I want to index a shell script's output through inputs.conf. I have configured the script like this:

[script://$SPLUNK_HOME/etc/apps/search/bin/swapmem.sh]
disabled = false
host = *
index = index_perform
interval = 30
source = Perform
sourcetype = Memory

The output of the script is:

total used free shared buff/cache available
Swap: 32767 919 31848

I want to index the first line as a header (as auto) and map the fields to it, but both lines get indexed.
The account ID drop-down is not showing the ID list in the Splunk App for AWS. What configuration do we need to follow to get the account ID reflected in the drop-down? We don't have any "Add account" option on the configure page of the Splunk App for AWS, as the document getting-started-with-splunk-insights-for-aws-cloud-monitoring.pdf says. A quick reply is much appreciated. Thanks in advance!
Hi everyone, I have one requirement. I have created an alert like the one below:

index=abc ns IN ("blazepsfpublish", "blazegateway", "blazegateway-c2","blazepsfsubscribememsql","blazepsfsubscribememsql-c2","sidh-bulk-processor","sidh-datagraph3","sidh-datagraph3-c2","sidh-noss") "NullPointerException"
| rex "message=(?<ExceptionMessage>[^\n]+)"
| dedup ExceptionMessage,ns
| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| table app_name, ExceptionMessage ,_time, environment, pod_name,ns
| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name

The issue I am facing is that there are some messages that are similar, like the ones below:

2021-03-17T10:39:32.268286963Z app_name=publishpushapi environment=e1 ns=blazepsfpublish pod_container=publishpushapi pod_name=publishpushapi-deployment-66-gz8dm stream=stdout message=java.lang.NullPointerException: null
2021-03-17T10:39:16.982803933Z app_name=publishpushapi environment=e1 ns=blazepsfpublish pod_container=publishpushapi pod_name=publishpushapi-deployment-66-gz8dm stream=stdout message=java.lang.NullPointerException: null

I have already used dedup, but I want the count to come out properly: if there are 7 similar messages, the message should be displayed once and the count should be 7. With stats count I am getting only a count of 1. Can someone guide me on this?
I can't find the version of splunkforwarder for AIX6 on the official Splunk website; the oldest one there is for AIX7. Does anyone have a download of the splunkforwarder version for AIX6?
I have the below query, which works fine in 'Search', but when I take the same query to a dashboard that has a panel with a <single> display, the query gives a syntax error.

<source query> | rex field=_raw "\"printerType\":\"(?<prnType>[^\"]+)\"" | table prnType | dedup prnType

Error in dashboard: Unexpected close tag. Please help me find what is wrong with the query. @vn50b7z
Hi all, we have an indexer cluster configured on AWS EC2 instances, which is configured with SmartStore. Since this is a dev environment, we want to stop the EC2 instances in non-business hours. Could you please advise whether, when we stop an indexer with SmartStore, the hot buckets are rolled to warm and uploaded to the SmartStore before the indexer peer stops? Also, what would be the recommended way to stop the Splunk service before stopping the EC2 instance: the splunk stop command or the splunk offline command?
Hi everyone, I have one requirement. I am creating an alert, and the query is below:

index=abc ns=blazepsfpublish "NullPointerException"
| rex "message=(?<ExceptionMessage>[^\n]+)"
| dedup ExceptionMessage,ns
| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| table app_name, ExceptionMessage ,_time, environment, pod_name,ns
| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name

