Example:

errormessages            total
user a not found.        7
user b not found.        5
user c not found.        10

Result should be:

user not found.          22
Hi, I have one index, "main", which has an index-time extracted field, "status", and for the status field I have included fields.conf with indexed=true. Now I have created one summary index (abc) by populating data into it using the collect command, and this summary index (abc) also contains the "status" field. Now when I try to search index=abc status="good" it won't provide me any results, maybe because it is trying to search in metadata fields. So what solution could I apply to see results? Note: if I use index=abc | search status="good" it will give me results. Thanks,
Hello all! Currently I have a custom drilldown in place that takes a line graph, pulls the time field for earliest (and +1h for latest) and pulls the country associated with the line. This information is used to populate the search with click tokens, i.e.

index=mysearch parameters=* | iplocation src_ip | search Country="$token$" | stats count by _time, src_ip, Country ...

My hope is to not have to use useother=f, but instead find a workaround for Country="OTHER" so that it is understood to mean "not the other countries in the top 10". Any help is much appreciated! So, if I were to click the United States line on the graph, all is fine for Country="United States", and Canada would be the same success, but OTHER is not an actual value; it is a placeholder for the conglomerate of countries that didn't make the top 10. How can I get that to populate as such for the drilldown, but also, if a real country is clicked, have it distinguish that as well?
Hi, I am testing this Add-on to retrieve data from a REST API. The connection is good and it pulls the data, but every event gets truncated around the same line. Also the response doesn't seem to end properly (a complete page where the next one can be requested). It seems as if a limit has been reached. I changed the Add-on logging level to DEBUG but do not see any error messages. Is there anything else I can check?

Splunk Version - 7.2.4.2
Add-on Version - 1.9.8

Thanks,
~ Abhi
I'm a new user of Splunk 6.5.7. I have a search but only want results for 288 specific customerIDs. This would be a very long list of ORs and I don't think 6.5.7 supports an IN function. So I want a table output with two columns from my search, CustomerName and CustomerID, but only where the customerID is in my CSV of customerIDs. I feel I should be able to do this using a lookup but just can't get it right. Anyone able to help please?
Hello Community, rookie here. I am looking for some ideas to just monitor a directory for incoming and outgoing files, and not the actual data within the files. I am wanting to see if I can project this data to a dashboard with the names of files that have come in and been processed.

/opt/splunk/input/test_in
/op/splunk/output/test_out

Is it possible within Splunk? I believe Splunk may be overkill, but I want to see if I can achieve it. I am in my demo environment: installed the Splunk server, created an index, installed a forwarder on my remote Unix server, configured the inputs/outputs files, connected it to the indexer and I see it reporting. Please let me know. Cheers!
Hi folks, I'm trying to figure out if and how I could drop data, or modify data, based on a metadata tag. In looking at the props.conf spec, it seems you can only reference sourcetype, source or host. My inbound data is setting up a metadata tag of "namespace" (it's Splunk Connect for Kubernetes, if it helps any). I did try [namespace::<value>], but it doesn't seem to work. I can't get specific enough with the existing choices of host, source or sourcetype. My 2 use cases are:

1) Run a props.conf SEDCMD on some "cluster_name" only
2) Drop some "namespace" tags I don't want to ingest

Neither one of these appears to work, and may be expected not to, based on the documentation? Are there other options? Thanks! Stephen
Is there a CIM for Software? I have different sources: ePO, ACAS, the Windows add-on, and the NIX add-on. I would like to use a data model from CIM if possible. Here are the CIM models I've already looked at: https://docs.splunk.com/Documentation/CIM/4.18.0/User/Endpoint (Endpoint Inventory, Application State). I've also searched Splunk Answers but found no quick results.
Hello; we ingest IIS logs. Recently some of our IIS calls haven't included the required username, causing the call to fail. I am trying to find a way in Splunk to query the absence of the cs_username field. But because the field doesn't populate in the IIS call when there's no username present, I'm stuck, so searching for a null value does nothing. I would greatly appreciate any assistance.
Hello dear community, I absolutely need your help. I have the following search which allows me to perform an availability calculation.

