All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Is there a way to make a panel clickable as if it is a button? I'm trying to figure this out to enable or disable multiple sets of panels using tokens. For example, if I click Panel 1, four panels will show up. Then if I click Panel 2, the four panels for Panel 1 will be hidden, and the panels for Panel 2 will become visible. Thanks!
Hello all... I am trying to use the docker container and it is starting a process under root that writes the splunkd stderr file to stdout, but as root:

splunk tail -n 0 -f /opt/splunkforwarder/var/log/splunk/splunkd_stderr.log

How do I get that process to NOT start? We have a requirement that we cannot run processes as root in our containers. How do I either change the user running this process or stop it altogether? I get it that this means we will not get stderr.log files from the uf. Any help is much appreciated.
Hi everyone, I have a data set such as:

Log 1: EventId + EventType1
Log 2: EventId + EventType2
Log 3: EventId + EventType1
Log 4: EventId + EventType2
Log 5: EventId + EventType1

The outcome I am trying to get is something like:

EventId + (evaluatedEvent3) + counts of evaluatedEvents3 per day

Where evaluatedEvent is the occurrence of Event1 and Event2 in a sequence, e.g. if one Event1 and one Event2 are present for an ID, it will be counted as one. Similarly, if Event1 is +1 more than Event2, it should not be kept in the Event3 bucket for this ID.

TIA
Hi All, can someone help with a Splunk query which can help to find how many signatures were triggered in a given time which were in unassigned, in progress, or new status? Please help.
I have a search that runs with no issues:

ComputerName=CompName* (event_simpleName=*written* OR event_simpleName=DirectoryCreate OR event_simpleName=*CreateFile) *.xls* OR *.csv | rename FileName as WrittenFileName, FilePath as SourceFilePath, TargetFileName as DestinationFileName | table _time, ComputerName, WrittenFileName, SourceFilePath, DestinationFileName, sourcetype, ContextProcessId_decimal,TargetProcessId_decimal

What I want to do is take the value from ContextProcessId_decimal and use it in a second search as the value for the field TargetProcessId_decimal:

event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 TargetProcessId_decimal=ContextProcessid_decimal

I've tried doing a search within the first search like the following, but it errors out. I've spent a good hour or two and have been unable to figure this out. -_-

ComputerName=CompName* (event_simpleName=*written* OR event_simpleName=DirectoryCreate OR event_simpleName=*CreateFile) *.xls* OR *.csv | rename FileName as WrittenFileName, FilePath as SourceFilePath, TargetFileName as DestinationFileName [|search event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 TargetProcessId_decimal=ContextProcessid_decimal] | table _time, ComputerName, WrittenFileName, SourceFilePath, DestinationFileName, sourcetype, ContextProcessId_decimal,TargetProcessId_decimal

If I leave the renames in, it gives an error with that; if I take the rename out, it finds no results. Any help would be greatly appreciated!!
I have a very complex nested JSON event and need to extract 2 fields. I've managed it with less complicated ones but this one has me a bit stumped. I need to get the avgCycles and totalExecutions for each iRule, keeping hold of the name of the iRule. My event looks like this:

{
  clientSslProfiles: { [+] }
  deviceGroups: { [+] }
  httpProfiles: { [+] }
  iRules: {
    /Department/Shared/Department_HTML_rewrite_Rule: {
      application: Shared
      events: {
        CLIENT_ACCEPTED: { [+] }
        HTML_TAG_MATCHED: { [+] }
        HTTP_REQUEST: { [+] }
        HTTP_RESPONSE: {
          aborts: 0
          avgCycles: 28338
          failures: 0
          maxCycles: 1882653
          minCycles: 8898
          priority: 550
          totalExecutions: 86269
        }
      }
      name: /Department/Shared/Department_HTML_rewrite_Rule
      tenant: Department
    }
    /Common/Office-Rule: { [+] }
    /Common/Debug-Rule: { [+]
    .....
Hi there, I am not sure if I am missing the obvious, but I would pretty much like to be able to run stats count of a certain field, get the highest 10 results of that field, and then be able to see other data specifically related to those 10 results. To be more specific, I would like to see a list of fieldA by count with the highest value, something similar to this:

index=mysearch | stats count by fieldA | sort count - | head 10

but I would also like to be able to see fieldB values that are related to those ten results. However, if I run

index=mysearch | stats count by fieldA,fieldB | sort count - | head 10

then the results for fieldA are not the same as in the previous query. Just to sum it up, I would like to see the fieldB values that are related to the head 10 results of fieldA, but I am not interested in seeing the stats count of both fieldA and fieldB together. I really hope this makes sense. Thank you in advance for your help!
I have a field with several strings like:

fieldname = AT-field2-field3
fieldname = DE-field2
fieldname = DE-field2-field3-field4
etc...

I try to get a rex to just get the country code:

|rex field=fieldname "^(?<country>.*)-.*"

but the result is not just the Country Code. Any ideas?
I have enabled the memory tracker in the limits.conf in an app's local directory. System/local does not have this setting. I would like to increase the frequency at which this check occurs, since some users tend to run fast queries that exceed the memory limit I have set. Does anyone know how to increase the frequency of the memory tracker check? The documentation does not provide this information: https://docs.splunk.com/Documentation/Splunk/8.1.0/Search/Limitsearchprocessmemoryusage
I have a setup where I have configured Log4j2 within a springboot service and have set up HEC on Splunk. The setup is working brilliantly, where the logs are pushed to splunk without any issues. My question is, is there a mechanism where I can control the kinds of logs pushed via HEC? For example, my log file prints a lot of information like queries, logged in user data, application's exception stack traces, etc., and currently everything goes to Splunk. Is there a way where I can control it to push maybe just the exceptions or just the logged in user info, etc.? Is this possible? If not, are there any other options that I should explore? Appreciate it in advance.
I need the "notice" type logs to not be forwarded to the indexer. I know I should add a line called "blacklist", but I'm not good with regular expressions. Another question: why in some threads do they talk about modifying the files "props.conf" and "transforms.conf"? What is the difference between doing it from inputs.conf and the other way?

inputs.log
[monitor:///folder/folder/folder/ip_firewall]
disabled = false
host = namefirewall
index = firewalls
sourcetype = fgt_log

Sample Log
date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1557513467369913239 srcip=10.1.100.11 srcport=58012 srcintf="port12" srcintfrole="undefined" dstip=23.59.154.35 dstport=80 dstintf="port11" dstintfrole="undefined" srcuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" dstuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" poluuid="ccb269e0-5735-51e9-a218-a397dd08b7eb" sessionid=105048 proto=6 action="close" policyid=1 policytype="policy" service="HTTP" dstcountry="Canada" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=58012 appid=34050 app="HTTP.BROWSER_Firefox" appcat="Web.Client" apprisk="elevated" applist="g-default" duration=116 sentbyte=1188 rcvdbyte=1224 sentpkt=17 rcvdpkt=16 utmaction="allow" countapp=1 osname="Ubuntu" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=65500-742
I'm getting a parameter from my dashboard with a '_' value in it. I would like to start my search by evaluating a new parameter without the '_' and then use it in my search. In addition, I would like to inject this parameter into my regex and do another manipulation on my result. This is my query:

index=* |eval temp = ("my_value","_","")| "ERROR" "Exception in script execution" "at scripts.$temp$." [search index=* script_name=my_value tid=* | head 1 | return tid] | rex "at\sscripts.$temp$.(?<stack_trace>[^\t\n\s]+)" | head 1 | table stack_trace

I would like it to be searched like that:

index=* |eval temp = ("my_value","_","")| "ERROR" "Exception in script execution" "at scripts.myvalue." [search index=* script_name=my_value tid=* | head 1 | return tid] | rex "at\sscripts.myvalue.(?<stack_trace>[^\t\n\s]+)" | head 1 | table stack_trace

