Hi guys, this little (?) thing has been wrecking my head all weekend. I'm trying to merge 2 stats commands, or somehow make my search look neater. I want to see the number of emails sent to a specific person, but some of the events are showing up as 1, despite having a few recipients.

The only way I can get this result is where I do 2 separate stats commands one after the other:

| stats last(eventTime) as Detected_Time, values(quarantineFolder) as Type, values(senderIP) as Sender_IP, values("threatsInfoMap{}.threatType") as threat_type, values("threatsInfoMap{}.threat") as threat, values("threatsInfoMap{}.threatUrl") as threatUrl, values(malwareScore) as malwareScore by Email_Sender Email_Recipient
| eventstats count as Recipient_occurrence by Email_Recipient
| stats last(Detected_Time) as Detected_Time, values(Email_Recipient) as Email_Recipient, list(Recipient_occurrence) as Recipient_occurrence, values(Type) as Type, values(Sender_IP) as Sender_IP, values(threat_type) as threat_type, values(threat) as threat, values(threatUrl) as threatUrl, values(malwareScore) as malwareScore by Email_Sender
| where isnotnull(Email_Sender)

Is there any other way to make it look better and more tidy? Any help and tips will be greatly appreciated!
I have an event in JSON which has key pairs like:

{ "timestamp": 157281937, "message": "abc\xyz\pqr\efg" }

I have to create a table of message with four columns, and the columns in the table will have the values abc, xyz, pqr, efg...

How can I do this?

Thanks in advance!
Hi team, I have the below sample raw data in Splunk:

2020-10-27 06:43:56.351 action=view_page httpSessionID = 11
2020-10-27 06:43:57.351 action=click_create_button httpSessionID = 11
2020-10-27 06:43:58.351 action=save httpSessionID = 11
2020-10-28 03:33:33.351 action=view_page httpSessionID = 22
2020-10-28 03:33:34.351 action=filter httpSessionID = 22
2020-10-28 03:33:35.351 action=update httpSessionID = 22
2020-10-29 01:11:11.351 action=view_page httpSessionID = 33

The number of events in an httpSessionID is dynamic. For example, it could be 1, 2, 3, 4... 10... 20 etc. Now I want Splunk to return me the first two events in an httpSessionID. How should the query look? Thanks, Cherie
Hello Everyone, please help us to fix the below warnings related to Python compatibility in Splunk Cloud.

1. Update custom CherryPy endpoints to be Python 3-compatible for Splunk Enterprise 8.0. Splunk Web, which CherryPy endpoints depend on, will support only Python 3.7. If you've finished your update, please disregard this message. File: appserver/controllers/s3_connector_script.py

2. Python files found. Update these Python scripts to be cross-compatible with Python 2 and 3 for Splunk Enterprise 8.0. See https://docs.splunk.com/Documentation/Splunk/latest/Python3Migration/AboutMigration for more information. If you've finished your update, please disregard this message.
Hi, I have the below query, but its output is "no results found". I don't know what mistake I am making. Please help.

index="entab_due" Session=2019 ClassName="* *"
| join type=outer AdmissionNo, FeeInstallmentName, Session [search index="entab_collection"]
| eval start = strptime(DueDate, "%d/%m/%Y")
| eval end = strptime(RecDate, "%d/%m/%Y")
| eval duration = round((end-start)/86400)
| where (duration > 45 and duration <= 75) AND (duration > 105 and duration <= 120) AND (duration > 120 and duration <= 180) AND (duration > 180)
| table AdmissionNo,StudentName
We just upgraded our SE low environment to v. 8.0.6 and the "Roles" sub-menu disappeared from the Settings menu on the Search Heads (we have a Search Head cluster). We can get there directly by going to https://<our_url>/en-US/manager/search/authorization/roles, but not via Settings -> Roles. At the same time the "Roles" sub-menu is available for navigation on other servers in the same environment, also upgraded to v. 8.0.6. Any ideas would be appreciated.
Hi guys. I've got both Palo Alto and Fortinet logs coming in to my Splunk instances and have the appropriate apps set up for each. The thing I'd like to do is see if there are any chatty and mostly useless events I can have Splunk drop and not process before it is received and counted against my license. Palos are pretty good about how to trim in the FW itself, but the Fortinet isn't quite as granular. Is there something I can put in an inputs.conf file (or another similar app conf file) that will tell it to just drop an incoming event if it contains X?
Hello, I configured Splunk to start at boot time. I checked the permissions and the script, and it all looks good to me, but when I reboot the server, Splunk is not starting up automatically. Here is my init.d script:

#!/bin/sh
#
# /etc/init.d/splunk
# init script for Splunk.
# generated by 'splunk enable boot-start'.
#
# chkconfig: 2345 90 60
# description: Splunk indexer service
#
RETVAL=0
USER=splunk

. /etc/init.d/functions

splunk_start() {
  echo Starting Splunk...
  su - ${USER} -c '"$SPLUNK_HOME/bin/splunk" start --no-prompt --answer-yes'
  RETVAL=$?
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/splunk
}

splunk_stop() {
  echo Stopping Splunk...
  su - ${USER} -c '"$SPLUNK_HOME/bin/splunk" stop'
  RETVAL=$?
  [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/splunk
}

splunk_restart() {
  echo Restarting Splunk...
  su - ${USER} -c '"$SPLUNK_HOME/bin/splunk" restart'
  RETVAL=$?
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/splunk
}

splunk_status() {
  echo Splunk status:
  su - ${USER} -c '"$SPLUNK_HOME/bin/splunk" status'
  RETVAL=$?
}

case "$1" in
  start)
    splunk_start
    ;;
  stop)
    splunk_stop
    ;;
  restart)
    splunk_restart
    ;;
  status)
    splunk_status
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
    ;;
esac
exit $RETVAL

Once the VM is up after the reboot, when I manually check the status of Splunk it says it's not running and I get the messages below:

splunkd 6519 was not running.
Stopping splunk helpers...
[ OK ]
Done.
Stopped helpers.
Removing stale pid file... done.
splunkd is not running.
I have a device that is set up to send syslog to Splunk and everything is working great. I can see the syslog in Splunk, but how do I set up secured syslog from Splunk? I'm not sure if the link below is what I need to set it up. https://community.splunk.com/t5/All-Apps-and-Add-ons/Setup-Secure-Encrypted-Syslog/m-p/391221 Please point me in the right direction.
I am trying to create a "monitoring" dashboard that compares the data count in a client's database to the count in our corporate database. For each Event Name (sourcetype) I have the following metrics: nVerifyEvents, nPropertyEvents, nReceivedEvents. I want to display all 3 metrics per Event Name per date for the last 7 days. Here is a screenshot of what I have so far. Is there any way to create a chart so it displays like this? If this isn't possible, do any of you have some suggestions on a way to display this information on a dashboard? Should I do each date as a separate chart and put them on the same row in the dashboard? In my opinion it would be overkill to have the Event Name listed for each date, but if that's the only way to go then it will have to work. I will also need to set up notifications if nReceivedEvents < nPropertyEvents so that we can address any missing data right away. Thanks for any help or suggestions you send my way.
Hello, I am trying to run a query like below:

basequery | where match(stringFieldConsistingOfNumsDelimitedBy#, numField)

Apparently the numField is not able to evaluate and yield rows. I tried converting numField as below, but it returns no rows:

| eval strConvFld = tostring(numField)
| where match(stringFieldConsistingOfNumsDelimitedBy#, strConvFld)

When I inspect strConvFld, it's coming out as null. I am not sure if my approach is correct. Any help is much appreciated. Please advise. Thanks.
Hello everyone, greetings. Looking for help using the rest command or any other way to create an alert for when an app update is available on Splunkbase; basically it should alert when new versions are available on Splunkbase.

