All Topics

Hi, I just started a trial of AppDynamics and can't seem to find documented instructions on how to install AppDynamics w/ PHP agent on Red Hat 8 with SELinux enabled (and needs to stay enabled). Can someone share a link to the instructions?
I need help with a Splunk query that will count both filled and empty cells in an Excel spreadsheet differently and give the values in percentages. I am trying to track down the percentage of the cells left to be filled out in the Excel spreadsheet using |inputlookup David_metrics_temp.csv
Is there an SPL query pattern that can perform "hierarchical counting" beyond the two levels of depth outlined in these linked answers?
https://community.splunk.com/t5/Splunk-Search/How-to-group-by-host-then-severity-and-include-a-count-for-each/m-p/207971
https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331415
https://community.splunk.com/t5/Splunk-Search/How-do-you-order-stats-by-multiple-hierarchical-fields/m-p/268480#M80753
For example, assume a dataset of car make, model, and transmission type. Show the count by make, then count by make and model, then count by make and model and transmission type. That's 3 levels of depth.
We have the Varonis TA and its props has the following section:
[varonis:ta]
However, each Varonis server that sends us data has a different time zone and the data doesn't have the time zone as part of it. Therefore, can I also have the following?
[host::tkvar*]
TZ = <Tokyo Time Zone>
Will it work?
I know through a workflow action I can add a token value to a URL string. Is there any way to populate a value on the web page? For example, I want to go to another application where I am unable to add the token value to the string, but there is a filter within the application I want to use. Is this possible?
I am trying to use Power BI's ODBC connector to connect to my company's Splunk instance but no matter what I try I keep getting this error: "ODBC: ERROR [HY000] [Splunk][SplunkODBC] (40) Error with HTTP API, error code: Couldn't resolve proxy name ERROR [HY000] [Splunk][SplunkODBC] (40) Error with HTTP API, error code: Couldn't resolve proxy name" My coworker was able to access it using the same URL and port so I know it isn't the URL, but I have edited privacy settings on my local machine, within the ODBC Manager and my Power BI instance, and I still can't get it to work. Has anyone experienced this or anything like this before and can provide some help?
Hello, We have a Splunk Cloud that is replacing our on-prem. We currently have firewall logs going to a syslog server that is then being sent to Splunk Cloud. We have installed the App/Add-on on the search head and it is mostly being used for CIM as the rsyslog is doing most of the work. We have an issue where we are not seeing any new data in our Splunk Cloud. I have checked the rsyslog.conf and everything appears right as far as what file path it is monitoring and what IPs it is getting it from. I have checked and confirmed all new logs are still going to the syslog server and data is still going to our on-prem server. It would appear to be some disconnect between the syslog server and our Splunk Cloud, but I am not 100% sure what else to check at this moment.
The Splunk Phantom Product Feedback Survey Sweepstakes Official Rules
NO PURCHASE OR PAYMENT OF ANY KIND IS NECESSARY TO ENTER OR WIN THIS SWEEPSTAKES. A PURCHASE WILL NOT INCREASE YOUR CHANCES OF WINNING. VOID WHERE PROHIBITED BY LAW. THIS SWEEPSTAKES IS OPEN ONLY TO CUSTOMERS AND USERS OF SPLUNK PHANTOM WHO ARE LEGAL RESIDENTS OF THE UNITED STATES OF AMERICA.
WINNER[S] MAY BE REQUIRED TO EXECUTE PRIZE ACCEPTANCE DOCUMENTS AND RETURN THEM WITHIN 14 DAYS FROM DATE OF ISSUANCE OF NOTIFICATION OR PRIZE MAY BE FORFEITED (IN SPONSOR’S SOLE DISCRETION), AS MORE FULLY DETAILED BELOW.
BY ENTERING THIS SWEEPSTAKES, YOU AGREE TO THESE OFFICIAL RULES, WHICH ARE A CONTRACT, SO READ THEM CAREFULLY BEFORE ENTERING. WITHOUT LIMITATION, THIS CONTRACT INCLUDES INDEMNITIES TO THE SPONSOR (DEFINED BELOW) FROM YOU AND A LIMITATION OF YOUR RIGHTS AND REMEDIES.
OVERVIEW: The Splunk Phantom Product Feedback Survey Sweepstakes (“Sweepstakes”) begins at 8:00 a.m. Pacific Time (“PDT”) on December 7, 2020 and ends at 9 p.m. PDT on February 15, 2021 (“Sweepstakes Period”). Eligible individuals may enter the Sweepstakes by completing the Splunk Phantom Product Feedback Survey and by sharing their first and last name, email address, and company. Twenty (20) potential winners will be selected from among all eligible entries in a random drawing following the conclusion of the Sweepstakes period, as more fully described below.
ELIGIBILITY: This Sweepstakes is open only to legal residents of any one (1) of the fifty (50) United States or the District of Columbia (the “Territory”) who are at least the age of majority in their state or jurisdiction of residence on the date of entry into this Sweepstakes. Corporate entities are not eligible and have no right to claim any prize won by their employees.
Employees, officers, directors, members, managers, agents, and representatives and family members of such individuals (or people living in the same household whether related or not) of Splunk Inc. (“Sponsor”), are not eligible. Corporate partners, parent companies, divisions, subsidiaries, affiliates, successors in interest, and advertising, promotion and public relations agencies, federal, state and local government employees, and government contracted agencies (collectively, the “Released Parties”) are not eligible. For purposes of this Sweepstakes, “family members” is defined as spouse, partner, mother, father, legal guardian, in-laws, grandmother, grandfather, brother, sister, children and grandchildren. Participation in this Sweepstakes constitutes entrant’s full and unconditional agreement to and acceptance of these Official Rules and the decisions of Sponsor.  