Our add-on requires dateparser, and within dateparser the regex library is required. I added the libraries to my add-on (built with Add-on Builder 4.3); however, it fails in Splunk 9.2 with:

File "/opt/splunk/etc/apps/.../regex/_regex_core.py", line 21, in <module>
import regex._regex as _regex
ModuleNotFoundError: No module named 'regex._regex'

If I try on Splunk 9.3 it works fine. I know the Python version changed from 3.7 to 3.9 on Splunk 9.3, but the regex version 2024.4.16 seems to be good for Python 3.7. I will appreciate any insight on how to solve this issue.
Hi everyone, I’m working with Splunk IT Service Intelligence (ITSI) and want to automate the creation of maintenance windows using a scheduled search in SPL. Ideally, I’d like to use the rest command within SPL to define a maintenance window, assign specific entities and services to it, and have it run on a schedule. Is it possible to set up maintenance windows with entities and services directly from SPL? If anyone has sample SPL code or guidance on setting up automated maintenance windows, it would be very helpful! Thanks in advance!
I am on Splunk 8.2.12. I am trying to get a distinct count of incidents that have happened in each month, year to date. I'd like to compare that to the year prior. I feel like this should be pretty easy, but my results aren't showing the current year in comparison to the previous year. This shows the current year data (2024):

(earliest=-1@y@y AND latest=now())
| eval date_month=strftime(_time, "%mon")
| eval date_year = strftime(_time, "%Y")
| timechart span=1mon dc(RMI_MastIncNumb) as "# of Incidents"

When I add

| timewrap 1year series=exact time_format=%Y

it ends up just showing me 2023.
I have a lookup file that contains a column for hostname, IP address and location. I need a query that will check the lookup file and determine if the element is up or down and if it has or used "radius".

| inputlookup filename | search (MESSAGE_TEXT="Radius")
Hello Splunker,

I have two volumes with the following specs:

Hot/Warm Volume: 5.25 TB
Cold Volume: 4.75 TB

================================
[volume:hot]
path = /opt/splunk-hwdata
maxVolumeDataSizeMB = 7602176

[volume:cold]
path = /opt/splunk-Colddata
maxVolumeDataSizeMB = 4980736
==================================
[Win]
repFactor = auto
homePath = volume:hot/$_index_name/db
coldPath = volume:cold/$_index_name/colddb
thawedPath = /opt/splunk-Colddata/$_index_name/thaweddb
homePath.maxDataSizeMB = 7602176
coldPath.maxDataSizeMB = 4980736
maxWarmDBCount = 720
frozenTimePeriodInSecs = 5184000
maxDataSize = auto_high_volume

[FW]
repFactor = auto
homePath = volume:hot/$_index_name/db
coldPath = volume:cold/$_index_name/colddb
thawedPath = /opt/splunk-Colddata/$_index_name/thaweddb
homePath.maxDataSizeMB = 7602176
coldPath.maxDataSizeMB = 4980736
maxWarmDBCount = 720
frozenTimePeriodInSecs = 5184000
maxDataSize = auto_high_volume
====================================

Notice we have re-configured the below:

[diskUsage]
minFreeSpace = 20000

Finally, we have reached the bottom of the question. I doubt whether this configuration can maintain the below requirements: the data retention period for the online data is 2 months.
- Hot/Warm – 1 month
- Cold – 1 month
Hello, I'm trying to extract fields from an event, but am not up to par on my regex, and I can't seem to get this to work. So these work in regex101, but not within the Splunk Field Extraction for some reason. Within the event there is the following:

"alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,"

I need to create 3 fields from this:

Host = FL-NS-VPX-INT-1
ServiceGroup = mobileapist
Server = vnetapis003

When trying for Host with:

(?<="alias":")[^|]*

It never finds it in Splunk. Can't figure out why.

Extra credit: Just kidding. The last field I need, I can't get either with:

(?<="team","name":")[^"]*

"team","name":"Monitoring_Admin"}],

Here's the full event as well.

