Authentication.signature_id" "Authentication.action" "Authentication.app" "Authentication.src" "Authentication.src_user" "Authentication.dest" "Authentication.user"
| search Authentication.signature=UserLoginFailed
|
I need to change the timing for a few accelerated data model searches (saved searches) for a few apps in Enterprise Security. Thank you in advance.
Hi, in a Splunk Cloud instance I installed Alert Manager with all default settings. The incident setting is all enabled and the user setting is configured to "Both". I am trying to assign an incident to another member, but I cannot make any changes to the incident workflow in the Edit Incident box. What files need to be modified on the Splunk Cloud instance to allow any member to assign incidents to another member as well as leave comments? Not sure if that is related to Notification, because that is not functional as well: I created the member notification schemes but cannot add the email address for each member. It seems some files need to be modified on the Splunk Cloud instance for this app; any help will be much appreciated.
Hi, I have the splunk_TA_NIX app installed on the indexer, heavy forwarder and search heads. When I search index=os sourcetype=cpu on the indexers I can see the fields below. But when I run the same query on the search heads I don't see any of those fields; it is just the fields below. Any solution on how to get all the fields on the search heads?
Hello guys, how do you handle missing forwarders (deleted VMs, for instance)? Do you go to "Forwarder management" and then "Delete record", or do you "rebuild forwarder assets" in the DMC (this last one seems enough)? Thanks.
I am trying to change the color of one row of a panel ONLY if it is found in the lookup table. For example, if I have a lookup table with websites not allowed in the company, and a panel that has all websites accessed, then I would like to see the color red for the rows where the website is part of the lookup table AND on the panel. I would still like to see all the results as well, just the changed color for the ones that are in the lookup table. Is there any way for me to do this?
I need to run a check on my indexes making sure they are healthy. Where and how do I do it? Thank you very much in advance. PS: I do have the Monitoring Console installed.
What health check items would you configure for the Enterprise Security app, for general purposes or for security watch purposes? Thank you for a reply.
Hi, looking for a more efficient way to do this, if anyone has any tips:

index=xyz sourcetype=abc NOT user_email=unauthenticated (user_email=*) | eval day=strftime(_time, "%Y%m%d") | search day=20210723 | ...

Basically, can I filter on _time for a specific day without doing the eval and then the filter? This seems like an inefficient way to query if I could somehow say dayOf(_time)='20201010' or something like that...
Encountering a very odd issue where I have a daily summary index that has pretty simple key=value pairings for fields, but I can no longer search on the fields specifically. For instance, an event might have a field included that reads cluster=cluster1A, and if I search for cluster=cluster1A I get no results, but if I search for just the text cluster1A I get results. What might I be able to look into here?
I need to set the dashboard so that numbers equal to 0 and above are highlighted in green and all others in red. Splunk automatically marks numbers less than and equal to 0 in red. How do I change this to the "other way" round?
Hello all, I am fairly new to using Splunk and would like some help with searching for locked accounts and setting up a search that checks for failed passwords on a daily basis. I want to check for IDs which are constantly appearing on a daily basis x number of times. If the pattern continues then I may know if a hacker is trying to break into a particular ID using a slow password attack. I have been searching on event ID 4740 but it returns no hits even though I have a user that has been locked out; why would this be happening?
Hello guys, do you advise this log format: key=value instead of key="value"? Thanks.
Hi! My task is as follows: I want to compare the increment of a certain type of error: the average value of each type of error for the last 12 hours to the value for the last hour. If the difference exceeds the acceptable threshold, I would like to add the error type to the result. Now, my query finds the difference for the total number of errors in the last half hour to 5 minutes without taking into account their type.

Query:

Query to search errorType + count

Please help.
I have scanned two Splunk packages which are less than 2 MB using the Splunk AppInspect CLI, but when I try to scan another Splunk package that is more than 100 MB in size, it ran for about an hour and then gave me a message like this:

LEVEL="CRITICAL" TIME="**********" NAME="root" FILENAME="main.py" MODULE="main" MESSAGE="An unexpected error occurred during the run-time of Splunk App Inspect".

Is there any size criterion for the Splunk AppInspect CLI that should be followed?