I have 2 reports which I want to combine so that I get 1 email with both pieces of information.

1. Total number of hosts:
   index=abcd mysearch | stats count as Hostname
2. List of hosts:
   index=abcd mysearch | table Hostname

Results I expect:

Total Hostname: 145

Hostname
host1
host2
host3

Please advise.
How can we compare different versions of a file?
Going to be very tough to explain but I'll give it my best shot. I have some fields I'm trying to report on, IP and ID. There can be multiple duplicate IDs per IP, and vice versa. I would like to remove duplicate IDs per IP, but can't dedup on ID because some IPs could have the same ID. I also tried stats values(ID) by IP, but there are other fields that also need to be reported on and from my research I couldn't find a way to use multiple values.

Example: What I currently get

IP1     ID1
IP1     ID1
IP1     ID2
IP1     ID2
IP2     ID1
IP2     ID1
IP2     ID2
IP2     ID2

What I want to get

IP1     ID1
IP1     ID2
IP2     ID1
IP2     ID2

OR (preferably) in table format

IP1     ID1     Name
        ID2     Name
-------------------------
IP2     ID1     Name
        ID2     Name
Hello,

During the health checkup period of our UF connectors, mainly Linux OSes have been seen sending logs to the indexers, parsed correctly, but the same hosts cannot be seen when searched for in the Deployment Server's "Forwarder Management" page. A couple of notes to follow up with here:

1. Connections to the deployment server are allowed, and traffic is seen going from the UF to the deployment server without interference
2. No duplicate GUIDs are found relating to the specified hosts

What are some other recommendations to troubleshoot this issue?

Thanks,
Hi,

We are facing a problem with links present in Splunk Notifications. We have a custom alert that sends a Notification based on some condition. The Notification is sent as expected, but the link present in it doesn't seem to work. PFA the screenshot of a sample Notification. When I try to click the link present in the mail, it takes me to Splunk, and I see an error (PFA the screenshot). A prompt reply would be appreciated.
Hello,

My objective is to exclude anything the user enters in a text input in a dashboard.

Search string:

index=index_string sourcetype=stype_string | eval host=mvindex(fields,10) | where NOT host in ("$host_token$")

Input XML like this:

<input type="text" token="host_token">
  <label>Host</label>
  <default></default>
</input>

The above works only for a single input in the textbox, e.g. host1. But with multiple hosts it doesn't work: nothing is filtered and all of the hosts below show, e.g. host1,host2,host3
I am receiving the below errors after refreshing Splunk:

Refreshing admin/collections-conf
RESTException [HTTP 503] [{'text': 'KV Store initialization failed. Please contact your system administrator.', 'code': None, 'type': 'ERROR'}]

Refreshing admin/unix_configured
InternalServerError <class 'splunk.admin.BadProgrammerException'>: This handler claims to support this action (2), but has not implemented it.
Hi all,

Can anyone direct me to a post or documentation on the best procedure for importing logs copied off a non-networked Linux server? We're looking at copying the log files to a network share and then importing, but we've never done this for a Linux box that doesn't have a forwarder.

Cheers.
I inherited one SH and 2 indexers, 1 LM, and one Deployment Server supporting forwarders. I have to onboard data and am not sure if I have to go to each indexer to update indexes.conf and props.conf. On the Deployment Server I created an app and serverclass.conf, and configured the UF with serverclass.conf. I configured a currently existing index in the inputs.conf that I distributed to the UF. The UF was installed as root and is owned by root, so I believe I can eliminate log file permissions on the UF.

