I would like to know the process of submitting two of our apps, "SailPoint Adaptive Response" and "SailPoint IdentityNow AuditEvent Add-on", for Splunk Cloud compatibility. I came across a form named "Cloud App/Addon Requests". Is this the correct form for submitting the request? If yes, what do the following form fields mean, and what is the expected answer for each?
1. Select cloud stack
2. Expected Install location
If this is not the correct form, please let me know which other way to proceed.
Form Image:
Any help would be appreciated. Thank you!
Hello Experts, I need to generate a series of values in the form of Year-Month to be part of the drop-down list in the panel. I was trying the below, but it only generates the data for one month:
|makeresults
| eval month = strftime(relative_time(now(), "+3mon@mon"), "%B %Y")
| return $month
Jan 2021
Expected Output:
Jan 2021
April 2021
JULY 2021
I'm creating a number of correlation searches, and I'd like to be able to send an email ONLY when an episode has been open for more than X number of minutes. If I go into the aggregation policy and set 'If this episode existed for X second(s)', then any event that is added to the episode after X seconds triggers an additional email, which potentially could be a lot of emails. I haven't been able to find a combination of settings that will just send an email once from the aggregation policy rules. I considered the option of creating an alert search for an episode that has been up for a certain period of time in a 'New' state, but I'd prefer for it to be built into the aggregation policy. Has anyone else hit something similar?
I'm using a free Splunk instance to develop dashboards, mostly with Simple XML, before I deploy them to the production system. The trial license of the free Splunk instance has expired. I can still use it for development. However, when I tried to use JavaScript to extend a dashboard, I could not get the JavaScript working, in the sense that I don't see the print-out statement executed, as I could not see the print-out on the web console. I only got the following error message:
"common.js:1063 GET http://l-yshen:8000/en-US/splunkd/__raw/servicesNS/admin/search/alerts/alert_actions?output_mode=json&search=(is_custom%3D1+OR+name%3D%22email%22+OR+name%3D%22script%22+OR+name%3D%22lookup%22)+AND+disabled!%3D1&count=1000&_=1602204254014 402 (Payment Required)".
I wonder what the meaning of the error message is? I guess that it might have something to do with payment/license. The JavaScript file in question, common.js, is not mine; it is probably from Splunk itself. Any suggestion how I can get my JavaScript running, or how to investigate the root cause of it not running? I wish to learn how to find any response or clue about my mistakes. Here is the script that I am having difficulty with:
require([
    'jquery',
    'underscore',
    'splunkjs/mvc',
    'splunkjs/mvc/simplexml/ready!'
], function($, _, mvc) {
    var multi1 = mvc.Components.get("multi1");
    multi1.on("change", function() {
        var current_val = multi1.val();
        console.log("Current Vals: " + current_val);
        var first_choice_value = multi1.options.choices[0].value;
        if (current_val.length > 1 && current_val.indexOf(first_choice_value) == 0) {
            multi1.val(_.without(current_val, first_choice_value));
        }
        if (current_val.length > 1 && current_val.indexOf(first_choice_value) > 0) {
            multi1.val([first_choice_value]);
        }
    });
});
It's copied from here: https://www.youtube.com/watch?v=kQLV9AOL-FE&t=503s
Hello, we've a directory structure as follows:
/apps/ftp/user/logs/admin -- main directory
sub-directories: 2018 2019 2020
and furthermore each year sub-directory has directories with months as 01 02 03 04 05 06 07 08 09 10
Under the month directories we have csv log files, so to access a csv file for today: /apps/ftp/user/logs/admin/2020/10/20201008.csv
Here is the monitor stanza to read this file:
[monitor:///apps/*/user/logs/admin/.../.../*.csv]
disabled = false
sourcetype = csv
index = user-access-logs
crcSalt = <SOURCE>
But it's not reading the logs and there is no error in the splunkd logs. Can someone help me in correcting the monitor stanza if I've made a mistake?
