What would be considered the Splunk best practice when managing multiple deployment servers in different locations that also act as log collectors, while wanting to keep configurations on each as consistent as possible? Would it be a tiered deployment setup, utilizing /opt/splunk/etc/apps/ as the repositoryLocation in the serverclass deployed out to the HF/DS systems and also using this serverclass.conf to deploy out to Universal Forwarders that check into them, and then controlling which apps are enabled/disabled when they're distributed to those DS's on a central, top-tier DS? Or does Splunk recommend that something like Ansible or a similar technology be introduced to do this type of configuration deployment?
Hi, I have a query that is giving me results in around 60-70 seconds. I want to reduce the time; it seems the NOT is taking more time, and my search is parsing for around 35-40 seconds. Please help me optimize the query below so that it will run within 30 seconds.

index=syslogs earliest=-5m | fields _time host SYSLOG_mne SYSLOG_message | rename host as device_ip | dedup device_ip | search NOT [| inputlookup my_devices_lookup | dedup device_ip | table device_ip] | fields _time device_ip SYSLOG_mne SYSLOG_message | stats values(device_ip) by _time SYSLOG_mne SYSLOG_message
I can test \\[\w]+\\[\w]+\\(?<File_Path>.+) or simply \\\w+\\\w+\\(?<File_Path>.+) in Rex101 and it works fine. In Splunk,

| rex field=_raw "\[\w]+\[\w]+\(?<File_Path>.+)"

I get "Regex: unmatched closing parenthesis". What would be the proper way to escape the backslashes in Splunk? I have searched for examples but found no definitive answers.

Raw data:

Application Information:
Process ID: 3160
Application Name: \device\harddiskvolume4\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
Network Information:
Direction: Outbound

I just want the output to be: program files\common files\microsoft shared\clicktorun\officeclicktorun.exe in this example.
I am using the following eval command. I want the Type column to pick up both the sources.

index=xyz (source=smf015 OR source=smf014) | stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN | eval Type= case(source=smf014,Input,source=smf015,Output, (source=smf015 and source=smf014),Both) | table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type

I would appreciate the help.
I am trying to figure out why the output values are not showing up in my pie chart. I would eventually like to graph at least 12 values in this pie chart but can't even chart 2. Any thoughts?

| rename errors_stc as Errors, messages_stc as Messages, linecount as Size | stats count(Size),count(Errors),count(Messages)

Thank you in advance!
Hi, I have the two columns below in a table, and I want to change the cell color of "SAP" according to the column value in "SAP_Color", without CSS and JS. I really need to do this; any help will be much appreciated.

SAP SAP_Color
243 y
175 y
55 g
162 g
272 g
108 g
88 g
13 r
43 g
Hi, my issue is that I created 2 HTML inputs and I did not find a way to clear the value selected before.

<html>
<div class="dateContainer">
<div class="dateInput">
<label>From :</label>
<input id="start" type="datetime-local" searchWhenChanged="true"/>
<label>To :</label>
<input id="end" type="datetime-local" searchWhenChanged="true"/>
</div>
</div>
</html>

I tried this:

<change>
<condition match="isnotnull($value$) AND $value$!=&quot;&quot;">
</condition>
</change>

but it did not change anything. Can someone help please? Thanks.
We are using https://splunkbase.splunk.com/app/4460/ to generate a heat-map visualization. This app supports only 4 colors for the various severities - Legend: Low/Medium/High/Critical. We want to have the capability to extend this to support multiple colors and multiple severities on a custom basis. This app is developed by a third party. We want Splunk to support this or a similar app and extend it to support multiple legend options instead of the current 4.
Hi guys! I want to filter data out on my forwarder by using a regular expression in transforms.conf. The strange thing is that it only works partially, but my regex itself is, or should be, fine.

transforms.conf

[deleteAdvertisingTracking]
REGEX=(\t)hostname=.*(adnxs|doubleclick|adsafeprotected|pubmatic|xiti|smartadserver|lijit|ads\.yahoo|insurads)\.(com|net)
DEST_KEY = queue
FORMAT = nullQueue

[deleteShopping]
REGEX=(\t)hostname=.*(amazon|ebay)\.(com|net)
DEST_KEY = queue
FORMAT = nullQueue

props.conf

[STANZA_NAME]
TRANSFORMS-DeleteStuff = deleteAdvertisingTracking,deleteShopping

The second stanza named "deleteShopping" works just fine, but not the first. I could observe that it stopped working with 3 or more substrings (e.g. adnxs|doubleclick|adsafeprotected|pubmatic) in the regex. I've tried adding "LOOKAHEAD = 65535" but that didn't help. Of course I restarted the forwarder after the changes. Do you have any idea what's going wrong? I'm using Splunk v8.1.1.
Hi, I would like to set up a query to reflect the Apdex index of an application's performance. https://en.wikipedia.org/wiki/Apdex#:~:text=Apdex%20(Application%20Performance%20Index)%20is,measured%20performance%20meets%20user%20expectations. I am not able to translate the documentation into a proper query - any idea?

