Hello everyone, I am in need of some old Splunk Universal Forwarder installers. Do we have installers for these?
Microsoft Windows Server 2003 (64-bit)
Microsoft Windows Server 2003 (32-bit)
Microsoft Windows Server 2003 Standard (64-bit)
Microsoft Windows Server 2003 Standard (32-bit)
Microsoft Windows Server 2008 R2 Standard (64-bit)
Microsoft Windows Server 2008 R2 Standard (32-bit)
Microsoft Windows Server 2012 Standard (64-bit)
Microsoft Windows Server 2012 Standard (32-bit)
Best regards.
Dear Sir, I've tried to implement the Splunk App for Windows, but I have some problems.
1. Splunk Add-on for Microsoft Windows 8.0.0 is installed on the master host.
2. Splunk Add-on for Microsoft Windows 8.0.0 and Splunk App for Windows Infrastructure 2.02 are installed on the search head host.
3. Splunk Add-on for Microsoft Windows 8.0.0 is installed on the forwarder host.
4. After configuring according to the relevant documents, the following problems appear:
1) Can't find task category, type.
2) windows_perfmon_details_collection is null.
Does anyone know why? Thanks in advance, purple1229
My search query finds the MAX and AVG response times of an API.
| search ("API-1 call start" OR "API-1 response status*" OR "API-1 call failed:*") | reverse | stats first(_time) as Start, last(_time) as End by transactionid | eval duration=End-Start | stats max(duration) as "Max", p95(duration) as "Avg95", p99(duration) as "Avg99"
Currently I have chosen the Single Value visualisation with Trellis layout, and it looks good. But when I export to PDF, it does not come out as it does with the Trellis layout. I have multiple APIs like this to show. What visualisation is best for this type of data?
Can someone please help me with this? Is there any way that we can get the existing tags from Splunk and create new tags using the Python Splunklib module? Thanks, Maheshkumar
Once the PaloAlto firewall was upgraded to version 9.1.6, our PaloAlto App version 6.2.0 stopped showing the Global Protect logs. I upgraded the Palo Alto Networks Add-on for Splunk and the Palo Alto Networks App for Splunk to 6.5.0. I installed the App + Add-on on the Search Heads, whereas I installed the Add-on on the Indexers and Heavy Forwarders. All the dashboards under Operations are working, but the dashboard for GlobalProtect (PANOS >= 9.1) is not working at all. The App documentation does not mention what changes were made for Global Protect logs or what to do if you are unable to see them. Please note that the data model pan_firewall is fully built and has data. All other data models are disabled as we do not have those products. Any ideas?
Is it possible to add a blacklist with an exception for "*string*"?
How do I configure a single-site clustered environment?
How can I configure a UF and HF in a distributed stack? Can anyone advise me?
Hi, we have a lookup file with some IP addresses. They could be in IPv4 or IPv6 format. There could also be one or multiple IP addresses. Something like this:
asset_name | ip
asset_1 | 123.34.43.12, 2a01:bc02:3d:4500:e6f
asset_2 | fe98::7d65:cb43:211a:12bc, 12.56.123.78
asset_3 |
asset_4 | 45.123.98.76
asset_5 | ab12::3456:cd78:9e11:12ab
asset_6 | 234.123.91.82, 67.12.123.54
We'd like to keep only the IPv4 addresses, so the final result should look like this:
asset_name | ip
asset_1 | 123.34.43.12
asset_2 | 12.56.123.78
asset_3 |
asset_4 | 45.123.98.76
asset_5 |
asset_6 | 234.123.91.82, 67.12.123.54
Do you have an idea how we can implement this type of filtering? Thanks.
Hi everyone, can someone guide me? How can I extract the below highlighted field from the logs:
2021-04-13 23:54:59,614 INFO [NiFi Web Server-54351] o.a.n.w.s. Attempting request for (<kdave7><l.com><CN=.com, OU=Middleware Utilities,L=Phoenix, ST=Arizona, C=US>) PUT https://lpdosputb50088.phx.bvc.com:9091/nifi-api/process-groups/9c673790-e123-1a1b-9c0d-d1adf4af91cb/variable-registry
2021-04-13 23:54:59,617 INFO [NiFi Web Server-201257] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<kdave7>><CN=lpdosputb50090.phx.aexp.com, OU=Middleware Utilities, L=Phoenix, ST=Arizona, C=US>) PUT https://lpdosputb50089.phx.abc.com:9091/nifi-api/process-groups/9c673790-e123-1a1b-9c0d-d1adf4af91cb/variable-registry
2021-04-13 23:54:41,185 INFO [NiFi Web Server-54256] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://ecpnifiblaze-dev.poi.com/nifi-api/processors/cbd8ff04-0178-1000-0000-000035805b48
I have a first query that takes input from the dashboard, and I get an id as a result from it. I want to use that id fetched from the first query as input to my second query and show the required fields that are available in the second query on the dashboard. N.B.: I know join, but I am facing an issue with how to pass that id as a variable to the second query. Actually, it needs to work on a dashboard. Can someone please help? @niketn
Hi, can someone help me with the Splunk query where I need to display only eapply as the key?
