Dear all, I want to insert a value into a subsearch using the search result as a variable. Run the following search to get your own username. Is there a way to search again with my username?

=========================================
| rest /services/authentication/current-context
| table realname
=========================================
realname
------------------------------------------
M_sugiyama                               ← use this value as a variable
=========================================
index=AD "M_sugiyama"      ← I want to search by assigning the variable to the next subsearch
=========================================

Do you have a good idea?
For the query below, I am searching for the values of the 2nd occurrence of earliest and latest so that the timechart returns superimposed data from the current time minus 2 hours and last week's data for the same time frame (2 hours).

index=sample sourcetype=hello "*abc*" earliest=-120m@m latest=now
| multikv
| eval ReportKey="today"
| append [ search index=sample sourcetype=hello "*abc*" earliest=... latest=...
    | multikv
    | eval ReportKey="lastweek"
    | eval _time=_time+86400 ]
| timechart span=5m count by ReportKey usenull=false useother=false

Thanks in advance!
How do I maintain my indexer clustering to keep indexer data intact for disaster recovery? Thank you.
How do I back up the Splunk Enterprise Security app? What components need to be backed up, and how often? I have already documented a short plan to back up Splunk Enterprise.
I am aiming to provide headers for my generated report. I have 3 hosts: host1, host2 and host3. My report is configured with -7d@d to -1d@d (past 7 days). I would like to use makeresults for the following output:

HOST    DATE
host1   Date1
host1   Date2
host1   Date3
...
host1   Date7
host2   Date1
host2   Date2
...
...
host3   Date7

I have tried the following:

| makeresults
| eval HOST="host1 host2 host3"
| makemv delim=" " HOST
| mvexpand HOST

and a combination of

| bucket _time span=1d
| stats count by HOST, _time

I'd appreciate any insights into this, thanks!
Hello, I'm new to Splunk and trying to add a logo/icon to an app. I've followed the guidelines for required filenames and dimensions (I also tried making the dimensions smaller than the max). I was unable to find this -> $SPLUNK_HOME/etc/apps/appname/static/ so I've saved it in /opt/splunk/etc/apps/appname/static, assuming it's the same, but maybe I'm wrong? The static folder didn't exist before I created it. I've restarted my Splunk and nothing; hopefully somebody can tell me what I'm doing wrong.
I would kindly need some help with a query I am not able to create. I have inputlookups as the source, and I want to filter with rows from another inputlookup. Simplified:

| inputlookup errmess_dev.csv
| append [| inputlookup errmess_prod.csv]
| table env,msg

DEV     we are running out of cola too much sugar
PROD    we are running out of wine better take juice
PROD    we are running out of beer not so good

I have another inputlookup which should be used as a filter.

| inputlookup filterlines
| table filter

running out of wine
out of cola

I want to establish this: build the search filter from the inputlookup. How can I do this? Or is there perhaps a better way?

| inputlookup errmess_dev.csv
| append [| inputlookup errmess_prod.csv]
| table env,msg
| search NOT (msg="*out of beer*" OR msg="*out of wine*")
| table env, msg

Any help is appreciated. Regards, Harry
Hi all, please help me to install the write_http plugin for collectd for collecting data for Splunk on RHEL 7.9. I found the exact command in https://community.splunk.com/t5/All-Apps-and-Add-ons/Could-not-find-plugin-quot-write-http-quot-in-usr-lib64-collectd/m-p/341525#M41214:

yum -y install collectd collectd-write_http.x86_64

But it fails due to a missing package in the repository:

No package collectd available.
No package collectd-write_http.x86_64 available.

Where can I find the exact RPM package?
I want to concatenate strings with special characters like "\t" and the Unicode char "\u0006". I tried

| makeresults
| eval str="a"."\t"."b"

and got

a\tb

But what I want is

a	b

Also, I tried

| makeresults
| eval str="a"."\u0006"."b"

and got

a\u0006b

What should I do?
Hi, I have 2 indexers and I have set them in outputs.conf, but my logs are indexed in one of them. I guess load balancing doesn't work well. I want to know how I can tell whether load balancing works well, as one of my indexers is getting full but the other is not. We have 2 clustered indexers. Thanks.
Example:

field1=ADOBE INC.
field2=ADOBE SYSTEMS&sep1; INCORPORATED

I want to match this as both fields containing "ADOBE" in the string. I am an advanced beginner to Splunk. I have tried the condition below in my Splunk search but no luck (it did not work):

..........| eval results= if(like(field1,"%".field2."%"),"Yes","No")

