I use Splunk together with this add-on: https://splunkbase.splunk.com/app/3110/, which reads text log files from Azure blobs. The problem is that the license manager shows warnings and eventually search is blocked. The license manager shows this for my only index:

At the same time I see that this particular index's size is only 1.29 GB, and the log files are only several MB per day. How is this possible? I'm on a trial license, but switching to the free license does not change this behaviour.
Hi, I have a requirement to export the Splunk logs to Azure Blob Storage. Is there a way to do this?
Hi all, I have a Splunk Enterprise 8.20 fresh installation (simple one-server deployment). The splunkd service is running with a domain admin user. My first goal is to set up and test the Splunk App for Windows Infrastructure. I followed the official guide step by step and checked several times. I also installed the Active Directory PowerShell module on the Splunk server (in my searches I had errors with a PowerShell command not being recognized): https://docs.splunk.com/Documentation/MSApp/2.0.2/MSInfra/AbouttheSplunkAppforMSInfrastructure

I installed the UF on only 2 hosts (the domain controllers) and set up inputs.conf to send data to the default indexes. I can see data coming into my Splunk server, the data on the license page grows fast, and searching the index works. The app's guided setup doesn't enable all features, as below:

Detecting Event Monitoring ... Windows: Event Monitoring found.
Detecting Performance Monitoring ... Windows: Performance Monitoring not found.
Detecting Applications and Updates ... Windows: Applications and Updates not found.
Detecting Network Monitoring ... Windows: Network Monitoring found.
Detecting Print Monitoring ... Windows: Print Monitoring found.
Detecting Host Monitoring ... Windows: Host Monitoring found.
Detecting Domains ... Active Directory: Domains found.
Detecting Domain Controllers ... Active Directory: Domain Controllers not found.
Detecting DNS ... Active Directory: DNS not found.
Detecting Users ... Active Directory: Users not found.
Detecting Computers ... Active Directory: Computers not found.
Detecting Groups ... Active Directory: Groups not found.
Detecting Group Policy ... Active Directory: Group Policy found.
Detecting Organizational Units ... Active Directory: Organizational Units found.

I have no network or firewall issues; TCP ports 8089 and 9997 are enabled and working. What else can I check? Thank you all.
Hi, I am new to AppDynamics. We have an on-prem installation. I went into one of our applications -> Tiers and Nodes to check the App Agent Status at node level. I have seen some values such as 99.4% with an up arrow and 11.5% with a down arrow. Can someone please explain what it means for the availability of the agents? Example: we have one tier with 20 nodes. Some nodes show 52.3% up arrow, 60.02% up arrow, and some are like 11.81% down arrow, 0% down arrow.
I am getting the below error while creating a Splunk Cloud free trial: "An internal error was detected when creating the stack. We're sorry, an internal error was detected when creating the stack. Please try again later." For the past two days I have been getting this error. Could anyone suggest a solution for this issue?
I have added a slider to my dashboard. The slider changes the value of a token, but it does not trigger a new search even if the original token is set with searchWhenChanged="true". Any ideas? Thanks in advance.
I wanted to understand how Splunk actually stores events and metrics data internally, and what the benefits of the metrics way of storing are over events.
I can see that we are having duplicate events in every index. Query used to identify the duplicate events:

index=* | eval myID=_cd | search [search index=* | streamstats count by _raw | search count>1 | eval myID=_cd | fields myID] | stats c(myID) as dpc by index

Query used to get bucket details of these events:

index=* | eval cd=_cd | eval bkt=_bkt | table cd bkt index splunk_server _time source host sourcetype _raw

Note: SF and RF are not met and are set to 3:3. We have a multisite clustered environment. Could this issue be due to SF/RF not being met, or is the SH somehow showing data from replicated buckets as well? Is there a fix to this?
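The two cases the post asks about leave different fingerprints in the output of the second query. `_cd` is the event's address inside its bucket (bucket id and offset) and `_bkt` names the bucket; a replicated copy of a bucket is a copy of the same files, so the same event has the same `_cd` and `_bkt` on every peer that holds a copy. If two rows with identical `_raw` also share `_bkt` and `_cd` but come from different `splunk_server` values, the search head received the event from more than one copy of the same bucket, which a healthy cluster (exactly one primary per bucket) should not do. If the addresses differ, the data was indexed twice and the duplicates are real. The Python below is an added example, not from the original post; it classifies rows shaped like that query's table output. The rows are constructed for the example and the field names match the `table` command above.

```python
"""Classify duplicate Splunk events from the output of
| table cd bkt index splunk_server _time source host sourcetype _raw
Added example; not from the original post."""
from collections import Counter, defaultdict

# Constructed sample rows (made up for this example). cd is the event's
# address inside its bucket ("<bucket id>:<offset>"), bkt names the bucket.
SAMPLE_ROWS = [
    {"cd": "12:4096", "bkt": "main~12~AAAA", "index": "main", "splunk_server": "idx1",
     "_raw": "user=alice action=login"},
    {"cd": "12:4096", "bkt": "main~12~AAAA", "index": "main", "splunk_server": "idx2",
     "_raw": "user=alice action=login"},
    {"cd": "7:100", "bkt": "main~7~BBBB", "index": "main", "splunk_server": "idx1",
     "_raw": "user=bob action=logout"},
    {"cd": "9:2048", "bkt": "main~9~CCCC", "index": "main", "splunk_server": "idx3",
     "_raw": "user=bob action=logout"},
    {"cd": "3:10", "bkt": "win~3~DDDD", "index": "win", "splunk_server": "idx1",
     "_raw": "EventCode=4624"},
]

REPLICA_RETURNED = "replica_returned"   # one address, several peers: cluster/search problem
DOUBLE_INDEXED = "double_indexed"       # different addresses: the event was ingested twice


def classify_duplicates(rows):
    """Return {_raw: kind} for every _raw value that occurs more than once."""
    by_raw = defaultdict(list)
    for r in rows:
        by_raw[r["_raw"]].append(r)
    kinds = {}
    for raw, group in by_raw.items():
        if len(group) < 2:
            continue
        addresses = {(r["bkt"], r["cd"]) for r in group}
        peers = {r["splunk_server"] for r in group}
        if len(addresses) > 1:
            # Two on-disk addresses exist only if the data was indexed twice
            # (e.g. a forwarder re-read or re-sent the source).
            kinds[raw] = DOUBLE_INDEXED
        elif len(peers) > 1:
            # One address served by several peers: more than one copy of the
            # same replicated bucket answered the search.
            kinds[raw] = REPLICA_RETURNED
    return kinds


def summarize(rows):
    """Count duplicate kinds per index, like the post's 'stats ... by index'."""
    kinds = classify_duplicates(rows)
    index_of = {r["_raw"]: r["index"] for r in rows}
    return Counter((index_of[raw], kind) for raw, kind in kinds.items())
```

Run `summarize()` over the exported table: a result dominated by `replica_returned` points at the cluster (bucket primaries, the unmet SF/RF), while `double_indexed` points at the inputs or forwarders, and the fix is different in each case.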
I am using the REST API Modular Input add-on to ingest data from PRTG in JSON format, which was working fine until yesterday, when I tried to add some more configs to better process the data (props.conf and inputs.conf; a minor change in the endpoint). Strangely, the data ingest stopped after the change. The endpoint query works fine, since it works in the browser. I checked the splunkd logs as well and there is nothing much that I can see from the time the data stopped coming in. Did anyone face similar issues earlier?

This is my inputs.conf:

[rest://PRTG_<IP>]
activation_key = <key>
auth_password = <username>
auth_type = basic
auth_user = <password>
endpoint = https://<IP>/api/table.json?content=sensors&output=json&columns=objid,probe,group,device,host,sensor,status,message,lastvalue,priority&count=100&username=<user>&passhash=<pass>
host = <ip>
http_method = GET
index = prtg
index_error_response_codes = 0
log_level = INFO
response_type = json
sequential_mode = 0
sourcetype = mysourcetype
streaming_request = 0
disabled = 0

This is the props.conf:

[mysourcetype]
KV_MODE = JSON
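Two things in the posted stanza are worth a second look before debugging the ingest. First, the endpoint URL carries `username=` and `passhash=` in the query string while `auth_type = basic` already sends credentials in a header; anything in the URL is written to logs on the client, on proxies and on the PRTG server, and it sat in the browser history when the endpoint was tested by hand. Second, `auth_user` and `auth_password` hold each other's placeholder, which may be a redaction slip or the actual misconfiguration. The Python below is an added example, not code from the add-on or the post: it parses a stanza shaped like the one above (constructed, placeholders kept), reports credentials embedded in the URL, and produces the stripped endpoint to pair with the basic-auth settings. The reading of `index_error_response_codes = 0` is an assumption from the setting's name.

```python
"""Audit a REST API Modular Input stanza for credentials exposed in the URL.
Added example; not code from the add-on or the original post."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed stanza modelled on the one in the post (placeholders kept as-is).
SAMPLE_STANZA = """[rest://PRTG_<IP>]
auth_type = basic
auth_user = <password>
auth_password = <username>
endpoint = https://<IP>/api/table.json?content=sensors&output=json&columns=objid,probe,device&count=100&username=<user>&passhash=<pass>
http_method = GET
index = prtg
index_error_response_codes = 0
response_type = json
"""

# Query parameter names that carry credentials (extend for your own APIs).
SECRET_PARAMS = {"username", "passhash", "password", "apitoken", "token", "apikey", "secret"}


def parse_stanza(text):
    """Parse 'key = value' lines of one stanza into a dict. Splunk .conf keys are
    case-sensitive and values may contain '=', so split on the first '=' only."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "[#":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def secrets_in_url(url):
    """Names of query parameters whose values are credentials."""
    return sorted(k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)
                  if k.lower() in SECRET_PARAMS)


def strip_secrets(url):
    """Return the URL without credential parameters; ',' stays literal so the
    PRTG columns= list is unchanged."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SECRET_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept, safe=",")))


def audit(stanza_text):
    """Return a list of findings for the stanza (empty list: nothing flagged)."""
    s = parse_stanza(stanza_text)
    findings = []
    leaked = secrets_in_url(s.get("endpoint", ""))
    if leaked:
        findings.append("endpoint carries credentials in the query string: " + ", ".join(leaked))
        if s.get("auth_type") == "basic":
            findings.append("auth_type=basic already sends the credentials in a header; "
                            "use endpoint=" + strip_secrets(s["endpoint"]))
    if s.get("index_error_response_codes") == "0":
        # Assumption from the setting's name: with 0, HTTP error replies (e.g. a
        # 401 after a credential change) are not indexed as events, so a broken
        # login shows up only as silence in the index.
        findings.append("index_error_response_codes=0: HTTP error responses are not indexed; "
                        "check the add-on's own log output instead of the index")
    return findings
```

With the credentials moved out of the URL, a rotated PRTG passhash only has to change in one place, and a 401 from the API is the first thing to rule out when ingest goes quiet after a config change.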
Good morning everybody. I am a beginner in Splunk. When I try to generate a PDF of my dashboard from the Splunk Enterprise GUI, if the result is more than 750 I get an empty PDF. This is the log from pdfgen.log:

2021-05-11 09:40:45,752 +0200 INFO pdfrenderer:427 - normalize page settings; elements={'logo': ['pdf.header_left'], 'timestamp': ['pdf.header_right'], 'description': ['pdf.header_center', 'pdf.footer_center'], 'pagination': ['pdf.footer_right']}
2021-05-11 09:40:52,515 +0200 ERROR pdfgen_utils:497 - Error parsing SVG. Exception="Entity 'nbsp' not defined, line 1, column 6827" svgString="<svg version="1.1" class="highcharts-root" style="font-family:&quot;Splunk Platform Sans&quot;, &quot;Proxima Nova&quot;, &quot;Lucinda Grande&quot;, Roboto, Droid, &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif;font-size:12px;" xmlns=""><desc>Created with Highcharts 5.0.12</desc><defs><clippath id="highcharts-feg1y35-1"><rect x="0" y="0" width="523" height="256" fill="none"></rect></clippath><clippath id="highcharts-feg1y35-2"></clippath></defs><rect fill="#ffffff" class="highcharts-background" x="0" y="0" width="600" height="350" rx="0" ry="0"></rect><rect fill="none" class="highcharts-plot-background" x="67" y="50" width="523" height="256"></rect><g class="highcharts-pane-group"></g><g class="highcharts-grid highcharts-xaxis-grid "><path fill="none" class="highcharts-grid-line" d="M 131.5 50 L 131.5 306" opacity="1"></path><path fill="none" class="highcharts-grid-line" d="M 197.5 50 L 197.5 306" opacity="1"></path><path fill="none" class="highcharts-grid-line" d="M 262.5 50 L 262.5 306" opacity="1"></path><path fill="none" class="highcharts-grid-line" d="M 328.5 50 L 328.5 306" opacity="1"></path><path fill="none" class="highcharts-grid-line" d="M 393.5 50 L 393.5 306" opacity="1"></path><path fill="none" class="highcharts-grid-line" d="M 458.5 50 L 458.5 306" opacity="1"></path><path fill="none" class="highcharts-grid-line" d="M 524.5 50 L 524.5 306" opacity="1"></path><path fill="none" class="highcharts-grid-line" d="M 589.5 50 L 589.5 306" opacity="1"></path><path fill="none" class="highcharts-grid-line" d="M 66.5 50 L 66.5 306" opacity="1"></path></g><g class="highcharts-grid highcharts-yaxis-grid "><path fill="none" stroke="#e1e6eb" stroke-width="1" class="highcharts-grid-line" d="M 67 306.5 L 590 306.5" opacity="1"></path><path fill="none" stroke="#e1e6eb" stroke-width="1" class="highcharts-grid-line" d="M 67 288.5 L 590 288.5" opacity="1">

So does someone have an idea of the type of this error? ==> ERROR pdfgen_utils:497 - Error parsing SVG. Exception ... Thanks for your answers.
Hi, I have 2 rows in my dashboard: 3 single value elements in a panel in the first row and one table in the second row. These 3 single values don't seem to align themselves properly. They seem to be left aligned. Is there a way to center these elements in the panel? Regards
What capabilities should I enable to permit user alert editing?
Hello, I have an on-prem Splunk cluster and an AWS cluster. Each one has its own indexers and cluster master, though only the on-prem setup has a search head and a deployment server.

When I use the deployment server to deploy configurations to a Splunk forwarder in AWS, it keeps failing to deploy. I have checked:
- The forwarder is installed on the machine to send logs
- The DS can contact the machine to send apps via port 8089
- I used tcpdump on the forwarder machine on port 8089 and can see packets from the deployment server

Unfortunately all I can get from the internal logs is this delightfully descriptive error message:

05-19-2021 08:04:42.818 +0200 WARN ClientSessionsManager - ip=<omitted> name=<omitted> Updating record for sc=<serverclass name> app=<app name>: action=Download result=Fail checksum=0

Can anyone suggest more areas to look at? I can't figure out why it is not deploying properly.
In an existing alert I found the following code:

... | fillnull Foo value="bar" | search Foo!=none ...

It seems that the result of the first line is that Foo always has a value. If that is so, then in which case could the second line have any effect? Does it really filter anything out? It seems that none is a reserved word in Splunk, but I was not able to find any definition of it in the Splunk reference manual. Any pointers to official Splunk documentation?
Hello, how can I check to see if a value is in one field first, and if not, check the next field? I have so far the below, which works, but I would like to use an if statement to check if team_name is in Blue first and if not then get the team_name from Red.

| eval Team_Color=case(team="Blue", team_name OR team="Red", team_name)

Any advice on how to use an if statement instead of case?
Hi all, I am running Splunk version 8.0.0 (Windows) on a single instance and want to install IT Essentials Work. I have downloaded the package, changed its extension from .spl to .tgz, and then used 7-Zip to extract the files as mentioned in the documentation. I then stopped Splunk, moved the folders/files to the '\splunk\etc\apps' folder and started Splunk again. Within the Splunk Apps drop-down the app does not appear; when I click on Manage apps I see the app, but there is no version number associated with it. Any assistance would be appreciated. Kind regards,
I am looking for a regex to remove the double quotes in the middle of the strings below:

message="filtername prefix "8610: ABCD: test purpose"
message="filtername prefix "CP9832: ABCD: test purpose"

I need to get:

message="filtername prefix 8610: ABCD: test purpose"
message="filtername prefix CP9832: ABCD: test purpose"

In props.conf I have updated as:

SEDCMD-removeDoubleQuotes = s/(\")\d/g

Will this help? I am learning regex.
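As written, `s/(\")\d/g` is not a complete sed expression: SEDCMD takes `s/<regex>/<replacement>/<flags>` and this one has no replacement section. Read as `s/(\")\d//g` it would also delete the digit after the quote, turning `8610` into `610`, and it would not touch `"CP9832` at all because that quote is followed by a letter. A practical caveat for any SEDCMD: it runs at index time on the instance that parses the data (indexer or heavy forwarder) and only affects data indexed after the change; the events already on disk keep their quotes. The Python below is an added example, not from the post, run on constructed lines shaped like the two above. The narrow approach is a single substitution and translates directly into props.conf as `SEDCMD-removeDoubleQuotes = s/prefix "(\w+:)/prefix \1/g`; the general approach strips every quote between the opening `message="` and the last quote on the line, which handles values with several stray quotes but is not one sed substitution.

```python
"""Remove stray inner double quotes from message="..." values.
Added example; the SEDCMD form of the narrow fix is given in the lead-in."""
import re

# Constructed input lines shaped like the two in the post, plus edge cases.
SAMPLES = [
    'message="filtername prefix "8610: ABCD: test purpose"',
    'message="filtername prefix "CP9832: ABCD: test purpose"',
    'message="already clean"',
    'message="filtername prefix "X1: two "more" quotes"',
]

# Narrow fix, one substitution, same shape as a SEDCMD: drop the quote that
# follows 'prefix ' and precedes an identifier ending in ':'.
#   props.conf equivalent:  s/prefix "(\w+:)/prefix \1/g
NARROW = re.compile(r'prefix "(\w+:)')


def sed_style(line):
    """Apply the single-substitution fix; untouched lines come back unchanged."""
    return NARROW.sub(r'prefix \1', line)


# General fix: keep the quote that opens the value and the last quote on the
# line (which closes it); every quote in between is noise. The greedy .*
# reaches the final quote, so inner quotes end up inside group 2.
VALUE = re.compile(r'(message=")(.*)(")')


def strip_inner_quotes(line):
    """Remove all quotes inside the message value, however many there are."""
    m = VALUE.search(line)
    if not m:
        return line
    return m.group(1) + m.group(2).replace('"', '') + m.group(3)
```

Before changing props.conf, run the narrow pattern over a day of the real events (the `rex mode=sed` search command accepts the same `s///` syntax) and confirm it changes only the lines you expect; a pattern that is too loose will silently rewrite other fields in the same sourcetype.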
We've been trying to set up the CIM data models in our environment. One that seems particularly useful is Network_Resolution (DNS). Network Resolution has just one dataset for DNS, and the events look like they intend to capture request and response data: answer, dest, message_type, query, query_type, reply_code, src. Of these, some are clearly related to the request and some are clearly related to an answer. Is the idea that the data model should be populated with just query data (no answer) for message_type=query, and just response data (no query/query_type) for message_type=response? Or is there some effort that should be made to correlate the requests and responses, so that each record contains everything where possible?

We did set up Splunk Stream to handle DNS. Splunk Stream tries to pair up request and response but seems to miss some pairings: I find that about 30% of DNS events from Splunk Stream have both request and response, ~40% have only the query, and ~30% have only the response. So it would be possible to add 30% of DNS events to Network Resolution with both query and response, but then the rest would have to be just query or just response events, missing the other fields. Or I could just split out the query and response from the joint records. Does anyone who uses Network Resolution (especially in ES) have a recommendation on how to do this?
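The correlation the post asks about is a join on the DNS transaction id with the addresses mirrored: a response belongs to the query whose id it echoes, whose `src` is the response's `dest`, and whose `dest` is the response's `src`, and it should arrive within a short window. The id alone is not enough; it is 16 bits and is reused constantly, so pairing on it without the address tuple joins unrelated conversations, which matters when the joined record is what a detection in ES reads. The Python below is an added example, not Splunk Stream's or CIM's code: it pairs constructed records that use the CIM field names from the post, emits joined events where a partner is found, and passes the rest through as query-only or response-only, which is the fallback the post describes. The `transaction_id` field and the `paired`/`duration` output fields are names chosen for the example; Stream's own field names may differ.

```python
"""Correlate DNS query and response records into joined events.
Added example; not Splunk Stream or CIM code."""
from collections import defaultdict

# Constructed records (made up for this example) using the CIM field names from
# the post plus a transaction_id to pair on.
RECORDS = [
    {"_time": 1.0, "message_type": "Query", "transaction_id": 0x1A2B,
     "src": "10.0.0.5", "dest": "10.0.0.53", "query": "example.com", "query_type": "A"},
    {"_time": 1.1, "message_type": "Response", "transaction_id": 0x1A2B,
     "src": "10.0.0.53", "dest": "10.0.0.5", "answer": "93.184.216.34", "reply_code": "NoError"},
    {"_time": 2.0, "message_type": "Query", "transaction_id": 0x0007,
     "src": "10.0.0.6", "dest": "10.0.0.53", "query": "internal.corp", "query_type": "AAAA"},
    {"_time": 3.0, "message_type": "Response", "transaction_id": 0x9999,
     "src": "10.0.0.53", "dest": "10.0.0.7", "answer": "", "reply_code": "NXDomain"},
    # Same 16-bit id as the first query but a different client: must not pair.
    {"_time": 4.0, "message_type": "Query", "transaction_id": 0x1A2B,
     "src": "10.0.0.8", "dest": "10.0.0.53", "query": "other.test", "query_type": "A"},
]

RESPONSE_ONLY_FIELDS = ("answer", "reply_code")


def pair_dns(records, window=5.0):
    """Join each response to the most recent unanswered query with the same
    transaction id and mirrored src/dest, seen at most `window` seconds earlier.
    A joined event keeps the query's _time/src/dest, gains the response fields
    and paired=True; unmatched records pass through with paired=False."""
    pending = defaultdict(list)   # (txid, client, server) -> waiting queries
    out = []
    for r in sorted(records, key=lambda x: x["_time"]):
        if r["message_type"] == "Query":
            pending[(r["transaction_id"], r["src"], r["dest"])].append(dict(r))
            continue
        key = (r["transaction_id"], r["dest"], r["src"])   # mirrored for a response
        candidates = [q for q in pending.get(key, []) if r["_time"] - q["_time"] <= window]
        if not candidates:
            out.append(dict(r, paired=False))
            continue
        q = candidates[-1]
        pending[key].remove(q)
        merged = dict(q, paired=True, message_type="Response",
                      duration=round(r["_time"] - q["_time"], 3))
        merged.update({f: r[f] for f in RESPONSE_ONLY_FIELDS if f in r})
        out.append(merged)
    for queries in pending.values():          # queries that never got an answer
        out.extend(dict(q, paired=False) for q in queries)
    return sorted(out, key=lambda x: x["_time"])


def pairing_stats(records):
    """Share of output events carrying both halves or one, like the post's 30/40/30."""
    out = pair_dns(records)
    both = sum(1 for e in out if e["paired"])
    query_only = sum(1 for e in out if not e["paired"] and e["message_type"] == "Query")
    return {"both": both, "query_only": query_only, "response_only": len(out) - both - query_only}
```

Whatever produces the joined records, the unpaired remainder is still worth keeping in the data model: a response with no query (the 10.0.0.7 NXDomain above) and a query with no response are exactly the shapes that asymmetric capture, spoofed replies and failed lookups produce, and dropping them to make the dataset look tidy removes evidence.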
Is it possible to restrict searches for a role based on an extracted field? I can see it can be done by index, but I would like to do it for an extracted field. I have roles for each customer and there is a field called customer, so customer #1 should only see data where customer=cust01.