Hello, my goal is to find and combine data from multiple sources. Here:

employee_lookup: the table for the whole employee database
product_lookup: the table for all the products

Now my goal is to find how many company-wide products each department uses, grouped by DepartmentName, ProductName, and Count. The department name is in the "employee_lookup" table along with the employee name. So when any employee clicks on a product, it is counted as a product use and the data is logged into Splunk. My Splunk query is as follows:

data = "global"
| lookup product_lookup productID OUTPUT ProductName
| lookup employee_lookup userID OUTPUT DepartmentName
| table ProductName, DepartmentName, UserID

That query does not work... My goal is to find the total count of product usages by Department. The resulting table should be like:

DepartmentName,  Product,      count
--------------------------------------
Dept_5,          Product1234,  2000
Dept_5,          Product333,   1434
Dept_5,          Product633,   600
Dept_2,          Product333,   2500
Dept_2,          Product215,   2500
Dept_2,          Product415,   1200
....

So basically group by department, product, count. Any suggestions and recommendations would be very helpful. Thank you!
Hi, I am new to Splunk and I am looking forward to learning more. I wanted to know where I can learn what keywords/code such as the following mean or do...

earliest="-1mon@mon" latest="@d"
latest="@mon"

and what it means when I add this in the Splunk query like this:

data = "global" earliest="-1mon@mon" latest="@d" [ search data = "global" earliest="-1mon@mon" latest="@d" ]

I also have a Time Range widget connected with this query... and the value of the output changes as I change the time range. However, (I believe) since I already defined (earliest="-1mon@mon" latest="@d") in the search, does it make the result different? Please help me understand what is happening. Thank you.
Any help is highly appreciated... I have a panel (1) which shows 3 different single values, say a, b, c. When I click on a, it should open another panel (2) with 3 single values, say d, e and f; similarly, when I click on b, it should open another panel (3) with 3 single values, say g, h, i, and panel (4) with values j, k, l when c is clicked. Further, on clicking the value d or e or f, it opens 1 panel for each respectively, and the same for the remaining single values.

Summary. Note: every ( ) is 1 panel.

(a   b   c)                                Level 1 (Single Values)
On clicking a, b, c respectively we get:
(d e f)   (g h i)   (j k l)                Level 2 (Single Values)
Clicking the values respectively we get the tables below:
(m) (n) (o)   (p) (q) (r)   (s) (t) (u)    Level 3

Level 3 opens m if d is clicked, opens n if e is clicked, opens o if f is clicked, respectively (here m, n, o, etc. are individual tables with rows and columns). Also, a way to make the opened panels in levels 2 and 3 hide once again would be great.
I have a data set with values at a specific moment in time. Each day can have multiple values (but in different events). I want to find the events that have the highest value at that moment in time. For example, if the data is the following:

Day1, 10
Day2, 13
Day2, 12
Day3, 11
Day3, 14
Day4, 12
Day5, 15

The search should return that Day1, Day2 (the first row), Day3 (the second row) and Day5 had the highest numbers at the moment they occurred. I do not only want the final highest value but the maximum at that moment in time (as if the events after it hadn't happened). For example, an additional column can be added which indicates whether it is/was the highest result:

Day1, 10, Yes
Day2, 13, Yes
Day2, 12, No
Day3, 11, No
Day3, 14, Yes
Day4, 12, No
Day5, 15, Yes

I have been trying to achieve this with the max function but I couldn't get it working. Is it possible to achieve this?
Hi guys, I'm trying to replace values in an irregular multivalue field. I don't want to use mvexpand because I need the field to remain multivalue. Here are some examples of my multivalue fields:

#1
115000240259839935-619677868589516300
1003000210260195023-294635473830872390
1003000210260241553-580541817408914764
531000140235102831-490142552617583496
115000240260262212-692365156372645389

#2
448000250026778748-44531981890881098
1286000030219284359-851572649149989069

I said irregular because the multivalue field could be composed of 1 or n values.

My goal is to keep only the numerical part before the "-". For example, #1 should become:

115000240259839935
1003000210260195023
1003000210260241553
531000140235102831
115000240260262212

and #2 should become:

448000250026778748
1286000030219284359

Thanks in advance for your help.

