Good day, I am new to Splunk and have just completed the Fundamentals I course. For my first use case I am looking for an example where I can create reports/dashboards on average time spent in our systems. I have a key (orderid), and multiple systems log events where they provide this orderid as a field. In some systems the process continues after a human has acted. This might take hours or days. I need to display stats like: average time to process an order end to end, but also the number of orders that have started but have not yet ended. Thanks. Can you point me to a sample/documentation that will help me to achieve this?
Is there any function to find the degree of similarity between 2 strings? I want to compare the current incident short_description to historical incidents to get suggested resolutions. Also, if it ignores words like this, that, these, those, a, an, etc., it would be a better comparison. Thanks in advance.
We have a managed Splunk Cloud tenant. I am trying to set up forwarding of on-prem server logs to Splunk Cloud. I've been able to successfully do this by installing the universal forwarder application on the servers and configuring inputs.conf. We have no deployment server. Our setup is on-prem server directly to Splunk Cloud over port 9997. The issue I have is that the default Splunk CA cert is being used and there are warnings in the splunkd log file saying I should use another cert, but I can't find any useful info in the docs about how to go about this. From what I've been able to find out, the data is encrypted going out to Splunk Cloud, but anyone with the cert could decrypt it as it comes with every forwarder installation. Has anyone any experience of setting up proper TLS for universal forwarders connecting directly to Splunk Cloud? For reference, I am currently testing on Windows Servers but will need to forward some Linux logs at some point too.
Hello everyone, I am facing some issues with the log restoration process from Azure cloud to Splunk. I have gone through the epoch time conversion process to get the exact date for a file, then restored the particular file using the shell commands. But right now I want to restore two months of log data in Splunk, so the previous process is really time consuming and there is a chance that we might miss some of the data for a particular time interval. So is there any way we can restore the two months of data using some prebuilt commands, or is there any process to ease the task? Thanks in advance.
I am using a pie chart for visualization which has more than 500 records. For the first 10 values I am getting different slices; however, the remaining details are clubbed into the "Other" option. The requirement is, when we click on each slice it will be considered as a token and passed to the next panel as an input. Then in the new panel a table will be displayed for that value along with additional details. The issue is when I am clicking on the "Other (12)" value it is considering "Other (12)" as the token value. Can someone help me to identify how I can expand the Other option and create the corresponding statistics table for it?
Hi Community, we are currently running into an alert issue with the Hangouts Webhook on Splunk. Unsure how to start troubleshooting the webhook configuration. Any guidance will be greatly appreciated.
Logs:
INFO sendmodalert - Invoking modular alert action=hangsout_chat_alert for search="************" sid="rt_scheduler__******
+0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - Traceback (most recent call last):
+0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - File "/opt/splunk/etc/apps/TA-hangsout-chat-webhook/bin/hangsout_chat_alert.py", line 48, in <module>
+0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - exitcode = AlertActionWorkerhangsout_chat_alert("TA-hangsout-chat-webhook", "hangsout_chat_alert").run(sys.argv)
+0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - File "/opt/splunk/etc/apps/TA-hangsout-chat-webhook/bin/hangsout_chat_alert.py", line 15, in __init__
+0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - super(AlertActionWorkerhangsout_chat_alert, self).__init__(ta_name, alert_name)
+0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - File "/opt/splunk/etc/apps/TA-hangsout-chat-webhook/bin/ta_hangsout_chat_webhook/alert_actions_base.py", line 29, in __init__
+0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - sys.stdin.read(), self._logger, alert_name)
+0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - File "/opt/splunk/etc/apps/Splunk_SA_CIM/lib/cim_actions.py", line 157, in __init__
+0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - if isinstance(self.sid, basestring) and 'scheduler' in self.sid:
+0200 ERROR sendmodalert - action=hangsout_chat_alert STDERR - NameError: name 'basestring' is not defined
+0200 INFO sendmodalert - action=hangsout_chat_alert - Alert action script completed in duration=266 ms with exit code=1
+0200 WARN sendmodalert - action=hangsout_chat_alert - Alert action script returned error code=1
Our Splunk email alerts are being sent without a Sender (see the screenshot below; "Afzender" is sender), resulting in them being quarantined by Office 365. I tried the following actions, but these did not fix the problem; the sender is still seen by Office 365 as "<>":
- Putting an email address in the "Send emails as" form on the Server settings > Email settings page
- Putting "Splunk" in the "Send emails as" form on the Server settings > Email settings page
- Editing alert_actions.conf to "from = mail username" and "hostname = mail" domain name, based on a Splunk forum post I found.
