Hi, I have the below SPL which gets the count of each value of the field named "subject". I want to be able to select the values whose count is greater than 5. For example, if the search below returned 10 results, but only 2 had a count greater than 5, how can I pick those two values out and store them in new fields that I can reference after?

index=email_log RejType="Virus Signature Detection" | stats count by subject

Thanks!
I'm having an issue running a Python script to generate the contents of an email body to Splunk. I've had to install a Windows UF to a Windows 10 workstation as local admin. I've deployed a Python script that works when I manually run it on the workstation. Since Splunk UFs don't come with Python, I downloaded Python separately and added an environment variable and path. I consistently get the following messages:

Couldn't start command "Python3.exe "C:\Program Files\SplunkUniversalForwarder\bin\scripts\script1.py"": The system cannot find the file specified.
Couldn't start command "Python3.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\custom-app\bin\script2"": The system cannot find the file specified.

I've tried:
- Adding PYTHONPATH to splunk-launch.conf for external
- Adding a .bat wrapper
- Tried .cmd
- Tried PowerShell
- Installing and deploying Splunk for Python Computing
- Adding the full path of Python to the .bat files

@woodcock do you have any suggestions? Anyone? Any suggestions?
I have a field in Splunk named commandline. I want to filter this field just by values containing "C:\". This appears sometimes at the beginning of the field value and other times in the middle. Can someone help me with a regex statement or other search filter to narrow my results this way?
Is it possible to restrict a user from creating reports, alerts and dashboards from within the Search & Reporting app, or to limit creation to an app of an admin's choosing? Our Splunk platform has multiple apps built within it for specific areas of the business; however, in the past, certain departments have created dashboards outside of their area, which has been a pain to manage and is generally untidy.
Hi All, I am currently working as a Splunk Developer and trained on Admin and had some lab work done. Can I shift from a developer to an Admin role without much hands-on experience and handle the roles and responsibilities?
Hi Splunkers,

I have the below tables generated from the below queries and I'm looking for a consolidated multi-series view of both tables in one panel with a column chart visualisation.

Query 1:

index=abc TYPE="Run bot*" | transaction BOT_NAME startswith=(TYPE="deployed") endswith=(TYPE="finished") | eval min=round((duration/60),2) | eval BOT_RUN_TIME_MINS=round(min,2) | eval BOT_Run_Completed_Timestamp=strftime(_time, "%Y-%m-%dT%H:%M:%S") | eval BOT_RUN_TIME_MINS=round(BOT_RUN_TIME_MINS) | timechart span=1d avg(BOT_RUN_TIME_MINS) as Average_Run_Time by BOT_NAME

Table 1:

_time       bot1  bot2  bot3  bot4
2021-03-09        5     123   26.5
2021-03-10  48    5     93    29.5
2021-03-11        5     108   21
2021-03-12        9     116   33
2021-03-13
2021-03-14
2021-03-15        3.75  160   68.5

Query 2:

index=abc TYPE="Run bot*" | transaction BOT_NAME startswith=(TYPE="Deployed") endswith=(TYPE="finished") | eval min=round((duration/60),2) | eval BOT_RUN_TIME_MINS=round(min,2) | eval BOT_Run_Completed_Timestamp=strftime(_time, "%Y-%m-%dT%H:%M:%S") | eval BOT_RUN_TIME_MINS=round(BOT_RUN_TIME_MINS) | timechart span=1d count by DEVICE

Table 2:

_time       deviceA  deviceB  deviceC  deviceD
2021-03-09  8        1        3        1
2021-03-10  12       1        5        0
2021-03-11  11       0        6        0
2021-03-12  11       0        8        0
2021-03-13  5        0        1        0
2021-03-14  5        0        2        0
2021-03-15  12       0        5        0
2021-03-16  4        0        3        0

I want both the bot info and the device it has run on in the same multi-series chart. Please help me with this. Thanks in advance. Let me know if you need any other details.
Hi, just wondering if it's possible to see through Splunk how much electricity e.g. a running application consumed? Is it possible? Br /RR
Hi, I have a problem in Splunk App for Infrastructure. I created an alert in Splunk; once my trigger happens I get an alert from Slack, but I do not receive an alert from Gmail. The configuration is done for both Slack and Gmail. The error I am getting is:

"530, b'5.7.0 Authentication Required. Learn more at\n5.7.0 https://support.google.com/mail/?p=WantAuthError"
Hello Everyone, this may be an odd question, but I am wondering how (if possible) to add a useful timerangepicker to a dashboard in which all panels are from existing reports. In the past, the dashboard has just been run for "Last 7 Days", which all of the reports are set up for. Recently, a feature has been desired to allow the user to select the time range for which the data will be presented. Obviously I can add the timerangepicker and submit button pretty easily, but how do I tie the chosen time range to the reports in the panels without recreating everything? Thank you for your time and assistance!
Is there a way to show in a dashboard which folder it is stored in? There could be at least three locations for a dashboard to open from (e.g. my.xml) depending on who has changed it:

1. user/app/local/.../my.xm
2. etc/app/local/.../my.xml
3. etc/app/default/.../my.xml

If the same dashboard is found in more than one place, it will open the one with the lowest number (1.). It would be nice to show that this is not the default dashboard. The current user can be found with this rest command:

| rest /services/authentication/current-context splunk_server=local | fields username

so hopefully the current dashboard location could be found using rest. The URL in the browser just shows the name of the dashboard, not the location.
After upgrading the Microsoft Azure add-on for Splunk from ver. 3.0.1 to 3.1.1, I noticed that some important details are missing in the sign-in events collected through the "Microsoft Azure Active Directory Sign-ins" input. For example, the whole authenticationDetails section is no longer visualized. The event from the ver. 3.0.1 add-on contains:

.....
appId: xxxxxxx-xxxxx-xxxx-xxxxx-xxxxxxxxx
appliedConditionalAccessPolicies: [ [+] ]
authenticationDetails: [ [+] ]
authenticationMethodsUsed: [ [+] ]
authenticationProcessingDetails: [ [+] ]
authenticationRequirement: multiFactorAuthentication
authenticationRequirementPolicies: [ [+] ]
clientAppUsed: Browser
....

while the events from ver. 3.1.1 don't:

appId: xxxxxxx-xxxxx-xxxx-xxxxx-xxxxxxxxx
appliedConditionalAccessPolicies: [ [+] ]
clientAppUsed: Browser
....

