Hello people! I hope you are doing well. Sometimes when we work with unstructured data the only way to visualize correlations is using the stats command, and only at this point can we "give some structure" to the data. There are some instances in which I find myself in need of creating a new variable using the current information in the stats command.

Let's suppose I have this stats command and it gives me the following (mind you that TAG1 and TAG2 come from different events/logs/indices):

    | stats list(TAG1) as TAG1 list(TAG2) as TAG2 list(HOTEL) as HOTEL list(REVIEW) as REVIEW count(eval(TAG1=="X01")) as total_tag1(X01) by CLIENT

Result:

| CLIENT | TAG1 | total_tag1(X01) | TAG2 | HOTEL | REVIEW |
|---|---|---|---|---|---|
| ANA | X01, X01 | 2 | X05, X09 | GRANT-P, HOLLIZ | 5, 3 |
| LUKE | X01 | 1 | X05 | HOLLIZ | 5 |
| ALEX | X01 | 1 | X05 | UTI | 3 |

At this point this stats command is the only way for me to visualize the correlation or "interaction" between TAG1 and TAG2, due to the fact that they come from different logs. So... what if I wanted to create a variable named CHAIN that's just TAG1 and TAG2 joined by a "-", and after that have a count by CLIENT of the combination "X01-X05", so that in the previous table I could see for ANA the column total"X01-X05" equal to 1? Thank you everyone! Kindly, Cindy
Hello gorgeous people, I have been trying to create a variable named "promotion" with only two categorical values, "YES" and "NO". To summarize: if TAG1="X01" and TAG2 is empty or missing or null or N.A, I want the promotion variable to be "YES", otherwise "NO". I'd like to kindly let you know that I am using the stats command (by client) to visualize these results along with several others that I am computing, and I have tried the following lines of code without any luck:

    | eval promotion=if(TAG1="X01" AND TAG2="","YES","NO") | stats count(eval(promotion=="YES")) as Promotion? by CLIENT

    | eval promotion=if(TAG1="X01" AND isnull(TAG2),"YES","NO") | stats count(eval(promotion=="YES")) as Promotion? by CLIENT

    | eval promotion=if(isnull(TAG1),"NO", if(TAG1="X01" AND TAG2="","YES","NO")) | stats count(eval(promotion=="YES")) as Promotion? by CLIENT

These lines are not working for me because they return either "NO" when they should be returning "YES", or they just return "YES" in all possible cases, which is incorrect as well. I am aware that because of the nature of my data I have multivalue fields, and I don't know if that is what is causing the issue. Thank you so much everyone for your help! With kind regards, Cindy
Hi, I own an ownCloud server with a MariaDB database. My db_connection_types.conf is based on the post here from 2017, which has a few errors inside (missing tokens, wrong supported versions, serviceClass with MySQL...):

    [mariadb]
    displayName = MariaDB
    serviceClass = com.splunk.dbx2.DefaultDBX2JDBC
    jdbcUrlFormat = jdbc:mariadb://<host>:<port>/<database>
    jdbcUrlSSLFormat = jdbc:mariadb://<host>:<port>/<database>?useSSL=true&requireSSL=true&verifyServerCertificate=false
    jdbcDriverClass = org.mariadb.jdbc.Driver
    supportedMajorVersion = 2
    supportedMinorVersion = 7
    port = 3306
    testQuery = SELECT 1
    ui_default_catalog = $database$