Regards
Mario
I have some firewall session state logs which get sent to Splunk every minute. The session state events contain a unique ID per session and a running total of the bytes transferred for the duration of the session. Example events:

Nov 7 09:00:18 em1 tcp 23.246.39.150:443 <- 192.168.10.104:60241 6966 bytes id: 5fa81441
Nov 7 09:01:18 em1 tcp 23.246.39.150:443 <- 192.168.10.104:60241 7174 bytes id: 5fa81441
Nov 7 09:02:18 em1 tcp 23.246.39.150:443 <- 192.168.10.104:60241 8900 bytes id: 5fa81441
Nov 7 09:03:18 em1 tcp 23.246.39.150:443 <- 192.168.10.104:60241 11501 bytes id: 5fa81441

Ultimately, I would like to do a timechart showing the bytes transferred by minute. To make that work, I need to add a new field to each event that is the difference between the bytes value in the event and the bytes value in the previous event. Note, I cannot use the "delta" command directly, as the 4 events shown are mixed in with hundreds of other events and are not directly next to each other. I need something like delta combined with the transaction command. I'm currently considering using transaction to group the events, and then mvexpand to break them back apart again, but my search is getting really clunky. Any recommendations on how to do the above?
search query
| table error_name

event: error_code=400||error_name=ErrorMsg: Internal Server Error
Output: ErrorMsg:

I should get the output as: ErrorMsg: Internal Server Error
Hi all, (refer to the screenshot attached) I have a dashboard with 30 or so panels just like the one below. They feature a search as well as a green dot if the numbers in the last hour are within acceptable ranges. Looking at the dashboard HTML below, you can see the MainTrafficSearch causes the color of the svg circle on the row to change. It also updates a color named V7Color. This is the main color for the entire dashboard. It represents the worst color of any of the searches in the dashboard.

Now what I want is to configure an alert so that if the color of V7Color goes to yellow or red, I send out an email. I would like to not have to do a massive search query which is the combination of all 30 of my searches. If possible, I would like to not have to configure 30 separate alerts (because the app is so tightly monitored that many times, when one part of the app goes bad, several do). I also already have basically the same search in two places; if possible, I'd like to not have to write the search in a third place (unless it is possible to write the search in one place and reference it as a variable in all the other places). I understand that what I am hoping to do might not be possible. But if you were in my shoes, what route would you take?
Thanks

<search id="MainTrafficSearch">
  <query>sourcetype=provider_api_jidp env=$envselection$ index=$envselection$ "AccessTokenInterceptor" | rex field=_raw "ajp-/(?&lt;ipthread&gt;[0-9\.\-:]+)" | rex field=_raw "(GET|POST|PUT|DELETE|OPTIONS) (?&lt;resource&gt;[a-zA-Z\.]+ \(.*\)) " | dedup _time host resource ipthread | stats count | eval status=case(count &gt; 500000, 2, count &gt; 250000, 1, count &lt; 10, 2, count &lt; 100, 1, true(), 0) | table status</query>
  <earliest>-60m</earliest>
  <latest>$timepicker.latest$</latest>
  <progress>
    <eval token="MainTrafficColor">case($result.status$=="0","green",$result.status$=="2","red",$result.status$=="1","yellow",true(),"grey")</eval>
    <eval token="V7Color">case($result.status$=="2","red",$result.status$=="1" AND $V7Color$ != "red","yellow",true(),$V7Color$)</eval>
  </progress>
</search>
…
<row>
  <panel>
    <title>Traffic</title>
    <html>
      <div style="width:100%;height:30px;position:absolute">
        <svg xmlns="http://www.w3.org/2000/svg" style="margin-left:95%">
          <circle cx="13" cy="13" r="10" fill="$MainTrafficColor$"/>
        </svg>
      </div>
    </html>
    <single>
      <title>Number of Calls</title>
      <search>
        <query>sourcetype=provider_api_jidp index=$envselection$ env=$envselection$ "AccessTokenInterceptor" | rex field=_raw "ajp-/(?&lt;ipthread&gt;[0-9\.\-:]+)" | rex field=_raw "(GET|POST|PUT|DELETE|OPTIONS) (?&lt;resource&gt;[a-zA-Z\.]+ \(.*\)) " | dedup _time host resource ipthread | stats count</query>
        <earliest>$timepicker.earliest$</earliest>
        <latest>$timepicker.latest$</latest>
      </search>
      <option name="colorMode">block</option>
      <option name="drilldown">none</option>
      <option name="height">50</option>
      <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
      <option name="refresh.display">progressbar</option>
      <option name="unitPosition">before</option>
      <option name="useColors">0</option>
      <option name="useThousandSeparators">1</option>
    </single>
  </panel>
</row>
Hi Splunk, I need help to reactivate my email, because when logging in to Splunk Web it returns "That email address or username is inactive". Please help to reactivate it. Thank you.
Hello, I see that Splunk Education is down for maintenance and was wondering when the site would be back up? Kind regards
I have a dashboard panel with a table showing some events, each of which contains a jobId field. I'm trying to use the drilldown to set a token on the dashboard to that jobId; let's call it CLICKED_ID. Then I should be able to go into the edit drilldown menu, pick Set, put in CLICKED_ID for the token name, and $row.jobId$ for the value. So far so good...

