Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

The query is to retrieve the failed test case matching the exception message. Out of 6 failed test cases, one test has an exception and the rest of them are skipped with the message 'Test was skipped'. Below is the data of one event.

{
  "suite_build_id": "20241015.12",
  "suite_build_name": "pipeline_name",
  "unit_test_name_failed": [
    {
      "message": "Failed to save the shipping address. An unexpected error occurred. Please try again later or contact HP Support for assistance.",
      "test_rail_name": "test_printer_order_placement_magento",
      "test_result": "fail"
    },
    {
      "message": "Test was skipped",
      "test_rail_name": "test_updation_of_access_token"
    },
    {
      "message": "Test was skipped",
      "test_name": "test_printer_and_user_details",
      "test_rail_name": "test_printer_and_user_details"
    }
  ]
}

Now, I want to display the result showing test_rail_name and exception_message which match the exception. Below is the query that I tried.

index="eqt-e2e" suite_build_name="pipeline-name" suite_build_number="20241015.12"
| mvexpand unit_test_name_failed{}.message
| mvexpand unit_test_name_failed{}.test_rail_name
| search unit_test_name_failed{}.message="Failed to save the shipping address. An unexpected error occurred. Please try again later or contact HP Support for assistance."
| table suite_build_number, suite_build_start_time, unit_test_name_failed{}.test_rail_name, unit_test_name_failed{}.message
| rename suite_build_number AS "Pipeline Number", suite_build_start_time AS "Pipeline Date", unit_test_name_failed{}.test_rail_name AS "Test Name", unit_test_name_failed{}.message AS "Exception Message"

In the result, it should have been 1 event, but it retrieves 6 events. I understand that mvexpand works only on one multivalue field, and here I have 2 multivalue fields. Let me know if there is any solution for retrieving the data.
Hello Splunkers, I'm working on developing an app that requires making REST API calls to Splunk in order to gather information about saved searches, knowledge objects, and more. Could you please advise on the most secure method for authorization and authentication? Does the REST API support MFA, or are there other mechanisms available, with or without SAML? Is token generation the only secure way to make these API calls, or are there alternative methods? Thanks, Manish Kumar
Hi, I have the below query. I want to group and count by two different words, one group per word, in a field "text1.value"; the words Load Balancer and Endpoints are located somewhere in a string. I also want to count how many of them occurred per day. Is this possible?

index=monitor name="Manager - Error" text2.value="*Rerun" text1.value="*Load Balancer*" OR "*Endpoints*"
Hi Splunkers, I received a notice about upgrading jQuery to version 3.5 or higher, and I ran a jQuery scan through the Upgrade Readiness dashboard. The incompatibility issue is coming from my custom app. The file in question, C:\Program Files\Splunk\etc\apps\custom_app\appserver\static\help\en-GB\jquery.js, needs to be updated. Remediation (suggested by the dashboard): The jQuery 1.11.1 bundled with the app introduces vulnerabilities. Splunk apps must use jQuery 3.5 or higher, as lower versions are no longer supported in Splunk Cloud Platform. What I've done so far: I downloaded the new jQuery.js file from jquery.com, renamed it, replaced the file in the specified path and restarted Splunk, but this hasn't resolved the upgrade issue. I'm unsure of the next steps and would appreciate any guidance or suggestions. Thanks!
Currently I have a Splunk Indexer with multiple Indexes and a Search Head. I would like to have one or two indexes available on two Splunk indexers, and the data should be accessible from the Search Head from both indexers. Thanks
I'm trying to update the Splunklib version in our app because it currently uses an older version that doesn't comply with Splunk's new App Inspect rules. After updating and validating the app, I encountered an "unknown error" when attempting to upload the new version to Splunkbase, despite the validation process not showing any errors or failures. Please refer to the image below. What could be causing this issue?
I have JSON data which is multivalued. I want to create an overview table of the counts.