It would be greatly appreciated if you could share your knowledge and approach on managing non-clustered indexers. I have 3 non-clustered indexers.
Hi, I am getting an error when trying to access the 8089 port for Splunk. When I try to access it via Chrome I get this message: "NET::ERR_CERT_INVALID". I don't want to post the URL here since my company might not like that.
I am trying to set up a restricted search for a role so that they can only see data when field1=customer01. The default way was to do it by field1::customer01, but that didn't show any results when I previewed the results. Instead I did field1=customer01 and that worked. Is there a reason why field1::customer01 doesn't generate any results?
Hello There,

I am able to use the | rest command to obtain the date that a lookup was last updated in Splunk. However, I can only seem to do that with one lookup and I am not able to add the other lookups. How can I add more lookups to the | rex command? Lookups I have to add: redSox_Report_.csv, yankees_Report_.csv, dodgers_Report.csv. I can only add one so far, angels_Report_.csv:

| rest /servicesNS/-/-/data/lookup-table-files/angels_Report.csv
| eval updated=strptime(updated,"%FT%T%:z")
| eval desired_time=strftime(updated, "%a %m/%d/%Y")
| table desired_time
Hi,

I am trying to use splunk-operator to set up a standalone Splunk instance on Kubernetes which will use an existing Splunk license master that is not part of a splunk-operator setup. In the documentation (https://splunk.github.io/splunk-operator/CustomResources.html#common-spec-parameters-for-all-resources) the licenseUrl configuration parameter only accepts a full path or URL for a Splunk Enterprise license file. How do I go about configuring this? Any help will be very much appreciated.
I just upgraded my Splunk Security Essentials app from 3.1.1 to 3.3.3. I'm running Splunk Enterprise 8.1.4. When I access the Analytics Advisor / MITRE ATT&CK Framework page, the MITRE ATT&CK Matrix just refuses to load. Has anyone encountered this, and do you have any troubleshooting suggestions? 
Hi Everyone,

I have two queries as shown below. In each I am sorting in a different way, but still the values come out the same.

index=abc source="/splunkLogs/JOB_MDJX_CS_STATS_PLATINUM.csv"|join type=outer JOBFLOW_ID [ inputlookup JOB_MDJX_CS_MASTER_E3.csv ]|eval fields=split(_raw,",")|eval Environment=mvindex(fields,11)|eval JOBFLOW_ID=mvindex(fields,0) |eval JOB_EXEC_TIME=mvindex(fields,8)|eval RunDate=mvindex(fields,3)|where Environment="E3"|where JOBFLOW_ID LIKE "%%"|eval RunDate="20".mvindex(fields,3)|fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|eval TotalExecTime=round(TotalExecTime,2)|timechart useother=f sum(JOB_EXEC_TIME) as TotalExecTime by JOBFLOW_ID |sort -TotalExecTime limit=10

index=abc source="/splunkLogs/JOB_MDJX_CS_STATS_PLATINUM.csv"|join type=outer JOBFLOW_ID [ inputlookup JOB_MDJX_CS_MASTER_E3.csv ]|eval fields=split(_raw,",")|eval Environment=mvindex(fields,11)|eval JOBFLOW_ID=mvindex(fields,0) |eval JOB_EXEC_TIME=mvindex(fields,8)|eval RunDate=mvindex(fields,3)|where Environment="E3"|where JOBFLOW_ID LIKE "%%"|eval RunDate="20".mvindex(fields,3)|fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|eval TotalExecTime=round(TotalExecTime,2)|timechart useother=f sum(JOB_EXEC_TIME) as TotalExecTime by JOBFLOW_ID |sort TotalExecTime limit=10

Why are the values coming out the same? Can someone guide me? Thanks in advance.
Is there a way to run multiple stats commands on two separate columns? My data set looks like this:

Col 1    Col 2
Foo      ""
""       Bar

I want to count both columns, sum both columns, and then divide column one by the sum of Col 1 + Col 2. Is this possible? I'm pretty new to Splunk and have only had training for Splunk Fundamentals One. Anything helps, thanks!
Hi, can anyone help me to resolve the below issue?