TO ENTER:     Eligible individuals may enter this Sweepstakes by visiting [https://www.surveymonkey.com/r/YVXVYNM, https://www.surveymonkey.com/r/25ML3WC , https://www.surveymonkey.com/r/C9C3HSP , https://www.surveymonkey.com/r/C29X8NC ] (the "Sweepstakes Site") and following all onscreen entry instructions and links to complete and submit the Sweepstakes entry form during the Sweepstakes Period, including providing all required information, such as your first and last name, e-mail address, and company.  Each entrant should review all personal information entered for accuracy purposes and make all corrections necessary to inaccurate data before submitting his/her entry. For purposes of this Sweepstakes, an entry is “received” when Sponsor actually receives the completed entry form.  All entries must be received by Sponsor during the Sweepstakes Period or they will be void.  Proof of sending (such as an automated computer receipt confirming entry or “thanks for entering” screen or message) does not constitute proof of actual receipt of an entry. 
The Sweepstakes Site’s database clock will be the official timekeeper for entries in the Sweepstakes.  Normal Internet access and usage charges imposed by your Internet Service Provider may apply.  Limit one (1) entry per person and per email address. All entries submitted become the sole property of Sponsor and will neither be acknowledged nor returned. Those who do not provide the required entry information in their entry form or abide by these Official Rules and other instructions of Sponsor and its representatives may, in Sponsor’s sole discretion, be disqualified and all associated entries void. Purported entries that are forged, altered, incomplete, lost, late, misdirected, mutilated, illegitimate, incomprehensible, garbled, or generated by a macro, bot, or other automated means will not be accepted and will be void.  Entries or participation made on your behalf by any other individual, made by any entity or group, or originating at any web site other than the Sweepstakes Site, including, without limitation, through commercial promotion subscription notification or entering services, will be declared invalid and disqualified for this Sweepstakes. In the event of a dispute about the identity of an entrant, the entry will be declared made by the authorized account holder of the e-mail address submitted at time of entry, but only if that person meets all other eligibility criteria for this Sweepstakes. The authorized account holder is defined as the natural person who is assigned to an e-mail address by an Internet Service Provider, online access provider or other organization (e.g., business, educational institution, etc.) that is responsible for assigning e-mail addresses for the domain associated with the submitted e-mail address. With respect to a winning entry, the winner may be required to provide proof that the winner is the authorized account holder of the e-mail address associated with such winning entry. 
If a dispute cannot be resolved to Sponsor’s satisfaction, the entry will be deemed ineligible.  As a condition of entering the Sweepstakes, without limiting any other provision in these Official Rules, each entrant gives consent for Sponsor and its agents to obtain and deliver his or her name, address, and other information and content to third parties for the purpose of administering this Sweepstakes and complying with applicable laws, regulations, and rules.    WINNER SELECTION/NOTIFICATION:    Twenty (20) winner[s] will be selected in a random drawing from among all eligible entries received for the Sweepstakes. The drawing will take place about fourteen (14) business days of the close of the Sweepstakes Period. Decisions of the Sponsor are final on all matters relating to the Sweepstakes, including interpretation of these Official Rules, determining the winners, and awarding of the prizes.  Odds of winning a prize depend on the number of eligible entries received.   Sponsor or its designee will attempt to notify the potential winner[s] in this Sweepstakes approximately three (3) business days after the drawing date by email in Sponsor’s sole discretion.  Each potential winner of a prize may, in Sponsor's sole discretion, be required to complete, sign, have notarized (if applicable), and return an Affidavit of Eligibility and Liability/Publicity Release (unless prohibited by law) and tax documents, if applicable (collectively, “Prize Winner Documents”), any or all of which may require the potential winner to provide his or her Social Security Number, and a copy of a government-issued identification or number therefrom, within the time frame specified and in the form provided by Sponsor, without revision, or prize may be forfeited. 
The Prize Winner Documents, if applicable, must be received by Sponsor within three (3) business days of Sponsor sending the documents to the potential winner or other time frame as stated in the Prize Winner Documents, or prize may be forfeited and an alternate winner may be selected. If any prize, prize notification, or other Sweepstakes-related communication is returned as undeliverable, or if a selected winner cannot be reached or does not respond as instructed after Sponsor has attempted to notify that potential winner, that selected winner may be disqualified and an alternate winner may be selected (time permitting and in Sponsor’s sole discretion). Sponsor reserves the right to modify the notification procedures in connection with the selection of any alternate potential winner, if any. The prize claim and Prize Winner Documents are subject to verification by Sponsor. The prizes, if legitimately claimed, will be awarded. Prize elements will only be mailed to the winner’s residence within the Territory, unless Sponsor, in its sole discretion, approves shipment elsewhere. Sponsor will not be obligated to pursue more than three (3) alternate winners (time permitting) for any prize for any reason. By accepting a prize in this Sweepstakes, the winner represents that accepting the prize is in compliance with winner’s corporate gift receiving or other policies applicable to the winner.     PRIZES, QUANTITY AND APPROXIMATE RETAIL VALUE (“ARV”):    Twenty (20) winner[s], subject to verification, will each receive a prize, which consists solely of: a $25 gift code to the Splunk Store.    ARV of each prize: $25 USD.    Total ARV of all prizes: $500USD.    Prize details not specifically stated in these Official Rules will be determined in Sponsor’s sole discretion. 