Anyway, I chose the driver mariadb-java-client-2.7.1.jar because DBeaver downloaded this version automatically, and there I can select my data. With the db_connection_types.conf I can create a connection and receive the catalog. But in the SQL Explorer I receive every time the error "Error in 'dbxquery' command: External search command exited unexpectedly with non-zero error code 1.", also for very basic queries (like select * from `d040ddbe`.`5zdza_share`). Tested with the same result on jre1.8.0_291 and jdk-11.0.11. Has someone a similar system running and could give me a few hints where I'm wrong? Kind regards, SierraX
I cannot access the Splunk server. I get "untitled" or "crashed" using Chrome. I know the web link is correct. I have restarted my PC a couple of times. I tried using IE / Edge. I still cannot access the Splunk servers, none of them.
I just started module training for Enterprise and I got stuck on a silly problem. I don't know where to go back to the modules. T
Hi everyone, I'm currently testing a migration from Splunk 7.2.6 to Splunk 8.1.3. I'm using a real-time search (an indexed real-time search, to be precise) that is a lookup on all my events to see which events have a specific field. This specific field is added thanks to an automatic lookup. I don't have any issue on Splunk 7.2.6, but now I'm stuck with a weird behavior. When I'm running my real-time search, it's like it has its own context about eventtypes and the automatic lookup, because if I add new items to my automatic lookup (which, by the way, is a KVStore), these items are not identified in the logs. Similarly with eventtypes: if I add an eventtype on specific events and the real-time search identifies one of these events, I don't see the new eventtype. I tried to modify/remove entries from my automatic lookup and add/modify/remove eventtypes without restarting the real-time search, and what appears is that the real-time search never updates with this modified information (automatic lookup or eventtype). If I restart the real-time search, the changes are taken into account (which validates this "context" hypothesis).

From what I have read here (https://docs.splunk.com/Documentation/Splunk/8.1.3/Search/Aboutrealtimesearches), I understand that indexed real-time searches are like standard searches but put together:

    This runs searches like historical searches, but also continually updates the search with new events as the events appear on disk.

So if it's working like that, the context should be updated after a few moments, but that is not the case...

Can someone help me with this issue? Is it something possible? Do I have to set up some configuration parameters in my settings files? Thank you
Hi All, I am preparing for the Splunk admin exam and I want to know what happens when the Splunk license expires in 8.1.1. Does it stop search or not? Because in the Splunk docs I can see this:

    A license violation happens when you exceed the number of warnings allowed on your license. The license violation conditions are based upon the license type. Here is what happens to indexing and search capability during a license violation: Splunk Enterprise continues to index your data. Using search is blocked while you are in violation. This restriction includes scheduled reports and alerts. Searching the internal indexes is not blocked. You can use the monitoring console or run searches against the _internal index to diagnose the licensing problem.

But somewhere I got to know this was happening only in Splunk 6.5, so please help. https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/Aboutlicenseviolations
Hi all, We have installed "Splunk Security Essentials" on our Splunk Cloud deployment. For some reason, in the latest version, the "MITRE ATT&CK Framework" doesn't work as it should. We keep seeing "No results found" in the "Available Content". Did any of you encounter something similar and can assist me? Thanks in advance!!
I'm working with the Threat Hunting App and I want to develop a Python script that uses the VirusTotal API to check the process hash and add a field to my log so I can display it. I don't know where to begin, or is there any add-on out there that allows me to do that?
We have installed the Auto Update MaxMind Database app (https://splunkbase.splunk.com/app/5482/):

    [splunk@ilissplsh01 splunk]$ /opt/splunk/bin/splunk btool limits list --debug | grep "db_path ="
    /opt/splunk/etc/apps/AM_all_sh_tuning/local/limits.conf db_path = /opt/splunk/etc/apps/splunk_maxmind_db_auto_update/local/mmdb/GeoLite2-City.mmdb
    [splunk@ilissplsh01 splunk]$

The update is failing with the below error:

    Unable to perform file operations on MaxMind database file. [Errno 20] Not a directory: '/opt/splunk/etc/apps/splunk_maxmind_db_auto_update/local/mmdb/GeoLite2-City.mmdb'

The process works only if I remove the /opt/splunk/etc/apps/splunk_maxmind_db_auto_update/local/mmdb/GeoLite2-City.mmdb file manually. How can I automate it?
I have a chart that I can split by myDate or env, but I cannot get it to split by both myDate and env. For example, I need to see how many urgency events have taken place on a given myDate by each of the env (environments). I have used multiple versions of splitting the code and just cannot get this right. Any help will be great; this is related to Splunk ES.

