Hi, Is it possible to get the search result from a specific app into my own application? Example: the result of the APP_1 search will be displayed on an APP_2 dashboard panel. The knowledge objects (lookups, macros) and APP_1 itself are app-specific, and the client doesn't want them changed. Now I need to get the result from APP_1 into APP_2; is there a possible way to do this?
Hi Team, I have installed the Donut custom visualization app from Splunkbase https://splunkbase.splunk.com/app/3150/. It says the drilldown feature exists for this app, but when I click on one part of the donut and try to pass the value via $click.value$ / $click.value2$, it's not working. How do I enable drilldown for the clicked value in the Donut custom visualization? Please suggest.
Can someone tell me whether, when you change settings on a deployed app on your deployment server, the changes are propagated to the servers the app is deployed on, or whether another step is needed?
Hi Team, I'm working on a user dashboard which gives some metadata information about users' access/logs/retention etc. using REST queries. I need some help on how to use search event handler tokens, as the token is only taking one value. I need all the results to be passed as a token into the other search queries. In the attached screenshot, under the logs and retention panels, data is only being displayed for the network index and not the os index. So I need help getting the os index info into the logs and retention panels. Thank you.

<dashboard>
  <label>User Info</label>
  <search>
    <query>| rest /services/authentication/current-context splunk_server=local | fields roles | mvexpand roles | join type=left roles [ rest /services/authorization/roles splunk_server=local | table title srchIndexesAllowed | rename title as roles] | makemv srchIndexesAllowed tokenizer=(\S+) | fillnull value=" " | mvexpand srchIndexesAllowed | table srchIndexesAllowed</query>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
    <progress>
      <set token="title">$result.srchIndexesAllowed$</set>
    </progress>
  </search>
  <row>
    <panel>
      <title>Access Information</title>
      <table>
        <search>
          <query>| rest /services/authentication/current-context splunk_server=local | fields roles | mvexpand roles | join type=left roles [ rest /services/authorization/roles splunk_server=local | table title srchIndexesAllowed | rename title as roles] | makemv srchIndexesAllowed tokenizer=(\S+) | fillnull value=" " | mvexpand srchIndexesAllowed | stats values(*) as * by roles | rename roles as "Your Roles", srchIndexesAllowed as "Indexes You Can Search"</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <title>Current App - $env:app$</title>
        <search>
          <query>| makeresults | eval message="Hi $env:user$ always remember to restrict the permissions of your knowledge objects (Reports/Alerts/Dashboards/Saved Searches) to the role mapped to your account. This will restrict other users from deleting your knowledge objects"</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>logs</title>
      <table>
        <search>
          <query>| rest /services/data/indexes count=0 | dedup title | fields title | map [| metadata type=sources index="$title$" | eval type="$title$"] maxsearches=1000 | stats values(type) AS index by source | sort source</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>retention</title>
      <table>
        <search>
          <query>| rest splunk_server=* /services/data/indexes | join type=outer $title$ [ | rest splunk_server=$title$ /services/data/indexes-extended ] | search title=$title$ | eval retentionInDays=frozenTimePeriodInSecs/86400 | table title retentionInDays</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

@jconger @renjith_nair @gcusello @isoutamo @nfilippi_splunk
Request={"headers":{"zip":"500000"}},"location":"HYD","info":[{"phoneNumber":"******6467","test":[{"id":"1234"}]}],"testing123":{"tenure":1234,"stringvalue":"A"}}}

How can I search for "stringvalue":"A"? I tried

| makemv tokenizer="([^,]+)," Params | mvexpand line | rex field=Params "(?<key>[^{'stringvalue'':']+) : (?<value>[A]+)"

It did not work.
I can't use the Home Monitor app because I have a Zyxel modem from CenturyLink, and I am very new to Splunk. Any ideas on where I can start in getting data in from my home network would be greatly appreciated. I have Splunk installed on the laptop; I want to monitor the smart TV, the Xbox, and an additional desktop computer.
I have a search that will return a number of search ids:

index=_audit | <various modifications> | table search_id

Example: I end up with

search_id
1604617764.7885_5E002618-3E1F-491E-88C9-516508A9DB66
1604617764.7886_5E002618-3E1F-491E-88C9-516508A9DB66
1604617764.7887_5E002618-3E1F-491E-88C9-516508A9DB66

Now for each search_id I want to do a REST call to find out information about the search. For example, for the first search_id I want to call:

| rest services/search/jobs/1604617764.7885_5E002618-3E1F-491E-88C9-516508A9DB66 splunk_server=local

Since | rest is a generating command, I can't figure out how to do this.
date       reportid  notificationid  status
10/1/2020  5555      1               clear
10/1/2020  2222      2               clear
10/2/2020  3333      3               critical
10/3/2020  5555      4               major
10/4/2020  2222      5               critical
10/4/2020  5555      4               clear

I would like to display the latest status by date based on the report id (unique ids only).

