All Topics


Hi Guys, I'm trying to match a result from one search to an inputlookup. The original search contains the "spath" command because the source sends the logs in JSON format.

Here is the first search:
    index="MyIndex" some search filters | spath "EmailAddr" | table "EmailAddr"

Here is the second search:
    [| inputlookup all_identities.csv | fields email ]

The end goal is to take the "EmailAddr" from the first search and match it with the field "email" from the second search, so that only email addresses that are in the inputlookup are returned by the search. The email address needs to be in both the search and the inputlookup. I've tried to use the | eval email = spath(_raw,"email") command to place the "email" value in the eval field, but that did not do the job. I would really appreciate the community's help on this. Thanks!
I have a dropdown and I want to show values between 0 and 10, 10 and 20, and 20 and 30.

    <input type="dropdown" token="Nb" searchWhenChanged="true">
      <label>Nb</label>
      <choice value="0--10">0--10</choice>
      <choice value="10--20">10--20</choice>
      <choice value="20--30">20--30</choice>
    </input>
Hello, I want to create a dashboard that monitors failed jobs (the saved searches that I can see in the activity page). How can I search for failed jobs? I saw that ITSI can do it, but I wonder if there is a way to do it with Splunk itself. Thanks
Hello, today my lookup files are owned by "nobody". In order to change their permissions I have to assign them to another user such as admin (all the lookups are located under system and not under a specific app). Since we are working with Kubernetes, we are duplicating our environments and all the changes have to be made in the configuration files and not via the web. Where is this file located? Thanks, Sarit
Hi all, I need some help in comparing 2 fields; the other field has multi values.

    Field 1     Field 2
    127.0.0.1   127.0.0.1 127.0.0.2
    127.1.1.1   127.1.1.2
    127.1.1.2   127.1.1.3 127.1.1.4

I want to compare these 2 fields: when field 1 has a matching value in field 2, it will return "matched" in a new field I'm going to make, but the records in field 2 don't always have multi values. I'm expecting the result as below:

    Field 1     Field 2                         New_Field
    127.0.0.1   127.0.0.1 127.0.0.2             matched
    127.1.1.1   127.1.1.2                       not matched
    127.1.1.2   127.1.1.3 127.1.1.4 127.1.1.5   not matched

I'm still new to Splunk search and need some advice on how I could do the compare on a multi-value field as above. I'd really appreciate it if someone could help with this.
Hi, can I check how I can output this row in a proper format? E.g.

    <LogonTriggers>
        <Enabled>
            ..........
        </Enabled>
    </LogonTriggers>

My file source type is csv format, if that is of any help.

    | rex "(?ms)\<Triggers\>(?<Triggers>.*?)\</Triggers\>" | table Triggers
How can I convert the replication-factor raw log to searchable data in case the searchable data is not available in an indexer? Is this an automated process by the indexer or a manual process?
Hello Splunk users, can someone help me with a solution? I am running my base search query to see the error in the response, but the error ID coming in the response is not showing as a field, so I am not able to generate a timechart for all the different errors/error IDs. I need your help on this; since I am very weak in using the rex command, I can't think of a solution on my own.

Base search query:
    ("Unexpected partner error.." OR "Timeout occurred waiting for response from Fulfillment - java.net.SocketTimeoutException: Read timed out") GenerateBookingResponse ERROR source="/var/log/myapp/electronic-purchase-service/electronic-purchase-service.log"

Below is a sample of the error response. Every error has a unique errorid associated with it:

2019-01-10 19:39:21.454 [https-jsse-nio-8080-exec-10] [hdhdhda704-4444-44a1-bbbb-52857lllcd1d] INFO  EndpointLogger - endpoint=my-endpoint; operation=createOrder; duration=4517, response=<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns3:GenerateBookingResponse xmlns:ns1="urn:myworld:dom:common:defn:v1" xmlns:ns10="urn:myworld:dm:hhhhh:hhhhh:define:v1" xmlns:ns11="urn:myworld:dom:supply:messages:defn:v1" xmlns:ns12="urn:myworld:dom:vvvv:datatype:define:v1" xmlns:ns13="urn:myworld:c3:data:placetypes:defn:v4" xmlns:ns14="urn:myworld:c3:data:messagetypes:defn:v5" xmlns:ns2="urn:myworld:ddom:datatype:define:v1" xmlns:ns3="urn:myworld:dom:order:messages:v1" xmlns:ns4="urn:myworld:ord:order:persisttypes:v2" xmlns:ns5="urn:myworld:c3:data:financetypes:define:v5" xmlns:ns6="urn:myworld:c3:data:financetypes:defn:v4" xmlns:ns7="urn:myworld:c3:data:basetypes:defn:v4" xmlns:ns8="urn:myworld:c3:data:timetypes:define:v4"><ns1:MessageInfo CreateDateTime="2019-01-10T19:39:16.935-07:00" MessageGUID=“0102037-048a-49a9-08u5-2222ba059e2a" TransactionGUID=“11111111-ac11-1a11-22d7-eb1a2c333333><ns1:DebugTraceBoolean>false</ns1:DebugTraceBoolean></ns1:MessageInfo><ns1:MessageStatus><ns1:Status>Failure</ns1:Status><ns1:ErrorList><ns1:Error><ns1:MessageTransactionInfo><ns1:Category>ExternalError</ns1:Category><ns1:Code>0000</ns1:Code><ns1:Description>Unexpected partner error..</ns1:Description><ns1:Namespace>urn:myworld:c3:ss:electronic:digitalinterface:purchasecommontypes:define:v2</ns1:Namespace><ns1:ExternalErrorList><ns1:ExternalError><ns1:ExternalErrorID>10007</ns1:ExternalErrorID><ns1:ExternalErrorDescription>Unexpected partner error..</ns1:ExternalErrorDescription></ns1:ExternalError></ns1:ExternalErrorList></ns1:MessageTransactionInfo></ns1:Error></ns1:ErrorList></ns1:MessageStatus><ns1:MobileOrderProcessRelationNO>ab7cdc43-f8a6-4cdf-0000-33t4f530u65a</ns1:MobileOrderProcessRelationNO></ns3:GenerateBookingResponse></soap:Body></soap:Envelope>

I need to generate a timechart based on the error or error ID. Thanks a lot in advance.
Hi, I'm trying to use SplunkHTTPAppender in production. The setup (log4j2.xml) works in the development environment, but when I switch to production, the HTTP collector metrics (_introspection) start to show data.num_of_requests_to_incorrect_url > 1 and no events are posted. Is there a way to know the URL used in event posting? And what are the criteria for determining a wrong URL? Thank you!
If we face any issue during a Splunk Enterprise version upgrade, how do we downgrade Splunk Enterprise to the older version if the installation was done using the tar method?
We have two system logs:
1. "Exception in fetching FR response for warehouse published with BusinessKey=XYZ"
2. "Sucessfully extract data for BusinessKeyValue='XYZ' "

I just want to create a table [Time of log of First System, Time of Second System] where BusinessKey==BusinessKeyValue.
Hi Team, we are trying to get data onboarded to Splunk Security Essentials. We do not have clear visibility into the functioning of the app. I have now onboarded DNS data onto my Splunk indexer using the Splunk Stream app; it's in index=netdns as per the Splunk docs specification. Now how do I turn on all the use cases related to DNS in Splunk Security Essentials? I followed the onboarding guide provided in the app (https://docs.splunksecurityessentials.com/data-onboarding-guides/stream-dns/).
Hello, I'm a newbie with Splunk. I have a question. How can I static and draw data from 4 NICs in one computer on Splunk?
My indexer server's CPU usage is going above 97%. How can I troubleshoot this using a Splunk query?
If the Splunk Enterprise setup was done using the .deb package in the first place, can the Splunk Enterprise version upgrade be done by the tar method afterwards?
I am a beginner learning Splunk. I have data that I want to read through Splunk; it is firewall data with a size of 2.7 GB. In the free Enterprise version, the maximum data upload from a computer is 500 MB. What is the solution so that I can still process my large firewall data?
I got a variable called _host_name which = usscic-secfio102.na.xxx.com. I need to derive a variable called host_short which will have the value usscic-secfio102. I use the Ruby regular expression editor to figure out the expression to get the string I need; it's ^\w+.\w+ How do I integrate it into the query using rex?

    index=cisco sourcetype=cisco_asa AND vendor_action=permitted AND host=158.11.333.444 | eval service=transport."/".dest_port | lookup dnslookup ip as host output host as host_name | rex????? | table host_short
While creating a new DB Input in DB Connect 3.4.0, I need to set the host value per event as it is indexed. It's a SQL statement with a column named "DeviceName", and I want host=[DeviceName value] for each event. So far I can only hard-set the host value in the input, but not based on the data. Help, anyone? Thanks! Joe
Can you help me with this regex pattern? I only need the numbers.

    simNumber\" "2201240132708969900\"

I am using "simNumber\\\":\\\"(?<sim>[^\\]*)"
Hi there, I have a dashboard with a text box field. My goal is to make this field more flexible for different input variations so that you don't need an exact text match to get a result. Basically, how can I transform the token value of the input so that the token value in my SPL query is all lower case without spaces? For example, if someone searches for any of the following:
    "Bank of America"
    "bank of America"
    "bank of america"
    "BANK OF AMERICA"
the token value for all the entries above will be transformed to "bankofamerica" (no spaces, all lower case), which will THEN be used as a search value in my SPL query. I just know the basics of token usage, but haven't done any transforms and the documentation is confusing... please help!!