    `notable`
    | eval env=coalesce(src_bunit, dvc_bunit, dest_bunit)
    | eval env=upper(env)
    | fillnull value="Unknown" env
    | search NOT `suppression` AND env=*
    | eval myDate=strftime(_time, "%Y-%m-%d")
    | chart count by env urgency
    | table myDate env critical high medium low informational
    | fillnull critical high medium low informational
    | rename env AS Environment, critical AS Critical, high AS High, medium AS Medium, low AS Low, informational AS Informational
    | addtotals col=true labelfield=Environment label="Total(s)" row=true
Hi All, I want a small addition to the output values. The code I am using:

    | inputlookup ONMS_nodes.csv
    | table nodelabel
    | join type=outer nodelabel
        [ search index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
          | rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
          | stats max(_time) as Time latest(Status) as Status by nodelabel
          | table nodelabel Status ]
    | table nodelabel Status

Output table:

    nodelabel        Status
    INBLR-LANCCO001  Up
    INBLR-LANCUA002  Up
    INBLR-LANCUA004  Up
    INBLR-LANCUA006  Up
    INBLR-LANCUA007
    INBLR-LANCUA008  Up
    INBLR-WANRTC001  Up
    INBLR-WANRTC002  Up
    INBLR-WANRTC003

The reason some devices have no status is that SNMP polling didn't happen for that device. I want a simplified output as expected below. Additional line of code:

    | eval Device=nodelabel." [".Status."]"

    Device
    INBLR-LANCCO001 [Up]
    INBLR-LANCUA002 [Up]
    INBLR-LANCUA004 [Up]
    INBLR-LANCUA006 [Up]

    INBLR-LANCUA008 [Up]
    INBLR-WANRTC001 [Up]
    INBLR-WANRTC002 [Up]

I am not getting values for the devices that are missing SNMP, but I need those devices in the table too, marked with [Failed]. Please help me with it.
Trying to run Splunk in a Docker container, which I can successfully get running. However, once I try to add a persistent volume for /splunkhome/var and /splunkhome/etc, the kvstore fails to start. The persistent volume is being hosted on a NAS (Synology DiskStation) which is mounted to my Linux host via SMB (CIFS) with the local admin of the NAS, so I should have full permissions to the share. I've been able to observe the following error: "homePath='/opt/splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem." Are SMB file shares not supported by Splunk? I can get past this error by adding "OPTIMISTIC_ABOUT_FILE_LOCKING = 1" to splunk-launch.conf, but then I get stuck with the kvstore failing to start. The kvstore logs indicate it's because the permissions are too open, even though I've changed them to 400. Any insight from your beautiful minds?
I have been using the Splunk Add-on for JMX over the years, but suddenly it stopped working and below is the error. So then I installed the latest version on a different server and copied the inputs, and it's working well without any issues. Any idea why it stopped working and why we are seeing the errors below?

