Hello members, I'm facing an issue with index clustering and indexer peers. One of the peers has the addingbatch status and after a while it goes up, then returns to batchadding. The other peer goes up and after a while goes pending, then goes up again. I can't figure out why this occurs; can anyone help? This picture shows the problem.
Hello. I was wondering whether a multi-factor authentication scenario for browser tests can be configured on the Splunk Observability platform. For example, when using a time-based one-time password (TOTP), a secret key or QR code is generated and configured in the test environment. The secret key or QR code is set as a global variable, which allows the authentication code to be generated automatically during the test. With the Datadog product, you can create a global variable and enter the secret key, or upload a QR code from the authentication provider. With the Splunk product, can we create a global variable for entering the secret key or uploading a QR code from the authentication provider?
Hi Community, How can I access a TI provider's API from Splunk Cloud if the provider has whitelisted IPs but Splunk Cloud's IP is not static?  
Hello guys, I am quite new to the topic so I really need your help ^_^. I am ingesting Zscaler logs into a Splunk Cloud instance using a heavy forwarder and TCP inputs. As the volume of AUTH logs is huge, we want to filter logs by limiting them on the following conditions: if one user is logging in to one application today, all following logs for this user logging in to that application on this specific day (month/date/year) would be discarded, and we would start ingesting again the next day using the same conditions. I hope this is pretty clear. I know that this can be done in props.conf and transforms.conf, but I am not sure how I should build the string. Thank you in advance.
Trying to use Splunk Cloud, I get "The connection has timed out. An error occurred during a connection to prd-p-xauy6.splunkcloud.com." It seems to be an SSL cert error because of strict checking. Is there a solution?
Splunk add-on for Google Cloud Platform: how do I add logs / a new input to get Kubernetes Pod Status? What are the steps? How do I add a new input to get Kubernetes Pod Status (highlighted below in the GCP picture of Pods) into Splunk?
Hello, I have a table with several fields that I display in a dashboard. One column is from the violation_details field, which contains XML data. Note that I don't want to parse anything from this field, because depending on the violations the tags won't be the same. Here is an example of a value for this field:

<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>58f7c3e96a0c279b-7e3f5f28b0000040</block><alarm>5cf7c3e97b0c6fdb-7e3f5f28b0000040</alarm><learn>5cf2c1e9730c2f5b-3d3c000830000000</learn><staging>0-0</staging></violation_masks><response_violations><violation><viol_index>56</viol_index><viol_name>VIOL_HTTP_RESPONSE_STATUS</viol_name><response_code>500</response_code></violation></response_violations></BAD_MSG>

How could I make this more readable, like this:

<?xml version='1.0' encoding='UTF-8'?>
<BAD_MSG>
  <violation_masks>
    <block>58f7c3e96a0c279b-7e3f5f28b0000040</block>
    <alarm>5cf7c3e97b0c6fdb-7e3f5f28b0000040</alarm>
    <learn>5cf2c1e9730c2f5b-3d3c000830000000</learn>
    <staging>0-0</staging>
  </violation_masks>
  <response_violations>
    <violation>
      <viol_index>56</viol_index>
      <viol_name>VIOL_HTTP_RESPONSE_STATUS</viol_name>
      <response_code>500</response_code>
    </violation>
  </response_violations>
</BAD_MSG>

I've seen the post "XML-to-display-in-a-proper-format-with-tag", but it seems to use a deprecated method. Is there a better way?
How can I check whether apps/add-ons running in Splunk Cloud depend on Python versions < 3.9?
Hi Team, as per a business requirement, I need to get the below details from the same AutoSys batch, with the corresponding outputs displayed on a single row in a table:
1. Last execution time
2. Execution time of a specific search keyword, i.e., "Completed invokexPressionJob and obtained queue id ::"
3. Number of times the "ERROR" keyword is present

index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>"
| stats latest(_time) as latest_time
| convert ctime(latest_time)
| append [search index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>" | search "Completed invokexPressionJob and obtained queue id ::" | stats latest(_time) as last_success_time | convert ctime(last_success_time)]
| append [search index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>" | rex field=_raw "\s(?P<level>[^\/]+)\s\[main\]" | stats count(level) by level | WHERE level IN ("ERROR")]
| append [| makeresults | eval job_name="Print Job"]
| table latest_time last_success_time count(level) job_name
| stats list(*) as *

The above query works fine. From a query performance perspective, am I achieving the output the right way? Is there any better way to achieve it? I ask because I need to apply a similar query to 10 other batch jobs inside the Splunk dashboard. Kindly suggest!!
My apologies for such a noob question. I literally got dropped into a Splunk environment and I know little to nothing about it. I have an index (foo as an example) and I'm told it's based on Oracle audit logs. However, the index was built for us by the admin, and all I get is blank looks when I ask what exactly is IN the index. So my question is: how can I interrogate the index to find out what is in it? I ran across these commands:

| metadata type=sourcetypes index="foo"
| metadata type=hosts index="foo"

This is a start, so now I have some sourcetype "keywords" (is that right?) and I can see some hosts. But I suspect that's just the tip of the iceberg, as it were, given the index itself is pretty darn big. I'm an Oracle guy, and if I wanted to get familiar with an Oracle structure I would start by looking at the table structures, noting the fields in all the tables, and getting a diagram if one was available. I don't have that option here. I don't have the rights to "manage" the index or even create my own. So I have an index and no real clue as to what is in it...
Hello, I just upgraded my Splunk Enterprise from 9.2.1 to 9.2.2, and I saw that the OpenSSL used is version 1.0.2zj. This version is vulnerable to the CVE-2024-5535 critical vulnerability. Is there a future patch for Splunk Enterprise 9.2.x which upgrades the embedded OpenSSL? Best regards, LAIRES Jordan
Good day, I have a query to check my Entra logs to see which Conditional Access policies get hit. It returns results like this, but I would like it to display only the policies that were success or applied, and not the ones that were not applied.