The problem arises when I go to a different dashboard panel after clicking on some row in the first panel and try to use that $CLICKED_ID$ token in its search. Yes, the $CLICKED_ID$ token is successfully replaced... by the string "$row.jobId$", not by the actual value of jobId from that event! Not even fields that I know should exist in the events work; setting $CLICKED_ID$ to $row.sourcetype$ or $row.hostname$ didn't get the values correctly, instead just getting literally "$row.sourcetype$" and so on.

For now I'm getting around this by having the jobId appear in the table of the first panel and using $click.value2$, which works fine. However, I would like the user to be able to click any cell on that row and still have the right values go to the second panel, as opposed to having to click specifically on the jobId column. This is also a problem if I want to stop displaying the jobId on the first panel, since the user won't be able to click on it to populate the second panel. Am I doing something wrong here? Please let me know if I can include anything more that might help. Thanks!
Hello All, I need to have the multiselect for Application Name apply its value to the Server Status multiselect. I have a token for Application Name and have been able to pass it to the other multiselects, but I can't seem to pass it for the Server Status. Any advice would greatly help.

<form theme="light">
  <label>Sample Dashboard</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="tok_ApplicationName" searchWhenChanged="true">
      <label>Application Name</label>
      <choice value="*">All</choice>
      <fieldForLabel>Application Name</fieldForLabel>
      <fieldForValue>ApplicationName</fieldForValue>
      <search>
        <query>| inputlookup X_Servers_Report.csv | inputlookup append=t Y_Servers_Report.csv | inputlookup append=t B_Servers_Report.csv | inputlookup append=t J_Servers_Report.csv | inputlookup append=t R_Servers_Report.csv | rename "Application Name" as ApplicationName | stats count by ApplicationName</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <delimiter>OR</delimiter>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>ApplicationName="</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="tok_ServerName" searchWhenChanged="true">
      <label>Server Name</label>
      <choice value="*">All</choice>
      <fieldForLabel>Server Name</fieldForLabel>
      <fieldForValue>ServerName</fieldForValue>
      <search>
        <query>| inputlookup X_Servers_Report.csv | inputlookup append=t Y_Servers_Report.csv | inputlookup append=t B_Servers_Report.csv | inputlookup append=t J_Servers_Report.csv | inputlookup append=t R_Servers_Report.csv | rename "Domain Name" as ServerName "Application Name" as ApplicationName | search $tok_ApplicationName$ | stats count by ServerName | table ServerName</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <delimiter>OR</delimiter>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>ServerName="</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="tok_ServerStatus" searchWhenChanged="true">
      <label>Server Status</label>
      <choice value="*">All</choice>
      <fieldForLabel>Status</fieldForLabel>
      <fieldForValue>Status</fieldForValue>
      <search>
        <query>| inputlookup SPL_Server_Status.csv | rename "Application" as ApplicationName | search $tok_ApplicationName$ | stats count by Status | table Status</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <delimiter>OR</delimiter>
      <default>All</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>Status="</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="tok_ServerNature" searchWhenChanged="true">
      <label>Server Nature</label>
      <search>
        <query>| inputlookup X_Servers_Report.csv | inputlookup append=t Y_Servers_Report.csv | inputlookup append=t B_Servers_Report.csv | inputlookup append=t J_Servers_Report.csv | inputlookup append=t R_Servers_Report.csv | rename "Server Nature" as ServerNature "Application Name" as ApplicationName | search $tok_ApplicationName$ | stats count by ServerNature | table ServerNature</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <default>All</default>
      <prefix>(</prefix>
      <valuePrefix>ServerNature="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>OR</delimiter>
      <suffix>)</suffix>
      <choice value="*">All</choice>
      <fieldForLabel>Server Nature</fieldForLabel>
      <fieldForValue>ServerNature</fieldForValue>
    </input>
    <input type="multiselect" token="tok_DeploymentName" searchWhenChanged="true">
      <label>Deployment Name</label>
      <search>