SELECT sum((count(userExperience=Normal)+ count(userExperience=NORMAL)+count(userExperience=SLOW))* 0.5+ count(count(userExperience=VERY SLOW)+count(userExperience=Stall))/count(userExperience) FROM transactions WHERE application = "appname"

BR, Reto
Hi everyone, how can I set up multiple sourcetypes for a single log file? I have a Cisco FTD firewall, so I have installed a few apps which need multiple sourcetypes like this:

cisco:asa
cisco:ftd
cisco:estreamer

Any help is really appreciated! Thank you!
Hi, I would like to create a Dashboard Events widget but I only want to have visible critical events while they are open. Is this possible? Thanks Eddie
I have a field as abc=1\,2\,3\,4\,5\, and I need to remove the backslashes and have a multivalue field like abc=1,2,3,4,5. How do I do this? Please help.
Hi, I have a set of logs from my application instance in which every 4th line gives the exact error, for example:

Application server error:
        Date 2021/01/11 23:08:11:
        Pid 282606
        Connection from 127.0.0.1:57039 broken.
        Partner exited unexpectedly.
Application server info:
         2021/01/11 23:08:11 pid 263050 completed .000s 0+0us 0+0io 0+0net 9852k 0pf
Application server error:
         Date 2020/12/16 23:33:12:
         Pid 130563
        Connection from 127.0.0.1:39175 broken.
        TCP send failed.
         write: socket: Broken pipe
Application server info:
           2020/12/16 23:33:12 pid 130902 completed .026s 20+6us 0+0io 0+0net 11652k 0pf

I should match for the string "Application server error:", and the 4th line from this match gives me the exact issue, like "Partner exited unexpectedly." and "TCP send failed." First I should match the strings from the 4th line and negate a few errors which are prone to occur, like "TCP send failed.", but send an alert only if other errors are there. How do I achieve this? Any help is highly appreciated.

Thanks,
Hello Everyone! I have a use case to receive the year(s) and/or quarter(s) as inputs from the user and calculate the reports with a date field based on them in the Splunk dashboard. For example,

Year input multiselect dropdown: y1, y2, y3, y4, y5 (current year)
Quarter input multiselect dropdown: q1, q2, q3, q4
Let the date field be d1
Let the values of the x-axis be a1, a2, a3, a4, ...
Let the calculated values of the y-axis be b1, b2, b3, b4, ...

Input Selection Scenario 1: If the user selects y2, y3 and y5, then the report should have three columns for each value of the x-axis, with one column for each selected year, with the values of d1 falling within the respective year.

x-axis    y-axis - Expected Output Columns
a1        y2 - calculated value where d1 falls within y2
          y3 - calculated value where d1 falls within y3
          y5 - calculated value where d1 falls within y5
a2        y2
          y3
          y5
a3 ...

Input Selection Scenario 2: If the user selects y2, y3, y5, q1, q2, q3, then the report should ideally have 9 columns for each value of the x-axis, with one column for each selected year and quarter combination, with the values of d1 falling within the respective year and quarter combination.

x-axis    y-axis - Expected Output Columns
a1        y2, q1 - calculated value where d1 falls within q1 of y2
          y2, q2 - calculated value where d1 falls within q2 of y2
          y2, q3 - calculated value where d1 falls within q3 of y2
          y3, q1 - calculated value where d1 falls within q1 of y3
          y3, q2 - calculated value where d1 falls within q2 of y3
          y3, q3 - calculated value where d1 falls within q3 of y3
          y5, q1 - calculated value where d1 falls within q1 of y5 (as y5 is the current year, we have data only for q1)
a2        y2, q1
          y2, q2
          y2, q3
          y3, q1
          y3, q2
          y3, q3
          y5, q1
a3 ...

Input Selection Scenario 3: If the user selects q1, q3 and q5, then the report should ideally have three columns for each value of the x-axis, with one column for each selected quarter, with the values of d1 falling within the respective quarter for the current year.

x-axis    y-axis - Expected Output Columns
a1        q1 - calculated value where d1 falls within q1 of y5 (as y5 is the current year, we have data only for q1)
a2        q1
a3 ...