All taxes (national/federal, state/provincial/territorial, and local), as well as any expenses not specified in these Official Rules as being provided as part of the prize, are the sole responsibility of each winner.  Sponsor is not responsible for and will not replace any lost, mutilated, or stolen prize, or any prize that is undeliverable or does not reach a winner because of incorrect or changed contact information.  If winner does not accept or use the entire prize, the unaccepted or unused part of the prize will be forfeited and Sponsor will have no further obligation with respect to that prize or portion of the prize.  Sponsor is not responsible for any inability of any winner to accept or use any prize (or portion thereof) for any reason.  Winner is strictly prohibited from selling, auctioning, trading or otherwise transferring any part of a prize, except with Sponsor’s permission, which may be granted or withheld for any reason in its sole discretion.  No transfers, prize substitutions or cash redemptions will be made, except at Sponsor’s sole discretion. Sponsor reserves the right to substitute the stated prize or portion thereof with another prize or portion thereof of equal or greater value for any reason, including, without limitation, prize unavailability. No more than the stated prizes will be awarded. By accepting a prize in this Sweepstakes, the winner represents that accepting the prize is in compliance with winner’s corporate gift receiving or similar policy.   LIMITATION OF LIABILITY:     NOTHING IN THESE OFFICIAL RULES LIMITS, EXCLUDES, OR MODIFIES OR PURPORTS TO LIMIT, EXCLUDE, OR MODIFY ANY STATUTORY CONSUMER GUARANTEES OR ANY IMPLIED CONDITION OR WARRANTY, THE EXCLUSION OF WHICH FROM THESE TERMS AND CONDITIONS WOULD CONTRAVENE ANY STATUTE OR CAUSE ANY PART OF THESE OFFICIAL RULES TO BE VOID ("NON-EXCLUDABLE GUARANTEES"). 
SUBJECT TO THE LIMITATIONS IN THE PRECEDING SENTENCE, SPONSOR EXCLUDES FROM THESE OFFICIAL RULES ALL CONDITIONS, WARRANTIES, AND TERMS IMPLIED BY STATUTE, GENERAL LAW, OR CUSTOM EXCEPT FOR LIABILITY IN RELATION TO A NON-EXCLUDABLE GUARANTEE. SUBJECT TO ANY NON-EXCLUDABLE GUARANTEES, EACH ENTRANT AGREES TO RELEASE, HOLD HARMLESS, AND INDEMNIFY THE RELEASED PARTIES FOR ANY LIABILITY WHATSOEVER FOR INJURIES OR DAMAGES OF ANY KIND SUSTAINED IN CONNECTION WITH THE USE, ACCEPTANCE, POSSESSION, MISUSE, OR AWARDING OF A PRIZE, WHILE PREPARING FOR, PARTICIPATING IN AND/OR TRAVELING TO OR FROM ANY SWEEPSTAKES OR PRIZE-RELATED ACTIVITY, INCLUDING, WITHOUT LIMITATION, ANY INJURY, DAMAGE, DEATH, LOSS, OR ACCIDENT TO PERSON OR PROPERTY (HOWEVER, ONLY IF REQUIRED BY LAW IN YOUR JURISDICTION, THIS RELEASE, HOLD HARMLESS, AND INDEMNIFICATION COMMITMENT DOES NOT APPLY TO CASES OF BODILY INJURY OR LOSS OF LIFE OR TO THE EXTENT THAT ANY DEATH OR PERSONAL INJURY IS CAUSED BY THE NEGLIGENCE OF SPONSOR OR OTHER THIRD PARTY, WHERE LIABILITY TO THE INJURED PARTY CANNOT BE EXCLUDED BY LAW). EACH WINNER AGREES THAT THE PRIZE IS PROVIDED AS-IS WITHOUT ANY WARRANTY, REPRESENTATION, OR GUARANTEE, EXPRESS OR IMPLIED, IN FACT OR IN LAW, WHETHER NOW KNOWN OR HEREINAFTER ENACTED, RELATIVE TO THE USE OR ENJOYMENT OF THE PRIZE, BEYOND ANY NON-EXCLUDABLE GUARANTEES.    
ADDITIONAL DISCLAIMERS:    To the extent permitted by the mandatory provisions of the applicable law, Released Parties are not responsible and/or liable for any of the following, whether caused by a Released Party, the entrant, or by human error (however, only if required by law in your jurisdiction, except to the extent that any of the following occur for reasons within Sponsor's reasonable control, where liability to the injured party cannot be excluded by law): entries made by illegitimate means (such as, without limitation, by an automated computer program) or entries in excess of any stated limits; any lost, late, incomplete, illegible, mutilated, or misdirected e-mail, mail, or Sweepstakes-related correspondence or materials; any error, omission, interruption, defect, or delay in transmission or communication; viruses or technical or mechanical malfunctions; interrupted or unavailable cable or satellite systems; errors, typos or misprints in these Official Rules, in any Sweepstakes-related advertisements or other materials; failures of electronic equipment, computer hardware or software; lost or unavailable network connections, or failed, incorrect, incomplete, inaccurate, garbled or delayed electronic communications. Released Parties are not responsible for electronic communications that are undeliverable as a result of any form of active or passive filtering of any kind, or insufficient space in a person’s e-mail account to receive e-mail messages. Released Parties are not responsible, and may disqualify an entrant, if his or her e-mail address, telephone, or other contact information does not work or is changed without giving prior written notice to Sponsor. 
