Greetings. As far as we know, the SA-AccessProtection app is invisible, and all Email search results display a "404 Page not found" error. Add-on [default] request.ui_dispatch_app = search in savedsearches.conf did not help. What are the possible solutions?
I have around 15 columns in a table, where I want a fixed column width for 3 columns (30px) and the remaining columns at 15px, so that everything fits in a single view at 100%.
Hi Team, how can we add a blank row to the output? I have a search followed by some output in table format. I want to add a blank row at the start, or anywhere in the column.

index=* EventCode=4624 LogonType=8 earliest=-d@d latest=@d | top user | appendpipe [ | head 1 | foreach * [eval new=""] ]

I tried something like this, which gave me a new row named "new". I just want to add a blank row in the search results. Can someone help? Thanks in advance.
I am using a table of results:

a   | b   | c    | search            | d  | e
----+-----+------+-------------------+----+----
xx  | yy  | zzz  | index=firstindex  | bb | ppp
yyy | qqq | eeee | index=secondindex | rr | sss
ttt | zxc | asd  | index=thirdindex  | uy | mmm

Based on each result, I would like to use a foreach command to loop through each row of results based on the "search" field and perform a subsearch based on the VALUES in the "search" field. From a coding perspective it would be something like:

for each row:
    if field == search:
        # use value in search
        [search value | return index to main search]

It should evaluate to something like this for each row:

if field == search:
    [search index=index1 | return index]

My desired output is:

index
--------------
firstindex
secondindex
thirdindex

Is this possible? I have tried using

foreach * [eval if <<FIELD>>=="search"[search <<FIELD>>] ","[search <<FIELD>>]]

but this does not seem to work. I tried looking around in the Splunk community forums but the queries do not seem to be the same as what I am intending to do.
Hi, I have a search as below, but it doesn't show the results I want:

(index="index1") OR (index="index2")
| search date_hour>20 OR date_hour<5
| eval MERCHANT_CODE1=mvdedup(mvappend(CODE, MERCHANT_CODE))
| eval SUCCESS=if(RESPONSE_CODE="0",1,0)
| stats count AS Total_night sum(SUCCESS) AS SUCCESS_TOTAL BY MERCHANT_CODE1, ACQ_BANK
| eval SUCCESS_RATE=round(SUCCESS_TOTAL/Total_night*100,2)
| search SUCCESS_RATE>=70
| table MERCHANT_CODE1, SUCCESS_RATE, ACQ_BANK, Total_night, Total

The requirement is merchants that have more than 70% successful transactions in the time range from 20h to 5h in a month. The table results required are as above. My problem is that the transaction data is in index1 and the ACQ_BANK for each merchant is in index2. I want to show them in the table without manually checking each one, and I also want to show the total successes for the month, but with the code above I don't get any result. If I don't include index2 and remove ACQ_BANK after the BY, I get the result I want. If anyone has a suggestion I would really appreciate it.
I have the GC logs printed in a file. It contains data such as:

S0C        S1C   S0U  ...
74240.   76288.  0.0. ...

I want to use Splunk to analyze the data and give me a dashboard showing GC details like memory size, heap usage, memory leakage etc. Could you please guide me on that?
Hi, I am installing the Splunk UF on FreeBSD 10. Simple steps: I extracted the .txz file. Running the command ./splunk I get the error:

libexec/ld-elf.so.1: /opt/splunkforwarder/bin/splunk: Undefined symbol "_ThreadRuneLocale"

I know it could be something missing in the libraries, but I'm not sure how to move forward from here. Is there a document that lists all dependencies?
I'm trying to remove the duplicates in a field as described below:

EVENT_No | Fieldname
---------+----------
1        | a
         | b
         | c
2        | a
         | b
3        | c
         | a

Is there a way I can make it look like this?

EVENT_No | Fieldname
---------+----------
1        | a
         | b
         | c
Hey all, I'm new here (and to Splunk), so please be patient. I wanted to know: is there a way to collect data from Windows Server 2008 R2 and view it through the Splunk Add-on for Microsoft Windows (version 8.0.0)? Does it depend on the PowerShell version installed? Also, is there a way to monitor Windows features on those servers (like Windows DNS Server)? In the description of Splunk for Windows I saw that "Microsoft Active Directory" is a supported product, but is it also supported on an unsupported guest OS? Thanks to you all, have a nice week.
Hi, I have the data below and would like to get a count by country code. Is it possible?

|21/02/2021 12:36:29.048| |INFO| |1234|guest |CA|1.10.1| [END] - DetailsLookUp
|21/02/2021 12:26:20.534| |INFO| |8669|guest |US|1.10.1| [END] - DetailsLookUp

Thanks in advance.
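An added example, not part of the post above: one way to pull the country code out of these pipe-delimited lines at search time and count by it. The index and sourcetype names are assumptions; the regex keys on the two-letter uppercase token that sits between the user field and the dotted version number, so it does not depend on the fields before it.

```spl
index=app_logs sourcetype=details_lookup
| rex field=_raw "\|(?<user>[^|]+)\|(?<country>[A-Z]{2})\|(?<version>[0-9.]+)\|"
| eval user=trim(user)
| stats count AS requests dc(user) AS distinct_users BY country
| sort -requests
```

Run the rex line on its own first and check that country is populated on every event; if it is, the same regex can be made permanent as a search-time extraction (an EXTRACT-<name> setting in props.conf for the sourcetype) so that the stats line works without the rex.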
Hello Splunkers! In Splunk, I want to print the top email senders by number of attachments. My command is:

index=email eventtype="email-events" action=delivered | top 10 sender by AttachCount

but it produces more fields and they aren't sorted, and as you can see it produced more than 10 values. I've also tried:

index=email eventtype="email-events" action=delivered | top 10 sender by AttachCount | stats sum(AttachCount) as AttachCount by sender | top 10 AttachCount

Please help me; I need two fields only, top sender by AttachCount. Thanks.
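An added note and example, not part of the post: top sender by AttachCount computes the ten most frequent senders separately for each distinct AttachCount value, which is why more than ten rows come back and why they are grouped by attachment count rather than ranked by total. To rank senders by total attachments, aggregate first and sort afterwards. The index, eventtype and field names are taken from the post.

```spl
index=email eventtype="email-events" action=delivered
| stats sum(AttachCount) AS AttachCount BY sender
| sort -AttachCount
| head 10
```

If AttachCount is sometimes missing on delivered events, add `AttachCount=*` to the base search so that senders with no attachment data do not collapse to zero.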
I just created a new data input to be uploaded to a new index, but I don't see any data inside the index. How can I troubleshoot this issue?
I used the query below. Here some applications are named like appname and some like appname.application, so I added app1*, app2*, .... Now the counts are perfect, but I'm getting duplicate application names.

index="index1" ApplicationName IN (app1*,app2*,app3*,app4*,app5*,app6*,app7*,app8*,app9*)
| chart count(ApplicationName) over ApplicationName by Status
| addtotals
| append
    [| makeresults
     | eval ApplicationName=split("app1,app2,app3,app4,app5,app6,app7,app8,app9", ",")
     | mvexpand ApplicationName
     | fields - _time ]
| fillnull value=0
| stats max(*) as * by ApplicationName

Can anyone please help me with this?
Hello Splunkers, I want to write an SPL search to list email senders, excluding emails in a predefined lookup table. Here's my command:

index=email eventtype="email-events" action=delivered [ | inputlookup group_service_emails_csv.csv | fields Emails | where sender != Emails ]

Please help me with it. Thanks.
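An added example, not code from the post. The subsearch in the post filters on sender inside the subsearch, where only the lookup's own fields exist, so the where clause never matches. Two working patterns, assuming the lookup has a column named Emails as the post says: a NOT with a subsearch that rewrites the lookup rows into sender terms, and a lookup-based filter that is not subject to the subsearch result limit.

```spl
index=email eventtype="email-events" action=delivered
    NOT [ | inputlookup group_service_emails_csv.csv
          | rename Emails AS sender
          | fields sender ]
| stats count AS delivered BY sender
| sort -delivered

index=email eventtype="email-events" action=delivered
| lookup group_service_emails_csv.csv Emails AS sender OUTPUT Emails AS service_address
| where isnull(service_address)
| stats count AS delivered BY sender
| sort -delivered
```

The first form expands to NOT (sender="a" OR sender="b" ...) and is fine for a short list; a subsearch is capped at 10,000 rows by default, so for a large lookup use the second form, which matches each event against the lookup and keeps only events with no match. Both comparisons are case-insensitive by default, which is usually what you want for addresses.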
I have events with two keys, area and errortext. Sample event below:

[2021-02-20 19:27:37.599 GMT] ERROR Servlet|test-event| element=PlaceOrder,routine=start,receiptNumber=000006,errortext="Initiating ReversePayments for Order, Reason: Inventory reservation failed"

I need to find:
1. unique events that match element and errortext values for time window 1
2. the same unique events for time window 2
3. events that are present in time window 1 and NOT in time window 2

To find unique events in time window 1 I am using the query below:

index=dev sourcetype!=warn element AND errortext earliest=@w5 latest=+7d@w6 | dedup element,errortext | table element,errortext

I am trying to use search and NOT, but I am not able to do so in this case:

SearchOne NOT [ SearchTwo ]
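An added example, not part of the post: one way to get result 3 in a single search, without a subsearch. It assumes window 2 is the period since the most recent Friday (@w5) and window 1 is the seven days before that; adjust earliest and the relative_time boundary to the real windows. Each element/errortext pair is counted per window, and only pairs seen in window 1 but never in window 2 are kept.

```spl
index=dev sourcetype!=warn element=* errortext=* earliest=-7d@w5 latest=now
| eval w2_start=relative_time(now(), "@w5")
| eval window=if(_time < w2_start, "w1", "w2")
| stats count(eval(window="w1")) AS in_w1
        count(eval(window="w2")) AS in_w2
        BY element, errortext
| where in_w1 > 0 AND in_w2 = 0
| table element, errortext, in_w1
```

The SearchOne NOT [ SearchTwo ] form does also work if the subsearch ends with | dedup element errortext | fields element errortext, because Splunk rewrites those rows into (element="..." errortext="...") terms, but it is capped by the subsearch result limit and long errortext values with quotes and commas make the rewritten terms fragile. The single-pass stats form above has neither problem and scans the data once.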
I just moved over to a Docker Splunk setup and I'm having an issue where Splunk thinks I'm in UTC even when the preferences are set to Pacific: it thinks 15m ago was 12am when it's 4pm here. I don't have anything special set up; in fact I carried over most of my settings from my local install, but I don't know why this isn't working.
I have a log that writes the timestamp in UTC without any timezone, and it appears Splunk thinks this is my local time; I cannot get it to understand that the timezone is UTC. Example log:

Feb 21, 2021 00:03:05.973 [0x7f6a027c5700] DEBUG - Completed: [127.0.0.1:42302] 206 PUT ...

In my $SPLUNK_HOME/etc/apps/search/default/props.conf I have added:

[default]
TZ=GMT

My timezone is set in preferences to -0800 (Pacific), but it still shows these as the same time.
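An added example, not from the post. Two things about the snippet above are worth checking. TZ is applied when the event is parsed, so it has to live on the instance that parses the data (an indexer or heavy forwarder; a universal forwarder does not parse timestamps for ordinary file inputs), it needs a restart, and it only affects events indexed after the change; events already on disk keep their wrong _time. On a single all-in-one instance the search head is also the parser, but the restart and reindex caveats still apply. Files under an app's default/ directory are also replaced on upgrade, so settings belong in local/. Below, the stanza as tried, followed by the stanza as it is normally written for this log format. The sourcetype name my_app_debug is an assumption.

```ini
# As tried: $SPLUNK_HOME/etc/apps/search/default/props.conf
# A [default] stanza here applies to every sourcetype, is lost on upgrade,
# and does nothing unless this instance is the one parsing the file.
[default]
TZ = GMT

# Instead: $SPLUNK_HOME/etc/system/local/props.conf (or an app's local/)
# on the indexer or heavy forwarder that parses this source, scoped to the
# sourcetype assigned to the file. Sourcetype name is assumed.
[my_app_debug]
TZ = UTC
# Anchor the timestamp at line start so the hex thread id and port are ignored.
TIME_PREFIX = ^
TIME_FORMAT = %b %d, %Y %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 25
```

After a restart, confirm the effective settings with splunk btool props list my_app_debug --debug, then check a freshly indexed event with | eval parsed=strftime(_time, "%Y-%m-%d %H:%M:%S %z") | table _raw parsed; parsed should now be eight hours earlier than the raw text when viewed in Pacific.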
Hi Splunk community, I am trying to determine the impact of removing Adobe Flash from our environment. I have done a basic search and the results returned are much higher than expected. This would most probably be because staff are accessing external content as well as internally hosted content. Is it possible to have a query that tells me which URL has invoked Flash Player? I have tried:

event_simpleName=ProcessRollup* FileName=FlashUtil*_ActiveX.exe and FileName=Flash*.ocx

The query returns hostname, timestamp of execution, username and others, but I don't get the DNS requests or the URL that invoked Flash Player. So far, to get around this, I do another separate search on the host, based on the timestamp from the results of the above query, looking up the DNS request. Example result:

Domainname      | host        | user    | filename     | commandline
----------------+-------------+---------+--------------+-----------------------------------------------------------------------------------------------------------
ssl.gstatic.com | computer123 | user123 | iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" https://docs.google.com/spreadsheets/z/xyz/edit?usp=drive_web

Most DNS requests are within a fraction of a second or +1 second. Finding a computer with useful data is a draw of the luck and very time consuming. Is anyone able to help with the above query? I am trying to have one query that gives me hostname, username, timestamp, app (e.g. FlashUtil*_ActiveX.exe) and DNS request or URL, or commandline. We use CrowdStrike for endpoint protection and the logs are fed to Splunk by the CrowdStrike agent.
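An added example, not part of the post: one way to do the correlation in a single search instead of a second manual lookup per host. It assumes the CrowdStrike data sits in an index named crowdstrike and uses the Falcon field names aid, ComputerName, UserName, CommandLine and DomainName with the event names ProcessRollup2 and DnsRequest; check these against the fields actually present in your events. Process and DNS events from the same sensor are placed into the same two-second bucket and grouped, so every bucket that contains a Flash process start is reported together with the domains resolved in those two seconds.

```spl
index=crowdstrike
    (event_simpleName=ProcessRollup2 (FileName="FlashUtil*_ActiveX.exe" OR FileName="Flash*.ocx"))
    OR event_simpleName=DnsRequest
| bin _time span=2s AS bucket
| stats min(_time) AS _time
        values(eval(if(event_simpleName="ProcessRollup2", FileName, null()))) AS flash_file
        values(eval(if(event_simpleName="ProcessRollup2", CommandLine, null()))) AS commandline
        values(eval(if(event_simpleName="DnsRequest", DomainName, null()))) AS domains
        values(UserName) AS user
        BY aid, ComputerName, bucket
| where isnotnull(flash_file)
| table _time, ComputerName, user, flash_file, domains, commandline
| sort -_time
```

Fixed buckets have one blind spot: a DNS request half a second before a process start can land in the previous bucket. Widen span to 3s or 5s if rows come back with no domains, or, at higher cost, replace bin and stats with | transaction aid maxspan=5s startswith=(event_simpleName=DnsRequest) to stitch each DNS request to the process starts that follow it. Either way the result is a per-host list of what was being resolved at the moment Flash ran, which is the evidence needed to decide whether the dependency is internal or external before removing it.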
Hi, I am new to Splunk. I want to create a pie chart that shows a particular type of event as a percentage of all events. For example, I would like to represent all events that contain the word Linux as a percentage of total events. What would the search query be for this? Thank you.
My understanding is that the pipe operator is used for OR and the ampersand for AND. I find no NOT operator, and my testing indicates that "field=*" results in no records rather than only those for which "field" is populated. I need to filter out all records for which a given field is empty. Is that possible?