All Topics

Hi, I am using the Python SDK to search with this configuration:

    import sys
    import time
    from splunklib import results  # needed for results.ResultsReader below

    query_kwargs = {
        'earliest_time': earliest,
        'latest_time': latest,
        'results_preview': False,
        'search_mode': 'normal',
        'status_buckets': 2
    }
    job = splunk_client.jobs.create(query, **query_kwargs)

Following the Splunk documentation (https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtorunsearchespython/), I do the following:

    while True:
        # wait until the job has been accepted by the server
        while not job.is_ready():
            pass
        stats = {
            'isDone': job['isDone'],
            'doneProgress': job['doneProgress'],
            'scanCount': job['scanCount'],
            'eventCount': job['eventCount'],
            'resultCount': job['resultCount']
        }
        progress = float(stats['doneProgress']) * 100
        scanned = int(stats['scanCount'])
        matched = int(stats['eventCount'])
        result_count = int(stats['resultCount'])
        if verbose:
            status = ("\r%03.1f%% | %d scanned | %d matched | %d results"
                      % (progress, scanned, matched, result_count))
            sys.stdout.write(status)
            sys.stdout.flush()
        if job["isDone"] == "1":
            if verbose:
                sys.stdout.write("\n")
            break
        time.sleep(2)

Then once the job is finished I do this:

    offset = 0
    max_event_count = 50000
    total_results = []
    first_50k_results = self.get_results(job, offset, max_event_count)
    total_results.extend(first_50k_results)
    # page through the remaining results, 50000 at a time
    while offset <= number_of_results:
        offset += max_event_count
        intermediate_result = self.get_results(job, offset, max_event_count)
        total_results.extend(intermediate_result)

    def get_results(self, job, offset, max_event_count):
        logger.info("collecting results, please wait . . ")
        results_list = []
        kwargs_paginate = {"count": max_event_count, "offset": offset}
        for result in results.ResultsReader(job.results(**kwargs_paginate)):
            results_list.append(result)
        return results_list

The issue is that the number of events that the Python search returns is different from the number of events that the search in the Splunk console returns. Can you please advise what I am doing wrong? Please note that I am using an explicit index= in my search.
Hi guys, I have a situation where I'm not getting any audit events: if I type index=_audit the result shows 0 events. Any solutions?
I have created a remediation action to run a Unix script when a health rule violation occurs, as per the document, but it is not working. I have given the path of the script and the required permissions and restarted the machine agent, but it is still not working. Can someone guide me on how I achieve this?
Hey everyone, I am new to Splunk and am struggling to create a simple time chart for a query I have made. I want to create a time chart over the last 3 months of the frequency of a specific search I have made, to visualise how frequently the results are created.

My query:

    index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup*

Some help would be greatly appreciated.
I need to change my email address. Does someone know where the support email link for normal splunk.com users is?
Please advise on how to secure Splunk Enterprise and Splunk Enterprise Security (ES) individually. I have already prepared BU / DR documents for both. Thank you in advance.
I am running into some issues with the ServiceNow app in Phantom. When I run my playbook in our production environment, I continue to get an error stating that my parameters are blank. If I run the same playbook in our development environment and on the same event, it runs without issue. Could this be an issue with the ServiceNow app? The playbook is exactly the same as we are using a GitHub repository to commit all changes. I have tried deleting the assets, uninstalling then reinstalling the app and still have the same issue. I am attaching a screenshot of the error message presented in the debug log.
Hi, my Jenkins sends my test results data for the same job (automation regression tests job) to Splunk in multiple events. For example, in the results of a single search query, one event has my job details like job duration, job_start_date etc., and another event has my test result details like testcasename, test status etc. Now I would like to fetch job_start_date and job_duration from the first event and introduce them as new fields alongside my second events, so that I can have one table with all details. These are the data I have; both these results are linked to each other through job_name. Now I would like to have job_Start_Date and job_duration for each of my test cases. I tried to use joins (this would not give me job_duration, job_Start_Date for every record in my table); eval also did not work. Is there any other command that would help in this case? Can someone guide me please? Thanks.
I am reading the following section: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart

limit
Syntax: limit=(top | bottom) <int>
Description: Specifies a limit for the number of distinct values of the split-by field to return. If set to limit=0, all distinct values are used. Setting limit=N or limit=top N keeps the N highest scoring distinct values of the split-by field. Setting limit=bottom N keeps the lowest scoring distinct values of the split-by field. All other values are grouped into 'OTHER', as long as useother is not set to false. The scoring is determined as follows: If a single aggregation is specified, the score is based on the sum of the values in the aggregation for that split-by value. For example, for timechart avg(foo) BY <field>, the avg(foo) values are added up for each value of <field> to determine the scores. If multiple aggregations are specified, the score is based on the frequency of each value of <field>. For example, for timechart avg(foo) max(bar) BY <field>, the top scoring values for <field> are the most common values of <field>. Ties in scoring are broken lexicographically, based on the value of the split-by field. For example, 'BAR' takes precedence over 'bar', which takes precedence over 'foo'. See Usage.
Default: top 10

When I try to create a timechart using limit=top 25, the "top" is red and I receive the following error in Splunk:

Error in 'SearchProcessor': Invalid option value. Expecting a 'non-negative integer' for option 'limit'. Instead got 'top'.

