For inventory management purposes, I have been running the below Splunk search for years. It first checks Remedy and pulls a few common fields, then compares that against actual firewalls that are actively sending logs into Splunk. The output provided a list of firewalls that send active logs but are not in inventory management, and a list of devices in the inventory database which are not sending any active logs.

| set diff
    [search source=remedyprod TYPE=NETWORK CATEGORY=HARDWARE ITEM=FIREWALL Status="Deployed" CONFIGURATION=Production
        | dedup CI_Name | table CI_Name | rename CI_Name as Remedy_CI_Name ]
    [search index=palo source=palo_alto sourcetype=pan:system
        | dedup dvc_host | table dvc_host | rename dvc_host as PA_Host_Name]

Today, the inventory database is only accessible via an inputlookup. I tried modifying the above to:

| set diff
    [| inputlookup ci_netgear
        | search source=remedyprod MANAGINGUNIT=ITSNI TYPE=NETWORK CATEGORY=HARDWARE ITEM=FIREWALL Status="Deployed" CONFIGURATION=Production Manufacturer="Palo Alto Networks"
        | dedup CI_Name | table CI_Name | rename CI_Name as Remedy_CI_Name ]
    [search index=pan_logs_traffic source=palo_alto sourcetype=pan:system
        | dedup dvc_host | table dvc_host | rename dvc_host as PA_Host_Name]

The result shows the full results of each search. I get a column called Remedy_CI_Name with every firewall and another column called PA_Host_Name with every firewall. It's like the "set diff" isn't doing anything at all. Any guesses? Thanks, d.
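An added example, not from the post above, of the same inventory-versus-logging comparison written with append and stats instead of set diff. set compares whole result rows, so rows whose field names differ never match; this version normalises both host names into one shared field (hostname, an assumed name) and flags which side each came from, so the output says explicitly whether a firewall is inventoried but silent or logging but untracked. The lookup, index, source, sourcetype and Remedy field names are the ones from the post.

```spl
| inputlookup ci_netgear
| search source=remedyprod MANAGINGUNIT=ITSNI TYPE=NETWORK CATEGORY=HARDWARE ITEM=FIREWALL Status="Deployed" CONFIGURATION=Production Manufacturer="Palo Alto Networks"
| dedup CI_Name
| eval hostname=lower(trim(CI_Name)), in_inventory=1
| table hostname in_inventory
| append
    [ search index=pan_logs_traffic source=palo_alto sourcetype=pan:system
      | dedup dvc_host
      | eval hostname=lower(trim(dvc_host)), sending_logs=1
      | table hostname sending_logs ]
| stats max(in_inventory) as in_inventory, max(sending_logs) as sending_logs by hostname
| fillnull value=0 in_inventory sending_logs
| where in_inventory=0 OR sending_logs=0
| eval status=case(in_inventory=1 AND sending_logs=0, "in inventory, no logs received",
                   in_inventory=0 AND sending_logs=1, "sending logs, not in inventory")
| table status hostname
| sort status hostname
```

Two things to check before trusting the output: the appended subsearch is subject to the usual subsearch result and time limits, so confirm in the job inspector that it was not truncated for a large fleet; and lower()/trim() only removes case and whitespace differences, so if one side records FQDNs and the other short names, strip the domain on both sides before the stats.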
Hi - Not having any luck testing or finding the answer in documentation, so hopefully someone can confirm. I want to collect a single EventCode=4624 from a Windows Server with a UF (v 8.0.6). I am using an inputs.conf stanza like this:

#2021.4.19
[WinEventLog://Security]
disabled = 0
index=foo
whitelist1 = EventCode=4624

I am still collecting all WinEventLog Security EventCodes. Any ideas? TY!
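An added example, not from the post, showing the two whitelist forms the Windows event log input accepts for keeping a single event code. In the key=regex form the regular expression has to be wrapped in % characters and is worth anchoring; the plain list form takes event codes directly. The index name foo is the poster's; everything else is standard inputs.conf syntax.

```ini
[WinEventLog://Security]
disabled = 0
index = foo
# Keep only successful logons (4624). Either of the two whitelist lines below
# works on its own; use one of them, not both.
# Plain event-code list form:
whitelist = 4624
# Equivalent key=regex form. The regex MUST be delimited by % characters,
# and the ^...$ anchors stop it matching longer codes that merely start with 4624.
# whitelist1 = EventCode=%^4624$%
```

After editing, restart the forwarder; the filter only applies to events read from that point on. If the filter still seems ignored, check the merged configuration on the forwarder with `splunk btool inputs list WinEventLog://Security --debug`: a second [WinEventLog://Security] stanza from another app with no whitelist, or with higher precedence, will override what you wrote.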
I have a field, SecondsSpentExecuting. A logged event will have that field. I want to visualize my data with a line chart, so the x-axis is _time and the y-axis is SecondsSpentExecuting, so for a given event, at a given time on the x-axis, you see on the y-axis visually how long it took compared to other events in that line chart. The current command I am using is:

timechart count by SecondsSpentExecuting

But in this case, the y-axis is the quantity of events that spent x seconds executing, so it does not work for my purposes. How could I write a command which considers the actual value of the SecondsSpentExecuting field rather than charting by quantity of events?
Hello everyone, I was wondering if any of you know how to change ONLY the color of the number that would be displayed in a single value radial panel using the new Dashboard Studio feature... Because when I look at the available configuration it only allows me to change the background color using thresholds... If anyone knows, I will be very thankful!!! Thank you so much.
When looking to update a deployment of Enterprise instances, we are exploring using a deployment server. Splunk documentation says the below:

"When provisioning a deployment server, note the following: If it will be deploying to more than 50 clients, the deployment server must run on a dedicated Splunk Enterprise instance. The instance cannot double as an indexer or search head."

Is this below command the way to view the number of clients? If so, I have 46, but I am looking to confirm, to see if we need to use a dedicated Splunk Enterprise instance for updating using a deployment server.

index=_internal source=*metrics.log group=tcpin_connections splunk_server=*
| eval host=if(isnull(hostname), sourceHost, hostname)
| search (host=*) AND (host!="(ALL)")
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf","lightwt fwder", fwdType=="full","heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder")
| eval Ver=if(isnull(version),"pre 4.2",version)
| fields connectionType sourceIp host kb tcp_eps tcp_KBps splunk_server Ver
| stats min(_time) as first_time, max(_time) as last_time, max(tcp_KBps) as max_tcp_KBps, avg(tcp_KBps) as avg_tcp_KBps, avg(tcp_eps) as avg_tcp_eps, sum(kb) as sum_kb by host sourceIp Ver
| dedup host
| eval sum_mb = round(sum_kb/1024,0)
| fields - sum_kb
| eval avg_tcp_KBps = round(avg_tcp_KBps,0)
| eval max_tcp_KBps = round(max_tcp_KBps,0)
| eval class=case( avg_tcp_KBps>0 AND avg_tcp_KBps<=128, "Standard Hosts", avg_tcp_KBps>128 AND avg_tcp_KBps<=256, "Better Hosts", avg_tcp_KBps>256, "Special Hosts")
| convert ctime(*time)
| rename first_time as "First seen", last_time as "Last seen", avg_tcp_KBps as "AVG KB/s", avg_tcp_eps as "AVG Events/s per 30 seconds", sum_mb as "Total MB", max_tcp_KBps as "Peak Kbps", connectionType AS "Forwarder Type", sourceIp as "Source IP", host AS "Host", Ver As "Splunk Version"
| sort - "Peak Kbps"
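An added example, not from the post. The search above reads tcpin_connections from metrics.log, so it counts forwarders that connected to the indexers in the time range searched; deployment clients are a different population (every instance that phones home to the deployment server, whether or not its data lands on these indexers), so the two numbers can legitimately differ. Run the following on the deployment server itself; it reads the client list from the deployment server's own REST endpoint, which is the same list Forwarder Management displays.

```spl
| rest /services/deployment/server/clients splunk_server=local
| stats count as deployment_clients, dc(hostname) as distinct_hostnames
```

To see who the clients are rather than how many, replace the stats line with `| table hostname ip clientName | sort hostname`. If deployment_clients and distinct_hostnames differ, the same host has registered more than once (for example after a reinstall that changed its GUID), and the higher number is the one the 50-client guidance applies to.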
Hi, I am new to Splunk and I am trying to create a dashboard, optimizing the independent queries by using the same base queries. Kindly let me know the difference between independent, master and base queries.
I have a log that has multiple UTC times listed. The logs are ingested into Splunk and I have created a field extraction to show those times in my Splunk table query. Now I am trying to populate ProcessingTime with the difference between two of the fields. I'm missing something. I can't get ProcessingTime to populate. Any help would be great.

Query:

host=clbflncolp11 index=_* OR index=* sourcetype=ibm:was:icc source="D:\\IBM_ICC_AuditLogs\\ibm.ctms.taskrouting.auditlog-SalesActiveIngestion*.log"
| eval ProcessingTime=file_modified-file_created
| table ProcessingTime, file_modified, file_created, corp_copy_dt

Sample Result:

ProcessingTime  file_modified                        file_created                         corp_copy_dt
(empty)         +2021-04-19T18:15:19:564+00:00-UTC   +2021-04-19T18:15:19:299+00:00-UTC   +2021-04-19T15:15:19:000+00:00-UTC
(empty)         +2021-04-19T18:15:18:955+00:00-UTC   +2021-04-19T18:15:18:689+00:00-UTC   +2021-04-19T15:15:19:000+00:00-UTC
(empty)         +2021-04-19T18:15:20:470+00:00-UTC   +2021-04-19T18:15:19:924+00:00-UTC   +2021-04-19T15:15:20:000+00:00-UTC
(empty)         +2021-04-19T18:15:21:205+00:00-UTC   +2021-04-19T18:15:20:861+00:00-UTC   +2021-04-19T15:15:21:000+00:00-UTC
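An added example, not from the post. Subtracting two string fields produces nothing; both have to be turned into epoch seconds with strptime first, and the format string has to match the sample values character for character (leading +, milliseconds after a colon rather than a dot, the +00:00 offset and the -UTC suffix). The example treats +00:00-UTC as a literal because every sample row carries that offset; if other offsets can appear, replace the literal +00:00 with %z. strptime returns null on a mismatch, so the parse_status column (an assumed name) surfaces rows that failed to parse instead of silently leaving ProcessingTime blank.

```spl
host=clbflncolp11 (index=_* OR index=*) sourcetype=ibm:was:icc source="D:\\IBM_ICC_AuditLogs\\ibm.ctms.taskrouting.auditlog-SalesActiveIngestion*.log"
| eval created_epoch=strptime(file_created, "+%Y-%m-%dT%H:%M:%S:%3N+00:00-UTC"),
       modified_epoch=strptime(file_modified, "+%Y-%m-%dT%H:%M:%S:%3N+00:00-UTC")
| eval ProcessingTime=round(modified_epoch - created_epoch, 3)
| eval parse_status=if(isnull(ProcessingTime), "unparsed", "ok")
| table parse_status ProcessingTime file_modified file_created corp_copy_dt
```

For the first sample row this gives ProcessingTime 0.265 (18:15:19.564 minus 18:15:19.299). If every row comes back "unparsed", look at the raw field value for a leading or trailing space that the extraction picked up and wrap the field in trim() before strptime.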
Hi, we've been using Splunk (SignalFX) APM for about a month now. Our initial implementation is for a .NET Framework stack (4.6.2), utilizing an OpenTelemetry collector, to push traces and metrics to Splunk. We're utilizing Zipkins as our exporter (previous attempts with the OTLP exporter were unsuccessful). We are able to view our traces within the APM area of Splunk. I am able to drill into various nodes of our application and even click the 'Troubleshoot' link to view additional metrics around latency and errors, however, when we try to use the built in APM Dashboard, none of the metric data is populated. This is odd, considering we can see that same data when we follow the 'Troubleshoot' link of a node. I'm curious to learn more about how the APM Dashboard pulls metrics to try and understand why our Dashboard has no metrics, but the 'Troubleshooting' side of APM does. Thanks!
Hi, guys! I need to get the difference in hours between _time and now(). How can I get this number?
I have this search query:

base search
| eval error = if(type="error",1,0)
| eval pageView = if(type="pageView",1,0)
| timechart sum(error)/sum(pageView) as ratio

But ratio doesn't work. Is there a way to see that ratio?
Hello Friends, I'm trying to generate a table that summarizes the total count of events A, B and C as follows:

search 1
| fields A
| stats count(A) as Net
| eval stage="A"
| append [ search search 2 | fields B | stats count(B) as Net | eval stage="B" ]
| append [ search search 3 | fields C | stats count(C) as Net | eval stage="C" ]
| table stage, Net

But I cannot seem to find a way to create a field named "conv" that will compute the following operation: take the value of the current Net count, subtract the previous value and then divide it by the previous value; in other words, find the percentage of conversion between stages, BUT for the first row it will be zero. Something like this:

Stage  Net  conv
A      100  0
B      80   (80 - 100)/100 = -0.2
C      70   (70 - 80)/80 = -0.125

I was thinking about a way to calculate something with a for loop, but I don't know how to access the indexes of the table... Thank you so much to everyone that can help me, like THANK YOU SO MUCH
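An added example, not from the post, that fills in the conv column. SPL has no loop or row-index access; the idiom is streamstats with current=f window=1, which copies the previous row's Net into a new field (prev_Net, an assumed name) that eval can then use. The first row has no predecessor, so prev_Net is null there and conv is forced to 0 as the post asks. The three placeholder searches are left exactly as written in the post; the fields commands are dropped because stats count(X) already restricts itself to that field.

```spl
search 1
| stats count(A) as Net
| eval stage="A"
| append [ search search 2 | stats count(B) as Net | eval stage="B" ]
| append [ search search 3 | stats count(C) as Net | eval stage="C" ]
| table stage Net
| streamstats current=f window=1 last(Net) as prev_Net
| eval conv=if(isnull(prev_Net), 0, round((Net - prev_Net) / prev_Net, 3))
| fields - prev_Net
```

With Net values 100, 80 and 70 this yields conv 0, -0.2 and -0.125. Row order is what makes it work: the appends run in sequence and each stats emits exactly one row, so A, B, C arrive in stage order. If a stage can legitimately be 0, the division for the next row returns null; decide whether that should display as blank or be mapped to 0 with fillnull.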
Hi, I am using a multi-select input in the dashboard, which displays a list of machines. I am looking to access this dashboard with a URL having multiple machines comma separated. My requirement is that when I open the link it should have all the machines mentioned in the URL in the multi-select filter. Example ("," replaced with %2C in the URL):

http://<URL>?host_token=xxx&form.time_token.earliest=1618437600&form.time_token.latest=1618610400&form.MACHINE_TOKEN=hp707srv%2Cdell970srv%2Cdell429srv%2Cdell477srv%2Cdell432srv
I'm trying to configure collection via the vCenter API using an existing HF as the DCN. On the Collection Configuration I have configured http://x.x.x.x:8000, which is the URL of my HF, and the applicable username and password, but I get the error: "No password found for this node please save a password"
Hello! I have two searches that return separate data but have a common field. I am trying to filter my first search by excluding results where the common field value matches the field value in my second search. However, my results are not being filtered and I am not sure where I am going wrong in this query. They are fairly lengthy queries, so a smaller example is below.

Query 1:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE
| rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)"
| where user_id < 5000
| table user_id, loc, loc_id, _time

Query 2:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO
| rex field=_raw "User:\s(?<error_user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred"
| rex field=_raw "User:\s(?<error_user_id>\d+)\sError\sId:\s(?<error_id>\d+)"
| where error_user_id < 5000
| table error_user_id, error_type, error_id, _time

Attempt at Filtering:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE
| rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)"
| where user_id < 5000
| table user_id, loc, loc_id, _time
| search [search index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO
    | rex field=_raw "User:\s(?<error_user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred"
    | rex field=_raw "User:\s(?<error_user_id>\d+)\sError\sId:\s(?<error_id>\d+)"
    | where error_user_id < 5000
    | table user_id, error_type, error_id, _time ]
| where user_id != error_user_id
| table user_id, loc, loc_id, _time

In this attempt to filter, I am trying to filter the first search and exclude any instances of users where the user_id matches the error_user_id. It isn't working, though. Any ideas on how I can get this to work?
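An added example, not from the post, that does the exclusion with NOT and a subsearch. The subsearch returns one field only, renamed to user_id so its values line up with the field the outer rex extracts; Splunk expands that into (user_id=… OR user_id=…) and the NOT drops the matching rows. Because user_id only exists after the outer rex has run, the filter must be a `| search` command after it, not part of the base search. The index, host, sourcetype and regex pieces are the placeholders from the post; the subsearch rex is shortened to `User:\s(\d+)\sError` so that it matches both error line formats in one pass, which is a deliberate generalisation of the post's two patterns.

```spl
index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE
| rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)"
| where tonumber(user_id) < 5000
| search NOT
    [ search index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO
      | rex field=_raw "User:\s(?<error_user_id>\d+)\sError"
      | where tonumber(error_user_id) < 5000
      | dedup error_user_id
      | rename error_user_id as user_id
      | fields user_id ]
| table user_id loc loc_id _time
```

Two caveats. Subsearches are capped (10,000 results and 60 seconds by default); if more distinct error users than that can exist in the time range, the exclusion list is silently truncated and some users slip through, in which case append both result sets, stats by user_id and keep rows that only came from SOURCETYPE_ONE. And keep the exclusion before any table command: once table has dropped a field, later commands cannot filter on it.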
Hi, I have two Splunk Enterprise deployments, one hosted on Azure and one on-prem. Basically two license masters will be present, so can I share/place the same license on both license masters? i.e. can the Azure license master and the on-prem license master use the same license?
Hey there, I created a field extraction from the UI using the regular expression method, where the regular expression got created automatically, but when I use that extracted field in my search, most values for that field are null even though they are available in the raw data. Here's my raw data, and I need to extract the value of medicareId (which is a combination of letters and numbers). Please advise; any help appreciated.

Message:

Started processing in Async: MtmCaseActivity(clinicalProgramName=sample, identificationDate=sample, caseID=sample, branding=sample, cycleYear=2021, status=Closed, closingDate=sample, workedBy=sample, reworkReason=, fulfillmentId=, identifiers=MtmCaseIdentifierDto(externalMemberId=null, carrierId=sample, accountId=sample, groupId=sample, memberId=sample, medicareId=sample, contractId=sample, pbp=sample), memberDemographics=MtmMemberDemographicsDto(memberFirstName=sample, memberLastName=sample, memberDOB=sample, memberAddress1=sample, memberAddress2=, memberCity=sample, memberState=sample, memberZip=sample, patientGender=F), eligibility=MtmEligibilityDto(effectiveDate=sample, termDate=sample), consultationDetails=null)
Hello everyone! I'm trying to create a time chart of a variable that I have to compute as a global percentage between two searches, but after reading the documentation in Splunk I can't seem to find a way to do it right. My original code looks like this:

| multisearch
    [| search index="portalA" | search py="X_O1"]
    [| search index="portalA" | search px="X_O3"]
| stats c(py) as START, c(px) as END
| eval P=round(100*END/START,1)
| fields P

Now that I have calculated P (as the percentage), I would like to have this plotted as a time chart that shows P for the last 10 days... so I was including

| timechart count by R limit=10 span=1d

at the end of my code. I will truly appreciate it if someone can kindly help me. Thank you SO MUCH
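An added example, not from either post, for plotting a ratio of two event counts per time bucket; it serves both the error/pageView ratio question earlier on this page and the START/END percentage here. timechart cannot evaluate an expression inside its aggregation list, so the pattern is the same in both cases: flag each event with a 0/1 eval, sum the flags per bucket in a single timechart, then divide in an eval afterwards, guarding against an empty denominator. The second search assumes py and px live in the same index, as the post's own multisearch shows, so one base search retrieves both populations and multisearch is not needed.

```spl
base search
| eval error=if(type="error", 1, 0), pageView=if(type="pageView", 1, 0)
| timechart span=1h sum(error) as errors, sum(pageView) as views
| eval ratio=if(views > 0, round(errors / views, 4), null())
| fields _time ratio

index="portalA" (py="X_O1" OR px="X_O3") earliest=-10d@d
| eval start=if(py="X_O1", 1, 0), end=if(px="X_O3", 1, 0)
| timechart span=1d sum(start) as START, sum(end) as END
| eval P=if(START > 0, round(100 * END / START, 1), null())
| fields _time P
```

Leaving the fields command off shows the raw counts alongside the ratio, which is useful while validating: a bucket where END exceeds START points at events that matched both flags or at a START event landing in a different day than its END.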
Hi Team, I am trying to extract the complete URL from the below Splunk search. I tried many ways; can you please help me with this?

Splunk log:

[2021-04-13 04:36:49.556 GMT] ERROR PipelineCallServlet|116901075255|Search-RemoteShow|PipelineCall|y6j3wsyHh1 custom [] component=Search,routine=Show,errorMessage="Out of stock products",URL=https://www.xyz.com/on/demandware.servlet/Sites-Bull-Site/default/Search-RemoteShow?queryDW=true&cgid=juniors&pmax=10&pmin=9.99&prefn2=eventCodeID&prefv2=21DXDB07&sz=84

But I am unable to get the complete URL as a result; I am getting half of the URL. Can you please help me with this?
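An added example, not from either post, of anchoring an extraction on the key name in the event rather than on the text around the value. That is the usual reason a UI-generated regex returns null for some events: it keys on position, and the value moves. The first search pulls the whole URL (everything up to the next whitespace, so & and = inside the query string do not end the match) and then individual query parameters out of it; the second applies the same idea to medicareId in the MtmCaseActivity message from the earlier post. YOUR_INDEX is a placeholder, and the field names full_url, cgid, pmin, pmax and medicareId are mine; the regexes are written against the sample events exactly as posted.

```spl
index=YOUR_INDEX "PipelineCallServlet" "URL="
| rex field=_raw "URL=(?<full_url>\S+)"
| rex field=full_url "[?&]cgid=(?<cgid>[^&\s]+)"
| rex field=full_url "[?&]pmin=(?<pmin>[^&\s]+)"
| rex field=full_url "[?&]pmax=(?<pmax>[^&\s]+)"
| table _time full_url cgid pmin pmax

index=YOUR_INDEX "Started processing in Async" "medicareId="
| rex field=_raw "medicareId=(?<medicareId>[A-Za-z0-9]+)"
| where isnotnull(medicareId) AND medicareId!="null"
| table _time medicareId
```

For the posted event the first search yields cgid=juniors, pmin=9.99 and pmax=10. The \S+ in the URL extraction assumes the URL is the last comma-separated value on the line, which holds for the sample; if a field ever follows it, switch to a terminator that cannot occur inside a URL. The medicareId filter drops the literal string null that the serializer writes for empty identifiers, which [A-Za-z0-9]+ would otherwise happily capture.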
Good morning all,  I am still new to Splunk configuration and was lucky enough to inherit a mostly functional setup. Right now, the main issue I am having is converting the SIDs to their respective user names.  The evt_resolve_ad_obj = 1 fix did not work. Any other insight as to what could fix this problem would help me a lot. Thanks in advance! 
Hi, how can I add colors to the table based on the search below? I wanted to have alternating colors to make the view better.

<panel>
  <table>
    <search>
      <query>index=index1 sourcetype=sourcetype1 ACCOUNT_CODE!=ACCOUNT_CODE
| multikv forceheader=1
| dedup ACCOUNT_CODE Application BusinessUnit
| table ACCOUNT_CODE Application BusinessUnit ApplicationRTO
| chart values(Application) as Application by BusinessUnit</query>
      <earliest>0</earliest>
      <latest></latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">false</option>
    <drilldown>
      <link target="_blank">/app/mainframe-platform/average_mips_per_application_bu?BusinessUnit=$click.value$</link>
    </drilldown>
  </table>
</panel>

Thanks and Regards,