With SOAR's Splunk app (Splunk | Splunkbase), you can pull the SID of your search and append that to your Splunk instance's base URL. This is the same format as if you had clicked the share button in Splunk. Unfortunately, using the link returns "Permission Denied" because the SID hasn't actually been shared. Does anyone know how to make the results of a search run by the Splunk app shareable?
I created the following query to check the status of the LDAP service, but I was wondering if there is a better query:

tag=NAME "AuthenticationResult=Passed" "Authentication failed" NOT "Identity Groups" NOT "ExternalGroups=CN" | stats count by host | search count > 15

Eventually I would like to add this search to my dashboard.
Hi, I am trying to install the API gateway extension. For this I have installed the machine agent independently on a server with SIM enabled. The server does not have an App agent. Then I cloned and extracted the API gateway extension from GitHub in /machineagent/monitors. After extraction I couldn't find the yml file. I have installed Java 8 on the server. The machine agent version is 24.9. Please let me know where this is wrong and whether any additional things need to be done. Regards, Fadil
Hi guys. I've configured the Splunk_TA_nix plug-in running on a Linux server, and this is providing data for a metric-based index in Splunk Enterprise v9.2.1. I've configured the most basic (Classic) dashboard with just a dropdown and a search based on this index. The dropdown never populates, so my question is whether dropdown searches can be based on metric indexes. My search works in Search and Reporting:

| mstats min(df_metric.*) WHERE (host=myhost) span=1h index="linux_os_metric" BY MountedOn | stats values(MountedOn) as MountedOn | sort MountedOn | table MountedOn

It says "populating" and does not return an error, but the dropdown is greyed out and not selectable. I was hoping it was going to present a list of mounted filesystems. Thanks in advance if anyone can solve this.
I have a splunk search that returns two columns, SESSION and URI. How can I show the sequence of URIs visited by each SESSION as columns, with a separate row for each SESSION? Thanks! 
Hi, I have a use case in which I need to assess the storage difference of an index. For example, I have an index which has around 100.15 GB of data in it with Searchable Retention Days set to 1095 days. Now, if I reduce the Searchable Retention Days to, let's say, 365 days, what would be the approximate storage utilization of the index? I need to output these results in tabular form on a dashboard. Please assist me with this. Thank you in advance.
Hello, I am reaching out to inquire whether Splunk SOAR currently supports Red Hat Enterprise Linux 9 (RHEL9). We are considering an upgrade to our infrastructure and want to ensure compatibility with Splunk SOAR. Thank you!
I have a 3-node search head cluster and distributed indexers. We are getting the below error when running any type of search. Please suggest any ways to avoid it.

Error: (indexers)..........of 41 peers omitted] Could not load lookup=LOOKUP-connect_glpi
How can we check whether the data coming into Splunk is causing a problem for the CM, making it unstable and leading the peer count to reach more than 2k+, while RF and SF are also red?
Hello, I have a deployment server and deploy an app on a Universal Forwarder like I usually do (create an app folder -> create a local folder -> write input.conf -> set up the app and server class on the DS, tick disable/enable app, tick restart Splunkd). But after making sure of the log path and the permissions of the log file (664), I don't see the log forwarded. I only manage the Splunk deployment, not the server that hosts the Universal Forwarder, so I asked the system team to check it for me. After some time, they got back to me and said there was no change to the input.conf file. They had to manually restart Splunk on the Universal Forwarder, and after that I finally saw the log ingested. So I want to know if there is an app, or a way, to check whether the app or the input.conf was changed according to my config on the DS or not; I can't ask the system team to check it for me all the time. Thank you.
Hello, We are experiencing an issue with the SOCRadar Threat Feed app in our Splunk cluster. The app is configured to download threat feeds every 4 hours; however, each feed pull results in duplicate events being downloaded and indexed. We need assistance in configuring the app to prevent this duplication and ensure data deduplication before being saved to the indexers.
Hey guys, so I was basically trying to set up Splunk to work with the terminal (bad idea). I ended up moving directories using the CLI and boom! It doesn't work anymore, and I have no way to undo the change via the terminal. I tried deleting and redownloading from Splunk but it doesn't work. Please tell me someone has an answer or a way to reset the directories for the version I once had; I had so much data and so many apps to practice with. P.S. Even if there isn't a way to get my old version back, I would still like to know why it's not working when I try to redownload a new instance.
I am setting up a monitor on the log file for my Dolphin GameCube emulator. Dolphin and Splunk Enterprise are both running locally on my machine (Windows 11). Splunk is ingesting multiple lines per event, and my hope is to get each line to ingest as a separate event. I have tried all kinds of different props.conf configurations, including SHOULD_LINEMERGE, LINE_BREAKER, BREAK_ONLY_BEFORE, etc. I'll paste a sample of the log file below. In this example, Splunk is ingesting lines 1 & 2 as one event, and then 3 & 4 as another event. When I turn on more verbose logging, it will lump even more lines into an event, sometimes 10+.

