Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi, I want to monitor my Splunk VMs' health using the PRTG monitoring tool. How can I do that?
Hi All, I've got a form being built in Splunk Enterprise; it's used as a lookup table so we can see if there is a known issue with a host etc. I use the issue field to have a drop-down option, and the host and IP are manually input. What I'd like is for the "added by" field to be automatically populated with the signed-in user's ID/name/username etc. This is for audit purposes mainly. I've looked around and can't seem to find out how to do this. Any/all help is greatly appreciated.
Need the output of a list of usernames and the timestamp of the event in the Splunk string for the event below. We have a list of users that I need to see logged in the event.

2021-02-12 03:15:37,681 ERROR [com.avc.services.avc.service.HoverTextService] - Unexpected exception in hovertext() Message: Invalid 'username' value: user 'test1' does not exist in system""""

Currently I am using a search like:

index=abc "Invalid 'username'" Message | rex "user\ \'(?<user>[^\']*)\""

But I am not getting the expected results. I am expecting results like:

username timestamp
user1 2021-02-12 03:15:37
user2 2021-02-12 03:15:37
Hi, if someone could please help that would be great. I have events showing up in the indexer that are pushing me over my license; a lot of it is useless information to me and I have been trying to wrap my head around filtering it out using regex, but I just can't get my head around it. Below is a typical event I would like to rid my indexer of. I can't just block all the events with 4634 as some of them are valid, but I would like to block all events where the "TargetUserSid" is similar to DOMAIN\ABC-12345$. Can anyone help?

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4634</EventID><Version>0</Version><Level>0</Level><Task>12545</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-02-12T08:24:29.977950700Z'/><EventRecordID>314243098</EventRecordID><Correlation/><Execution ProcessID='852' ThreadID='12388'/><Channel>Security</Channel><Computer>domaincontoller.domainname</Computer><Security/></System><EventData><Data Name='TargetUserSid'>DomainName\machine-name$</Data><Data Name='TargetUserName'>Machine-Name$</Data><Data Name='TargetDomainName'>DomainName</Data><Data Name='TargetLogonId'>0x22b9251d</Data><Data Name='LogonType'>3</Data></EventData></Event>

Props.conf

[XmlWinEventLog:Security]
TRANSFORMS-xml = xmlnull
REGEX=(?m)^EventCode="(4662|566)" Message="Object Type:(?!\s*groupPolicyContainer)"
REGEX=(?m)^EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:(\W+\w+$)"
REGEX=(?m)^EventCode="(4688|4689)" Message="%SplunkUniversalForwarder%"
REGEX=(?m)^EventCode="6278" Message="Network Policy Server granted full access to a user because the host met the defined health policy."
REGEX=(?m)^EventCode="(4624|4634|4627|4648)" Message="Account\sName:.*[\S\s]*Account\sName:\s+[\S+]+[\$]"

Transforms.conf

[xmlnull]
REGEX= NO idea
DEST_KEY = queue
FORMAT = nullQueue
How do I create a script to stop receiving data from a UDP port during specific hours, for example between 12h and 15h?
Hi Team, I have a sample set of events coming from the same logs; here "x" denotes a digit (mostly an IP address in this case) and my requirement is to split the data in the existing field "Forwarder", which is marked as "v". So we already have a field extraction in place, i.e. the name of the field is "Forwarder". The current output from all 5 sample events is below, and for the 5th sample event we don't have the "vvv" value itself in the logs.

Sample Logs:

