Hi, how much does Splunk cost from a security perspective? Please reply to this message. Thanks
Hi Team, I have my logs for Jira, Bamboo and UCD in Splunk with indexes index=jira, index=bamboo and index=ucd. For all these tools I need to build a real-time dashboard. Can someone guide me on how to show this as a real-time dashboard? Thanks
Hello, we have two deployment apps, named A and B. They both have an inputs.conf to monitor the paths /log/A and /log/B. If I use the deployment server to push either A or B, it works fine. But if I push both A and B to the clients, only one app path, /log/A or /log/B, is being monitored. Is this because the two apps' inputs.conf files are located in the /default folder? Thanks, Mike
Can you provide an example of a search query or script I can use to tell if a Windows server is shut down or down? I am looking for the best way to set up a shutdown or down status alert for Windows servers.
Hi, in Lookup Definitions, IT_server_list is created and is mapped to a CSV named server_list.csv. In Lookup Tables, the server_list.csv file is there. In Automatic Lookups, IT_server_list is created. Why do we need the automatic lookup?
I created some of the columns using regex, so all of the code for the regex needs to be included. I would like to find the total duration based on StationName.

StationName    Duration
ABC123         100
ABC123         200
ABC456         50

When I pasted this query at the end of my code, it only shows the StationName but the sum of the Duration column is empty. How can I get the sum of Duration based on StationName?

| stats sum(Duration) by StationName
Hi, I'm having trouble launching the web server after installing Splunk on Mac OS X (El Capitan, version 10.11.6). Once installed and after selecting "Start and Show Splunk", I get the below error message when attempting to open the browser: When trying to launch from the terminal I get the below error message as well: Any advice would be great!
Hello, I'm trying to extract some SSID info into a field in Splunk. This info comes after a certain text string in some Cisco WLC logs. Sample logs:

Jul 18 15:00:27 10.171.12.44 DA-WLC-03: *Dot1x_NW_MsgTask_0: Jul 18 15:00:25.919: %APF-3-AUTHENTICATION_TRAP: [SA]apf_80211.c:20019 Client Authenticated: MACAddress:fa:f0:6c:56:34:bf Base Radio MAC:a0:93:51:22:38:b0 Slot:0 User Name:dave2345@ox.ac.uk Ip Address:10.156.4.11 SSID:eduwifi
Jul 18 15:20:35 10.171.12.44 DA-WLC-03: *Dot1x_NW_MsgTask_0: Jul 18 15:20:33.510: %APF-3-AUTHENTICATION_TRAP: [SA]apf_80211.c:20019 Client Authenticated: MACAddress:b8:27:56:34:cc:d0 Base Radio MAC:a0:93:51:22:38:b0 Slot:0 User Name: unknown Ip Address:10.156.4.11 SSID:W-Guest

These logs are often different lengths, but the common feature I want to initially capture as a field is what comes after the text SSID: . I can use this basic regex string in testing on regex101.com and it seems to do the trick: (?:<=SSID:).* but whenever I try to either extract the field or use the rex command in Splunk it does not work. Please could someone tell me if this is the correct regex expression and what formatting I would need to use in Splunk to extract the field? This seems to be a common request but I can't get it to work.
How can I create an alert for if a host is powered off? (I have one Windows host ID.)
Hi, I have configured the Splunk AWS plugin to get files stored in an S3 bucket. These files come from an Apache server and have the Apache access log format. I use an S3 generic input and it seems to be connected (I tried with only one file), but when I search for events I don't see anything. Internal Splunk logs indicate the S3 bucket is reached and the file inside is processed without error. Do you have an idea what this issue could be due to? Thanks, Saïd
I have a few sourcetypes, looking something like this:

sourcetype=weather: date, location, temperature
sourcetype=actions: date, machine, location, action
sourcetype=repairs: date, machine, replacementPart

I'd like to be able to pick out a specific machine, then list all the dates on which it completed actions, and then link those dates and its location at that time to find out what the weather was like when the action was carried out, and also when any repairs were carried out. So I'd end up with the following, for a given machine:

date, action, temperature, replacementPart

I've done a fair bit of googling and tried out methods that seemed like they might help, including the join, coalesce and transaction commands, but nothing I've tried seems to have quite worked. I'm pretty new to Splunk, so any help with a bit of an explanation is very much appreciated!
Dear Community Members, in a Splunk Cloud instance I am trying to get VPN login and logout events for users in a single table sorted by username and time. The query is as below:

eventtype="my_eventtype_1" eventtype="my_eventtype_2" (((EventIDValue=gateway-auth OR EventIDValue=clientlessvpn-login) EventStatus=success SourceUserName!="pre-logon") OR Stage=logout) | stats list(EventIDValue) as Activity, list(_time) as Time by SourceUserName | rename SourceUserName as username | convert ctime(Time) | eval username=upper(username) | sort username,-Time