21:23:310 Common\FileUtil.cpp:796 I[COMMON]: CreateSysDirectoryPath: Setting to C:\Users\whjar\mnt\file-system\opt\dolphin\dolphin-2409-x64\Dolphin-x64/Sys/
21:23:323 DolphinQt\Translation.cpp:155 W[COMMON]: Error reading MO file 'C:\Users\whjar\mnt\file-system\opt\dolphin\dolphin-2409-x64\Dolphin-x64/Languages/en_US.mo'
21:24:906 UICommon\AutoUpdate.cpp:212 I[COMMON]: Auto-update JSON response: {"status": "up-to-date"}
21:24:906 UICommon\AutoUpdate.cpp:227 I[COMMON]: Auto-update status: we are up to date.
Need help passing a token value from a Single Value panel using ( | stats count) in conjunction with the ( | rex field=_raw) command to a Stats Table panel. I created a dashboard showing various "winevent" logs for user accounts (created, enabled, disabled, deleted, etc.). The current search I have for my various Single Value panels using the stats command is seen below (for this example, I used the Windows event code 4720 to count "User Account Created" events on the network) and extracted the EventCode.

Acct Enable: index="wineventlog" EventCode=4720 | dedup user | rex field=_raw "(?m)EventCode=(?<eventcode>[\S]*)" | stats count

The output gives me a Single Value count for Windows event codes that equal 4720, ignoring duplicate user records. I am now trying to capture the extracted "eventcode" using a drilldown into a token for each respective count panel. I have set up the token as (Set $token_eventcode$ = $click.value$) in the drilldown editor of my second query table. Using that token, I want to display the respective records in a second query panel as a table, as seen below:

Acct Enable: index="wineventlog" EventCode=$token_eventcode$ | table _time, user, src_user, EventCodeDescription

As I am still learning how to use the rex command, I am having problems in this instance capturing the EventCode from the _raw logs, setting it to the ($token_eventcode$) token in the Single Value count query, and passing that value down through a token to the table while maintaining the stats count value. Any assistance will be greatly appreciated.
I am trying to route my Windows security logs to another specified index, but they have to meet certain criteria: EventCode has to be 4688 and the Token Elevation Level has to equal %%1936, %%1938, TokenElevationTypeDefault, or TokenElevationTypeLimited. So far I have written these regular expressions:

1. REGEX = ((?s).*EventCode=4688*.)((?si).*(%%1936|TokenElevationTypeDefault|TokenElevationTypeLimited)*.)

2. REGEX = EventCode=4688.*TokenElevationType=(%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited)

When using 1, all EventCode 4688 events come to the specified index, when I only wanted 1936 and 1938. I wanted to leave the %%1937 token in its original index. When using 2, no data at all comes to the index, even though it seems to be a much simpler regex. What am I missing to ensure 4688 is properly filtered using transforms and props?
What replaces Splunk TV?
Previously created war room templates fail to load, and attempting to recreate them gives errors. I've tried as both SAML and local user accounts, both with admin rights.
I am planning on upgrading our Splunk infrastructure, which requires our Splunk indexers to go offline for a few minutes. I am using SmartStore for Splunk indexing. Before I start the upgrade and take down our indexers, I want to roll over all the data that is in the hot buckets to SmartStore and then start the upgrade. What is the best way to do this?
Hi, I need help fetching a field based on another field's condition. I have a lookup table as below:

NAME HOST STATE
abc-a-0 host1 master
abc-a-1 host2 local
abc-a-2 host3 local
abc-b-0 host4 local
abc-b-1 host4 local
abc-b-2 host4 local

I want to retrieve the abc-a-* NAMEs based on the STATE being master. The master STATE is dynamic; sometimes it will be in the abc-b-* group instead. Example:

NAME HOST STATE
abc-a-0 host1 local
abc-a-1 host2 local
abc-a-2 host3 local
abc-b-0 host4 local
abc-b-1 host5 master
abc-b-2 host6 local

The problem is:
1. Retrieve the current master STATE, whether it is an abc-a-* or abc-b-* NAME.
2. Then fetch the 3 NAMEs based on the condition, whether it is abc-a-* or abc-b-*.
I want to be able to change the color of a text input's border when you focus on the input box. I want to change the blue border to red when the field is empty. I have the JavaScript logic but not the CSS that would change the blue border. Here is the CSS I have so far, but all it does is put a border around the whole input panel, not just the text box:

.required button {
  border: 2px solid #f6685e !important;
}