Hi community, I need to create Jira issues based on alerts in Splunk and I think that this add-on might be the right one: https://splunkbase.splunk.com/app/5037/#/details
I work in a distributed environment, with a search head cluster. I think that the add-on should be installed on a search head based on its functionality, but I couldn't find any doc about it. If that is right, do you know if a search head cluster is supported?
Thank you in advance,
Marta
Hi, I did a search to change the name of the field with the value of another field (| eval {entity} = "bar") but it is not good for my search; it also displays the events only with | makeresults, which is not good for me. I would like to rename the field based on the month we are in. This is my query:

index=ala * sourcetype=segn
|fields - _*
|search NOT STATO_WFS_LA IN("6261","11084")
|eval CST=strptime(CAMBIO_STATO, "%Y-%m-%d")
|eval IMA=relative_time(now(), "-0mon@mon")
|eval FMP=relative_time(IMA, "-1d@d"), NFMP=strftime(FMP,"%B")
|eval DAMA = if(CST>=IMA,1,0)
|stats sum(DAMA) as CURRENT_MONTH by STATO_SEGN
|transpose 13 column_name=STATO_SEGN header_field=STATO_SEGN

I would like CURRENT_MONTH to become May or June based on the NFMP variable. Is it possible? I am looking and trying various solutions, to no avail.
Thanks, regards,
Antonio
Hi, I have a column with the following name: transactionId: N/A. The value after ":" can take on more values, e.g. transactionId: start. How can I rename it so that it always takes the value transactionId? Thanks for your help,
Simone
I want to export data from Splunk via REST API. I've been wondering whether there is a good "Splunk export" solution that can help me send my query output/result to a third-party application with the help of a REST API. I have created a saved search in Splunk, and now I want to export the output of my saved search to a third-party application on a regular interval (once a week); I have the API details of that application with me. I checked the webhook option but that was not much help, since the payload is fixed in that and can only be used with the Alert type. Can anyone please suggest any other way?
Demo query: index=main | timechart avg(page)
Example API: https://webhook.site/66e9b123-ee72-4621-98bb-4ab23a46d1e8
Happy to clarify more details if required.
Hi, I just have a quick question. Should I somehow hide the app key when I'm configuring the JavaScript agent (JavaScript injection into HTML) so it won't get stolen or used to send fake data?
Cheers, Jacek
Hi, are there any plans to upgrade this to Python V3? https://splunkbase.splunk.com/app/3596/
We use it to send alerts to Netcool via SNMP traps but it failed the Python compatibility test as below...

Netcool SNMP Alert App for Splunk
Public App
Fail Details: This app is not compatible with Python 3.
Version: 3.0
Application Path: C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert
Required Action: Do one of the following:
- Petition the developer to update the app.
- Uninstall the app from the app listing page.
- Take ownership of the app and override existing code (not recommended).
Please, I need a detailed step-by-step process on how I can install the Splunk Universal Forwarder on 1000 Linux Red Hat servers using Ansible. Is there any automated process to do it? How would you set up an Ansible playbook to do this task?
Hi Team, I have a question regarding log details in Splunk.
1. How is response time generated in logs?
2. Where does it get configured?
If a panel in a dashboard refreshes every hour, and I want to show what time it refreshed in a text area (like "As of 4pm", "As of 5pm", etc.), any idea how to implement it?
Hello everyone! I am new to Splunk and trying to access the Apache web log for practice, but I am unable to access it. Can someone please help me out with how to configure my Mac to access the log?
Note: 1) I am unable to find access.log in apache2 in var.
I have found a dashboard visualisation where we are using an eyes-on-glass alert when one of the hosts is not being ingested into Splunk. I have found out (the hard way) that the below query will of course never alert on a zero count, because if one of the hosts is NOT ingesting, it does not return a value.

|tstats count where index=prod_s3 sourcetype=WinEventLog:Security (host=host1 OR host=host2 OR host=host3 OR host=host4) by host
|stats min(count) as count
| eval unit=if(count>0, "🗸", "⚠")

