Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I'm trying to pick up the status codes for a given API, 4XX and 5XX. I've typically done this with something like this (changed the index, source and sourceUrl to be generic):

    index="ralph" source="/var/log/containers/api.log" sourceUrl="/url/api/api_name" (statusCode=4* OR statusCode=5*)
    | timechart span=15m@m usenull=false count(statusCode) by statusCode

This has worked in the past, but I'm running into a situation for some APIs where my search is returning values such as: 4, 40, 41, 44, 401, 403, 404, 5, 50, 51, 500, 503, 504, etc. My goal is to exclude anything that is NOT three digits (i.e. 4, 40, 41, 44, 5, 50, 51).

I've tried doing something like statusCode=40*; this excluded everything except 40. I tried statusCode=40\d. Thought I'd try =40? but nothing is working. Is there a wildcard combo that would allow me to search where it must contain the 40 and one additional number? So I'd get just 400, 401, 4XX. I'm not very experienced with regex, but it seems like that might be the path? Appreciate your help!

Thanks, rick
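As an added example (not part of rick's post and not Splunk's own code), the Python below shows why a trailing wildcard keeps the short values and how an anchored regex excludes them. The sample values are constructed from the ones listed in the question, not pulled from any index. In SPL the same filter is `| regex statusCode="^[45]\d{2}$"` placed before the timechart, or, if the field is numeric, `statusCode>=400 statusCode<600` in the base search. One- and two-digit values alongside 401 and 503 can mean the field extraction for those APIs is also capturing partial values, so the extraction is worth checking as well as the filter.

```python
import re
from collections import Counter

# Constructed sample values modelled on the ones the question lists; they are
# not taken from the poster's index.
SAMPLE_STATUS_VALUES = [
    "4", "40", "41", "44", "401", "403", "404", "200",
    "5", "50", "51", "500", "503", "504", "4004",
]

# Anchored on both ends: first digit 4 or 5, then exactly two more digits.
ERROR_STATUS = re.compile(r"^[45]\d{2}$")


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Approximate a Splunk field wildcard: '*' matches any run of characters.

    Everything else is matched literally and the result is anchored at both
    ends, which is how statusCode=40* behaves: a prefix match, so "40" and
    "4004" are kept along with "401".
    """
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def matches_wildcard(values, pattern: str) -> list:
    """Values a Splunk-style wildcard would keep; note it keeps the short ones."""
    rx = wildcard_to_regex(pattern)
    return [v for v in values if rx.match(v)]


def well_formed_error_codes(values) -> list:
    """Values the anchored regex keeps: three-digit 4xx and 5xx only."""
    return [v for v in values if ERROR_STATUS.match(v)]


def error_status_counts(values) -> dict:
    """Count per well-formed code, like `count(statusCode) by statusCode`."""
    return dict(Counter(well_formed_error_codes(values)))


if __name__ == "__main__":
    print("40* keeps:", matches_wildcard(SAMPLE_STATUS_VALUES, "40*"))
    print("4* keeps:", matches_wildcard(SAMPLE_STATUS_VALUES, "4*"))
    print("anchored regex keeps:", error_status_counts(SAMPLE_STATUS_VALUES))
```

The `regex` command in SPL uses the same PCRE-style anchors, so the pattern carries over as written; the wildcard form cannot express "exactly three characters", which is why `40*` and `40?` could not do the job.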
Running the latest release of Lookup Editor, I had an existing KVStore that I added a new field to via Lookup Table Definitions.  I am able to see this via "| inputlookup <kvstorename>" .  I am also able to add values to the new field.  However, Lookup Editor will not display the new field.   Any suggestions?
We are in the process of increasing our daily ingest rate to 2TB, and I want to ask a question about our storage retention policy design. Hot, warm and cold are all searchable from Splunk, so what is the ideal retention for cold storage? My contractor designed the same period for both, which confuses me a little. Thank you.

    Hot/Warm: 90 days
    Cold: 90 days
    Archive: 3 years
Hi All, I have one requirement. I have one dashboard in the form of a table, and it has one hyperlink column. My hyperlink column is "url" and it looks like the below:

    https://ecp-dev.aexp.com:444//ni/?processGroupId=ef451556-016d-1000-0000-00005025535d&componentIds=fa1f903a-0174-1000-0000-00007ee9e2ee

The issue here is that after 444 there are two // where there should be only one. How can I parse this string? Can someone guide me? Thanks in advance.
We have a small dashboard and we would like to have a script alert action or a custom alert action. What we would like to do is send a toast or pop-up notification to the system, so that when the alert is triggered, if the operator is not looking at the dashboard, they will be able to see the pop-up or toast in the bottom right corner of the screen, just like the alert you get from MS Outlook for a new email. Is this possible? Any help would be appreciated.
I have a correlation search where the 'dest' field is present, and in the drilldown search I have specified

    | search dest="$dest$"

However, when I click on contributing events, the drilldown search opens up with the same query

    | search dest="$dest$"

instead of the actual value of the 'dest' field. Why doesn't this work? Has anyone faced this issue?
I have some field value 'foo' and I want to trigger an alert of a different severity depending on its value (e.g. a low severity alert when foo > 10, a medium severity alert when foo > 20, and a high severity alert when foo > 50). I know that this is easy to do by creating separate alerts and changing the count condition and severity for each one, but this feels inefficient and will be a pain to go through and edit when the conditions change. I'm new to Splunk, so I'm not aware of a way to trigger an alert with a condition for its severity. Is this possible to achieve?
Hi, we are trying to set up the Splunk app for Windows AD object monitoring as per MS Windows AD Objects | Splunkbase. We already have the Windows TA Infrastructure app configured and sending logs to separate indexes rather than the default ones mentioned in the app. Whenever I provide that index name in the macro and run the autocheck, it is not able to detect the data in that index. When I search that index in Splunk search, I can see data coming into that index. We have the data configured in the XML-based log format instead of the classic one. We have the following setup. What could be the reason this app is not able to detect the data?
I have injected adrum.js into my front-end page by modifying Apache following the official guideline:

    <Location "/">
        AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text/html
        Substitute "s#<head>#<head><script>window['adrum-start-time'] = new Date().getTime();</script><script>(function(config){config.appKey='${APPD_BROWSER_APP_KEY}';})(window['adrum-config'] || (window['adrum-config'] = {}));</script><script src='https://cdn.appdynamics.com/adrum/adrum-latest.js'></script>#inq"
    </Location>

And I can see that the substitution has successfully replaced the <head> label with the contents, including adrum-latest.js, as expected when I check the page's elements in the browser's development mode. After that I can see some data traffic, like calls to col.eum-appdynamics.com with /eumcollector/beacons/browser/v1/MY_CORRECT_APP_KEY/adrum, and there is always a 200 OK response with no response body. But I can't see anything in my app's dashboard in the AppDynamics controller. I mean no data at all; every column is 0. I also tried changing this app's APP_KEY to the APP_KEY of another app that is working perfectly normally, but still no data feeds into the 'working perfectly normal app'. Can anyone give me a hint on where I should begin troubleshooting this problem?
I'm furious............ 2 hosts (physical), both Ubuntu Server. Read about Splunk and how dibi **bleep**s GHA (soim)

Host #1: Installed Splunk as in docs, !!!!!!!!!!!!!
Host #2: created FREE Splunk Cloud, configured everything as in docs.

No **bleep**ing logs.

HELP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Hi Everyone, I have one requirement. I have one table dashboard which consists of multiple columns. One column is "url". I want it to be a hyperlink so that it can be opened. Below is my code:

    <row>
      <panel>
        <table>
          <search>
            <query>index=abc sourcetype=xyz source="ser.log" $process_tok1$
    | rex field=_raw "(?&lt;id&gt;[A-Za-z0-9]{8}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{12})"
    | join type=outer id [| inputlookup nifi_api_parent_chains_e1.csv]
    | search $ckey$
    | search $usr$
    | table _time _raw host id parent_chain url</query>
            <earliest>$field1.earliest$</earliest>
            <latest>$field1.latest$</latest>
            <sampleRatio>1</sampleRatio>
          </search>
          <option name="count">100</option>
          <option name="dataOverlayMode">none</option>
          <option name="drilldown">cell</option>
          <option name="percentagesRow">false</option>
          <option name="refresh.display">progressbar</option>
          <option name="rowNumbers">false</option>
          <option name="totalsRow">false</option>
          <option name="wrap">true</option>
        </table>
      </panel>
    </row>

I want the url column to be a hyperlink. How can I do that? Thanks in advance.
Hi, I want to create a REST API request to create a search in Splunk and get the details (logs) of the search result. I have gone through the Splunk documentation provided by the Splunk team, but couldn't get the response properly. I am trying all the ways to hit Splunk and search, but it isn't working. I am using basic auth for the request in Postman. Please help me get through this. I am attaching the Splunk version we are using, the search query we have to use, and also the Postman request used to hit the same. I want to use only Postman for the search, not a curl command.
Hey, I have the query:

    index="classroom-students" profile.emailAddress="something" earliest=0 latest=now
    | join type=outer courseId [search index="courses" courseState="ACTIVE"]
    | join type=outer courseId max=0 [search index="course-work" | rename id as courseWorkId]
    | join type=outer userId, courseId, courseWorkId [search index="students-submission" | dedup userId, courseId, courseWorkId sortby -updateTime]
    | rename profile.name.fullName as StudentName
    | rename name as Classroom
    | rename submissionHistory{}.gradeHistory.pointsEarned as pointsEarned
    | table StudentName, courseId, courseWorkId, userId, Classroom, descriptionHeading, title, workType, maxPoints, pointsEarned, state, late

In the late column, I get "true" in some rows. I want to color those rows where I am getting "true" in the late column. For example, if you look at the image, I want to color the whole second row. Any help would be highly appreciated. Thanks in advance.
Hello, please, can you tell me how to transform and extract the value Timeout from the following log using rex?

    [Error] POS Card Validation - Result: Timeout

Thanks a bunch
We want to anonymize the usernames in the following event using a sed script.

Raw event:

    {"externalId": null, "statusChanged": "2021-02-09T09:51:42.000Z", "userName": "thisisatestuser@123.pl ", "appid": "0oa97rn2ymPrbgM430x612344", "lastUpdated": "2021-02-09T09:51:42.000Z", "scope": "", "userid": "00u1a2mn8ouOvSO2A0x71234", "created": "2021-02-09T09:51:42.000Z", "status": "ACTIVE"}

However, either the stanza in props.conf is incorrect or we put it in the wrong place. Current config:

1. The input is specified on a Heavy Forwarder in an app's local folder (we just activated inputs after installing an app in the front end, and that is how this entry was created).
2. We added the following SEDCMD stanza in /opt/splunk/etc/system/local/props.conf on the Heavy Forwarder:

    [testapp:appUser]
    SEDCMD-TestApp_username1=s/userName:(\d{6})/userName:XXXXXX/1

Does anyone have any idea on how to solve it?
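As an added example (not from the poster and not Splunk's own code), the Python below replays the posted SEDCMD against a constructed copy of the raw event, shows why it never matches (the JSON key is quoted, a space follows the colon, and the value is an e-mail address rather than six digits), and contrasts it with a pattern that masks the whole quoted value while keeping the event valid JSON. The stanza name `[testapp:appUser]`, the key name `mask_username` and the HMAC key are assumptions for illustration. Splunk's SEDCMD uses the same `s/regex/replacement/flags` form with `\1`-style backreferences, so the masking pattern carries over as `SEDCMD-mask_username = s/("userName"\s*:\s*")[^"]*(")/\1XXXXXX\2/g`. Two practitioner checks beyond the regex: the stanza must sit on the first full Splunk instance that parses the data (the Heavy Forwarder here is right if the input is local to it or arrives from a universal forwarder), the instance must be restarted, and only data indexed after the change is affected; existing events stay unmasked.

```python
import hashlib
import hmac
import json
import re

# Constructed copy of the raw event from the post; the address and ids are
# the poster's test values, not real accounts.
RAW_EVENT = (
    '{"externalId": null, "statusChanged": "2021-02-09T09:51:42.000Z", '
    '"userName": "thisisatestuser@123.pl ", "appid": "0oa97rn2ymPrbgM430x612344", '
    '"lastUpdated": "2021-02-09T09:51:42.000Z", "scope": "", '
    '"userid": "00u1a2mn8ouOvSO2A0x71234", "created": "2021-02-09T09:51:42.000Z", '
    '"status": "ACTIVE"}'
)

# The posted SEDCMD, s/userName:(\d{6})/userName:XXXXXX/1, translated to re.sub.
# It wants the literal text userName: followed by six digits. In the JSON the key
# is quoted, a space follows the colon and the value is an e-mail address, so
# the pattern never matches and the event passes through unchanged.
POSTED_PATTERN = re.compile(r"userName:(\d{6})")

# Replacement pattern: quoted key, optional whitespace around the colon, then the
# whole quoted value. Groups 1 and 3 keep the surrounding JSON intact.
USERNAME_PATTERN = re.compile(r'("userName"\s*:\s*")([^"]*)(")')


def apply_posted_sedcmd(event: str) -> str:
    """What the stanza in the post does to the event (count=1 is the trailing /1)."""
    return POSTED_PATTERN.sub("userName:XXXXXX", event, count=1)


def mask_username(event: str, replacement: str = "XXXXXX") -> str:
    r"""Static masking, the equivalent of
    SEDCMD-mask_username = s/("userName"\s*:\s*")[^"]*(")/\1XXXXXX\2/g
    (assumed stanza key; the pattern is the point)."""
    return USERNAME_PATTERN.sub(lambda m: m.group(1) + replacement + m.group(3), event)


def pseudonymize_username(event: str, key: bytes) -> str:
    """Keyed-hash pseudonym: the same user always maps to the same token, so
    searches can still group by user, but the token cannot be reversed without
    the key. SEDCMD cannot do this; it has to happen before the data reaches
    Splunk or in an ingest-time eval. The key here is a placeholder."""
    def repl(m: re.Match) -> str:
        digest = hmac.new(key, m.group(2).strip().lower().encode(), hashlib.sha256)
        return m.group(1) + "user-" + digest.hexdigest()[:16] + m.group(3)
    return USERNAME_PATTERN.sub(repl, event)


def username_field(event: str) -> str:
    """Parse the event as JSON and return userName; fails if masking broke the JSON."""
    return json.loads(event)["userName"]


if __name__ == "__main__":
    print("posted SEDCMD changed the event:", apply_posted_sedcmd(RAW_EVENT) != RAW_EVENT)
    print("masked:", username_field(mask_username(RAW_EVENT)))
    print("pseudonym:", username_field(pseudonymize_username(RAW_EVENT, b"ingest-key")))
```

A fixed mask such as XXXXXX destroys the ability to count events per user; if that matters for the use case, the keyed-hash variant keeps per-user correlation without storing the address, at the cost of having to protect the key.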
I need a query with which we can track which log sources are being commissioned and decommissioned in Splunk, and generate a report.
Hello, I have a Kubernetes environment that contains:

    1 SH
    1 master
    3 indexers in a cluster

We changed the pass4SymmKey in all of the components, and now the status is that on the indexers the key stays as it should, while on the master and SH it reverts to something unknown every few hours. What is the reason, and how can I solve it? Thanks
Hi all, I'm creating a couple of events with the command:

    | streamstats window=2 list(PI_Event_Status) as status list(PI_Event_Time) as time list("PI Event Severity") as severity list("PI Event Urgency") as urgency by "Record Number", "PI Number"

I notice that when I execute my command on only one "Record Number" (record number is an id), the command works as expected:

But when I execute the command on the whole index, the command only works partially:

Do you know why?

Regards, Clément
Hi, I would like to know if we can use SPL commands in configuration files to filter incoming data, because using regex is not an option.
I can successfully create a search job with the help of the docs using a curl command:

    curl -u "userName" -k https://host:port/services/search/jobs -d search="encodedSearchQuery"

I get back the SID as expected:

    <response>
      <sid>1234567890.123456</sid>
    </response>

When I try to translate this search to a REST call with a JSON body I cannot get it to work. For example, if I use Postman:

    POST https://host:port/services/search/jobs/
    Request Body (JSON)
    {
      "search": "encodedSearchQuery"
    }

I get a 200 but no search job is created or SID returned.

Any tips to get this working? Thanks
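As an added example serving both this post and the earlier Postman question (it is not code from either poster or from Splunk), the Python below builds the job-creation request the way curl's `-d` does: as an application/x-www-form-urlencoded body with a `search` parameter, which is what the /services/search/jobs endpoint reads. A raw JSON body is not parsed as parameters, so in Postman the body type has to be x-www-form-urlencoded rather than raw JSON. The host `splunk.example:8089` and the credentials are placeholders; the parsing functions run offline against constructed copies of the XML and JSON responses. Two security points the example keeps: certificate verification stays on (curl's `-k` turns it off), and the Basic credentials should be swapped for a Splunk authentication token sent as `Authorization: Bearer <token>` so a password is not stored in a Postman collection.

```python
import base64
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Placeholder management endpoint; the REST API listens on the management port
# (8089 by default), not the web port.
BASE_URL = "https://splunk.example:8089"


def build_create_job_request(base_url: str, spl: str, user: str, password: str,
                             output_mode: str = "json") -> urllib.request.Request:
    """Build the POST that creates a search job.

    The endpoint reads form-encoded parameters, so urlencode() does the
    escaping and the SPL is passed in plain text. The SPL has to begin with a
    command: a bare 'index=...' is prefixed with 'search'. Basic auth is used
    here because both posts use it; a Bearer token is the better choice.
    """
    spl = spl.strip()
    if not spl.startswith(("search", "|")):
        spl = "search " + spl
    body = urllib.parse.urlencode({"search": spl, "output_mode": output_mode}).encode()
    credentials = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        url=base_url.rstrip("/") + "/services/search/jobs",
        data=body,
        method="POST",
        headers={
            "Authorization": "Basic " + credentials,
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def parse_sid(body: bytes, content_type: str) -> str:
    """Extract the job id from the create response: XML by default, JSON when
    output_mode=json was sent."""
    if "json" in content_type:
        return json.loads(body)["sid"]
    return ET.fromstring(body).findtext("sid")


def results_url(base_url: str, sid: str, count: int = 0) -> str:
    """Where to fetch the events once GET /services/search/jobs/<sid> reports
    dispatchState DONE; count=0 asks for all rows."""
    query = urllib.parse.urlencode({"output_mode": "json", "count": count})
    return f"{base_url.rstrip('/')}/services/search/jobs/{urllib.parse.quote(sid)}/results?{query}"


def create_job(base_url: str, spl: str, user: str, password: str) -> str:
    """Send the request and return the SID. Certificate verification stays on,
    unlike curl -k; install the deployment's CA rather than disabling it."""
    req = build_create_job_request(base_url, spl, user, password)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_sid(resp.read(), resp.headers.get("Content-Type", ""))


if __name__ == "__main__":
    req = build_create_job_request(BASE_URL, "index=_internal | head 5", "admin", "pw")
    print(req.full_url)
    print(req.data.decode())
    # Constructed responses in both shapes the endpoint returns.
    print(parse_sid(b"<response><sid>1234567890.123456</sid></response>", "text/xml"))
    print(parse_sid(b'{"sid": "1234567890.123456"}', "application/json"))
```

After the SID comes back, the job runs asynchronously: poll `GET /services/search/jobs/<sid>` until `dispatchState` is `DONE`, then read `results_url(...)`. Asking for `output_mode=json` on the create call saves parsing the XML envelope in Postman.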