I'm currently using the following query to find the CPU utilization for a few hosts, but I want to see the average utilization per host:

tag=name "CPU Utilization" | timechart span=15m max(SysStatsUtilizationCpu) by host limit=0

Any information would be helpful.
I have noticed that a saved search is chronically skipped, almost 100%, but I cannot trace it back to the origin. The search name is >>> _ACCELERATE_<redacted>_search_nobody_<redacted>_ACCELERATE_ <<<. From _internal it's in the search app, report acceleration, and user nobody. _audit provides no clues either. How do I trace this to the source? Thank you
Hello, I have the following dataset. It consists of configuration parameters from multiple systems. Each system has somewhere in the neighborhood of 3000-5000 parameters, some of which will not exist in all systems. I am trying to come up with a list of unique combinations of parameters with a Matching flag which shows whether the value is identical between both systems. It should indicate a false flag if the parameter exists in either system but not the other, or if the parameter exists in both systems but with different values. The parameters are identified by a unique combination of SERVICE_NAME, FILE_NAME, SECTION and KEY (all four are required to be the same), and the system is identified by SID. The data look like this:

SID  SERVICE_NAME  FILE_NAME   SECTION            KEY                      VALUE
AAA  index         global.ini  global             timezone_dataset         123
AAA  dpserver      index.ini   password policy    minimal_password_length  16
AAA  index         index.ini   flexible_table     reclaim_interval         3600
AAA  dpserver      global.ini  abstract_sql_plan  max_count                1000000
BBB  dpserver      index.ini   password policy    minimal_password_length  16
BBB  index         index.ini   password policy    minimal_password_length  25
BBB  dpserver      global.ini  abstract_sql_plan  max_count                1000000
BBB  index         index.ini   mergedog           check_interval           60000

The data is in a dashboard, along with drop-downs to select two systems to be compared. Once a user selects system AAA and system BBB, I would like the result to show:

SERVICE_NAME  FILE_NAME   SECTION            KEY                      Match
index         global.ini  global             timezone_dataset         No
dpserver      index.ini   password policy    minimal_password_length  Yes
index         index.ini   flexible_table     reclaim_interval         No
dpserver      global.ini  abstract_sql_plan  max_count                Yes
index         index.ini   password policy    minimal_password_length  No
index         index.ini   mergedog           check_interval           No

I have tried many different SPL searches, but none have provided the intended result. I would greatly appreciate any assistance or guidance. Cheers, David
Could the Splunk Add-on for Salesforce team clarify whether FIPS mode is supported? Per https://docs.splunk.com/Documentation/AddOns/released/Overview/Add-onsandFIPsmode it seems certain add-ons do, but there doesn't seem to be a definitive list of what supports it and what doesn't.
Hi, I want to extract the highlighted part:

Sep 24 10:43:25 10.82.10.245 [S=217] [BID=d57afa:30] RAISE-ALARM:acProxyConnectionLost: [KOREASBC1] Proxy Set Alarm Proxy Set 1 (PS_ITSP): Proxy lost. looking for another proxy; Severity:major; Source:Board#1/ProxyConnection#1; Unique ID:242; Additional Info1:; [Time:24-09@17:43:25.248] [63380759]
Hi Splunk Experts, I have a lookup with the fields 'User', 'Rates' and 'Priority' (values 1 to 5). I use this lookup in my search, and I wish to accomplish the use cases below. Kindly advise if it's possible.

