Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Could you please guide me on how to use Font Awesome in Splunk dashboard tables? Kindly note I don't want to use the Status Indicator viz. Unicode affects the dark theme. So my requirement is to use Font Awesome in Splunk dashboard (dark theme) tables without JavaScript.
Hi there, I'm experimenting with a single machine/single instance of Splunk Enterprise, using a set of static data in CSV format. I successfully ingested the initial data from the CSV file; however, when I add subsequent records to the CSV file, Splunk seems unaware of the new data. How can I set things up so that Splunk will recognise the new data and update the dashboards I have created for monitoring the data dynamically? Kind regards, Paul J.
Hi guys, I know this has been asked many times before, but it just won't work for me, hence the question. I have one index with two sourcetypes. Both sourcetypes have a field called host. All I want to do is find hosts that exist in sourcetype 1 but not in sourcetype 2. So index=eventlog, sourcetype=security and sourcetype=application. Both have fields called host. I want to know the hosts that exist in the security sourcetype but not in application. I have tried:

index=eventlog sourcetype=security | search NOT [ search sourcetype=application | stats count by host ]

index=eventlog sourcetype=security NOT [ search sourcetype=application | stats count by host ]

I was also looking into the append method but haven't found luck there either. So, how do I find hosts that are in sourcetype=security but missing in sourcetype=application? Any help is greatly appreciated in advance.
Hi, I need to convert a specific number from 0 to 23 to 00:00:00 format. I used the following in my statement, but I am getting a blank in my eventHour field:

eval HOUR=(if (isnull(HOUR),"0",HOUR)) | eval eventHour=strftime(strptime(HOUR,"%k"),"%H")

This will be used to rebuild the _time:

eval _time=strptime(DATE." ".HOUR,"%Y-%m-%d %H:%M:%S")
Hello - When choosing color ranges for table cell values, is there a way to specify the "from" min to be any value other than 0? I would like min to = 70. I went through this: https://docs.splunk.com/Documentation/Splunk/latest/Viz/TableFormatsFormatting#Format_table_columns but I did not see an option. I also went through this: https://docs.splunk.com/Documentation/Splunk/latest/Viz/TableFormatsXML and found no mention of it. Thought I would ask here. Thanks!
I have a dataset that shows the logins by date and unique session code for each user that visits the webpage of a bakery. I am trying to come up with code that allows me to determine whether this is the first, second, third and so on visit of this customer, in other words the "nth_visit".

USER   LOG_DATE    TX_REV
ALEX   30/04/2021  uyjd
MARY   30/04/2021  dn89
DOLLY  30/04/2021  nqmd0
FRANK  29/04/2021  nsj456
MARY   29/04/2021  zlpa2
DOLLY  29/04/2021  s09dm
ALEX   28/04/2021  jds02
MARY   28/04/2021  kqos98
DOLLY  28/04/2021  uiskk0

This would be my desired result:

USER   LOG_DATE  TX_REV  nth_visit
ALEX   44314     jds02   1
ALEX   44316     uyjd    2
DOLLY  44314     uiskk0  1
DOLLY  44315     s09dm   2
DOLLY  44316     nqmd0   3
FRANK  44315     nsj456  1
MARY   44314     kqos98  1
MARY   44315     zlpa2   2
MARY   44316     dn89    3

A table that has the "nth_visit" to the website for each attempt of the visitor. Thank you so much guys.
Good morning Splunk Land, I am looking to ingest an older data set from Cisco known as Cisco TACACS. Does anyone have a good recommendation on the best app out there in Splunkbase? There are multiple apps for Cisco out there, but I am just looking to get parsing done at this point. So if I don't have to re-invent the wheel, I will hold off on that project. My guess is the ACS app, but I do not want to assume. Thanks, Dan
Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:31872 [30/Apr/2021:09:13:30.362] verint rest_service/rest-hostname-8780 0/0/0/10/12 302 1973 - X-CSRF-TOKEN=NtOTKgh2hfTpjwTuRmx269ZR5qQhDRUtAOf0 ---- 32/32/6/0/0 0/0 {} "GET /test/te/ping/login HTTP/1.1"
Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:52353 [30/Apr/2021:09:13:30.322] verint rest_service/rest-hostname-8680 0/0/0/1/1 200 11537 - - ---- 32/32/6/1/0 0/0 {} "GET /filterservices/css/filters.css HTTP/1.1"
Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:42112 [30/Apr/2021:09:13:30.059] verint rest_service/rest-hostname-8780 0/0/12/143/202 200 122948 - - ---- 32/32/7/0/0 0/0 {} "GET /verintkm/js/tree.jquery.js HTTP/1.1"

The rex expression below is working fine up to the port number for the above events. Now I am trying to add an expression for "0/0/12/143/202 200". After the port group I need to create another group named response_time for the value 202, which is the last value after the forward slashes. [expr/expres/expre/expres/group name]

\[[^\]]+\]\s\w+\s(?<service>[^\/]+)\/\w+\-(?<hostname>\w+)\-(?<port>\d+)\s+
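An added example, not from the post and not HAProxy's own tooling: the poster's pattern extended across the rest of the HAProxy HTTP log line and run over the three events above in Python. The group names after port are my assumptions; the five slash-separated timers are what HAProxy documents as Tq/Tw/Tc/Tr/Tt (TR/Tw/Tc/Tr/Ta in newer releases), and the last of them is captured as response_time, as the question asks. Named groups use the (?P<name>...) form, which both Python's re and Splunk's rex (PCRE) accept, so the pattern can be pasted into rex unchanged.

```python
import re

# Constructed test input: the three events quoted in the post, one per entry.
SAMPLE_EVENTS = [
    'Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:31872 [30/Apr/2021:09:13:30.362] '
    'verint rest_service/rest-hostname-8780 0/0/0/10/12 302 1973 - '
    'X-CSRF-TOKEN=NtOTKgh2hfTpjwTuRmx269ZR5qQhDRUtAOf0 ---- 32/32/6/0/0 0/0 {} '
    '"GET /test/te/ping/login HTTP/1.1"',
    'Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:52353 [30/Apr/2021:09:13:30.322] '
    'verint rest_service/rest-hostname-8680 0/0/0/1/1 200 11537 - - ---- 32/32/6/1/0 0/0 {} '
    '"GET /filterservices/css/filters.css HTTP/1.1"',
    'Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:42112 [30/Apr/2021:09:13:30.059] '
    'verint rest_service/rest-hostname-8780 0/0/12/143/202 200 122948 - - ---- 32/32/7/0/0 0/0 {} '
    '"GET /verintkm/js/tree.jquery.js HTTP/1.1"',
]

# The poster's pattern up to the port group, then the remaining HAProxy HTTP log
# fields. Group names after "port" are assumed for this example.
HAPROXY_RE = re.compile(
    r"\[[^\]]+\]\s"                                    # [accept date]
    r"(?P<frontend>\S+)\s"                             # frontend name
    r"(?P<service>[^/\s]+)/"                           # backend name
    r"\w+-(?P<hostname>\w+)-(?P<port>\d+)\s+"          # server "<prefix>-<host>-<port>" (poster's layout; hostnames with "-" would need a wider class)
    r"(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<response_time>\+?\d+)\s"  # timers; last one is the total
    r"(?P<status>-?\d+)\s(?P<bytes>\d+)\s"             # HTTP status, bytes read
    r"(?P<req_cookie>\S+)\s(?P<resp_cookie>\S+)\s"     # captured request / response cookie ("-" when none)
    r"(?P<term_state>\S{4})\s"                         # termination state, e.g. ----
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\+?\d+)\s"
    r"(?P<srv_queue>\d+)/(?P<backend_queue>\d+)\s"
    r"(?:\{(?P<captured_headers>[^}]*)\}\s)?"          # optional captured headers block
    r'"(?P<method>\S+)\s(?P<uri>\S+)\s(?P<proto>[^"]*)"'
)

INT_FIELDS = ("port", "Tq", "Tw", "Tc", "Tr", "response_time", "status", "bytes",
              "actconn", "feconn", "beconn", "srv_conn", "retries", "srv_queue", "backend_queue")


def parse_haproxy(line):
    """Return a dict of named fields for one HAProxy HTTP log line, or None if it does not match."""
    m = HAPROXY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for f in INT_FIELDS:
        # "+" marks a timer or retry counter HAProxy reports as incomplete; strip it before int().
        rec[f] = int(rec[f].lstrip("+"))
    # A captured cookie other than "-" means a session or CSRF secret has been written to the log.
    rec["secret_in_log"] = rec["resp_cookie"] != "-" or rec["req_cookie"] != "-"
    return rec


def parse_all(lines):
    """Parse every line, dropping those that do not match."""
    return [r for r in (parse_haproxy(l) for l in lines) if r]
```

One caveat visible in the first event: the captured response cookie field carries the X-CSRF-TOKEN value, so with cookie capture enabled HAProxy writes that secret into the log and from there into the index. Either drop the capture in the HAProxy config or mask that field with a SEDCMD at ingest; the secret_in_log flag above makes such events easy to find.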
Using Splunk UF 8.1.1, we've noticed an issue where the Linux x64 forwarder running on Red Hat 7.7 did not seem to correctly adjust for daylight saving time; that is, the timestamps after the DST change are one hour ahead of where they should be. We are not using any special TZ configuration on the UF or indexer and have until now relied on the Splunk UF picking up the underlying OS timezone to enrich events, which, as I understand from the props.conf spec, is a supported approach. Simply restarting the UF has resolved the issue on multiple servers. The same UF version on Windows did not have this issue. Is this expected behaviour? Thanks in advance.
Hello, I have a macro that calls other macros in order to have a simple view of the search code. The thing is that when running the macro I'm getting empty values; when I press the key combination Ctrl+Shift+E and then select Open in New Search, I get all the results. I only have the power user role. How can I find out what's going on? Thanks.
Hi there, I am wondering if there is a way to change the default line weight used with the Splunk visualisation tools. Kind regards, Paul J.
We recently upgraded Splunk to version 8.1.2 and now our email alerts don't appear to be working. I had this issue in version 6.6.3, but had not seen it since then (we did upgrade to 7.2.6 before moving to 8.1.2 and did not see the issue then either). I have looked at older posts that said to remove a few lines in the sendemail.py file, and I found similar lines in the new sendemail.py and commented them out with a # sign, but it did not fix the issue. We are delaying our upgrade of the production system until we solve this email issue. Any ass
Hi, currently I am using a lookup table to match an account code to an application. How can I make it so that if the account code does match anything in my lookup table it uses "others" instead? Thanks and regards,
Hi all, I am trying to extract a field from the log below.

log1:
esbgc_as_uat2_dom|ESB/Monitoring/ESB_HealthCheck|esbgc_as_uat2_dom|Synchronized|Thu 29-Apr-2021 07:18:55 EST|1
esbgc_as_uat2_dom|ESB/Framework/Dispatcher/InterfaceDispatcher_SG_IDT2_CPG_A|esbgc_as_uat2_dom|Synchronized|Thu 29-Apr-2021 04:59:40 EST|2
esbgc_as_uat2_dom|ESB/Framework/Dispatcher/InterfaceDispatcher_SG_IDT2_CPG_B|esbgc_as_uat2_dom|Synchronized|Thu 29-Apr-2021 05:01:45 EST|2

I created the query below to extract the field "App_Name", which is "ESB_HealthCheck|esbgc_as_uat2_dom", from the log:

| rex field=_raw "^[^\|\n]*\|(?P<App_Name>[^\|]+)"

Here, I am getting the value from line one only. How will I be able to extract the value from all the lines in the log? Please help me create the query to get the desired output. Your kind support will be highly appreciated. Thank you.
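An added example, not from the post: the poster's pattern applied to the three-line event in Python with the MULTILINE flag, so that ^ anchors at the start of every line rather than only at the start of the event, plus a full row parser for the pipe-delimited layout. The column names in the row parser are my assumptions from the visible values. In rex the same two changes are the (?m) flag and max_match=0, i.e. rex max_match=0 "(?m)^[^|\n]*\|(?P<App_Name>[^|]+)".

```python
import re

# Constructed copy of the three-line event quoted in the post.
SAMPLE_EVENT = (
    "esbgc_as_uat2_dom|ESB/Monitoring/ESB_HealthCheck|esbgc_as_uat2_dom|Synchronized|Thu 29-Apr-2021 07:18:55 EST|1\n"
    "esbgc_as_uat2_dom|ESB/Framework/Dispatcher/InterfaceDispatcher_SG_IDT2_CPG_A|esbgc_as_uat2_dom|Synchronized|Thu 29-Apr-2021 04:59:40 EST|2\n"
    "esbgc_as_uat2_dom|ESB/Framework/Dispatcher/InterfaceDispatcher_SG_IDT2_CPG_B|esbgc_as_uat2_dom|Synchronized|Thu 29-Apr-2021 05:01:45 EST|2"
)

# The poster's pattern; re.MULTILINE makes "^" match after every newline, which is
# why the original rex only ever returned the first line.
APP_NAME_RE = re.compile(r"^[^|\n]*\|(?P<App_Name>[^|]+)", re.MULTILINE)

# Whole-row layout (column names assumed for this example).
ROW_RE = re.compile(
    r"^(?P<domain>[^|\n]*)\|(?P<app_path>[^|\n]*)\|(?P<target>[^|\n]*)\|"
    r"(?P<state>[^|\n]*)\|(?P<timestamp>[^|\n]*)\|(?P<count>\d+)[ \t]*$",
    re.MULTILINE,
)


def extract_app_names(event):
    """Second pipe-delimited field of every line in the event, in order."""
    return APP_NAME_RE.findall(event)


def parse_rows(event):
    """Every line as a dict; app_name is the last path component of the second field."""
    rows = []
    for m in ROW_RE.finditer(event):
        row = m.groupdict()
        row["count"] = int(row["count"])
        row["app_name"] = row["app_path"].rsplit("/", 1)[-1]
        rows.append(row)
    return rows
```

With max_match=0 rex returns App_Name as a multivalue field, one value per line; mvexpand it if each line should become its own result row.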
How do I compare incoming data with a dynamic date and time against a lookup table? For example, I have incoming data in the format below, where the date and time change for every new entry:

*abc -04/30 08:14:07 - c
*abc -04/30 08:03:20 -c
*abc -04/29 07:06:22 -c

and so on. I have to consolidate all the above data, excluding the date and time, and count how many times it occurs. In my lookup table I have the same data in the format below:

*abc -mm/dd hh:mm:ss -c
*abc -mm/dd hh:mm:ss-c

Is there a way to get the desired results? Kindly advise.
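An added example, not from the post: one way to match the events above against the lookup rows is to turn both sides into the same canonical key, replacing the variable timestamp with the lookup's "mm/dd hh:mm:ss" placeholder and dropping whitespace so that "- c" and "-c" compare equal, then count events per lookup row. The events and lookup rows are constructed from the post; the "unmatched" bucket name is my assumption.

```python
import re
from collections import Counter

# Constructed inputs copied from the post.
EVENTS = [
    "*abc -04/30 08:14:07 - c",
    "*abc -04/30 08:03:20 -c",
    "*abc -04/29 07:06:22 -c",
]
LOOKUP_TEMPLATES = [
    "*abc -mm/dd hh:mm:ss -c",
    "*abc -mm/dd hh:mm:ss-c",
]

TIMESTAMP_RE = re.compile(r"\b\d{2}/\d{2} \d{2}:\d{2}:\d{2}\b")
PLACEHOLDER = "mm/dd hh:mm:ss"


def canonical_key(text):
    """Replace a real mm/dd hh:mm:ss timestamp with the lookup placeholder, then strip all
    whitespace so spacing differences around "-c" do not break the match."""
    return re.sub(r"\s+", "", TIMESTAMP_RE.sub(PLACEHOLDER, text))


def count_by_template(events, templates):
    """Count events per lookup template; events matching no template go under 'unmatched'."""
    key_to_template = {}
    for t in templates:
        # Two lookup rows that differ only in spacing share a key; the first one wins.
        key_to_template.setdefault(canonical_key(t), t)
    counts = Counter()
    for e in events:
        counts[key_to_template.get(canonical_key(e), "unmatched")] += 1
    return counts
```

The same canonicalisation in SPL is eval key=replace(replace(_raw, "\d{2}/\d{2} \d{2}:\d{2}:\d{2}", "mm/dd hh:mm:ss"), "\s+", "") followed by stats count by key, with the lookup's own column run through the same two replace() calls so that both sides share the key.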
Hi all, I am just learning Splunk because of the need to get our add-on cloud vetted (therefore I really don't know much Splunk development yet, but need to get this done soon). It is an add-on that connects to our server and pulls in logs. Each pull has to authenticate first, so we save the token locally so we only need to authenticate once per interval (the lifetime of the token). But that won't do for a cloud-based add-on. (The vetting report says "Storing authentication token in checkpoint which is not allowed in Splunk cloud. Please don't store such sensitive information".) Is there any other way I can save the token for add-on functionality purposes? I heard mention of the storage/passwords endpoint; is that only for user credentials, or can it be used for saving an application token as well? Thanks in advance! I searched the whole day and am still not clear on the direction.
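An added example, not from the post and not Splunk's SDK: storing and reading back an application token through the storage/passwords REST endpoint with only the standard library, authenticated with the session key a modular input receives on stdin. The app name, realm and credential name are assumptions for illustration. Splunk keeps each entry under the name "<realm>:<username>:", so the username slot can hold any label such as "api_token"; the endpoint is not limited to user accounts.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed names for this example (not from the post).
APP = "my_addon"
REALM = "my_addon_realm"
TOKEN_NAME = "api_token"


def password_entry_name(realm, username):
    """Splunk stores each credential under the entry name '<realm>:<username>:'."""
    return f"{realm}:{username}:"


def build_store_request(base_url, app, realm, username, secret):
    """URL and form body that create a credential in the add-on's app context."""
    url = f"{base_url}/servicesNS/nobody/{urllib.parse.quote(app, safe='')}/storage/passwords?output_mode=json"
    body = urllib.parse.urlencode({"name": username, "password": secret, "realm": realm}).encode()
    return url, body


def build_entry_url(base_url, app, realm, username):
    """URL of one stored credential; the colons in the entry name must be percent-encoded."""
    entry = urllib.parse.quote(password_entry_name(realm, username), safe="")
    return f"{base_url}/servicesNS/nobody/{urllib.parse.quote(app, safe='')}/storage/passwords/{entry}?output_mode=json"


def _call(session_key, url, body=None, method="GET"):
    req = urllib.request.Request(url, data=body, method=method)
    # The session key from the modular input's stdin XML authenticates the REST call.
    req.add_header("Authorization", f"Splunk {session_key}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def store_token(session_key, base_url, secret, app=APP, realm=REALM, username=TOKEN_NAME):
    """Create the credential, or update it in place when it already exists (HTTP 409)."""
    url, body = build_store_request(base_url, app, realm, username, secret)
    try:
        return _call(session_key, url, body, "POST")
    except urllib.error.HTTPError as err:
        if err.code != 409:
            raise
        update_body = urllib.parse.urlencode({"password": secret}).encode()
        return _call(session_key, build_entry_url(base_url, app, realm, username), update_body, "POST")


def fetch_token(session_key, base_url, app=APP, realm=REALM, username=TOKEN_NAME):
    """Read the cleartext back; the calling role needs the list_storage_passwords capability."""
    data = _call(session_key, build_entry_url(base_url, app, realm, username))
    return data["entry"][0]["content"]["clear_password"]
```

Two practical notes: urlopen verifies the server certificate, so against a default self-signed management port you will need to pass an SSL context rather than silently disabling verification in shipped code, and the checkpoint file should keep only the token's expiry timestamp, never the token itself, which is exactly what the vetting finding objects to.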
I'm trying to configure Splunk to analyse logs coming from ClamAV. I have a shared folder where the logs arrive. On the machine where the shared folder is located, I set the universal forwarder to monitor that folder with this command:

/opt/splunkforwarder/bin/splunk add monitor /shared/avlogs/ -index clamav -sourcetype clamav

Now what's happening is that when I search

index="clamav" _raw="*FOUND*"

I don't get results every time; it depends on the content of the log file, as if the parsing was not done correctly. What am I missing?
I have the PRTG input tool installed, but when I want another user to see it, it gives me this error: "Error in 'PivotProcessor': Error in 'PivotRowCol': The dataset 'RootObject' has no field 'Date'."