Hi Splunk Gurus! I have come across an absurd issue where my eventstats is not recognizing the field value.

Sample problem:

Field1    source
(Blank)   dummy_source.csv
Record1   dummy2_cource.csv

Query:

| eventstats dc(source) as check by Field1

Expected output:

Field1    source              check
(Blank)   dummy_source.csv
Record1   dummy2_cource.csv   1

Current output:

Field1    source              check
(Blank)   dummy_source.csv
Record1   dummy2_cource.csv

Additional info: I have the following message in my Splunk: "Failed to register with cluster master..." (not sure if it's got something to do with the problem). Any help is appreciated! Thanks
I am trying to configure Splunk_TA_nix to collect *nix data from our HF, but the inputs aren't being enabled. We have a clustered environment. I have followed the Splunk doc to install and configure the add-on, but on attempting to enable the metrics via the UI, the em_metrics index is already selected and greyed out, and it says the search produced no results. I checked the splunkd logs and could not find any error related to this. Any help appreciated, thanks.
Hi, I need your help please with a query:

| tstats summariesonly=true allow_old_summaries=true dc(Malware_Attacks.date) as "day_count",count from datamodel=Malware.Malware_Attacks by "Malware_Attacks.dest","Malware_Attacks.signature"
| rename "Malware_Attacks.dest" as "dest","Malware_Attacks.signature" as "signature"
| search dest="10.0.0.0/8" OR dest="192.168.0.0/15" OR dest="172.16.0.0/12"
| where 'day_count'>3

I got an error:

"type": "ERROR", "text": "[idx-indexname.splunkcloud.com] The search process with search_id="remote_sh-i-idx-indexname.splunkcloud.com_1" may have returned partial results. Try running your search again. If you see this error repeatedly, review search.log for details or contact your Splunk administrator."

How can I fix that? Thanks
lookup_file.csv has the data as below:

dId,count,perc

Use case: the user selects a dropdown value based on the lookup's dId field. Once selected, I want to populate count and perc for the selected dId as HTML text, so that the user knows the count and perc for the dId selected in the dropdown.

<panel>
  <input type="dropdown" token="lookup_Id" searchWhenChanged="true">
    <label>Select ID</label>
    <fieldForLabel>id</fieldForLabel>
    <fieldForValue>dId</fieldForValue>
    <search>
      <query>| inputlookup lookup_file.csv</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <prefix>"</prefix>
    <suffix>"</suffix>
    <change>
      <condition value="$lookup_Id$">
        <set token="count"><query>|inputlookup lookup_file.csv | where dId="$lookup_Id$" | table count</query></set>
        <set token="perc"><query>|inputlookup lookup_file.csv | where dId="$lookup_Id$" | table perc</query></set>
      </condition>
    </change>
  </input>
  <html>
    <i>$lookup_Id$: Count is $count$, Percentage is $perc$</i>
  </html>
</panel>

Currently I get:

"001": Count is |inputlookup lookup_file.csv | where dId="$lookup_Id$" | table count, Percentage is |inputlookup lookup_file.csv | where dId="$lookup_Id$" | table perc

Meaning the dId is populated correctly, but the other two tokens under change/condition are not evaluated; rather, the query string is printed as-is. Please help me with this.
Hi guys, looking at the Splunk Dashboards app here. Just wondering if this is simply an app that makes it easier to generate custom HTML or Simple XML dashboards, or if it is utilizing a new framework for dashboards.
Java code:

package com.ibm.splunk;

import java.util.HashMap;
import java.util.Map;
import com.splunk.Service;
import com.splunk.Args;
import com.splunk.Receiver;

public class SplunkService {
    public static void main(String[] args) {
        Map<String,Object> splunkObj = new HashMap<String,Object>();
        splunkObj.put("host","localhost");
        splunkObj.put("username","admin");
        splunkObj.put("password","password");
        splunkObj.put("port",8000);
        splunkObj.put("scheme","http");
        Service splunkLogObj = Service.connect(splunkObj);
        Receiver splunkLogReceiver = splunkLogObj.getReceiver();
        Args logDebug = new Args();
        logDebug.put("sourceType","hellosplunk");
        splunkLogReceiver.log("main", logDebug, "sql");
    }
}

After executing I am getting the following exception (the body of the HTTP response is the Splunk Web "Page not found!" HTML page; its stylesheet, script and SVG are omitted here):

