All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Topics

Hello Splunkers !   i wanted to visualize data on map so i used this command and it worked: index=myFirewall | stats count by src_ip | iplocation src_ip | geostats count by Country   but i want ... See more...
Hello Splunkers !   i wanted to visualize data on map so i used this command and it worked: index=myFirewall | stats count by src_ip | iplocation src_ip | geostats count by Country   but i want to show countries on map from a predefined list, so have a called "blacklisted.csv" that looks like this:   blacklisted_countries 1 country1 2 country2 3 country3 4 country4 5 country5   so i wrote a a search to combine the aforementioned search from the lookup table using this command:   index=myFirewall [ | inputlookup blacklisted.csv | search blacklisted_countries=srccountry] | stats count by src_ip | iplocation src_ip | geostats count by Country   but it didn't give me any results, please help me with it, i want a search the combines visualizing source countries with lookup tables.       Thanks
Hi Splunkers, I am trying to copy the whole text inside textarea to the clipboard when user clicks on a button. I tried implementing suggestions from stackoverflow but nothing worked. It looks like... See more...
Hi Splunkers, I am trying to copy the whole text inside textarea to the clipboard when user clicks on a button. I tried implementing suggestions from stackoverflow but nothing worked. It looks like may be i have hardcoded some text and also using run time token which might be causing issues.       <panel id="Os_details"> <html> <div> <label>Paste the following in your alerting search</label> <button id="clipboard">Copy to Clipboard</button> <textarea name="generateSearchWindow" rows="25" readonly="true" style="width:98%;margin-top:12px;color:black; text-align: left;"> $MainSearch$ | eval p_os = "$os_change_tok$" | eval p_alert_class = "$alert_class_change_tok$" | eval p_monitoring_type = "$monitoring_type_change_tok$" | eval p_monitoring_component = $monitoringComponent$ | eval p_hostname = "$hostnamePattern$" | eval search_name = "$searchName$" | eval unique_id=p_os + ":" + p_alert_class + ":" + p_monitoring_type + ":" + p_monitoring_component + ":" + p_hostname | fields - _raw | collect index=Test_monitoring_test addtime=false report_name="Test_EE_$searchName$_default" </textarea> </div> </html> </panel> </row> <row> <panel>       JS Used:-     'underscore', 'jquery', 'backbone', 'splunkjs/mvc', 'splunkjs/mvc/searchmanager', 'splunkjs/mvc/simplexml/ready!' ], function(_, $, Backbone, mvc,SearchManager) { //Find your input control and associate tool tip attribute for it. Here data-placement represents the position of tool tip(top,bottom,right,left,auto) $('#textbox1').find('input').attr('title', 'Hovering Example to be added').attr('data-toggle', 'tooltip').attr('data-placement', 'bottom'); $('#monitoringComponent').find('div').attr('title', 'TextArea example').attr('data-toggle', 'tooltip').attr('data-placement', 'bottom'); $('[data-toggle="tooltip"]').tooltip(); // Iitialize Default and Submitted Token Model. var defaultTokenModel = mvc.Components.get("default"); var submittedTokenModel = mvc.Components.get("submitted"); $("#ValidateButton").click(function() { defaultTokenModel.set("show_details","true"); submittedTokenModel.set("show_details","true"); }); var defaultTokenSpace = mvc.Components.getInstance('default'); $('textarea').parent().parent().addClass('textarea_div'); $('textarea').each(function (ta) { $(this).on('input', function(input) { defaultTokenSpace.set($(this).attr('id').replace('ta_' ,'') ,$(this).val()); }); }); document.getElementById("clipboard").onclick = function() { var copyTextarea = document.createElement("textarea"); copyTextarea.style.position = "fixed"; copyTextarea.style.opacity = "0"; copyTextarea.textContent = document.getElementById("generateSearchWindow").value; document.body.appendChild(copyTextarea); copyTextarea.select(); document.execCommand("copy"); document.body.removeChild(copyTextarea); } });     Kindly help me, what am I missing please or where should i focus more. It would be highly appreciated.
