I'm working on a Splunk app which uses Webpack to bundle and compile the JavaScript to ES5. I'm generating sourcemaps using the "source-map" devtool option in the webpack.config. As detailed in this post by @aprummer, Splunk injects some lines of internationalization code at runtime at the top of each page, which throws off the reference points within the sourcemaps. @aprummer solved this by regenerating the sourcemaps with a line offset. I tried this approach, offsetting the sourcemaps by the 5 lines added at the beginning of each file, and while I did see some success, with some breakpoints being hit closer to the entry point of the JS code, they are still not matching up and variables are not resolving properly. Has anyone else had any success with using Webpack and modern JS tooling within Splunk, and if so, how did you get source maps set up properly?
We are interested in a very targeted integration between AppDynamics and Splunk, namely the ability to push and catch health alert violations. AppDynamics has an HTTP request action and template capability, and Splunk has the HEC (HTTP Event Collector). Has anyone had success making this work? We can't seem to figure out how to set up using the Splunk HTTP event token in AppD. Any hints or insights would be greatly appreciated.
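The request shape the AppDynamics side has to produce, as an added example that is not part of the post and is not AppDynamics or Splunk code. HEC listens on port 8088 by default, takes the token in an `Authorization: Splunk <token>` header (not in the URL) and expects the payload under the `event` key of a JSON body; the AppDynamics HTTP Request Template only has to be filled in with those three things (method POST, that header, a JSON payload). Everything else here is an assumption: the token value, the source/sourcetype names, the violation fields, and the local stand-in collector, which exists only so the exchange runs offline and which mirrors the documented HEC reply codes (200/code 0 success, 403/code 4 invalid token, 400/code 5 no data). Treat the token as a write credential: serve HEC over HTTPS and restrict the token to the index the AppD events should land in, so anyone who can read the template configuration cannot write elsewhere.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical token, constructed for this example (a real one is created under
# Settings > Data inputs > HTTP Event Collector on the Splunk side).
HEC_TOKEN = "12345678-1234-1234-1234-123456789abc"
HEC_PATH = "/services/collector/event"


def build_hec_request(base_url, token, event, source="appdynamics",
                      sourcetype="appd:health_rule", index=None):
    """Return (url, headers, body) for one HEC event.

    This is what the AppDynamics HTTP Request Template has to emit: POST to
    <hec base>/services/collector/event, 'Authorization: Splunk <token>' as a
    header, and a JSON body whose payload sits under the "event" key.
    source/sourcetype/index are optional HEC metadata keys; the values used
    here are assumptions.
    """
    envelope = {"event": event, "source": source, "sourcetype": sourcetype}
    if index:
        envelope["index"] = index
    headers = {"Authorization": "Splunk " + token,
               "Content-Type": "application/json"}
    return base_url.rstrip("/") + HEC_PATH, headers, json.dumps(envelope).encode()


def send_hec(base_url, token, event):
    """POST one event and return (http_status, decoded HEC reply)."""
    url, headers, body = build_hec_request(base_url, token, event)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, json.loads(resp.read())


class FakeHEC(BaseHTTPRequestHandler):
    """Stand-in for the HEC endpoint so the example runs offline. It mirrors
    the documented replies: 200 code 0 on success, 403 code 4 for a bad
    token, 400 code 5 when the body carries no "event" payload."""
    received = []

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.headers.get("Authorization") != "Splunk " + HEC_TOKEN:
            return self._reply(403, {"text": "Invalid token", "code": 4})
        try:
            payload = json.loads(body)
            payload["event"]
        except (ValueError, KeyError, TypeError):
            return self._reply(400, {"text": "No data", "code": 5})
        FakeHEC.received.append(payload)
        self._reply(200, {"text": "Success", "code": 0})

    def _reply(self, status, obj):
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start the fake collector, send a constructed health-rule violation with
    the right token and then with a wrong one; return both outcomes."""
    server = HTTPServer(("127.0.0.1", 0), FakeHEC)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    # Constructed sample of what the AppDynamics template body might carry.
    violation = {"application": "checkout", "health_rule": "High CPU",
                 "severity": "CRITICAL", "status": "OPEN", "node": "web-01"}
    ok = send_hec(base, HEC_TOKEN, violation)
    try:
        send_hec(base, "not-the-token", violation)
        rejected = None
    except urllib.error.HTTPError as err:
        rejected = (err.code, json.loads(err.read()))
    server.shutdown()
    server.server_close()
    return ok, rejected


if __name__ == "__main__":
    print(run_demo())
```

The fake server is only there to show both sides of the exchange; against a real indexer the same `send_hec` call works with `https://<indexer>:8088` as the base URL, and a 403 with code 4 at that point means the token in the AppD template does not match the one Splunk issued.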
I created the following alert for finding systems that have recently stopped reporting. I haven't seen a similar solution to this problem, so I thought I would post it here in the hope that it might help others. This alert will find hosts that haven't sent data within the last day, but have in the days previous. It's set for the 3 days prior, but can be changed to a longer duration. It will report each host for 3 days to allow time for the admins to take action to get the system online. I suggest that the alert be set to run daily.

index=_internal source=*license_usage.log type=Usage earliest=-5d@d latest=-2d@d
| eval HostSource=idx . " / " . h . " / " . st
| fields HostSource
| dedup HostSource
| eval PAST="YES"
| join type=outer HostSource
    [ search index=_internal source=*license_usage.log type=Usage earliest=-2d@d latest=-1d@d
      | eval HostSource=idx . " / " . h . " / " . st
      | fields HostSource
      | dedup HostSource
      | eval PRESENT="YES" ]
| where isnull(PRESENT)
| table HostSource
| sort by HostSource
Hello, I have the following search, but I want it to show me, in a better way, the delays that are more than 1 hour out in either direction (less and more):

index=av
| eval index_time=_indextime, event_time=_time
| eval delay=round((_indextime - _time)/60, 0)
| convert ctime(index_time) ctime(event_time)
| where delay<3600 OR delay>3600
| sort - index_time
| table event_time index_time delay
Hello, I have an SH cluster with Enterprise Security deployed (Splunk version 8.0.4.1, Enterprise Security 6.2.0). I created a Notable event suppression for a particular Notable event (using the Incident Review dashboard). I set an expiration time for this suppression. Everything worked as expected. But then I found that the NE suppression was still active, even after the expiration time: no NE visible in the Incident Review dashboard. (But there were Notable Events in the notable index all the time, as expected.) In other words, Splunk simply ignored the expiration time of the NE suppression and behaved as if the NE suppression had been set without an expiration time. Notable Events became visible in Incident Review after the NE suppression was manually disabled, and from that point everything worked as expected. There are a few other NE suppressions and all work as expected. I examined the Splunk logs, but I cannot see anything suspicious. I am not able to reproduce this behavior again in any way. Is there someone with a similar experience? Could someone give me a hint on what I should look for to find the root cause of this behavior? Best regards, Lukas
Hello Splunkers! I have set up DNS analytical logging on a Windows 2012 R2 server with the following configuration:

[WinEventLog://Microsoft-Windows-DNSServer/Audit]
sourcetype = MSAD:NT6:DNS
disabled = 0
index = test
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = false

When I search the _internal logs, I do not see any errors, but I get the following logs:

03-08-2021 12:26:25.609 +0200 INFO Metrics - group=per_sourcetype_thruput, series="msad:nt6:dns", kbps=0.029, eps=0.129, kb=0.908, ev=4, avg_age=1.000, max_age=1

However, I do not receive any logs for this sourcetype. Are there any clues why I can't see these logs?
Hi Team, we got a requirement to set up the Ping Access and Ping Federate app in Splunk. When I checked Splunkbase there was not much information about it. Hence I want to know whether it should be installed on the search head as well as on the indexers or heavy forwarders, and what best practice should be followed. I also want to know how to configure and ingest those logs into Splunk.
Hello, I want to compare the value of the week before last with the value of my search (last week) and put the percentage growth/decrease in the result. Currently I can display the value of the previous week, and in another search the value of the week before last. However, I cannot compare the two values. My query looks like this (in the search I set last week):

"..." | stats count as lastweek | append [search "..." earliest=-14d latest=-7d | stats count as lastweek1]

Result:

lastweek    lastweek1
XX          XX

Desired result:

lastweek    lastweek1    Change
XX          XX           50%

This gives me two values, but I can't compare them, at least I don't know how. Of course it would be even more elegant if I had the value already in the first query without having to use append. Is there a solution, so that I have the values of the previous week in the same query and can compare both values?
I'm trying to create an alert that is triggered when event X is > 20% of a specific event type. Once I have the trigger values, I want to include a CSV file that has the +20% transactions. So far I've been able to create the query to get the list for the CSV and a separate query that populates the necessary values for the alert condition, but I can't figure out how to attach a different CSV file to an alert, or to populate the alert with certain values while excluding others from the attachment that are necessary for the trigger condition.
Hi, Is there any way to connect survey results from Microsoft or Google forms to Splunk and build a Customer Satisfaction dashboard out of it?  
Hi, I am trying to figure out how to create an alert when a specific user appears in the output of the lastlog.sh script. The output is a nicely formatted table as follows:

Username    From       Latest
user1       1.1.1.1    Fri Mar 4 2:20

I am new to Splunk; I cannot figure out how I would create a query that would model something like an object where I can loop through everything under the Username column and then do a lookup to see if user1 exists. Any help would be appreciated. The ultimate goal is for the query to show if "user1" appears in the output of:

host=our_server sourcetype=lastlog

Any links to documentation for this would be helpful too.
Hi Splunkers, I'm collecting logs from S3 through a heavy forwarder; they are in JSON format. After indexing I see the logs in the format below. I want the fields inside the message field to be extracted into individual fields.

{
  @timestamp: 2021-03-08T12:55:42.959Z
  @version: 1
  host: XX.XXX.XXX.XXX
  message: <171>Mar 08 13:09:22 LOGSTASH[-]: {"@version":"1","facility_label":"zyx","program":"CRON","logtype":"syslog-prod","priority":86,"tags":["_grokparsefailure"],"pid":"1234","vmd_name":"abc","host":"XX.XXX.XXX.XXX","severity":6,"facility":10,"beat":{"name":"zxz"},"@timestamp":"","type":"xyz","timestamp":"Mar 8 13:09:22","logsource":"abc","severity_label":"Informational","message":"abc: session closed for user root\n"}
  port: 1234
}

I have tried the following transforms config on the HF and it didn't work:

props.conf
[aws:s3]
TRANSFORMS-xyz = s3-trans

transforms.conf
[s3-trans]
REGEX = [\"|\@](\w+)\":[\s]*([^\,\}]+)
FORMAT = $1::$2
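An added example, not from the post: what the posted REGEX/FORMAT pair actually yields on an event of this shape, next to the parse a practitioner would rather do (strip the syslog header that Logstash prepended, then parse the embedded JSON properly so nested objects and arrays survive). The sample event is constructed from the post with placeholder addresses; the `inner_` prefix and the syslog-header regex are assumptions. Two caveats on the posted config: an index-time transform that writes fields with `FORMAT = $1::$2` also needs `WRITE_META = true` in its transforms.conf stanza, and a search-time alternative that needs no forwarder change is `| rex field=message "(?<payload>\{.*\})$" | spath input=payload`.

```python
import json
import re

# Constructed sample modelled on the event in the post; addresses and names are placeholders.
INNER_JSON = ('{"@version":"1","facility_label":"zyx","program":"CRON","logtype":"syslog-prod",'
              '"priority":86,"tags":["_grokparsefailure"],"pid":"1234","vmd_name":"abc",'
              '"host":"10.0.0.1","severity":6,"facility":10,"beat":{"name":"zxz"},'
              '"@timestamp":"","type":"xyz","timestamp":"Mar 8 13:09:22","logsource":"abc",'
              '"severity_label":"Informational","message":"abc: session closed for user root\\n"}')
SAMPLE_EVENT = {
    "@timestamp": "2021-03-08T12:55:42.959Z",
    "@version": "1",
    "host": "10.0.0.1",
    "message": "<171>Mar 08 13:09:22 LOGSTASH[-]: " + INNER_JSON,
    "port": 1234,
}

# What Logstash put in front of the JSON: <PRI>, a BSD-syslog timestamp, a tag, then the payload.
SYSLOG_WRAPPED_JSON = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<tag>[^:]+): (?P<payload>\{.*\})\s*$", re.S)

# The regex from the post, kept verbatim for comparison.
POSTED_REGEX = re.compile(r'[\"|\@](\w+)\":[\s]*([^\,\}]+)')


def extract_with_posted_regex(message):
    """Fields as the posted REGEX / FORMAT = $1::$2 pair would produce them:
    keys lose their leading '@', values keep their quotes, and the nested
    beat object and the tags array come out as truncated text."""
    return dict(POSTED_REGEX.findall(message))


def flatten(obj, parent=""):
    """Flatten nested dicts to dotted keys (beat.name); lists stay multivalue."""
    out = {}
    for key, value in obj.items():
        name = parent + "." + key if parent else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def extract_inner_fields(message, prefix="inner_"):
    """Strip the syslog header, parse the embedded JSON with a real JSON
    parser and return the inner fields (prefixed so they do not collide with
    the outer host/@timestamp) plus facility/severity decoded from <PRI>."""
    m = SYSLOG_WRAPPED_JSON.match(message)
    if not m:
        raise ValueError("message is not a syslog-wrapped JSON payload")
    pri = int(m.group("pri"))
    fields = {"syslog_pri": pri, "syslog_facility": pri // 8,
              "syslog_severity": pri % 8, "syslog_tag": m.group("tag")}
    for key, value in flatten(json.loads(m.group("payload"))).items():
        fields[prefix + key] = value
    return fields


if __name__ == "__main__":
    print(extract_with_posted_regex(SAMPLE_EVENT["message"]))
    print(extract_inner_fields(SAMPLE_EVENT["message"]))
```

Running it shows why a character-class regex is the wrong tool for JSON: the posted pattern turns `"beat":{"name":"zxz"}` into a field `beat` holding `{"name":"zxz"` and leaves every string value wrapped in quotes, while the JSON parse gives `inner_beat.name=zxz`, a multivalue `inner_tags`, and an `inner_message` with the newline decoded.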
We are getting the data from a database every 5 minutes. Even if the field value doesn't change, the same value will be indexed with a different timestamp every 5 minutes. There is a status field which indicates whether the device is on or off. We want to get the time of the status change for the device, with the timestamp. Please suggest the query for this.
Mar 8 05:53:40 localhost haproxy[1668]: IP:port[08/Mar/2021:05:53:39.081] abc soap_services/soap-hostname-5000 0/0/0/1191/1198 200 517722 - - ---- 6/6/1/0/0 0/0 "POST /connect/StatelessSoapAcceptor/?gtxInitialProcess=FrameworkEVAServices.API.Tag.TagV1 HTTP/1.0"

Mar 8 05:53:40 localhost haproxy[328]: IP:port [08/Mar/2021:05:53:39.070] abc rest_service/rest-hostname-5001 0/0/0/1279/1280 200 18794 - - --VN 5/5/1/0/0 0/0 "GET /services/cm/crosstags?sourcetag=kbase_test&targettagset=topic HTTP/1.1"

I have these sets of events (SOAP and REST services). These are the HAProxy (Apache) logs. I am trying to create a response time for each REST and SOAP call. I would like to extract the strings below from the events, in the table format below:
1. Type of service (soap_services or rest_service)
2. hostname
3. status code (200)
4. response time (in the events above, 517722 and 18794 are the millisecond response times); needed in seconds
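An added example (not from the post): a parser for the two event shapes above, run over constructed lines, producing the four columns asked for. One caveat before building the dashboard on it: in HAProxy's httplog format the column after the status code (517722, 18794) is bytes read, and the per-request timers are the `0/0/0/1191/1198` column (Tq/Tw/Tc/Tr/Tt in milliseconds, Tr being the server response time), so the parser returns both readings under separate names and the reader can pick whichever the deployment actually logs. The client addresses and the extra non-request line are constructed.

```python
import re

# Constructed sample lines modelled on the two events in the post (addresses are placeholders).
SAMPLE_LINES = [
    'Mar 8 05:53:40 localhost haproxy[1668]: 10.1.2.3:51234 [08/Mar/2021:05:53:39.081] abc '
    'soap_services/soap-hostname-5000 0/0/0/1191/1198 200 517722 - - ---- 6/6/1/0/0 0/0 '
    '"POST /connect/StatelessSoapAcceptor/?gtxInitialProcess=FrameworkEVAServices.API.Tag.TagV1 HTTP/1.0"',
    'Mar 8 05:53:40 localhost haproxy[328]: 10.1.2.3:51235 [08/Mar/2021:05:53:39.070] abc '
    'rest_service/rest-hostname-5001 0/0/0/1279/1280 200 18794 - - --VN 5/5/1/0/0 0/0 '
    '"GET /services/cm/crosstags?sourcetag=kbase_test&targettagset=topic HTTP/1.1"',
    # A line that is not an HTTP request log (a state change) and must be skipped.
    'Mar 8 05:53:41 localhost haproxy[328]: Server rest_service/rest-hostname-5001 is UP',
]

# HAProxy httplog layout, field by field; named groups keep the mapping explicit.
HAPROXY_HTTP = re.compile(
    r"haproxy\[(?P<pid>\d+)\]: "
    r"(?P<client_ip>[0-9a-fA-F.:]+):(?P<client_port>\d+) ?"   # post shows both "ip:port[" and "ip:port ["
    r"\[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) "
    r"(?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>\+?\d+) "
    r"(?P<status>\d{3}) (?P<bytes_read>\+?\d+) "
    r"(?P<req_cookie>\S+) (?P<resp_cookie>\S+) (?P<termination_state>\S{4}) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\+?\d+) "
    r"(?P<srv_queue>\d+)/(?P<backend_queue>\d+) "
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<version>[^"]+)"')


def parse_haproxy_http(line):
    """Return the columns the post asks for, or None for non-request lines."""
    m = HAPROXY_HTTP.search(line)
    if not m:
        return None
    f = m.groupdict()
    bytes_read = int(f["bytes_read"].lstrip("+"))
    return {
        "service_type": f["backend"],        # soap_services / rest_service
        "hostname": f["server"],             # soap-hostname-5000 / rest-hostname-5001
        "status": int(f["status"]),          # 200
        # The post reads this column (517722 / 18794) as milliseconds; in the
        # httplog format it is bytes_read. Both readings are returned.
        "bytes_read": bytes_read,
        "posted_responsetime_s": bytes_read / 1000,
        # Timers column is Tq/Tw/Tc/Tr/Tt in ms; Tr is the server response time.
        "tr_s": int(f["tr"]) / 1000,
        "tt_s": int(f["tt"].lstrip("+")) / 1000,
        "method": f["method"],
        "uri": f["uri"],
    }


def response_table(lines):
    """Parse every line and keep only the HTTP request logs."""
    rows = (parse_haproxy_http(line) for line in lines)
    return [row for row in rows if row is not None]


if __name__ == "__main__":
    for row in response_table(SAMPLE_LINES):
        print(row)
```

The named groups carry over into a Splunk `rex` with the `(?<name>...)` syntax and the division by 1000 becomes an `eval`; keeping `termination_state` in the extraction is worth it, since a non-`----` value (the `--VN` above) is where HAProxy records why a session ended the way it did.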
Hello, we monitor files generated by processes launched by several users on the same server. The file names do not contain a reference to the user. On the other hand, the user is recorded as the owner in the NTFS rights of the file. Is there a solution to retrieve this information to use it as a field value, or to rename the Splunk source by adding this information? This would allow us to build dashboards by user. Thanks for your help.
Hi, I saw the same question, but considering that Splunk allows various customisations, I still want to try to solve the issue I have. I have three values on the chart; I want two of them to be displayed as bars and the third one to be put in the back and displayed as an overlay area chart. For now, I was able to get the third value as a line. Is there any workaround for this?
We use Splunk Light 7.1.0. I deleted a user last week and did not recognize that there was a scheduled search of this user. In the attention message I was told today to view the orphaned searches. I can see the search, but I don't know how to reassign it, since I do not have a "Settings" button in Splunk Light. Any ideas? Kind regards, Daniel
Hi everybody, I need quick help with this: please make a corresponding proxy evaluation of which servers have accessed which URLs/hosts in the last week. Thanks a lot!!
Hello, we are upgrading EoL Windows Server 2008/R2 to Windows Server 2019. What is the lowest Universal Forwarder version supported on Windows Server 2019? Thank you, Pavel
Hello guys, good day!! Can anyone please help me with a question that I have. Can I use a macro in an event type in Splunk? I am trying, but it looks like there is some issue. A very small example: in my eventtype I have

[abcEventType]
search = index=`index`

and in the query behind my panel I have:

eventtype=abcEventType | stats count

I am on Splunk on-prem version 8.1.0.1. Thanks