Released Parties are not responsible for any changes or unavailability of any web site that may interfere with the Sweepstakes or ability of a person to timely participate, receive notices or communicate with Sponsor, in which case Sponsor, in its sole discretion, may terminate or modify the Sweepstakes. Without limiting any other provision in these Official Rules, Released Parties are not responsible or liable to any entrant or any person claiming through such entrant for failure to supply the prize or any part thereof in the event that any of the Sweepstakes activities or the Released Parties' operations or activities are affected, as determined by Sponsor in its sole discretion, including, without limitation, by reason of any acts of God, any action, regulation, order or request by any governmental or quasi-governmental entity (whether or not the action, regulations, order or request proves to be invalid), equipment failure, threatened terrorist acts, terrorist acts, air raid, blackout, act of public enemy, earthquake, war (declared or undeclared), fire, flood, epidemic, explosion, unusually severe weather, hurricane, embargo, labor dispute or strike (whether legal or illegal), labor or material shortage, transportation interruption of any kind, work slow-down, civil disturbance, insurrection, riot, or any law, rule, regulation, order or other action adopted or taken by any national, federal, state, provincial, territorial, or local government authority, or any other cause, whether or not specifically mentioned above.   
GENERAL RULES:    By entering this Sweepstakes (except where prohibited by law), each entrant grants the Released Parties the irrevocable, sublicensable, free of charge, absolute right and permission to use, publish, post or display his or her name, photograph, likeness, voice, entry information, biographical information, any quotes attributable to him or her and any other indicia of persona (regardless of whether altered, changed, modified, edited, used alone, or used with other material in the Released Parties' sole discretion) for advertising, trade, promotional and publicity purposes without further obligation or compensation of any kind to him or her, anywhere, in any medium now known or hereafter discovered or devised (including, without limitation, on the Internet), worldwide, without any limitation of time and without notice, review or approval and each entrant releases all Released Parties from any and all liability related to such authorized uses. Nothing contained in these Official Rules obligates Sponsor to make use of any of the rights granted herein and each entrant waives any right to inspect or approve any such use.   Sponsor's decisions will be final in all matters relating to this Sweepstakes, including interpretation of these Official Rules, selection of the winner[s], and awarding of the prize[s]. All entrants, as a condition of entry, agree to be bound by these Official Rules and the decisions of Sponsor. Failure to comply with these Official Rules may result in disqualification from the Sweepstakes. Participants further agree not to damage or cause interruption of the Sweepstakes and/or prevent others from participating in the Sweepstakes or using the Sweepstakes Site. Sponsor reserves the right to restrict or void participation from any IP address if any suspicious entry and/or participation is detected. 
Sponsor reserves the right, in its sole discretion, to void participation by any person who Sponsor believes has attempted to tamper with or impair the administration, security, fairness or proper play of this Sweepstakes. Sponsor's failure to or decision not to enforce any provision in these Official Rules will not constitute a waiver of that or any other provision. In the event there is an alleged or actual ambiguity, discrepancy or inconsistency between disclosures or other statements contained in any Sweepstakes-related materials and these Official Rules (including any alleged discrepancy or inconsistency within these Official Rules), it will be resolved by Sponsor in its sole discretion. Participants waive any right to claim ambiguity in the Sweepstakes or these Official Rules. If Sponsor determines (at any time and in its sole discretion) that any winner or potential winner is disqualified, ineligible, in violation of these Official Rules, or engaging in behavior that Sponsor deems obnoxious, inappropriate, threatening, illegal or that is intended to annoy, abuse, threaten or harass any other person, Sponsor reserves the right to disqualify such winner or potential winner, even if the disqualified winner or potential winner may have been notified or displayed or announced anywhere. The invalidity or unenforceability of any provision of these Official Rules will not affect the validity or enforceability of any other provision. In the event that any provision is determined to be invalid or otherwise unenforceable or illegal, these Official Rules will otherwise remain in effect and will be construed in accordance with their terms as if the invalid or illegal provision were not contained herein. 
If the Sweepstakes is not capable of running as planned for any reason, Sponsor reserves the right, in its sole discretion, to cancel, modify or suspend the Sweepstakes and award the prizes based on eligible entries received prior to cancellation, modification, or suspension, if any, or as otherwise deemed fair and appropriate by Sponsor. If any person supplies false information, participates or obtains entries by fraudulent means, or is otherwise determined to be in violation of these Official Rules in an attempt to obtain a prize, Sponsor may disqualify that person and seek damages from him or her and that person may be prosecuted to the full extent of the law. If a dispute cannot be resolved to Sponsor's satisfaction as to who submitted an entry, such entry will be deemed ineligible. CAUTION: ANY ATTEMPT TO DAMAGE ANY ONLINE SERVICE OR WEB SITE OR UNDERMINE THE LEGITIMATE OPERATIONS OF THE SWEEPSTAKES VIOLATES CRIMINAL AND CIVIL LAWS. IF SUCH AN ATTEMPT IS MADE, SPONSOR MAY DISQUALIFY ANY PARTICIPANT MAKING SUCH ATTEMPT AND MAY SEEK DAMAGES TO THE FULLEST EXTENT PERMITTED BY LAW.   PRIVACY:     Each participant agrees to the use of the personal information submitted when they submit an entry as detailed in Sponsor's Privacy Policy posted at https://www.splunk.com/en_us/legal/privacy/privacy-policy.html. Participants give consent for Sponsor to obtain and deliver his or her name, address and other information to third parties for the purpose of administering this Sweepstakes, as detailed in Sponsor's privacy policy and complying with applicable laws, regulations, and rules. The data provided by participants (including, without limitation, participant’s personal data) will be used for the following purposes: (a) to contact potential winners, and (b) if a participant elects to receive additional information from Sponsor on the entry form, to send additional information to that person. 