Hello i'm running this query :   index=prod sourcetype=nim tail_id="*N8*" | transaction startswith="*---- BEGIN IPTABLES ON IO CORE ----*" endswith="*---- END IPTABLES ON COMM CORE ----*" maxeve... See more...
Hello i'm running this query :   index=prod sourcetype=nim tail_id="*N8*" | transaction startswith="*---- BEGIN IPTABLES ON IO CORE ----*" endswith="*---- END IPTABLES ON COMM CORE ----*" maxevents=1100    while running the query for 11 days everything working as expected. while running for more than 11 days i see gaps in the data   any ideas why ?   thanks
Hello,   When I set up inputs "Azure Event Hub" done. I found that status "Error" as per the picture below. But I don't know the reason or error message. What Should I do?   My settings: ... See more...
Hello,   When I set up inputs "Azure Event Hub" done. I found that status "Error" as per the picture below. But I don't know the reason or error message. What Should I do?   My settings:   Last question, How to verify when setup inputs "Azure Event Hub" done and status success.    
Which config files are required to be changed for external lookup .  and What should be the content of the conf files .
I have a search query that gives the supposed following results(just an example). Name WW Name2 Result Type Value Abc 50.5 Prod Pass A 1280 Xyz 47.2 ... See more...
I have a search query that gives the supposed following results(just an example). Name WW Name2 Result Type Value Abc 50.5 Prod Pass A 1280 Xyz 47.2 Prod Pass Dr Sound Abc 51.3 Test Fail     Def 8.2 Test Fail Td Wifi Def 44.2 Prod2 Pass Gf Printer Xyz 6.2 Test1 Fail Fr Audio Abc 451 Prod1 Pass Cs Audio   now i am required to sort out the results in such a way that the top 10 results for ABC as per WW are displayed first, then top 10 results for Def as per WW and so on. Can someone help me out to see if this is possible through queries. 
https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-sort-or-reorder-a-multivalue-field/m-p/39429 I want to make this with SCPversion2, but it doesn't work. my code:   #!/usr/b... See more...
https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-sort-or-reorder-a-multivalue-field/m-p/39429 I want to make this with SCPversion2, but it doesn't work. my code:   #!/usr/bin/env python import sys from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators @Configuration() class mvsortCommand(StreamingCommand): """ sort multivalue """ def stream(self, records): self.logger.debug('mvsortCommand: %s', self) # logs command line for record in records: if isinstance(record[self.fieldnames[0]],(str)): pass else: record[self.fieldnames[0]]=sorted(record[self.fieldnames[0]]) yield record dispatch(mvsortCommand, sys.argv, sys.stdin, sys.stdout, __name__)   I think I'm not handling generators and lists correctly, but I'm not sure. Is there a good example?
Hello team,   I am trying out splunk in my dev environment and want to confugure Splunk DS  and License server on same instance.    Should i create two splunk installation directories? Also, how... See more...
Hello team,   I am trying out splunk in my dev environment and want to confugure Splunk DS  and License server on same instance.    Should i create two splunk installation directories? Also, how can i specify the separate web ports for DS and License server? Thanks Reg, SG    
Hai saya memiliki firewall yang mengirim data syslog ke HF splunk saya masalah saya adalah ketika data aliran syslog menjadi tinggi (lebih dari 130mbps), data. HF pada maksimum 150mbps (berbentuk g... See more...
Hai saya memiliki firewall yang mengirim data syslog ke HF splunk saya masalah saya adalah ketika data aliran syslog menjadi tinggi (lebih dari 130mbps), data. HF pada maksimum 150mbps (berbentuk grafik jaringan) dan peristiwa hilang tidak ada kesalahan atau log yang menunjukkan apa yang terjadi pada data atau peristiwa saya di HF, UF, Pengindeks (tidak ada antrian, bufer atau kesalahan koneksi, tidak ada kesalahan atau kesalahan peringatan splunkd.log) ada banyak Sumber Daya Hardware pada semua S p lunk Clu s ter VM: 12Core CPU (2.4Ghz) 20GB Ram dan SSD di semua splunk VMS catatan (id o nt menggunakan acara penyaringan atau proses khusus pada data di HF dalam belum, hanya data yang masuk dan ke depan)
Hi, (My Splunk Apps are installed on Linux Servers) I would like to restore logs from frozen data and read them So please I need the steps to do it.