INFO[2024-11-13T13:37:23.9114215-05:00] Message body: {"actionType":"custom","customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","ownerDomain":"integration","ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","discardScriptResponse":true,"sendCallbackToStreamHub":false,"requestId":"18dcdb1b-14d6-4b10-ad62-3f73acaaef2a","action":"Close","productSource":"Opsgenie","customerDomain":"siteone","integrationName":"Opsgenie Edge Connector","integrationId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","customerTransitioningOrConsolidated":false,"source":{"name":"","type":"system"},"type":"oec","receivedAt":1731523037863,"ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","params":{"type":"oec","alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","action":"Close","integrationId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","integrationName":"Opsgenie Edge Connector","integrationType":"OEC","customerDomain":"siteone","alertDetails":{"Raw":"","Results 
Link":"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now","SuppressClosed":"True","TeamsDescription":"True"},"alertAlias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","receivedAt":1731523037863,"customerConsolidated":false,"customerTransitioningOrConsolidated":false,"productSource":"Opsgenie","source":{"name":"","type":"system"},"alert":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"entity":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"mappedActionDto":{"mappedAction":"postActionToOEC","extraField":""},"ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf"},"integrationType":"OEC","alert":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member 
Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"customerConsolidated":false,"customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","action":"Close","mappedActionDto":{"mappedAction":"postActionToOEC","extraField":""},"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","alertAlias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","alertDetails":{"Raw":"","Results Link":"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now","SuppressClosed":"True","TeamsDescription":"True"},"entity":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"}} messageId=7546739e-2bab-414d-94b5-b0f205208932   Thank you for all the help on this one, Thanks, Tom    
This is a request to add the steps for adding Splunk Enterprise Security to my enterprise account. Thanks.
Currently running Splunk 9.3.0, IT Essentials Work 4.18.1, VMware Dashboards and Reports content pack 1.2.0. All dashboards in the VMware Dashboards and Reports app where there is a "Quick Search" free text option are not working. It used to provide a list, as you typed, of matching hosts/VMs depending on the dashboard. Now I can't get it to do anything. Can anyone provide what the data source is for this input? I think I am probably missing a lookup file but cannot find which one. For example, this shows the radio button that gets you to the text input. The radio button works but the text input does nothing.
Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this release we have many awaited features and enhancements for both analysts and admins, helping you further your organizational progress toward digital resilience.

Showing you guided insights - detecting threats and issues with context

Federated Analytics on Amazon Security Lake: This premium add-on feature allows admins and security teams to use Federated Analytics to analyze data wherever it resides, in Splunk or Amazon Security Lake, for investigations, detections and threat hunting. This enables your team to leverage the low cost of data lake storage and bring in select data on-demand into Splunk, which helps reduce the limitations of data silos and enables a thorough exploration of data to uncover potential threats. Want to learn more? Read the dedicated launch blog about Federated Analytics.

Powering you with foundational visibility - to see across your environments

Federated Search for Amazon S3: This enhancement simplifies AWS schema setup for common sourcetypes (e.g., CloudTrail, VPC Flow), streamlining access to key AWS data. This automation enables faster, more consistent monitoring and analysis across environments, enhancing security operations with broader, easier access to relevant insights.

Splunk Observability Cloud metrics in Splunk Cloud Platform: Enables customers to leverage Splunk Observability Cloud’s powerful metric store by bringing real-time metrics into Splunk Dashboard Studio for a centralized charting experience. Users can now have streaming metrics alongside existing SPL-based charts for a single pane of glass across logs and metrics.

Enhanced dashboard usability and performance

Version History: Dashboard Studio now includes version history, allowing users to save, compare, and revert to previous dashboard versions for more flexible iteration and collaboration.

Saved Searches Integration: Users can now browse and add saved searches directly within Dashboard Studio, streamlining access to essential data.

Improved Rendering Performance: Charts with timeseries or numerical data now render faster, enhancing the dashboard experience for users working with complex data.

There are additional updates and enhancements that we’ve released that provide platform stability (KVStore upgrade to 7.0) and enhanced user experience, supporting the overall usability and performance of Splunk Cloud Platform. Check out the 9.3.2408 release notes for additional details.

- Python 2 is in the process of complete removal and soon will no longer be available in coming releases.
- jQuery v3.5 library is now set as the platform default; prior jQuery libraries are no longer supported.
index=replicate category=* action=* Message=* [search index=replicate | eval Msg=substr(Message,1,30)] | stats count by action category Msg | dedup action

This is what I'm trying to do. The Message field is very large and I only need the first sentence of the Message. How can I do this? We want it in a sub-search to show the sub-search function for our users. This is a Splunk Cloud implementation.
Why do I need to collect the debug-level log file?

