
Hi, I would like to make specific index data invisible for all searches but not actually delete it from the indexer, and keep all data integrations active. Is it possible? Should I do it with Role configuration (Restrict search terms), or is there some other way? If I am using role configuration, will the user see the data if he runs index=*? Thanks
I am new to Splunk and my company has asked me to install and configure Splunk Enterprise. I read a lot of documents and searched the Answers website regarding installing the forwarder on the devices, but I didn't find the answer to the question below: What is the easiest way to install the forwarder on 1000+ hosts? These hosts include Active Directory, Linux servers, Windows servers, two different firewalls, laptops, desktop PCs, etc. Will I need an admin account for these devices? We disabled the root admin and we have a specific admin for each device. Your help is appreciated.
Splunkers, I created a simple alert and now I want to go back and edit the search. Within ALERTS, I find the alert and then click "EDIT ALERT". I don't see anywhere that shows me the original search. I don't want to have to delete the alert and recreate a new one with the proper search. I have also tried DISABLING the alert to see if I then get the option to edit the search, but I don't. Is this normal or am I missing something? I am using Splunk Cloud.
Hello, we are running a cluster of 3 SHs and 3 indexers. I'm wondering how we can restrict the indexers to ignore logs older than 30 days. I understand that it can be managed on the UF in inputs.conf by using ignoreOlderThan, but is there a way to control this from the indexer cluster level settings? Note: sorry for a basic question, but I am a beginner in Splunking. Thanks, SR
Could someone please show the difference between nomv and mvcombine with some examples? What I have seen is that both work exactly the same way, and the delim parameter in mvcombine doesn't work as expected. Thanks
Hi, I have installed the Windows forwarder on my Windows machine with the default installation, and I am receiving the event and system logs in the default main index. I have to add a logs directory, e.g. D:/App/system/logs, to my Splunk. I have added it through the CLI using ./splunk add monitor D:/App/system/logs and restarted the service, but unfortunately I am still not receiving the logs in my Splunk index. Can you please support me with the details needed to add the log directory to Splunk?
Hello, I'm struggling with sorting bar chart columns based on a time value. I have the following in my search:

```
| chart last(duration) as duration over run_id by task_id
```

and I get the following table:

| run_id | task_1 | task_2 | task_3 | task_4 |
|---|---|---|---|---|
| 1 | 14.55000000 | 1.60000000 | 11.55000000 | 1.78333333 |
| 2 | 13.93333333 | 2.73333333 | 13.55000000 | 1.91666667 |

In the stacked chart visualization, the tasks are shown from top to bottom in the order of the task columns (first task_1, then task_2, etc.). Current stacked bar chart:

```
----------------
|   | <- task_1
|   | <- task_2
|   | <- task_3
|   | <- task_4
```

I want to sort the task_id columns based on a value (start time) which I have in the initial search (pre-charting) for each of the tasks. The stacked bar chart I want to have:

```
---------------
|   | <- task with highest start time
|   | <- task_2
|   | <- task_3
|   | <- task with lowest start time
```

Is it possible to do that? Thank you!
Hi all, I have a problem with the _time field. There is a difference between the time in the event and the _time field. Like below:

Wrong Time: 12/28/20 6:34:28 AM
Correct Time: 12/27/2020 07:34:28 PM

Do you have any idea about it?
Hello, help will be very much appreciated. My Splunk index contains a field with codes and another field with names. Every event contains a code and a name. 1. I need to display all the codes that repeat more than once and have different names. For example, the result can be code 444 that appears with two names, dave and miriam. 2. Furthermore, I need to display codes that have events with two specific names. Thank you, Jacob
How do I get a list of AD groups a specific user was removed from in the last week, please? We had a Helpdesk person accidentally remove AD groups from a user far earlier than they should have, and whilst we can reinstate some memberships via user location, department knowledge, etc., there will be a lot more than that. Any ideas, please?
Hi, I want to use a condition to "show" or "hide" a panel (if there is no result):

```xml
<row depends="$panel_hide$">
  <panel id="no_result">
    <title>List</title>
    <html>
      <style>
        #clear .dashboard-panel {background: white;}
      </style>
      <center>
        <h2>No result<i class="icon-check icon-no-underline" style="font-size:100%;color:#65a637;"/></h2>
      </center>
    </html>
  </panel>
</row>
<row depends="$panel_show$">
  <panel>
    <title>List</title>
    <table>
      <search>
        <query>index=A sourcetype="B" id=* | table id name start end | sort - start</query>
        <earliest>-10m</earliest>
        <latest>now</latest>
        <sampleRatio>1</sampleRatio>
        <finalized>
          <condition match="$job.resultCount$&gt;0">
            <set token="panel_show">true</set>
          </condition>
          <condition>
            <set token="panel_hide"></set>
            <unset token="panel_show"></unset>
          </condition>
        </finalized>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
    </table>
  </panel>
</row>
```

