I want to use different line styles in my chart without using fieldDashStyle, because I don't want to make changes when the field name (which is a result of my search) changes. If I use lineDashStyle, ALL the lines in the chart have the same style. I wonder if it is possible to let Splunk choose different styles for each line within a chart. Example:
| chart values(cost) by Month Message
I want a chart with a different style for each Message without using fieldDashStyle.
Hello Team, we have installed the CrowdStrike add-on 1.0.7 and ingested the logs via API into Splunk. The challenge we are facing is that every week the logs stop reporting to Splunk and we need to manually refresh the connection from Splunk. Can you please help with why this issue is happening? Is there a bug in the add-on, or do we need to set a limit in the CrowdStrike add-on to refresh the connection? Thanks, Sahil
Hi, I am new to the Splunk Community. Currently, my customer already has a Splunk server which they are using to export their CUCM's CDRs. They are looking into exporting their Cisco VCS-C and Expressway CDRs to the Splunk server. In addition, the VCS-Cs are being managed by Cisco TelePresence Management Suite. Can someone within the community who is already exporting their Cisco VCS-C and Expressway CDRs to a Splunk server advise me how to export the CDRs to the Splunk server? Is there an API from the Splunk server/VCS-C/Expressways which will trigger the CDR export? Regards, Chris.
Hi All, I ran 'Testing Connectivity' on all Phantom apps and the response is as follows, showing no information (not even whether the connection fails). How do I troubleshoot and resolve this error?
We are running AS400 servers with version 7.1. Can someone suggest how to send data from AS400 to Splunk?
Hi All, I have recently ingested Cisco Umbrella logs into Splunk Cloud (8.1.2) and everything seems to be working fine, except for the Network Resolution DNS data model. When I try to accelerate the model or pivot, I get the following errors:
1) The search job has failed due to an error. You may be able view the job in the job inspector
2) Error in 'lookup' command: Could not construct lookup 'cim_dns_reply_code_lookup, reply_code_id, AS, reply_code_id, OUTPUT, reply_code, AS, reply_code'. See search.log for more details.
3) Cannot expand lookup field 'action' due to a reference cycle in the lookup configuration. Rewrite the lookup configuration to remove the reference cycle.
I reviewed the search.log but don't see anything related to the cause of the issue. Has anyone experienced or solved this before? Cheers
Splunk have advised that they're deprecating older versions of jQuery: Make Your App More Secure By Updating to jQuery® Version 3.5 or Newer | Splunk. Are add-ons built using Add-on Builder impacted? I can see various references to jQuery within the AOB-generated appserver\static\ content (common.js, configuration_page.js...), but I have no idea whether there's going to be any impact on my simple modular input apps built using AOB. Posting here as I figured many other people would have a similar question.
Hello, as of today I am looking for a little help to efficiently detect when an alert stops reporting. My idea is not to generate an alert that monitors the alert (redundant) when the result or count at a certain time is zero; rather, I am after a more automated mechanism that helps me, maybe some app or advice that can help me detect when this happens. Thanks
Hello, I see there is a Data Source for Windows. Is it possible to use Splunk to monitor your own Mac OS X system? Thank you kindly, Selena
Hello everyone. We have configured DB Connect on a heavy forwarder. We made a user in the database, set up a connection via the web interface in DB Connect, and it seemed to work. That is, I can select "Connection", go to my directory, and I can even see the tables from my directories. But there is one thing. When I send a request via "Execute SQL" or do "new input", the request is supposedly sent, reaches 20 percent and then nothing happens. It just stands in one place. Please tell me, has someone already faced a similar situation, and how did you find a way out of it? What should I do?
Hey, we are looking for an elegant way to set the _meta field in inputs.conf of the SAI application [Splunk App for Infrastructure]. We now have the following line in inputs.conf of the SAI application:
_meta = os::'windows server 2016' os_version::10.0.14393 ip:'10.0.0.1'
We are looking for a way to set up this line automatically when running splunk reload deploy server. Any suggestions?
I'm developing custom search commands to access the Neo4j Aura SaaS graph database. I want this app to also work on Splunk Cloud. The Neo4j Aura database can be reached via a single IP address and a single TCP port. All data over this port is fully encrypted and full certificates are used. Questions I have:
- Can this be done at all?
- What should be requested for a Splunk Cloud customer if they want this?
- Are there any things I have to watch for or need to know as a developer of this app (with the search commands) related to TCP communication?