{
  "suite": [
    {
      "hostname": "localhost",
      "failures": 0,
      "package": "ABC",
      "tests": 0,
      "name": "ABC_test",
      "id": 0,
      "time": 0,
      "errors": 0,
      "testcase": [
        { "classname": "xyz", "name": "foo1", "time": 0, "status": "Passed" },
        { "classname": "pqr", "name": "foo2", "time": 0, "status": "Passed" },
        . . .
      ]
    }
  ]
}

This is the data. For a given project there'll be many JSON files like the above. So I want to get the unique data while taking the counts. I tried with mvdedup, but it did not work.

| spath output=jenkins_url path=JenkinsMetaData.JENKINS_URL
| spath output=suite path=suite{}.name
| spath output=case path=suite{}.case{}.name
| spath output=Build_Num path=JenkinsMetaData.buildnumber
| spath output=Status path=suite{}.case{}.status
| fields - _raw
| eventstats max(Build_Num) as Latest_Build by Job_Name
| where Latest_Build=Build_Num
| stats values(Build_Num) as Build_Num count(eval(Status="Execution Failed" OR Status="Testcase_Failed")) AS Failed_cases, count(eval(Status="Passed")) AS Passed_cases, count(eval(Status="Failed" OR Status="Testcase_Error")) AS Execution_Failed_cases, dc(case) as Total_cases dc(suite) as "Total suite" by Job_Name Build_Variant Jenkins_Server

When I do this, Total_cases and Total suite are correct, but the other values are not correct. But when I use | Status="Passed" | stats dc(case) as Passed_cases for one project, I'm getting the correct value. My requirement, however, is to create a table for all the projects. Does anyone know how to handle this?
Hi Team, is it possible to use the output value of the base query as the drop-down values in the input panel? Example:

<search id="base">
  <!-- Master query which will be used in all the Panels -->
  <query>index=ABC | eval fieldA = If (fieldB = "ABC" , fieldB , fieldA )</query>
</search>

I want to use the value of fieldA in the dropdown of the input POH_Group. The query below is not working and I am not getting the values of fieldA in the dropdown of POH_Group:

<input type="dropdown" token="POH_tokenD" searchWhenChanged="true">
  <label>POH_Group</label>
  <prefix>POH_Group1="</prefix>
  <suffix>"</suffix>
  <fieldForLabel>POH_Group1</fieldForLabel>
  <fieldForValue>POH_Group1</fieldForValue>
  <choice value="*">All</choice>
  <default>*</default>
  <search>
    <query> | dedup fieldA | table fieldA </query>
  </search>
</input>

Can you please help to fix this issue?
Getting the below error:

Invalid key in stanza [proofpoint_digital_risk_audit_input://Digital_Risk_Data_Input] in /opt/splunk/etc/apps/TA-proofpoint-digital-risk-app-for-splunk/local/inputs.conf, line 2: token (value: xyznkbejrfhrekfjrltjgltrkgltrkgtkhgythytlhmylth).
Hi Team, I am trying to integrate Jenkins/CloudBees with Splunk using the Splunk plugin. But I do not want to store the HEC_TOKEN as plain text or as a hard-coded value in the Splunk configuration under Manage Jenkins --> System --> Splunk for Jenkins Configuration. I am trying to store it as a credential or environment variable and then use it in the Jenkinsfile, but it does not work. Is there any workaround for this? Please let me know. Thanks.
I'm trying to calculate the minute difference between two times and get an empty field.

.........base search here.........
| end_time = 2024-09-24 08:17:13.014337+00:00
| eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S")
| eval _time = now()
| eval time_epoch = strptime(time_epoch, "%Y:%m:%d %H:%M:%S")
| eval diff = (time_epoch-end_time)/60
Greetings, please help!! I need to extract the ID value from the two events below, and I'm kinda banging my head here. I just need to list Q123456789 and each ID in my dashboard. But I can't get past all of the special characters. I've tried using different combinations like this:

| eval msg="the event" | rex "msg =(?< policyId >\w+)" | table policyId

But what I would really like is to have something like this in my dashboard:

Starting Controller Q123456789
CallStatus=Success Q123456789
Starting Controller Q123456788
CallStatus=Success Q123456788
Starting Controller Q123456787
CallStatus=Success Q123456787

And so on. Is this possible? Your help is always appreciated. Thanks

Starting Controller=Fall Action=GetFallReportAssessment data={"policyId":"Q123456789","inceptionDate":"20250501","postDate":"1900-01-01T12:00:00"}

API=/api/Fall/reportAssessment/ CallStatus=Success Controller=Fall Action=GetFallReportAssessment Duration=27 data={"policyId":"Q123456789","inceptionDate":"20250501","postDate":"1900-01-01T12:00:00"}
Hi Team, I hope this email finds you well. I am currently working on a task to monitor long-running Apex classes in Salesforce and would like to write a query to help track these. Could you please suggest the best approach or share a sample query that would assist in identifying and monitoring these classes effectively? Your guidance on this matter would be greatly appreciated. Thank you for your support. Regards
Hello, I'm just trying to learn SPL and am currently trying to find all sessions with login and logout requests, identified by the SESSION_ID field. So basically I'm trying to find all SESSION_ID values where, within the session, the user performs a login and a logout operation. Coming from the relational database world, my first step was to write some sort of join operation, but I quickly found out that joins are not the best thing to do in Splunk. This is what I tried:

index=allsessions "*login*" | join type=inner left=L right=R where L.SESSION_ID=R.SESSION_ID [search index=allsessions "*logout*"]

