So this may be a pretty easy task, however I am not getting it to work the way I want it. Here is my problem: I have a CSV with 3 columns:

id,uid,role
1,2342334,master
2,2342334,slave
3,34234234,master
(...)

Now I want a search on my index that returns all data where the uid is in the CSV. What I did so far is the following:

index = myindex [ |inputlookup mycsv.csv | fields 10000 $uid ]

However this solution is not perfect. What I wanted to achieve should look like this:

index= myindex uid=2342334 or uid =34234234 or uid=(..)

Any ideas?
Hi Team, I have recently upgraded my Splunk Enterprise instance for my Heavy Forwarder server from version 7.3.1.1 to version 8.1.2. When I navigated to the /opt/splunk/bin directory and ran the command "splunk version" I am able to see the latest version in the output, and in the GUI it is also showing the latest version.

Output: Splunk 8.1.2 (build 545206cc9f70)

But when I checked /opt/splunk/etc/splunk-launch.conf I can see the older version details present, not updated to the latest version:

# Version 7.3.1.1

Whereas if I check /opt/splunk/etc/splunk-launch.conf.default I can see the latest version:

# Version 8.1.2

So I want to know why the file splunk-launch.conf is not updated with the latest version, and also whether there is any way to fix it.
Help me to format the below query without the join command.

index=sample sourcetype=Sample_1 | fillnull | makemv delim=";" AID | join type=left AID [search index=sam sourcetype=sam_1|fillnull|rename Name as AID] |fillnull value="" Cos|fields * | search Legment="SOFT"|search sev=Y |stats count(VName)

The query is too slow for me and I have to run it without join.
Hi Splunkers.

I have a table like this:

Number Value
1 Alpha
2 Beta
3 Charlie

I want to get the rows of the Value column inside the alert email body. I expect the alert like this:

"Dear Team, this is the result on the value column
1. Alpha
2. Beta
3. Charlie
Thank you"

I have tried using $result.Number$. $result.Value$ but the result only shows the last Value, "3. Charlie".

Please advise.

Thank you
I basically want to get a timestamp of when an index was created in Splunk. I am aware that the timestamp of when each index was created is placed under "$SPLUNK_HOME/var/lib/splunk/<index_name>/db/CreationTime". Similarly, how do I get when a Search Head cluster app/bundle was created, similar to the above?
Hi everyone, we are trying to upload the ta-user-agents app (version 1.7.4) we have downloaded from Splunkbase. We know that it is not compatible with Splunk Cloud, but following this article https://github.com/aplura/TA-user-agents/issues/8 we have modified it and submitted it for validation. The validation report does not have errors or failures, but the app has still been rejected.

Hash f8e4d676e29335b1642895a20bc9073a
AppInspect Request ID c93b0fcb-5bee-42da-9b92-66bdec5c61a2
Failures 0
Warnings 6
Errors 0
Not Applicable 66
Manual Checks 8
Skipped 0
Successes 142

How can we submit this app? Thanks
I am a beginner with Splunk and want to filter the log lines with a matching file name field, but the file name (e.g. file_name=XXXXXX.abc.XXX.20210326.XXX.txt) has a date as part of its value which varies per current day. I tried the below approach and it didn't help.

index=xyz source="/logs/logfile.log" | eval filename_expr="%abc%".strftime(now(), "%Y%m%d")."%" | regex file_name=filename_expr | stats count by source

Please advise.
How to truncate logs to 10K for all the sources in Splunk (Cloud)? The default setting is not applicable for HTTP and TCP logs. I tried using some regex with the sed command but it doesn't work out; also there is operator precedence when adding any regex in props.conf, so when I add the regex it took that, ignoring the default truncate. Any help on this?
Hi, there is an alarm monitoring the 4733 (A member was removed from a security-enabled local group) events. When this alarm is triggered, I want the user to be deleted from the users.cvs lookup. How can I do it? Thanks,
Hi Splunkers,

I'm trying to install ITSI, but I don't see an install button. I can install it by downloading it manually from Splunk.com and installing it, but what differentiates it from other apps, while I can install UBA, which is an enhanced app as well?

Thanks in advance!
ERROR [DBAgent-1] ControllerHttpRequestResponse:25 - Fatal transport error while connecting to URL [/controller/instance/UNKNOWN_MACHINE_ID/systemagentregistration]

THIS ERROR I WAS GETTING WHEN I STARTED THE DB-AGENT FROM THE COMMAND PROMPT. COMMAND ->> java -jar db-agent.jar

CONTROLLER NOT RECEIVING RESPONSE. THIS IS ON-PREMISE CONTROLLER CONNECTIVITY. THE DATABASE I HAVE TO CONNECT TO IS MICROSOFT SQL SERVER.
I need the SHA512 checksum/hash for testing the newly downloaded one.
Hello guys, I am having a HUGE trouble when downloading my results as a CSV file. This is my query:

| search .... | table A B C

I see on Splunk that the results are shown as 3 columns with their values in vertical fashion, like this:

A B C
1 5 9
2 6 7
3 8 10

But when I download these results as a CSV file and I open it, the results are shown in this weird manner:

(in the first row, which is ok) A,B,C
(the second row) 1 2 3 4 5 67 9 7 10

which is not ok. Can someone please help me? Thank you so much!!!!!! So so much.
Hello my unafraid nerve of steel fellas! I hope you are having a lot of fun this week... I have been losing my sleep and sanity trying to create a table with some values that come from search queries and then add some fields (columns) to this table that will be the result of some simple math operations. Here is an example of what I am trying to achieve, and in advance I thank you and praise you for your help, I REALLY DO!

