Hi, I need to have a Splunk alert condition trigger an email alert when 51% of failures occurred out of the total (success + failures) number of responses over a period of time. For example: if Splunk gets total responses = 10 and the failure response count is >= 6 (more than 50% of the total number of responses), then trigger the alert (success count is 4 or less).

Hello Team, as per the screen below, the red panels are in trellis format. I need to add a drilldown on these panels class-wise. So please guide me on how I can use drilldown on these panels, so that whenever I click on any class it shows me the result. Here I used the drilldown $trellis.split<fieldname>$, but it is not working.

Hi! Is there another way to create a query with EventID ("user-created") and then EventID ("user deleted") within 5 min? I just want to create a correlation rule with two operations (one after the other) and display the relevant fields (with the "stats" command).

index=ph_windows_sec sourcetype=XmlWinEventLog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) earliest=-14d | stats values(TargetUserName) as TargetUserName, values(signature) as Message, count by Caller_User_Name | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") | transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 | where duration < 3600

Hi, I want to set up an alert when our daily volume license usage reaches/crosses 80%. Can someone help me with this? Regards, Rahul

Hi, I have an event that is an entire JSON. It looks something like this:

{
    Key1 : {
        KEY2: VAL2
        KEY3: VAL3
        ....
    },
    KeyX : {
        KEY2: VAL2
        KEY3: VAL3
        ....
    },
    KeyY : {
        KEY2: VAL2
        KEY3: VAL3
        ....
    }
}

Here Key1, KeyX and KeyY are unknown to me, meaning they can change all the time. I would get around 100 such sub-dictionaries. I just want the sub-dictionaries inside, as separate Splunk events:

{
    KEY2: VAL2
    KEY3: VAL3
    ....
}

I have tried a lot of different search queries using spath, but nothing seems to help. Could someone please help me with this? I very much appreciate it.

How do I obtain a "list of suspicious IP addresses that attempt to make an unauthorized web connection having a duration of longer than 1 minute" using a Splunk search query?

Hello, I downloaded and installed Splunk Enterprise 7.3.8 64-bit and Splunk DB Connect on Windows 2012 R2 64-bit. Splunk DB Connect Version: 3.5.1, Build: 4. I keep getting this error when I set up Splunk DB: "Cannot communicate with task server, please check your settings." I installed C:\Program Files\Java\jre1.8.0_291; JAVA_HOME is C:\Program Files\Java\jdk1.8.0_291. Can anyone give me some advice?

Hi all, I would like to extract from the intranet weblog (IIS log) the top pages grouped by department, to see which pages are most viewed by each department. I can use the cs_username field to identify the department, and with the following query I can count the total activity by department:

sourcetype="iis" index=intranet | fields cs_username | rex field=cs_username "(?i)mydomain\\\(?<username>[^\s]*)" | stats count as events by username | table username events | lookup address.csv Email as username | fillnull value=- | stats sum(events) as total_events by department

Now I would like to extract the most viewed pages (cs_uri_stem) grouped by department. How can I do that? Thank you in advance!

Hi, this is a default standalone setup. I'm trying to get data in from a network device which sends data as syslog on UDP/5114. I've configured UDP/5114 on Splunk. Here are the screenshots of the config: [screenshot: udp_data_input] [screenshot: udp_data_input_details]. I've confirmed that the splunk process is listening on port 5114: [screenshot: udp_listener]. I've also confirmed that I'm getting data on the host, so there is no network routing or firewall issue. Below is a screenshot of MS Network Monitor showing data received on port UDP/5114: [screenshot: data_on_5114]. Yet no data is coming into the Splunk instance: [screenshot: no_events_in_splunk]. Please help resolve this. -- Thanks & Regards.

Hi all, I am really new to this, so please bear with me. I have an Indexer cluster, an SH and a DS, and one server where the UF is sending data to the indexers. It is recommended to install the "Splunk Add-on for Unix and Linux" on the SH, right? Now how do I configure it there? I chose the File and directory input, but I only get error messages for the scripted metrics and events inputs, and I cannot pick the Index. "Search produced no results." is the error message in the UI. I'm confused. Can someone please help me with this? Thank you so much, Oj.

Hello everyone, I'm new to Splunk. My issue is how to make an EXCEPT SQL query in SPL. Something like the following:

index="trainning" sourcetype="userList" | rex field=userId "\w(?<codeId>\w+)" | WHERE NOT codeId IN [ search index="trainning" sourcetype="adminUserList" | table adminId] | table userId userName userProfile

The problem is that the subsearch doesn't return its result in the appropriate format, such as ("adminid1", "adminid2", ..., "adminidN"). Thanks in advance for your answers and solutions. Sorry, I modified my question to take into account the real SPL query issue (I wasn't in front of my Pro PC last time).

