All Topics

Hi Community! I have a problem extracting a table from an XML event. The data looks like this:

<data type="info" text="sales: VW;1;30.000; Bentley;1;70.000; Seat;1;15.000; Dacia;1;10.000; Fiat;1;20.000; ">
  <customer>Mr.X</customer>
  <time>2020-11-28 16:21:00</time>
</data>

Now I want to have the fields cartype, quantity and price (VW;1;30.000;), so that I can summarize all the sales from one day. Could you please help me with that? Thank you very much! Rob
Hello, I installed the ITSI app and also Java OpenJDK 11 on CentOS. I assigned my admin user the itso_admin role and took a look inside the app. The documentation says I must create entities, so I go to Configuration -> Entities -> Create Entity. But I cannot find a "Create Entity" button. I tried Chrome and Edge as browsers, both the same. Any ideas what's missing or going wrong?
Hi, I am new to Splunk and currently doing a POC to monitor a DB2 database and an AS400 running on IBM. Has anyone had the chance to work on the same setup? Basically, the objective is to have proactive alerts or some kind of monitoring dashboard for the DB2 database and, if possible, a self-healing mechanism through the report. I would really appreciate it if someone had some ideas to share.
Hi Splunkers, is it possible to send events to a subset of the indexers in a cluster, for load balancing? The other indexers are in a different network and we don't want to punch through the firewall, and we are not inclined to use gateway forwarders either.
I'm pretty technical... I got Splunk installed on CentOS, everything works OK, but for the life of me I can't figure this out:

11-27-2020 23:53:54.093 -0500 WARN TcpOutputProc - The TCP output processor has paused the data flow. Forwarding to host_dest=192.168.1.109 inside output group default-autolb-group from host_src=splunk has been blocked for blocked_seconds=710. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

Ports are open for 8000, 9997 (receiving port), and 8089. Plenty of disk space, though when I do ss -l | grep 9997 I do not see anything for port 9997, even though I've unblocked the port 1000 times.
The code below is throwing an error: {"messages":[{"type":"WARN","text":"call not properly authenticated"}]}

    import requests
    from xml.dom import minidom

    r = requests.get(base_url + "/servicesNS/admin/search/auth/login",
                     data={'username': username, 'password': password},
                     verify=False)
    sessionkey = minidom.parseString(r.text).getElementsByTagName('sessionKey')[0].firstChild.nodeValue
    print("Session Key:", sessionkey)

Output:

Session Key: im0t_JBlWSnQnaWwFCj016^q_QEYutHbpQMBGLEHlxOesSAVh6iQ0X8Y4tcoQR5a4lwr3I2ayDgBVNx0412THyMkON0iO6^Af_2DCYS1F8Eseo

I see the session key here. No issues so far. But when I pass the above session key to the requests.post below, I see the error. What am I doing wrong here?

    url = base_url + "/services/search/jobs?output_mode=json"
    headers = {
        "content-type": "application/x-www-form-urlencoded",
        "Authorization": "Splunk %s" % sessionkey,
    }
    payload = {
        "search": "|rest /servicesNS/%s/search/directory" % kouser,
        "count": 0
    }
    r = requests.post(url, headers=headers, data=payload, verify=False)
    print(r.text)

{"messages":[{"type":"WARN","text":"call not properly authenticated"}]}

Is there anything wrong here?
Hi, when I am ingesting a CSV file to Splunk Cloud, a few events get truncated from the file. How do I resolve this? sourcetype=csv. I have used a forwarder-level props.conf:

[csv]
INDEXED_EXTRACTIONS=csv
I'm not able to visualize a list of values as I would like. My input is a lookup with the names of kindergartens, the location (longitude, latitude), and the number of available places, like:

Kindergarden    Latitude   Longitude   AvailPlaces
Misty Gardens   15.5534    10.5432     12
Dragon's den    15.6342    10.6533     4
Mighty Duck     15.1342    10.5423     0