Participants have a right of access to, modification and withdrawal of their personal data. They also have the right of opposition to the data collection, under certain circumstances. To exercise such right, they may write to Sponsor at the address below. The data controller is Sponsor. The recipient of the data is Sponsor. Unless otherwise advised, Sponsor may also use the information for promotional, marketing and publicity purposes. Entrants should direct any request to access, update or correct information to Sponsor. Please note that by participating in the Sweepstakes and accepting these Official Rules, you acknowledge and consent to the use of your data as set out above.   DISPUTES/GOVERNING LAW: Except where prohibited, any and all disputes that cannot be resolved between a participant and any Released Party, claims and causes of action arising out of or connected with this Sweepstakes, or any prize awarded, or the determination of a prize winner must be resolved individually, without resort to any form of class action. Further, in any such dispute, under no circumstances will a participant be permitted or entitled to obtain awards for, and hereby waives all rights to claim punitive, incidental or consequential damages, or any other damages, including attorneys' fees, other than the participant’s actual out-of-pocket expenses (if any), not to exceed ten dollars ($10 USD), and each participant further waives all rights to have damages multiplied or increased.   This Sweepstakes and any dispute arising under or related thereto (whether for breach of contract, tortious conduct or otherwise) will be governed by the internal laws of the State of California, without giving effect to its conflicts of law or choice of law principles or rules that would cause the application of any other state's/province's/federal laws. 
Any legal actions, suits or proceedings related to this Sweepstakes (whether for breach of contract, tortious conduct or otherwise) will be brought exclusively in the state or federal courts located in San Francisco County, California, and each entrant accepts and submits to the personal jurisdiction of those courts with respect to any legal actions, suits or proceedings arising out of or related to this Sweepstakes.   WINNER’S LIST/OFFICIAL RULES:  To find out who won, send a self-addressed stamped envelope to the following address within three (3) months of the end of the Sweepstakes Period: Splunk Phantom Product Feedback Survey – Winner’s List, c/o: Splunk, 270 Brannan Street, 1st Floor, San Francisco, CA 94107. For a copy of these Official Rules during the Sweepstakes Period, visit https://community.splunk.com/t5/Splunk-Phantom/The-Splunk-Phantom-Product-Feedback-Survey-Sweepstakes-Official/td-p/531580 or send a self-addressed stamped envelope to the following address for receipt during the Sweepstakes Period: Splunk Phantom Product Feedback Survey - Rules, c/o: Splunk, 270 Brannan Street, 1st Floor, San Francisco, CA 94107.  Only one (1) request of either type per outer envelope will be fulfilled. VT residents may omit return postage for rules requests.     THE SPONSOR OF THIS SWEEPSTAKES IS: Splunk Inc., 270 Brannan Street, 1st Floor, San Francisco, CA 94107. 
Good afternoon, I would like to set up McAfee ePO to send data to syslog-ng. I have the McAfee portion set up to send data to the syslog server on port 6514. The problem that I'm having is that I am not sure what needs to be done on the server (CentOS 7) side to establish the connection.
* The firewall is configured for the port used
Hello, are there any resources available that provide some structured process for manipulating or creating a personalized look-and-feel for the Splunk User Interface (UI)? Is this possible to achieve? I have seen relatable questions that have gone unanswered, some with timestamps two weeks ago. I would like to provide potential stakeholders with options to pursue this utilizing Enterprise licenses of Splunk.  Thank you for any reply. Nick
Hello, I am having an issue where sometimes I can see events and sometimes not. An example is: I tested event 4625 with my account and I can see it in Splunk, but a colleague generated the same event and it does not show up in Splunk. I can see both events in the event viewer so I am not sure why this is going on. I have made sure the search has the correct time selection. Another note: I can see other events from his account in Splunk. Thanks!
Hi All, We are getting the DMC Alert - Near Critical Disk Usage on all four of our indexers. We are running Splunk in a distributed environment on AWS Windows servers, and now, due to the AWS 16 TB disk space limit, we are unable to extend the drive. Can you please suggest a suitable solution for this issue?
I'm trying to optimize this report to successfully run without errors.  It will currently run for 3-5 hours and grow to 750+MB then fails, then starts again and runs for 15 hours and grow to 8MB and ... See more...
I'm trying to optimize this report to successfully run without errors. It currently runs for 3-5 hours and grows to 750+MB, then fails, then starts again, runs for 15 hours, grows to 8MB and completes. After it completes, there are no results in the report. This is the query, running over the last 30 days.

