Hello everyone,

After adding some data to Splunk and running the apply cluster-bundle and apply shcluster-bundle commands, splunkd stopped working on one of our Search Heads (out of 2 in the cluster). We turned it on manually, but then it went into a restart loop. We managed to solve the case by adjusting 'conf_deploy_fetch_mode' as suggested here: https://community.splunk.com/t5/Deployment-Architecture/Why-is-the-Search-Head-Cluster-getting-Caught-in-the-Restart/m-p/337615

However, we are still looking for the exact reason for this issue. We found the following internal errors on the affected SH:

04-15-2021 13:15:17.244 +0200 ERROR TcpInputProc - Error encountered for connection from src=myipaddress:port. Local side shutting down
04-15-2021 13:15:30.187 +0200 ERROR IndexAdminHandler - already reloading or shutting down, will not reload

Could someone please help me interpret them? Thank you!
I have this XML data in one event, but there are multiple transactions with the same field names. We need to display them all, grouped per transaction. Sample data in Splunk:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<TransactionMetaData xmlns="">
  <UniqueTransactionID>8G1F1R1C-701G16EC0F32</UniqueTransactionID>
  <TransactionDateTime>2021-04-16T03:11:26.031+02:00</TransactionDateTime>
</TransactionMetaData>
<Payload xmlns="">
  <ValidatedSalesTransactions>
    <Transaction>
      <RetailStoreID>PHP6666</RetailStoreID>
      <BusinessDayDate>2021-04-15</BusinessDayDate>
      <BeginDateTime>2021-04-15T07:21:22</BeginDateTime>
      <CurrencyCode>PHP</CurrencyCode>
      <ReceiptNumber>8565</ReceiptNumber>
      <RetailTransaction TransactionStatus="Totaled">
        <SaleReturn ReturnFlag="true">
          <ItemID>7481036706423787</ItemID>
          <Quantity>1</Quantity>
          <Amount>1.67</Amount>
          <OnlineOrderID>5516054561</OnlineOrderID>
          <OnlineItemID>6430081131637851</OnlineItemID>
        </SaleReturn>
      </RetailTransaction>
      <Country>Philippines</Country>
    </Transaction>
    <Transaction>
      <RetailStoreID>PHP6666</RetailStoreID>
      <BusinessDayDate>2021-04-15</BusinessDayDate>
      <BeginDateTime>2021-04-15T07:30:11</BeginDateTime>
      <CurrencyCode>PHP</CurrencyCode>
      <ReceiptNumber>8566</ReceiptNumber>
      <RetailTransaction TransactionStatus="Totaled">
        <SaleReturn ReturnFlag="true">
          <ItemID>59874451032500</ItemID>
          <Quantity>1</Quantity>
          <Amount>2.84</Amount>
          <OnlineOrderID>8549756244420</OnlineOrderID>
          <OnlineItemID>64385647545125144</OnlineItemID>
        </SaleReturn>
      </RetailTransaction>
      <Country>Philippines</Country>
    </Transaction>
  </ValidatedSalesTransactions>
</Payload>

My search query:

index=transaction_index sourcetype=ST_source | xmlkv | table RetailStoreID CurrencyCode ReceiptNumber ItemID Quantity OnlineOrderID OnlineItemID Country

I'm only getting the 1st transaction. But this is my expected result: What can I add to my search to get all the transactions? Thank you!
Hello, I'm currently creating a Python script which takes a Splunk Phantom case as input and creates an Incident Response report from the data within the case. One part is to download screenshots which are added as files to the case. Is there a way to get the content of those files? I'm currently using https://phantomurl/rest/vault_document/<id_of_document>, but this contains only general data about the file, not the file itself. I realised that you could use https://phantomurl/view?id=<id_of_document>, but that's not really "REST", and the authentication also does not work the same way as with the REST API. So, long story short: how can I download files from Phantom via the REST API if I know their document_id?

Thanks!

Mario
Hi Guys,

We have an alert set up for the below query, with the trigger condition "Number of Results greater than 0".

<query>| table ServerName UserName SupportTeam

This query runs once a day and triggers the alerts perfectly, as expected. But now management wants a modification to the alerting condition, such that the alert is triggered only if a ServerName is present continuously in 3 runs.

Example: If ServerName "APAC_Japan01" is present in the output of all 3 days' queries, then only then should it alert for this ServerName; if it is present only in the 1st and 2nd day's output, it should not trigger the alert. Is this possible?
Hi, I need to filter out some events from a syslog source. All the events that I need to exclude look like this:

Apr 16 11:24:23 **********  2021-04-16T11:24:23.604+02:00 *************************************** - Modified Query: START TRANSACTION

Can anyone help? Thanks in advance
Hi Splunkers! I'm getting the below message when I try to preview the PDF of a dashboard, but everything is fine, up and running. Can anyone please help me out?

Service Unavailable
The service is temporarily unavailable. Please try again later.