This code is not working... It gives me both panels. What is wrong with my code? Thanks for the help.
Hi, I was trying to create a submit button in a panel based on this link: https://community.splunk.com/t5/Dashboards-Visualizations/Comprehensive-implementation-of-a-WORKING-submit-button/m-p/404125 BUT it is not working at all... Here is my XML code:

```xml
<form script="submit_button.js">
  <label>Button in panel</label>
  <row depends="$alwaysHideHTMLStyle$">
    <panel>
      <html>
        <style>
          <!-- button style -->
          #submit_button{
            width:80px !important;
          }
          #submit_button div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
            width:80px !important;
          }
          #submit_button button{
            padding: 6px 15px !important;
            border-radius: 3px !important;
            font-weight: 500 !important;
            background-color: #5cc05c !important;
            border: transparent !important;
            color: #fff !important;
          }
          #submit_button button:hover{
            background-color: #40a540 !important;
            border-color: transparent !important;
          }
        </style>
      </html>
    </panel>
  </row>
  <row depends="$tokTextFilter$">
    <panel id="test">
      <title>Create Maintenance Windows</title>
      <!-- input app -->
      <input type="dropdown" token="application_tok" searchWhenChanged="true">
        <label>Application</label>
        <fieldForLabel>app</fieldForLabel>
        <fieldForValue>app</fieldForValue>
        <search>
          <query>index=A sourcetype="B" | table tags{}.key | rex field=tags{}.key "\[env\]\:(?&lt;env&gt;\S+)|\[app\]\:(?&lt;app&gt;\S+)" | search app!="" | fields app | dedup app | sort app</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <change>
          <condition match="isnotnull($value$) AND $value$!=&quot;&quot;">
            <set token="tokTextFilter">$value$</set>
          </condition>
        </change>
      </input>
      <!-- input env -->
      <input type="dropdown" token="environment_tok" searchWhenChanged="true">
        <label>Environment</label>
        <fieldForLabel>env</fieldForLabel>
        <fieldForValue>env</fieldForValue>
        <search>
          <query>index=A sourcetype="B" | table tags{}.key | rex field=tags{}.key "\[env\]\:(?&lt;env&gt;\S+)|\[app\]\:(?&lt;app&gt;\S+)" | search app=$application_tok$ | fields env | dedup env | sort env</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <change>
          <condition match="isnotnull($value$) AND $value$!=&quot;&quot;">
            <set token="tokTextFilter">$value$</set>
          </condition>
        </change>
      </input>
      <!-- input text 1 -->
      <input type="text" token="start" searchWhenChanged="false">
        <label>Start Time (yyyy-mm-dd HH:MM)</label>
        <change>
          <condition match="isnotnull($value$) AND $value$!=&quot;&quot;">
            <set token="tokTextFilter">$value$</set>
          </condition>
        </change>
      </input>
      <!-- input text 2 -->
      <input type="text" token="end" searchWhenChanged="false">
        <label>End Time (yyyy-mm-dd HH:MM)</label>
        <change>
          <condition match="isnotnull($value$) AND $value$!=&quot;&quot;">
            <set token="tokTextFilter">$value$</set>
          </condition>
        </change>
      </input>
      <!-- input button -->
      <input type="link" id="submit_button">
        <label></label>
        <choice value="submit">Submit</choice>
      </input>
      <table>
        <search>
          <!-- my search with both js tokens -->
          <query>| inputlookup my_lookup.csv | head 5 | append [| makeresults | eval Application="$application_tok$", Environment="$environment_tok$", Start="$start_id$", End="$end_id$"] | fields - _time | table Application Environment Start End | outputlookup append=true my_lookup.csv | sort Start</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <unset token="form.start"></unset>
            <unset token="form.end"></unset>
            <unset token="form.application_tok"></unset>
            <unset token="form.environment_tok"></unset>
          </done>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
```

Here is my JS code:

```javascript
require([
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/simplexml/ready!'
], function($, mvc){
    var submittedTokens = mvc.Components.get("submitted");
    $("#submit_button").click(function(){
        submittedTokens.set("start_id", submittedTokens.get("start"));
        submittedTokens.set("end_id", submittedTokens.get("end"));
    });
});
```