How to when Splunk found event will alert also script. Script will send log UDP 514 that found the event to destination device   For more information I'm must send log alert for splunk to raspberry... See more...
How to when Splunk found event will alert also script. Script will send log UDP 514 that found the event to destination device   For more information I'm must send log alert for splunk to raspberry pi   Can someone please share for me?   Thank you
we are facing the below issue for searches  please advise what I can reconfigure to avoid this errors   ? 4 errors occurred while the search was executing. Therefore, search results might be inco... See more...
we are facing the below issue for searches  please advise what I can reconfigure to avoid this errors   ? 4 errors occurred while the search was executing. Therefore, search results might be incomplete.  [ilissplidx01] Events might not be returned in sub-second order due to search memory limits. See search.log for more information. Increase the value of the following limits.conf setting:[search]:max_rawsize_perchunk. [ilissplidx02] Events might not be returned in sub-second order due to search memory limits. See search.log for more information. Increase the value of the following limits.conf setting:[search]:max_rawsize_perchunk. [ilissplidx06] Events might not be returned in sub-second order due to search memory limits. See search.log for more information. Increase the value of the following limits.conf setting:[search]:max_rawsize_perchunk. [splunk@ilisspldepl01 deployment-apps]$ cat ./AM_all_indexers_tuning/local/limits.conf [default] max_mem_usage_mb = 600 # [search] #dispatch_dir_warning_size = 3500 base_max_searches = 60 # # ERROR: Events may not be returned in sub-second order due to memory pressure. max_rawsize_perchunk = 200000000 # [pdf] max_rows_per_table = 10000 # [scheduler] max_searches_perc = 100 # [join] subsearch_maxout = 500000 # [realtime] indexed_realtime_use_by_default = true [splunk@ilisspldepl01 deployment-apps]$ [ilissplidx08] Events might not be returned in sub-second order due to search memory limits. See search.log for more information. Increase the value of the following limits.conf setting:[search]:max_rawsize_perchunk. [splunk@ilissplidx01 ~]$ grep MemTotal /proc/meminfo MemTotal: 65688816 kB [splunk@ilissplidx01 ~]$ [rayar@ilissplidx08 ~]$ grep MemTotal /proc/meminfo MemTotal: 528052452 kB [rayar@ilissplidx08 ~]$
  Hello.  Thank you for reading this Due to license constrictions, we need to eliminate the Event Code 4663 based on the Message field that includes Accesses: ReadData (or ListDirectory). while re... See more...
  Hello.  Thank you for reading this Due to license constrictions, we need to eliminate the Event Code 4663 based on the Message field that includes Accesses: ReadData (or ListDirectory). while retaining the other values from the Accesses field. We are using the Splunk_TA_windows and configuring blacklist in its inputs.conf file. We have tried tried several regex but so far they either blacklist the entire Event Code 4663 or it doesn't Here is an example of the Message field: n attempt was made to access an object. Subject: Security ID: ACA\ACA_SQL_Service Account Name: ACA_SQL_Service Account Domain: ACA Logon ID: 0x1347AFBE1 Object: Object Server: Security Object Type: File Object Name: G:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn Handle ID: 0x55c Resource Attributes: Process Information: Process ID: 0x55cc8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1  
Hi Everyone, I have extracted field  name status using rex. Then I have added dropdown input in which I have all the values of status.  But data is not getting refreshed after selecting any value... See more...
