How do I remove the Security Essentials app? Just remove the directory from apps/ on the search head?
We are looking for a 32-bit version of the Splunk UF agent for Debian OS, which we did not find in the Splunk portal. Is there any binary for the same, or is there any way we can monitor 32-bit Debian OS performance counters? Please suggest or provide the link to download the binaries.
Hi, I have to display on a dashboard the content of a lookup which is sometimes empty and so shows the message "no result found". My query is:

index=A sourcetype="B" id=* | table id name | outputlookup example.csv

How can I modify this message?
Hi, have you tried to do something like this? I need to calculate the duration and then calculate a % availability line chart (timechart). I could do it with 2 consecutive months but it is not a good solution.

Input:
begin        end
2020-03-06   2020-07-06

Expected output:
begin        end
2020-03-06   2020-03-31
2020-04-01   2020-04-30
2020-05-01   2020-05-31
2020-06-01   2020-06-30
2020-07-01   2020-07-06

Thanks in advance.

| makeresults
| eval begin="2020-01-15", end="2020-01-30", id="111"
| makemv delim="," id
| makemv delim="," begin
| makemv delim="," end
| append [| makeresults | eval begin="2020-02-15", end="2020-02-28", id="111" | makemv delim="," id | makemv delim="," begin | makemv delim="," end]
| append [| makeresults | eval begin="2020-03-06", end="2020-07-06", id="111" | makemv delim="," id | makemv delim="," begin | makemv delim="," end]
| append [| makeresults | eval begin="2020-10-15", end="2020-10-30", id="111" | makemv delim="," id | makemv delim="," begin | makemv delim="," end]
| append [| makeresults | eval begin="2020-12-15", end="2020-12-30", id="111" | makemv delim="," id | makemv delim="," begin | makemv delim="," end]
| eval begin_m=substr(begin,6,2), end_m=substr(end,6,2)
| eval x=if('begin_m' != 'end_m', 1, 0)
| where x==1
| fields - begin_m end_m x
| eval end_unix=strptime(end,"%Y-%m-%d")
| eval begin_unix=strptime(begin,"%Y-%m-%d")
| eval begin_new=strftime(relative_time(begin_unix,"+1mon@mon"), "%Y-%m-%d %H:%M:%S+%2Q")
| eval end_new=strftime(relative_time(begin_unix,"+1mon@mon-1second@second"), "%Y-%m-%d %H:%M:%S+%2Q")
| eval end=mvappend(end,end_new), begin=mvappend(begin,begin_new)
| mvexpand end
| mvexpand begin
| eval begin_m=substr(begin,6,2), end_m=substr(end,6,2)
| eval x=if('begin_m' != 'end_m', 1, 0)
| where x!=1
| fields - begin_m begin_new begin_unix end_m end_new end_unix
| eval end_unix=strptime(end,"%Y-%m-%d")
| eval begin_unix=strptime(begin,"%Y-%m-%d")
| eval duration_d=round((end_unix-begin_unix)/(3600*24),2)
| fields - end_unix begin_unix
Hi, I have 2 problems on my dashboard, which is like this. The goal of this dashboard is that a user can create maintenance windows. He must enter several values present at the input level and send everything to the csv using the "submit" button.

First problem: the "submit" button must be included in the panel because I have another panel on the same dashboard with the same principle but for the removal of the maintenance window. However Splunk has a limit with the "submit" button, which natively cannot be included in a panel... So I looked and found this use case (https://community.splunk.com/t5/Dashboards-Visualizations/Submit-button-per-panel-in-Simple-XML/m-p/245532#M15281) which gives a .js script, but after applying it in my app, I find that it does not work. Actually I don't know how to make the button.js work... (the button.js has the code found in the link above). Here is my xml:

<form script="button.js,multiselect_force_default.js">
  <label>Maintenance Windows</label>
  <row>
    <panel>
      <title>Create Maintenance Windows</title>
      <input type="multiselect" token="application_tok" searchWhenChanged="true">
        <label>Application</label>
        <choice value="*">ANY</choice>
        <default>*</default>
        <fieldForLabel>app</fieldForLabel>
        <fieldForValue>app</fieldForValue>
        <search>
          <query>index=AAA sourcetype="BBB" | table tags{}.key | rex field=tags{}.key "\[env\]\:(?&lt;env&gt;\S+)|\[app\]\:(?&lt;app&gt;\S+)" | fields app | dedup app | sort app</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <delimiter></delimiter>
      </input>
      <input type="multiselect" token="environment_tok" searchWhenChanged="true">
        <label>Environment</label>
        <choice value="*">ANY</choice>
        <default>*</default>
        <fieldForLabel>env</fieldForLabel>
        <fieldForValue>env</fieldForValue>
        <search>
          <query>index=AAA sourcetype="BBB" | table tags{}.key | rex field=tags{}.key "\[env\]\:(?&lt;env&gt;\S+)|\[app\]\:(?&lt;app&gt;\S+)" | search env!="" | fields env | dedup env | sort env</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <delimiter> </delimiter>
      </input>
      <input type="text" token="start" searchWhenChanged="false">
        <label>Start Time (yyyy-mm-dd HH:MM)</label>
      </input>
      <input type="text" token="end" searchWhenChanged="false">
        <label>End Time (yyyy-mm-dd HH:MM)</label>
      </input>
      <html>
        <input type="button" value="submit" />
      </html>
      <table>
        <search>
          <query>| makeresults | eval dummy="true" | fields - dummy | eval Application="$application_tok$", Environment="$environment_tok$", Start="$start$", End="$end$" | fields - _time | table Application Environment Start End | outputlookup create_maintenance.csv</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Second problem: I cannot enter multiple lines in the csv. Here is the query:

| makeresults | eval dummy="true" | fields - dummy | eval Application="$application_tok$", Environment="$environment_tok$", Start="$start$", End="$end$" | fields - _time | table Application Environment Start End | outputlookup create_maintenance.csv

Can you help me please?
Hello, I'm trying to get pipeline stage data from Jenkins to Splunk. The extended Splunk plug-in was already installed on Jenkins. As far as I understand it I merely have to tick the checkbox for "Send All Pipeline Console Logs" in the configuration of Jenkins. I've tried this, but it doesn't seem to work: when I go to a build event of a pipeline in the Jenkins app in Splunk and click on the "Job Stage Pipeline" tab I get the message "No pipeline data". When I look across the indexes in Splunk I'm not able to find any pipeline data either (though I can find the generic job event). The fact that the 'normal' data seems to come through to Splunk but the pipeline data is missing is confusing me. I've tried some other approaches, but to no avail. Does anyone know what's going on? What index is the data supposed to go into anyway? (Does the configuration change require a restart of Jenkins?)
Hi, I have a json where not all the elements have all the fields. How can we extract and show this in a table? For example:

{
  "node": "node1",
  "Command_output_interface": [
    {
      "TABLE_interface": {
        "ROW_interface": [
          {
            "interface": "ethernet1/1",
            "description": "local"
          },
          {
            "interface": "ethernet1/2"
          },
          {
            "interface": "ethernet1/3",
            "description": "wan"
          }
        ]
      }
    }
  ]
}

As you can see, ethernet1/2 does not have a description. When I try to table it using spath and mvzip and mvexpand, it does not work fine because it is shown in this way:

node    interface     description
node1   ethernet1/1   local
node1   ethernet1/2   wan
node1   ethernet1/3

And of course I want the following result, where there is no description for ethernet1/2:

node    interface     description
node1   ethernet1/1   local
node1   ethernet1/2
node1   ethernet1/3   wan

Can you help me? Seems simple but I haven't been able to find the way. Regards,
Can we use one channel identifier for multiple clients through Splunk HEC to enable indexer acknowledgement
Hi, we have a stand-alone environment in which 100 GB of data will be ingested daily. I just want to know what would be the best index storage configuration in indexes.conf. I have a number of indexes I want to configure like this:

[active-directory]
homePath = $SPLUNK_DB/active_directory/db
coldPath = $SPLUNK_DB/active_directory/colddb
thawedPath = $SPLUNK_DB/active_directory/thaweddb
maxHotBuckets = 3
maxDataSize = 300
maxWarmDBCount = 300
maxTotalDataSizeMB = 200000
frozenTimePeriodInSecs = 172800
coldToFrozenDir = $SPLUNK_DB/active_directory/frozendb