[Agent-Monitor-Scheduler-2] 24 May 2021 12:53:11,036 ERROR PeriodicTaskRunner - Error creating environment task
java.lang.NoClassDefFoundError: javax/xml/bind/JAXBException
    at com.appdynamics.extensions.ABaseMonitor.createContextConfiguration(ABaseMonitor.java:148) ~[?:?]
    at com.appdynamics.extensions.ABaseMonitor.initialize(ABaseMonitor.java:121) ~[?:?]
    at com.appdynamics.extensions.ABaseMonitor.execute(ABaseMonitor.java:186) ~[?:?]
    at com.singularity.ee.agent.systemagent.components.monitormanager.managed.MonitorTaskRunner.runTask(MonitorTaskRunner.java:149) ~[machineagent.jar:Machine Agent v21.5.0-3130 GA compatible with 4.4.1.0 Build Date 2021-05-11 18:06:06]
    at com.singularity.ee.agent.systemagent.components.monitormanager.managed.PeriodicTaskRunner.runTask(PeriodicTaskRunner.java:86) ~[machineagent.jar:Machine Agent v21.5.0-3130 GA compatible with 4.4.1.0 Build Date 2021-05-11 18:06:06]
    at com.singularity.ee.agent.systemagent.components.monitormanager.managed.PeriodicTaskRunner.run(PeriodicTaskRunner.java:47) [machineagent.jar:Machine Agent v21.5.0-3130 GA compatible with 4.4.1.0 Build Date 2021-05-11 18:06:06]
    at com.singularity.ee.util.javaspecific.scheduler.AgentScheduledExecutorServiceImpl$SafeRunnable.run(AgentScheduledExecutorServiceImpl.java:122) [agent-21.1.0-2340.jar:?]
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) [?:?]
    at com.singularity.ee.util.javaspecific.scheduler.ADFutureTask$Sync.innerRunAndReset(ADFutureTask.java:335) [agent-21.1.0-2340.jar:?]
    at com.singularity.ee.util.javaspecific.scheduler.ADFutureTask.runAndReset(ADFutureTask.java:152) [agent-21.1.0-2340.jar:?]
    at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.access$101(ADScheduledThreadPoolExecutor.java:119) [agent-21.1.0-2340.jar:?]
    at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.runPeriodic(ADScheduledThreadPoolExecutor.java:206) [agent-21.1.0-2340.jar:?]
    at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.run(ADScheduledThreadPoolExecutor.java:236) [agent-21.1.0-2340.jar:?]
    at com.singularity.ee.util.javaspecific.scheduler.ADThreadPoolExecutor$Worker.runTask(ADThreadPoolExecutor.java:694) [agent-21.1.0-2340.jar:?]
    at com.singularity.ee.util.javaspecific.scheduler.ADThreadPoolExecutor$Worker.run(ADThreadPoolExecutor.java:726) [agent-21.1.0-2340.jar:?]
    at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.lang.ClassNotFoundException: javax.xml.bind.JAXBException
    at com.singularity.ee.util.loader.FileSystemClassLoader.findClass(FileSystemClassLoader.java:372) ~[agent-21.1.0-2340.jar:?]
    at java.lang.ClassLoader.loadClass(Unknown Source) ~[?:?]
    at com.singularity.ee.util.loader.FileSystemClassLoader.loadClass(FileSystemClassLoader.java:320) ~[agent-21.1.0-2340.jar:?]
    at java.lang.ClassLoader.loadClass(Unknown Source) ~[?:?]
    ... 16 more

Thanks
I'm trying to put together a query to find some outlier events with very long values within a complex structure.

index=myindex sourcetype=jsonfile | where len('x.y.z{}.field') > 20 | stats count by x.y.z{}.field

This is my first stab at how to do this, but it doesn't return any values, even though I know they are there.
I was asked to "update a search to append a final | regex PatternStringMatch="[A-Z]" query that will look for anything in that field that has both a letter and a number." Any thoughts?
Hi Team,

We have set up the Website Monitoring App on one of our Heavy Forwarders hosted in Azure, and it is sending data to Splunk Cloud. The App is monitoring Internet URLs, but the Intranet URLs are not getting monitored. It is throwing a 401 error message even after passing valid credentials. Please advise as to whether the Intranet URLs can be monitored using the Website Monitoring App, or whether some additional configuration changes need to be made so as to enable this monitoring. Thanks!