The search is for a period of 24 hours. I am getting the data, but along with it I see junk characters (if I may call them so). Kindly help me understand how to resolve this. I also tried adding limit=0 to the stats command, but to no avail. Below is the screenshot of the fields. I have not shown the username field for security reasons. I have used a similar query for another VPN and it works fine there and I don't see these characters! Regards, Abhishek Singh
Hi, I have configured an input through the AWS Splunk plugin to get data from an S3 bucket, but when I search for it, it doesn't show me anything. I use the test license (I'm trying a POC with the solution). The connection configuration is OK since I can list files in the bucket from the Splunk interface. Thanks for your help, Saïd
Hi, I have a log file like this:

2021-07-15 00:00:01,869 INFO client.InEE-server1-1234567 [AppListener] Receive Message[A123]: Q[p1.APP], IID[null], Cookie[{"NODE_SRC":"server0"}]
2021-07-15 00:00:01,871 INFO client.InEE-server1-1234567 [AlnProcessorService] Normal Message Received: A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] SA[client.InEE-server1]
2021-07-15 00:00:01,892 INFO client.InEE-server1-1234567 [TransactionProcessorService] Message Processed: A[000] TA[client.OutEE-server2] Status[OK-GO,NEXT]
2021-07-15 00:00:01,988 INFO APP.InEE-server1-1234567 [AaaPowerManager] Send Message [X0000A0000] to [APP.p2] with IID[null], LTE[00000]
...
2021-07-15 00:00:11,714 INFO APP.InE-p2-9876543 [AppListener] Receive Message[Y000000Z00000]: Q[p2.APP], IID[null], Cookie[null
2021-07-15 00:00:11,719 INFO client.InEE-server2-9876543_client.InEE-server1-1234567 [TransactionProcessorService] Normal Message Received:A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] SA[client.InEE-server2]
2021-07-15 00:00:11,736 INFO client.InEE-server2-9876543_client.InEE-server1-1234567 [TransactionProcessorService] Message Processed:A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] TA[client.OutEE-server1] Status[OK-OUT,null]
...
2021-07-15 00:00:11,747 INFO APP.InEE-P2-9876543_CLIENT.InEE-server1-1234567 [AaaPowerManager] Send Message [A123] to [APP.p1] with IID[null], LTE[00000]

Here is the flow:

Step 1 (Receive Request): Server0 > Client.InEE-server1 > Client.OutEE-server2
Step 2 (Reply to request): Client.InEE-server2 > Client.OutEE-server1

Expected result:

id                Source                destination            State       duration
1234567           Server0               Client.InEE-server1    Received    00:00:00:002
1234567           -                     -                      Processed   00:00:00:021
1234567,9876543   -                     Client.InEE-server2    Send        00:00:00:096
9876543           Client.InEE-server2   -                      Receive     00:00:09:726
9876543           -                     -                      Received    00:00:00:005
9876543           -                     -                      Processed   00:00:00:017
9876543,1234567   -                     Client.OutEE-server1   Send        00:00:00:011
Total duration                                                             00:00:09:878

FYI: SA = source address, TA = target address. Any idea? Thanks,
How do I add a gap between two panels in the same row without using an empty panel between them?
Hi, I want to download and install the on-premise controller on a trial basis, but I am unable to find the setup of the on-premise controller for Windows under the AppDynamics Download Center. Let me know where I will be able to download the setup for it. Kindly help with this.
It seems like all of our Splunk servers are running the Monitoring Console in what I reckon is the standalone mode. When we go to the Monitoring Console on the Cluster Master, it shows all the proper roles on all our servers. For example, the Indexers are only running the Indexer role, the Search Heads are just Search Heads, and the Deployment Servers are just Deployment Servers. However, on each individual server its Monitoring Console shows that server as having all the roles, including License Master. I am totally new to Splunk, with less than 2 years of experience, and any time I think I know something, I discover something like this that makes me go wth. Can someone explain to me or suggest what I should do? I hate just ignoring things, so should I make all the individual Monitoring Consoles match the roles of the servers as represented on the Cluster Master?
I just completed the Splunk 7.x Fundamentals Part 1 (eLearning) and passed the exam with a 92% score, but when I look at my profile it tells me that I have completed only 11/14 modules. Before the test I verified that I had completed all the modules and all of them showed as completed. Could you please help me by looking into my profile to see if I am doing anything wrong and let me know? Thank you. Meghnad
Hello, I am looking to clean up the result data from a Splunk query. How do I remove all the text prior to the user name at the end of the line?

Server1234.prod.outlook.com/Microsoft Exchange Hosted Organizations/MyOrg.onmicrosoft.com/Smith, Joe

I want the results to just return "Smith, Joe". Thoughts?
Hi there, I have ingested a CSV file via the Splunk UF and I want to remove certain events that contain the same field value, for example field1 = xyz, abc, pqr, ... and field2 = xyz. I want to send the data to the null queue if field1 = xyz and field2 = xyz. This is my props.conf:

[<sourcetype>]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
INDEXED_EXTRACTIONS = csv
KV_MODE = none
category = Structured
disabled = false
pulldown_type = true

Any help would be appreciated. Thanks