Any suggestions as to a better way to phrase this statement?
I can't seem to find any Splunk add-on for this Metricbeat log. Currently, how do you parse such a log in?
Hello - I have the following log that will not line break using the traditional ([\r\n]+). Each event splits between: "Properties": {
Here is what I have tried in my props.conf:

[mysourcetype]
BREAK_ONLY_BEFORE=\"Properties\"\: \{
LINE_BREAKER=^{
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
MAX_EVENTS=40000
SHOULD_LINEMERGE=true
disabled=false
pulldown_type=true

Sample data:
{ "computers": [ { "Properties": { "haslaps": false, "highvalue": false, "name": "DATA", "domain": "DATA", "objectid": "DATA", "distinguishedname": "DATA", "description": null, "enabled": true, "unconstraineddelegation": false, "serviceprincipalnames": [ "DATA", "DATA", "DATA", "DATA", "DATA", "DATA", "DATA", "DATA" ], "lastlogontimestamp": 1501470433, "pwdlastset": 1500622271, "operatingsystem": "DATA" }, "AllowedToDelegate": [], "AllowedToAct": [], "PrimaryGroupSid": "DATA", "Sessions": [], "LocalAdmins": [], "RemoteDesktopUsers": [], "DcomUsers": [], "PSRemoteUsers": [], "ObjectIdentifier": "DATA", "Aces": [ { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": DATA }, { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": false }, { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": false }, { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Unknown", "RightName": "DATA", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "GenericAll", "AceType": "", "IsInherited": true }, { 
"PrincipalSID": "DATA", "PrincipalType": "Unknown", "RightName": "GenericAll", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "WriteDacl", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "WriteOwner", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "GenericWrite", "AceType": "", "IsInherited": true } ] }, { "Properties": { "haslaps": false, "highvalue": false, "name": "DATA", "domain": "DATA", "objectid": "DATA", "distinguishedname": "DATA", "description": null, "enabled": true, "unconstraineddelegation": false, "serviceprincipalnames": [ "DATA", "DATA", "DATA", "DATA", "DATA", "DATA", "DATA", "DATA", "DATA", "DATA" ], "lastlogontimestamp": 1506599859, "pwdlastset": 1505682659, "operatingsystem": "DATA" }, "AllowedToDelegate": [], "AllowedToAct": [], "PrimaryGroupSid": "DATA", "Sessions": [], "LocalAdmins": [], "RemoteDesktopUsers": [], "DcomUsers": [], "PSRemoteUsers": [], "ObjectIdentifier": "DATA", "Aces": [ { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "Owner", "AceType": "", "IsInherited": false }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "GenericAll", "AceType": "", "IsInherited": false }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "GenericAll", "AceType": "", "IsInherited": false }, { "PrincipalSID": "DATA", "PrincipalType": "User", "RightName": "GenericAll", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "GenericAll", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Unknown", "RightName": "GenericAll", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "WriteDacl", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "WriteOwner", "AceType": 
"", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "GenericWrite", "AceType": "", "IsInherited": true } ] <...truncated...> Any suggestions on how I can get this to break properly & extract the field value pairs?  Thank you!
I would like to know how I go about changing my username.
Hello, I have alerts that look like below:

May 13 17:15:30 11.2.3.22 0000017768: NOXXXXXX10A: May 13 2021 17:15:30.467 -0400: %XYZ_11_6_INFRASTRUCTURE-4-SNMP_CONNECTION_FAILURE: Connection to the SNMP Subagent failed. Retrying next port in specified minutes. [id:9909]
host = 11.2.3.22 | source = XYZ | sourcetype = ABCD_syslog

May 7 21:29:20 11.2.3.22 0000043782: NOXXXXXX10A: May 07 2021 21:29:20.259 -0400: %XYZ_11_6____________IVR-3-API_INFO: VXML connection RESET RemoteAddress=11.2.3.24,RemotePort=40517,LocalAddress=11.2.3.22,LocalPort=8002 [id:3205]
host = 11.2.3.22 | source = XYZ | sourcetype = ABCD_syslog

