Hi All, I am getting the below AWS logs from a customer, but these logs are taking more than 50% of the license, so could you please look at the below AWS sourcetype details and let me know which are required from a security perspective?

aws:cloudtrail
aws:cloudwatchlogs:vpcflow
aws:config
aws:config:notification
aws:config:rule
Team, I have been using the below commands to verify whether particular print queues have printed from the print server. But I am in need of a query filtering the print queues which have been offline / in error for many years.

host=USSLCP1OPTIO0* SourceName=*Print* | rex "printed on (?<Printer_queue>\w+)" | rex "port (?<Port>\w+)" | rex "Size in bytes: (?<Size>\w+)" | search Printer_queue=* | timechart count(_raw) by Printer_queue

host=USSLCPRTHPENG0* SourceName=*Print* | rex "printed on (?<Printer_queue>\w+)" | rex "port (?<Port>\w+)" | rex "Size in bytes: (?<Size>\w+)" | search Printer_queue=* | timechart count(_raw) by Printer_queue limit=150
I have created a Splunk app and uploaded it on Splunkbase. It received the AppInspect badge but is still showing compatibility with Splunk Enterprise only and not with Splunk Cloud. How can I get this app to be compatible with Splunk Cloud? Can you please let me know the process or any documentation for publishing an app for Cloud?
Hi @ppablo @oprokhorenko_sp, I want to change my primary account email address. Can you please assist me in changing my primary account under my profile? Regards, Mayana Khan
We have a search head cluster with 8 search head nodes (the captain is set to ad-hoc search only), and the replication factor is 2. We use scheduled searches to grant users access to the data they need instead of granting them access to the index. This method is working for access control, but we are facing a performance issue because of the huge number of artifacts (more than 10 thousand artifacts in the cluster). The loadjob command takes 30-40 s to run even if the saved search only has 1 event; we checked the job inspector and found that most of the time was spent on the loadjob command. Drilling down to the detailed log, most of the time was likely spent on finding the artifact according to the owner, app and search name and pulling the artifact from the search head it is stored on. Then we tried using the sid in the loadjob command instead, and it is really faster than using "owner:app:search name": the runtime is less than 1 second. Do you know the difference between using the sid and "owner:app:search name"? Thanks
Hello Talented People of the world! I hope you are having a great day. I wish to know if there is a way to have a YES or NOT output for whether the number of digits in each row is greater than a certain limit. For example: I want the column MET equal to true if the number of digits in the rows of the field ID is greater than 9, kind of like this:

ID                MET
123456789         NOT
548554569362      YES
14521421          NOT
1254              NOT
4858466358475248  YES

Let's say that my search begins as follows:

index="medic_dni" ID=* | fields ID

STAGE 2: I would wonder how the code would have to look if the column ID showed some values with a string followed by the (-) sign and then a string of numbers, something like this: ID-47855478554 OR IDUSA-47854785545, or something like this: IDSPAIN-7854545454. How can I obtain the following table?

ID                       ID_ONLY_NUMBERS  NUMBERS_GREATER_THAN_9
ID-47855478554841        47855478554      YES
IDUSA-47854785545521972  47854785545      YES
IDSPAIN-785454545474588  7854545454       YES

THANK YOU SO SO MUCH TO ANYONE WHO WOULD LIKE TO HELP. I TRULY, FROM THE BOTTOM OF MY HEART, THANK YOU
Hi Splunker, I found the following abnormal problems when checking the Splunk system:

04-07-2021 05:54:18.961 +0800 INFO PipelineComponent - CallbackRunnerThread is unusually busy, this may cause service delays: time_ms=0 new=0 null=0 total=2119 {'name':'DistributedRestCallerCallback','valid':'1','null':'0','last':'3','time_ms':'0'},{'name':'HTTPAuthManager:timeoutCallback','valid':'1','null':'0','last':'1','time_ms':'0'},{'name':'HttpInputMetrics:timerCallback','valid':'2','null':'0','last':'2113','time_ms':'0'},{'name':'IndexProcessor:ipCallback-0','valid':'1','null':'0','last':'6','time_ms':'0'},{'name':'MetricsManager:probeandreport','valid':'1','null':'0','last':'0','time_ms':'0'},{'name':'PullBasedPubSubSvr:timerCallback','valid':'1','null':'0','last':'2','time_ms':'0'},{'name':'ThreadedOutputProcessor:timerCallback','valid':'1','null':'0','last':'5','time_ms':'0'},{'name':'triggerCollection','valid':'2111','null':'0','last':'2118','time_ms':'0'}
04-07-2021 05:55:19.961 +0800 INFO PipelineComponent - CallbackRunnerThread is unusually busy, this may cause service delays: time_ms=0 new=0 null=0 total=2119 {'name':'DistributedRestCallerCallback','valid':'1','null':'0','last':'3','time_ms':'0'},{'name':'HTTPAuthManager:timeoutCallback','valid':'1','null':'0','last':'1','time_ms':'0'},{'name':'HttpInputMetrics:timerCallback','valid':'2','null':'0','last':'2113','time_ms':'0'},{'name':'IndexProcessor:ipCallback-0','valid':'1','null':'0','last':'6','time_ms':'0'},{'name':'MetricsManager:probeandreport','valid':'1','null':'0','last':'0','time_ms':'0'},{'name':'PullBasedPubSubSvr:timerCallback','valid':'1','null':'0','last':'2','time_ms':'0'},{'name':'ThreadedOutputProcessor:timerCallback','valid':'1','null':'0','last':'5','time_ms':'0'},{'name':'triggerCollection','valid':'2111','null':'0','last':'2118','time_ms':'0'}

I don't know what caused it. Which part should I start with to find out the reason?
Hi Everyone, I have one requirement. I have multiple dashboards and data is not coming in for the last 60 days, so I have removed the Date/Time range dropdown. What I want is: suppose for one of the dashboards the last available data is on 26th Feb, then it should display the data of 26th Feb. How can I pass the date parameter so that it displays the latest data available? Below is my query for one panel:

<row>
  <panel>
    <chart>
      <title>Overall Salesforce User Licenses</title>
      <search>
        <query>index="abc" sourcetype="xyz" $type$ TotalLicenses!=0 | lookup Org_Alias.csv OrgFolderName OUTPUT OrgName as OrgName | search $OrgName$ | dedup OrgFolderName, LicenseName, SalesforceOrgId | chart sum(TotalLicenses) as "Total Licenses" sum(UnusedLicenses) as "Unused Licenses" sum(UsedLicenses) as "Used Licenses" by LicenseName</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
      <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.text">Count</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisTitleY2.visibility">visible</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.maximumNumber">999999</option>
      <option name="charting.axisY.minimumNumber">0</option>
      <option name="charting.axisY.scale">log</option>
      <option name="charting.axisY2.enabled">0</option>
      <option name="charting.axisY2.scale">inherit</option>
      <option name="charting.chart">column</option>
      <option name="charting.chart.bubbleMaximumSize">50</option>
      <option name="charting.chart.bubbleMinimumSize">10</option>
      <option name="charting.chart.bubbleSizeBy">area</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.showDataLabels">all</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.placement">top</option>
      <option name="height">400</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
</row>

I will remove the earliest and latest as I have removed the Date/Time dropdown. Can anyone guide me on this?
I'm looking for a way of typecasting ASCII characters (A, B, C, D, etc.) into their decimal or hexadecimal formats. I've tried

| makeresults | eval fielda="a" | eval char=printf("%d",fielda) | table fielda char

This gives me an empty field for "char". Then I tried tonumber() and tostring(), but both require strings which are numbers, not letters, and so they come back with null values. Is there a way of typecasting ASCII to Hex/Dec/Oct?
The issue is that there are 3 tabs: Home, Dataset and Error. When I click Dataset, a panel appears showing the dataset-related panel, and similarly when I click Error it shows the error-related panel. But when I click Home I want both the Dataset and Error panels to appear for Home. I have tried using multiple tokens in the panel's depends based on the condition values, but it seems not to be working. Below is my source code for the dashboard:

<form>
  <label>test_token</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label>field1</label>
    </input>
    <input id="input_link_split_by" type="link" token="unused" searchWhenChanged="true">
      <label>Click</label>
      <choice value="home">Home</choice>
      <choice value="table">DATASET</choice>
      <choice value="map">ERRORS</choice>
      <default>home</default>
      <change>
        <condition value="home">
          <set token="showHome">true</set>
          <unset token="showTable"></unset>
          <unset token="showMap"></unset>
        </condition>
        <condition value="table">
          <set token="showTable">true</set>
          <unset token="showHome"></unset>
          <unset token="showMap"></unset>
        </condition>
        <condition value="map">
          <set token="showMap">true</set>
          <unset token="showTable"></unset>
          <unset token="showHome"></unset>
        </condition>
      </change>
      <initialValue>home</initialValue>
    </input>
  </fieldset>
  <row>
    <panel id="panel_layout">
      <html>
        <style>
          /* This Layout Panel Bottom Padding removed to merge Link Input with horizontal line */
          #panel_layout .fieldset{
            padding: 10px 12px 0px 12px !important;
          }
          /* Increase width of Link input to have options in Single Line */
          #input_link_split_by.input-link{
            width: 720px !important;
          }
          /* Change from flex to -webkit-box for side by side layout */
          #input_radio_split_by.input-link div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
            display: -webkit-box !important;
          }
          /* Create Button Border to make them appear as Tabs */
          #input_link_split_by.input-link button{
            width: 120px !important;
            border-top-color: black;
            border-top-style: black;
            border-top-width: 1px;
            border-right-color: black;
            border-right-style: black;
            border-right-width: 1px;
            border-left-color: black;
            border-left-style: black;
            border-left-width: 1px;
            border-top-left-radius: 10px;
            border-top-right-radius: 10px;
          }
          /* Hide link input bottom message section to merge with Horizontal line */
          .dashboard-panel #input_link_split_by label, #input_link_split_by .splunk-choice-input-message{
            display: none !important;
          }
          /* Remove padding from horizontal line */
          #panel_layout .panel-body.html{
            padding: 0px !important;
          }
        </style>
        <hr style="height:1px;border-width:0;color: black;background-color: white;margin: 0px;"/>
      </html>
    </panel>
  </row>
  <row>
    <panel depends="$showTable$">
      <html>
        <div style="text-align:center;">
          <h1>Application DATASET</h1>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel depends="$showMap$">
      <html>
        <div style="text-align:center;">
          <h1>Application Errors</h1>
        </div>
      </html>
    </panel>
  </row>
</form>
Hello, I have a lookup table that contains some words: ANGEL, DEVIL, CHURCH, KING, LOVE, etc. I have a search that returns a list of garbled letters: GJKLSER, WIUPAF, NVSDEVILDFP, QNJSANGELW, KINGGVSCHURCH, TRANGELOVEMGX, etc. I need to find when a word from the lookup is contained in the list of garbled letters (highlighted red above). I also need to know which word(s) were found, as in the green example above, including if the lookup words overlap, as in the purple letter example above. Each word in the lookup table has a corresponding score, which needs to be included in the results. Lastly, the lookup table contains over 1000 words/scores; otherwise, I would think a foreach would work. Thanks in advance for ideas, thoughts, direction. God bless, and safe and healthy to you and yours, Genesius
Need help configuring a secure connection between Google Apigee Edge and Splunk. What parameters need to be set on the Apigee end, and how does one configure the Splunk side? William
Is there a way to set a field's background color by comparing the numbers in 2 fields? For example: if the value of "POST IPTV CALLS" > the value of "PRE IPTV CALLS", then its background becomes red. As far as I know JS can do it, but somehow we need to keep the dashboard as Simple XML. Any idea?
I have a really simple query that I'd like to join with Enterprise Security's Identity inputlookup and grab a field from there. Here is the simple SPL:

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*") | table _time user

Trying to use a join to grab the data:

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*") | join type=left overwrite=true user [ | inputlookup my_identity_lookup | search identity=user | fields priority ] | table _time user priority