Hi Everyone, I have extracted field  name status using rex. Then I have added dropdown input in which I have all the values of status.  But data is not getting refreshed after selecting any value from dropdown. Though i have tried highlighted (status = $status$ ) in base query, where another dropdown with name level is working fine. PFB snippet of my code: <form> <search id="base_search"> <query> index=abc sourcetype=xyz earliest = $earliest$ latest = now() id = $id$ level = $level$ status = $status$ | sort id asc | rex field=msg "\{\"status\"\:\s+\"(?&lt;status&gt;[^\"\}]+)" </query> </search> <fieldset submitButton="false" autoRun="false"> <input type="dropdown" token="id" searchWhenChanged="true"> <label>Request Id</label> <choice value="*">ALL</choice> <fieldForLabel>id</fieldForLabel> <fieldForValue>id</fieldForValue> <search base="base_search_filter"> <query>search | dedup id | table id</query> </search> <default>*</default> <initialValue>*</initialValue> </input> <input type="dropdown" token="status" searchWhenChanged="true"> <label>Status</label> <choice value="*">All</choice> <default>*</default> <initialValue>*</initialValue> <fieldForLabel>status</fieldForLabel> <fieldForValue>status</fieldForValue> <search base="base_search_filter"> <query> search | dedup status | table status</query> </search> </input> </fieldset> <row> <panel> <table> <search base="base_search"> <query> search | table id,  status, </query> </search> <option name="drilldown">row</option> </table> </panel> </row> </form>
Hi, I want to find the duration of time for only one sourcetype where as the other values for both the sourcetype.. stats range(_time),values(field_a) by sourcetype,field_b |search sourcetype=abc ... See more...
Hi, I want to find the duration of time for only one sourcetype where as the other values for both the sourcetype.. stats range(_time),values(field_a) by sourcetype,field_b |search sourcetype=abc The above is not helping,coz field_a value is not present in sourcetype abc,so am recieving null value . Suggestions please   
Hi  I have multiple panels and when i click on some value in one panel the other panels shouldnt be displayed so i unset all tokens. But is there a way to unset all/multiple the token in a easier w... See more...
Hi  I have multiple panels and when i click on some value in one panel the other panels shouldnt be displayed so i unset all tokens. But is there a way to unset all/multiple the token in a easier way @niketn @woodcock 
I need to fetch the value 'app_mot_auto_toyota_cars_SOA' from the below string.  I tried with the rex - rex field=_raw "[INFO ]\s[(?P<Applname>)]\s+".   But it is not working.  Can anyone please h... See more...
I need to fetch the value 'app_mot_auto_toyota_cars_SOA' from the below string.  I tried with the rex - rex field=_raw "[INFO ]\s[(?P<Applname>)]\s+".   But it is not working.  Can anyone please help me with the regex expression. > [INFO ] [app_mot_auto_toyota_cars_SOA]
I have a single value chart,who statistical date is as below <Field_name> _____________ <field_value>   Now when i click on it,the field name has to be passed as the token value to another panel... See more...
I have a single value chart,who statistical date is as below <Field_name> _____________ <field_value>   Now when i click on it,the field name has to be passed as the token value to another panel. How to make that possible. Please advice
Hi i have a firewall that send syslog data to my splunk HF my problem is that when syslog stream data go high (over than 130mbps) , HF forward data at maximum 150mbps (shaped on network graph) and ... See more...
Hi i have a firewall that send syslog data to my splunk HF my problem is that when syslog stream data go high (over than 130mbps) , HF forward data at maximum 150mbps (shaped on network graph) and events loses there is no error or log that show what happen to my data or events on HF,UF,Indexers(no queue,bufer or connection error ,no splunkd.log error or warning) there is much Hardware Resource on all Splunk Cluster VMs: 12Core CPU(2.4Ghz) 20GB of Ram and SSD in all splunk VMs note (i dont use any event filtering or special process on data in HF in yet , just data get in and forward) is there any limit ? if yes what can i do with this scenario ?
Hello, After the update to 8.1.0.1 the Export button is missing from all reports. I'm using the free license, however the Export was available before the upgrade. Thanks! NJ