Am I misusing or misinterpreting the documentation?
I have a dbxquery which pulls some application data which includes the server name. I also have an inputlookup which fetches the server details from my server inventory. My goal is to match the dbxquery server name data with the inputlookup servername data to show server status, using join type=left. I can see a few are matching and returning the server status, but others are not. I tried to search for a non-matching servername in the inputlookup and can see the data there. I checked whether there is any whitespace issue, but there is not. Kindly help on this.
Here is my search:

    index=abc Status=FAILED | eval exception =if(bucket_name=s3-abc, "yes","no") | stats count by bucket_name exception

Now, if my bucket name is s3-abc, it would print bucket_name=s3-abc and exception=yes; all other buckets will fall under exception=no. Now I need to do this task through a lookup. I have a lookup, buckets.csv, and the field there is bucket_name, so I need to check that lookup: if the bucket is there then it should print exception=yes, otherwise it should print exception=no. I am doing it like this but not getting anything:

    index=abc Status=FAILED | eval exception =if(|search [|inputlookup bucket.csv |fields bucket_name], "yes","no") | stats count by bucket_name exception
Hi there, how can I modify the CSS file to make the table automatically resize? Now I use width:100% for each table, but it turns out that it can't adapt to different screen sizes. Table table-assets is defined in JS.

    #table-assets {
        width: 100% !important;
    }

Thank you!
How do I document if Splunk Core / ES cover NIST controls in my DR document?
Hi, I have a table like the one below and I am looking to have a tooltip for several of its columns. I have looked at some solutions in other questions, but nothing seems to answer this one correctly. Any ideas? Regards, Robert Lynch
Hello together, I am a Telefonica Global Solution employee, and we have a company account for Splunk. I requested a personalized Dev/Test license for Splunk Enterprise and didn't get it, probably because of the wrong company name in my profile (instead of Telefonica Global Solution I have Telefinica Global Solution). Could you please help to solve this problem? I got the following answer from you (see below):

Hello Oljeg, Thank you for your interest in a personalized Dev/Test license for Splunk Enterprise. These licenses are available to any paying Splunk Enterprise or Splunk Cloud customer; however, we were unable to verify your eligibility. If you feel that there has been an error in the verification process, please check the information on your splunk.com profile and try registering again. One common cause is that you provided a personal email address (e.g., Gmail, Yahoo, Hotmail). Another could be that the email domain on your account does not match that on the corporate account (e.g., xyz.com vs. xyzcorp.com). Please contact your Splunk admin, account executive or Splunk authorized partner if you have any other questions.
Simplest things down: downloaded the MSI and installed it on Windows (Enterprise/free version), and then the Splunk universal forwarder as well. Restarted the local host and attempted to get to 127.0.0.1; cannot connect. Opened up the directory in the C:... /splunk path and selected splunk.exe. Will this fix the issue?
Hello, I was reading this: https://docs.splunk.com/Documentation/SCS/current/Search/Timemodifiers But it is not very clear to me how to use the time modifiers properly.

    index=blah sourcetype=blah | fields _time index sourcetype GB | timechart span=1d sum(GB) as Gigabytes

How would I draw my time chart to the end of the previous day over a 7-day period using a time modifier? Would it be:

    index=blah sourcetype=blah _index_earliest=-7d@d index_latest=-1d@d

Please advise, thank you.
Hi, I'm trying to exclude events that have an old timestamp in a URL, which look like this:

    {"timestamp": 1626739199.964, "c-ip": "178.245.92.14", "time-to-first-byte": 0.002, "sc-status": 404, "sc-bytes": 467, "cs-method": "GET", "cs-protocol": "https", "cs-host": "xxxxxxx", "cs-uri-stem": "/out/v1/bac5ea7d5e06476598d34ba48b3f1bd1/index_8_0.m3u8?start=2021-07-16T16:40:07+00:00",

Here the timestamp and the start date are different. So is there any way to index only the events that have a start date of the current day? Thanks in advance.
Hi all, at Monitoring Console (MC) --> Search Activity: Instance, there is "top 20 Memory-consuming searches", which searches index=_introspection. When I run the search, it does not recognize saved searches (scheduled searches). Why doesn't the search starting with index=_introspection recognize saved searches (scheduled searches)? It seems it does not return results from all searches. How do I get to know the memory consumption of all searches, including saved searches (scheduled searches)? Do I have to join index=_introspection and index=_audit?
Hi, I have some application logs in the following format:

    ERROR | 2021-07-20 06:55:54 EDT | Field1 = Value1 | Field2 = Value2 | Long Error String - Another long error string | Field3 = Value3 | ... | ...

Most of the tokens are in Field=Value format and Splunk is able to extract them just fine, except the portion where there is no field listed: just two different error strings separated by a " - ". (These strings may contain other special characters as part of the error.) Is there a way I can extract both of them separately, e.g. signature_1, signature_2, without disturbing the rest of the extractions? I would prefer doing this with props/transforms. I was thinking of using the "DELIMS" option but am not sure how to target just that particular part of the log.