index=index (severity=2 OR severity=0 OR severity="-1")
| eval ID=Env+"_"+Apps+"_"+Function+"_"+varname
| addinfo
| eval periode=info_max_time-info_min_time
| transaction ID startswith=(severity=2) maxevents=2
| eval start_time=mvindex(timestamp,0), end_time=mvindex(timestamp,1)
| stats sum(duration) AS duration_indispo by Function, periode
| eval Percent_Available = round((periode-duration_indispo)*100/periode,3)
| rename Function AS "Applications"
| fillnull value=100.00
| table Applications, Percent_Available

My search calculates the unavailability of each function (application). The problem is that I have a button to select the period (previous year, previous month, previous week, etc.). I have exactly 5 functions for which I want to calculate availability, but depending on the period chosen it is possible that one or more applications do not return any result, and if I display the result on a graph then the applications without a result are not taken into account in my graph. How can I statically enter the names of my 5 functions and display the results dynamically if the result is not null, or display 100% if the result is null? fillnull value=100.00 does not work in this case.
Hello Splunkers, I am trying to ingest data using REST APIs and as a response I get an XML response in the format below.

<SampleRestAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Method>ProdList</Method>
  <Result xsi:type="xsd:collection">
    <APIList>
      <API ID="12345" Name="Test Name 1" LastDate="11/5/2020 10:22:34 AM" NextDate="1/1/0001 12:00:00 AM" Status="1" />
      <API ID="65432" Name="Test Name 2" LastDate="2/8/2021 8:47:26 AM" NextDate="2/8/2021 9:02:26 AM" Status="0" />
      <API ID="876433" Name="Test Name 3" LastDate="2/8/2021 8:35:55 AM" NextDate="2/8/2021 8:50:55 AM" Status="0" />
    </APIList>
  </Result>
</SampleRestAPI>

In the above results, there are three records returned. I would like to have these records as individual events to use in a search and create dashboards, but as of now it shows as a single event. Your help or pointers are highly appreciated. Regards, Sunil
Hello, I am trying to get the user who is accessing the dashboard and, based on that, want to decide if a dashboard panel will be displayed to him or not.

<form theme="dark">
  <search>
    <query>
      | rest /services/authentication/current-context | table email | eval master_token=email
    </query>
    <progress>
      <condition match="$master_token$==&quot;ss@gmail.com&quot;">
        <set token="access">True</set>
      </condition>
    </progress>
  </search>
  <label>Screen Time</label>

Now, no matter what email is there, the access token is always true. Can someone please help me with the right way of doing it? Also, can I use $env:user_email$ in some way here?
Hi, we have started to get the following errors on what was a working version of DB Connect v3.4.2. Would appreciate any help figuring out how to resolve this.

Unable to initialize modular input "server" defined in the app "splunk_app_db_connect": Introspecting scheme=server: Unable to run "/opt/splunk/etc/apps/splunk_app_db_connect/linux_x86_64/bin/server.sh --scheme": child failed to start: Permission denied.

Thanks
Hi Team, we are using Splunk Enterprise. We can ingest data in the two formats below:

1. JSON
2. Text like "2021-02-08 16:40:39.385 INFO [main ] com.XX.program.Sample:publishToKafka - paymentId:12344 received"

I wanted to know which one is preferred performance-wise, i.e. when doing a query against the data, which one will take less time. Thanks, santos
Hello, we are in the process of integrating Splunk ITSI with a 3rd party ticketing tool for which there is no add-on. We are planning to use REST API calls for this integration. Can someone advise which REST APIs can be used to create an incident from an Episode and to update it? Also, please advise the REST API to get the response back. Your suggestions are much appreciated. Thanks, Vj
I need to extract some fields from a JSON log. Log build-up example:

{"name":"cookie","Value":"Foo"}
{"name":"cookie","Value":"Bar"}
{"name":"cookie","Value":"Foobar"}

The problem is that I have several log lines that are all called "cookie" but have different values, and I need to extract a multivalue field "cookie" with all the different values. But not every log entry is like this; some are just one "cookie" entry. This is the regex string I've used, but then the value of the "cookie" field only contains the first cookie record from the log.

| rex field=_raw "\Sname\S{3}cookie\S{3}\w{5}\S{3}(?<h2_cookie>[\w\=\-\+\.\&\;\s]*)"
Hi Splunkers, I have a clustered environment. One of the indexers' SSL certificates expired. I created a CSR and PEM file. By submitting that CSR I got a new SSL certificate from my organization. Now I logged in to that indexer and downloaded the new SSL certificate to the same folder where my PEM key is. I went to etc/system/local and updated the web.conf file as below.