Output:

date       reportid  notificationid  status
10/2/2020  3333      3               critical
10/4/2020  2222      5               critical
10/4/2020  5555      4               clear

But after the output is displayed, I would like to also filter/display based on a status. For example, based on the initial result, I want to only show rows where status = CLEAR.

Output:

date       reportid  notificationid  status
10/4/2020  5555      4               clear

But I keep getting stuck. Here is my current search, which is able to get the initial output, but I don't know how to then filter it further based on the initial results. All my searches don't work.

index=companyx sourcetype=alarm_status | eval Start=strftime(Start/1000, "%H:%M:%S %d-%b-%Y") | rex field=AlarmPath "^\/(?<AlarmPath1>.+?)\/(?<AlarmPath2>.*)\s\(" | dedup reportid | search AlarmPath1="$field2$" | stats Last(reportid) as ReportId, last(status) as status, last(AlarmPath1) as AlarmPath1, last(AlarmPath2) as AlarmPath2, last(Start) as "Start Time" by notificationId | sort -notificationId
Hi everyone, I want to schedule a report at 00 hrs covering the 1st to the 15th day of the previous month, and it should run on the 1st day of the current month.
Hi Guys, New to Splunk. I have managed to build dashboards with multiselects before, but the data for the multiselect below does not populate any results in my dashboard, although it does populate in a separate search (opening a new search). Below is my multiselect query and my main search. I reached a dead end and really don't know what I am doing wrong. Note: my main query is fine, no issue there; it's my multiselect that has the issue.

Multiselect:

<input type="multiselect" token="tok_ServerStatus" searchWhenChanged="true">
  <label>Server Status</label>
  <choice value="*">All</choice>
  <fieldForLabel>Server Status</fieldForLabel>
  <fieldForValue>ServerStatus</fieldForValue>
  <search>
    <query>| inputlookup X_Report.csv | rename "Server Status" as Status "Application Name" as ApplicationName | search $tok_ApplicationName$ | stats count by Status | table Status</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>
  <delimiter>OR </delimiter>
  <default>All</default>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>ServerStatus="</valuePrefix>
  <valueSuffix>"</valueSuffix>
</input>

Main Query:

| inputlookup X_Report.csv | rename "Application Name" as ApplicationName "Server Status" as Status | fillnull ApplicationName, Status value=NULL | search $tok_ServerStatus$ $tok_ApplicationName$ | stats values(Status) as "Server Status" values(ApplicationName) as "Application Name" by ServerName | sort ServerName
All, having issues getting some data into Splunk. I have a system that processes literally tens of thousands of CSV files every day. I am getting the error in the subject line with a passel of the files every day, nothing consistent or different from anything else; files of the same type/content do ingest while others don't, with this error. Below are my props.conf and inputs.conf from the UF where I am doing all this work; hopefully someone out there can help me. I am wondering if it's because Splunk is trying to pick the file up too quickly, before it has data or proper EOF entries, etc., but I have no idea how to build in a delay to ensure the data is complete before trying. It appears that once Splunk has tried once, it doesn't try to ingest the file again; maybe even a setting that makes Splunk try more than once would be enough to make it work? Any help appreciated.

props.conf

[csv]
force_local_processing = true
DATETIME_CONFIG = NONE
CHARSET = AUTO

inputs.conf

[default]
host = <redacted>

[monitor://D:\IngestRoot\*\*]
disabled = 0
index = <redacted>
recursive = true
whitelist = .*SplunkIngest\.csv$
crcSalt = <SOURCE>
My manager asked me to send one file named "data.json" to Splunk using Python and the HTTP Event Collector. I tried to do it, but as I am a beginner in Python, I don't know how to write the whole script that will do the work. Can anyone help me with this?
Hello everyone! I'm trying to get Splunk to create an incident in ServiceNow when an alert is triggered. I'm using the "snowincidentstream" command, but receive an error that says "command="snowincidentstream", Failed to create ticket. Return code is 400. Reason is Bad Request". I'm following the example in the docs, running a query similar to the one below:

sourcetype="CPURates" earliest=-5m latest=now | stats avg(CPU) as CPU last(_time) as time by host | where CPU>=95 | eval category="Software" | eval contact_type="Phone" | eval ci_identifier="8214eb87c0a8018b7bd0919758dcc3c2" | eval priority="1" | eval subcategory="Database" | eval short_description="CPU on ". host ." is at ". CPU "" | eval account="user" | eval custom_fields="u_affected_user=nobody||u_caller_id=12345" | eval correlation_id="de305d51-15b4-411b-adb2-fb6b9e546013" | snowincidentstream

What could be wrong? Can someone please help? Thank you so much!
I am seeking to get a list of the keyword searches users typed, from the proxy activity. Below is what I have, but those seem to be the referred or suggested keywords, which can be deceitful and false positives.

index=main user_id=splunky AND x_webcat_code_full!="Advertisements" | fields _time, bytes_in, bytes_out, dest_domain, dest_url, dvc_ip, user_id, x_webcat_code_full | rex field=dest_url "\?q\=(?<search_term>[^&]+)\&" | stats values(search_term)