But the priority field returns blank. Would appreciate any help fixing this! Thanks in advance!
I have successfully configured the Add-On, and I am pulling down data in a test environment. I added my Azure application account successfully. This includes adding the Azure-assigned Client ID, Client Secret, and Tenant ID. Will the add-on be updated in the future to pull data down using certificates for authentication vs. the Client ID, Client Secret, and Tenant ID?
Hello, I need to move old logs for a specific log source (host) to be indexed in another Splunk cluster. When I use dbinspect in the current Splunk cluster, for that specific index, the logs seem to be in the cold buckets. Is it possible to extract the logs of a specific host from cold buckets so they can be moved to another Splunk cluster?
How do I investigate / understand the time-sync difference reported by Meta Woot! between a host and Splunk? Meta Woot! reports a latency of, say, many hours between hosts and Splunk (marked in red). I have checked the time settings and time zones on the hosts. They are all current and accurate.
Hey all, I want to take the content of a lookup and populate it in a dashboard panel in a simple table view. I tried the simple | inputlookup command, which works in the search head but not within the panels. Is there an easy way to get this done?
Hi all, I'm trying to reuse an SVG image multiple times on the same page, but it's not working. When I use Chrome Inspect, I noticed the <use /> is getting removed. Any help would be greatly appreciated. In the example below, it should create a fire SVG above the logs, but it never gets rendered.

<form>
  <label>testsvg</label>
  <row>
    <panel>
      <html>
        <svg width="300" height="300" viewBox="0 0 300 300">
          <title>Campfire</title>
          <desc>A campfire burning in a pit</desc>
          <g style="fill: #777;">
            <title>Fire Pit</title>
            <desc>The fire pit in which the campfire is burning</desc>
            <path d="M26.851,222.754 L0,222.754 L0,271.758 C0,286.751 14.555,299 32.443,299 L267.52,299 C285.408,299 300,286.751 300,271.758 L300,222.754 L273.112,222.754 L273.112,266.534 C273.112,272.067 267.816,276.484 261.27,276.484 L38.693,276.484 C32.147,276.484 26.851,272.058 26.851,266.534 L26.851,222.754 z" />
          </g>
          <defs>
            <g id="fire" transform="translate(0,10)">
              <title>Flames</title>
              <desc>The crackling flames of a campfire</desc>
              <path d="M101.138,160.949 C94.916,154.464 53.538,110.17 95.277,71.802 C130.054,39.868 135.137,13.003 123.434,-0 C123.434,-0 211.959,33.692 159.877,111.877 C150.998,125.163 128.702,140.843 140.369,173.129 L101.138,160.949 z" />
              <path d="M155.503,171.572 C153.624,165.019 145.142,150.746 171.021,122.303 C184.873,107.172 190.104,84.742 191.308,76.301 C191.308,76.301 237.167,100.662 191.576,160.215 L155.503,171.572 z" />
            </g>
          </defs>
          <!-- <g transform="translate(0,10)" fill="#530" stroke="#310" stroke-width="0">-->
          <g transform="translate(0,10)" fill="#530" stroke="#310" stroke-width="0">
            <title>Logs</title>
            <desc>The logs burning in the campfire</desc>
            <path d="M240.344,255.473 L240.344,216.874 L59.378,160.915 L59.378,199.513 z"/>
            <path d="M165.259,180.707 L240.321,157.488 L240.321,196.087 L227.627,199.99 z"/>
            <path d="M134.519,235.715 L59.419,258.9 L59.419,220.301 L72.151,216.433 z"/>
          </g>
          <use href="#fire" />
        </svg>
        <div>
          TESTING
          <svg viewBox="0 0 30 10" xmlns="http://www.w3.org/2000/svg">
            <use href="#fire" />
          </svg>
        </div>
      </html>
    </panel>
  </row>
</form>
Hello Guys, I want a shell script in which I extract only the sourcetype name and the TIME_FORMAT attribute from props.conf. I tried to extract them, but somehow it is not exactly extracting the results.

grep 'TIME_FORMAT' props.conf | sed 's/TIME_FORMAT *= *//'

I tried this for the time format, but I want the sourcetype name and its respective time format. Can anyone suggest something for this?