[| search 1 | fields A | stats count(A) as Total 1]
[| search 2 | fields A | stats count(B) as Total 2]
[| search 3 | fields A | stats count(C) as Total 3]

I will be obtaining the values Total 1, Total 2 and Total 3, then I want to build this table:

Stage Net Conversion
A Total 1 0
B Total 2 (Total 2 - Total 1) / Total 2
C Total 3 (Total 3 - Total 1) / Total 3

I will be so thankful if anyone can help me build this!!! THANKS SO MUCH IN ADVANCE, or if you can reference some documentation as well!!! Thank you so much.
Hello - I have JSON events that have multiple items nested inside them. Each item has fields with the same name. I'm trying to report with stats and timechart specifically on "lastvalue_raw" for each "sensor"; however, when trying a few different things my query still chooses the first "lastvalue_raw" for any of the sensors. The JSON event could have any number of nested items within it depending on the type of sensor. Below is an example event:

{
  "prtg-version": "21.1.65.1767",
  "treesize": 2,
  "sensor": [
    {
      "device": "Colo Palo Alto FW1",
      "device_raw": "Colo Palo Alto FW1",
      "objid": 8219,
      "objid_raw": 8219,
      "sensor": "Comcast (1Gbit/s - Circuit ID)",
      "sensor_raw": "Comcast (1Gbit/s - Circuit ID)",
      "status": "Unusual",
      "status_raw": 10,
      "lastvalue": "37 Mbit/s",
      "lastvalue_raw": 4637266.8945
    },
    {
      "device": "Colo Palo Alto FW1",
      "device_raw": "Colo Palo Alto FW1",
      "objid": 33904,
      "objid_raw": 33904,
      "sensor": "Verizon Business (1Gbit/s - Circuit ID)",
      "sensor_raw": "Verizon Business (1Gbit/s - Circuit ID)",
      "status": "Up",
      "status_raw": 3,
      "lastvalue": "163 Mbit/s",
      "lastvalue_raw": 20343218.0333
    }
  ]
}

And here is an example of a query I have tried to separate them:

index=prtg_test sourcetype=_json | spath | rename "sensor{}.lastvalue_raw" AS lastvalue, "sensor{}.sensor" AS sensor | timechart span=1m latest(lastvalue) by sensor

Any help is greatly appreciated!
Hi, I am having trouble with the radar viz visualization. The viz itself is working great; however, I can't seem to find a way to alter the axis text color. When used on a dark theme background the text is black and can't be seen. The light theme shows up ok. Is there an attribute I am missing? Many thanks, David
Hello, I am trying to configure alerting for a Failover Cluster by verifying the running server name, then confirming that the Windows services on said server are running as expected. We have two servers in the cluster that could change at any time, where the one that is active should always have the Windows services running (and alert if they are not and it is the active host) and the passive server should have the services stopped (expected, no alert). The two WMI events that I have running on the two hosts are below.

This event shows the active failover server:

Server=Server1 ComputerName=Cluster wmi_type=PIAnalysisCluster

The below events show the Windows Service events on either host:

Caption=Cluster Service DisplayName=Cluster Service Name=ClusSvc ProcessId=3192 StartName=LocalSystem State=Running Status=OK SystemName=Server1 wmi_type=ClusterService
20210325160700.359614 Caption=Cluster Service DisplayName=Cluster Service Name=ClusSvc ProcessId=3040 StartName=LocalSystem State=Running Status=OK SystemName=Server2 wmi_type=ClusterService

What I am trying to do is just show where Server=Server1 is active, then show just the status of the Windows service from SystemName=Server1. I've tried "eval Server=coalesce(SystemName,Server)", evals on match (Server==SystemName) as well as "where Server=SystemName", but I have been unable to find a way to just show the active server based on the first event and match the server name based on the second event with the status of the Windows service. Example attached of what the data looks like without attempting to join the values.
We are trying to use the fill_summary_index.py script to backfill times when the data isn't populated in a metrics-based index. The script is not detecting gaps; it is re-running the searches for the defined time range. I would assume that the issue might be with the default dedupsearch:

dedupsearch = 'search splunk_server=local index=$index$ $namefield$="$name$" | stats count by $timefield$'

which is not compatible with metrics-based indexes. Any recommendations?
Hello, I need to find null values in a multivalue field. I am using mvcount to get all the values I am interested in for the event field I have filtered on. However, I get all the events I am filtering for. What I am really after is seeing where event=A is null. I would like to see event output the value that is null, like: Null, B, C, D wherever A is null. Any suggestions?

| index="dc_green_idx" event=A OR event=B OR event=C OR event=D
| eval Unsupp=case(event="A", TimeSubmitted)
| eval BUnsupp=if(isnull(Unsupp),"yes","no")
| stats latest(TimeSubmitted) as TimeSubmitted values(event) as event max(BUnsupp) as BUnsupp by invite
| sort -TimeSubmitted
| where mvcount(event)>3 AND isnull(Unsupp)
I'm wondering if there are any Splunkbase apps that interact between Veracode and Splunk?