Background for the search commands: with these new search commands Splunk users can query content and context from the Neo4j graph database and use that within Splunk to correlate, analyze and report. One of the use cases will be to integrate CMDB-like content and context into Splunk via
We have 2 events:
OTP generated through SMS with UUID=123123
OTP generated through EMAIL with UUID=432432
OTP Verified for UUID=123123
How to join events to find how many OTPs were generated through different mediums (SMS/EMAIL) and how many were successfully verified?
My task is to show Instance id, Instance type and CPU credit balance, but it shows only CPU credit balance and instance id and is unable to show the instance type. My query is:
index=main metric_name=CPUCreditBalance | timechart eval(round(avg(Average),2)) by metric_dimensions where max in top10
What shall I add or change in this query?
I'm pretty new at this so I apologize if the question seems stupid. I have a printer that sends syslogs to Splunk, and whenever the printer processes a job, it sends 2 identical items to Splunk. It's simple enough to get the total count, but dividing it in half is driving me crazy.
source = "hp printing" | chart count by host
Because of how the printer sends its logs, whatever the above outputs is double the actual number of print jobs the device has processed. I've tried so many combinations and just can't seem to figure it out.
source="hp printing" "printing" | chart eval(count/2) by host
The above returns "Error in 'chart' command: The eval expression has no fields: 'count/2'."
source="hp printing" "printing" | eval print_jobs = count/2 | chart eval(print_jobs) by host
The above returns "Error in 'chart' command: The eval expression has no fields: 'print_jobs'."
I feel like this should be a simple task but just can't seem to nail it down.
Where do I find the settings for Splunk SmartStore? Can they be viewed via GUI? Is the setting set for all in one place? Should the settings be modified when we have ES in the picture?
My InfoSec app is not showing IDS logs coming from my Meraki security appliance. I am able to see the rest of the data, such as flows. CIM_Intrusion Detection acceleration shows 100% but the data model shows 0. CIM Network Traffic is showing information. Any help would be appreciated.
Hi @gcusello, we are planning to upgrade our Splunk environment from 7.1.x (current version) to version 8.1. We have a single-instance Splunk environment. I just read in one of the docs that it needs to be done in the following three phases, but could not find steps/commands to upgrade it:
Backup
Upgrade
Testing
We have a search head (axxxxxhd01), indexer (xxxxxhd01) and a forwarder (xxxxxfw01). Can you please guide us on upgrading to version 8.1 on Unix (commands)? Do we need to upgrade all, i.e. SH, indexer and forwarder? If yes, what should be the sequence to upgrade them? Regards, Rahul
Hi Team, our Splunk license is going to expire and we are working to get a new license. Our current environment is a clustered one with 12 indexers, 1 SH, 1 CM and 1 DS. However, we have decided to stop the ingestion of data and would like to keep Splunk intact only for searching the already indexed data. As a result we are planning to move to the Free license for the time being. We do understand that under the Free license the clustered model won't work and each Splunk instance becomes standalone, but we are okay with performing the search on individual indexers if required. However, our concern is that the log retention configuration is currently placed in the following directory on all of the indexers: /files0/splunk/etc/Master-app /_cluster/local/indexer.conf. Will this still have higher precedence over /files0/splunk/etc/system/default/indexer.conf, or do we need to make changes?
Hello everybody. I need your help. I do not know all the functionality of Splunk so well, but I was given the task of monitoring the VPN connection. I've been sitting on this task for a while now, and I'm almost done. But I cannot solve the last point. As in the picture below, I was able to collect some information. As in the first picture, I was able to subtract the time from the start to the end of each session. But if you run the search "for the whole day", then there is no information about sessions that have not yet closed and that start at 23:00 and end at 2:00, for example. Search string:
sourcetype=cisco:asa message_id=722051 OR message_id=113019 OR message_id=722011 user=zhanali | eval session_info = if((message_id = "113019" OR message_id = "722011"), "session_end", "session_start") | transaction startswith=eval(session_info="session_start") endswith=eval(session_info="session_end") | eval end_time = _time + duration | eval duration1 = tostring(duration, "duration") | stats count as "all session number" list(_time) as "start of sessions" list(end_time) as "end of sessions" list(duration1) as "durations per session" sum(duration) as secund by Username | eval "full time for tuday" = tostring(secund, "duration") | fields - secund | convert ctime("start of sessions") | convert ctime("end of sessions")
Result:
Here 113019 means disconnect, 722011 reconnect and 722051 session assigned. This means that after a reconnect a syslog again comes as "session assigned". How can I get and display the previously mentioned time intervals as start 23:00 and end 00:00, start 00:00 and end 2:00? And more about active sessions, like "session active"? Below is the information about the first and last activity: Please, HELP ME!