| rest /services/apps/local | search disabled=0 core=0 | dedup label | table label version

This one gives the current version of the apps.
Hello Splunk Community, I have 2 reports I am trying to combine into 1. The fields are different from each other. Say Report 1 has field1, field2, field3, field4, field5 and Report 2 has field6, field7, field8, field9. Report 1 uses a weekly time range earliest=-1w@w latest=@w1. Report 2 uses a year-to-date time range earliest=@y latest=@w1. I tried using append, appendcols and join, but the values are getting messed up and not lined up together. Please help.
I have the Splunk Jenkins plugin in use, but I cannot find the RobotFramework test tags in the raw data. Should I do some custom configuration on the Jenkins side so that it would add the test-level RobotFramework tags into the testcase data? Below is an example from the Robot results. Is the plugin sending only the "Test results", but not the "Robot Results", to Splunk? Currently I can find only the following test-level results in Splunk.

{
  classname: Testsuites.Assistant tests.Configurations
  duration: 307
  errordetails: *HTML* ...
  errorstacktrace:
  failedsince: 329
  groupname: Testsuites
  skipped: false
  status: FAILURE
  testname: Assistant For External Callers
  uniquename: Testsuites.Assistant tests.Configurations.Assistant For External Callers
}
Hi All! When we choose to send an email as an alert action in Splunk, is there a way for Splunk to take the oldest ServiceNow incident in the alert results and link to it, or at least provide its info (e.g., incident number) in the email it sends out with the alert?
Hi everyone! I'm trying to have Splunk modify incidents in ServiceNow. For example, when an alert is triggered in Splunk based on ServiceNow data, I would like Splunk to take the oldest ServiceNow incident event that triggered the alert, and have Splunk go into ServiceNow to escalate that incident's priority and also make other related incidents in the alert's results the children of that oldest incident in ServiceNow. Does Splunk have this power?
Hi Splunkers, I am trying to get Salesforce version 49 logs into my Splunk (Cloud) instance. I have installed the add-on, but that supports only versions 42 to 48, and hence I am getting an error. Do we have any workaround here? Any pointers? I appreciate your help in advance.
I am trying to add and search data directly from my local file directory in Splunk. I went to Settings > Data inputs > Add new Files & Directories > Start searching data. When I chose to continue searching the data, no results showed. Why is this?
CREATE OR REPLACE PROCEDURE BSDTADLS.DMS_Main (Query_type in varchar, query_id in varchar, outResults out sys_refcursor) as
BEGIN
  IF upper(Query_type) = 'F' THEN
    open outResults for
      select distinct A.J_BACI, A.J_BAGT, A.J_BAZC, A.J_BBS_, A.J_BAJ8, A.J_BAO8, B.J_MBTI, c.J_NOHT
      from J_COM A
      left join J_CLMS B ON A.J_BACI = B.J_MBXI
      inner join J_CTUN c on A.J_crpi = c.J_NOGI and c.J_NOFC = '02'
      WHERE A.J_BACI = query_id;
  ELSIF upper(Query_type) = 'L' THEN
    open outResults for
      SELECT distinct A.J_MBTI, A.J_MEE_, A.J_MCFC, A.J_MCI8, A.J_MCJ8, B.J_Mvfi, B.J_MVGT
      from J_CLMS A
      Inner join J_CUPI B ON A.J_MBWI = B.J_MVAI
      WHERE A.J_MBTI = query_id;
  ELSIF upper(Query_type) = 'A'
  END IF;
END DMS_Main;
Hello, is there any way to disable EUM dynamically without refreshing the page? E.g. a user logs into the SPA application, but he changes his privacy settings and we need to disable AppDynamics totally on the browser side. Is that possible? We are injecting AppDynamics with SPA2 (https://docs.appdynamics.com/display/PRO45/SPA2+Monitoring). Thank you in advance for your help.