Can you help me see what is wrong? Thanks a lot.
How to detect a Trust license when an internet connection is not available? Do you know how to detect a Share license of the Crack type?
I want to use the whois lookup with clientip, but I can't get any information with a command like the following:

```
... | lookup whois host as client_ip | table _time, client_ip, asn_cidr, network.name, whois_server, path, user_id, status_code
```

The following error appears in the search log. Does anyone know the cause of this error?

```
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host': Exception in thread ping_lookup:
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host': Traceback (most recent call last):
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':   File "C:\Program Files\Splunk\Python-3.7\lib\threading.py", line 926, in _bootstrap_inner
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':     self.run()
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':   File "C:\Program Files\Splunk\Python-3.7\lib\threading.py", line 870, in run
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':     self._target(*self._args, **self._kwargs)
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':   File "C:\Program Files\Splunk\etc\apps\network_tools\bin\network_tools_app\custom_lookup.py", line 253, in do_lookup
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':     self.execute_lookup(result, w, fieldnames)
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':   File "C:\Program Files\Splunk\etc\apps\network_tools\bin\network_tools_app\custom_lookup.py", line 210, in execute_lookup
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':     output = self.do_lookup(**keyword_arguments)
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':   File "C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py", line 55, in do_lookup
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':     index = get_default_index()
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':   File "C:\Program Files\Splunk\etc\apps\network_tools\bin\network_tools_app\__init__.py", line 133, in get_default_index
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':     app_config = get_app_config(session_key)
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':   File "C:\Program Files\Splunk\etc\apps\network_tools\bin\network_tools_app\__init__.py", line 106, in get_app_config
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host':     conf = ConfigParser.SafeConfigParser()
12-27-2020 15:52:21.672 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\etc\apps\network_tools\bin\whois_lookup.py host': AttributeError: type object 'ConfigParser' has no attribute 'SafeConfigParser'
```
```
Dec 27 01:47:46 pvlpfSense01 unbound: [91480:1] info: resolving acceptor.mcafee-mvision-mobile[.]com. A IN
Dec 27 01:47:46 pvlpfSense01 unbound: [91480:0] info: resolving ns-1608.awsdns-09[.]co[.]uk. AAAA IN
```

Above I have included 2 separate events. Note: I added brackets for sanitization in this post; the real events have no square brackets. These are from a DNS resolver. I've been using a Splunk app I've modified to handle extraction of fields. The current stanza in props.conf is:

```
EXTRACT-queries = info: resolving (?P<query>(?:.[^\.\s]+)*)\.\s(?P<query_type>\S+)
```

I've also tried:

```
EXTRACT-queries = info: resolving (?P<query>[\S?]+)\.\s(?P<query_type>\S+)
```

Both of these work fine when tested outside Splunk, but have strange behaviour when used in Splunk. This is annoyingly including the ending period in the query field, which I specifically wrote the regex to exclude:

```
query = "acceptor.mcafee-mvision-mobile[.]com.", query_type = "A"
query = "ns-1608.awsdns-09[.]co[.]uk.", query_type = "AAAA"
```

I'm no Splunk expert nor am I a regex expert, but I don't see how the match for the query group is including the last period after the TLD. Any help or suggestions would be appreciated. I think I've given enough info, but if you need more let me know.
Hi! I am trying to explore Dash Studio. I was able to click on the Add button to get a new default dashboard entry created. However, I am not able to make any changes to it as there is no edit button/properties there. Am I missing something?

^ Edited by @Ryan.Paredez to alter the title for easier searching and identification of content.
Hi Splunkees, suppose I have this event time. Where can I find out what time zone my search head is reporting in, so that I can convert it to my local time (US Pacific Standard)? I am using Splunk Cloud.
Hello, I have this query that works to exclude IP 5.5.5.5 from the list:

```
index=blah event.ts_detail=*blahblah* event.src_ip!=5.5.5.5
```

Now I want to also exclude 5.5.5.6. What would I append to the syntax to accomplish this? Basically, if event.src_ip is 5.5.5.5 OR 5.5.5.6, I don't want it to trigger this alert.
I would like to predict when a task is going to be completed and present that as a forecast graph. Here is what I have got so far:

```
<<my search>> | timechart span=1d count(path) as path | predict path
```

I am getting an average count of 10000 per day, and the goal of my task is to reach 100000 (as an example). Basic math shows it would take 100000/10000 = 10 days, but is there a way I can show that in a Splunk chart? --Sunray