Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi everyone, I know no one knows for sure, but I'm just looking for any possible details anyone may have heard. I have been playing with the new dashboard beta but don't want to roll it out to all of our users until it's GA, so they don't have to redo any work. Has anyone heard when it will be coming out of beta?
Hi, I want to run a Python script which will generate an Excel file and then show the resulting file's content on a dashboard. Is it even possible/feasible? Any other workaround would also be appreciated. Much thanks!!
Hi, I didn't find anything about this while searching, so here's my question. I'm working on the "proving a negative" problem, adding appendpipe after a stats in order to display a result of 0 for each day for the period of time I need. I usually do this for a single row; however, I need to have multiple rows for multiple days as output for stats or, more importantly, timechart. I ran into a scenario I cannot explain and wanted to understand further. While testing I created this search:

| makeresults
| eval value=0, category="test", _time=strftime(now(), "%H")
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-1d@d") ]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-2d@d")]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-3d@d")]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-4d@d")]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-5d@d")]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-6d@d")]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-7d@d")]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-8d@d")]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-9d@d")]
| stats count by _time

This outputs 256 results for a single date/time, and the others follow with smaller amounts, but not counts of 1.

If I change it to this:

| makeresults
| eval value=0, category="test", _time=relative_time(now(), "-2d@d")
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-1d@d") | dedup value category _time]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-2d@d") | dedup value category _time]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-3d@d") | dedup value category _time]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-4d@d") | dedup value category _time]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-5d@d") | dedup value category _time]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-6d@d") | dedup value category _time]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-7d@d") | dedup value category _time]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-8d@d") | dedup value category _time]
| appendpipe [| eval value=0, category="test", _time=relative_time(now(), "-9d@d") | dedup value category _time]
| stats count by _time

Every row has a single count except for one, which makes sense given how this is written. I can move forward with this, but now I would like to know why this happens.
Hello Splunk community, I would like to set up a dashboard with information from the firewall. Specifically, I wish to see the connections coming from outside into my information system, broken down by country, using the WebGL Globe. Would you have an idea of how to do this? Regards, Quentin
Hello Splunk community, I would like to set up a dashboard with information from the firewall. Specifically, I wish to see the connections coming from outside into my information system, by country, using the WebGL Globe. Would you have an idea of how to proceed? Sincerely, Quentin
I want a missile map showing details from one location to another, with the title. Please help me. Below is my query:

index=graphsecurityalert
| eval LogonIP=mvindex('userStates{}.logonIp',0)
| iplocation LogonIP
| iplocation src_ip
| stats dc(title) by Country
| geom geo_countries featureIdField="Country"
| table Country title latitude longitude

@soutamo @saravanan90 @thambisetty @ITWhisperer @gcusello @bowesmana @to4kawa
Hi, I would like to display my table as a timechart/chart graph instead. Attached below is a screenshot of the table produced by my search query. I would like to convert this into a timechart/chart graph where memFreePct and memUsedPct are shown per time for each host, A to E. Thanks
Currently I am using the query below to get the events common to tc and email:

| inputlookup tc
| search type=emailaddress
| rename indicator as SenderAddress
| dedup SenderAddress
| table SenderAddress
| union [ search sourcetype = "email" | dedup SenderAddress | table SenderAddress ]
| stats count by SenderAddress
| where count > 1
| table SenderAddress

But since my search is heavy, I am getting the following status in the job:

No results found. Try expanding the time range. No matching fields exist. [subsearch]: The search auto-finalized after it reached its time limit: 30 seconds.

Hence, after googling, I was directed to use the lookup command, and I tried the following query, but it is not working:

sourcetype = "email"
| rename SenderAddress as indicator
| dedup indicator
| lookup tci indicator
| stats count by indicator

Please suggest.
Hi Splunkers, I have a search like this:

index=pkg_prespvm host IN (*)
| dedup _raw
| transaction host startswith="[Information] STEP = RequestDa" endswith="[Information] -- START TRANSACTION --"
| search "Get Da Transaction NOK --> Payment:OK"

And I want to display the 2 log events before the matched one and the 2 log events after it. Thank you
Hi, so I have an issue with my Splunk Enterprise deployment. I have three instances in my architecture: a Search Head, an Indexer and another Search Head dedicated to Splunk Enterprise Security. The issue is that the Splunk service (splunkd) is going down suddenly. There is no error in the deployments. If someone has any explanation or suggestion, I'm open to hearing it.
We have the table below in a dashboard; the cells are highlighted by color using JavaScript. For each cell we wrote a separate JavaScript file, like:

<dashboard script="Running.js,Ready.js,Stop.js,Pause.js,Emergency.js,CF.js" stylesheet="New.css">

What we expect is that the color of each cell should be the same when the Match field value is "Good"; if the Match field value is "Bad", we need to highlight the whole row.