Can you please help me on how to receive the inputs, calculate the earliest and latest for the input combinations dynamically, and display the columns based on the input selection? Thank you in advance.
Hi All, I've been putting together a demo dashboard as part of a blog post I'm writing, showing how to use Elastic Beat (Heartbeat and Metricbeat) agents with Splunk. Currently this shows how many apps are up/down, how many VMs are up/down, etc.; this mainly relies upon the Status Indicator viz. But I'm wondering if anybody could assist with some styling. By default Status Indicator outputs as follows:

Default style

I'm looking to present it stacked, like this:

Is this possible? This was butchered together using Paint, but hopefully it gives the idea. I'd have several of these in a row (Apps, VMs, Network Interfaces, APs, etc.). The dashboard viz code is as follows:

<viz id="app_panel" type="status_indicator_app.status_indicator">
<title>APPLICATIONS:</title>
<search>
<query>`beats_http_icmp_macro` | where monitor_tags in ("app", "media") | stats latest(monitor_name) as name latest(monitor_status) as status BY monitor_name, monitor_type | stats count(name) as " UP" sum(eval(if(status=="down",1,0))) as " DOWN" | eval fn = "value" | transpose column_name="category" header_field=fn | eval color = if(category==" UP", "#006d9c", "#dc4e41") | eval icon = if(category==" UP", "cloud", "times-circle") | sort category | stats last(value) as value last(icon) as icon last(color) as color by category</query>
<earliest>$time_field.earliest$</earliest>
<latest>$time_field.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="height">144</option>
<option name="refresh.display">progressbar</option>
<option name="status_indicator_app.status_indicator.colorBy">field_value</option>
<option name="status_indicator_app.status_indicator.fillTarget">text</option>
<option name="status_indicator_app.status_indicator.fixIcon">cloud</option>
<option name="status_indicator_app.status_indicator.icon">field_value</option>
<option name="status_indicator_app.status_indicator.precision">0</option>
<option name="status_indicator_app.status_indicator.showOption">1</option>
<option name="status_indicator_app.status_indicator.staticColor">#555</option>
<option name="status_indicator_app.status_indicator.useColors">true</option>
<option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
<option name="trellis.enabled">1</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">small</option>
<option name="trellis.splitBy">category</option>
</viz>

Many Thanks
Hello, I'm having trouble figuring out how to properly set up JMS Modular Inputs in Splunk Enterprise (8.0.6). Here is what I've done so far:

- Installation of the app (https://splunkbase.splunk.com/app/1317/) into my Indexer server. Got the app and the libs correctly installed, in etc/apps/jms_ta/bin/lib
- Adding the following IBM jars into the previous /lib directory:
  com.ibm.mq.allclient-9.0.4.jar
  fscontext-4.4.2.jar
  providerutil-1.2.1.jar
- Restart Indexer
- Got the BaboonBones activation key
- Access to Data Inputs to create a JMS Messaging endpoint

Then I started to fill in the required settings parameters. However, I don't really know what to fill in for "JNDI Initial Context Factory Name" and "JNDI Provider URL" (I have the IP address and port of the MQ server, but don't know the exact syntax for this). As for the JNDI Initial Context Factory Name, I've tried to follow the documentation on the IBM side, but all the classes I've tried to use ended up with NoClassDefFound or other errors. Could anyone please guide me step by step on how to properly set up this module? What am I missing? Thank you.
Hello Splunk community! For a few days I have been trying to adjust the output JSON file of the AWS SNS alert. The alert template for the AWS SNS alert gives me only a specific set of fields I can "export" into the AWS bucket as a JSON file (to the AWS topic). But I would like to enter more fields manually. I have already tried to adjust the .py files on the server itself, but I would like to use a self-defined JSON format. The search used contains all the needed fields, but they are not used by the .py script for sending the alert to AWS. Does anyone have an idea, or has anyone already had the same question? Thanks a lot and happy splunking
I have a Java exceptions table in a dashboard and I would like to invoke Jira REST API calls per row to find out if a Jira defect already exists for the exception. So, is it possible to invoke a REST API per table event and render the result in a Splunk dashboard?
I have a requirement where I have to show a pie chart which shows pending/opened/assigned service requests from last Feb till now, but the time span should be 40, as well as which services are older than 80 days; those will come in the ">80" legend. Like in this way only (0-40, 40-80, >80).

My search query is:

index a | table a b c d [a b c d stands for a=user, b=date, c=service request number and d=days] | chart count(c) by d span=40

My output:

days        count(number)
0-40        3111
40-80       2252
80-120      478
120-160     2757

But I want my output in this manner:

days        count(number)
0-40        3111
40-80       2252
>80         3235 (478+2757)

Is it possible to get my desired output in the pie chart? Please give me an example with a search query if we can do that.