Hi all, I have a scheduled search every 30 minutes, which extracts a file in CSV:

search | outputcsv MyFile

I need to put a daily sequence in the file name: the file name MyFile_01 for the first file of the day, then in the second extraction of the day the file name is MyFile_02, and so on for all extractions. Can you help me? Thanks for any answer.
Best Regards, Simone
Hi, I am new to the Splunk tool. Based on a requirement from clients I am trying to create a dashboard for monitoring purposes. Does Splunk have some restriction based on the size of the log or the number of lines? I have created a log which contains the user data, fetched from a REST API, and I am injecting it into Splunk based on the log file names allowed in Splunk. But somehow it is not reading the whole log file and I could not get the desired count for the fields I required. I could see the error message saying "the limit has been reached for log messages."
Thanks, Shalini Bisht
Hello, all you talented people out there, may I request someone to please help me with a reference link or a video that explains well the usage and setting up of Splunk Summary Indexes? I tried finding one but I don't find a very good, detailed or properly explained reference anywhere. I have 4 dashboards that I built which don't take a lot of data, but using a summary index we will be able to load them faster with less load on the server. Will I need to make changes to the queries used in the dashboards when using it? Does it use your computer's hard disk when creating a dedicated index? Do we need to change the 'Index' details in our query to the one we will create for SI purposes... etc. Lots of questions; it would be better if I can get a step by step guide.
Thanks in advance, Nishant
Hello, I need to parse the kind of logs below:

Microsoft Windows [version 10.0.18363.1198]
(c) 2019 Microsoft Corporation. Tous droits réservés.

C:\WINDOWS\system32>dir C:\Tools\F
 Le volume dans le lecteur C s’appelle OSDisk
 Le numéro de série du volume est 88FB-20D5

 Répertoire de C:\Tools\F

05/10/2020  06:48    0 ABD-UPDATED.$w$
06/09/2018  13:27    0 Access Runtime 2013 (15.0_32b) EN.$w$
06/09/2018  13:27    0 Access Runtime 2013 (15.0_32b) ENP00.$w$
06/09/2018  13:30    0 Acrobat Reader DC (2015.006_32b) ML.$w$
06/09/2018  13:30    0 Acrobat Reader DC (2015.006_32b) MLP00.$w$
01/10/2019  08:01    0 User Data Backup (2.2_32b) ML.$w$
01/10/2019  08:01    0 User Data Backup (2.2_32b) MLP01.$w$

I need to create events for the lines just after

Répertoire de C:\Tools\F

It means that I need a new event for each timestamp and that I need to delete the first part of the log. How to do this, please?
I have a vendor whose application is not yet supported on Splunk Cloud but can be installed on an HF. I thought to check what error I am getting after uploading the app, so if possible I can tweak it and get it approved. After uploading I got the failure summary below; I need help to understand the error and, if possible, to get it resolved. I had followed the dev guide below as well, but was not able to get a proper understanding which could help to resolve the error.

[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_pretrained_sourcetypes_have_only_allowed_transforms
Only TRANSFORMS- or SEDCMD options are allowed for pretrained sourcetypes.
File: default/props.conf
Line Number: 3
Dev Guide: https://dev.splunk.com/enterprise/docs/reference/splunkappinspectcheck/
Hi everyone, I would like to ask if it's possible to use data from another row to be set as the value of a different row with the same key, such as in the table below.

id       username   status
XC2345              completed
XC2345              in progress
XC2345   killjoy    started
ZC9999              in progress
ZC9999   jett       started

In the example above, I would like to set the username of each row with the same id to the same as the one that has a value, so that they become like this:

id       username   status
XC2345   killjoy    completed
XC2345   killjoy    in progress
XC2345   killjoy    started
ZC9999   jett       in progress
ZC9999   jett       started

Would the above be possible through eval or another function?
Hi All,
Overview: I am receiving logs from 40 FortiGate firewall devices across the world and all are being indexed into the same index. As of now we have prepared dashboards and enabled a dropdown based on the devicename (location) field present in the log.
Question: I have a situation where I need to restrict the dashboards to users based on the "devicename", meaning the user from a location must see only their location-specific device logs, not others. Is it possible to restrict user access by field value?
Hi everyone, I just want to ask about this particular case that I am rather unsure is possible to execute in Splunk. So let's say I have 2 sets of forms (which in the future might have more):

1. Kitchen
2. Living Room

Each of those forms logs text responses in Splunk in different ways. The text field for Kitchen forms has

* kitchen diameter * [ 12 sqm]
* sink diameter * [5 sqm]
* table color* [blue]

Then for the living room form, it might have the following information:

*sofa color * [green]
*wall color * [black]
*tv availability* [none]

... and so on (just to emphasize that there can really be a huge variety in what kind of data is in the text). Now, my question is: would it be possible to break them all down in such a way that the values of the text would be the column names when I select them in the dashboard? I want to retrieve them according to when they're selected from a dropdown. I was hoping to use the dropdown to allow me to select either of those three forms. Upon selection, what should happen is that the table below it should change according to what was selected. So the table for kitchen would look like

sofa color   wall color   tv availability
12sqm        5sqm         none

And when I select the living room form it would look somewhat like

kitchen diameter   sink diameter   table color
green              black           none

I was thinking of using rex to extract them, but after extracting them would it be possible to use them as column data? Also, can rex handle it dynamically, like if a form has 6 types of key value pairs, would it be able to handle it?
I have pivoted my dataset to generate a table. The row and column headers are auto-generated based on attributes of the dataset. My requirement is that instead of each count, I want a percentage.