My requirement is that I have multiple (6-7) ns values and I want to include them in the same query rather than appending. Can someone guide me on this? Below are my ns names: sidh-datagraph, datagraph, etc. How can I include all ns values in a single query?
Hello everyone, we are having a situation on our Splunk system. We recently noticed that there are several dashboards that are being created by users and shared only with themselves. As administrators of the Splunk system, we are unable to view those dashboards in the normal way unless we query them via REST. Is there any way to set view access for the administrator role so it can view all the dashboards/reports/alerts/scheduled searches that are being created by users? Thank you.
Configure an AWS account ID in Splunk using the "Splunk App for AWS" and "Splunk Add-on for AWS" apps
Hello, I have been hacking away trying to get a working CSS override for the Highcharts bar and column charts. Has anyone managed to get this working? I basically want to remove the sharp square edges from these charts to give them a modern feel. Also, I have been looking for a way to apply a gradient to the chart sections. These two things could really make a substantial difference visually. I can't use JS in my environment, and I am hoping for a CSS or a hidden simple XML property/value. Last, I am looking for a donut chart option for the pie charts. It looks like it used to exist, but I can't seem to figure out how to enable it on Enterprise version 7.2.10. I see 3rd-party options, but I can't use them.
Hi there, can I know how to get the records from ver 1.1, case-sensitively, excluding the records from ver 1.2? Currently I have data like this:

records:
============================================
index=a, ver=1.1, a="halo", b="haha", c="nana"
index=a, ver=1.1, a="testing", b="haha", c="nana"
index=a, ver=1.1, a="halo", b="kaka", c="testing"

index=a, ver=1.2, a="halo", b="haha", c="nana"
index=a, ver=1.2, a="lala", b="haha", c="nana"
index=a, ver=1.2, a="halo", b="kaka", c="TESTING"
============================================

Expected result:
index=a, ver=1.1, a="testing", b="haha", c="nana"
index=a, ver=1.1, a="halo", b="kaka", c="testing"

Is that possible to do?
I'm working to transition a traditional search to use the accelerated data models my environment has available. My original search is below:

(index=firewall sourcetype="vpn-resource" (event_id="authentication") status=success) OR (index=webapp outcome.result=SUCCESS eventType=user.authentication.sso) OR (index=mfa sourcetype=mfa:authentication result=SUCCESS)
| fields type user src_ip targetAppDisplayName ip integration username index
| eval user=coalesce(user, username)
| eval "Resource Accessed"=coalesce(type, integration, targetAppDisplayName)
| eval src_ip=coalesce(ip, src_ip)
| iplocation allfields=true src_ip
| search City!=""
| eval cur_t=_time
| streamstats current=t window=5 first(lat) as prev_lat first(lon) as prev_lon first(cur_t) as prev_t first(src_ip) as IP2 first(City) as City2 first(Country) as Country2 first("Resource Accessed") as prev_r first(index) as prev_i by user
| rename src_ip as IP1 City as City1 Country as Country1 "Resource Accessed" as first_r index as first_i
| eval time_diff=cur_t - prev_t
| distance outputField=distance inputFieldLat1=lat inputFieldLat2=prev_lat inputFieldLon1=lon inputFieldLon2=prev_lon

My version using tstats follows; however, with the tstats command I appear to run into issues with the distance command, as both lat/lon and prev_lat/prev_lon are working on a per-event rather than a per-user basis.

| tstats summariesonly=true prestats=t count fillnull_value=NULL from datamodel=firewall_dm where (log.event_id=gateway-auth) AND log.action=success by sourcetype _time log.action log.src_ip log.user
| tstats summariesonly=true append=t prestats=t count fillnull_value=NULL from datamodel=Authentication where (sourcetype=mfa:authentication OR sourcetype=webappIM2:log) AND Authentication.action=success by sourcetype _time Authentication.action Authentication.src Authentication.user Authentication.app
| rename log.* as *, Authentication.* as *
| eval src_ip=coalesce(src, src_ip)
| eval "Resource Accessed"=if(match(sourcetype, "vpn-resource"), "VPN", app)
| iplocation allfields=true src_ip
| search City!=""
| eval cur_t=_time
| streamstats current=t window=5 first(lat) as prev_lat first(lon) as prev_lon first(cur_t) as prev_t first(src_ip) as IP2 first(City) as City2 first(Country) as Country2 first("Resource Accessed") as prev_r first(index) as prev_i by user
| rename src_ip as IP1 City as City1 Country as Country1 "Resource Accessed" as first_r index as first_i
| eval time_diff=cur_t - prev_t
| distance outputField=distance inputFieldLat1=lat inputFieldLat2=prev_lat inputFieldLon1=lon inputFieldLon2=prev_lon