Basically, I am trying to report a count of unique alerts such as "Connection to the SNMP Subagent failed" and "VXML connection RESET" for host 11.2.3.22, so that in the dashboard, when I select host 11.2.3.22, it gives me a count of unique alerts for the past 24 hours. I also want to create another dashboard that gives me a dropdown of all these unique alerts (it should be substrings such as "VXML connection RESET", "Connection to the SNMP Subagent failed.") for source XYZ in the past 24 hours.
Trying to understand if the Splunk app for Salesforce has support for Real-Time Event Monitoring events from Salesforce, as this is a synchronous process and events are captured in big objects. Does the Splunk app for Salesforce support reading logs from big objects?
I want to keep the Windows Remote Registry service turned off on my Windows machines. I decided to use Splunk to monitor the service and see if anything turns it on. It turns out that Splunk is actually turning the service on and off throughout the day. This is probably because I'm using WinRegMon to monitor the registry.
Does Splunk actually require the Remote Registry service? Or is this something I can disable? I was wondering why Splunk turns the service on for remote use when the Splunk forwarder is installed locally on the Windows machine.
Here is an example of what I have in my inputs.conf:

[WinRegMon://RegistryMonitor]
baseline = 0
disabled = 0
hive = HKEY_USERS\\.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = C:\\.*
type = rename|close|set|delete|open|create|query
Hello guys, I hope you are doing great! Stay safe during these times.
I was wondering if it was possible to correlate events after using the stats command. I have encountered this issue: I have to run a multisearch to keep track of all of my cx reservation codes, payment status and destinations. Because of the way this was implemented in our system, I extract the reservation codes and the payments' status from two different indexes like so:

| multisearch [| search index=rev | fields rev_code, id, destination] [| search index=pay_cx | fields rev_code, id, pay_status]
| stats values(pay_status) as pay_status values(destination) as destination by id, rev_code

Which gives me the destination and payment status by id and reservation code, which is important since one id can be linked to multiple reservation codes... But now I want to add to this table the category of the customer, "A", "B" or "C". To get this I can use this:

index=cx_pers_info | fields category, id

but if I run stats again or another search I get either an error or nothing. I know this is because the events of "category" do not have a rev_code, but how can I add the category field to my previous table? Thank you so much for the help, you guys, I am sending you the biggest hug.
Kindly, Cindy
I have a CSV with several hundred email addresses and I am trying to run a report to determine which accounts are active, and their username within our domain. Is there a way to do this simply within Splunk?
Hi All, I am a newbie in the Splunk world and looking for some help in structuring my query. I have an index with data like this:

index="something" sourcetype="Datas" State="Agreed"

_tim        ID  State
13/05/2021  01  Agreed
13/05/2021  02  Draft
13/05/2021  03  Agreed
13/05/2021  04  Agreed
13/05/2021  05  Agreed
12/05/2021  01  Agreed
12/05/2021  02  Draft
12/05/2021  03  Agreed
12/05/2021  04  Agreed
12/05/2021  05  Agreed
11/05/2021  01  Agreed
11/05/2021  02  Draft
11/05/2021  03  Agreed
11/05/2021  04  Agreed
11/05/2021  05  Draft
10/05/2021  01  Agreed
10/05/2021  02  Agreed
10/05/2021  03  Agreed
10/05/2021  04  Agreed
10/05/2021  05  Draft
09/05/2021  01  Agreed
09/05/2021  02  Agreed
09/05/2021  03  Agreed
09/05/2021  04  Agreed
09/05/2021  05  Draft

I am looking to build a query that will show me all the fields that have changed between the last 7 days and today (13/05/2021), based on the ID. The output will be like this:

_tim        ID
13/05/2021  05
10/05/2021  02

I am able to compare today to tomorrow, but I need to monitor what the changes were over the last 7 days:

index="something" sourcetype="Datas" State="Agreed" earliest=-0d@d latest=now
| append [search index="something" sourcetype="Datas" State="Agreed" earliest=-1d@d latest=-0d@d ]
| eventstats count by DoorsUUID
| where count="1"