Search Query:

| pivot Fill_Latency RootObject count(RootObject) AS "Fill Count" SPLITROW TradeDate AS TradeDate SPLITCOL DurationRangeSec SORT 100 TradeDate ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1

Date         RangeA   RangeB   RangeC
19/02/2021   425      1195     1584
10/03/2021   70       0        0
17/03/2021   28002    35927    9839

Expectation:

Date         RangeA        RangeB        RangeC
19/02/2021   13.2646692    37.2971286    49.4382022
10/03/2021   100           0             0
17/03/2021   37.9595489    48.7026895    13.3377616

@somesoni2 @tdhellma @Melstrathdee @martin_mueller @okrabbe
Hi, I am trying to get four panels into a single chart. They use the same filter condition for getting the count; the only difference is the timeframe. Can I get all the data into one single chart based on time frame? The time frames are 30 months, 60 days, 180 days and 12 months, to get user login data.
Hi, my filter is the following, which shows the list of unique users with the number of times they have logged into the system/server with a success response:

index=* eventName=* host IN(here is the list of the servers) response.status=SUCCESSFUL | stats count by "userId" | sort - count

The result is in the attached screenshot. My requirement is to also get the total number of distinct users. I can fetch it by dc or distinct_count(userId), but how can I get all three pieces of data on the same page: the list of users, the total number of users, and the number of times they logged in as count?
Hi, I am new to Splunk, having just started a few days ago. Below are the events that I have searched and sorted. I would like to get the duration between step 1 and step 2 for the same UniqueString, and show it in a new field. The reason to store it in a new field is that I would like to later make a chart to show the before/after of the 2 eval runs. I read many help pages and I tried eval and stats, but it ends up with 0 results. Please help.

My search:

index=aaa host=aaa* sourcetype=aaa_logs Command="Step1*" OR Command="Step2*" | sort by _time | dedup UniqueString

210312 12:07:45.619 INFO Step1( "UniqueString2.DAT" )
210312 12:07:55.609 INFO Step1( "UniqueString1.DAT" )
210312 12:07:56.015 INFO Step2("M;UniqueString1", "A", "C", "D", "A")
210312 12:07:56.609 INFO Step1( "UniqueString3.DAT" )
210312 12:15:27.989 INFO Step2("M;UniqueString2", "B", "E", "F", "B")
I am trying to create an alert if Splunk detects anomalies in my log creation rate. For example, my application normally generates about n logs per second, but I would like to be alerted if there is an n% increase in my logging compared to my historic volume over time.
Hi, how do I create a query to show the Active Sprint (JIRA) with start and end date in my Splunk dashboard? I don't have fields with Sprint details. The fields which I have are:

IssueCreated
IssueUpdated
ProjectID
IssueType, e.g. story, bug, task
Status, e.g. to do, done, in progress

Can someone help to create a Splunk query for the same?
Hello, I have 5 dashboards in a Splunk application with the same set of filters on top of them. I am trying to figure out a way in which, if a user chooses some filters on the first dashboard and they navigate to the next dashboard, the same filter values remain intact and are applied again. And this should continue with subsequent filter changes and dashboard changes. Not sure if this feature is possible at all in Splunk or if anyone has done this before. Would like to hear some ideas on the same. Thanks in advance!
Hi there, I have a query that restricts events that were delivered, and my search window is from 01/20/21 through 01/23/21. I am only seeing results for events that date from 1/21 through 1/22. This is because I have restricted the delivered events, so I am assuming no events were delivered on 1/20. However, let's say that within my query I would like to include the date for 1/20. My approach is adding earliest=@w3 since 1/20 falls on a Wednesday. I would like to know if my understanding of time modifiers is correct.

(index="YYY" earliest=@w3) stats(records) as records by files | where isnull(delivered)
I have a JSON log entry with key-value pairs within the field component. I'm trying to transform the field into sub-fields using the key-value pairs. Example:

"msg":{"additionalValues":"{responseTime=137, synapseTag=None, serviceName=switching-integration, uri=com.bigcompany.switching, responseCode=200}", <more fields>,...}

In Splunk, I can pull one field, referenced as "msg.additionalValues". But I can't seem to transform the KVPs within that field into sub-fields (such as "msg.additionalvalues.responseTime", msg.additionalvalues.synapseTag, etc.). Any ideas?
A client is asking for a Security Operational Guide for Splunk or the OS (Linux in this case). The operational security guide defines security metrics at the operational level. These metrics allow verifying the technical compliance of the operating system.
Hi everyone! My wordcloud is only showing "undefined". I'm following a search similar to

| stats count by word

But all it shows is this. Can someone please help me?
In my default.xml file I use

<collection label="My Custom Dashboards">
  <view source="unclassified" />
</collection>

However, this is returning some unwanted dashboards from another app. I know I can add match="dashboard", but is there a way to do match!="some_val", as the unwanted dashboards showing up begin with the same prefix?