Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hello all, and thanks for the assistance ahead of time. How can I produce a list of all Splunk index names for indexes in my enterprise Splunk Cloud that contain web access log data? Is there a way to do it without scanning all indexes and inspecting data in each one to figure it out?
I am trying to extract the HTTP status from the event text below using a search, but I am not able to get the status.

Event content:
.. [2020-11-26T11:27:56.025047450Z] "PUT /sendmail HTTP/1.1" 400 203 252 "-" ...

Search:
| rex field=_raw "(?<prevFields>.*)\"PUT /sendmail HTTP/\d+\.\d+\"  (?<statusFieldStart>.*)" | table prevFields statusFieldStart

If I remove the \" (the highlighted one), then I get statusFieldStart with the content " 400 203 252 "-", which has a double quote at the start; I want to remove it so I can extract the status field completely. Is there anything I am missing here?
Hello, I recently upgraded from Splunk 7.3.2 to Splunk 8.0.5 and I noticed that the newer version does not manage special characters in CSV field names. As a simple exercise I created the following CSV, saved with Notepad++ with UTF-8 encoding:

timestamp;field_no_spaces;Field With Spaces;field_with_accented_a_à;field_with_degree_°
2020-01-01 10:00:00;value;value;value;value

The field names in the header contain characters that are in my source CSV: spaces, accented letters and a special character (in this case °). I followed the import wizard and left the default settings in the "Set Source Type" section. Without making any changes, here is the difference between the versions: (screenshots of 7.3.2 and 8.0.5 not included)

As you can see, 8.0.5 doesn't seem to handle those characters as standard. I suspect that it might have to do with Python 2 in 7.3.2 vs. Python 3 in 8.0.5, but I'm not sure what to do. I browsed the corresponding version of props.conf, but I wasn't able to find anything useful. I would appreciate it if someone could shed some light! Hopefully someone has faced this issue before me... Thank you and best regards, Andrew
Hi, I have some syslog logs and I need to extract the first words of a field value. The field value starts like this:

Site Corporate Windows AM\\Passed\\

My result should be:

Corporate Passed

Note: I can also have Unmanaged instead of Corporate and Failed instead of Passed, so I have 4 options:

Corporate Passed
Corporate Failed
Unmanaged Passed
Unmanaged Failed
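An added example (not code from either post) covering the two extraction questions above, the HTTP status and the Site/result words. It transcribes the first post's rex pattern into Python to show why it never matches (two spaces after the closing quote where the event has one), then applies a corrected pattern that captures the status code directly, and a second pattern that keeps only the Corporate/Unmanaged and Passed/Failed tokens. The sample event and field values are constructed here from the fragments quoted in the posts; the field names method, uri, bytes, site and result are my own choices.

```python
import re
from typing import Optional

# Constructed sample inputs, built from the fragments quoted in the posts:
# one access-log event and two syslog field values.
ACCESS_EVENT = ('.. [2020-11-26T11:27:56.025047450Z] '
                '"PUT /sendmail HTTP/1.1" 400 203 252 "-" ...')
SYSLOG_VALUES = [
    r"Site Corporate Windows AM\\Passed\\",
    r"Site Unmanaged Windows AM\\Failed\\",
]

# The pattern from the first post, transcribed into Python syntax. Note the
# two spaces after the closing quote of the request line: the event has only
# one, so this pattern never matches and no field is extracted.
POSTED_PATTERN = re.compile(
    r'(?P<prevFields>.*)"PUT /sendmail HTTP/\d+\.\d+"  (?P<statusFieldStart>.*)'
)

# Corrected pattern: a single space, and the status code captured on its own
# instead of as the start of a catch-all group. The equivalent rex would be
#   | rex "\"(?<method>[A-Z]+) (?<uri>\S+) HTTP/\d+\.\d+\" (?<status>\d{3}) (?<bytes>\d+)"
STATUS_PATTERN = re.compile(
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d+\.\d+" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Second post: keep the word after "Site " and the Passed/Failed token that
# follows the backslashes, restricted to the four combinations listed.
SITE_PATTERN = re.compile(
    r"^Site (?P<site>Corporate|Unmanaged)\b.*?\\+(?P<result>Passed|Failed)\b"
)


def posted_pattern_matches(event: str) -> bool:
    """True if the original (double-space) pattern matches the event."""
    return POSTED_PATTERN.search(event) is not None


def extract_status(event: str) -> Optional[dict]:
    """Return method/uri/status/bytes from an access-log event, or None."""
    m = STATUS_PATTERN.search(event)
    return m.groupdict() if m else None


def extract_site_result(value: str) -> Optional[str]:
    """Return '<site> <result>' (e.g. 'Corporate Passed'), or None."""
    m = SITE_PATTERN.match(value)
    return f"{m['site']} {m['result']}" if m else None


if __name__ == "__main__":
    print(posted_pattern_matches(ACCESS_EVENT))  # False
    print(extract_status(ACCESS_EVENT))          # status is '400'
    for v in SYSLOG_VALUES:
        print(extract_site_result(v))
```

Python's re uses `(?P<name>...)` where rex uses `(?<name>...)`; the patterns are otherwise interchangeable, so the whitespace fix and the dedicated status group carry over to the search as written in the comment.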
Hi Everyone, can someone help me with how I can form a Splunk Notable URL when I have the Notable ID (event_id)? The use case is: I am ingesting Notables into Phantom and I need to publish a Notable URL for each container in Phantom so that an analyst can click on the URL and navigate to the respective Notable alert in Splunk ES.
Hi, I have the search result below, which shows Violators in red. Violators are more than 2 sec. I would like to get a result set which would show the latest month when the violation happened, its response time and the number of times it has violated. Something like:

Module            LastViolatedMonth  LastViolatedResponse  ViolationCount
AppSDK            Nov-2020           3.17                  10
DocumentExchange  Oct-2020           2.29                  6
FrieghtAudit      Aug-2020           2.18                  4

Could someone please help me out here? Thanks
Good morning all, I'm leveraging the transaction command in order to gather statistics around the duration of my requests in order to report on them. By default the transaction command leverages the _time field (timestamp) to calculate the duration for the transaction. However, the issue I'm facing is that the timestamps appear to have intermittent jumps that are skewing my numbers. I'd assume it's just forwarder config, perhaps. I do have a second, more accurate timestamp available to me that I'd like to leverage, "ServerTime", which has been added to our events. I'm just trying to understand if I can override the transaction command to use the ServerTime field I have rather than the timestamp. See attached screenshots demonstrating the issue. Thanks in advance, everyone.
Hello, in order to create an F5 availability dashboard I installed the F5 extension, which is working fine and shows data as expected. I created a custom health rule for the F5 extension. The extension works fine and I can see the data successfully in the "metric browser"; however, after I created a health rule for a specific metric, the health rule doesn't work and is always grayed out with "?". The metric I'm trying to monitor is:

Application Infrastructure Performance|Root|Individual Nodes|node00-java-MA|Custom Metrics|F5 LAN|Pools|~Common~vipaaa_443|Members|~Common~172.16.10.10-443|Availability

Any idea? Please assist. Thanks
Hi, I'm trying to integrate an API feed into our threat intelligence collections via PowerShell, however I can't seem to get the syntax correct to update records. I know the API and authentication are working, as GET and DELETE requests are successful, but when attempting to execute a PUT request I receive the error "item argument missing". I've tested the command below successfully; however, I'd like to run this via PowerShell to encrypt credentials during authentication.

curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/ip_intel/e83fa2c5036d4c85bd5669a48ca134c5 -d item='{"ip":"0.0.0.0"}' -X PUT

I've attempted several different JSON formats, hoping the one below would work:

{
  "item": {
    "ip": "0.0.0.0"
  }
}

Or even item='[{"ip":"0.0.0.0"}]' from the initial curl format; however, it won't seem to work. I am still receiving the following error: Invoke-WebRequest : {"status": false, "message": "item argument missing."}. Any suggestions?
Hi all, I'm a new Splunk user and I would like to have some help from you. I have two queries.

First query:
index=osb source=/applog/MtRot/ROT/proxy.log 3548 PS_WS_OM_NOTIFY | xmlkv maxinputs=10000 | table OrderID transactionID StatusCode StatusDescription

Result:
OrderID  transactionID  StatusCode  StatusDescription
3548     98f02a         5           Completed

Second query (executed after the first query result):
index=osb source=/applog/MtRot/ROT/proxy.log PS_WS_OM_NOTIFY 98f02a(from the first query) | xmlkv maxinputs=10000 | table transactionID ResultCode ResultDescription

The two queries have "transactionID" as a common value, so I'd like to create a single query in order to show one row with all these fields:
table OrderID transactionID StatusCode StatusDescription ResultCode ResultDescription

Any suggestion? Thank you very much
Hi, I have a HF which is used to ingest cloud data using API/modular inputs to Splunk Cloud. This HF acts as a slave to a deployment server which is also a license master. The license expired on the deployment server and since then I am not seeing logs getting ingested into Splunk Cloud. Though I am seeing _internal logs from this HF, making me believe that there is no connectivity issue between the HF and Cloud. As of now, we have uploaded a Splunk Cloud subscription license with 0 MB on the deployment server, which is valid. For the apps and add-ons, I am seeing an authentication error in the internal logs. Please can someone help me: what could be the issue? Do we need to install a separate license on the HF, or what should we do?
Hello All, I have been struggling with what seems to be a very simple concept. Can someone please help me correct this eval statement with OR and AND? I would like to display:

if name is in All - in both Department and Station = 0
if name is not in Department = 1
if name is in Station = 2

I mainly want to get clarity on the structure of my eval statement using OR and AND.

| eval Name=if(((All=="No" OR All=="Yes") AND Department=="No" AND Station=="Yes"), "0","1", "2")
Hi All Is there any "Cheat-Sheet" with some common searches for Splunk ES ?    
Search:
index="test" "This is a error with IP Address *.*.*.*"

We have the above search query, where the IP address keeps changing, so we want to fire an alert if there are 10 events for the same IP address in the last 1 hour.
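An added example, not code from the post, showing the detection logic the question describes run over constructed sample log lines: extract the address from each matching event, count events per IP inside the last hour and report the addresses at or above the threshold. The timestamps, addresses and the unrelated trailing line are made up for the example. The same logic in a scheduled search would be the posted search followed by `| rex "IP Address (?<ip>\d+\.\d+\.\d+\.\d+)" | stats count by ip | where count >= 10`, run over the last 60 minutes and triggering when the result count is greater than zero; that SPL is my suggestion, not from the post.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Iterator, Tuple

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# The search in the post uses *.*.*.* as a wildcard; here the address is
# captured with a regex so events can be counted per IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"This is a error with IP Address (?P<ip>(?:\d{1,3}\.){3}\d{1,3})$"
)


def parse_events(lines: Iterable[str]) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, ip) for lines that match; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
            yield ts, m["ip"]


def offending_ips(lines: Iterable[str], now: datetime,
                  window: timedelta = timedelta(hours=1),
                  threshold: int = 10) -> Dict[str, int]:
    """Return {ip: count} for IPs with >= threshold events in (now-window, now]."""
    start = now - window
    counts = Counter(ip for ts, ip in parse_events(lines) if start < ts <= now)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log (not real data): 12 events for 10.0.0.5 in the last
# hour, 3 for 10.0.0.6, and 15 for 10.0.0.7 that are all older than one hour
# and so must not trigger, plus one line the search would not match.
NOW = datetime(2020, 11, 26, 12, 0, 0, tzinfo=timezone.utc)


def build_sample(now: datetime = NOW) -> list:
    def line(age: timedelta, ip: str) -> str:
        return f"{(now - age).strftime(TS_FMT)} This is a error with IP Address {ip}"
    lines = [line(timedelta(minutes=4 * i), "10.0.0.5") for i in range(12)]
    lines += [line(timedelta(minutes=10 * i), "10.0.0.6") for i in range(3)]
    lines += [line(timedelta(hours=2, minutes=i), "10.0.0.7") for i in range(15)]
    lines.append(f"{now.strftime(TS_FMT)} This is a different message")
    return lines


SAMPLE = build_sample()

if __name__ == "__main__":
    print(offending_ips(SAMPLE, NOW))  # {'10.0.0.5': 12}
```

The window check is done against the event timestamp rather than the line order, which is what a scheduled search over "last 60 minutes" does; an address that was noisy two hours ago (10.0.0.7 here) stays out of the current alert unless the window is widened.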
We are currently using an inputlookup command to populate a list based on some wildcard searches using input tokens from a KV store lookup with customer details, like below:

| inputlookup $site$-patrondetails WHERE FirstName=$firstname|s$ patron = $patron_id|s$ LastName = $patron_surname|s$ ResAddr = $patron_address|s$ MobilePhone = $patron_mobile|s$

where the token values are based on the value the user types into an input text box and the site token is a drop-down value. Until recently we have had 2 sites where all the data in the source system is stored in uppercase, but we have recently onboarded a 3rd site where the data is stored in both upper and lower case values. As it turns out, the WHERE clause is case sensitive. I have tried adding case_sensitive_match = false to the transforms.conf stanza for this patrondetails lookup definition, but this has not seemed to have any effect on the results being returned from the search. Have I missed something with this config, or is there something else I need to add? Any help would be appreciated, Tom
Hi all, I have data as follows:

REPORT RequestId: xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1

I want a field named CorrelationId3 which has the value xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1.
Hi Experts, I am getting an error when I try to create a new MS-SQL connection on my Splunk server (i.e. Amazon Linux 2).

Connection Type: MS-SQL Server Using MS Generic Driver With Windows Authentication
JDBC URL: jdbc:sqlserver://xx.xx.xxx.xx:1433;databaseName=master;selectMethod=cursor;integratedSecurity=true
ERROR: This driver is not configured for integrated authentication. ClientConnectionId:d3c9028f-187a-492f-89da-68dfceadceb1

Java version on my Splunk server: java version "1.8.0_201"
Splunk DB Connect version: DBX 3.1.4
Splunk Server OS: Amazon Linux 2 AMI

The drivers present on my machine are:
So I'd like to have one custom REST handler that allows for URLs like

/myapp/files
/myapp/files/0

restmap.conf

[script:myapp_files]
match=/myapp/files*
python.version=python3
handler=myapp_files.req
methods=GET,POST,PUT,DELETE
script = myapp_files.py
scripttype = persist

web.conf

[expose:myapp_files]
pattern=myapp/files*
methods=GET,POST,PUT,DELETE

https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Restmapconf#restmap.conf.example doesn't appear to say anything about "match" being a regular expression.