// Sample JavaScript code:
require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc, TableView) {
    // Row coloring example with custom, client-side range interpretation
    var CustomRangeRenderer = TableView.BaseCellRenderer.extend({
        canRender: function(cell) {
            // Enable this custom cell renderer only for the CF field
            return _(['CF']).contains(cell.field);
        },
        render: function($td, cell) {
            // Add a class to the cell based on the returned value
            var value = parseFloat(cell.value);
            // Apply the interpretation for the CF value
            if (cell.field === 'CF') {
                if (value > 0) {
                    $td.addClass('range-cell').addClass('range-CF');
                } else {
                    $td.addClass('range-cell').addClass('range-White');
                }
            }
            // Update the cell content
            $td.text(value.toFixed()).addClass('numeric');
        }
    });
    // Attach the renderer to the table with id="highlight"
    mvc.Components.get('highlight').getVisualization(function(tableView) {
        tableView.addCellRenderer(new CustomRangeRenderer());
    });
});

// Sample CSS code
/* Cell Highlighting */
/* #highlight td { background-color: #c1ffc3 !important; } */
#highlight td.range-stop { background-color: #FF1B09 !important; }
#highlight td.range-Emergency { background-color: #CB1708 !important; }
#highlight td.range-Pause { background-color: #f7bc38 !important; }
#highlight td.range-Run { background-color: #65a637 !important; }
#highlight td.range-Ready { background-color: #A2CC3E !important; }
#highlight td.range-CF { background-color: #6DB7C6 !important; }
#highlight td.range-MS { background-color: #000000 !important; }
#highlight td.range-White { background-color: #ffffff !important; }
#highlight td.range-severe { background-color: #3358FF !important; font-weight: bold; }

How can we do that? Can you please help us?
Hi, I have a Splunk search that monitors how many different hosts there were in the chosen timespan:

| stats dc(host) as hostcount

Now I would like to generate a pie chart that compares successful hosts with unsuccessful ones. For this I have a field "errors". All hosts with errors > 50 should be counted as unsuccessful; the others should be counted as successful. The pie chart should show the successful/unsuccessful ratio.
Hello, I think it's not that difficult, but I don't know how to do it. The result is in milliseconds. Is there an easy way to convert these milliseconds into seconds? Best regards
I'm facing an issue with the Event Hub input of the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110/). If I try to checkpoint with an Azure blob, I keep getting the following error:

Exception is HttpResponseError('The requested URI does not represent any resource on the server.\nRequestId:582d5748-401e-0016-0342-0f41ae000000\nTime:2021-03-02T09:03:59.5903595Z\nErrorCode:InvalidUri\nError:None')

Blob checkpoint URL input format:

blob_checkpoint_url = https://storagename.blob.core.windows.net/eventhub
Hi, below is the timechart for my search that displays the CPU utilization of my forwarders and indexer. Using the host dropdown box, I would like to search for an individual host at a time to display its memFreePct and memUsedPct over a specific period of time (using the Time dropdown box). The search query is as follows:

source="vmstat"
| dedup host
| eval host=upper(host)
| eval FreeGBs=FreeMBytes/1024, TotalGBs=TotalMBytes/1024, UsedGBs=UsedMBytes/1024
| table host memFreePct memUsedPct

Is there a way I can edit this search query to get a timechart graph for only one host at a time using the dropdown box? The search query in the Host dropdown box is as follows:

sourcetype=vmstat
| dedup host
| table host

Thanks in advance for the help. Regards
Hi, I have the Splunk Add-on for Unix and Linux installed on my 3 hosts sending data to an Indexer. I have created a dashboard of the CPU utilization of each host using the vmstat command. However, I would like to create an alert that sends an alert message every time any of those three forwarders exceeds 80% CPU utilization. The query for CPU utilization is as follows:

index=os sourcetype=df
| dedup host
| multikv
| table host Filesystem Size Used Avail UsePct

Is there any way I can achieve this? If so, I'd like to know how to edit my search above to cater to my needs. Thanks in advance to anyone willing to help. Regards
Hi dear Splunkers, I have a log like this:

2021-02-11 14:47:51.167 [Error] ** Dummy User with dummyNumb:1111 Plate:AAAAA Country:Dummy paid dummy on DunnoOrder:2222222, but Dum sz: erere:45454545 not dispensed for Carouserl_Error !!!