Can someone help me write a better query for the above problem? Thanks!
Hi All, I am trying to find out server uptime and downtime (or offline time). However, I am using the below command and I am not getting what I want.

| mstats max(System.System_Up_Time) AS "Uptime" WHERE index="permon_metrics" host=system1* BY host span=1m
| dedup host
| rex field=host "\w{6}(?<function_abbr>\w{4})"
| search function_abbr=ADDS
| sort Uptime asc
| eval Uptime = round((now() - _time) / (60 * 60), 1)
| search Uptime="4.0"

I would like to see the output in a single tile like HH:MM:SS.
Looking for the best/easiest way to retrieve or reconstruct a Splunk URL to an event retrieved using Python, to then paste into a browser and view the event through the web UI. Thanks!
Need help with creating an interactive drilldown with a value extracted using the rex command. I want to monitor users saving files to a certain folder and also sort and look at the file extension types that are saved in the folder and by whom. The raw test data has: time, user, computer, directory and document, as seen below.

Test Data
_time         user_name   computer_name   source_directory        document
10/11/2024    user1       Destop_user1    \\cpn-local\priv\cus\   document1.pdf
10/11/2024    user4       Destop_user1    \\cpn-local\priv\cus\   document2.doc
10/10/2024    user1       Destop_user1    \\cpn-local\priv\cus\   document3.pdf
10/10/2024    user2       Destop_user2    \\cpn-local\priv\cus\   document4.pdf
10/9/2024     user3       Destop_user3    \\cpn-local\priv\cus\   document5.pdf
10/9/2024     user4       Destop_user4    \\cpn-local\priv\cus\   document6.doc
10/9/2024     user2       Destop_user2    \\cpn-local\priv\cus\   document7.doc

I have created a drilldown using a token value of the queried data from the raw logs, which allows me to select a user from a pie chart and show all logs in a second table. Those two dashboard panels are below and work.

*** User Pie Chart with the drilldown token: token_user=$click.value$ ***
index="user_files" | rex field="document" "\.(?<extension>[^\.]*$$)" | stats count(user_name) BY user_name

*** User Record Table ***
index="user_files" user_name = $token$ | table _time, user_name, computer_name, source_directory, document

I am now trying to create a dashboard taking the same raw data, add a rex command to filter out the extension, and have the pie chart show the specific file extension. I have logs from an index, which I have done using the following query.

*** File Extension Pie Chart: Works ***
index="user_files" | rex field="document" "\.(?<extension>[^\.]*$$)" | stats count(extension) by extension

However, when I call on the token "source = $token$" after declaring the index to display records based on the pie chart selection, there are no search results.

*** Records by file type selected in Pie Chart: No Records found with selection from Pie Chart ***
index="user_files" source=$*token$ | table _time, user_name, computer_name, source_directory, document

I also tried (index="user_files" extension=$*token$") and ("|where extension="$token$") in the query, and still no results are seen in the record table. Any help would be greatly appreciated. I understand the logic needed, I'm just having problems executing the drilldown. Thanks
My group and I are creating a senior project for a SIEM through a VM. We were planning to implement Splunk dashboards into the project with Python code. To give some background, we are starting from scratch with Python code, and we would like to implement Splunk dashboards into that Python code. In short, when we run the Python code we would like the Splunk GUI to pop up (whichever one we choose: charts, pie charts, global map) with the data that we are collecting through the Python code. Is there a way we can achieve this goal?
My alert is not triggered even with many matching events. Here are the details: while the activity that generates these logs is running, the real-time alert is processing and finds those events, as shown in the screenshot. I have waited for 5 mins and have the same issue. I have also tried a scheduled alert and still have the same issue, no triggering.
Anyone have a tip on how to have a token (from a field) and then determine which query to run based on that input? For example (datasources/queries: fruit, meat, vegetable): Field: banana -> run the query for fruit -> display a table about banana from said query. Struggling with this one; I'm trying to make a dynamic search bar that populates tables based on the input, thus making multiple of my dashboards redundant. Slimming things down.