Hello all, I am trying to extract the data from the field evtComponent from the below event. This field comes in with multiple types of data, as below.

1) ZENOSS-MIB::evtComponent = STRING: "HostSystem_host-1240" ZENOSS-MIB::evtClass = STRING: "/Status/Ping"
2) ZENOSS-MIB::evtComponent = STRING: "\"London\"" ZENOSS-MIB::evtClass = STRING:

The highlighted fields need to be extracted; however, when I use the below extraction it only gives the correct extraction on example 1 and fails to just extract the field from example 2. Can you please suggest? Below is the extraction that I am using.

ZENOSS-MIB::evtComponent = STRING: \"(?<component>.*)\"\s+ZENOSS-MIB::evtClass\s

Thank you.
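The following is an added example, not code from the post or from the Zenoss or Splunk projects: it runs the poster's regex and a revised one over two constructed events shaped like the two samples above, so the difference in what each captures can be checked before the pattern is put into a Splunk field extraction. The revised pattern is an assumption about the wanted output (the inner text without the escaped quotes); the sample events, the function names and the translation of the named group into Python's (?P<name>...) syntax are likewise mine.

```python
import re

# Constructed sample events modelled on the two shapes quoted in the post.
EVENTS = [
    'ZENOSS-MIB::evtComponent = STRING: "HostSystem_host-1240" '
    'ZENOSS-MIB::evtClass = STRING: "/Status/Ping"',
    'ZENOSS-MIB::evtComponent = STRING: "\\"London\\"" '
    'ZENOSS-MIB::evtClass = STRING: ',
]

# The regex from the post in Python syntax: Python names groups with
# (?P<name>...), where Splunk's PCRE uses (?<name>...).  The greedy .*
# captures everything between the first quote and the last quote that is
# followed by the evtClass OID, so the escaped quotes stay in the value.
ORIGINAL = re.compile(
    r'ZENOSS-MIB::evtComponent = STRING: "(?P<component>.*)"'
    r'\s+ZENOSS-MIB::evtClass\s'
)

# Revised pattern (assumed to be the wanted behaviour): allow an optional
# escaped quote on either side of the value and capture only the inner text.
# Caveat: the negated class [^"\\] stops at any embedded quote or backslash,
# so a component value that legitimately contains one would be truncated.
REVISED = re.compile(
    r'ZENOSS-MIB::evtComponent = STRING: "(?:\\")?(?P<component>[^"\\]*)(?:\\")?"'
    r'\s+ZENOSS-MIB::evtClass\s'
)


def extract(pattern, event):
    """Return the named 'component' group, or None when the pattern misses."""
    m = pattern.search(event)
    return m.group("component") if m else None


def compare(events=EVENTS):
    """Return (original_capture, revised_capture) for each event."""
    return [(extract(ORIGINAL, e), extract(REVISED, e)) for e in events]


if __name__ == "__main__":
    for event, (old, new) in zip(EVENTS, compare()):
        print(f"{old!r:30} -> {new!r}")
```

Run stand-alone it prints one line per event; on the second event the original pattern yields the value with its escaped quotes (\"London\") while the revised one yields London.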
Hi team, I've signed up for a Splunk Enterprise trial to check out the features. I've installed the Fortigate add-on. I've built custom visualizations, e.g. number of sessions against srcip, number of bytes in against srcip, data usage against fw policy id.

`fgt_traffic` | timechart count by srcip

`fgt_traffic` | eval bytes = (bytes/(1024*1024)) | timechart sum(bytes) by srcip

(index=* OR index=_*) (eventtype=ftnt_fgt_traffic)
| eval sum(bytes) = bytes
| eval bytes = bytes/(1024*1024*1024)
| rename bytes AS RootObject.bytes policyid AS RootObject.policyid
| fields "_time" "host" "source" "sourcetype" "RootObject.bytes" "RootObject.policyid"
| stats dedup_splitvals=t sum(RootObject.bytes) AS "Sum of bytes" by RootObject.policyid
| sort limit=0 RootObject.policyid
| fields - _span
| rename RootObject.policyid AS "Policy ID"
| fields "Policy ID", "Sum of bytes"

What I want to do is to name these so I don't have to refer back to the documentation all the time. Can someone advise me on how to do this? I am on Splunk Enterprise Version: 8.1.2, Build: 545206cc9f70, Products: hadoop. Thank you! - Shenath
Hello all! For the life of me, I can't figure this out, by eval commands in the SPL or in event handlers. Included is a base test dashboard I have been working on. Ultimately, I want the output of multiple result.fieldname values to be delimited by a new line rather than a comma in an HTML field. That would also not remove any commas that could be included in the result.

Current result:
value1,value1,value1
value2,value2,value2
value3,value3,value3

Desired result:
value1
value1
value1
value2
value2
value2
value3
value3
value3

Test dashboard:

<dashboard>
  <label>Dashboard token test</label>
  <row>
    <panel>
      <table>
        <search>
          <done>
            <set token="output.field1">$result.field1$</set>
            <set token="output.field2">$result.field2$</set>
            <set token="output.field3">$result.field3$</set>
          </done>
          <query>index=* sourcetype=* | head 40 | stats values(field1) as field1 values(field2) as field2 values(field3) as field3</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <html>
        <pre>
$output.field1$
$output.field2$
$output.field3$
        </pre>
      </html>
    </panel>
  </row>
</dashboard>

Thank you!
Hello, we are logging various info at job level. The Message field carries all the info. I would like to get the count of each message occurrence using multiple where clauses.

Message:
The job is successful for the user A
System exception: failed job B
System exception: failed job A
Policy issued for the user A
Policy issued for the user B
Doc cleared for user D
The job is successful for the user B
Doc cleared for user A
Doc cleared for user B
Doc cleared for user C

I need counts of each occurrence and the total count:
Policy Issued Count: 2
System exception Count: 2
Doc Clear Count: 4
Successful Count: 2
Total Count: 10

Any help would be much appreciated. Thanks.
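As an added example (not from the post and not a community answer), the classification logic behind those counts, run over the ten constructed messages listed above: each category is an anchored regular expression, a message that matches more than one category is reported rather than silently double-counted, and the total is the number of messages rather than the sum of the categories, so unmatched messages show up as a reconciliation gap instead of disappearing. The category names mirror the post; the patterns, the Unmatched bucket and the function names are assumptions of mine.

```python
import re
from collections import Counter

# Constructed messages, copied from the shapes listed in the post.
MESSAGES = [
    "The job is successful for the user A",
    "System exception: failed job B",
    "System exception: failed job A",
    "Policy issued for the user A",
    "Policy issued for the user B",
    "Doc cleared for user D",
    "The job is successful for the user B",
    "Doc cleared for user A",
    "Doc cleared for user B",
    "Doc cleared for user C",
]

# Category name -> anchored pattern.  Anchoring at the start of the message
# keeps a category from firing on a substring that appears later in an
# unrelated message (for example a failure text that mentions "successful").
CATEGORIES = {
    "Policy Issued Count": re.compile(r"^Policy issued for the user \S+$"),
    "System exception Count": re.compile(r"^System exception: "),
    "Doc Clear Count": re.compile(r"^Doc cleared for user \S+$"),
    "Successful Count": re.compile(r"^The job is successful for the user \S+$"),
}


def classify(message):
    """Return the single category a message belongs to, or 'Unmatched'.

    Raises if two categories both match, which would otherwise inflate the
    per-category counts relative to the total.
    """
    hits = [name for name, rx in CATEGORIES.items() if rx.search(message)]
    if len(hits) > 1:
        raise ValueError(f"ambiguous message {message!r}: {hits}")
    return hits[0] if hits else "Unmatched"


def count_messages(messages=MESSAGES):
    """Return per-category counts plus Unmatched and Total Count."""
    counts = Counter(classify(m) for m in messages)
    result = {name: counts.get(name, 0) for name in CATEGORIES}
    result["Unmatched"] = counts.get("Unmatched", 0)
    # Total Count is the number of messages seen, not the sum of the
    # categories, so a non-zero Unmatched bucket is visible as a gap.
    result["Total Count"] = len(messages)
    return result


if __name__ == "__main__":
    for name, value in count_messages().items():
        print(f"{name}: {value}")
```

The same idea carries over to a search: one boolean per category, a count of each, and a separate overall count that is not derived from the per-category figures.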
Hi Team, we have provided access to all the users in our environment via SAML authentication (using Microsoft Azure) in Splunk. One of the users, who has user-level access for a particular index, wants to use the REST API. That is, the user has created alerts in Splunk for their requirement, and every weekend they have a scheduled maintenance, so he wants to disable and re-enable the alert via a Postman script without logging into the Splunk console, but it is not working, it seems. So how can we achieve this? Moreover, our Splunk is hosted in Cloud and managed by Splunk Support. Can anyone kindly help with the query?
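As an added illustration (not from the post, not a Splunk Support answer, and not a diagnosis of why the Postman script fails), the two REST calls such a maintenance script would make, built with the Python standard library. It assumes the saved-search enable/disable endpoints under /servicesNS/<owner>/<app>/saved/searches/<name>/, an authentication token presented as an Authorization: Bearer header instead of the user's SAML credentials, and placeholder host, owner, app and alert names that are mine, not values from the environment described. Whether a given Splunk Cloud stack allows REST access from the script's network is outside what the post states and has to be confirmed separately.

```python
from urllib.parse import quote
from urllib.request import Request, urlopen

# Assumed placeholders, not taken from the post. 8089 is Splunk's default
# management port.
SPLUNK_HOST = "splunk.example.com"
SPLUNK_PORT = 8089


def saved_search_url(owner, app, name, action):
    """Build the URL for enabling or disabling one saved search (alert).

    Assumption: the endpoint is
    /servicesNS/<owner>/<app>/saved/searches/<name>/<action>.  Each path
    segment is percent-encoded (safe='') because alert names routinely
    contain spaces and slashes, and an unencoded name changes the path.
    """
    if action not in ("enable", "disable"):
        raise ValueError("action must be 'enable' or 'disable'")
    return (
        f"https://{SPLUNK_HOST}:{SPLUNK_PORT}/servicesNS/"
        f"{quote(owner, safe='')}/{quote(app, safe='')}/saved/searches/"
        f"{quote(name, safe='')}/{action}"
    )


def build_request(token, owner, app, name, action):
    """Return an un-sent POST carrying an Authorization: Bearer header.

    The token stands in for the SAML login; it is issued to the same user,
    so the call runs with that user's (and only that user's) permissions.
    """
    if not token or token != token.strip():
        raise ValueError("token is missing or has surrounding whitespace")
    return Request(
        saved_search_url(owner, app, name, action),
        data=b"",  # empty POST body; the action is carried in the path
        headers={"Authorization": f"Bearer {token}"},
        method="POST",
    )


def send(req):
    """Send the request over TLS with certificate verification (urlopen's
    default) and return the HTTP status.  Not exercised offline."""
    with urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Example flow for a maintenance window; the token would come from the
    # environment or a secrets store, never from the script itself.
    req = build_request("<token>", "alertowner", "search", "Weekend Alert", "disable")
    print(req.get_method(), req.full_url)
```

Two checks a practitioner would add around this: keep the token out of the script and out of Postman collections that get shared, and send the matching enable call from the same job so a failed re-enable is noticed rather than leaving the alert silently off.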
Hi Team, is there any way to find out which sourcetypes are reporting in Splunk, for both the internal and the non-internal indexes, for the last 30 days? If we have any query to pull out that information it would be really helpful.
Hi Team, in our environment I can see a few of the sourcetypes are coming with *small* in the name, from both the internal as well as the non-internal indexes. Hence these logs are not required for us, so I want to disable them before ingestion time itself by placing the props and transforms at the indexer level. So any sourcetype that has the keyword "small", for example too_small, os_tab_small or any other type, should not be ingested into Splunk. Kindly provide the props and transforms for the same.
Hello, whenever I sign in to the Splunk account I receive the following warning from Norton. What should I do? Norton keeps blocking the attack every second while I am logged in to Splunk. I have free Splunk for learning purposes.
Hi, I have two scheduled searches that aren't running anymore and I've no idea why. The cron is correct, and when running the search there are results, but I'm not receiving any alerts. Checking the next scheduled time today I noticed that the next scheduled search was dated several days in the past. I've tried adjusting the cron schedule, but that didn't work. I've also tried disabling and re-enabling the search, but it hasn't resolved it either. It is Splunk Cloud.
Hi, I have created a script that authenticates via a QSDK token and I am receiving the following message:

Exception performing request: Unsupported token type: QSDK

Is there a workaround that I could implement to get this working? Thanks.
Hi, we get the error "500 Internal Server Error" on many pages of the ES Splunk server (Windows). I tried to change this in web.conf:

[settings]
mgmtHostPort = XX.XX.XX.XXX:8089

I spoke with Splunk Support; they suggested removing unnecessary apps and reducing the acceleration time for the DM. It still didn't help. Any idea what the issue is? Please assist.

Thanks, Hen
Hello everyone, I have a lookup table which has multiple fields; one of the fields is the IP address of an asset. Additionally, I have an index which contains a list of IPs that I extract with a certain query. I want to compare the two lists of IPs and then create a new column in my lookup table with a 0 or 1 value, indicating whether there is a match between the IPs. Any idea how to do that? Thanks.
How to have a split? I tried many ways but it's coming out like this.

Output:
A          B  C
288136957  1  66871812
288137548  1  62919303
288137548  2  69101805
288137548  3  84124302
488136313  1  66871812
488136313  2  65252707
488136313  3  65602005
488136313  4  69101805

Thanks for the help.
Hi everyone, I have a version 8.1 Splunk deployment. Everything on the Splunk App for Azure works except for the billing. I am linking the subscriptions in Azure to my API. Is there anything special or tricky with this versus the other API hook-ups? Thank you.
Hi All, I am new to MLTK. I want to use machine learning to predict bank holidays for the Europe region. I have the past 10 years of data with me to train the machine to predict holidays for upcoming years. But with holidays, not all holidays are on the same date each year. For example, Christmas is on 25 Dec every year, but Good Friday and Black Friday are not constant in terms of dates. How can I achieve this, so as to not notify users for all alerts and dashboards? The lookup just consists of holidays and their corresponding dates.
Hi All, I am planning to upgrade Splunk Enterprise from version 7.3.3 to the latest available version on Linux servers. Basically, it's a distributed environment with a multi-site Splunk indexer cluster, a search head cluster with a cluster master, a deployment server, and a deployer. Someone, please show me the exact path for this upgrade procedure. Please reply on the following.

1. How to upgrade the multi-site indexer cluster?
2. How to upgrade the search head cluster and cluster master?
3. How to upgrade the deployment server?
4. How to upgrade the deployer?
5. What are the backup procedures and measures to be taken while upgrading?
6. What are the best practices to be followed while upgrading?
7. What is the order of upgrade?
8. What are the common issues faced while upgrading the license master, indexers, search heads and the rest?

Grab some energy and please help me in answering these questions. Thanks in advance.
Hi All, I have two saved searches: report1, which is shared in the app, and report3, which is private. The owner of both saved searches is admin. As I see in scheduler.log, the savedsearch_id for report1 is "nobody;search;report_1" and the savedsearch_id for report3 is "admin;search;report_3". My questions are:

1. If I share the saved search in the app, the owner is still admin but the saved search id is changed to "nobody;...". Does it mean the search is running as nobody when I share the search in the app?
2. When I look at these saved searches' activity on DMC -> Search -> Scheduler Activity: Instance, it does not show the cron schedule info for report_1. It leads to misinformation for search concurrency on DMC -> Search -> Search Activity: Instance. DMC does not recognize report_1 as a scheduled search, which leads to the misinformation below: 1/4 should be 2/4.

Could you please explain why this happens? I think DMC has to recognize two scheduled searches. It seems that if the saved search is shared, DMC doesn't track the search. Am I correct? Is it normal behavior? I would appreciate it if you could give me any thoughts about it. Thanks.
Hi Team, I am new to this application. I have downloaded the Splunk trial version and installed it on Windows 10. After installing, the login page comes up on the web page. However, I am unable to use it now. Please guide me on how to configure it, and how to monitor and observe in the application.

Thanks & Regards, AI-IT
Hi, I have a requirement to create a dashboard to represent total events. I have created a panel in the dashboard which refreshes every 5 minutes. I need to add the new results to the existing count and show it on screen. I tried using streamstats, and the dashboard seems to freeze when it tries to refresh. Any help or advice is of great help. Thanks, Sandeep