Can someone help with a suitable configuration, and what would be the disk space required for storage if I configure all indexes this way? Will I face any disk space issue?
Hey, can someone help me? I'm new to IT and have absolutely no knowledge about this kind of stuff, but I have to find out about the monitoring features of Tripwire and Splunk. Can someone help me here and fill in this Excel with y/n in the Splunk column and, if possible, add more features that Splunk has but Tripwire does not?

| Features | Tripwire | Splunk |
|---|---|---|
| Agent-based log collection | yes | |
| Logs delivered over encrypted connection with compression | yes | |
| Resiliency when disconnected from management console | yes | |
| Offline data collection when disconnected from console | yes | |
| Extensive platform support | yes | |
| Remote log collection | yes | |
| Support for multi-line log file collection | yes | |
| Preservation of original log content | yes | |
| High compression ratio for storage | yes | |
| Ability to store logs centrally | yes | |
| Ability to store logs locally | yes | |
| Ability to encrypt stored log data | yes | |
| Separation of logs by location | yes | |
| Role-based access to log data | yes | |
| Scheduled archiving of logs | yes | |
| Search functionality available via REST API | yes | |
| Indexed logs for fast searching | yes | |
| Industry standard classification of events for fast searching | yes | |
| Simultaneous, multiple results windows for comparing query output | yes | |
| Scheduled reports | yes | |
| Plain text and REGEX searches | yes | |
| Visual custom rule builder | yes | |
| Extensive fields available for correlation | yes | |
| Pre-built correlation rules to detect events of interest or sequences of events | yes | |
| Pre-built correlation rules for compliance requirements | yes | |
| Correlation with non-log data sources | yes | |
| Integration with security configuration management tools like Tripwire Enterprise for asset tag data | yes | |
| Dynamic correlation lists | yes | |
| Integration with Active Directory for dynamic user lists | yes | |
| Correlation Engine rules can execute custom scripts as an action | yes | |
| Correlation Engine can store events in an accessible database | yes | |
| Log forwarding to multiple destinations | yes | |
| Event forwarding from correlation rules | yes | |
| Scheduled reporting tasks | yes | |
| Pre-built and customizable dashboards | yes | |
| Correlation Engine rules can generate E-mails | yes | |
| Correlation Engine rules can generate syslog events | yes | |
| Correlation Engine rules can generate console notifications | yes | |
Hi, I need to find the 90th percentile avg. I tried it this way:

base search | search mainMethod=LostStolen OR mainMethod=CreditLimit OR mainMethod=LoanCreation | stats max(ResponseTime) avg(ResponseTime) as count by mainMethod | eventstats perc90(avg)

I'm getting this:

mainMethod     Max    avg(ResponseTime)   Avg(90p)
LostStolen     2000   1900                1834
CreditLimit    1800   1734                1834
LoanCreation   1925   1867                1834

The avg 90p is replicated from the first row, and if I add an "as count by" clause in eventstats it throws an error.
Hi @renjith_nair, I'm trying to join two tables which have a common field, but it's not giving complete data as the tables have more than a lakh rows. Is there any other option rather than join to combine the two tables?
I'm really stuck right now on my configuration for my json data below. I'm currently building a data collector app in Splunk Add-on Builder. Here's the current configuration. My goal is to break the Integration_Business_Process_Events_group sub-values into separate events but retain the parent event details. So instead of having 1 event, I should have 6 events. Hoping for your answers. I already looked into other similar problems like this, but I'm getting more confused. Thanks everyone!
Hi @niketn, greetings. I have a requirement where my first query is as below:

index=<my_index> eventtype=" " | table field1

And the values of my first query have to be used in the search of my second query: index=<my_index> source=" " and field1 values. I tried using join; it doesn't seem to help. Please advise.
In Splunk Enterprise Security, Incident Review dashboard, I am adding 2 different Investigation Options to the notables by clicking on "Add Event to Investigation". Now, my requirement is to find out the metrics of each Investigation Option. For example, how many notables exist with a particular Investigation Option. Is it possible?
I'm a newbie to both Splunk and ITSI. I think I can figure out how to find the fields in a lookup table and in an index; however, despite the name of this thing (itsi_event_management_group_index), it seems not to be an index, as preceding it with "index=" yields no results, thus I can't figure out how to determine the names of the fields contained within it. I've been provided with a query which references some of the fields via the 'stats' command, but... 1) How do I identify all such fields, and 2) what is this thing if not an index or lookup table?
I have a dashboard using a custom Splunk web framework view which displays some stuff and a TableView of search results. This works great. I am trying to add the ResultsLinkView so that users can export these search results and am running into issues. The docs reference a "controlpanel" element the ResultsLinkView should be tied to, but I'm not sure how to translate that reference into what I have to work with in my code. I don't understand how to tie the ResultsLinkView to a TableView... or is this the wrong approach? With the below, I see the table view results, and the links for the ResultsLinkView are present but disabled, even if I mouse over.