CA            CAName
success       CA-Office-MFA
failure       CA-Signin-LocationBased
failure       CA-HybridJoined

notApplied    CA-Office-MFA
success       CA-Signin-LocationBased
failure       CA-HybridJoined

notApplied    CA-Office-MFA
success       CA-Signin-LocationBased
success       CA-HybridJoined

What I want instead:

success       CA-Office-MFA
failure       CA-Signin-LocationBased
failure       CA-HybridJoined

success       CA-Signin-LocationBased
success       CA-HybridJoined

success       CA-Signin-LocationBased
failure       CA-HybridJoined

index=db_azure_entraid sourcetype="azure:monitor:aad" command="Sign-in activity" category=SignInLogs "properties.clientAppUsed"!=null NOT app="Windows Sign In"
| spath "properties.appliedConditionalAccessPolicies{}.result"
| search "properties.appliedConditionalAccessPolicies{}.result"=notApplied
| rename "properties.appliedConditionalAccessPolicies{}.result" as CA
| rename "properties.appliedConditionalAccessPolicies{}.displayName" as CAName
| dedup CA
| table CA CAName
We are developing a Splunk app that uses an authenticated external API. In order to support the Cloud Platform, we need to pass the manual check for the cloud tag, but the following error occurred and we couldn't pass.

================
[ manual_check ] check_for_secret_disclosure - Check for passwords and secrets.
details: [ FAILED ] key1 value is being passed in the url which gets exposed in the network. Kindly add sensitive data in the headers to make the network communications secure.
================

Code:
req = urllib.request.Request(f"https://api.docodoco.jp/v6/search?key1={self.apikeys['apikey1']}...
req.add_header('Authorization', self.apikeys['apikey2'])

We understand that confidential information should not be transmitted via HTTP headers or POST and should not be included in URLs. Since "key1" is not confidential information, we believe there should be no issue with including it in the URL. Due to the external API's specifications, "key1" must always be included in the URL, so we are looking for a way to pass this manual check. For example, if there is a support desk, we would like to explain that there is no issue with the part flagged in the manual check. Does anyone know of such a support channel? Alternatively, if there is a way to provide additional information to the reviewers conducting this manual review, we would like to know (for example, adding comments to the source code, etc.).
Hi all, I am trying to pantag search results to a dynamic address group, but I am getting the below error. Please help if anyone has come across the same. External search command 'pantag' returned error code 2. Script output = "ERROR URLError: code: 401 reason: Key Expired: LUFR...dHc9 has expired."
When we try to run a report on the deployment server to get the hosts that are reporting to Splunk, it gives the below error: "Unable to determine response format from HTTP Header. Connection failed with Read Timeout. The REST request on the endpoint URI /services/deployment/server/clients?count=0 returned HTTP 'status not OK': code=502, Read Timeout." Can anyone please suggest a workaround?
Hi all, I tried to use this visualization to display a process tree and it runs, but I have an issue: some leaves of the tree aren't displayed. I have only around 1,900 rows, so I haven't hit the limit of 250,000 rows, nor the limit of 1,000 levels, because I have at most 5 levels. What could the issue be? Thank you for your help. Ciao. Giuseppe
Hi, I found this 2011 chat "72798" on Splunk about "considering adding the concept of a 'search head user account' on the indexer to allow the indexer administrator to restrict what the search head can do". Does anybody know if this is somehow available or doable in 2024? My case is that I need a standalone search head with access to a subset of all indexes in the cluster, but at the same time full control of the search head (Splunk admin capabilities, except changes to the searchable index list). The aim is to separate the SH so it can be managed by a third party.
Question 1: The last column is longer than the others, which is not aesthetic. I know I can adjust the height by editing the "<option name="height">" label, but the returned data changes all the time. If I set it "too high", it looks weird. I want to solve two problems. 1. Don't show the "web scroll", meaning the height automatically adjusts to accommodate my column data no matter how much data I have. 2. I want every column to share the space evenly. Question 2: If my event is too short, it looks too small and narrow. It's also not aesthetic. Can I define a "minimum bar chart or a circle" myself (like what I drew on the image)?
Hi, can anyone please advise on the search query to find out the overall health status of VMware using the metric log?
Index: vmware_metric
SPL:
| mstats avg("vsphere.usage") prestats=true WHERE "index"="vmware-metrics" AND "host"="system1.local" AND ("host"="system2" OR "uuid"="12457896") span=10s
| timechart avg("vsphere.vm.cpu.usage") AS Avg span=10s
| fields - _span*
Hi all, I am a bit of a newbie here, and am trying to set up HEC on Splunk Cloud; however, the URL I created following the event collector documentation (https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/Data/UsetheHTTPEventCollector) doesn't appear to be working. Looking at the HEC dashboard, occasionally there is some activity showing, but it tells me the URL is incorrect. I have tried numerous changes to the URL and followed tons of advice on here, but nothing appears to be working. I am clearly missing something and would really appreciate some guidance. https://http-inputs-myhostname.splunkcloud.com:443//services/collector/event/authorisationheader I have tried replacing event with raw and changed the port, although I am using a Splunk Cloud Platform instance rather than a free trial. I have removed SSL and re-enabled it. I would be very grateful for any advice and support here. Thank you