I am working on a fresh install of ES 6.4. I already have a Splunk Enterprise environment with an indexer tier, apps, a single search head, etc. ES has been installed on a standalone search head, but not configured. I have configured ES before, but it was a few versions and a few years back. What are some good resources for getting ES configured besides the install docs? Since I already have a Splunk environment with forwarders, add-ons, etc., it looks like my next step might be 'Create the Splunk_TA_ForIndexers and manage deployment manually'. If I go to this step, am I skipping something I shouldn't skip? https://docs.splunk.com/Documentation/ES/6.4.0/Install/InstallTechnologyAdd-ons
A user can configure my app at any time with setup.xml. But to make the app compatible with Cloud I have to remove the setup.xml and implement a setup view. Setup views force the user to configure the app once, when it is installed, and after that no configuration is required. So the user will be able to configure it once but not afterwards. But I want the same setup.xml functionality along with the setup view implementation. Can anyone help, guide or share anything?
Hi guys, I am currently struggling with making JS work in a dashboard. My idea is to have a line graph with some data and add another line based on the button clicked. I have a set of buttons in HTML. When clicked, it calls a JS function and changes the token (token_foo) value to a given string, which is then used in the graph search. Well, this part works just fine. Until... Now let's say I would like to color these buttons based on other tokens. Once I do that, the buttons get the right color, but suddenly refuse to call the JS function. The same happens when I try to display the token value with <p>$foo_color$</p>. Shortened XML code:

  <row>
    <panel>
      <html>
        <input type="button" id="foo" value="Foo" style="background-color:$foo_color$"/>
        <input type="button" id="boo" value="Boo" style="background-color:$boo_color$"/>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <search>
          <done>
            <condition match="'job.resultCount' == 0">
              <set token="foo_color">#00FF00</set>
            </condition>
            <condition match="'job.resultCount' &gt; 0">
              <set token="foo_color">#FF0000</set>
            </condition>
          </done>
          <query>index="foo_index"</query>
          <earliest>$time_picker.earliest$</earliest>
          <latest>$time_picker.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>

What am I missing? Thanks.
Hi! Can anyone explain whether there are any preconfigured use cases in Splunk dashboards for Identity and Access Management related logs? If yes, where can I see the configurations in the Splunk instance? (Under Settings --> All Configurations?) Thanks!
Hello fellow Splunkers! At the moment I'm trying to break up a huge multiline event that is merged together with &&&. When I try to explicitly tell Splunk to BREAK_ONLY_AFTER = &&& it doesn't work. I also tried BREAK_ONLY_BEFORE = \d+.\d+.\d+.\d+\s-\s- and BREAK_ONLY_AFTER = \d{3}&&&; it seems that nothing I try works. Please help. Here is the source log:

  141.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&itemId=EST-16&product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294&&&130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-12&product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361&&&141.146.8.66 - - [13/Jan/2016 21:03:09:167] "GET /product.screen?product_id=RP-LI-02&JSESSIONID=SD9SL9FF8ADFF1 HTTP 1.1" 200 3855 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-20&product_id=RP-LI-02" "Googlebot/2.1 ( http://www.googlebot.com/bot.html) " 929
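Added example, not part of the post above: the line-merge settings (BREAK_ONLY_BEFORE, MUST_BREAK_AFTER and the rest of the SHOULD_LINEMERGE family) only glue together or separate whole lines that LINE_BREAKER has already produced, and the default LINE_BREAKER splits on runs of CR/LF only. A single line with no newline in it therefore stays one event no matter what merge rule is set; the cut has to be made by LINE_BREAKER itself, with the separator in its capture group. The Python below emulates both stages on the log from the post and then parses the resulting events. The sourcetype name and TIME_* settings in the commented props.conf stanza, and the field name `trailing` for the unlabelled integer at the end of each event, are assumptions.

```python
import re

# The three access-log events from the post, joined with "&&&" exactly as they arrive
RAW = "&&&".join([
    '141.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&itemId=EST-16&product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294',
    '130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-12&product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361',
    '141.146.8.66 - - [13/Jan/2016 21:03:09:167] "GET /product.screen?product_id=RP-LI-02&JSESSIONID=SD9SL9FF8ADFF1 HTTP 1.1" 200 3855 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-20&product_id=RP-LI-02" "Googlebot/2.1 ( http://www.googlebot.com/bot.html) " 929',
])

# props.conf stanza this emulates (sourcetype name and TIME_* settings are assumptions):
# [flowershop_access]
# SHOULD_LINEMERGE = false
# LINE_BREAKER = (&&&)
# TIME_PREFIX = \[
# TIME_FORMAT = %d/%b/%Y %H:%M:%S:%3N


def line_breaker(raw, pattern=r"(&&&)"):
    """Stage 1, LINE_BREAKER: the boundary is the regex's first capture group, whose text
    is discarded; anything the regex matches outside the group stays with its event."""
    events, start = [], 0
    for m in re.finditer(pattern, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip() for e in events if e.strip()]


def default_line_breaker(raw):
    """Splunk's default LINE_BREAKER: a run of CR/LF characters is the only separator."""
    return line_breaker(raw, r"([\r\n]+)")


def must_break_after(lines, pattern):
    """Stage 2, SHOULD_LINEMERGE=true with MUST_BREAK_AFTER: join stage-1 lines and start
    a new event after a line matching pattern. It never splits inside a line, so with a
    newline-free input it returns one event whatever the pattern is."""
    events, current = [], []
    for line in lines:
        current.append(line)
        if re.search(pattern, line):
            events.append("\n".join(current))
            current = []
    if current:
        events.append("\n".join(current))
    return events


ACCESS = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<protocol>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"'
    r'(?: (?P<trailing>\d+))?$'  # unlabelled integer at the end of each event; name assumed
)


def parse_access(event):
    """Extract fields from one event; None if the line does not fit the format."""
    m = ACCESS.match(event)
    return m.groupdict() if m else None


def parse_all(raw, pattern=r"(&&&)"):
    """Split raw with the given LINE_BREAKER and parse every resulting event."""
    return [parse_access(e) for e in line_breaker(raw, pattern)]


if __name__ == "__main__":
    merged = must_break_after(default_line_breaker(RAW), r"&&&")
    print(f"line merging on the default split: {len(merged)} event(s)")
    for ev in parse_all(RAW):
        print(ev["clientip"], ev["method"], ev["uri"], ev["status"], ev["trailing"])
```

`line_breaker(RAW, r"\d{3}(&&&)")` gives the same three events as `(&&&)` because only the group is consumed; the three digits stay with the preceding event. That is the behaviour to keep in mind when the separator is ambiguous and you want some context on one side of the cut.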
Hello Team, I passed the SPLK-2001: Splunk Certified Developer exam on 6 Dec 2020. But I am still waiting for the SPLK-2002 Splunk Architect exam, which is not showing up on Pearson. Could someone help?
Does ES also come with SSE app features like Analytics Advisor, Content Recommendations, Data Inventory, CIM compliance check, etc.? I found these features really useful for data source assessment.
My query:

  ... | stats count by "response time" | rename "response time" as "time_taken" | rangemap field=time_taken upto_5_sec=0-5000 default=more_then_5_sec | stats sum(count) by range

How can I get this result distributed on a daily basis?

Current result:

  upto_5_sec       100
  more_then_5_sec  1

Expected result:

  2020-12-05  upto_5_sec       80
              more_then_5_sec  0
  2020-12-06  upto_5_sec       20
              more_then_5_sec  1
I've been asked to find a solution that will allow me to retain the full details of triggered alerts and the e-mail alerts sent by them. So far I cannot see any clear way to do this, bar perhaps outputting the requested details to a lookup, and just copying to a retention mailbox also appears not to be an option. Has anyone had to meet this kind of retention policy before?
Hello guys, I found out we can set up a triggered alert if "greater than or equal to 0"; I had to use an additional stats command to use a custom condition, or use reports. You just need to use "less than 10000", for instance (a high number). Hope this helps. Thanks.
Do we need to create a dashboard, or is a default dashboard provided? Will you provide some training or an overview on this?
Dear Splunk users, I am working on an existing dashboard with certain inputs. These inputs are dynamically populated and use a search query for that. However, to filter the events on time, I see a token being used in a "where" clause, and the XML tags <earliest> and <latest> are removed. I am just curious what default time range the search picks in this case. The original token uses a 2-week span. I have attached the source here. I would really appreciate it if you could provide references to your answers in the Splunk docs. Thanks and happy Splunking. I am just wondering if the search for this input uses all time.

  <input type="multiselect" token="Baseline" searchWhenChanged="true">
    <label>Baseline</label>
    <choice value="*">All (including unplanned)</choice>
    <choice value="RB*">All (planned only)</choice>
    <choice value="undefined">Unplanned</choice>
    <fieldForLabel>Baseline</fieldForLabel>
    <fieldForValue>Baseline</fieldForValue>
    <search>
      <query>index=abcd sourcetype="xyz" | where strftime(_time, "%F")=$TIME_FILTER$ |dedup Baseline |sort Baseline</query>
    </search>
    <valuePrefix>Baseline="</valuePrefix>
    <valueSuffix>"</valueSuffix>
    <delimiter> OR </delimiter>
    <default>*</default>
  </input>

Token to filter time:

  <input type="dropdown" searchWhenChanged="true" token="TIME_FILTER">
    <selectFirstChoice>true</selectFirstChoice>
    <label>Time Picker</label>
    <prefix>"</prefix>
    <suffix>"</suffix>
    <fieldForLabel>ttime</fieldForLabel>
    <fieldForValue>ttime</fieldForValue>
    <search>
      <finalized>
        <condition match="$result.today$!=$result.latestDate$">
          <set token="LATEST_DATE">$result.latestDate$</set>
        </condition>
        <condition>
          <unset token="LATEST_DATE"></unset>
        </condition>
      </finalized>
      <query>| loadjob `savedsearch(xyz, $env:app$)` | fields _time | eval ttime = strftime(_time, "%F") | eval today = strftime(now(), "%F") | dedup ttime | eventstats latest(ttime) as latestDate</query>
      <earliest>-2w</earliest>
      <latest>now</latest>
    </search>
  </input>
I want to open a support ticket, but I am getting this:
Hi Splunkers, I have an issue. Splunk is connected to an LDAP server; all users accessing Splunk are authenticated by the LDAP server, all users who access ES have the ess_analyst role, and all these users appear under the owner label when clicking edit for a specific incident. But there is one user whose name sometimes appears in the list and sometimes does not. Why is this behavior occurring, and how can I resolve it? Please support me with this. Best regards
Hello, I have an issue when I am trying to start the free access to Splunk Cloud. The message is "We're sorry, an internal error was detected when creating the stack. Please try again later." Can you have a look or give me another way to start it? Thank you in advance! JB
Query:

  index=_internal sourcetype=scheduler thread_id="AlertNotifier*" "email" | fillnull

Sample log:

  12-06-2020 08:05:11.189 +0000 INFO SavedSplunker - savedsearch_id="nobody;search;TimeDelayInCiscoEstreamerLogsFromHost-"10.90.78.45"", search_type="", user="abc", app="search", savedsearch_name="TimeDelayInCiscoEstreamerLogsFromHost-"10.90.78.45"", priority=default, status=success, digest_mode=1, scheduled_time=1607241900, window_time=0, dispatch_time=1607241903, run_time=6.113, result_count=2, alert_actions="email", sid="scheduler_dmFybNyaS5hZG1pbkBiY2cuY29t__search__RMD5e388bf8114eaecc6_at_160900_26417_8B358556-EC52-4F41-A194-1A98CFD37560", suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool=""

Issue: The actual log has the value alert_actions="email", but when checked in the selected fields the value is either 0 or empty, even after using fillnull. What does this mean? In which scenarios does this occur? My use case is to find out the number of email alerts triggered in the last 24 hours, but a few of them are missing from my report because alert_actions shows either 0 or an empty value.
I need to change the e-mail of my Splunk account to my work e-mail so they can give me access to Splunk Fundamentals 2. I don't have an option for that, only to change my password. How can I do this?
Hi Splunkers, I am writing SPL in a report which uses a lookup. If the lookup has fewer rows, then overwrite the lookup with an existing static lookup.

Example:

  <mysearch> | outputlookup test1.csv | stats count | <if/where condition, where I need to check if count < 100, then overwrite the existing static lookup into test1.csv, else remain as-is>
  count < 100 , "| inputlookup testlookup.csv | outputlookup test1.csv" , "test1.csv"
Hi Splunkers! Hope you guys are doing well. I'm working on a use case where I have to show a daily chart of the overall results of a search. I'm attaching a screenshot below. I'm trying to show a daily count of the number in a line graph. For example (see screenshot): I got 1350 dest statistics today and 1200 dest statistics yesterday. I want to show both on the line graph with dates. Doing timechart count by dest is not giving accurate results. Thanks in advance.
We have server A, a Linux box (HF) (AWS cloud). This server is the primary server. I copied the conf files in the local folder to an S3 bucket through a Python script, and scheduled a daily job to copy the files. Now I need to copy the same configuration files to server B (HF) (AWS cloud); this server is a DR server. Scenario: if something happens to the primary server we need to copy the config files from the S3 bucket, paste them into the DR server's local folder and restart Splunk. This should be done in an automated way. Can someone help with the best way to do it? Thanks in advance.
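Added example, not from the post or from Splunk: one way to automate the DR side in Python. The primary's upload job also writes a sha256 manifest of the conf files; the DR restore verifies every object against that manifest and rejects any bucket key that would write outside the target directory before it overwrites anything, and only then restarts Splunk. The bucket name, key prefix, `/opt/splunk` path, conf file contents and the `manifest.json` name are assumptions. S3 access via boto3 is shown in `s3_fetcher` but the walkthrough in `demo()` uses an in-memory dict as the bucket, so it runs offline.

```python
import hashlib
import json
import os
import subprocess
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(local_dir) -> dict:
    """Run on the primary next to the upload job: relative path -> sha256 of every file."""
    root = Path(local_dir)
    return {
        p.relative_to(root).as_posix(): sha256_bytes(p.read_bytes())
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def safe_target(dest_root, rel: str) -> Path:
    """Map a bucket key to a path under dest_root, refusing absolute keys and '..' escapes."""
    root = Path(dest_root).resolve()
    target = (root / rel).resolve()
    if target == root or root not in target.parents:
        raise ValueError(f"refusing key outside destination: {rel!r}")
    return target


def is_safe_key(dest_root, rel: str) -> bool:
    try:
        safe_target(dest_root, rel)
        return True
    except ValueError:
        return False


def restore(fetch, manifest: dict, dest_dir) -> list:
    """Fetch every manifest entry, check its digest, then write all files atomically.
    The whole set is verified before the first write, so one bad object cannot leave
    the DR host with a half-replaced configuration."""
    verified = []
    for rel, expected in manifest.items():
        target = safe_target(dest_dir, rel)
        data = fetch(rel)
        actual = sha256_bytes(data)
        if actual != expected:
            raise ValueError(f"digest mismatch for {rel}: {actual} != {expected}")
        verified.append((target, data))
    written = []
    for target, data in verified:
        target.parent.mkdir(parents=True, exist_ok=True)
        tmp = target.parent / (target.name + ".tmp")
        tmp.write_bytes(data)
        os.replace(tmp, target)  # atomic rename on the same filesystem
        written.append(target)
    return written


def s3_fetcher(bucket: str, prefix: str):
    """Return a fetch callable backed by boto3 (assumed layout: prefix + relative path)."""
    import boto3  # deferred so the offline demo needs no AWS SDK
    s3 = boto3.client("s3")
    return lambda rel: s3.get_object(Bucket=bucket, Key=prefix + rel)["Body"].read()


def restart_splunk(splunk_home="/opt/splunk") -> None:
    """Call only after restore() returned without raising (install path assumed)."""
    subprocess.run([os.path.join(splunk_home, "bin", "splunk"), "restart"], check=True)


def restore_from_s3(bucket: str, prefix: str, dest_dir: str) -> None:
    """Production sequence for the DR host (not exercised offline)."""
    fetch = s3_fetcher(bucket, prefix)
    manifest = json.loads(fetch("manifest.json"))  # written by the primary's upload job
    restore(fetch, manifest, dest_dir)
    restart_splunk()


def demo() -> dict:
    """Offline walkthrough with constructed conf files and a dict standing in for S3."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "primary_local", Path(tmp) / "dr_local"
        src.mkdir()
        (src / "inputs.conf").write_text("[monitor:///var/log/secure]\nindex = os\n")
        (src / "outputs.conf").write_text("[tcpout]\ndefaultGroup = idx\n")
        manifest = build_manifest(src)  # produced on the primary
        bucket = {rel: (src / rel).read_bytes() for rel in manifest}

        written = restore(bucket.__getitem__, manifest, dest)
        clean_ok = build_manifest(dest) == manifest

        # an object altered in the bucket after the manifest was written
        bucket["outputs.conf"] += b"\n[tcpout:rogue]\nserver = 203.0.113.9:9997\n"
        try:
            restore(bucket.__getitem__, manifest, dest)
            tamper_caught = False
        except ValueError:
            tamper_caught = True
        return {
            "files_written": len(written),
            "clean_ok": clean_ok,
            "tamper_caught": tamper_caught,
            "dest_untouched": build_manifest(dest) == manifest,
        }


if __name__ == "__main__":
    print(demo())
```

The manifest only helps if it cannot be rewritten by whoever can tamper with the objects, so have the primary's role be the only principal allowed to put objects under the prefix, give the DR host's role read-only access, and turn on bucket versioning so a bad upload can be rolled back. Conf files under local/ frequently contain credentials (outputs.conf, passwords.conf), so the bucket should also be encrypted and not shared with other workloads.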