The Java agent by default logs the entries at the info level. Sometimes, the debug-level log files are necessary to investigate an experienced issue. Debug-level logging logs are more insightful entries that can be later used to identify the root cause of the experienced issue.

There are two ways you can collect the agent log files at the desired logging level:
- From the AppDynamics controller UI.
- From the server where the agent was installed.

Collect the Java agent log files from the AppDynamics controller UI:
1. Log into the controller UI.
2. Select the problematic app.
3. Open the 'Tiers & Nodes' dashboard.
4. Select the problematic node.
5. Select the 'Agents' tab.
6. Scroll down to the 'Agent Operations' section and click on the 'Request Agent Log Files' button.
7. Set the logging level properties:
   Logger Name: com.singularity
   Logger Level: Debug
   Duration (minutes): at least 5
8. Click on the 'Request Agent Log Files' button to start the log files collection. If it is a test environment, please make sure to generate the load on the app during the log file collection.

Collect the Java agent log files from the server where the agent was installed:
1. (optional) Delete the '/<java-agent-home>/<version>/logs/<node-name>/' directory.
2. Edit the '/<java-agent-home>/<version>/conf/logging/log4j2.xml' file. Change the logging level as in the example below.

<!-- to control the logging level of the agent log files, use the level attribute below. value="all|trace|debug|info|warn|error"-->
<AsyncLogger name="com.singularity" level="debug" additivity="false">
    <AppenderRef ref="Default"/>
    <AppenderRef ref="RESTAppender"/>
</AsyncLogger>

3. Apply the load on the app (if it is a test environment) for at least 5 minutes.
4. Zip the '/<java-agent-home>/<version>/logs/<node-name>/' directory.
5. Revert the change.

I hope this article was helpful. Feel free to ask in case of any questions.
The API reference mentions how to install an app that is already local to the Splunk instance with apps/local. We can already upload an app manually in the Web console by going to Apps -> Manage Apps -> Install App from File. However, for detection-as-code purposes, I need to be able to do that in a programmatic way, using an API, for CI/CD purposes. I have seen no documented way to do that, which can't be true. Surely if we can do that from the web console, there is a way to do that programmatically using an API. How do I install an app from outside the Splunk instance using the REST API? Thanks
Hello, sorry, still trying to get the hang of search queries. I am tasked with creating a table that displays a server name from one search, with a team name from another search that corresponds with the server name. For example:

1st search:

index="netscaler" | table servername

Results in a table like:

servername1
servername2

2nd search:

index="main" | table teamname

Results in a table like:

teamname1
teamname2

I need to make 1 table that will display the corresponding teamname for the servername. Like: if servername = servername2, display teamname2 in the same table row. Does that make sense? Let me know if any details are needed. Not sure how to do this one. Thanks for any help, Tom
Trying to find out how to show the error message (hourly) when we hover over a Splunk sparkline graph in a Splunk dashboard. Do we have such an option for sparklines?
Hey guys, I sometimes have the task of reassigning ownership to certain teams, and at times it can be multiple dashboards/alerts at once. I have the option to select multiple dashboards/alerts, but when I try to reassign all at once, it doesn't work. I remember someone mentioning that it can be done, so I wanted to talk with my favorite community. Thanks again.
Hello, if you are using _TCP_ROUTING and index rename on the target platform, logs may go to the "last chance index".
I found that I had an error in one of my correlation searches because I saw it in the cloud monitoring console. When I fixed the error I suddenly saw that the latency over this specific correlation search was >4 million seconds. Looking into the actual events that the cloud monitoring console is looking at, I see scheduled_time is more than a month ago. Did I do something dumb, or is Splunk actually just trying to run all those failed scheduled tasks now and I just need to wait it out? Or is there a way to stop them from running? I disabled the correlation search already and did a restart from the server controls....
Hello, is there a possibility of obtaining a Splunk Cloud license for development and integration purposes? Our company is actively working with Splunk APIs, and I’m trying to determine if there’s a license or partnership program we could leverage to support this work. Many thanks in advance!
Splunk enterprise certification tutorials and process.
Hello All, I have a timeline chart. I would like to add zoom-in to this chart: when we drag and select some lines, it needs to zoom. Can anyone help to find this? Thanks in advance!