Hello Expert Team, Greetings! I am working on the integration of the Incident Management System with AppDynamics using the HTTP Request Action. In my template, I have defined the incident table URL and POST method along with the input in the JSON for creating an incident. After performing the test, it fails with a connection timeout error. I tried running the curl command from the controller and I can create an incident ticket with sample input. The only difference here is that in the curl command I am specifying the proxy details, whereas the Controller UI does not have that option. Any help or input is welcome. Thanks, Sharad
Hello, This is for Splunk Enterprise 7.2.6. I am trying to separate the time presets so that they are divided into columns of my choice. Here is what I want (on the left what I currently have, on the right what I would like to have): According to times.conf, I should be able to do this by assigning values to "order". In this case I am assigning 100, 110, 120, and 130 to the first four, and 800, 810, 820, 830, and 840 to the remaining values. I have noticed, though, that when I change the "latest_time" value for one of the values, then it gets moved to a new column. In my case the "latest_time" must always be set to "@d". Have I misunderstood something? Is there any way to get my desired result? Thank you and best regards, Andrew
Hi, Kind of a Splunk newbie here. I'm attempting to set up monitoring on user alerts with long runtimes. I logged on as the admin user and attempted to query the _audit index. Unfortunately, I'm only able to see searches whose privacy is set to either "Global" or "App". To verify that behavior, I logged on as a simple user and created a private alert. When I searched for that alert from the admin user, I couldn't find it. My current "admin" role settings only inherit from "power". My "admin" user has only "admin" as its selected role. I tried to play around with both of those settings, to no avail. Any recommendations?
After installation of Splunk Enterprise 8.0, the Splunkd service cannot restart.
<Jan 10, 2021 6:58:06 PM CST> <Info> <WorkManager> <BEA-002942> <CMM memory level becomes 0. Setting standby thread pool size to 256.> <Jan 10, 2021 6:58:06,538 PM CST> <Notice> <Log Management> <BEA-170019> <The server log file weblogic.logging.FileStreamHandler instance=1128635794
Hi guys, I'm quite new to the Alert Manager app. I'm trying to configure a notification for auto-assigned incidents, but it seems it doesn't work. On the Incident Posture dashboard new incidents are correctly assigned to the configured user, but no messages arrive from the server. If I try to change the status to resolved or closed I get an email. What am I doing wrong? Thanks for your help
Hello, Is it possible to add fields to the Windows events collected by a forwarder? I would like to add an environment variable before it is indexed. Something like:

[WinEventLog://Application]
disabled = 0
index=tiktak
whitelist=SourceName="Tiktak*"
addField=Cluster=$OM_CLUSTER_ID$

Thanks in advance
Hello Folks, I have an Autosys job that runs multiple times in a day, with a status lifecycle of Starting, Running, Success. Since I don't have anything to differentiate between each lifecycle, I need to calculate the start and end time of each instance of a job run. I tried using streamstats but am not getting the desired output.

...| streamstats reset_after="("status="SUCCESS"")" first(_time) as StartTime last(_time) as EndTime values(jobname) BY jobname

I'd appreciate it if I could get some help. Cheers
Hi, I want to merge two fields into sourcetype as below:

props.conf
[source::/path/to/folder/*]
sourcetype = coalesce(field1,field2)

So, as a result, I am getting the field sourcetype with the value "coalesce(field1,field2)". How do I solve this issue? Thanks.
When I upload an app in Splunk 8, it is not uploading and the below error is shown: There was an error processing the upload. Invalid app contents: archive contains more than one immediate subdirectory: and __MACOSX
Hi, I have around 1000 events in my indexed data. I have to create a DATE dropdown which pulls and shows all the dates of the CURRENT MONTH, the PREVIOUS 3 MONTHS AND 1 FUTURE MONTH. How do I write a query for this? P.S.: My date is not index_time/_time. It is SharePoint data which I am indexing in Splunk. Thanks in advance! Happy New Year!

Query used to fetch the DATE field (ProdDate is in yyyy-mm-dd format, e.g. 2021-01-09):

index = splunk sourcetype = splunk-sp | spath | fields m:properties_date | rename "m:properties_date" as "ProdDate" | dedup ProdDate | eval temp=split(ProdDate,"T") | eval ProdDate=mvindex(temp, 0) | table ProdDate
Hi, I want to authenticate a client (written in Python) against Splunk using mTLS. I can use splunklib.client.connect for basic auth, but it looks like it doesn't accept client-side certificates? Thank you.
Hi Team, I would like to get response time and transactions per second in one timechart graph. Kindly help with the right query to get this. Thanks
When I type in the command line (cmd, not PowerShell):

splunk search "*" -maxout 0 | find /c /v ""