    index=web OR index=web_long sourcetype="*iis*" NOT ("HealthCheck" OR "localhost" OR "F5" OR "*LtmActivityMonitor*") NOT cs_uri_stem="/"
    | eval id=coalesce(upper(app_id), upper(id))
    | rename id AS AppId
    | join type=inner AppId, host overwrite=false
        [ search index=im sourcetype=db LogType="web" earliest=-45d
        | eval host=lower(ServerName) ]
    | head 500000
    | eval missing_field=mvappend(
        case(isnull(c_ip), "c_ip"),
        case(isnull(cs_bytes), "cs_bytes"),
        case(isnull(cs_host), "cs_host"),
        case(isnull(cs_method), "cs_method"),
        case(isnull(cs_uri_stem), "cs_uri_stem"),
        case(isnull(cs_version), "cs_version"),
        case(isnull(date), "date"),
        case(isnull(s_computername), "s_computername"),
        case(isnull(s_ip), "s_ip"),
        case(isnull(s_port), "s_port"),
        case(isnull(sc_bytes), "sc_bytes"),
        case(isnull(sc_status), "sc_status"),
        case(isnull(cs_Referer), "cs_Referer"),
        case(isnull(cs_User_Agent), "cs_User_Agent"),
        case(isnull(time), "time"),
        case(isnull(x_forwarded_for), "x_forwarded_for") )
    | fillnull value=None
    | mvexpand missing_field
    | where missing_field != ""
    | stats latest(_raw) AS latest_raw BY AppId, index, sourcetype, missing_field, host, source
    | stats values(missing_field) AS missing_field BY AppId, index, sourcetype, host, latest_raw, source
    | table AppId, index, sourcetype, missing_field, host, latest_raw, source
    | where missing_field!= ""
Hello, I am having a problem with the token initialization in my dashboard. Here is a snippet of my dashboard. The problem comes for the token spd_cft_id. It depends on the previous token, and hence for the moment I just mapped the previous token value. When I make the changes to the code and save it, it works, but when I open the dashboard in a new page or refresh the page, it does not work. The panel hangs saying waiting for input. I tried to set the tokens in init tags as well, but still the same behavior. Am I missing something? Could you please provide some pointers. Thanks