<form script="test.js">
  <label>Report</label>
  <row>
    <panel>
      <html>
        <h3>TEST</h3>
        <div id="dummy_table"></div>
        <div id="dummy_resultslink"></div>
      </html>
    </panel>
  </row>
</form>

require([
  "jquery",
  "splunkjs/mvc",
  "splunkjs/mvc/searchmanager",
  "splunkjs/mvc/tableview",
  "splunkjs/mvc/resultslinkview",
  "splunkjs/mvc/simplexml/ready!"
], function($, mvc, SearchManager, TableView, ResultsLinkView) {
  var dummysearch = new SearchManager({
    id: "dummysearch",
    search: mvc.tokenSafe('|makeresults |eval stuff="dummy"'),
    autostart: "false",
    preview: false,
    cache: true
  });
  var tvdummy = new TableView({
    id: "dummytable",
    el: $("#dummy_table"),
    managerid: "dummysearch"
  }).render();
  var resultsLink = new ResultsLinkView({
    id: "resultsLink",
    managerid: "dummytable",
    el: $("#dummy_resultslink")
  });
  resultsLink.render().$el.appendTo($("dummy_resultslink"));
});

If I change it to

var resultsLink = new ResultsLinkView({
  ...
  el: $("#dummy_table")
});
resultsLink.render().$el.appendTo($("dummy_table"));

then I don't see any search results. Appreciate any suggestions, TIA
In my stand-alone environment indexes.conf has:

maxDataSize = 100
maxTotalDataSizeMB = 200000

but in the UI one index's current size is 40 GB and its max size is 500 GB. As I understood it, maxDataSize=100 (MB) means that when a hot bucket reaches 100 MB it will roll to another bucket, and maxTotalDataSizeMB=200000 = 200 GB (hot+warm+cold). Then does the current size of 40 GB mean that the data will be in the hot bucket, or what? Please clarify this one.
Hi, looking for advice on how to on-board a CSV file with comma-separated values where each field has pipes around it:

|field1|,|field2|,...,|fieldn|

Example:

Header:
ACTIVITY_LOG_Time,INGRESS_EGRESS_IND,DEST_FMLY_CD,DU_ID,CHANNEL,SBMTR_ID,PRPTY_VALUE_TX,BUSINESS_LINE,TECH_FNCTN_ID,ACTVY_STAT_ID,ACTVY_STAT_DS,ACTVY_SCSFL_IN,SMF_ID,DU_TRKNG_NB,PARTY_ACCT_ID,GROUP_USER,TOPIC_3_VALUE_TX,DU_MQMD_TX

Sample Event:
|2020-12-21-02.42.14.242001|,|Ingress|,|ABC|,|ZP00119842239341|,|MQ|,|G0000246|,NULL,|TRA|,|TRAM|,1,|MQ Message Queued|,|Y|,|001|,|ZP00119842239341|,||,|G0000246|,||,| (?åë&?áèä&è???<9d>³ú¬^]P?|

Thank you in advance
Hello Splunk Community, I have a multivalue field that outputs "No" after applying an if eval statement. I would like to have it output "Yes" if there is more than 1 value for that field. I believe it's my eval command that needs to be fixed:

| eval Result=if(Doc=DocId, "Yes", "No")

Full search:

(index="XYZ") OR (index="123")
| eval Doc=if(level="RecordCount", DocId, "no_level")
| fillnull DocType value=NA
| eval Result=if(Doc=DocId, "Yes", "No")
| stats values(Doc) values(level) values(RecordCount) values(Result) by DocType

Output:

docType   values(DocId)      values(level)   values(RecordCount)   values(Result)
PDF       12345, no_level    submitted       1                     No (this should say yes)