I get a return of about 195k records. However, when I filter by one of the sourcetypes from one of the Splunk free tutorials, by typing:

splunk search "*" 'sourcetype=e' -maxout 0 | find /c /v ""

I still get the same result of 195k records. The "| find /c /v "" " should return only the line count, so if I filter by the sourcetype it should return around 165k records, which is the number of records associated with that sourcetype currently in my Splunk db. Can someone help me correct my syntax? I tried Google searches but none were able to give me an example, which I think is due to the fact that I do not know how the syntax should work in the first place. I am using the Windows cmd, and I plan to use the Windows cmd, not the web interface. Thanks for understanding.
Hi, Due to the recent update, "Adobe Flash Player" is not supported in any browser (Internet Explorer, Chrome, etc.). Is there any option in Splunk which works exactly the same as CA "Nimsoft"? I have found an app in Splunk which supports AS400, "Splunk for iSeries AS400". Could anyone give me more information on this app? Link: https://splunkbase.splunk.com/app/633/#/overview Thanks
Hi All, I am getting the below error whenever I am trying to set up an alert within Splunk: Argument "action.deimos" is not supported by this handler. Does anyone have any insight into this? Thanks in advance -Rohit
Hi, I have two searches:

Search 1 = index="appv" sourcetype="AppV-User" *PUT /package*
Search 2 = index="appv_latest" sourcetype=sql_appv_latest

Search 1 results:
2021-01-12 17:28:51 IP PUT /packags/version/463 - 8080 UserX Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.111+Safari/537.36 ** 200 0 0 31

Search 2 results:
2021-01-12 16:07:00.006, ID="463", PkgName="SnagIT-v2102-V1", Status="Published", TimeChanged="2021-01-13 00:06:17.1970000"

Now I need to match "463" in both the events and send out an alert. The table can be something like below:

Id    PkgName            User    Status
463   SnagIT-v2102-V1    UserX   Published

@gcusello
Hello, Here is my search output. I want to see if the count of "Down" > "Up" criteria is met. Then I can understand that the interface is still down!

index=syslog field7="nw_ra_m016_02.34bhsr" "%%01ISIS" AdjState="1" OR AdjState="3" OR AdjState="Down" OR AdjState="Up" | stats count by field7,IfName,AdjState

field7: the host
IfName: interface name
AdjState: protocol state, which is IS-IS
I have taken over a deployed Splunk with a master node, several indexers and search heads. I want to update the TLS cert for the Splunk Web we have, so I place them into the folder where they belong and want to restart splunkweb only. I run ps aux | grep "splunk" to see what user the Splunk services run under; it's splunkadmin. I navigate to $SPLUNK_HOME/bin and try running both of these:

sudo ./splunk restart splunkweb
# prompts for authentication (which I do with the administrator account I confirm exists in $SPLUNK_HOME/etc/passwd)
# gives me simple output: Can't create directory "/root/.splunk": Permission denied

sudo -u splunkadmin ./splunk restart splunkweb
# I authenticate as above and receive:
# Can't create directory "/dev/null/.splunk": Not a directory

Can you think of a different way to restart only splunkweb? And if not, can you help me figure out what the problem is here? Where do I find the logs that tell me more about the error that I get? Thank you for your time and help.
Hi, I'm trying to create a dashboard which shows various stats for a list of servers. It will pull its data from several indexes, as some of the data is stored as metrics and other data in standard indexes. I started creating the dashboard using the metric data first; that's all fine. Now I'm trying to get some data from a different index and am using a join to link it to the first. Whilst the join works, one of the fields the initial search generates, "Uptime_seconds", becomes empty. My initial query is:

| mstats latest(System.System_Up_Time) as Uptime_seconds latest(Processor.%_Processor_Time) as CPUusage latest(LogicalDisk.Free_Megabytes) as FreeDisk latest(LogicalDisk.%_Free_Space) as FreePercentSpace WHERE index=em_metrics by host

This returns everything as expected. When I add the join command, with the following query:

| mstats latest(System.System_Up_Time) as Uptime_seconds latest(Processor.%_Processor_Time) as CPUusage latest(LogicalDisk.Free_Megabytes) as FreeDisk latest(LogicalDisk.%_Free_Space) as FreePercentSpace WHERE index=em_metrics by host | join host [search index=wineventlog | stats count as EventCount by host | fields host, EventCount]

the Uptime_seconds field disappears; the column is still there in the resulting table but it's always empty. I assume something from the join subsearch is overwriting it, hence my use of the fields command to remove everything but the fields I need, but this hasn't helped. Is there something I don't understand about the join command which is removing this data? Thanks, Eddie