Hi, I'm really new to ITSI. I have already installed Splunk and ITSI at my customer's site and read a lot of documentation. I created a custom alert action (alert_action.conf and notable_alert_action.conf, I don't remember exactly) in order to create a ticket in an external ticketing system that accepts REST calls. So I also created a script in the ../bin directory. When I call the targeted ticketing system with a REST POST, I get the INC number of the ticket created. I would like to update the episode with this INC number in a specific field, but I didn't find a similar situation here. Can you help me? Thank you in advance.
Hi Folks, I have planned to upgrade my Splunk environment from 7.3.3 to 8.0.8. Since it is a Python upgrade, I need to know whether we should update my apps that are compatible with the new version in the current instance first and then upgrade the Splunk instance as part of the entire upgrade process. We also have in-house built apps running on Python 2.7. So please suggest the order, either:
1. App update --> Splunk instance update, OR
2. Splunk instance update --> app update
How do I configure the Splunk App Mets Woot to work in my environment? I installed it on my cluster master and restarted the server, but I keep getting "no results found". It is the latest version; I just downloaded it from Splunkbase.
Hello, I have seen eventstats and stats used together, but I'm not clear on why and when they would need to be used together. Can you explain why one would use eventstats and stats together and provide an example?
Hello Splunk Community, here is my code and an explanation of the issue below. I am having a very annoying issue that I can't fix. The issue is that the percentage should be 60, which I can get easily, but the problem starts when I group by logDate. When I group by logDate, my percentage automatically turns to 100% - it obviously should not convert to 100%. Any advice?

index=syz event=object
| eval MoveObject=case(event=object, time)

Here below are the calculations for when I chart the percentage:

| eval Total=case(LevelMet="Failure",ObjectId)
| eval logDate = strftime(strptime(MoveObject, "%Y-%m-%d"),"%d-%b-%Y")
| stats dc(Total) as Failed_Docs dc(ObjectId) as Total_Docs by logDate
| eval Percentage=round((Failed_Docs / Total_Docs )*100,2)
| chart values(Percentage) as Percentage by logDate
Is it possible to search for an installed app on all my Splunk servers from, for example, a search head? To save searching all the Splunk servers for an installed app, is there an SPL query that would make this easy?
Hello, I'm reaching out because I have come across one of the old perpetual Enterprise licenses. I am aware that new perpetual licenses are no longer sold. The license was previously in production at a now defunct business, and I am now looking to use the license. Are there any caveats that I should be aware of before using it?
When I use the query below, I can see multiple servers in the index.

Index=abc sourcetype=vmstat (host=windows1* OR host=windows2* OR host=windows3*)
| eval cpu_percent_util=(100-pctIdle)
| timechart span=1m avg(cpu_percent_util) by host

I can see the graph by windows1, windows2, windows3, but I want to see the host names as Web1, Web2, Web3. Please help me with this.
Has anyone tried to run Splunk Enterprise under Rosetta on the new Mac M1 chip? I realize it's compiled for Intel, but supposedly Rosetta works pretty well at translating. I am considering purchasing a Mac mini, but I want to be able to run Splunk on it for development and testing. Any insights or experience with this?
Hi, I'm having trouble grabbing the first event of a specific type and the last consecutive event after that with the same type. For instance, my events for a user might look like this:

2021-04-02 14:45:11  User: 1 Network Error Happens
2021-04-02 14:42:57  User: 1 Error Recover
2021-04-02 14:41:33  User: 1 error id: 02 Happens at Location 1
2021-04-02 14:41:21  User: 1 error id: 02 Happens at Location 1
2021-04-02 14:41:12  User: 1 Error Happens
2021-04-02 14:40:52  User: 1 Software Error Recover
2021-04-02 14:40:24  User: 1 Software Error Happens

In this case, I am trying to grab the 2nd and 5th events, where the latest recovered error happens and recovers, so that I can later calculate the duration of the error. Currently, my query looks like this:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "User:\s(?<user_id>\d+)"
| rex field=_raw "(?<error_type>\w+)\sError"
| rex field=_raw "(?<error_type>\w+)\serror\sid:\s(?<error_id>\d+)"
| rex field=_raw "\d+\s(?<error_type>\w+)\sRecover"
| rex field=_raw "\d+\s(?<error_type>\w+)\sHappen"
| eval action=if((like(_raw, "%Happen%")), "Happen", (if(like(_raw, "%Recover%"), "Recover", null())))
| where isnotnull(action)
| eval latest_recover=if(action="Recover", _time, null())
| streamstats latest(error_type) as latest_error_type latest(latest_recover) as _time earliest(_time) as early_time values(action) as actions by user_id
| where mvcount(actions)=2
| stats latest(error_type) as last_error_type latest(_time) as recovered latest(early_time) as happened by user_id
| eval error_duration=tostring((recovered - happened), "duration")
| eval happened_time=strftime(happened, "%Y-%m-%d %H:%M:%S")
| eval recovered_time=strftime(recovered, "%Y-%m-%d %H:%M:%S")
| fields - recovered, happened