...|eval key=mvindex(split(nbamboo_buildkey,"="),1) | table key
It displays all of the bamboo_buildkey along with eapply, repository number, etc.
Hey, Splunkers! According to my use case, I need Unicode/Chinese characters in the KV store lookup, but it seems like it's not working as expected. My configurations are as follows:
1. collections.conf
[check_master_lookup]
field.ioc_value = string
field.type = string
2. transforms.conf
[check_master_lookup]
collection = check_master_lookup
external_type = kvstore
fields_list = ioc_id, type
Below are the steps I am performing to fill up the check_master_lookup lookup:
1. First I am creating the dummy data in one of the indexes using the following queries:
|makeresults count=1 |eval ioc_value="\u0001\u0011\u0005\u0012\u001e\r\u001e\u001a\u001c\u0016\r\u0016\b\u001e\u001e\u0004\u0011\u0005\u0011\u0006\u0005\u0016\u001d\u001a\u001c\u0002\u001c\u000b\u000e\u0014\f\u0003" | eval type="unicode" |collect index=temp
|makeresults count=1 |eval ioc_value="한싹시스템.doc" | eval type="chinese ch" |collect index=temp
2. Now filling up the lookup using the following query:
index=temp |table ioc_value,type | outputlookup check_master_lookup
Result: I can't see the ioc_value in the lookup table. Can anyone please help me with this?
1. Can I know Blueprint View? 2. What is security authorization? 3. Anaplan add-in?
Hi guys, this is regarding the below error that I am getting when I am trying to add an Azure Storage Account to configure Splunk_TA_microsoft-cloudservices.
"ERROR AdminManagerExternal - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [400]: Bad Request -- Account authentication failed. Please check your credentials and try again".
We have already tested the storage account and access key, and they work fine. Has anyone come across a similar issue?
Hi all, below is my Splunk query. I want to eliminate a result only if "UPN" and "Event_title" are both the same for 7 days in my results, and I want to get the other results as they are. Please help me with the Splunk query.
Splunk Query:
index=myindex "vendorInformation.provider"=myprovider | eval Event_Date=mvindex('eventDateTime',0) | eval UPN=mvindex('userStates{}.userPrincipalName',0) | eval Logon_Location=mvindex('userStates{}.logonLocation',0) | eval Event_Title=mvindex('title',0) | eval Event_Severity=mvindex('severity',0) | eval AAD_Acct=mvindex('userStates{}.aadUserId',0) | eval LogonIP=mvindex('userStates{}.logonIp',0) | table Event_Date, Event_Title, Event_Severity UPN LogonIP Logon_Location
@scelikok @soutamo @saravanan90 @thambisetty @ITWhisperer @gcusello @bowesmana @to4kawa
Command:
search.... | eval effort=exact(21+31+61+1103+7306+7505+15105+15106+15122) | table tag,effort,16910,21,31,61,1103,7306,7505,15105,15106,15122
How can I get effort = the sum of the fields in the same row instead of the overall sum?
Expected output:
effort
4
2
2
4
4
4
Is there a simple way to remove everything after website.com? Currently I have several URLs imported into Splunk, some of which have full paths following .com.
Currently:                            Would like it to be:
firstwebsite.com/website              firstwebsite.com
secondwebsite.com                     secondwebsite.com
thirdwebsite.com/jigiiit/jjejjrejr    thirdwebsite.com
fourthwebsite.com/hjeh                fourthwebsite.com
Any pointers would be great!
Hi guys, I want to make a chart with the values below, with IP as the separate lines, connections as the value, and apache_method as the X-axis.
apache_method | IP                        | Connect_time
GET           | 10.10.107.10 10.10.107.14 | 29 13222
HEAD          | 10.10.107.14              | 1
OPTIONS       | 10.10.107.14 ::1          | 12 15
PMFK          | 10.10.107.14              | 1
POST          | 10.10.107.12 10.10.107.14 | 5 38636
PROPFIND      | 10.10.107.14              | 3
Newbie question: I rolled out Sysmon along with the UF, but I need to edit the Sysmon config file to exclude Splunk processes. Can this be done through the Deployment Server?