Cases:
If the lookup Priority value is '5', I have to get the max(Rates) from Priority values 1 to 5.
If the lookup Priority value is '4', I have to get the max(Rates) from Priority values 1 to 4.
If the lookup Priority value is '3', I have to get the max(Rates) from Priority values 1 to 3.
If the lookup Priority value is '1', I have to get the max(Rates) from Priority value 1.
I have to create a custom command using a Python script to update a particular property (enableSched) from 1 to 0 or 0 to 1. Please let me know if anyone knows how to do this.
Hi, I have a use case in which there are 4 images for Red, Amber, Green and Grey (No Data/Inactive) that are to be displayed in the dashboard I created. For the widget I'm using Choropleth SVG for the image; right now I uploaded an image manually to visualize the widget. I'm assessing a way to connect the required S3 bucket with the widget so as to get those images onto the Splunk dashboard. Can anyone please assist with how to achieve this? Thanks!
Hello, I'm struggling to do the following:
Count the volume for the last 5 min from the current time at -7d, -14d, -21d, -28d (basically keeping the same day of the week)
Do an avg and stdev of those counts
Define a range based on this
Get the count of the last 5 min from the current time and tell when it is out of the range
All this in a table so I can use it from alerts
I read a lot of things, but couldn't come up with something close enough so far; I'm still new to Splunk. Thank you!
Dear Splunkers, I'm investigating an issue with the duplicated Maps+ for Splunk application icon in the Home menu of Splunk Enterprise running on Cloud (see attached pic.). This is weird behaviour. Splunk version 9.1.2. Can you please suggest how to resolve this problem so that only 1 app icon appears, as before? Thank you
Hi, this is my 1st post; I'm a newbie Splunker. I have a case from my clients: Splunk is running with an LB followed by the SH cluster. I'm already using LDAP to inject the data for login access accounts in Splunk. When I checked the audittrail log in the query table, it's showing only 1 specific clientip or src. That was different from the 1st time I injected AD for login access to Splunk, or inside the dev server (because we only use AIO/standalone Splunk in dev): there it's showing the real IP of the user. But now, when I log in to Splunk Web, the audit trail log will show that 1 specific IP; I think it's the LB or AD IP. Even if I use a native user like "admin", it will show only 1 IP, and it's not my device IP. How do I make the real IP of the user show while using an LB with the SH cluster, instead of only 1 IP from the LB or AD in the audittrail log?
I am using the following HTML for my alert action data entry screen. The tenant multi-select does not show up in the configuration dictionary of the payload object passed to the Python script. What am I doing wrong?

Payload passed to the Python script:

Payload: {
 'app': 'search',
 'owner': 'jon_fournet@bmc.com',
 'result_id': '1',
 'results_file': '/opt/splunk/var/run/splunk/dispatch/rt_scheduler_am9uX2ZvdXJuZXRAYm1jLmNvbQ__search__sentToBHOM12_at_1727135173_17.19/per_result_alert/tmp_1.csv.gz',
 'results_link': 'http://clm-aus-wm6fwd:8000/app/search/search?q=%7Cloadjob%20rt_scheduler_am9uX2ZvdXJuZXRAYm1jLmNvbQ__search__sentToBHOM12_at_1727135173_17.19%20%7C%20head%202%20%7C%20tail%201&earliest=0&latest=now',
 'search_uri': '/servicesNS/jon_fournet%40bmc.com/search/saved/searches/sentToBHOM12',
 'server_host': 'clm-aus-wm6fwd',
 'server_uri': 'https://127.0.0.1:8089',
 'session_key': 'juYpGOJO29CVEJXEhNFtlVZu0NdAUtGRObXSddXgB^nwDFZHofpZ58tDr^dfFRHcAeBKb3sKvtUNY48u7z2go^bDjUIR1K59YJhT3mkpPKXm3Vom_mXwSCA5rF2AQsgeoEuM332jKYMhEiZRakt1Qs69if_wD_QAPo',
 'sid': 'rt_scheduler_am9uX2ZvdXJuZXRAYm1jLmNvbQ__search__sentToBHOM12_at_1727135173_17.19',
 'search_name': 'sentToBHOM12',
 'configuration': {
  'additional_info': 'This is an additional slot',
  'category': 'AVAILABILITY_MANAGEMENT',
  'ciid': 'test ciid',
  'citype': 'testcitype',
  'hostname': 'splunktesthost',
  'logLevel': 'WARN',
  'message': ' kkkk',
  'object': 'testobject',
  'originuri': 'testuri',
  'severity': 'WARNING',
  'subcategory': 'APPLICATION'
 }
}

