All Topics
Hello Guys! Thank you in advance for your help.

My data: Events that contain a field named SEGT which may be empty or may contain a unique number that can be repeated, for example:

SEGT=[1,1," ", 2, " ", 4, 4587, 7856, " "]

What I am trying to do: Create a table with 2 columns, the first column named Empty which will count all the events with the field SEGT="" and the second column named RES with the distinct count of the values in the field SEGT that are not empty.

My Code:

| Search | stats count(eval(SEGT="")) As Empty | stats dc(eval(SEGT!="")) As RES | Table Empty RES

But I'm not getting the results that I want, and I would really appreciate it if you guys could help me out!
Good day, I have an app that I wish to translate using the UI internationalization method as mentioned here, https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/TranslateSplunk, in the official documentation.

However, after successfully extracting the message.pot file and creating the appropriate messages.mo and messages.po files using POEdit and placing them into the proper directory:

$SPLUNK_HOME/etc/apps/$app_name$/locale/de_DE/LC_MESSAGES/

I then restart my Splunk instance and swap my browser locale from "en-US" to "de-DE" and find that certain labels, titles and more are not translated at all. What is strange to me is that there are similar labels and titles that are translated, and in some cases the label in the dashboard itself is not translated, but it is translated in the nav bar at the top of the app (where search and such appear).

Everything in the .po files is translated and compiled to a .mo file, and the xml file and line numbers in the .po are also correct for the various texts and match the original .pot file. I simply want to know if there is something I am missing or a rule that I am overlooking in order to get a fully translated app using this localization method.
Hi all, I am completely new to Splunk so I apologize if this has been asked/answered. I did review the past discussions but could not find a solution to my question. I have incoming logs that look similar to this:

28 Feb 2021 13:53:23,815[MANDATORY][JAS]Initiating EnterpriseOne startup using configuration location (default_path) as 'C:\jde_home\SCFHA\targets\HTML_PD1_82\config'.

I would like to be able to search for the string "Initiating EnterpriseOne startup " and create a dashboard table showing the date, time and the substring HTML_PD1_82. The idea being, I would like to keep track of when each machine was restarted.

Can anyone help with the search pattern? Thanks in advance.

Bruce
Hi, I need an alert to be triggered for 5 continuous failures, and the result should have all the failure transaction IDs:

transaction = 1a  status = failure
transaction = 1b  status = failure
transaction = 1c  status = failure
transaction = 1d  status = failure

Using the autoregress command I am able to get an alert on continuous failure, but only the last transaction ID is visible. I need all the transaction IDs which had continuous failures to be visible in the result.
Good day, I would like to know how this type of alert can be solved in the security analyses in a particular app. Do you know something about the subject? We have a Linux Red Hat in-house server to maintain the service through a public IP.

Regards
My dataset is in a rather strange format. For a given 'event', I have numerous Splunk entries all linked by a 'session_id'. Within those sessions, there exist 2 fields I care about: name, request.

But these all exist independently on one of the numerous entries for a given session_id. For example, we could have 5 events for one session:

{session_id:15,  time: 1600, offset:1}
{session_id:15,  time: 1605,  name:bob}
{session_id:15,  time: 1607, type: sandwich}
{session_id:15,  time: 1608, type: drink}
{session_id:15,  time: 1610, offset: 2}

The first question is, for a given name - bob here - how do I do a search that would do the following: find all events with bob, count how many sandwich orders there were, count how many drink orders there were.

My attempt was to enumerate all session_ids for a given name, so for bob there could be session_ids of 5,7,10,15. Then for each session_id, do a subsearch specifying the session_id, and attempt to count the number of type:sandwich and type:drink fields there were. I couldn't work out how to get this to return to the main query in a good format.
Unable to instrument Informatica PowerCenter 10.4.1 using the Java agent. Has anyone tried it? I tried to put JVM arguments in setenv.bat / Catalina.bat / infaservice.bat but nowhere is it picking them up and hooking into the application. Suggestions are invited.
Hello all, I have the following list:

1 ais-notification-service-tm-nft-27-9gv6s 642 dk0332-e
2 ais-notification-service-tm-nft-2-snfhl 642 dk0332-e
3 ais-replay-notification-service-tm-nft-3-5n876 642 dk0332-e
4 ais-replay-notification-service-tm-nft-34-l4ks2 278 dk0332-e
5 ais-replay-notification-service-tm-nft-30-vnh9s 364 dk0332-e

I need to have the following output:

1 ais-notification-service-tm-nft 642 dk0332-e
2 ais-notification-service-tm-nft 642 dk0332-e
3 ais-replay-notification-service-tm-nft 642 dk0332-e
4 ais-replay-notification-service-tm-nft 278 dk0332-e
5 ais-replay-notification-service-tm-nft 364 dk0332-e

While I do know how to trim the last characters using the evaluation below:

<search string> | eval pod = substr(pod, 1, len(pod)-8)

it doesn't trim them the way I want (because some of the services are being displayed with one more char). How can I make this trimming dynamic, so it automatically trims the extra chars when they're found? Thanks!
I need to print a string array along with one field in my JSON object.

The data:

{ "key1":"val1", "key2":"value2", "codes":["apple","mango","banana","orange"], "key3_conditional":"yes"}

My search query:

<My search query> | rex "\|(?<payload>[^\|]*)$" | spath input=payload | rex "\"codes\":\"(?<codes>[^\"]*)" | eval is_unknown=if(isnotnull(key3_conditional), key3_conditional, "no") | table codes, is_unknown

This only displays the 1st value in codes and I need all values of codes comma separated.
Hello, I am trying to display a couple of dashboard panels only to a specific user. For that I am trying to get the username and set the token if it matches a certain value. But somehow if I use the condition tag it's not working and the "have_access" token is not getting set.

<row>
  <panel>
    <search>
      <query>| rest /services/authentication/current-context splunk_server=local | eval access=if(username="kkan","True","False") | where access = True</query>
      <preview>
        <condition match=" 'job.resultCount' != 0">
          <set token="have_access">True</set>
        </condition>
      </preview>
    </search>
  </panel>
</row>
<row>
  <panel depends="$have_access$">
  ..............

Anyone, @niketn please help.
Our earlier setup is: we are pulling the data from CloudWatch to Splunk. There we are getting throttling issues. To avoid throttling issues we are implementing the Kinesis Firehose implementation. For your reference, below is the new approach diagram.

We are trying to send CloudWatch logs to Kinesis Firehose, and from Kinesis Firehose to the Splunk system. Kinesis Firehose is able to send the data to Splunk but it was not indexing in Splunk. So far I have done this workaround.

Workaround and issues: we are unable to access the Splunk web GUI using the Amazon Web Services (AWS) Elastic Load Balancing (ELB) DNS name, example: http://ELB:PORT or https://ELB/en-US/account/login. I mapped the ELB DNS name to a domain name - still we are getting the same issue.

Details: Classic Load Balancer and Splunk Enterprise 7.2.0 version, free license & standalone. We are able to connect to port 8000 when trying with http://IP:8000. We were able to open the GUI using the ELB name on HTTP load balancer port 8000 & instance level port 8000. We are using an ACM certificate attached to the ELB. Health checks are passed and the instance is InService.

Health Check settings:
Ping protocol: HTTPS
Ping port: 8088
Ping path: HTTPS:8088/services/collector/health/1.0
Timeout: 5 seconds
Interval: 30 seconds
Unhealthy threshold: 2
Healthy threshold: 10

We deployed in a VPC and enabled network security group rules internally between the ELB and EC2 instances.

Below are the ELB configurations:

Health Check settings:
Ping protocol: HTTPS
Ping port: 8088
Ping path: HTTPS:8088/services/collector/health/1.0
Timeout: 5 seconds
Interval: 30 seconds
Unhealthy threshold: 2
Healthy threshold: 10

Listeners:
ELB - HTTP - 8000 - Instance protocol - HTTP - 8000 - We are able to access the UI
ELB - HTTP - 443 - Instance protocol - HTTP - 8000 - Not working

-> Also tested by enabling HTTPS in web.conf (enableSplunkWebSSL = true). Able to open the GUI on https://IP:PORT but not https://ELB:PORT.

