Hi,

I have the data below:

Date:
Sep 2020
Aug 2018
Feb 2020
July 2017
Sep 2019

I want to sort the dates by month and year, like:

July 2017
Aug 2018
Sep 2019
Feb 2020
Sep 2020

I am using the eval strftime function, but the output is coming out as Sep 2020, Sep 2019. Can someone please help me to fix this?

Thanks!!

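Added example (not part of the original post): the sort-key approach in Python. It has the same pitfall a strptime-based eval has: a %b format accepts "Sep" but rejects "July", and %B would reject "Sep". Trimming the month token to three letters before parsing makes both forms sort correctly. The sample list is the one from the post.

```python
import re
from datetime import datetime

# Constructed sample in the shape described in the post (abbreviated and
# full month names mixed).
SAMPLE_DATES = ["Sep 2020", "Aug 2018", "Feb 2020", "July 2017", "Sep 2019"]

MONTH_YEAR = re.compile(r"^\s*([A-Za-z]+)\s+(\d{4})\s*$")


def month_year_key(value: str) -> datetime:
    """Convert 'Mon YYYY' or 'Month YYYY' into a datetime to sort on.

    Python's strptime %b accepts only three-letter abbreviations, so
    'July 2017' is rejected unless the month token is cut to three
    letters first; %B would in turn reject 'Sep'. Trimming handles both.
    """
    m = MONTH_YEAR.match(value)
    if not m:
        raise ValueError(f"unrecognised month/year value: {value!r}")
    month, year = m.group(1)[:3].title(), m.group(2)
    return datetime.strptime(f"{month} {year}", "%b %Y")


def sort_month_year(values):
    """Return the original strings ordered chronologically."""
    return sorted(values, key=month_year_key)


if __name__ == "__main__":
    for v in sort_month_year(SAMPLE_DATES):
        print(v)
```

The original strings are returned unchanged; only the sort key is derived from them, which is the same idea as computing a hidden epoch field, sorting on it and dropping it again.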
I am trying to create an alert based on

sourcetype=iis | iplocation True_Client_IP | geostats count by Country

that, if one of my true client IPs shows up in a Country where it's not supposed to be, will generate an alert with the IPs listed. I think I would somehow need to input a list of locations that would trigger such an alert. Any help on how to create such an alert would be appreciated.

I am new to Splunk but was tasked to leverage Splunk to build dashboards and monitor all of our data from SFMC. I was successful in creating the different indexes and inputs, and everything was working fine until 11/1, when I either made the mistake of upgrading from 8.0.6 and then rolling back, and also my company updated my Mac as well. However, when running several diagnostics and investigations, everything comes back to the SSL error:

11-05-2020 09:31:15.819 -0800 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='error', alert_description='unknown CA'.
event_message = Received fatal SSL3 alert. ssl_state='error', alert_description='unknown CA'.
eventtype = splunkd-log
host = 4ustorml05032
source = /Applications/Splunk/var/log/splunk/splunkd.log
sourcetype = splunkd

11-05-2020 09:31:15.819 -0800 ERROR ApplicationUpdater - Error checking for update, URL=https://apps.splunk.com/api/apps:resolve/checkforupgrade: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

I tried pretty much all the other recommendations, as well as what is in the documentation that Splunk provides, which included generating the certs and configuring them in the various locations: web.conf, inputs.conf, server.conf, etc. The only thing that would happen is that it would break my instance and I would need to roll back. I am unsure what the cause may be. I rolled back the latest version because it broke our apps, since they were Python 2 and the latest version is now 3. Any insight would be great. Also, I have pretty much been to all of the forums and tried several solutions, but many were outdated and most likely didn't fit my issue.

Hi All,

While analyzing the firewall logs, I could see the src_ip (src) field taking some numeric number along with the actual IP address. Sharing the sample log below, where it is grabbing src as 5864897, the numeric one just after PASS.

Nov 5 17:37:57 abcxyz.com fwlogs:[27999] match PASS 5864897/5893553 IN 60 TCP 10.10.10.10/4655->10.20.20.20/443 S

I extracted the field as below for src, but it is still not getting parsed and is taking the numeric value. Kindly help.

(TCP|FIN|RST|TIMEOUT)\s(?<srcip>\d+\.\d+\.\d+\.\d+)/

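Added example, not part of the post: a Python parser for the quoted log format that puts the dotted-quad addresses and the two integers after the action into separate named fields, and validates the address fields so that a bare integer such as 5864897 can never be accepted as src. The first sample line is the one from the post; the second line, the field names count1/count2/flags, and the assumption that the pair after PASS is a counter rather than an address are mine.

```python
import ipaddress
import re

# Constructed sample lines in the format quoted in the post (the first is
# the post's own line; the second is made up to exercise the optional
# trailing flag field and the OUT direction).
SAMPLE_LINES = [
    "Nov 5 17:37:57 abcxyz.com fwlogs:[27999] match PASS 5864897/5893553 IN 60 TCP 10.10.10.10/4655->10.20.20.20/443 S",
    "Nov 5 17:38:02 abcxyz.com fwlogs:[27999] match DROP 5864901/5893560 OUT 1200 UDP 10.10.10.11/53422->198.51.100.53/53",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Field names follow the CIM-style src/dest naming the post refers to.
# count1/count2 are the two integers after the action; the post does not
# say what they are, only that they are not addresses (assumption).
FW_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) fwlogs:\[(?P<pid>\d+)\] "
    r"match (?P<action>\w+) (?P<count1>\d+)/(?P<count2>\d+) "
    r"(?P<direction>IN|OUT) (?P<length>\d+) (?P<proto>\w+) "
    rf"(?P<src_ip>{IPV4})/(?P<src_port>\d+)->"
    rf"(?P<dest_ip>{IPV4})/(?P<dest_port>\d+)"
    r"(?: (?P<flags>\S+))?\s*$"
)


def looks_like_ipv4(token: str) -> bool:
    """True only for a dotted quad with in-range octets ('5864897' is not one)."""
    try:
        ipaddress.IPv4Address(token)
    except ValueError:
        return False
    return True


def parse_fw_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = FW_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The regex only admits dotted quads in the address slots; the octet
    # range is checked too, so e.g. 999.1.1.1 is rejected as well.
    for f in ("src_ip", "dest_ip"):
        if not looks_like_ipv4(rec[f]):
            raise ValueError(f"{f} is not a valid IPv4 address: {rec[f]!r}")
    for f in ("pid", "count1", "count2", "length", "src_port", "dest_port"):
        rec[f] = int(rec[f])
    return rec


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_fw_line(line))
```

Anchoring the address capture to the `proto src/port->dest/port` shape, rather than to whatever integer follows the action, is what keeps the counters out of the src field.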
I'm Borys from LLC "Trading systems". Our company participates in public procurement. The client describes in the requirements the possibility of using Splunk on the provider's equipment and asks us to provide confirmation of this with a certificate. We are using Supermicro servers with Intel Xeon Gold and AMD EPYC, SSD and NVMe disks, and Microsoft Hyper-V virtualization. Is it possible to certify this hardware for us? If you could please respond to let me know the email has been received, it would be greatly appreciated.

Kind regards,
Borys

I have a lookup table with certain Windows Event Codes. I am searching our Windows index for all Windows Event Codes. I would like a count of all Windows Event Codes, per Event Code, and a column that says whether that Event Code is in my lookup table. This is what I am attempting, partly with what I found on Answers, but it isn't working:

| inputlookup MyWinEvCodes
| fields EventCode
| append [ search index=winsevlog | stats count as Count by EventCode ]
| eval Found = if(Count > 1,"Yes","No")
| stats count by EventCode, Found
| sort + count

Thank you in advance!

Hi,

I'm getting problems while getting data parsed from the IIS TA. An example may be that in the host field I'm getting: /services/rest/search.svc/ Another example: dest_ip: UserCulture=en-US. I've configured it as the documentation says, but it is not working.

Thanks!

I am very close but need some assistance. I am attempting to create an alert based upon the criteria "Free Megabytes"<6000 AND "% Free Space"<10. I have that logic working below...

sourcetype="Perfmon:Free Disk Space" instance!=HarddiskVolume* instance!=_Total counter="% Free Space" Value<20 [ search host=* sourcetype="Perfmon:Free Disk Space" instance!=HarddiskVolume* instance!=_Total counter="Free Megabytes" Value<6000 | return 1000 host ]

The above code works as long as there is a hit for Free Megabytes < 6000. However, if there are no hits, no host is returned to the % Free Space search, so it shows all hosts that meet that criteria. How can this be adapted so that no hosts returned doesn't result in a further query? I am guessing eval, but my Splunk-fu is weak. Any help is appreciated, but actual code would be most helpful.

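Added example, not from the post: the same two-counter condition evaluated in Python over constructed perfmon-style records. Both counters are collected per host and volume first and the AND is applied afterwards, so when no volume is below the Free Megabytes threshold the result is empty rather than every host below the % Free Space threshold, which is the behaviour described above when the subsearch returns no hosts. Field names mirror the sourcetype's host/instance/counter/Value fields; the host names, values and sample times are made up.

```python
# Constructed perfmon-style events (a subset of the fields of
# sourcetype "Perfmon:Free Disk Space"); hosts and numbers are made up.
SAMPLE_EVENTS = [
    {"_time": 100, "host": "web01", "instance": "C:", "counter": "% Free Space", "Value": 8.5},
    {"_time": 100, "host": "web01", "instance": "C:", "counter": "Free Megabytes", "Value": 4200},
    {"_time": 100, "host": "web02", "instance": "C:", "counter": "% Free Space", "Value": 7.0},
    {"_time": 100, "host": "web02", "instance": "C:", "counter": "Free Megabytes", "Value": 35000},
    {"_time": 100, "host": "db01", "instance": "D:", "counter": "% Free Space", "Value": 45.0},
    {"_time": 100, "host": "db01", "instance": "D:", "counter": "Free Megabytes", "Value": 5000},
    {"_time": 100, "host": "db01", "instance": "_Total", "counter": "% Free Space", "Value": 3.0},
    {"_time": 100, "host": "db01", "instance": "_Total", "counter": "Free Megabytes", "Value": 1000},
    {"_time": 100, "host": "app01", "instance": "C:", "counter": "% Free Space", "Value": 4.0},
    {"_time": 100, "host": "app01", "instance": "C:", "counter": "Free Megabytes", "Value": 2000},
    # app01 recovered in a later sample; only the latest value per counter counts.
    {"_time": 160, "host": "app01", "instance": "C:", "counter": "Free Megabytes", "Value": 9000},
    {"_time": 160, "host": "app01", "instance": "C:", "counter": "% Free Space", "Value": 18.0},
]


def latest_by_counter(events, excluded_prefixes=("HarddiskVolume",), excluded=("_Total",)):
    """Keep the most recent (time, Value) per (host, instance, counter).

    Volumes named HarddiskVolume* and the _Total pseudo-instance are
    skipped, as in the post's search.
    """
    latest = {}
    for e in events:
        inst = e["instance"]
        if inst in excluded or inst.startswith(excluded_prefixes):
            continue
        key = (e["host"], inst, e["counter"])
        if key not in latest or e["_time"] > latest[key][0]:
            latest[key] = (e["_time"], float(e["Value"]))
    return latest


def low_disk_volumes(events, mb_threshold=6000, pct_threshold=10):
    """Return sorted (host, instance) pairs where BOTH counters are below threshold.

    A volume that has only one of the two counters can never satisfy the
    AND, and an input with no low Free Megabytes values yields [] instead
    of every low-percentage volume.
    """
    latest = latest_by_counter(events)
    volumes = sorted({(h, i) for (h, i, _c) in latest})
    hits = []
    for host, inst in volumes:
        mb = latest.get((host, inst, "Free Megabytes"))
        pct = latest.get((host, inst, "% Free Space"))
        if mb is None or pct is None:
            continue
        if mb[1] < mb_threshold and pct[1] < pct_threshold:
            hits.append((host, inst))
    return hits


if __name__ == "__main__":
    print(low_disk_volumes(SAMPLE_EVENTS))
```

The design point is to evaluate the AND on one joined row per volume rather than to let one side of the condition filter the other; with the join done first, an empty side produces no alert instead of an unconstrained one.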
Hi All,

I need to reconcile 2 different SWIFT messages from Splunk DB Connect. The key pattern should be

<<YYYYMMDD>>#SWIFTRACKER#*#*#*#INFO

The three * are UETR Number, ToSwift/FromIIB and status. Each combination of UETR Number and FromIIB record must have a corresponding record with the UETR Number and ToSwift combination. For e.g.,

20200715#SWIFTRACKER#FromIIB#abcdfghif#Accepted#INFO
20200715#SWIFTRACKER#ToSwift#abcdfghif#Accepted#INFO

I have extracted the fields from the table; it's a single field in the DB which holds this data:

| dbxquery connection=CONN query="select RECID from Schema.table" shortnames=true
| rex field=RECID "(?<date>\d+)#(?<swift>\w+)#(?<source>\w+)#(?<uetr>\w+\-+\w+\-+\w+\-+\w+\-+\w+)#(?<status>\w+)#(?<loglevel>\w+)"
| table date,swift,source,uetr,status,loglevel

I need help with the reconciliation part: a way to compare both the records and see if there was a corresponding entry for each ToSwift/FromIIB entry with the same UETR number.

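Added example (not part of the post): the reconciliation done in Python over constructed RECID strings in the pattern above. It groups records by UETR, reports UETRs that have a FromIIB record without a ToSwift record and vice versa, and additionally flags pairs whose status differs. The UUID-shaped UETRs, the looser [\w-]+ pattern (which also accepts the bare "abcdfghif" from the post's example) and the one-record-per-side assumption are mine.

```python
import re
from collections import defaultdict

# Constructed RECID values in the pattern from the post. The UETRs are
# UUID-shaped to match the hyphenated form the post's rex expects; the
# last entry is deliberately malformed.
SAMPLE_RECIDS = [
    "20200715#SWIFTRACKER#FromIIB#3f9a1c2e-5b7d-4e8f-9a0b-1c2d3e4f5a6b#Accepted#INFO",
    "20200715#SWIFTRACKER#ToSwift#3f9a1c2e-5b7d-4e8f-9a0b-1c2d3e4f5a6b#Accepted#INFO",
    "20200715#SWIFTRACKER#FromIIB#7c8d9e0f-1a2b-4c3d-8e4f-5a6b7c8d9e0f#Accepted#INFO",
    "20200715#SWIFTRACKER#ToSwift#b1c2d3e4-f5a6-4b7c-8d9e-0f1a2b3c4d5e#Accepted#INFO",
    "20200715#SWIFTRACKER#FromIIB#0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d#Accepted#INFO",
    "20200715#SWIFTRACKER#ToSwift#0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d#Rejected#INFO",
    "20200715#SOMETHINGELSE#garbage",
]

# date#swift#source#uetr#status#loglevel, the order used in the post's
# example lines and rex. [\w-]+ accepts both UUID-style and bare UETRs.
RECID_RE = re.compile(
    r"^(?P<date>\d{8})#(?P<swift>SWIFTRACKER)#(?P<source>FromIIB|ToSwift)#"
    r"(?P<uetr>[\w-]+)#(?P<status>\w+)#(?P<loglevel>\w+)$"
)


def parse_recid(recid: str):
    """Split one RECID into its fields, or return None if it does not match."""
    m = RECID_RE.match(recid)
    return m.groupdict() if m else None


def reconcile(recids):
    """Pair FromIIB and ToSwift records by UETR and report what does not line up."""
    by_uetr = defaultdict(dict)  # uetr -> {"FromIIB": rec, "ToSwift": rec}
    unparsed = []
    for recid in recids:
        rec = parse_recid(recid)
        if rec is None:
            unparsed.append(recid)
            continue
        # One record per side is assumed; a duplicate overwrites the earlier one.
        by_uetr[rec["uetr"]][rec["source"]] = rec

    report = {
        "matched": [],
        "missing_to_swift": [],   # left IIB, never confirmed by Swift
        "missing_from_iib": [],   # seen at Swift with no IIB origin
        "status_mismatch": [],    # both sides present, statuses differ
        "unparsed": unparsed,
    }
    for uetr, sides in sorted(by_uetr.items()):
        if "ToSwift" not in sides:
            report["missing_to_swift"].append(uetr)
        elif "FromIIB" not in sides:
            report["missing_from_iib"].append(uetr)
        elif sides["FromIIB"]["status"] != sides["ToSwift"]["status"]:
            report["status_mismatch"].append(uetr)
        else:
            report["matched"].append(uetr)
    return report


if __name__ == "__main__":
    for bucket, uetrs in reconcile(SAMPLE_RECIDS).items():
        print(bucket, uetrs)
```

Unparsed RECIDs are reported rather than silently dropped, since a row that fails the pattern would otherwise disappear from both sides of the reconciliation and look like a clean match.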
Hi there,

I have 2 forwarders on a single box, one HF and one UF. I want to switch off the UF. I'm looking for a list of sourcetypes that the UF is sending. Does anyone have a search that can tell me what sourcetypes are actively sending data to Splunk via the UF's GUID?

Thanks!

Hi All, what should be the regex while doing event extraction for srcip?

eventtime=1604591829395228259 appid=41 srcip=192.168.1.1 dstip=192.168.2.2 srcport=47450 dstport=443

Hey,

I have an index 'test_iterations' which contains test data (start time, end time, iterationIndex and TestName). Each Test can appear more than once, but with a different iteration index. I need to get the test duration, which is the sum of the duration of each iteration. I used this query to find it for a single test:

Index="test_iteration" TestRunId=someId TestName=someTestName
| dedup IterationIndex
| eval sum = 0
| foreach IterationIndex* [ eval sum = sum + strptime(EndTime, "%Y-%m-%d%H:%:M%:S.%N") - strptime(StartTime, "%Y-%m-%d%H:%:M%:S.%N")]
| table sum

which provides me the right answer.

But when I try to get all the tests' durations in a run, I get an error. My search:

Index="test_iteration" TestRunId=someTestRunId
| dedup TestName
| Eval dur = [ search Index="test_iteration" TestRunId=someId TestName=someTestName | dedup IterationIndex | eval sum = 0 | foreach IterationIndex* [ eval sum = sum + strptime(EndTime, "%Y-%m-%d%H:%:M%:S.%N") - strptime(StartTime, "%Y-%m-%d%H:%:M%:S.%N")] | table sum]
| table Duration, TestName

I get the error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ')'.

But I don't get why?

Thanks.

Hi

I would like to generate a count for the current month to date (today), and compare this with the count of the previous month, to the same day. So for instance, the count from the start of this month to the 15th, compared to the start of the previous month to the 15th. Is it possible to get both these values in a single search? Maybe using timewrap?

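Added example, not from the post: the two comparison windows computed in Python. The detail any single-search implementation has to get right is the end of the previous-month window: it is the same day-of-month, clamped to that month's length (on 30 March the previous window is 1 to 29 February in 2020). The event dates are constructed.

```python
from datetime import date, timedelta

# Constructed event dates: 3 inside 1-15 October, 1 on 20 October (must
# not count), 4 inside 1-15 November.
SAMPLE_EVENT_DATES = [
    date(2020, 10, 2), date(2020, 10, 9), date(2020, 10, 15), date(2020, 10, 20),
    date(2020, 11, 1), date(2020, 11, 5), date(2020, 11, 12), date(2020, 11, 15),
]


def month_to_date_windows(today: date):
    """Return ((this_start, this_end), (prev_start, prev_end)), all inclusive.

    prev_end is today's day-of-month in the previous month, clamped to that
    month's last day so that e.g. 30 March compares against 28/29 February.
    """
    this_start = today.replace(day=1)
    prev_last = this_start - timedelta(days=1)      # last day of previous month
    prev_start = prev_last.replace(day=1)
    prev_end = prev_start.replace(day=min(today.day, prev_last.day))
    return (this_start, today), (prev_start, prev_end)


def count_events(event_dates, today: date):
    """Return (this_month_to_date_count, previous_month_same_span_count)."""
    (ts, te), (ps, pe) = month_to_date_windows(today)
    current = sum(1 for d in event_dates if ts <= d <= te)
    previous = sum(1 for d in event_dates if ps <= d <= pe)
    return current, previous


if __name__ == "__main__":
    print(count_events(SAMPLE_EVENT_DATES, date(2020, 11, 15)))
```

Stepping back one day from the first of the current month is what finds the previous month's length without a month table, and it is the step a "subtract one month" shortcut tends to get wrong at the end of longer months.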
There is a single page application (React.js). Custom user data doesn't come through when I work on a page during one session (I don't refresh the page and don't change the URL). The first time, the page sends data, but the second time there is no data. I always take the data from the access token. The data is always available. How can I fix it so it sends data every time?

Thanks

Good afternoon! I installed the Splunk_TA_windows application on the server and edited inputs.conf. On the Splunk server, the logs contain the SID instead of the name.

[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = false

Hi Splunk Community,

I'm trying to install Splunk on a new VM as part of functional testing for an add-on. I build these daily and hadn't run into any issues with the process before today. Running on Ubuntu 20.04.1, all packages up to date as of today.

During the initial dpkg -i phase the following error is reported, but the install completes anyway:

cp: cannot stat '/opt/splunk/etc/regid.2001-12.com.splunk-Splunk-Enterprise.swidtag': No such file or directory

I go through the process of starting Splunk, accepting the license and creating the initial user, all fine, but when I get to the GUI and select 'browse more apps' I get the following error back:

Error connecting: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.. Your Splunk instance is specifying custom CAs to trust using sslRootCAPath configuration in server.conf's [sslConfig] stanza. Make sure the CAs in the appsCA.pem (located under $SPLUNK_HOME/etc/auth/appsCA.pem) are included in the CAs specified by sslRootCAPath. To do this, append appsCA.pem to the file specified by the sslRootCAPath parameter.

Any idea what is going on here? I have another VM on the same host with identical network configuration and OS version; it has just been running for a few weeks. The Splunk env that is having issues is on a clean VM. I have tried this using the same install .deb from the working VM and again with the latest .deb from the Splunk website; both exhibit the same issue, so I'm thinking it may be a system package dependency.

Thanks!
Michael

Hello All,

I am trying to get the same colors for the graphics and for the annotations, without success. The differences in syntax between categoryColors and fieldColors escape me. Could you please help me?

<search>
  <query>index=main sourcetype=Oracle_Database $multiselect_token$ $asa_token$ EIRP &gt;-20|chart latest(EIRP) by _time,EQUIP</query>
</search>
<search type="annotation">
  <query>index=main sourcetype=Oracle_Database (IS_CAL AND $asa_token$ AND $antenna_code$ ) | eval annotation_label = Calibrate | eval annotation_category = EQUIP</query>
</search>
<option name="charting.annotation.categoryColors">{"#53a051","#0877a6","#f8be34","#f1813f","#dc4e41","#62b3b2","#294e70"}</option>
<option name="charting.fieldColors">{53A051,0877A6,F8BE34,F1813F,DC4E41,62B3B2,294E70}</option>

Hello,

Do you know if there is a way to modify the data source's maximal allowed lagging value automatically depending on its priority? For example, 600 seconds for 'high', 3600 for 'medium' and 86400 for 'low'.

Thanks for the help.

Hi there,

I have a requirement where I need the time duration between two events in ms. Events look like this:

Event A: Processing started at : <01:00:00.100>
Event B: Processing completed at: <01:00:00:850>

The numbers at the end of each event are timestamps and I have extracted them as fields 'time1' and 'time2' respectively. Is there a way to get the time duration between these two events from the extracted fields? Using transaction gives the time duration in seconds, whereas I would require it in ms. Please help.

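Added example, not from the post: the millisecond difference computed in Python from the two quoted events. The second stamp uses a colon rather than a dot before the milliseconds, so the parser accepts either separator; it also accepts the bare time1/time2 values without the angle brackets. It assumes (my assumption) the two events are less than a day apart and treats a negative difference as a wrap past midnight.

```python
import re

# The two events quoted in the post (Event B has ':' before the ms part).
EVENT_A = "Processing started at : <01:00:00.100>"
EVENT_B = "Processing completed at: <01:00:00:850>"

# HH:MM:SS followed by '.' or ':' and 1-3 fractional digits; the angle
# brackets are optional so extracted field values parse as well.
STAMP_RE = re.compile(r"<?(\d{2}):(\d{2}):(\d{2})[.:](\d{1,3})>?")


def extract_millis(text: str) -> int:
    """Return the first HH:MM:SS.mmm stamp in text as milliseconds since midnight."""
    m = STAMP_RE.search(text)
    if not m:
        raise ValueError(f"no timestamp found in: {text!r}")
    h, mi, s, frac = m.groups()
    # '.1' means 100 ms and '.85' means 850 ms, so right-pad to three digits
    # instead of treating the fraction as an integer millisecond count.
    millis = int(frac.ljust(3, "0"))
    return ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + millis


def duration_ms(start_text: str, end_text: str) -> int:
    """Milliseconds from the stamp in start_text to the stamp in end_text.

    Assumption: the events are at most 24 h apart, so a negative
    difference means the completion stamp fell after midnight.
    """
    delta = extract_millis(end_text) - extract_millis(start_text)
    if delta < 0:
        delta += 24 * 60 * 60 * 1000
    return delta


if __name__ == "__main__":
    print(duration_ms(EVENT_A, EVENT_B))
```

Working in integer milliseconds avoids the floating-point noise that subtracting two fractional epoch seconds introduces, which matters when the result is later compared against an exact threshold.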
Hi,

I got a request to onboard Event IDs 3039, 3040, 3041, 2886, 2887, 2888, 2889. I tried to Google them but couldn't see anything that will tell which log source they're from. I don't know if I should put them under System, i.e.

[WinEventLog://System]
index = winlogs_of_domain_controllers
whitelist = 2886-2889,3039-3041

or Security, i.e.

[WinEventLog://Security]
index = winlogs_of_domain_controllers
whitelist = 2886-2889,3039-3041

I was hoping someone could point me to a trusty website?

Thank you.