When I release the quarantined email within Office 365, the alert email sender is shown in my Outlook Inbox as "(splunk via SERVERHOST)splunk". SERVERHOST is the server hostname, but I can't post that in this example due to security concerns. This sender name also does not change within Outlook when changing this in alert_actions.conf / email settings within Splunk.
Mail server settings in Server settings > Email settings (anonymized):
Mail host: mail hosting server
Email security: none
Username: none
Password: none
I tried looking for other solutions in this forum, but these are all I could find. If anybody can point me in the right direction / knows how to fix this, that would be greatly appreciated.
Hello Forum, I am facing a problem related to a 2-line search. My logs have information like this:
1: data received
2: data origin form XXXXX company
3: data identifier code is YYYYY
4: data not supported
I want to search XXXXX and YYYYY (i.e. manufacturer name and data identifier code) and get the result in one single query. In our case both pieces of information are received in different log lines. Can someone help us here to get the search string format? Thanks in advance.
Hello! I'm using the full-feature AWS Organization. It allows you to create an aggregator that contains Config data from all accounts and regions in the organization. Is it possible to get this data into Splunk using the Splunk Add-on for AWS? I can't find a good option for it. Of course, I can create a bucket with all the config data from all accounts, but it requires a lot of effort and seems unreasonable. Maybe it is possible to create an input which utilizes the get-aggregate-resource-config method? It looks much easier to query a single API endpoint than to set up data collection from different sources to one place. BTW, it could be a good substitute for Describe with Assume Role inputs.
LDAP is already configured and I see many users with LDAP authentication. Now I want to create new users with LDAP authentication. But I don't see any options to choose LDAP authentication. Please help here. @isoutamo @ITWhisperer @gcusello @thambisetty
Hello, let me explain the use case: we are using SAML as the authentication system, and we need to give specific users specific roles; there is no group information in the IdP that can be correctly mapped to the roles. The role attribution can be very specific and also on-demand. Because of that, we thought we could use the "mail" attribute to map roles; this way we could manually give the specific roles to the individual users, and it would work. But now we also want all other users trying to access Splunk to be able to sign on and automatically get a very limited default role with minimal permissions, without having to assign this limited role manually to each one of them. We tried using the configuration:
[saml]
defaultRoleIfMissing = my_limited_role
...
But random/unmapped users who try to access Splunk get the error "No valid splunk role found in local mapping." and can't sign on, so I was wondering if it was possible to do it in some way. Thank you for your help!
Can you please suggest the CIM mapping and what data model we can use for the Canary app?
https://splunkbase.splunk.com/app/3980/
https://splunkbase.splunk.com/app/3981/
I would like to sum the "count" of the "Core Content" field's first 2 max values, and finally divide them by the total count. For example:
Core Content   Count
4268           2223
4267           1794
4266           305
4265           90
4264           19
4263           63
4262           133
4261           34
4260           26
Total          4768
In this table, I want the calculation below to be implemented using eval: (2223+1794) / 4768, where 2223 is the count for the 1st max value of core content, 1794 the count for the 2nd max value of core content, and 4768 the total count. How do I calculate this using eval?
The requirement is to develop an application (say abc) which depends on the splunk_app_db_connect app (available on the Splunk applications repo). When I package abc, I specify splunk_app_db_connect as a dependency in the app.manifest file. My expectation is that when I try to install 'abc' using the tar.gz file, it should automatically install the db_connect app. But it does not. Is there a way around it? It would be beneficial if app 'abc' and all its dependencies could be bundled together and given as a single tar to the end user.
Hello, I have data in a lookup file which I am appending to every day instead of indexing.