    <form theme="dark" refresh="60">
      <label>MONITORING</label>
      <fieldset submitButton="false" autoRun="true">
        <input type="dropdown" token="envspd" searchWhenChanged="true">
          <label>Environment</label>
          <choice value="r">PROD</choice>
          <choice value="i">INDUS</choice>
          <choice value="a">ACCEPTANCE</choice>
          <choice value="d">DEV</choice>
          <default>r</default>
          <initialValue>r</initialValue>
          <change>
            <condition value="d">
              <set token="spd_idx">igs</set>
            </condition>
            <condition value="a">
              <set token="spd_idx">idgs</set>
            </condition>
            <condition value="i">
              <set token="spd_idx">idogs</set>
              <set token="spd_cft_idx">idinel</set>
              <set token="spd_cft_src">dbnel*</set>
              <set token="spd_tws_cpu">IA23*</set>
            </condition>
            <condition value="r">
              <set token="spd_idx">idgs</set>
              <set token="spd_cft_idx">idl</set>
              <set token="spd_cft_src">del*</set>
              <set token="spd_tws_cpu">RA2*</set>
            </condition>
          </change>
        </input>
        <input type="dropdown" token="instancespd" searchWhenChanged="true">
          <label>Instance</label>
          <choice value="ple">PLE</choice>
          <choice value="tce">TCE</choice>
          <choice value="acj">ACJ</choice>
          <choice value="core">CORE</choice>
          <default>ple</default>
          <initialValue>ple</initialValue>
          <change>
            <condition value="core">
              <set token="spd_stype">st_splunklog</set>
            </condition>
            <condition value="acj">
              <set token="spd_stype">st_acj_splunklog</set>
            </condition>
            <condition value="tce">
              <set token="spd_stype">st_ple_splunklog</set>
            </condition>
            <condition value="ple">
              <eval token="spd_cft_id">$envspd$</eval>
              <set token="spd_file_id">PE</set>
              <set token="spd_in_file_count">5</set>
              <set token="spd_stype">st_tce_splunklog</set>
            </condition>
          </change>
        </input>
Hi, I was trying to add 2 rows into a single row. After combining, I am getting results for the 1st column, but not for the 2nd result. Is something wrong here?