Thanks in advance! Cheers!
Hello,

I am trying to update my service entity rules via the Splunk ITSI REST endpoints. I couldn't find an endpoint to update the entity rules for a given service. Does Splunk ITSI support updating/creating entity rules via the REST API?
I am installing the universal forwarder version 8.1.2 as the monitor user on an AIX 7.2 server, but I am unable to start Splunk on this server due to the following errors:

monitor@fenix:/home/monitor/splunk/splunkforwarder/bin> ./splunk start
exec(): 0509-036 Cannot load program splunk because of the following errors:
0509-130 Symbol resolution failed for splunk because:
0509-136 Symbol ___strcmp64 (number 26) is not exported from dependent module /usr/lib/libc.a[shr_64.o].
0509-136 Symbol ___strcpy64 (number 29) is not exported from dependent module /usr/lib/libc.a[shr_64.o].
0509-136 Symbol __setjmp (number 32) is not exported from dependent module /usr/lib/libc.a[shr_64.o].
0509-136 Symbol __get_lc_charmap_ptr (number 40) is not exported from dependent module /usr/lib/libc.a[shr_64.o].
0509-136 Symbol cur_locale (number 210) is not exported from dependent module /usr/lib/libc.a[shr_64.o].
0509-192 Examine .loader section symbols with the 'dump -Tv' command.
How can I monitor data from .lfd files on Splunk? 
Dashboard beta is in use. When I run a dashboard, it is slow and inconvenient. Is it because the server specification is low? Can I only see dashboards created in dashboard beta? Or let me know if there's any other way.
I am trying to blacklist EventCode 5145 with a specific message and it is not working. Example event:

LogName=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=5145
EventType=4
Type=Success Audit
ComputerName=xxxx
Category=11111
CategoryString=none
RecordNumber=xxxx
Message=A network share object was checked to see whether client can be granted desired access.
Subject:
  Security ID:
  Account Name:
  Account Domain:
  Logon ID:
Network Information:
  Object Type: File
  Source Address:
  Source Port:
Share Information:
  Share Name:
  Share Path: \
  Relative Target Name: x.dxmdg.com\Policies\{123456789456456456454654464546464558655}\Machine\Preferences\Registry\Registry.xml
Access Request Information:
  Access Mask:
  Accesses:
Access Check Results:

With the below blacklist it is not working:

blacklist4 = EventCode="5145" Message="Relative Target Name:\s.+Registry.xml"

Please provide some suggestions.
The requirement is: there is a single index. Data comes in three different formats, and there is an InputType in the raw data to identify each. Below is just an example:

InputType="mBP" |name|employee id|username|address|designation | manager name
InputType="eMQ" |designation|years of emp|office location|department
InputType="qCP" |department| department head| employee count | designations

The data format is different in these cases. So the question is, is it possible to have different parsing based on the InputType? What is the solution for this? Do I need to create 3 new indexes? Or, within the same index, how can the 3 different parsings be done? What conf file changes are required? Help is appreciated with the different possible solutions for this.
I set the "Restrict search time range" in the role configuration to 3 days. Now, for the event index, Splunk only returns 3 days of data, based on the latest time the user selected. But for metric searches (mstats), it still returns data for a longer period (based on the user's selection). I wonder if the restriction only works for event indexes? Or is there any other way I could restrict the search window for metric searches?
Good Evening All,

I am looking for a solution for a Splunk panel: when I click on any cell value it should open the events related to that cell value, but instead it opens all event values. The drilldown click setting is set to cell. Please suggest any workable solution for the problem.

Question:

index=xxx | eval code = some condition | eval Res = some condition | stats count(eval(Res='success')) as Success count(eval(Res='failure')) as Failures by name | sort -count

The below 5 columns are pulled with some row entries (the drilldown setting is cell-enabled, but I still can't achieve the required solution):

name    code    success    failures    count
xxxx    1234    50         60          110
yyyy    4312    70         80          150
zzzz    5678    80         50          130

As mentioned above, when cell 50 in row 1 is clicked, it should retrieve only the 50 success events; similarly, when 50 in row 3 is clicked, it should retrieve only the 50 failure events.

Thanks in advance
Hi, I have managed to get Process, Memory, LogicalDisk and a few other perfmon counters working. However, I can't get ASP.NET and Paging File to work. I played around with the stanza a bit, but no luck. Has anyone managed to get these working?

## ASP.NET
[perfmon://ASP.NET]
counters = Requests Queued;Requests Rejected
index = windows_metrics
disabled = 0
instances = *
interval = 60
mode = single
object = ASP.NET
sourcetype = PerfmonMetrics:ASP
_meta = entity_type::Windows_Host
useEnglishOnly=true

## Paging File
[perfmon://Paging File]
counters = % Usage
index = windows_metrics
disabled = 0
instances = *
interval = 60
mode = single
object = Paging File
sourcetype = PerfmonMetrics:PagingFile
_meta = entity_type::Windows_Host
useEnglishOnly=true
I am getting statistics like below (only 3 categories):

Category    Amount
cat1        20
cat2        30
cat3        40

and I also added a Total column with this query:

| basequery | chart sum(amount) as Amount by category | addtotals row=f col=t labelfield=category

Which chart can I use to show this data, and how can I show the Total in a different color or a different location in the chart? I tried a bar chart, but all bars got the same color; the pie chart shows the total in the same chart as well (misleading).
We're using DB Connect v3.1.4. Occasionally, an SQL query in a Data Lab Input gets changed. I need to know where the log files are located and whether they are ingested into Splunk. That way, I can alert when the query is altered.
I don't know how to query my Duo servers to find out how many users are set to disabled, and some users might have never authenticated in Duo itself. I don't see any selected field or interesting field that would help build the query.
I'm currently working on indexing data from an external REST API using a Python script in Splunk Add-on Builder. I believe the code I've written is correct, and I don't encounter any errors with my call to the API, but when I try using the 'Test' button, I see the 'Done' status but no sample data entries in the 'Output' section. I know that the query I'm using will return some data, since I've tested it in Postman and in an IDE on my device, but nothing shows up in this test UI. Is there some helper command I need to use to show this data? How can I verify that I'm receiving the data I expect?
Hi, one of our prospective clients has a Splunk license of 2TB for the entire company; however, on the security front only 500 GB is used. Is there a way to ensure license monitoring is done only for this 500 GB?