Hi. Suppose the device that sent the log to Splunk is logging in US Pacific time. If I run a search like this in Splunk:

sourcetype=blah Data="*blahdata*" | table _time, Action, Data, Username

In reviewing the output of the search, is _time in US Pacific or the default UTC?
Hello, I am trying to add a break time into a cycle time that I am tracking. The _time field pulls the start of a cycle. I have been using the delta function to gather the duration between the cycles. The problem that I am running into is that the cycles stay on during breaks and lunch time, which adds 15 or 30 minutes to the cycle time. I am hoping this is something easy to account for. The problem in my mind is that I want the solution to be scalable to multiple days. I am looking to add 15 minutes to any cycle that was started from 8:50-9:15 or 30 minutes to anything started from 11:50-12:30. An example from the data:

_time                     duration
2020-10-26 12:40:32.593   -0.003
2020-10-26 12:40:32.577   -0.016
2020-10-26 12:35:29.080   -303.497
2020-10-26 12:35:29.058   -0.022
2020-10-26 12:35:28.967   -0.091
2020-10-26 12:30:25.567   -303.400
2020-10-26 12:30:25.547   -0.020
2020-10-26 11:50:01.608   -2423.939
Currently using LDAP authentication, enterprise license, Splunk version 7.3.3. I know there was a similar issue in previous versions when SSO was used, and again if you were on a free license. To meet CCI-002364, a logout message needs to be recorded, but there is no logout option. Could this be due to CAC authentication? Does anyone know if there's a workaround? Or why the logout option does not exist for users?
I have an event which is in JSON and it has a repeating field, say "message". Example:

{
  "Message": [
    { "message": "xyz987" },
    { "message": "abc123" },
    { "message": "abc456" },
    { "message": "abc567" }
  ]
}

I have to form a table with the values of message that only start with abc (i.e. abc123, abc456, abc567) and exclude the other values (i.e. xyz987). How may I achieve this? Thanks in advance.
I'm trying to find all the saved alerts that have a certain action. I've found this search:

| rest /servicesNS/-/-/saved/searches | search alert.track=1 actions="*action*" | fields title description search disabled triggered_alert_count actions

However, this only returns some of the alerts with that action, and I'm not sure why. It looks like any alert that has other actions alphabetically before "action" is in the results, but any alert that has other actions alphabetically after "action" is not returned. Any assistance would be much appreciated.
Hi, I have a Splunk dashboard which needs to be accessed automatically by Selenium (Python). But the specific dashboard needs my credentials to access it, so how can this be achieved with splunklib.client/splunklib.binding, which automatically takes my credentials when I call the website?
How can I view the default index of a user? In other words, if a user runs a search within the Splunk search app and does not specify an index, how do I view which index he will default to?
Has anybody implemented Firehose with a Splunk Cloud destination? I was wondering how the connection is made and if it can be routed through a proxy in between. We have some network guys questioning this before we decide on Firehose as a solution. Any pointers to documentation/blogs will be helpful! Thank you!
Hi Community, I would need your help in extracting multiple field values from the sample below. I have a regex which is not helping me in extracting multiple field values; it's just extracting the first value from the log sample below. So could you help me in modifying the regex please? Thanks in advance.

Regex: \w+[\s+\-\:\w+]*=(?:[^\\,]+)*

e.g. the multivalue field is dhcp-parameter-request-list=1\, 22\, 3\, 4\, 77\, 55\, 99\, 200\,

Current result: dhcp-parameter-request-list=1 (please note just 1 is extracted by my regex, but I would need the other values, i.e. 22, 3, 4, 77, 55, 77, 99 and 200, to be extracted as well)

Log source sample:
Oct 19 16:55:17 xxxxx33 xxx_profiler 000324 1 0 2020-10-19 16:55:17:108 +01:00 000628 80002 INFO Profiler: Profiler Endpoint Profiling event occured, configversionid=xxxx, Endpointcertainitymetric=50, EndpointIPAddress=xx.xx.xx.xxx, EndpointProperty=dhcp-class-identifier=xx.xxx.com\, Policyversion=000\, AuthenticationIdentityStore=Internal Endpoints\, lldpcachecapabilities=B\;T\, EndpointPolicyID=xxx-xxx-xxxxx\, LogicalProfile=xxx-xxx-xx\, xxx-xxxx-xxxx\, AuthenticationMethod=lookup\, FirstCollection=1518577\, CacheUpdateTime=10000\, IdentityAtoreGUID=\, StaticAssignment=false\, UserName=xxx\, NmapScanCpunt=0\, NetwrokDeviceName=xx.xx.xx.com\, DestIPAddress=xx.xx.xxx.xx\, AAA-Server=xxx\, MessageCode=000\, Device Type= Device Type#All Device Types\,PortalUser=\, AllowedProtocalMatchedRule=Wired_MM\, ciaddre=x.x.x.x\, BYODRegistration=Unknown\, Calling-Station-ID=xx-xx-xx-xx\, dhcp-requested-address=xx.xx.xx.xx\, FailureReason=-\, dhcp-parameter-request-list=1\, XX\, X\, X\, XX\, XX\, XX\, XXX\, PostureApplicable=Yes\, Description=Voice:XXX Phones Caanry Waref #VLAN:IPT-VOICE#TYPE:VOICE#SYNC:1.0\, phoneID=\, hostname=xxxx\, NAS-Port-Id=Gigabit Ethernet/x/xx\, location=location #all locations#\, uniquesubjectid=, EndpointSourceEvent=DNS Probe, EndpointIdentityGroup=xxx_Phones, ProfileServer=xx.xx.xx.xx,
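The failure mode in this post comes from the value part of the posted regex, (?:[^\\,]+)*, which stops at the first backslash or comma, so a value list written as "1\, 22\, 3" ends after "1". The Python below is an added example, not the poster's extraction or anything from Cisco ISE or Splunk: it reproduces the posted regex on a constructed event in the same key=value\, layout, then extracts the whole run of values for a key by capturing lazily up to the next "\, <key>=" boundary and splitting on the escaped separator. The sample event, its values and the helper names are all assumptions made for the example.

```python
import re

# Constructed sample in the shape of the posted ISE profiler event (not the
# poster's full log): "key=value" pairs separated by an escaped comma "\,",
# with dhcp-parameter-request-list carrying several values separated the same way.
SAMPLE = (
    r"Profiler Endpoint Profiling event occured, configversionid=xxxx\, "
    r"EndpointIPAddress=10.0.0.5\, AuthenticationIdentityStore=Internal Endpoints\, "
    r"dhcp-parameter-request-list=1\, 22\, 3\, 4\, 77\, 55\, 99\, 200\, "
    r"PostureApplicable=Yes\, Description=Voice:Phones #VLAN:IPT-VOICE\, "
    r"hostname=xxxx\, NAS-Port-Id=Gigabit Ethernet/1/10\, EndpointSourceEvent=DNS Probe, "
)

# The regex from the post. "(?:[^\\,]+)*" cannot cross a backslash or a comma,
# so a multivalue field yields only its first element.
POSTED_RE = re.compile(r"\w+[\s+\-\:\w+]*=(?:[^\\,]+)*")


def first_value_only(log, key):
    """Apply the posted regex and return the value it captures for key."""
    for m in POSTED_RE.finditer(log):
        if m.group(0).startswith(key + "="):
            return m.group(0).split("=", 1)[1]
    return None


def extract_mv_field(log, key):
    """Return every value of key as a list (empty if the key is absent or blank).

    The value run is captured lazily up to the next "\, <key>=" boundary or the
    end of the event, then split on the escaped separator "\, ".  Keys are
    anchored to a preceding comma so "Type" cannot match inside "Device Type".
    """
    pat = re.compile(
        r"(?:^|,\s*)" + re.escape(key) + r"=(.*?)(?=\\?,\s*[\w\- ]+=|\\?,?\s*$)"
    )
    m = pat.search(log)
    if not m:
        return []
    return [v.strip() for v in re.split(r"\\,\s*", m.group(1)) if v.strip()]


if __name__ == "__main__":
    print("posted regex :", first_value_only(SAMPLE, "dhcp-parameter-request-list"))
    print("multivalue   :", extract_mv_field(SAMPLE, "dhcp-parameter-request-list"))
```

The same idea carries over to a Splunk rex: capture the run up to the lookahead boundary rather than stopping at the first "\,", and split afterwards. Note that a list value which itself contains "<word>=" would terminate the capture early; for this log format that does not occur, but it is the assumption the boundary rests on.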
Hello, We're running Splunk Enterprise 7.3.7.1 on Linux. We have a Deployment Server to manage our forwarders. We are using our own certificates to authenticate the server (DS) and the clients (UFs, HFs) connecting to it; all is working fine and the web GUI is working fine on the DS. But we keep seeing this error in the logs and we don't know what's causing it or what the consequences are.

10-27-2020 09:01:00.395 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/splunk_instrumentation/bin/instrumentation.py" ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:741)

Does anyone know?
Hi, I am trying to link different panels in the same dashboard, i.e. when I click the panel on top of the dashboard the drilldown should automatically take me to that panel below in the same dashboard, just like internal HTML linking works. Thanks, Singla
Hello, I have noticed that my Splunk dashboard is working in Firefox but is not working in Chrome or Edge (maybe more browsers). I use an iframe to load Splunk in my WordPress website. This is not a problem, since I tried a website that does use the cookie samesite='None'. To my understanding Chrome did an update where it does not allow third-party (Splunk) apps that do not use the samesite cookie. Is this a known problem? Is there a workaround? Articles I found interesting for understanding this problem:
- https://github.com/GoogleChromeLabs/samesite-examples/blob/master/php.md
- https://blog.heroku.com/chrome-changes-samesite-cookie
After disabling 'samesite by default' Splunk works. Previously I got an answer that this is a WordPress bug; if so, can someone explain to me how this is a WordPress bug. Thanks
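What the post runs into is Chrome's cookie defaults since version 80: a Set-Cookie with no SameSite attribute is treated as SameSite=Lax, which a browser will not attach to requests made from inside a cross-site iframe, and SameSite=None is rejected outright unless the cookie is also Secure. The Python below is an added example, not Splunk's, WordPress's or Chrome's code: it parses a Set-Cookie header value, says whether a browser with those defaults would send the cookie from a third-party iframe and why, and builds a header that would be accepted. Cookie names and values are invented for the example.

```python
# Added example: check a Set-Cookie header against Chrome 80+ defaults
# (no SameSite -> treated as Lax; SameSite=None requires Secure).


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def sent_to_cross_site_iframe(header):
    """Return (ok, reason): will a browser with Chrome's defaults attach this
    cookie to requests issued by a page embedded in a cross-site iframe?"""
    name, _, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if same_site == "none":
        if not secure:
            return False, "%s: SameSite=None without Secure is rejected outright" % name
        return True, "%s: SameSite=None; Secure is accepted cross-site" % name
    if same_site in ("strict", "lax"):
        return False, "%s: SameSite=%s is never sent cross-site" % (name, attrs["samesite"])
    return False, "%s: no SameSite attribute, treated as Lax by default" % name


def cross_site_cookie(name, value, path="/"):
    """Build a Set-Cookie value that survives embedding in a third-party iframe."""
    return "%s=%s; Path=%s; Secure; HttpOnly; SameSite=None" % (name, value, path)


if __name__ == "__main__":
    for h in ("session_id=abc; Path=/; Secure; HttpOnly",
              "session_id=abc; Path=/; SameSite=None",
              cross_site_cookie("session_id", "abc")):
        print(sent_to_cross_site_iframe(h))
```

The caveat for an iframe deployment: SameSite=None; Secure makes the cookie travel on every cross-site request, so protection against cross-site request forgery has to come from the application's own anti-CSRF token rather than from the cookie attribute, and the embedding page must be served over HTTPS.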
Hi all, I have this JSON file like below:

rootfield: [
  {
    field 1: A
    field 2: [ value1, value2 ]
  },
  {
    field 1: B
    field 2: [ value1, value2, value3, value4 ]
  },
  {
    field 1: C
    field 2: [ value1, value3, value4 ]
  }
]

I want to extract the result to look like this:
A_value1,value2
B_value1,value2,value3,value4
C_value1,value3,value4
I know a combination of spath and mvexpand will work, but I want to avoid mvexpand because it eats memory and our JSON file is huge. It would be nice to be able to get the data without mvexpand. Thanks
Hi all, we configured the input "Microsoft Azure Active Directory Sign-ins" in the Microsoft Azure Add-on and always get the following error message.

10-27-2020 11:05:23.938 +0100 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py" ERROR403 Client Error: Forbidden for url: https://graph.microsoft.com/beta/auditLogs/signIns*

We configured it as described in the app itself (app/TA-MS-AAD/aad_app_registration). Can someone explain what is still missing to get the data in? Kind regards, Kathrin
Hi, I am struggling with joining two indexes based on a substring match. I have the following indexes:

index1: fields PROTOCOL, DIRECTION, FILENAME, DIRECTORYNAME
index2: fields APPID, CUSTOMERID, FILEPATTERN, DIRECTORYNAME

I want to join the above indexes based on the following conditions:
1. FILEPATTERN is a substring of FILENAME
2. DIRECTORYNAME in index1 = DIRECTORYNAME in index2

and display output with the following fields: PROTOCOL, DIRECTION, APPID, CUSTOMERID, FILEPATTERN, DIRECTORYNAME. Thanks in anticipation. Regards, Nikhil
Hi, We have Splunk DB Connect v2.4.1 running on Splunk Enterprise 7.1.6. Now we are planning to upgrade Splunk Enterprise to 7.3. Is Splunk DB Connect v2.4.1 compatible with Splunk Enterprise 7.3?
Hello, I am looking for some clarification on using an INGEST_EVAL to set a timezone at index time. The timezone I am working with is Romania, which is +0200 (EET, standard time) or +0300 (EEST, daylight saving time). No Romanian cities are available in the Splunk timezone list, so I am using Beirut, which according to this page is on the same timezone year round as Romania. For my data I am indexing using an INGEST_EVAL which takes the timestamp from the source, where each filename has the following format and reflects local Romanian time:

this_is_my_file_2020_10_27_10_55_53.csv

Since there is no timezone specified in the filename and the Splunk system time is set to UTC, I need to append the timezone using the INGEST_EVAL:

INGEST_EVAL = _time=strptime(replace(source,".*(?=/)/","")."EET","this_is_my_file_%Y_%m_%d_%H_%M_%S.csv%Z")

Now for my concern. Since I have hardcoded "EET" in the INGEST_EVAL, will this skew the files that are ingested during the daylight saving period? In other words, if a filename comes in during EEST, so 2020-10-01 for example, will Splunk understand not to use "EET" and use "EEST" instead, even though it is not specified in the INGEST_EVAL? To conclude, I hate timezones. Any input would be greatly appreciated. Thank you and best regards, Andrew
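A way to settle the concern in this post is to compute, independently of Splunk, what a DST-aware conversion of those filenames must produce and compare it with the _time that the INGEST_EVAL actually indexes. The Python below is an added example and not Splunk's strptime; it does not claim what Splunk does with a hard-coded "EET". It assumes the filename layout from the post and that Romania follows the EU summer-time rule (EEST from 01:00 UTC on the last Sunday of March to 01:00 UTC on the last Sunday of October, which it does), and implements that rule directly so it needs no timezone database. The second conversion applies +0200 unconditionally, showing the one-hour skew a fixed offset introduces for files dated inside the summer-time period.

```python
import re
import calendar
from datetime import datetime, timedelta

# Filename layout from the post; the timestamp is local Romanian wall-clock time.
FILENAME_RE = re.compile(
    r"this_is_my_file_(\d{4})_(\d{2})_(\d{2})_(\d{2})_(\d{2})_(\d{2})\.csv$"
)

EET_HOURS = 2   # Eastern European Time (standard), UTC+2
EEST_HOURS = 3  # Eastern European Summer Time, UTC+3


def last_sunday(year, month):
    """Date (at 00:00) of the last Sunday of the given month."""
    first_of_next = (datetime(year, month, 1) + timedelta(days=31)).replace(day=1)
    last_day = first_of_next - timedelta(days=1)
    # weekday(): Monday=0 ... Sunday=6, so this steps back to the nearest Sunday.
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


def eu_dst_window_utc(year):
    """EU summer time: 01:00 UTC last Sunday of March to 01:00 UTC last Sunday
    of October (assumption: Romania follows the EU rule)."""
    return (last_sunday(year, 3).replace(hour=1),
            last_sunday(year, 10).replace(hour=1))


def romania_utc_offset_hours(local_naive):
    """UTC offset in force for a naive local Romanian timestamp.

    The summer offset is tried first: if subtracting 3h lands inside the DST
    window the clock was on EEST.  For the repeated hour at the end of DST this
    picks the earlier (EEST) instant; for the skipped hour in March it falls
    back to EET.
    """
    start, end = eu_dst_window_utc(local_naive.year)
    if start <= local_naive - timedelta(hours=EEST_HOURS) < end:
        return EEST_HOURS
    return EET_HOURS


def _local_from_filename(name):
    m = FILENAME_RE.search(name)
    if not m:
        raise ValueError("filename does not match the expected layout: %r" % name)
    return datetime(*map(int, m.groups()))


def filename_to_epoch(name):
    """DST-aware conversion: return (epoch seconds UTC, offset hours used)."""
    local = _local_from_filename(name)
    offset = romania_utc_offset_hours(local)
    utc = local - timedelta(hours=offset)
    return calendar.timegm(utc.timetuple()), offset


def filename_to_epoch_fixed_eet(name):
    """Same filename with +0200 applied unconditionally, i.e. what a hard-coded
    "EET" gives if it is taken as a fixed offset all year."""
    utc = _local_from_filename(name) - timedelta(hours=EET_HOURS)
    return calendar.timegm(utc.timetuple())


if __name__ == "__main__":
    for n in ("this_is_my_file_2020_10_01_10_55_53.csv",   # inside EU summer time
              "this_is_my_file_2020_10_27_10_55_53.csv"):  # after the October switch
        epoch, off = filename_to_epoch(n)
        fixed = filename_to_epoch_fixed_eet(n)
        print(n, "UTC+%d" % off, epoch, "fixed EET:", fixed, "skew:", fixed - epoch)
```

For the 2020-10-01 file the DST-aware result is 07:55:53 UTC while the fixed +0200 result is 08:55:53 UTC, one hour late; for the 2020-10-27 file both agree. Whichever epoch Splunk assigns to a test file tells you which of the two behaviours the hard-coded "EET" produces.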
Hi, With the time change, my logs are shifted by one hour (logs from an HEC input). It is the same for many logs from several sources, like logs from the Azure add-on (the props are correctly set with a TIME_PREFIX on the field Horodate). And the same from other add-ons... How can I fix this? Thank you!
Hi, Can anyone please help? We used a domain account as the username during the installation of the Splunk Universal Forwarder and we want to use a service account in place of that. Can we do it without uninstalling? Regards, Pankaj Upadhyay
Hello Splunkers, I have a question, please. I want to search a specific time range by specifying earliest and latest in the search. E.g. I searched for index="_internal" earliest=1 latest=now. But if you specify the last 15 minutes in the time picker, the search is done over the time picker's range. Why is this happening? Any help and tips will be greatly appreciated!