Since the input data from both base searches is the same (lines , I would expect the outcome to match; however, I believe my use of prestats is somewhat limiting my ability to manipulate the data downstream?
Hi, I am looking for help with the following. My panel takes a combination of two inputs, 'index' and 'customerID', in the query. It has a dropdown with static 'index' and 'customerID' values. The requirement is: how can I enable a search for a customerID value that is outside these static values? For example, when I enter '123456' in the dropdown, it should pass the value index=*, customerID='123456' to the query (considering that '123456' was not among the static dropdown values). I appreciate your help on this!
Why are most of my Enterprise Security dashboards blank? How do I open the flood gates of data or events into ES? No matter what options I pick or which dashboard I open, it says no results found. We have a large environment; where are the events, all the goods, and the incidents?
I saw a few examples:

https://community.splunk.com/t5/Splunk-Search/How-do-I-compare-search-results-from-two-different-time-periods/m-p/221177
https://community.splunk.com/t5/Splunk-Search/How-to-compare-two-time-same-time-frames-with-different-day-s/m-p/504217

But these queries aren't doing exactly what I want to do. I basically want to take a 10-minute interval, from now to 10 minutes ago, and compare it against the value from -24h (and 10 minutes before that), to compare the values and see whether the day-to-day trend holds for that 10-minute period.

index=oms sourcetype="oms-dashboard" logType="transaction" stage="end" earliest=-24h latest=-1h
| eval period=if(_time>=relative_time(now(),"-23h"),"current","previous")
| chart count(request) over request by period
| eval difference=abs(previous-current)/previous*100
| table request difference previous current

Does anyone have an idea?
I have a CSV with the following data:

19,john doe,blue car,NAY,NA,YAY,,NIL,,,,NA,,

There are 14 fields in the above line, but when I try the automatic field extractor via "Extract more fields", it only recognizes 13 fields. Why is the field extractor dropping the last field?
Hi all, I'm trying to get two depends in for one panel. I created a link switcher based on the code used in Splunk Dashboard Examples. Whenever I click on one of the links, I want to see the results filtered for it, but only if there are results available; otherwise I want the panel to be hidden. This is what I have so far, but it only works for the link switcher part.

<form theme="dark">
  <label>Hidden panel</label>
  <search id="base">
    <query>(index=dummy...not important for this case)</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label>Period</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="link" token="unused">
      <label>Choose a view</label>
      <choice value="info">Info</choice>
      <choice value="exception">Exception</choice>
      <default>Table</default>
      <change>
        <condition value="info">
          <set token="showInfo">true</set>
          <unset token="showException"></unset>
        </condition>
        <condition value="exception">
          <set token="showException">true</set>
          <unset token="showInfo"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table depends="$showException$, $showPanel$">
        <title>Exceptions</title>
        <search base="base">
          <query>| where ....not relevant</query>
          <progress>
            <condition match="'job.resultCount' &lt; 0">
              <set token="showPanel">true</set>
            </condition>
            <condition>
              <unset token="showPanel"></unset>
            </condition>
          </progress>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
I know Splunk manages its own internal logs, and there are log.cfg and local-log.cfg. I am wondering whether we can manage the log files we monitor, e.g. /var/log/mylog.log, via Splunk's built-in log management. I mean just adding entries in local-log.cfg? Thanks a lot.
Is there a way to share dashboard panels between Splunk Enterprise and ES, so a user can check dashboards from one spot?
Hello everybody, I would like to know if it is possible to edit a lookup file directly in Splunk without downloading the CSV. Thank you in advance. Regards