HTML:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Information</title>
<style>
body { background-color: lightblue; font-family: Arial, sans-serif; }
.container { width: 80%; margin: 20px auto; }
.section { background-color: white; padding: 15px; margin-bottom: 20px; border: 2px solid black; border-radius: 5px; }
.section h2 { margin-top: 0; }
</style>
</head>
<body>
<form class="form-horizontal form-complex">
<h1>BHOM Tenant Configuration</h1>
<div class="control-group">
  <label class="control-label" for="bmc_tenants">Tenants</label>
  <div class="controls">
    <select id="bmc_tenants" name="action.sendToBHOM.param.tenants" multiple size="3">
      <option value="prod">Production</option>
      <option value="qa">QA</option>
      <option value="dev">Development</option>
    </select>
    <span class="help-block">The BHOM Tenants to forward alerts</span>
  </div>
</div>
<h1>BHOM Event Configuration</h1>
<div class="control-group">
  <label class="control-label" for="bmc_severity">Severity</label>
  <div class="controls">
    <select id="bmc_severity" name="action.sendToBHOM.param.severity">
      <option value="OK">Ok</option>
      <option value="WARNING">Warning</option>
      <option value="MINOR">Minor</option>
      <option value="MAJOR">Major</option>
      <option value="CRITICAL">Critical</option>
    </select>
    <span class="help-block">The severity of the alert</span>
  </div>
</div>
<div class="control-group">
  <label class="control-label" for="bmc_hostname">Source Hostname</label>
  <div class="controls">
    <input id="bmc_hostname" name="action.sendToBHOM.param.hostname" type="text" placeholder="e.g. splunk.bmc.com " />
    <span class="help-block">The Hostname of the source of the alert</span>
  </div>
</div>
<div class="control-group">
  <label class="control-label" for="bmc_object">Object</label>
  <div class="controls">
    <input id="bmc_object" name="action.sendToBHOM.param.object" type="text" placeholder="e.g. Splunk_log_1 " />
    <span class="help-block">The Object related to the alert</span>
  </div>
</div>
<div class="control-group">
  <div class="control-group">
    <label class="control-label" for="bmc_category">Category</label>
    <div class="controls">
      <input id="bmc_category" name="action.sendToBHOM.param.category" type="text" placeholder="e.g. splunk.bmc.com " />
      <span class="help-block">The Category related to the alert</span>
    </div>
  </div>
  <div class="control-group">
    <label class="control-label" for="bmc_subcategory">Sub-Category</label>
    <div class="controls">
      <input id="bmc_subcategory" name="action.sendToBHOM.param.subcategory" type="text" placeholder="e.g. splunk.bmc.com " />
      <span class="help-block">The Sub-Category related to the alert</span>
    </div>
  </div>
  <div class="control-group">
    <label class="control-label" for="bmc_originuri">Origin URI</label>
    <div class="controls">
      <input id="bmc_originuri" name="action.sendToBHOM.param.originuri" type="text" placeholder="e.g. splunk.bmc.com " />
      <span class="help-block">The Origin URI related to the alert</span>
    </div>
  </div>
  <div class="control-group">
    <label class="control-label" for="bmc_ciid">CI ID</label>
    <div class="controls">
      <input id="bmc_ciid" name="action.sendToBHOM.param.ciid" type="text" placeholder="e.g. splunk.bmc.com " />
      <span class="help-block">The CI ID related to the alert</span>
    </div>
  </div>
  <div class="control-group">
    <label class="control-label" for="bmc_citype">CI Type</label>
    <div class="controls">
      <input id="bmc_citype" name="action.sendToBHOM.param.citype" type="text" placeholder="e.g. splunk.bmc.com " />
      <span class="help-block">The CI Type related to the alert</span>
    </div>
  </div>
  <div class="control-group">
    <label class="control-label" for="bmc_event_message">Message</label>
    <div class="controls">
      <textarea id="bmc_event_message" style="height: 120px;" name="action.sendToBHOM.param.message"> </textarea>
      <span class="help-block">The message for the event send to BHOM</span>
    </div>
  </div>
</div>
<div class="control-group">
  <label class="control-label" for="bmc_additional_info">Additional Info</label>
  <div class="controls">
    <input id="bmc_additional_info" name="action.sendToBHOM.param.additional_info" type="text" placeholder="e.g. splunk.bmc.com " />
    <span class="help-block">The Additional Information related to the alert</span>
  </div>
</div>
<h1>Log Level (logs written to index _internal)</h1>
<label for="logLevel">Choose a log level:</label>
<select id="logLevel" name="action.sendToBHOM.param.logLevel">
  <option value="INFO">INFO</option>
  <option value="WARN">WARNING</option>
  <option value="ERROR" selected>ERROR</option>
  <option value="DEBUG">DEBUG</option>
</select>
</form>
</body>
</html>
I want to show which users have not logged into Splunk for the last 30 or 90 days. For example: we have 300 users with access to the Splunk UI, and I want to know who has not logged into Splunk for more than 7 days. The query below shows who has logged into Splunk, but I want to show who has not logged in, along with their last login time.