[settings]
startwebserver = 1
caCertPath = etc/auth/cert/sra-index-01-cert.pem
privKeyPath = etc/auth/cert/sra-index-01-PassKey.pem
sendStrictTransportSecurityHeader = true
enableSplunkWebSSL = true
allowSslRenegotiation = false
allowSslCompression = false

Now I need to verify whether SSL is properly applied to the Splunk server or not. When I log in to the web UI, I am not able to see the valid certificate date; it is still showing the previous expired certificate's date. How do I verify it, or am I missing anything?
Hi All, I have an issue while trying to reconcile events from 3 different sourcetypes. The events from each sourcetype below are from DB Connect, and they run every 1 hour. I tried to schedule the alert to look into events from the last 3 hours, but I get all the events instead of just the difference. I tried mvexpand as well but it didn't help much. The whole idea is to reconcile events from 3 different sourcetypes and get the result of missing SMS_RECORD values out to the team to look into.

index=month source=XYZ sourcetype=OVERDRAFT_REC1
| dedup SMS_RECORD
| eval TIMESTAMP=strftime(strptime(TIMESTAMP,"%d-%b-%y %H:%M:%S"),"%d-%m-%Y %H:%M")
| stats values(SMS_RECORD) AS IN_T1 BY TIMESTAMP
| append [ search index=month source=XYZ sourcetype=OVERDRAFT_REC2
    | dedup SMS_RECORD
    | eval TIMESTAMP=strftime(strptime(TIMESTAMP,"%Y-%m-%d %H:%M:%S.%6Q"),"%d-%m-%Y %H:%M")
    | stats values(SMS_RECORD) AS IN_I1 BY TIMESTAMP ]
| append [ search index=month source=XYZ sourcetype=OVERDRAFT_REC3
    | dedup SMS_RECORD
    | eval TIMESTAMP=strftime(strptime(TIMESTAMP,"%Y-%m-%d %H:%M:%S.%6Q"),"%d-%m-%Y %H:%M")
    | stats values(SMS_RECORD) AS IN_TXT1 BY TIMESTAMP ]
| mvexpand IN_T1
| mvexpand IN_I1
| mvexpand IN_TXT1
| stats values(IN_T1) AS T1, values(IN_I1) AS I1, values(IN_TXT1) AS TXT1 BY TIMESTAMP
| where T1!=I1 OR I1!=TXT1 OR TXT1!=T1
I have an array that is presented in an API response which is being logged in Splunk, and the array format is like this:

"Indicators": [
    "HAS_ACOUNT",
    "NON_ZERO_BALANCE_ACCOUNT",
    "JOINT_ACCOUNT",
    "NOT_EXPIRED",
    "REGISTERED"
]

The number of values within the array will not always have the same pattern, i.e. there may be responses where there are 10 values within the 'Indicators' array. Now, I want to extract the distinct values within the "Indicators" array (the values that have the text "ACCOUNT") logged in Splunk for the last 30 days from that specific API response. Could someone help me with how to get that? I wrote this, but it didn't quite capture all possible values:

index="index_name" Env=test "........./API"
| rex field=_raw "\"Indicators\"\:\[(?<planInd>[^\,]*)\]" max_match=0
| where like(planInd,"%PCP%")
| dedup planInd
| table planInd
I tried to create Splunk logging in AWS ECS Fargate but it doesn't work. Please kindly let me know what's wrong with my code below. Many thanks in advance!

$LogOptions = New-Object "System.Collections.Generic.Dictionary[System.String,System.String]"
$LogOptions.Add('splunk-url', "https://http-inputs-xxxxxx.splunkcloud.com:443")
$LogOptions.Add('splunk-token', 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx')
$LogOptions.Add('splunk-sourcetype', '_json')
$LogOptions.Add('splunk-source', 'fargate')
$LogOptions.Add('splunk-format', 'raw')
$containerLogConfiguration = New-Object -TypeName Amazon.ECS.Model.LogConfiguration
$containerLogConfiguration.LogDriver = [Amazon.ECS.LogDriver]::Splunk
$containerLogConfiguration.Options = $LogOptions