    host=t-fus* ("SRCreateRequest" OR "SRPublishRequest" OR "SRUpdateRequest" OR "JNPRCreateSRPublish" OR "JNPRPostSRUpdate" OR "JNPRUpdateSRPublish") (Publisher: Completed OR fallacy )
    | rename JNPRCreateSRPublish as SRCreateRequest
    | rename JNPRPostSRUpdate as SRPublishRequest
    | rename JNPRUpdateSRPublish as SRUpdateRequest
    | rex "(?<API> SRCreateRequest | SRPublishRequest | SRUpdateRequest )"
    | rex "(?<status>Completed| fallacy)"
    | where isnotnull(status)
    | append
        [| makeresults
        | eval API=split(" SRCreateRequest | SRPublishRequest | SRUpdateRequest ", "|")
        | mvexpand API]
    | chart count as count1 by API,status
    | table API, Completed, Error
    | fillnull value=0 Error, Completed
Hi Splunkers,

Our customer is demanding to reduce cost on infra with storage aspects on indexers. Initially we had provided RAID 10 configurations (as per Splunk recommendations), but now we are moving forward with a RAID 0 configuration, as it will halve our storage requirement and will provide good IOPS at least. Is anyone using RAID 0 on prod for indexers?

I managed a few by reducing the data retention policy. We have estimated 400 GB of daily ingestion by 400 UFs. Indexer cluster with 2 indexers, and 1 search head. We may not have more than 2 users on the search head and a limited amount of searching (mostly scheduled searches).

The infra service provider is providing some integrated disk backup for the indexers; this is where I will currently be investigating what exactly they are using as disk backup.

I doubt if we can request RAID 10 for hot and warm and RAID 0 for cold... this is what is again worrying me right now. But can anyone let me know if they are successfully using RAID 0 for indexers on prod?
Trying to test out the Jenkins Plugin for Splunk, but keep getting "Connection Reset" when I do a test. I'm able to curl to the HTTP Endpoint Collector with no issue. For the curl, I am not using the input nor the http-inputs before the hostname:

    curl -k https://prd-xxxx.splunkcloud.com:8088/services/collector/event -H "Authorization: Splunk mytoken" -d "{\"event\": \"testing curl\"}"

result:

    {"text":"Success","code":0}

The Jenkins plugin seems to want me to use the input/http-inputs wording in the URL before the hostname. I get this as a warning message: "You are using Splunk Cloud, please provide host name starts input- or http-inputs-, please try input-prd-xxxx.splunkcloud.com or http-inputs-prd-xxxx.splunkcloud.com. See also http://dev.splunk.com/view/event-collector/SP-CAAAE7G" (The link it gives is not helpful.)

When I use the input-prd-xxxx.splunkcloud.com or http-input-prd-xxxx.splunkcloud.com along with 443 as the port, I get "name or service not known". The curl reacts the same way when these parameters are used. When I use just prd-xxxx.splunkcloud.com with 8088 as the port, I get "Connection Reset".

I'm running Jenkins Enterprise 2.222.4.3-rolling and Splunk is 8.0.2006. Thanks in advance.
Like the title says - how are individual searches in a multisearch handled? Are they distributed across any/all available search slots on any/all available Search Heads? Or do they only run on the Search Head that initiates the search? Say you have several Search Heads in a Search Head Cluster. And you have a multisearch like the following:

    | multisearch
        [| search index=ndxA sourcetype=srctpA fieldA=* | fields fieldA ]
        [| search index=ndxB sourcetype=srctpB fieldA=* fieldB=* | fields fieldA fieldB ]
        [| search index=ndxC sourcetype=srctpC fieldB=* | fields fieldB ]
        [| inputlookup MyFancyLookup where myLField1=G* | fields myLField1 fieldA fieldB ]
    | fillnull value="-" fieldA fieldB myLField1
    | stats count by fieldA fieldB myLField1

Will each of the | search or | inputlookup lines run, potentially, on a different Search Head? Or will they all be run from the initiating Search Head?
I understand that I should obtain results if I also consult only specifying the sourcetype and the rest of the search criteria, but I don't know why it does not bring results. How could I solve it?

There are results:

    index = myindex sourcetype = my sourcetype

No results:

    sourcetype = my sourcetype
Our system logs an event when it receives a message (with a unique key). Some time later our system also logs an event when we are ready (same unique key). There are also messages in between. I want to be able to find which messages have already arrived, but for which we do not (yet) have a "ready" event. I now have this query:

    index = <our index> ApplicationName = <our application>
    | sort DOCID
    | stats first(_time) as start last(_time) as end by DOCID

And that gives a table with 3 columns, in which sometimes there is an equal value of start and end. But I now want a list of DOCIDs that do have a start event but no end event.