And I would like to display everything after [Error] **. I tried it like this, but I got an error:

| rex "\[Error\]\s**\s(?<message>)"

Please help. Thank you
I have a requirement to monitor the exceptions below and send an alert by mail with the few fields mentioned below. Since I'm not able to achieve this, I have created 4 individual alerts and monitor them that way. But that isn't right; I wish to capture all of these within the same alert. Below are sample logs.

TYPE 1: INVALID USERNAME/PASSWORD

2021-03-01 03:36:02,233 [user:*myemail@temp.com] [pipeline:my-pipeline-name (SCH Test Run)/testRun__1234__temp.com__myemail@temp.com] [runner:] [thread:ProductionPipelineRunnable-testRun__1234__temp.com__myemail@temp.com-my-pipeline-name (SCH Test Run)] [stage:] ERROR HikariPool - HikariPool-7333 - Exception during pool initialization. java.sql.SQLException: ORA-01017: invalid username/password; logon denied

TYPE 2: INVALID SERVICE

2021-03-01 04:18:26,910 [user:*myemail@temp.com] [pipeline:my-pipeline-name (SCH Test Run)/testRun__1234__temp.com__myemail@temp.com] [runner:] [thread:ProductionPipelineRunnable-testRun__1234__temp.com__myemail@temp.com-my-pipeline-name (SCH Test Run)] [stage:] ERROR ProductionPipelineRunnable - An exception occurred while running the pipeline, com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: Listener refused the connection with the following error: ORA-12514, TNS:listener does not currently know of service requested in connect descriptor

TYPE 3: INVALID PORT

2021-03-01 04:43:12,985 [user:*myemail@temp.com] [pipeline:my-pipeline-name (SCH Test Run)/testRun__1234__temp.com__myemail@temp.com] [runner:] [thread:ProductionPipelineRunnable-testRun__1234__temp.com__myemail@temp.com-my-pipeline-name (SCH Test Run)] [stage:] ERROR ProductionPipelineRunnable - An exception occurred while running the pipeline, com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: IO Error: The Network Adapter could not establish the connection com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: IO Error: The Network Adapter could not establish the connection

TYPE 4: INVALID HOST

2021-03-01 05:02:13,113 [user:*myemail@temp.com] [pipeline:my-pipeline-name (SCH Test Run)/testRun__1234__temp.com__myemail@temp.com] [runner:] [thread:ProductionPipelineRunnable-testRun__1234__temp.com__myemail@temp.com-my-pipelin-name (SCH Test Run)] [stage:] ERROR ProductionPipelineRunnable - An exception occurred while running the pipeline, com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: IO Error: Unknown host specified com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: IO Error: Unknown host specified

Below are the fields to capture:

pipeline - which is: my-pipeline-name

Exception - which are:
1. invalid username/password; logon denied
2. TNS:listener does not currently know of service requested in connect descriptor
3. The Network Adapter could not establish the connection
4. Unknown host specified

Please help in achieving this.
Hi everyone, is there any way to forward Splunk user activity data (audit data) to an external QRadar server? We have found the reference link below but unfortunately are not able to implement it, because we don't have enough documentation for the steps: https://exchange.xforce.ibmcloud.com/hub/extension/f02b54de6c7cd4a5c66676592c36151b Please help me with this.
Hi all, I need your help urgently. I am facing an issue with one of the forwarders, as it keeps taking up lots of space in the /opt directory, due to which it sometimes stops running. Upon checking further I noticed that this directory is taking the most space:

/opt/splunk/var/lib/splunk/fishbucket/splunk_private_db

On further investigation I came to know that if I make changes in the limits.conf file I can limit the size of this directory. But unfortunately I cannot find this limits.conf file under /opt/splunk/etc/system/local. Please suggest what I can do about it. Any replies to this will be highly appreciated. Also, please correct me if I am using a wrong approach here. Thanks in advance. Prateek