Hi, I want to combine 3 different sourcetypes in a single table. The column names used to join them are different in all 3 sourcetypes. E.g.:
Sourcetype = a: ID name location
Sourcetype = b: PID country
Sourcetype = c: id contact_number
Kindly help to get output as follows: PID name location country contact_number
There are more than 50 columns I want in the table.
Thanks & Regards
Hi Guys, I need help in sorting the date.
Month_Value
27-Aug-20
17-jul-20
4-sep-20
30-jul-20
16-jul-20
I have to sort them in the order mentioned below:
Month_Value
16-jul-20
17-jul-20
30-jul-20
27-Aug-20
4-sep-20
Can someone please help me here? I have checked some solutions and tried them, but nothing seems to work. Thank you in advance.
I have two monitored logs for which no new events are being collected. The Splunk logs don't show any (new) issues or errors, although I did spend quite some time trying to understand if the encoding is the problem. Seeing many: "Using charset UTF-16LE, as the monitor is believed over the raw text which may be UTF-8". But these appear for logs that are working and logs that are not. More digging shows the logs stopped being collected *exactly* after midnight. The first two were collected and the second two were not.
[I 06/00000040/T06BC/P0AA0] 30-09-20 23:47:13 - Client Rules: rule 'Internal Access Policy' matched.
[I 06/0000000A/T06BC/P0AA0] 30-09-20 23:47:13 -Server RAS-SH3:3389 is available
[I 0E/00000000/T1920/P0AA0] 01-10-20 00:15:28 - Session login for userwas successful.
[I 06/00000040/T1920/P0AA0] 01-10-20 00:15:28 - Client Rules: rule 'External Copy and Paste and Printer
I'm guessing I'll need to use props.conf to set the TIME_FORMAT for these particular files in the app that is collecting them. I've not had to dig this deep into Splunk props before. Wishing myself luck...
Hi, I am combining fields using strcat as shown below, and I want to have "N/A" in the same field if the result of strcat is null. But for some reason, the isnull or isnotnull command used after strcat is not identifying null values. Am I missing something here?
|strcat Key_1 Key_2 Key_3 Key_4 Testing_Key
|eval Testing_Key=if(isnotnull(Testing_Key),Testing_Key,"N/A")
The result should be either the value of Testing_Key when it's not null, and it should be "N/A" when Testing_Key is null. Thanks, Rohan Kinhikar
Hi, how do I properly append the server's hostname, i.e. $HOSTNAME, to the source? This was my failed attempt:
#transforms.conf
[append-hf-hostname-to-src]
SOURCE_KEY = source
REGEX = (.*)
FORMAT = source::$1:$HOSTNAME
DEST_KEY = MetaData:Source
#props.conf
[my:cute:sourcetype]
TRANSFORMS-newsrc=append-hf-hostname-to-src
Thanks in advance.
Hi Team, currently we are using Splunk Cloud version 8.0.2006. We upgraded the HF to version 8. Now we are planning to upgrade the deployment server from version 7.x to 8.x. Kindly share the implementation procedure steps and related documents.
Regards, CR
One user wants to share his private Alert knowledge object in an app with everyone. However, when he tried to share it he got the message "already other object exists with same name". When we checked, there is a saved search with the same name that already exists in the app's local folder. We tried to fix it by cloning this alert with another name and sharing that. However, this user has many alerts which need to be shared in the app with everyone, but saved searches with the same names already exist on the server. How can I fix this issue? He does not want to clone each time he wants to share this alert with other users.
Greetings Everyone! I am a little confused; hope you can help me. I am trying to assign a value to other rows that are blank in a field using some value of the same field. Let me set an example here:
What I have:
IP        | Model      | Several other fields
127.0.0.1 |            | .....
127.0.0.1 | AMD Ryzen  | .....
127.0.0.1 |            | .....
127.0.0.2 |            | .....
127.0.0.2 | Intel Core | .....
What I need to accomplish:
IP        | Model      | Several other fields
127.0.0.1 | AMD Ryzen  | .....
127.0.0.1 | AMD Ryzen  | .....
127.0.0.1 | AMD Ryzen  | .....
127.0.0.2 | Intel Core | .....
127.0.0.2 | Intel Core | .....