index=_audit sourcetype=audittrail action=success AND info=succeeded
| eval secondsSinceLastSeen=now()-_time
| eval timeSinceLastSeen=tostring(secondsSinceLastSeen, "duration")
| stats count BY user timeSinceLastSeen
| append [| rest /services/authentication/users | rename title as user | eval count=0 | fields user ]
| stats sum(count) AS total BY user timeSinceLastSeen
I have had a few issues ingesting data into the correct index. We are deploying an app from the deployment server, and this particular app has two clients. Initially, when I set this app up, I was ingesting data into our o365 index. This data looked somewhat like: We have a team running a script that tracks all deleted files. We were getting one line per event, and at the time I had an inputs.conf that looked like:

[monitor://F:\scripts\DataDeletion\SplunkReports]
index=o365
disabled=false
source=DataDeletion

It would ingest all CSV files within that DataDeletion directory. In this case, it ingested everything under that directory. This worked. I changed the index to testing so I could manage the new data a bit better while we were still testing it. One inputs.conf backup shows that I had this at some point:

[monitor://F:\scripts\DataDeletion\SplunkReports\*.csv]
index=testing
disabled=false
sourcetype=DataDeletion
crcSalt = <string>

Now, months later, I have changed the inputs.conf to ingest everything into the o365 index, and I have applied that change and pushed it out to the class using the deployment server, and yet the most recent data looks different. The last events we ingested went into the testing index and looked like: This may be due to how the script is sending data into Splunk, but it looks like it's aggregating hundreds of separate lines into one event.

My inputs.conf currently looks like this:

[monitor://F:\scripts\DataDeletion\SplunkReports\*]
index = o365
disabled = 0
sourcetype = DataDeletion
crcSalt = <SOURCE>
recursive = true
#whitelist = \.csv

[monitor://F:\SCRIPTS\DataDeletion\SplunkReports\*]
index = o365
disabled = 0
sourcetype = DataDeletion
crcSalt = <SOURCE>
recursive = true
#whitelist = \.csv

[monitor://D:\DataDeletion\SplunkReports\*]
index = o365
disabled = 0
sourcetype = DataDeletion
crcSalt = <SOURCE>
recursive = true
#whitelist = \.csv

I am just trying to grab everything under D:\DataDeletion\SplunkReports\ on the new Windows servers and ingest all of the CSV files under there, breaking up each line in the CSV into a new event. What is the proper syntax for these inputs, and what am I doing wrong? I have tried a few things and none of them seem to work. I've tried adding a whitelist and adding a blacklist; I have recursive and crcSalt there just to grab anything and everything. And if the script isn't at fault for sending in chunks of data as one event, would adding a props.conf fix how Splunk is ingesting this data? Thanks for any help.
Is there any way to change the highlight color? In dark mode it's horrible. I don't know if it is supposed to be tan, brown, or gold. It makes it difficult to read the text, which remains a turquoise color. But I really hate it. And whenever I swipe my cursor across a large event, the entire thing is highlighted with it.
Hey, I have a problem after upgrading to 9.1.5 from 9.0.4 (Enterprise): all the dashboards that use tokenlinks.js from the "simple_xml_examples" (Splunk Dashboard Examples) app, latest version, have the following error and the script doesn't work:

"A custom JavaScript error caused an issue loading your dashboard. See the developer console for more details."

In the dev tools (F12) I saw that the error comes from common.js:

"Refused to execute script from/en-US/static/@29befd543def.77/js/util/console.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. common.js:1702 Error: Script error for: util/console http://requirejs.org/docs/errors.html#scripterror at makeError (eval at e.exports (common.js:502:244924), <anonymous>:166:17) at HTMLScriptElement.onScriptError (eval at e.exports (common.js:502:244924), <anonymous>:1689:36)"

Does anyone have any idea why, or how to fix it? Thanks! Splunk Dashboard Examples Dashboard
Hello team, I need a query to extract the most commonly used fields by the users in a particular dashboard. Please help me. Thanks! Renuka O
Hello, is it possible to send alerts using our SMS provider? If not, how can I send SMS for alerts? Thanks.
Hi all, I have a monitor stanza in inputs.conf that monitors our organization's proxy; the logs are sent by syslog-ng. I have only one stanza that monitors 4 different source IPs from that proxy. I want to configure a different "source" for each source IP without seeing the name of the log file in the value of the source field. Let's say the monitor path is (in the deployment server):

$SPLUNK_HOME/syslog/proxy/*/*.log

In the source field I will see:

$SPLUNK_HOME/syslog/proxy/<proxy_source_a|b|c|d>/<proxy_date_and_time>.log

I want the source to stop at proxy_source_a|b|c|d, for example:

$SPLUNK_HOME/syslog/proxy/<proxy_source_a|b|c|d>/

Is that possible?