I would like to show a map of the kindergartens with the available places as a value. In theory, I think this should be possible using geostats, but I can't get it to work. It almost seems like I need to split the list entries, e.g. so that Dragon's den has 4 events, to use "geostats count by Kindergarden". Is there another way of achieving this?
Hi all, I upgraded a Splunk Enterprise from 6.5.2 to 8.1.0, passing through 7.1.10, running on Windows 2019. I upgraded Lookup Editor to the latest version, but when I try to open a lookup the central part of the dashboard is missing; the other buttons are OK, but I don't have the central part of the dashboard. Has anyone encountered the same problem? Where could I search for the problem and the solution? Ciao and thanks. Giuseppe
Hello to all, I have a problem with the Splunk Platform Upgrade Readiness App. When I launch it, the window is entirely white, with no objects and no error messages. I am using Splunk 8.1.0 on Windows 2019. Has anyone had similar problems? Where could I look for the problem? Ciao. Giuseppe
I recently had access to my Splunk web interface this morning. It said an update was required, so I did that and then restarted Splunk. After the restart, the web interface never came back. Splunk would say it was running with the ./splunk status command, and it was even listening on ports 8089 and 9997, which had been configured earlier. I tried everything to get it to work again and it just would not. My computer's firewall was completely disabled and Splunk would continue to have an inactive web interface. I completely uninstalled it and reinstalled Splunk, and to my surprise this frustrating message appeared. So it seems I will no longer have access to the web interface even after a complete reinstall. Is this just a broken application now? Wouldn't a reinstall have gotten my Splunk back online when it worked only this morning?
My search is | inputlookup "edgarlog2.csv". The lookup file has no events attached to it; what is a way to add events from a lookup file whilst viewing it in the main Search and Reporting app? Any help would be great, thanks.
I created an account for education purposes for my company this morning. I can't install Splunk locally due to work requirements, so I was opting for the Splunk Cloud 15-day trial option. When I initialized the free trial, I never received the initial email it referenced, and now I cannot log in. I have also tried to reset my password twice, and while I did get "reset password" emails, neither of those temporary passwords worked with my username. What should I do?
The glass table was showing tiles with the search result number, depending on the color which has been set. It was showing properly. All of a sudden, from today, the red colored ones are showing as grey with N/A inside. It was working and showing the values until yesterday, even when the color changed from green to red. Could someone help me fix this issue?
How do I start by connecting 2 of my network IPs to Splunk? I would like to view the system activities and predictive maintenance for any HDD failure. Thank you
How does one enrich using data from another app space? Or: how can one write enrichment data to another app space? I need to enrich a search with data whose source is in another app space. The enrichment data is temporal in nature, in that it can change at a moment's notice. The fields are mostly string data that deal with relationships and are derived from the source app's event index. A scheduled job can be run to build the relationships out of events. The environment is partitioned into several app spaces representing services, where users of one service do not have access to the index or knowledge objects in the app of another; there is an emphasis on role-based access. New to the environment is site reliability engineering, where users from other services would be able to access the SLI/SLO (and possibly KPI) metrics of any other service.

My current thinking is that summary reporting to a common index (SRE) would work, but the needed enrichment data would be missing. I was thinking that outputlookup would be the right way to go to generate the data and share it, but I have few controls over where the CSV is made available. The controls create_context=[app|user|system] and createinapp=<bool> will only work if the share source has write access to the system-level space. I could concatenate the fields of the CSV and write a numeric value of 1 to a summary index to achieve the effect, but somehow that feels wrong. Guidance needed, Tim
I am getting this error and need help troubleshooting and resolving the issue: "App: [ForeScout App for Splunk] could not read index from : [ForeScout Technology Add-on for Splunk]"
Hello, my Splunk dev license expired and I renewed it, but I immediately get license violations and search was disabled. The licence has been renewed (see attached screenshot). Error message: Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.
Hello, I encountered a problem when trying to execute the dbxquery command if there are Cyrillic characters in the query. Tried:

| dbxquery connection="connection_name" query="select 'тест' as test from dual"

and the search freezes in "Parsing job". If I remove the Cyrillic symbols from the query, the search works without problems:

| dbxquery connection="connection_name" query="select 'test' as test from dual"

DB Connect version 3.4.0. Has anyone come across a similar issue? How can this be solved?
Hello everyone, I have the following pattern of logs and I'm trying to use rex to filter the values, but I'm having problems because of the + in some events. Can you help me? I started doing it like this:

| rex field=_raw "attr_actor_agent_id\s(?<agent_id>.*)"

I need to get only the last 4 digits after "_". Example: 1243, 3232, 1122, 5454, etc.

attr_actor_agent_id [str] = "LB_DFSVGLQ_1243"
attr_actor_agent_id [str] = "AT_APARPRI_3232"
attr_actor_agent_id [str] = "TR_REGIBEL_1122"
attr_actor_agent_id [str] = "GP_DAYAPAN_5454"
attr_actor_agent_id [str] = "LB_BIANIBR_5454"
attr_actor_agent_id [str] = "AS_NAYRVIE_3232"
attr_actor_agent_id [str] = "AS_LUMANAS_4343"
attr_actor_agent_id [str] = "AS_MBCEVDJ_9111"
attr_actor_agent_id [str] = "LB_SILVWAN_4343"