Hey Splunk Gurus! I have been going in circles trying to get a query going to give me a pie chart on what I would have thought is relatively straightforward JSON data. Here's what the JSON looks like. I'd like the pie chart composed of all the pink arrow field values. Can someone help? Thanks so much! Keiran.

How do I open Splunk to use it? And what is the command to find out the device IP address?

Hello, I am new to Splunk. I posted this before but didn't get a reply, so I am posting again. Currently, I am trying to send one alert to a test website (located at localhost). The web app is made with Python and Flask, by the way. Is there any way I can do that with a workflow? If not, then are there other ways? Can someone show me the steps? Thanks a lot.

Hi everyone, I have logs like the line below. I want to split the content of the request_headers field at search time. I tried to use spath, mvexpand, and the split command, but without success. Could you help me? This log was anonymized using the scrub command.

{"account_id":"000000000aaaa","audience":"qhau812n","caller":"christopher/logging.az:272","duration_seconds":5.1q-07,"forwarded_for":"43.021.022.16","host":"blue_car.n1l-prod.com","cassaundra":{"annotations":{"irmgard.p2z.coy/wxcmfcoKsdhourfZjjnnoe":"disabled","checksum/margarita":"721637kh01d24w0ww0kum20552n0vuuo0dih06y01061pmbq06223004f30230b1","cluster-marquerite.cassaundra.ws/safe-to-evict":"true","nga.christene.com/role":"aqsmvuyjwazaff-role-zlm912-0a","denisha.cassaundra.ws/guillermiNa":"1010-04-00I03:18:07-04:00","cassaundra.ws/bee":"ena.privileged","reloader.valentin.com/auto":"true"},"container_hash":"205509154532.blue.john.zzabc.christene.com/aqsmvuyjwazaff@rzv013:02vn2k3o301sql10le02ysn1jb42050gt2100k1b112lq72f1243v0601ao8j34x","container_image":"205509154532.eva.ken.zlm912-0a.christene.com/aqsmvuyjwazaff:10123u1","container_name":"aqsmvuyjwazaff","tressa_id":"2w0z641dn0155r0jn0e126ozu0be001uvb1ebz0470g55u11401x0zj1dt000djq","host":"ip-00-116-16-002.js1.internal","labels":{"app":"aqsmvuyjwazaff","app.cassaundra.ws/component":"yolando","app.cassaundra.ws/instance":"aqsmvuyjwazaff","app.cassaundra.ws/managed-by":"Helm","app.cassaundra.ws/name":"aqsmvuyjwazaff","app.cassaundra.ws/version":"10123u1","chart":"yolando-0.11.5","helm.sh/chart":"yolando-0.11.5","helm.sh/timestamp":"10200111020100","heritage":"Helm","pod-template-hash":"543312340d","n1l-architecture":"az-kit","n1l-cluster":"ena-svc","n1l-peter":"true","n1l-https":"true","n1l-yq":"false","n1l-hildegarde":"true","n1l-service-version":"10123u1","n1l-splunk":"true","n1l-tier":"yolando","grocerystore.ami/architecture":"az-kit","grocerystore.ami/cluster":"ena-svc","grocerystore.ami/peter":"true","grocerystore.ami/https":"true","grocerystore.ami/yq":"false","grocerystore.ami/hildegarde":"true","grocerystore.ami/selector-label":"aqsmvuyjwazaff","grocerystore.ami/splunk":"true"},"alexandra_name":"n1l","pod_id":"z50s6323-x5zm-435e-p1m2-tdqr6383m030","pod_name":"aqsmvuyjwazaff-deployment-543312340d-gc0is"},"level":"error","method":"GET","method_name":"AlrYcgwqpofDngmftgihrqpZzmhcWbXnsbhmpl","msg":"completed request","proto":"HTTP/1.1","remote_address":"12.10.21.0:25004","request_headers":"{\"Accept-Encoding\":[\"gzip\"],\"Origin\":[\"www.grocerystore.ami\"],\"User-Agent\":[\"Evelia AufroSuwbg\"],\"Via\":[\"1.1 0010z4437f3bd4031q6cfn0051l0h10b.aufrosuwbg.net (AufroSuwbg)\"],\"X-Bob-Mk-Id\":[\"MlxVFb3Yiob0Qh5l_wPlZf_kmtQiRAkvLSBvxIYQR1NhgR46KuE1ct==\"],\"X-Forwarded-For\":[\"43.021.022.16\",\"12.10.20.14\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Oe-Fingerprint\":[\"y-lue-db-l-x-x-013wj11b-00000000-471uga2k-00000000-p2wcw222-n-x-1.1-u-x-x-n-n\"]}","request_path":"/tad/x-mens/availability/bear/113202/month?start_date=1010-07-00J00:00:00.000H","response_code":400,"response_size":0,"felicitas_body_strings":[],"stacktrace":"*errors.charlEsetta client:query not encoded\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/blue_car/shared/helper_functions.az:226 (0n01g02n7)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/blue_car-server/rest-blue_car/transport_availability.az:005 (0d02p000c)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.cgmwskbczdos.com/N1L/H0IFrylh/christopher/server_options_http.az:021 (0tkg64ou)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.com/az-kit/kit/transport/http/server.az:102 (0jo23322)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.com/azrilla/lan/lan.az:100 (0m0332102)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.com/azrilla/handlers/russ.az:106 (0m602mx7)\n/usr/local/az/src/net/http/server.az:1830 (0y10q110)\n/usr/local/az/src/net/http/server.az:0620 (0e70433a)\n/usr/local/az/src/runtime/rae_qmd51.s:1310 (0t150fa0)","stream":"marlon","time":"1010-04-02B00:59:08.056537201B","transaction_id":"00v0002j-1n7s-3m23-5kw4-264164hj13p0","ts":"1010-04-02B00:59:08.083V","type":"HTTP"}