2021-02-12 06:23:17 xx.xxx.xxx.xx GET /test/v1/xyz/abc/domainsetting domainName=xx.xxx.xxx.xx 443 - xx.xxx.x.xxx function/xxx.x.x.x - xxx x x xx vv.vvv.vvv.vv
2021-02-12 06:23:26 xx.xxx.xxx.xx GET /Window-2020-def-yy-ab - 443 - xx.xxx.x.xxx Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Linuxx/5.0;+AppInfo) - xxx x x xxx vv.vv.v.v
2021-02-12 06:11:55 xx.xxx.xxx.xx POST /test/abc/api/Control/Match - 443 - xx.xxx.x.xxx Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/88.0.4324.150+Safari/537.36 https://abc.def-mm.com/abc/def/dashboard/DeliveryList/DeliveryDetail?deliveryId=xxxxx&deliverySource=Feed xxx x x xxx vvv.vv.vvv.vvv,+vv.vvv.v.vvv,+vv.vvv.vvv.vv
2021-02-12 01:14:47 xx.xxx.xxx.xx GET /test/Abcdefgh/login+button+with+xyz.jpg - 443 - xx.xxx.x.xxx Mozilla/5.0+(iPhone;+CPU+iPhone+OS+14_4+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Mobile/xxxxx - xxx x x x vvvv:vvvv:vvvv:vvvv:vvvv:vvvv:vvvv:vvvv,+vvv.vvv.vvv.vvv
2021-02-12 07:32:20 xx.xxx.xxx.xx GET / - 443 - xx.xxx.x.xx - - x xx x x -

Forwarder (field name)
vv.vvv.vvv.vv
vv.vv.v.v
vvv.vv.vvv.vvv,+vv.vvv.v.vvv,+vv.vvv.vvv.vv
vvvv:vvvv:vvvv:vvvv:vvvv:vvvv:vvvv:vvvv,+vvv.vvv.vvv.vvv

So I want to split them up in the same field name "Forwarder". Consider the 3rd (vvv.vv.vvv.vvv,+vv.vvv.v.vvv,+vv.vvv.vvv.vv) and 4th output (vvvv:vvvv:vvvv:vvvv:vvvv:vvvv:vvvv:vvvv,+vvv.vvv.vvv.vvv), in which the "Forwarder" field has multiple IPs in the same field; for those we want to extract each IP as a separate value under "Forwarder". Eg:

Forwarder (field name)
123.456.78.912,+45.675.3.123,+32.123.456.55

Output should be as below for the Forwarder field name:

123.456.78.912
45.675.3.123
32.123.456.55

So kindly help me with the regex for the same.
I downloaded the file from https://splunkbase.splunk.com/app/3669/#/details and want to install it on my Splunk server. Then a popup displays telling me to view the details page to install the package. But I didn't find anything on the details page that told me how to install it; please help.
Hello Everyone, I have a question. I have events like:

Mon Mar 19 20:16:03 2018 Info: Delayed: DCID 8414309 MID 19410908 From: <WeiZhang@example.com> To: <mcintosh@buttercupgames.com> RID 0 - 4.3.2 - Not accepting messages at this time ('421', ['4.3.2 try again later'])

I wrote a regex expression to cut email addresses from the events: <\w+@\w+.\w+>

How can I set this expression to get ONLY email addresses from logs? I need to do it at the getting-data-in phase, not after (I download data from a simple txt file). Thank you.
I have a dashboard panel with a table that shows 3 fields, each of which contains numeric values:

A) "Backups started (count)"
B) "Backups completed successfully (count)"
C) "Backups failed (count)"

I want to create a 4th field (D) "Backups in-progress" that simply calculates B-A. I already have the logic to change the color of (D) if it's less than (A). Thanks
Hi All, can you please help me understand the challenges of onboarding auto-scaling application data into a Splunk on-prem environment? We use intermediate forwarders.
Hi everyone, I am stuck in a situation where in my app logs two important values (one is a number and the other is a text string) are being captured, and I need to draw a stats count using these two values. So here is the base query:

index=Myapp sourcetype=weblogic "ReservationConfirmRS returned errors for TrainId" | dedup requestId sortBy -_time | timechart count span=1d

The log looks like below:

ReservId=30010632019 billingCurrency=“INR”,Status=7000, Error='ReservationConfirmRS returned errors for TrainId 45732 and reference number null[The trxn could not been confirmed. Please try again. Cause: ]’,travelerType=3

So the 'TrainId' and the text in brackets [text-string] would be different, and I need to draw a stats count for these two values. Please help!
Hi All, I am trying to join fields from two separate log entries in the same index. There is a common field called sessionid in both log entries. I wanted to get the groupname from one log entry and the username from a different log entry that correlates to the sessionid. The username can also differ between short name and UPN in the logs, so I wanted to ensure that the username displayed in the output would be the UPN (user@domain). I want a simple table output showing time, sessionid, groupname, username. I've tried using transaction, stats and join but have not been able to get the search working correctly. I think I'm missing something obvious but it's eluding me at present. Thanks, Andy
Hi, I got a trial link; the given username is sc_admin. It failed for the second time, so I wanted to change the password. To whom should I address this?
I have a set of results with _time, many single-value fields, and a multivalue field which contains a large set of epoch values (mv_epoch). I want an eval to test if any of the mv_epoch values are between relative_time(_time, "-30d@d") and _time. So something like:

....search results
| stats values(mv_epoch) AS mv_epoch values(field_a)... BY _time
| eval test=if((relative_time(_time, "-30d@d")<=mv_epoch AND mv_epoch<=_time),"yes","no")

Looking to solve this without using | mvexpand. Any help is greatly appreciated, thanks!
I am trying to construct an alert for someone when there is a duplex mismatch on our network switches. When it happens, both switches send an event that references their own interface, and the device and interface on the other side of the connection. So there are two events, but I only want a single alert. Imagine conceptually there are two switches connected directly to each other; when there is a duplex mismatch, I get two events:

from host=host_a: there is a problem on interface_a, which is connected to host_b, interface_b
from host=host_b: there is a problem on interface_b, which is connected to host_a, interface_a

Each event has these three fields extracted: src_interface, dest_host, dest_interface. I'm trying to construct a search that would understand the correlation between these two events and trigger one alert. I want to include the body from both messages (message_text) in the text of the alert. And ideally, I would have some mechanism to determine which of the two events to trigger on, but I guess that's not a requirement at this point. I'm staring at this stats table, but I can't come up with any methodology to correlate the two events:

| stats values(message_text) as message_text by host, src_interface, dest_host, dest_interface
I'm having trouble understanding how to set a Health Rule schedule that runs from 11:00pm-6:00am, Monday - Friday, since it starts on one day and ends on another. The Schedule editor doesn't seem to provide a way to do that. Is the only option to use Cron Expressions? Any guidance would be much appreciated. Thanks. (Sorry if this is in the wrong category, I wasn't sure where to post this topic.) ^ Edited by @Ryan.Paredez to update the title of the post.
Hello, I have a dashboard that uses base searches and variables. We export this dashboard often with a variety of variables, rarely reporting on the exact same data. It has functioned well since we created it. At the beginning of January 2021 this dashboard started exporting more data than we want, more than what is on the web UI. This dashboard export, in PDF format, is typically 6-10 pages. Right now it's around 26 pages. One of the tables on the report appears to be expanding beyond what the web UI shows. In the export, it is showing the good data that we want on this table; however, a myriad of rows are added with previous row names as column names now, and all the data is 0s. I checked the query that populates that table and there's really nothing special about it, and it has not changed in months, possibly a year. Has anyone experienced anything like this before?
I've got a non-standard CSV log file that has no headers. The first field of each line determines the number and order of the fields after it. How can I have Splunk assign field names to the data depending on the first field in a given row? An example would be:

Operation Record,Timestamp,Tagname,Description,Station
Alarm Confirm,Timestamp,Tagname,Station,Severity,
Process Alarm,Timestamp,Tagname,Description,Value
Trying to build a time chart for the Top 10 CPU-consuming processes for a Linux host for a given timeframe.

index=os host=xxxxxx source=top pctCPU != 0.0 | table COMMAND, pctCPU _time | sort - pctCPU | dedup COMMAND | head 10

I am trying to get a timechart based on the pctCPU usage only for these 10 COMMANDs. Thanks
Howdy Splunkers! First post here. I am looking for any information on the amount of resources a Universal Forwarder potentially uses on the server it is installed on when we are collecting IIS and/or winevent logs. All I can find in Splunk Community is "Universal forwarders use limited resources" which doesn't help me much. As part of my onboarding process of bringing server logging into Splunk, I want to make sure that we consider the host resource usage as part of the considerations in the deployment planning in addition to the customary storage capacity those logs will need. Currently, I need to install a UF on an IIS server which is extremely over-used and I want to try to understand how much the UF will add to the host server as I need to make sure the extra resource usage won't negatively affect or bring down the server. I appreciate your time and hope this makes sense. Thank you so much for your help!