        <query>| inputlookup X_Servers_Report.csv | inputlookup append=t Y_Servers_Report.csv | inputlookup append=t B_Servers_Report.csv | inputlookup append=t J_Servers_Report.csv | inputlookup append=t R_Servers_Report.csv | rename "Deployment Name" as deploymentName "Application Name" as ApplicationName | search $tok_ApplicationName$ | stats count by deploymentName | table deploymentName</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <default>All</default>
      <prefix>(</prefix>
      <valuePrefix>deploymentName="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>OR</delimiter>
      <suffix>)</suffix>
      <choice value="*">All</choice>
      <fieldForLabel>Deployment Name</fieldForLabel>
      <fieldForValue>deploymentName</fieldForValue>
    </input>
    <input type="multiselect" token="tok_Location" searchWhenChanged="true">
      <label>Location</label>
      <search>
        <query>| inputlookup X_Servers_Report.csv | inputlookup append=t Y_Servers_Report.csv | inputlookup append=t B_Servers_Report.csv | inputlookup append=t J_Servers_Report.csv | inputlookup append=t R_Servers_Report.csv | rename "Application Name" as ApplicationName | search $tok_ApplicationName$ | stats count by Location | table Location</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <default>All</default>
      <prefix>(</prefix>
      <valuePrefix>Location="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>OR</delimiter>
      <suffix>)</suffix>
      <choice value="*">All</choice>
      <fieldForLabel>Location</fieldForLabel>
      <fieldForValue>Location</fieldForValue>
    </input>
    <input type="multiselect" token="tok_OS" searchWhenChanged="true">
      <label>O.S</label>
      <search>
        <query>| inputlookup X_Servers_Report.csv | inputlookup append=t Y_Servers_Report.csv | inputlookup append=t B_Servers_Report.csv | inputlookup append=t J_Servers_Report.csv | inputlookup append=t R_Servers_Report.csv | rename "Operating System" as OS "Application Name" as ApplicationName | search $tok_ApplicationName$ | stats count by OS</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <default>All</default>
      <prefix>(</prefix>
      <valuePrefix>OS="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>OR</delimiter>
      <suffix>)</suffix>
      <choice value="*">All</choice>
      <fieldForLabel>O.S</fieldForLabel>
      <fieldForValue>OS</fieldForValue>
    </input>
    <input type="multiselect" token="tok_CompName" searchWhenChanged="true">
      <label>Component Name</label>
      <!-- <default>All</default> -->
      <prefix>(</prefix>
      <valuePrefix>ComponentName="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>OR</delimiter>
      <suffix>)</suffix>
      <choice value="*">All</choice>
      <fieldForLabel>Component Name</fieldForLabel>
      <fieldForValue>ComponentName</fieldForValue>
      <search>
        <query>| inputlookup X_Servers_Report.csv | inputlookup append=t Y_Servers_Report.csv | inputlookup append=t B_Servers_Report.csv | inputlookup append=t J_Servers_Report.csv | inputlookup append=t R_Servers_Report.csv | rename "Component Name" as ComponentName "Application Name" as ApplicationName | search $tok_ApplicationName$ | stats count by ComponentName</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <!-- <choice value="*">All</choice> <suffix>)</suffix> -->
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Server Count $tok_count$</title>
      <html>
        <style>.dashboard-row .dashboard-panel h2.panel-title { background:PALEGOLDENROD !important; color:black !important; font-size: 16px !important; font-family:Helvetica, sans-serif !important; text-align: center !important; font-weight: bold !important; }</style>
        <div />
      </html>
      <table>
        <search>
          <progress>
            <set token="tok_count">$job.resultCount$</set>
          </progress>
          <query>| inputlookup X_Servers_Report.csv | inputlookup append=t Y_Servers_Report.csv | inputlookup append=t B_Servers_Report.csv | inputlookup append=t J_Servers_Report.csv | inputlookup append=t R_Servers_Report.csv | rename "Deployment Name" as deploymentName "Server Name" as ServerName "Server Nature" as ServerNature "Operating System" as OS "Application Name" as ApplicationName "Component Name" as ComponentName | lookup SPL_Server_Status.csv Server_Name as ServerName OUTPUT Status | fillnull ApplicationName ComponentName Location ServerName ServerNature OS deploymentName Status value=NULL | search $tok_DeploymentName$ $tok_ServerName$ $tok_ServerNature$ $tok_Location$ $tok_OS$ $tok_ApplicationName$ $tok_CompName$ $tok_ServerStatus$ | stats values(Status) as "Server Status" values(ApplicationName) as "Application Name", values(ServerNature) as "Server Nature", values(deploymentName) as "Deployment Name", values(Location) as Location, values(ComponentName) as "Component Name" values(OS) as "O.S" by ServerName | sort ServerName</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
I just upgraded Enterprise from 8.0.7 to 8.1 on my Mac and now my apps are not working, mainly one:

Unable to initialize modular input "" defined in the app "": Introspecting scheme=: script running failed (exited with code 1).

This is a Python script created with the Splunk Add-on Builder. Not sure what the reason is, since it was working fine before the upgrade.
I can retrieve results from my search manager by using this type of code:

var mydata = mySearchManager.data("results");
mydata.on("data", function() {
    if (mydata.hasData()) {
        let numRows = mydata.data().rows.length;
        // .... (do something with the data)
    }
});

However, the event handler above runs more than once (twice in my particular search, even though there's only one row of results). How do I prevent it from running twice? (Or, alternatively, how do I retrieve the results of a search manager ONLY when it is completely done?) Since I use this handler to start a different search (when this one is done), I want to make sure the handler doesn't run more than once (or otherwise the second search will be started more than once too).
I know that if I want to deploy apps to the search heads I should use the search head deployer functionality. My question is can the deployer server also act as the deployment server for pushing out apps to clients? I think I would also like to make it the license server if that's possible. Thoughts?
I am trying to configure the AWS add-on and the SNOW TA for heavy forwarder HA. Is there any better way in Splunk to configure synchronization?

xxxxxxxx0003 has the SNOW TA and xxxxxxxx0004 has the AWS TA
xxxxxxx0002 has the SNOW TA which needs to synchronize to xxxxxx0003
xxxxx0001 has the AWS TA and needs to synchronize to xxxxxx0004

Thanks in advance
We have an SC4S server for both prod and dev environments and would like to use the deployment server to manage the SC4S configs, like environment files and metadata.csv. Is this possible?
We recently moved Splunk Security Essentials from our lab to our QA environment, but it is not working. In the lab we have admin privs, but in QA it is only power user privs, and we did enable the _list settings permissions for our roles as suggested by another post. It still will not populate. Any other suggestions? Here is the error:

External search command 'sseanalytics' returned error code 1.
Hello, Splunk newbie here. I have been able to combine several lookups using | inputlookup, and also using | inputlookup append=t. However, I am not able to combine the lookup with the ones I have just created. I see I no longer get the "must specify one or more lookup files" error, but all of my values from my lookup are coming back null. Is my format correct for the code below?

| lookup X_Server_Status.csv Server_Name OUTPUT Status

I want to display the current status of the server.
Good afternoon everyone, I am the Splunk admin for our instance of Splunk, and yesterday later in the afternoon I noticed that my searches were not running anymore and that everything was being sent to the queue. In my troubleshooting efforts I signed into another search head and ran a similar search with successful results. Today, I thought what could be causing the issue was that I have a lot of saved searches that run with my username as the owner, so I reassigned those knowledge objects, which did not fix the issue. I can see other users running searches with no issue, so it appears to be my account. Any advice on where to look next, or has anyone experienced this issue before? I am running 7.2.8 on my search heads and using my account, not the local admin account. Thank you.