However, this query does not appear to be retrieving the appropriate events. Is there something I can do to get the two events (or the range of events, like the 2nd through the 5th events)?
Hi All, has anyone created a use case to report on users who are accessing systems or data that are not within their regular usage?
Hey there Splunkers! I've got a quick question:
1.) I'd like to search two indexes: index=cloud and index=msad
2.) These indexes DO NOT contain the same fields
3.) I only need to pull one field value from index=cloud. Field: "protoPayload.metadata.event{}.eventName"
4.) I need to pull four field values from index=msad. Fields: "whenCreated, whenChanged, sAMAccountName, eventtype"
I've tried using the SPL below, but it isn't working. Any assistance is greatly appreciated.

| set union [search index=cloud | fields protoPayload.metadata.event{}.eventName] [search index=msad | fields whenCreated,whenChanged,sAMAccountName,eventtype]
| table whenCreated,whenChanged,sAMAccountName,protoPayload.metadata.event{}.eventName,eventtype
| where sAMAccountName="gcp-org-admins"
Hey Guys, I am new to Splunk, and I want to know if there is an easy way of hiding the value of one field from one index while keeping it in the other. Both indexes have the same fields devApp and color. I tried NOT and also color!=blue, but that removes the entire event coming from the oranges index. I need events from both indexes. How can I remove the color field value from the devApp=XML events while still including the event?

(index = "oranges" (devApp=XML color!=blue) OR (devApp=HMTL color=blue))
When I start Apache after the installation, I see the error below:

$ sudo /sbin/service httpd restart
Stopping httpd: [ OK ]
Starting httpd: httpd: Syntax error on line 247 of /***/apps/web/webfarm/***.com-httpd.conf: Syntax error on line 5 of /***/apps/AppDynamics/webagent/appdynamics_apache_agent.conf: Cannot load /***/apps/AppDynamics/webagent/sdk_lib/lib/libappdynamics_native_sdk.so into server: libzmq.so.3: cannot open shared object file: No such file or directory
[FAILED]

Any help is appreciated.
I've installed the Okta Identity Cloud Add-on for Splunk. There was an attempt to configure it a while ago, but it wasn't tested much. When looking at it again, I noticed that there was a 401 Unauthorized error when trying to make the API request. I had the admin create a new token, and I configured the token and input in the app. I don't see any errors in the logs; the app log does show the message "No logs returned". I know there were both failed and successful attempts to log in to that Okta. Is there anything else I can check on the Splunk or Okta side?

2021-04-02 14:44:05,498 INFO pid=7784 tid=MainThread file=splunk_rest_client.py:_request_handler:105 | Use HTTP connection pooling
2021-04-02 14:44:05,541 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: log_limit
2021-04-02 14:44:05,569 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: log_limit
2021-04-02 14:44:05,582 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_collectLogs sees an existing next link value of: https://[redacted].oktapreview.com/api/v1/logs, picking up from there
2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: max_log_batch
2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: skip_empty_pages
2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: http_request_timeout
2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: allow_proxy
2021-04-02 14:44:05,602 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: bypass_verify_ssl_certs
2021-04-02 14:44:05,603 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_getSetting is looking for values for: custom_ca_cert_bundle_path
2021-04-02 14:44:05,603 INFO pid=7784 tid=MainThread file=setup_util.py:log_info:117 | Customized key can not be found
2021-04-02 14:44:05,603 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | Use of the proxy has been enabled through explicit definition of allow_proxy
2021-04-02 14:44:05,603 INFO pid=7784 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled!
2021-04-02 14:44:05,821 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_okta_caller n_val does not match our valid pattern with 0 results, store the current URL: https://[redacted].oktapreview.com/api/v1/logs
2021-04-02 14:44:05,822 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=_okta_caller we will now stash n_val with: https://[redacted].oktapreview.com/api/v1/logs
2021-04-02 14:44:05,842 INFO pid=7784 tid=MainThread file=base_modinput.py:log_info:295 | metric=log | message=Zero logs returned
Salutations, I had a question about the app.conf file. If I'm going to submit an app to Splunkbase, is the install_source_checksum field necessary? I've read that it should not be explicitly set: https://dev.splunk.com/enterprise/docs/reference/splunkappinspectcheck/ So should I just leave it as install_source_checksum = blank, or not include the field at all?

#
# Splunk app configuration file
#
[package]
id = Test App
[install]
is_configured = 0
install_source_checksum = 5496cc42397de0bdcddb4592ab4c2725bfdf947b
[ui]
is_visible = 1
label = Test App
I am installing the Recorded Future Add-on App into my Splunk ES environment. I would like to know on which search head we should install the Recorded Future App: Search Head 1 (where Enterprise Security is installed) or Search Head 2, where ES is not installed. My better judgement tells me Search Head 2; however, what is the Splunk best practice for this?
Hello guys, a custom app is pushed from the deployer, and ACLs are then set from the SHC GUI. A user can't share his own report. local.meta shows the role has read+write access. Thanks for your help. Splunk 7.3.4

Tags: user error admin view on app
I am working on configuring a Universal Forwarder to Splunk Cloud. I have everything set up except that the cloud is not receiving my data. I am getting a TCP port timeout. My question is where do I find the web address of the indexers to use to send my Splunk Cloud data to. I have three different portals: one is the main portal (I think), an IDM portal and an ES portal. I am trying to send the data to IDM, but unfortunately it's just not working. Any help would be appreciated.
I have freshly installed the Splunk_TA_box Add-on and am trying to configure an account via the Web UI, but when opening the Configuration page, the page gets stuck on Loading. Below is the screenshot. Can anyone guide me to fix this issue? Thanks.