What I want to do is to make each row take the unique available value for Model, taking the only non-blank value that shows up for that IP, while still being able to count the events. I tried with stats values(Model) by IP, Several Fields, but 1 - it still shows blank spaces, and 2 - it breaks the event statistics, so I want to count each entry of the several fields. Could you please show me the best way to do this? Thank you in advance!
I am trying to create a timechart of errors, but it is not working:
index=xxx AND source = xxxx AND (Error* OR Exception*) | timechart distinct_count(txnid) as errCount | eval RAG = case ( errCount > 200, "Red", errCount > 100 AND errCount <=200, "Amber" , 1==1, " Green")
<option name="charting.fieldcolors">{"Red": 0xD93F3C, "Amber": 0xFF9933, "Green": 0x009933}</option>
I want to remove the header tag in the XML during search time, as it was not properly quoted. Please help with the command. I have to remove this tag from the data during search time:
<?xml version=1.0 encoding=utf-8?>
@kamlesh_vaghela
<?xml version=1.0 encoding=utf-8?><Material><ID>1</ID><Equip>001</Equip><Date>20201009</Date><Posting>20201009</Posting>
Error running https://<server>:8000/en-US/debug/refresh
I have recently started receiving a 503 error when trying to execute the debug refresh feature. This has worked just fine previously. I receive this error after pressing the "Refresh" button on the https://<server>:8000/en-US/debug/refresh page.
v7.2.7 Enterprise Security server
splunkd is running
Normal Splunk UI is accessible just fine
Unable to correlate the error with any message(s) in splunkd.log (not saying there are none, just nothing that I can make sense of with regard to this)
**************
503 Service Unavailable
Oops. The splunkd daemon cannot be reached by splunkweb. Check that there are no blocked network ports or that splunkd is still running.
Click here to return to Splunk homepage.
<Confused equine>
**************
Hello, I'm trying to load a custom rex field extraction if another field has a certain value, for example:
if logtype=system then search | rex field=_raw .....
if logtype=application then search | rex field=_raw ....
logtype | username | _raw
system | | user=002
application | | suser=004
Thanks in advance!
Hi to everyone, I have some trouble setting a correct output for a search query. This is the starting situation of the logs. I've created a regex for a cleaner situation:
host="xxxxx" | rex "time\":\"(?<time>[^\"]+)" | rex "fullname\":\"(?<fullname>[^\"]+)" | rex "confname\":\"(?<confname>[^\"]+)" | table time, fullname, confname
So now I have this situation: it's clear, but I need a situation where I can see the first and last time a user logged in (the system logs a timestamp for users as long as the user is logged in), something like:
Time start | Time Stop | full name | confname
Does someone have some suggestions?
P.S. To help other people in my situation, these are the logs of the Big Blue Button software.
Hi All, I need assistance with counting two fields in a single query. I'm trying to modify an existing alert to exclude white noise. I'm trying to achieve the following: if a country count is more than 10, or a Username count is more than 5, they should be excluded. The query compiles but no data is presented; I suspect the stats count usage is inaccurate.
Example of Query - what I'm trying to achieve:
source="**********.log" "NOTICE Passed-Authentication: Authentication succeeded" earliest=-30d@d latest=now | iplocation src_ip | stats count as Country_Count by Country , count as Username_Count by User_Name | where (Username_Count < 5 OR Country_Count < 10)
Output of Data - Country
Country       | Country_count
United States | 8
Eswatini      | 9
Russia        | 1
Mozambique    | 1
Netherlands   | 1
Zambia        | 6
Output of Data - Username
User_Name        | Username_Count
abc@domain.com   | 1
abc2@domain.com  | 1
abc3@domain.com  | 1
abc4@domain.com  | 4
abc5@domain.com  | 1
abc6@domain.com  | 2
I signed up to access the free SaaS trial on the home page, but I got the error "something went wrong and SaaS trial can't be setup at this time" (error_1). After sign-up I was logged into my account, and when I tried to start my free trial again I got a second error that the page you want to access does not exist (error_2). I have added pictures of the home page, error_1 and error_2 for your reference.