I can't seem to figure it out, could somebody help me? Thanks:)
Can a developer license be used on a Mac version of Splunk? If not, what's the best solution to use a developer license on a Mac? VM?
How to check the daily data usage in a particular index, and also historical daily data in GB, and more information about the capacity in buckets?
Hello, I need to set the Java version to be used by "Splunk_TA_jmx" without changing the configuration for other apps which use another Java version. The documentation (https://docs.splunk.com/Documentation/AddOns/released/JMX/Installationsteps) indicates that the variable $JAVA_HOME should be modified, but where should I do it without disturbing other apps? Thanks, Christian
Hi guys, I have the following event:

[DefaultMessageHistory[routeId=Receive, node=to618]], CamelToEndpoint=log://nl.vvv.kip.interfaces.timetellinboundtimecards.Receive?level=INFO&multiline=true&showAll=true&style=Fixed} Headers {breadcrumbId=ID-localhost-2206437765421-19-3, CamelFileAbsolute=true, CamelFileAbsolutePath=/data/bamba/Simebards

What I need is a regular expression to extract the word timetellinboundtimecards, and I want to rename it service-name. Furthermore, I need another regular expression to extract the word Receive (or Request or send or Failed) and rename it to status. Please let me know if you have the solution for this problem. Kind regards, K.C.
Hi, I am getting crazy with a simple JOIN statement to use Tenable data in Splunk. The goal is to enrich the KV store collection for Tenable.sc asset data with the baseScore of a vulnerability. That information is raw events in a dedicated sourcetype. This query gets a list of plugin_id with the baseScore:

index=nessus sourcetype="tenable:sc:plugin" | rename id as plugin_id | table plugin_id baseScore

This query gets some fields from that Tenable KV store:

| inputlookup sc_vuln_data_lookup | fields dns_name, first_found, last_found, plugin_id,state

When I try to do a join, I simply get no results at all:

| inputlookup sc_vuln_data_lookup | fields dns_name, first_found, last_found, plugin_id,state | join plugin_id [ search index=nessus sourcetype="tenable:sc:plugin" | rename id as plugin_id | table plugin_id baseScore]

I guess it is something simple I am missing, but I am not able to see it. Could anyone point me to the mistake? Many thanks
Good day, just installed Splunk Enterprise 8.1.0.1 onto a new (all-in-one) Windows DataCenter Server 2019 Core (moved drive from old system to new) over top of 8.0.0. Initially got some Splunkd crashes related to incompatible Python2 code in apps that prevented splunkd from starting. Disabled offending apps from the command line and... all good. New system is 56GB memory, 16 vCPUs. I have two indexes (colddb paths) set to F: and G: while Warm/Hot indexes still exist on E: drives. Today I noticed that splunkd is still crashing, but on a different thread from the one that halted splunkd.

Access violation, cannot read at address [0x000002EC99CBE6F8]
Exception address: [0x00007FF65CF8EAB6]
Crashing thread: BucketSummaryActorThread

The only 'direct' reference I found to this was for Transparent huge memory pages (THP) being disabled on a Linux system, but nothing relevant to a Windows 2019 Core system. I'm sure there are some parallels here between memory management on Linux and Core, but I don't see them. Any assistance is appreciated. Best regards, Greg
Hi Team, we have a customer requirement to display the Active BT count in the custom dashboard. I don't find anything related to count the number of BT's. Does anyone have any idea on how to achieve the requirement?
Hi @ All, I know there are many discussions about this topic, but nobody sent his solution. MY CODE:

<input type="text" token="Source_Folder_Input">
  <label>Source Folder</label>
  <change>
    <eval token="Source_Folder_Input_Replace">replace($Source_Folder_Input,"\\","\\\\")</eval>
  </change>
  <default>C:\SHARE</default>
</input>

I want to replace a single backslash with a double one. Now my Dashboard says "Search is waiting for input...". If I change, for testing, the change from "TEST" to "SHARE" it works. <I'm confused>