As per previous Splunk Answers on the same issues, we did verify web.conf under /splunk_home/splunk/etc/system/default/web.conf for the TLS1.2 version cipherSuite. It exists in our Splunk web.conf default path.

Few more questions:
Which port do we need to give in the HEC endpoint: 8088, 8000 or 443?
In ELB listeners, what are the load balancer port & instance port?

Note: I am using a Splunk Enterprise free license.
Dear Team, we have manually deployed the kubernetes-logging manifest files in a PKS Kubernetes environment. We can see the plugin logs in Splunk but not the application container logs. Can you please help to identify the issue and what is missing here?
Hey Everybody,

We started to work with multiple summary indexes. We are filling them up with scheduled searches which end with the "collect" command, and this causes a lot of inconvenience. Now we are thinking that we would like to use an alert action for the send-to-the-summary-index step, like when we write out data to a lookup with the "Output results to lookup" alert action.

Do you know any plug-and-play solution / downloadable alert action that we can use to improve our Splunk infra?

Thank you in advance!
Hi, is there a possibility to create a chart by these two fields? If possible I would like to create a heatmap out of this chart.

| eval error= if(count>50, 1, 0) | chart sum(error) by cpwd_nr | chart sum(error) by host
Hi Support, is there a way to filter application log file events and keywords without loading the entire file to the Splunk indexer server? Please share with us if there is any supporting document.

Thanks & Regards,
Hari
82857322
Harihara.MOHANTHY@uobgroup.com
We are planning to install Splunk Enterprise on our client network. For the discovery phase we are installing Splunk on the staging instance. Once the discovery phase is over we would like to move the entire setup to production. Would it be possible to reuse the same Splunk license on the production instance? The staging Splunk setup will be terminated.
Hi there. I'm relatively new to searching in Splunk so I sometimes can't get my head wrapped around some Splunk concepts. Anyway, I'm trying to achieve something and I can't seem to be able to get it right.

Let's assume I have an index containing some login events into the system. It contains a username column, a timestamp (obviously) and an IP of a remote endpoint. What I need is to make a table containing the last n login entries for each user. So I'd love to have something like (assuming limiting to 3 latest entries):

login1 IP1 time1
login1 IP2 time2
login1 IP3 time3
login2 IP4 time4
login2 IP5 time5
... ... ...

I tried using "| stats list" but (apart from Splunk shouting at me for exceeding some list limits) it makes a multivalue field which I cannot further process (for example by geoip). Any attempt to combine sort and head ends up with limiting the data without taking into account distinct values of the login column. So that's not what I want. Time should indeed be monotonic and sorted but only within a single login. In the case above, there is no strict rule between times 1-3 and, let's say, 4-6. So simple sorting doesn't work. Foreach sounded nice but it seems it's for completely different use cases (it iterates over columns, not over values). Any other hints?
Hello, I have a query that contains some conditions and one of them is "AND NOT eventtype=...". The eventtype is not configured in our system so it is not supposed to return results.

My question is: if the condition is "AND NOT" but the eventtype is not configured, should the query return results or not?

Thanks
Hi, I have a timechart that shows the number of critical package losses per day. Additionally I calculate the average of critical package losses within the chosen timespan and show it as a straight line in the timechart. Now I would like to add a line that tells me how many different hosts were used on every single day (e.g. Monday 36, Tuesday 64, Wednesday 55, ...).

That's the code that calculates the number of critical package losses per day and the average within the chosen timespan:

| eval Amount= numberLostPackages | timechart span=24h count(Amount) as Count sum(Amount) as Total aligntime=@d | eventstats sum(Count) as TotalCount | addinfo | eval Duration=(info_max_time-info_min_time)/86400 | eval Average=TotalCount/Duration
Hi team, I want to fetch output like shown below. I want to fetch the amount of data consumed by a particular index (for eg. index="abc") on different dates. Could anyone help me out with this issue?

Index  Date        GB
abc    27-02-2021  10.09
       28-02-2021  11.54
       01-03-2021  09.00

Thanks