Also some other information like userAgent or userType is missing. Did any of you experience the same issue?
Hello, we are running DM acceleration, and we saw that every time the acceleration is running the disk gets full. After investigation, we saw that the data of the old GUID is not removed from disk, and that causes our disk to fill up. We are running Splunk using a Docker image and using Ansible. It looks like it is an issue with Ansible, but I'm not sure. Any idea, anyone? Thanks
Dear Team, I have a weird scroll issue happening in Lookup Editor App 3.4.6 (Splunk 8.0.5). For a lookup with 289 entries, when I try to filter/search something in the Search Lookup text box and try to scroll to the right, my table entries collapse and I am unable to see any entries; the vertical scroll bar also disappears.

[screenshot: collapsed view with search/filters]

If I don't use the filter/search option, I don't have any problem.

[screenshot: normal view without any search/filters]

The issue persists even after clearing cookies/cache and trying out different browsers. I tried reading @LukeMurphey's lookup editor project bug list and I was unable to find any threads for resolution. Any fix or workarounds would be highly appreciated, many thanks in advance!
I have used a Splunk setup view as a replacement for setup.xml. For this, I have used the Splunk JS SDK. I have a password field on the setup page. The JS SDK saves the encrypted password in the 'local/FILENAME.conf' file. This JS SDK internally calls the Splunk API. The password API (https://{HOST_NAME}/en-US/splunkd/__raw/servicesNS/nobody/{TA_NAME}/storage/passwords?count=0&output_mode=json) response returns both the plain password and the encrypted password. How do I avoid the plain password in Splunk's password API response? Thanks in advance.
If I want to buy a subscription for on-premise Splunk Enterprise Security, what is the way to go about it? Some questions:

1. Is Enterprise Security just an app that is to be installed on Splunk Enterprise, or is it a separate Splunk bundle altogether?
2. If I install Splunk Enterprise Security on Splunk Enterprise, will it use the data ingestion license of Splunk Enterprise, or will I have to buy a separate ingestion license for Enterprise Security?
3. Does Splunk Enterprise Security care about the daily ingestion limit, or is it a function of the underlying Splunk Enterprise installation?
4. Can I deploy Splunk Enterprise Security as follows: install Splunk Enterprise and apply a daily ingestion license of xGB/day; buy a subscription for Splunk Enterprise Security, download the app and install it on my Splunk Enterprise install; in case I need to increase the ingestion limit, buy the upgraded license and install it on the Splunk Enterprise?
5. Can anyone point out a ballpark figure for the price of Splunk Enterprise Security?

Thanks, Termcap
Hello, I am new to Splunk and I want to connect my Salesforce org to the Splunk app, but there is no data retrieved from the org and this error is shown:

ERROR CsvDataProvider - The lookup table 'lookup_sfdc_objects' does not exist or is not available.

In fact it does exist, as the .csv and .back files exist in the app folder.
Hi Splunk, I am using the Enterprise version of Splunk, and we have a plan to migrate the current Splunk server in AWS to another in Azure. We just want to move the data from the last year, so could you show me a solution for this? Thank you.
Greetings All, I'm indexing a bunch of metrics files written every 10 minutes. Just after midnight I get a file containing the same format of metrics, but each value is the sum for the previous day. This totals file I want to ignore (it messes up all sorts of use cases of the metric data). The only way to reliably identify a totals file is that the third line holds a timestamp, and this will be all zero. Any other file will have a normal ISO timestamp at this point.

REGEX = ^TimeStamp\s+:\s+0000-00-00\s00.00.00.000

Is there a way to block that file's ingestion based on the content of a single line? Thanks, R.
I have a bunch of logs containing different table operations, and I want to check how much time each table operation costs. I extract the table name from the message; however, how do I use this extracted value to calculate the duration of the table operation for each? Got stuck here.

index=stg_heroku app_env=ppr app_name=datamigration | rex field=_raw "data retrieval for table (?<table_name>\w+) is starting" | transaction 'table_name' startswith="starting" endswith="json is pushed" | stats perc90(duration) as 90%_Consumed_Time

I try to extract table_name using rex, and use table_name for transaction for grouping. Could someone help with this?
Hi Splunk Community, I am having some problems with my M365 App and Add-on. Here is a short overview of what the Add-on and the App are intended to do. The Add-on is responsible for getting the data from your Azure API; for that you set up an API user on the Azure side, give it read rights and configure this user in the Add-on. Now you need to configure the inputs that you want to gather; I have configured all of them. And now the Add-on is gathering the configured data from Azure, so it's time to switch to the App and get an overview of the data in the form of dashboards. Most dashboards are displaying the right data, but these are not: Message Category & Teams Security. I already talked to support, but the App is not officially supported, so I don't get any help from Splunk Support. I also sent a mail to the dev, but nobody responded, so the community is the last try to get this fixed. Kind Regards, Daniel