    2021-04-25 05:51:45,043 - com.splunk.modinput.ModularInput -0 [main] ERROR - Error executing modular input : null : java.lang.NullPointerException
        at com.splunk.jmx.InfoManager.isJMXAccount(Unknown Source)
        at com.splunk.jmx.InfoManager.getAccounts(Unknown Source)
        at com.splunk.jmx.JMXModularInputV3.doRun(Unknown Source)
        at com.splunk.modinput.ModularInput.init(Unknown Source)
        at com.splunk.jmx.JMXModularInputV3.main(Unknown Source)
    2021-04-25 05:52:55,658 - com.splunk.modinput.ModularInput -0 [main] ERROR - Error executing modular input : null : java.lang.NullPointerException
        at com.splunk.jmx.InfoManager.isJMXAccount(Unknown Source)
        at com.splunk.jmx.InfoManager.getAccounts(Unknown Source)
        at com.splunk.jmx.JMXModularInputV3.doRun(Unknown Source)
        at com.splunk.modinput.ModularInput.init(Unknown Source)
        at com.splunk.jmx.JMXModularInputV3.main(Unknown Source)
Hello SMEs: I need some assistance extracting everything between the 1st and 2nd semicolon (;) FROM THE RIGHT from a string like this: SITES;Bypass;Whitelist;Finance;User Business Accept. In this case, the output would be Finance. Note: the text between the semicolons may change. Any assistance would be appreciated. Regards, Mac
Does anyone have this dashboard created that they could export for me? https://www.appdynamics.com/blog/product/software-reliability-metrics/ I'm trying to build Error Budget dashboards and am struggling. Thanks.
** edit: ** if I add dedup _time,clientip to the left (upper) search, I get 2580 events.

Hi, I've got this search:

    host=tutorialdata _time=* clientip=*
    | eval test1=0
    | fields clientip _time test1
    | join type=left clientip, _time
        [ search host=tutorialdata _time=* clientip=*
          | transaction clientip maxspan=6h
          | eval test2=1
          | fields clientip _time test2 ]
    | eval testFinal=if(test2 == "1","1","0")
    | stats sum(testFinal)

The search to the left of the join, alone, returns 39532 events; the right one, alone, 2580. I added the test1, test2 and testFinal fields to verify the results, but if I run the whole search it sums up to 3457 instead of 2580. What's going on? Thanks
Hi, I need help. I want to run a query to identify if errors have increased over 10%. The data is:

    Servername errorcode1 errorcode2 count
    Abcd.1.1.1000
    Pqrs.1.2.1100

If the errorcode2 value 1 txns exceed 10% of the average of its historical (7 days) count, then show an alert. I need to do this for all types of available errors in a single query. I could do it for a single error code, but I want a query for all error codes at once.

    index=abcd errorcode2 IN (1) earliest=-1d@d latest=@d
    | stats count as t1 by errorcode2
    | table t1
    | where t1 > [ search index=abcd errorcode2 IN (1) earliest=-8d@d latest=-2d@d
        | bucket _time span=1d
        | stats count as total by _time
        | stats avg(total) as avgt
        | eval chk = 1.1*avgt
        | table chk
        | return $chk ]

Kindly help me understand how I can compare a complete table in a where condition like we do in Python pandas.
Hi, I have a Splunk query as below:

    index=platform env=sandbox http_method="GET"

This gave me 1 result back. Now, when I apply the transaction command to it:

    index=platform env=sandbox http_method="GET" | transaction startswith="GET"

it returns 0 results. However, if I do this:

    index=platform env=sandbox http_method="GET" | transaction startswith="GET" keepevicted=true

it returns my 1 result back, and the value of `closed_txn` is 1. Also, if I do as below, it still returns my 1 result back. What is going on?

    index=platform env=sandbox http_method="GET" | transaction CorrelationId startswith="GET"

"GET" is present in my event `_raw`, otherwise the first search command would not have returned 1 result.
Hi All, I have a code that gives the output below.

CODE:

    | inputlookup ONMS_nodes.csv | table nodelabel

OUTPUT:

    nodelabel
    LANCUA005
    LANCUA008
    LANCUA012
    LANCUA014
    LANCUA016
    LANCUA018
    LANCUA019
    LANCUA020
    LANCUA022
    LANCUA023

This is a sample output; the list can go to more than 600 or 700 devices. The requirement is: can we split this into multiple columns within the panel?

    nodelabel   nodelabel
    LANCUA005   LANCUA016
    LANCUA008   LANCUA018
    LANCUA012   LANCUA019
    LANCUA014   LANCUA020
    LANCUA023   LANCUA022

So that the whole single panel page can be used to display the entire content.