I have a very basic dashboard that requires my users to put in text inputs. These inputs are then output to a CSV file that can be referenced. The basics of it are:

```xml
<input type="text" token="user">
  <label>user</label>
</input>
<input type="text" token="hostname">
  <label>Host Name</label>
</input>
<input type="text" token="switch">
  <label>Switchingcommand</label>
</input>
```

I have my form being submitted via a submit button at the top of the form that takes this information and outputs it to a CSV file with an append:

```xml
<search>
  <query>| makeresults | eval user="$user$" | eval hostname="$hostname$" | eval switch="$switch$" | outputlookup tracking.csv append=true</query>
</search>
```

The above works within the dashboard provided that there are no special characters. Due to the nature of the value for "switch" above, it can contain a long string with various escape characters. For example, a string entered could contain almost any special characters (it could contain "regex" or "#" or "=" or "$" or "[word]" etc.).

I have tried modifying my search query as follows (adding in |s$ after the eval for switch):

```xml
<search>
  <query>| makeresults | eval user="$user$" | eval hostname="$hostname$" | eval switch="$switch$"|s$ | outputlookup tracking.csv append=true</query>
</search>
```

However, this doesn't appear to work and the input silently fails. Have I used |s$ in the correct place, or is this not possible?
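An added example, not code from the post above, that shows why pasting a token verbatim into `eval switch="$switch$"` breaks on quotes and what the `|s` token filter changes. The filter is applied inside the token, as `$switch|s$` (the documented form), so the example emulates that: wrap the value in double quotes and backslash-escape embedded double quotes and backslashes, which is the documented behaviour of `|s` as I understand it. The tiny "literal checker" below is a stand-in of my own, not Splunk's parser; it only answers whether the right-hand side of the eval is still exactly one well-formed string literal. The sample values are constructed.

```python
import re

def quote_token_s(value: str) -> str:
    """Emulate Splunk's `$token|s$` filter: wrap in double quotes and
    backslash-escape any backslash or double quote inside the value."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_eval_unsafe(field: str, raw: str) -> str:
    """Mirror `| eval switch="$switch$"`: the raw value is pasted between
    quotes the dashboard author typed, so a quote in the value ends the
    literal early and the rest becomes live SPL."""
    return f'| eval {field}="{raw}"'

def build_eval_safe(field: str, raw: str) -> str:
    """Mirror `| eval switch=$switch|s$`: the filter supplies the quotes
    and the escaping, so the value cannot terminate the literal."""
    return f'| eval {field}={quote_token_s(raw)}'

# One double-quoted SPL string literal: any char except " or \, or an
# escaped pair \x.
_STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')

def eval_string_literal(spl: str):
    """Return the decoded value if the eval's right-hand side is exactly one
    well-formed string literal; None if the value broke out of the literal
    (the case that makes the poster's search fail or do something else)."""
    m = re.fullmatch(r'\| eval \w+=(.*)', spl)
    if not m:
        return None
    rhs = m.group(1)
    lit = _STRING_LITERAL.fullmatch(rhs)
    if not lit:
        return None
    body = lit.group(0)[1:-1]
    return re.sub(r'\\(.)', r'\1', body)  # undo the escaping

if __name__ == "__main__":
    # Constructed inputs: a "switch" value full of the characters from the
    # post, and a value that would splice a second command into the search.
    for value in ['regex "foo" [word] $x$ = #',
                  'x" | outputlookup other.csv | eval y="']:
        print("unsafe:", build_eval_unsafe("switch", value),
              "->", eval_string_literal(build_eval_unsafe("switch", value)))
        print("safe:  ", build_eval_safe("switch", value),
              "->", eval_string_literal(build_eval_safe("switch", value)))
```

The second constructed value is the practitioner's reason to care: with the unsafe form, a user typing a double quote into a free-text input is editing the search that runs with the dashboard owner's permissions, not just the lookup row. With the quoted form the value round-trips unchanged.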
We are trying to get data from NewRelic to Splunk via the NewRelic add-on. We installed the NewRelic add-on and configured the proxy and inputs. The problem is we are not getting any data into Splunk from NewRelic, so we need to analyze what the error could be and need to find the log information. Where could I find the NewRelic add-on logs?
The default/props.conf for v2.0.2 of the add-on contains two issues, both of which are generating WARNING messages in splunkd.log.

Issue #1

```
[mysql:errorLog:mysqld_safe]
EXTRACT-queries_in_queue = (?<queries_in_queue>[\.\d]+) queries \in queue
```

I believe that the slash before the "in" was an attempt to stop the "in queue" being treated as the 'regex in field' format of an EXTRACT. I believe that the line should read:

```
EXTRACT-queries_in_queue = (?<queries_in_queue>[\.\d]+) queries\sin\squeue
```

Issue #2

```
[mysql:processInfo]
FIELDALIAS-cim_builder = thd_id AS process user AS user
```

Splunk was generating the following warning:

```
WARN  FieldAliaser - Invalid field alias specification in stanza 'mysql:processInfo': FIELDALIAS-cim_builder='thd_id AS process user AS user'
```

I believe it's because of the redundant 'host AS host', and removing it in a local/props.conf appears to have confirmed this.
I have a dropdown that has three options. Depending on the option the search of a panel needs to change. So if the dropdown selected was A, I need the panel to use search A. Is this possible or should I just build three of the same panels with a depends clause on that dropdown token?
Hello, can I disable the script input setting with the CLI? I'm waiting for your answer.
Hi Everyone, I have one panel which consists of a saved search. The query is below:

```
|savedsearch "splunk_data_last_24_hours"
```

```xml
<panel>
  <single>
    <search>
      <query>|savedsearch "splunk_data_last_24_hours"</query>
      <earliest>$earliest$</earliest>
      <latest>$latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">none</option>
    <option name="drilldown">none</option>
    <option name="numberPrecision">0.00</option>
    <option name="rangeColors">["0x53a051","0x53a051"]</option>
    <option name="rangeValues">[0.175]</option>
    <option name="refresh.display">progressbar</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="underLabel">Splunk Data - Last 24 hours</option>
    <option name="unit">GB</option>
    <option name="unitPosition">after</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">0</option>
  </single>
</panel>
```

How can I add a trend here? Can anyone guide me on this. Thanks in advance.
We have around 400+ alerts configured in Splunk. Is there an easy way to add the alert action "Add to Triggered Alerts"?
I have two fields that are numerical fields. When I try a search that says:

```
index="test" AND field1 > field2
```

I get no results when I know that shouldn't be the case. Any help would be greatly appreciated. Thanks, -JustAnotherStudent
I managed to hide the default banner which had the splunk logo and the settings option. Now I want to make a new banner with a picture and the app name. I know I have to do this in the dashboard.css file but my attempts have failed so far. 
I've seen a lot of documents and posts on compatibility between indexers (Idx) and forwarders, but nothing specific on universal forwarders (U-F) to heavy forwarders (H-F). This is our current architecture with Splunk Enterprise versions:

```
U-F (6.5)  -->  H-F (7.3)  -->  Idx (7.3)
```

I need to upgrade to 8.1. Given that indexers can be a higher version than the forwarders, can I update the Idx and the H-F before the U-Fs are all upgraded? Or will the 6.5 vs 8.1 incompatibility affect U-Fs to H-Fs? If it will, and I need to leave the H-F at 7.3 until the U-Fs are upgraded, can I have the U-Fs upgraded to 8.1, or will that not work because the U-F would be a higher version than the H-F? The other option is to upgrade all of the U-Fs to 7.3, then upgrade them again after the Idx and H-F are upgraded, but I'm trying to avoid having the U-F upgrade done twice. I also do not have a test or sandbox environment to do any kind of playing around on, so just trying it to see what happens isn't a good option.
Hey all, I need to have the default time range for a dashboard cover an overnight shift. This necessitates the time range changing depending upon when the page is loaded:

| Time user loads page | Time range | Description |
|---|---|---|
| 00:00 - 17:59 | @d-1d+18h to @d+6 | 18:00 yesterday to 06:00 today |
| 18:00 - 23:59 | @d+18h to @d+1d+6h | 18:00 today to 06:00 tomorrow |

After a few hours of searching the forums I haven't seen another example where this is done, and I can't for the life of me figure out how to do it. Any help or just a nudge in the right direction would be appreciated!

Thanks,
Hi, I have a table like this:

| Tag | Value |
|---|---|
| aa | 15.5 |
| bb | 20 |
| cc | 23 |

I want to chart the value "dd = aa + bb". Seems simple enough, but I haven't been able to find a solution through "sum" or "addtotals". I tried the below also, but no luck.

```
my_search_query | eval dd = aa + bb | chart latest(dd)
```

Your help is appreciated. Thanks in advance!
Hi, I am totally puzzled. I have two (unrelated) Splunk installations with the SAME index and event structure (... everything).

- One platform (installed on a private Linux host) returns perfectly coherent Search Stat "counts".
- The other platform (on an AWS EC2) returns WRONG counts (like x2, x4 depending on the grouping criteria).

SCENARIO:

- I send 3 JSON events. Each event has one "correlationId" top-level JSON field with the same value. So filtering on that correlationId = xxx does return 3 perfectly coherent events (on both platforms). See "base-search-local-OK.jpg", "base-search-aws-OK.jpg" attachments.
- Then I run a Search "Stat" with a count grouped by correlationId. The result on the AWS platform is very WRONG by a factor of 4 (it returns 12 instead of 3!!!). See stat-search-local-OK.jpg, stat-search-aws-WRONG.jpg.

While I am not an expert at Splunk, I have investigated for hours without understanding the root cause. I am a more advanced ELK user, but never experienced such puzzling questions.

==> There has to be something related to the difference between the platforms' HOSTS. Why is the Splunk on AWS host result so different from my local Linux install? Can this be related to the network configuration? ... no clue.

Thanks a lot if that rings a bell to you. Kind regards. -Florent.
Hi All, I have a correlation search created where an alert unique ID is generated. That alert ID is then used in Episode Review, which in turn will be used to raise an incident. Somehow the alert ID is not getting ingested in Episode Review. Recently the index name for the correlation was changed; will that affect anything? Please help. Thanks & Regards, Sumeet Firodia
I have an interesting scenario that I haven't been able to find any guidance on. We use Splunk Cloud, and we have two heavy forwarders in our network which all our universal forwarders send to. What I'd like to do is configure a universal forwarder to either send directly to Splunk Cloud, if the device is outside our network, or send to a heavy forwarder if it is in our network. This would be for devices like laptops that might move between the internal network and the outside, where our heavy forwarders are not accessible.

I attempted to do this by putting our heavy forwarders first in a comma-separated list in outputs.conf on the universal forwarder, and then followed it with the Splunk Cloud URLs. Port 9997 out to Splunk Cloud is only open from our heavy forwarders in the network, and our heavy forwarders are only accessible from inside the network, so in this way it seems like it should simply load balance to whichever server it can reach, but sending to Splunk Cloud requires special cert authentication. Because of this, I followed the instructions to enable the forwarder to work with our Splunk Cloud instance, which adds a couple of certs to an app on the forwarder. I suspect this will make it work fine to connect to Splunk Cloud directly, but I can see in the splunkd.log for the forwarder that when it tries to connect to one of our heavy forwarders, it fails, probably because it is trying to use the Splunk Cloud certs.

My questions are: is it possible to configure this so that the forwarder can send to either Splunk Cloud directly or a heavy forwarder, and is there some other, better way to handle this than what I'm thinking of? I know another solution would be to just skip the heavy forwarders and have these roaming devices send to Splunk Cloud directly regardless of where they are, but we'd like to avoid that unless that is the only option.
Hello, we are new to Splunk, learning and working on customer requirements. You are requested to help on merging these two queries in order to use the Start Time and End Time from Event 1 in the JMS queue pending messages count (> 0 after startTime and < 0 after endTime), as Publisher and Subscribers are two separate Java applications in PCF:

Search - 1
==========

```
cf_org_name="####" cf_app_name="APP1" sourcetype="cf:logmessage" OR source = "XXXXX.EMS.STAT.QUEUES.SPLUNK.0.2021022312"
| fields msg.message msg.timestamp
| spath
| rename msg.message as message
| rename msg.timestamp as timestamp
| search message = "*Start of scheduler job cron:*" OR "*End of scheduler job executed in*"
| eval startMessage=case( match(message, "Start of scheduler job cron:"), message)
| eval endMessage=case(match(message, "End of scheduler job executed in"), message)
| rex field=startMessage "[^\#]+\#(?<schedulerJobStartTime>.*)"
| rex field=endMessage "[^\#]+\#(?<schedulerJobEndTime>.*)"
| stats max(schedulerJobStartTime) as latestJobStartTime max(schedulerJobEndTime) as latestJobEndTime
| eval latestJobStartTimeExpanded=strftime(latestJobStartTime/pow(10,3),"%Y-%m-%dT%H:%M:%S.%Q")
| eval latestJobEndTimeExpanded=strftime(latestJobEndTime/pow(10,3),"%Y-%m-%dT%H:%M:%S.%Q")
| eval duration=((latestJobEndTime - latestJobStartTime)/1000)/60/60
| spath output=pendingMessageCount path=queues{0}.pendingMessageCount
| spath output=msgTimeStampField path=key{0}.msgTimeStamp
```

Search - 2
==========

```
sourcetype=fedex:jms:queues
| spath "queues.name"
| search "queues.name"="XXXXPLAN.QNX"
| spath output=pendingMessageCount path=queues{0}.pendingMessageCount
| spath output=msgTimeStampField path=key{0}.msgTimeStamp
| search pendingMessageCount = "0"
| eval msgTimeStampFieldExpanded=strftime(msgTimeStampField/pow(10,3),"%Y-%m-%dT%H:%M:%S.%Q")
| stats min(msgTimeStampFieldExpanded) as msgTimeStampFieldExpandedMin max(msgTimeStampFieldExpanded) as msgTimeStampFieldExpandedMax
```

Regards, Bojja
Hello together, I have the following example table:

| Time | Host1 | Host2 | HostN | Total |
|---|---|---|---|---|
| 00:00 | 4 | 8 | 0 | 12 |
| 01:00 | 4 | 7 | 0 | 11 |
| 02:00 | 9 | 5 | 0 | 14 |

I am searching for a simple solution to highlight only the highest value in a row, except the column Total (and Time). So in my example, highlight for row 00:00 the 8, for 01:00 the 7, for 02:00 the 9. I tried different table format options, but most are for columns, and I also failed with expressions. Is there any way to accomplish this with Splunk v7.3.3, and hopefully without JavaScript?
Hi, I am new to CSS for creating dashboards in Splunk Enterprise. I want to create a table-type panel in a dashboard with the background color blue. But after applying the CSS, I am unable to assign different colors to different values in a column of the table. For instance:

Table A

| Column1 | Column2 | Column3 |
|---|---|---|
| A | ball | date1 |
| B | bat | date2 |

I want to color all "ball" in Column2 as green and "bat" as red after changing the background to blue for the table. Please help.
Hello, I copied some apps from one instance to another and surprisingly the name of the app is not shown anymore. When I expand the App dropdown, the app is there and I can choose it, but I would like to have the app name permanently displayed so that the users know which app they are in. I am not able to figure out what the issue is here. This is the case for both my own apps but also for the standard Splunk apps, like the ML Toolkit; see the screenshots below. Is it because of copying? I did not install it new, just copied the folder from the OS Unix "splunk" account. Perhaps this is about the Splunk version: I am copying from 8.0.6 to 8.1.2. Could anyone help? Kind Regards, Kamil
Hi All, does anyone know if it is possible to use the evt_resolve_ad_obj Windows monitor parameter with the PowerShell event channel to resolve the Active Directory Security IDentifier (SID) to a canonical name? I know it works under the [WinEventLog://Security] stanza, but it doesn't seem to work for me with the PowerShell stanza.

```
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
start_from = oldest
evt_resolve_ad_obj = 1
current_only = 0
checkpointInterval = 5
renderXml = 1
whitelist = 4104
index = powershell
```

A normal security event, 4688 for example, shows the SID under the <EventData> tag:

```xml
<EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  ...
</EventData>
```

PowerShell events, 4104 for example, show the SID under the <System> tag:

```xml
<System>
  ...
  <Security UserID="S-1-5-18" />
</System>
```

Not sure if this would cause it not to be able to extract it and resolve it, or if anyone has this working? Much appreciated.
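An added example, not code from the post above or from Splunk, showing how a search-time or pipeline-side resolver would have to look at both XML layouts the post describes: the SID in `<EventData><Data Name="SubjectUserSid">` for Security 4688, and the SID on the `UserID` attribute of `<System><Security/>` for PowerShell 4104. The two sample events and the resolver table are constructed for this example; the first three table entries are the well-known LocalSystem, LocalService and NetworkService SIDs, the fourth is an invented domain SID. A real deployment would look domain SIDs up in AD, which is what evt_resolve_ad_obj does inside the forwarder.

```python
import xml.etree.ElementTree as ET

# Constructed resolver table. Well-known SIDs are fixed by Windows; the
# S-1-5-21-... entry is an invented domain account for the example.
SID_TABLE = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-21-1111111111-2222222222-3333333333-1001": "EXAMPLE\\alice",
}

# Constructed Security 4688 event (renderXml=1 style): SID in EventData.
SEC_4688 = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing'/>
    <EventID>4688</EventID>
    <Channel>Security</Channel>
    <Security/>
  </System>
  <EventData>
    <Data Name='SubjectUserSid'>S-1-5-18</Data>
    <Data Name='NewProcessName'>C:\\Windows\\System32\\cmd.exe</Data>
  </EventData>
</Event>"""

# Constructed PowerShell 4104 event: SID only on System/Security@UserID.
PS_4104 = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-PowerShell'/>
    <EventID>4104</EventID>
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Security UserID='S-1-5-21-1111111111-2222222222-3333333333-1001'/>
  </System>
  <EventData>
    <Data Name='ScriptBlockText'>Invoke-WebRequest http://example.invalid</Data>
  </EventData>
</Event>"""

def _local(tag: str) -> str:
    """Strip the XML namespace so the code works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def extract_sid(event_xml: str):
    """Return the acting account's SID from either layout, or None."""
    root = ET.fromstring(event_xml)
    children = {_local(c.tag): c for c in root}
    # Layout 1: Security channel, <Data Name="SubjectUserSid"> in EventData.
    event_data = children.get("EventData")
    if event_data is not None:
        for d in event_data:
            if _local(d.tag) == "Data" and d.get("Name") == "SubjectUserSid" and d.text:
                return d.text.strip()
    # Layout 2: PowerShell/Operational, UserID attribute on System/Security.
    system = children.get("System")
    if system is not None:
        for c in system:
            if _local(c.tag) == "Security" and c.get("UserID"):
                return c.get("UserID")
    return None

def resolve_sid(sid, table=SID_TABLE):
    """Map a SID to an account name; unknown SIDs pass through unchanged so a
    failed lookup never hides the raw identifier from the analyst."""
    return table.get(sid, sid)

def annotate(event_xml: str) -> dict:
    """Return what a resolved event would carry: the raw SID and the name."""
    sid = extract_sid(event_xml)
    return {"sid": sid, "account": resolve_sid(sid) if sid else None}

if __name__ == "__main__":
    for ev in (SEC_4688, PS_4104):
        print(annotate(ev))
```

Keeping the raw SID next to the resolved name is deliberate: if the forwarder cannot resolve (as the post describes for the PowerShell channel) the event still carries the identifier you can pivot on, and a resolution that silently replaced the SID would destroy that.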