Time              Device  Infra Average  Tool1  Tool2
11/26/2020 03:56  6223    95             88.41  95.69
11/27/2020 03:56  6220    94             88.39  95.74
In the lookup file I have data in the above format. What is the best way to show in a graph/chart the evolution of each field by Time? Thanks
Hi Splunkers, does anyone of you know or have experience integrating IoT devices for motorcycle/car insurance telematics? Does it need any third-party apps, or does Splunk already have an app for this? Any recommendation will be appreciated. I already looked on the internet and it seems I haven't got useful data. So maybe I can get a hint from this community.
Hello team! I would like to ask you a question since I have been thinking about it for a while and I am not getting it. I want to compare the user field of my search with the REGISTER field of my CSV. The problem is that I have to adapt the user field first to be similar to REGISTER. I have tried with:
search | eval user=split(user,"\\") | lookup csvfile.csv REGISTRO as usern | values(user) .... | where user=usern
I can't use inputlookup because I have to do | eval user=split(user,"\\") first:
[| inputlookup csvfile.csv | rename REGISTRO as usern | fields usern]
The user field is like aaaa111 and REGISTER is like XXX\aaaa111
Thank you!
Regarding the dashboard input panels: I'm trying to set values into a multiselect when I select a certain radio option. Basically I have 2 fields:
1) a multiselect that can have values a and/or b
2) a radio with 3 options: the first sets the multiselect to value a, the second to value b, and the third one SHOULD set it to a AND b.
I would expect, when clicking the third option, the multiselect box to show BOTH options A and B, but instead it just lists a single unknown option "a , b". This is a screenshot; maybe it explains better (3 clicks):
I tried multiple combinations with no success. I've read https://docs.splunk.com/Documentation/Splunk/8.1.0/Viz/tokens#Define_tokens_for_multiselect_inputs , which didn't help. I also tried with no success what was suggested in https://community.splunk.com/t5/Dashboards-Visualizations/Multiselect-Tokens-not-passing-values/m-p/528381
The problem is also related to the escaping of the data (see the old thread). When DOM inspecting the multiselect, I get data-test-values="[&quot;a&quot;,&quot;b&quot;]" when manually setting a + b directly in the form.
When setting the XML to use <set token>a , b</set> the DOM is data-test-values="[&quot;a,b&quot;]"
When setting the XML to use <set token="tok_multi">a" , "b</set> the DOM is data-test-values="[&quot;a\&quot; , \&quot;b&quot;]" (notice the backslash ....)
My version is Splunk Enterprise v7.2.9.1. The test dashboard source is:
<form>
  <label>Check MultipleSelect</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="tok_multi" searchWhenChanged="true">
      <label>Aquirers</label>
      <choice value="a">TEXT1</choice>
      <choice value="b">TEXT2</choice>
      <prefix/>
      <suffix/>
      <valuePrefix></valuePrefix>
      <valueSuffix></valueSuffix>
      <delimiter> , </delimiter>
    </input>
    <input type="radio" token="tok_radio">
      <label>RADIO</label>
      <choice value="SETA">SET A</choice>
      <choice value="SETB">SET B</choice>
      <choice value="SETAB">SET A + B</choice>
      <default>SETA</default>
      <change>
        <condition value="SETA">
          <set token="form.tok_multi">a</set>
          <set token="field1">$form.tok_multi$</set>
        </condition>
        <condition value="SETB">
          <set token="form.tok_multi">b</set>
          <set token="field1">$form.tok_multi$</set>
        </condition>
        <condition value="SETAB">
          <set token="form.tok_multi">a , b</set>
          <set token="field1">$form.tok_multi$</set>
        </condition>
      </change>
    </input>
    <input type="text" token="field1">
      <label>multi token value</label>
      <default>$tok_multi$</default>
    </input>
  </fieldset>
</form>
I am new to Splunk and I am trying to determine how to search for "when a Windows host was last patched".
Hello the team, I am currently preparing a Splunk Lab for my office, and I need datasets especially for Splunk Enterprise Security. I am trying to deploy a Splunk Enterprise Security (ES) environment in our Lab, but we have a lack of data (events, notable events, …). Can you propose to me some datasets to feed ES? Otherwise, what can you propose as suggestions to deploy Splunk Enterprise Security in our Splunk Lab? Thanks in advance for your help. Have a nice day.