Please help; it is appreciated. Thank you :)
Because we are unable to use the monitoring console in Splunk Mobile, I would like to create our own monitoring console dashboard of sorts, beginning with these searches: status, CPU usage, and memory usage of indexers and search heads. Does anyone have these searches available or know where I can locate them? See the attached screenshot for an example. Thanks
I have deployed ChargeBack on Splunk Cloud, and the sc_admin is not allowed to have the dispatch_rest_to_indexers capability. My question is how I can replace the | rest calls in their searches to achieve the same results. The main initial search is

| rest /services/data/indexes splunk_server=*

Thanks, -CC
Hey Splunkers, while I have been able to be self-sufficient in most cases, I have one application log server which is driving me crazy. We have a working file monitor, but even though all files are in the correct timezone on the source system, they end up 4 hours in the future on Splunk Cloud. All other log files from the same middleware application park are correct. We deployed it to our UF and all HFs before sending to Splunk Cloud.

Our props.conf is:

[oid.prod:log]
MAX_TIMESTAMP_LOOKAHEAD = 26
TZ = UTC
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%6N
LINE_BREAKER = ([\r\n]+)

The source event is like:

2021-05-07 20:26:19.3921 "OID" - - - "83270" - - "UserLogout" TRUE - "cn=remedyadmin,cn=service_accounts,dc=dsd,dc=xxxxxx,dc=com" "Operation name: unbind" - "10.3.79.10" - - - - "unbind" -

The event time is: 2021-05-07T20:26:19.392-04:00

So how can I fix this so I can avoid selecting All Time to display that sourcetype, which is 4h in the future? All timezones are set to Eastern in Splunk. I am at a loss here and have a similar issue with a syslog source on a different cloud-based system.
Hello, I am currently using a trial instance of Splunk Cloud. I am running into an issue with the Cloudflare App for Splunk and would like to try removing and reinstalling it. Unfortunately, it looks like uninstalling an application requires assistance from tech support. Since this is a trial, I do not have an active support contract. Do I have to simply de-register my account, allow the Splunk Cloud instance to terminate, then request a new trial instance or is there an option to submit a support case for help during a trial? Thank you for any assistance you can provide. -JeffH
I have installed the Security Essentials on the Enterprise Security server. How do I make the KVstores in ES available to the Security Essentials for use?
Hi Splunk Gurus, I would like to know if this is possible. Scenario: I have a webhook alert named Onboarding. The output of that search has a field called Usernames1 which has 1000 entries. I want to set up a new alert called Leaving, and it will have its own search which outputs another set of data into a field called Usernames2. My problem: I want the alert Leaving to compare its field Usernames2 to the Onboarding alert's field Usernames1 AND, if there is a match, output the matching results to a new field called match. A bit on the complex side, but can that be done? Please help with the syntax.
We are having trouble managing the permissions on MLTK models. The base search will initially write the model to a private file; when we change this model's permissions to public, the search will write to a new model back in the private directory of the owner of the base search. Has anyone else experienced similar issues or found a solution for this?
I have O365 logs in Splunk. I want to find all shared files/folders and display the sensitivity labels of these files. All valuable information is in the same sourcetype (sourcetype="o365:management:activity") but in separate log rows. I want to see on my dashboard: CreationTime; ObjectId; Operation; SensitivityLabelId; Location; ProcessName; ProductVersion

"CreationTime": "2021-05-06T20:19:44"
"ApplicationName": "Microsoft Azure Information Protection Word Add-In"
"EventData": "<Type>Edit</Type><MembersCanShareApplied>False</MembersCanShareApplied>"
"Location": "On-premises SharePoint"
"EventSource": "SharePoint"
"ProcessName": "WINWORD"
"ItemType": "File"
"ProductVersion": "2.9.116.0"}
"ObjectId": "https://[FILE_FULL_PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx"

"CreationTime": "2021-05-06T20:13:57"
"Operation": "AnonymousLinkCreated"
"DataState": "Use"
"RecordType": 14
"ObjectId": "https://[FILE_FULL_PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
"SiteUrl": "[MY_PERSONAL_DRIVE]"
"Operation": "Access"
"SourceFileExtension": "docx"
"ProtectionEventData": {"IsProtected": true
"SourceFileName": "TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
"ProtectionOwner": "test@mail.com"
"SourceRelativeUrl": "[PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
"ProtectionType": "Template"
"UserId": "test@mail.com"
"SensitiveInfoTypeData": []
"Workload": "OneDrive"}
"SensitivityLabelEventData": {"SensitivityLabelId": "70fd9a0e-0d31-4c8e-9c48-fa8ba4ec32c0"}
"UserId": "test@mail.com"
"UserKey": "test@mail.com"
"UserType": 0
"Version": 1
"Workload": "Aip"}
How can I make table cells into buttons? I would like the cells in a table to be buttons that launch a query. Is that possible?