Thanks.

Hi Everyone, I have one requirement. I have one CSV file, JOB_MDJX_CS_EXTR_STATS_2.csv, from which I am getting the Rundate2 field in the below format:

210510
210507

So I have added the variable 20 and created a new field Run_date1 like this. I have used the below query:

|inputlookup JOB_MDJX_CS_EXTR_STATS_2.csv|eval y=20|eval Run_date1= y."".RUNDATE2|stats count by Run_date1

My result is this:

Run_date1    count
20210429     2
20210430     21
20210501     15
20210503     29
20210504     26
20210507     5
20210510     2

Now I have converted Run_date1 into date format and also created a nowdate column in date format, as shown in the below query, and then compared them as shown in the below query:

|inputlookup JOB_MDJX_CS_EXTR_STATS_2.csv|where Environment="E1"|where JOBFLOW_ID LIKE "%%"|eval y=20|eval Run_date1= y."".RUNDATE2|eval Run_Date=strftime(strptime(Run_date1,"%Y%m%d"),"%d/%b/%Y")|eval nowdate=strftime(relative_time(now(), "-7d@d" ), "%d/%b/%Y")|where Run_Date>=nowdate|table nowdate Run_Date

But the issue I am facing is that I am getting the result like this: if nowdate is 7th May, as per the query it should show only the results equal to and greater than 7th May, but why is it showing 30th April and 29th April? It should show only 7th May and 10th May. Is my date format for Rundate and nowdate not correct in the query?

Can someone please guide me on this?

nowdate        Run_Date
07/May/2021    10/May/2021
07/May/2021    10/May/2021
07/May/2021    07/May/2021
07/May/2021    07/May/2021
07/May/2021    07/May/2021
07/May/2021    07/May/2021
07/May/2021    07/May/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    30/Apr/2021
07/May/2021    29/Apr/2021
07/May/2021    29/Apr/2021

Greetings: I inherited a Splunk instance. We use CyberArk to manage our passwords for the Web GUI and CLI. Here is my problem: both passwords in CyberArk allow me a successful login to both interfaces. For the CLI, I log in as the splunk user and run some commands, and I am prompted for the username: admin, password: XXXXX. The passwords fail to log in. I.e., is the admin account managed somewhere else, other than CyberArk?

Hi All, in the internal logs I see this eval command error:

ERROR EvalCommand - Error in 'eval' command: The expression is malformed. An unexpected character is reached at '*)/86400)'.

But it does not provide more details, like which search query / search report / alert caused this error message. I searched about this, but no luck. Could someone provide some suggestions please? Thanks.

Hi Everyone, I am trying to add a banner to the Splunk login page. Though we can add it using HTML & CSS under login_content in the web.conf file, we are trying to pass the banner message dynamically. Currently we are using a lookup to store the banner message and update it uniformly in all the dashboards. Is there any way we can use the same lookup in the web.conf file? Thank you.

I have scheduled reports which send a PDF via sendemail. But after upgrading Splunk to 8.1.3 it's not working; I am seeing an "Invalid address" error as below:

112 -0400 ERROR sendemail:522 - (501, b'5.1.7 Invalid address', 'SPLUNK@serverdomainname') while sending mail to: abc@xyz.com

Is there any way that I can change the "From" address? Thanks in advance!