Something that strips out the link below and provides me with just "hp elitebook 840 g3", if that makes sense?

https://www.google.com:443/search?ei=TO-WX_zcF5mDtQbczYCIBg&q=hp+elitebook+840+g3+drivers&oq=hp+elitebook+840+g3+d&gs_lcp=CgZwc3ktYWIQAxgAMgUIABDJAzICCAAyAggAMgIIADICCAAyAggAMgIIADICCAAyAggAMgIIADoECAAQRzoKCAAQsQMQyQMQQzoECAAQQzoHCAAQsQMQQzoFCAAQsQM6BwgAEMkDEENQrh1Yjndg44cBaABwAngAgAHZAYgBsQeSAQUwLjUuMZgBAKABAaoBB2d3cy13aXrIAQjAAQE&sclient=psy-ab
While using print() to emit events from a Python input, sometimes the events from separate print statements get merged. An example (edited) below:

2020-11-05T20:23:21.988802+00:00, application="application1" 2020-11-05T20:23:21.993878+00:00, application="application2"

I'm unclear why these particular ones got merged (there were other records print()-ed at 2020-11-05T20:23:21, and all events had increasing/unique timestamps). Any pointers on how to prevent this? Thanks
I'm sure it's out there somewhere and maybe I'm just brain-fried from looking at Splunk for too long, but I wasn't able to find or figure it out. Any help linking me to the answer or providing the answer would be greatly appreciated. I'm generating the results shown in the screen capture with this search:

index="<my index>" sourcetype="<my sourcetype>" | stats count BY Plugin,Severity | sort -count

I'd like to add a column called "First Discovered" which contains a date value, and I only want to see the oldest date from that field's data. If I add "First Discovered" to the stats count command it's not going to work, because there are multiple unique values. What's the best way to return the data I already have but add a column containing the oldest date from the field "First Discovered" for each of the Plugins? A "First Discovered" data sample is: Jul 2, 2020 02:23:25 EDT. In case I wasn't clear, this field is extracted from the logs along with the "Plugin" and "Severity" fields. Thanks in advance!
Hi, I am dealing with an issue because the data changed at my source. I was using a lookup as below to search only the hosts that are in my lookup. The field netbiosName was always coming in as UNKNOWN\samplehost, so I did a simple eval and prepended UNKNOWN\ to the host name in the lookup query, and that worked great.

index=source1sample sourcetype="samplesourcetype" [| inputlookup sample.csv | table sample_netbios | eval sample_netbios=upper(sample_netbios) | rename sample_netbios as netbiosName | eval netbiosName="UNKNOWN"."\\". netbiosName]

Now the data has changed in a way that I am seeing the domain coming from the data source in the netbiosName field, e.g. ABC\host1, XYZ\host2. How can I structure a search where I can filter upfront, as in the search above, regardless of the domain value that comes in? I can get rid of the "\", but this means that I will have to eval or rex before everything and then do a match, which takes a toll on query performance. My query was taking only about 10 seconds for ~5k hosts matching from lookup to index, but the aforementioned way causes it to run for ~20 mins because it has to go through all hosts and then do a match on the ones in the lookup. Thanks in advance!
Problem: I've created a dashboard which looks great, but is limited in functionality by the inherently simple XML structure Splunk uses to stub these things out. I want to convert my dashboard to HTML, but the well-advertised "Convert to HTML" option is not available through either the edit button or the ellipsis dropdown on the dashboard. Are there any particular Splunk antics required to make it appear in the dropdown? On both of the installs I have tested I get the same list of options from the ellipsis dropdown: Clone, Set as Home Dashboard and Delete. I am logged in as admin on both systems with the included capability edit_view_html and basically every other assignable capability of admin. I have tried this on versions Version:8.1.0 Build:f57c09e87251 and Version 4.4.1 Build 1566518380334. Thanks
Assume I have this key value pair in Splunk:

uri_query="client=safari&source=hp&ei=5k-kX56GMdGpytMPu7asyA0&q=random+search&oq=random+search&gs_lcp=ChFtb2JpbGUtZ3dzLXdpei1ocBADMgUIABDJAzICCAAyAggAMgIIADICCAAyAggAMgIIADICCAA6CAgAELEDEIMBOgIILjoICC4QsQMQgwE6BQguELEDOgUIABCxAzoICAAQsQMQyQM6BAgAEApQ1xNY6yNg-iVoAHAAeACAAUKIAY8GkgECMTOYAQCgAQGwAQA&sclient=mobile-gws-wiz-hp"

The URI parameters could be in any order. If I want to search for a specific value I'm forced to do something like

| search uri_query="*sclient=mobile-gws-wiz-hp*"

This is very slow, for obvious reasons. If I run

| search sclient=mobile-gws-wiz-hp

this is very fast, but includes results where this value might be in the refer field rather than the uri_query field. Is there a better way to do these needle-in-a-haystack searches?