Exception in thread "main" com.splunk.HttpException: HTTP 404 -- <!DOCTYPE html ...> [...] <title>Page not found! - Splunk</title> [...] <p class="status" data-role="page-status">404 Not Found</p> [...] <h1 data-role="error-title">Oops.</h1> <p data-role="error-message">Page not found! Click <a href="/" data-role="return-to-splunk-home">here</a> to return to Splunk homepage.</p> [...] <a href="/en-US/app/search/search?q=index%3D_internal%20host%3D%22DESKTOP-OCM7KU1%22%20source%3D%2Aweb_service.log%20log_level%3DERROR%20requestid%3D5f79fbcf721d31000b048" target="_blank">View more information about your request (request ID = 5f79fbcf721d31000b048) in Search</a> [...] </html>
    at com.splunk.HttpException.create(HttpException.java:84)
    at com.splunk.HttpService.send(HttpService.java:500)
    at com.splunk.Service.send(Service.java:1295)
    at com.splunk.HttpService.post(HttpService.java:348)
    at com.splunk.Service.login(Service.java:1124)
    at com.splunk.Service.login(Service.java:1103)
    at com.splunk.Service.connect(Service.java:189)
    at com.ibm.splunk.SplunkService.main(SplunkService.java:20)

Please help me.
Hi, does anyone know the benefits of the search command? search src="10.9.165.*" and src_ip="10.9.165.*": any difference?
I have Splunk version 7.3.1 and I see the message: APPSERVER_PORT_ZERO The value for "appServerPorts" is set to 0. I have tried many different combinations, like:

- "appServerPorts = 0": I get a warning message.
- If I comment out that line in local/web.conf, then the value in default/web.conf is used, and splunkweb does not start.
- If I comment them out in both places, I get a warning about "appServerPorts = 0".
- If I set "appServerPorts = 8065" or some other unused value, splunkweb does not start.

I have attached a screenshot of the error message. Any input would be appreciated.
I want to have a dropdown filter which is filled dynamically. The filter should have the following options:

1. Latest 5 numbers
2. Latest 10 numbers
3. Latest 15 numbers

These numbers should be populated from some time field. There is an existing time field, and the last 5 numbers should be queried out according to that time; accordingly, the dropdown should be grouped as last 5 numbers, last 10 numbers and last 15 numbers.
Are internal events compressed to 50% as normal events are? If the average raw size of events in metrics.log is 150 bytes, will storing them on the indexer take approximately 75 bytes?
Given the free sample HTTP stream data downloaded from the Splunk website, I have two questions about start time, record time and end time. (1) Is "_time" the time recorded by the Splunk index? How do I output it in "H:MM:SS" format and "HH:MM:SS" format respectively? For example, for 18:27.36.257, HH:MM:SS will be 18:27:36 and H:MM:SS will be 6:27:36. (2) Say a user enters hacker.com/a.js in Chrome at 18:27:36; at 18:27:50 a.js starts loading; at 18:28:59 a.js finishes execution. Would the Splunk index capture start time, record time and end time? What are the fields? Thanks
Hi, we are trying to understand whether there is a way to create a dashboard to show the request/response flow, including request and response time, based on an ID (traceid or sessionID). In every request from browser (UI) -> back end (microservice) -> back end (multiple dependent services), we are passing a traceid to trace the request, and we are logging it in every service. So we want to create a dashboard to show where the response took a long time, where the request failed, etc. Any suggestions/thoughts? Please find the attached diagram for an example.
Hello, I would like to create an email alert based on the following manually entered search string. The time frame used was a 3-minute period, say from 1:02am to 1:05am, 10/2/2020. As one can see from the result, only 3 reasons are present, and that is fine, as I know more would be reported if there were other reasons to report.

index=firewall host=10.10.10.10 | top limit=20 reason

Below is an example of the output:

reason              count    percentage
Idle Timeout        582      88.7197512
Transport Closing   42       6.402439
DPD Failure         32       4.878049

It is my desire to have this alert be generated any time a reason is equal to or greater than 70% for a 3-minute period. The trigger would be any reason passing that threshold percentage of 70%. I understand this is considered "rolling window triggering"; as such, the following document was referred to me: docs.splunk.com/Documentation/SplunkCloud/latest/Alert/DefineRealTimeAlerts#Create_a_real-time_alert_with_rolling_window_triggering

That said, I did not find those instructions to be helpful for a percentage threshold trigger alert. Perhaps what I am hoping to do cannot be done. Nonetheless, I thought I would inquire with the Splunk community. FYI, we are on version 7.3.5 and have no idea when an upgrade is taking place or to what version. Your time, help, patience and feedback are appreciated.
Hello, I've read through the documentation on external lookups with Python and read through a few posts, and could use some guidance. What I am trying to do is use this Python script: giving the script the arguments protocol src_ip dest_ip src_port dest_port gives you a calculated hash. Running it on its own works fine. This is what I've done so far:

Python script added to: $SPLUNK_HOME/etc/apps/search/bin

Added stanza to transforms.conf:

[cid]
external_cmd = community-id.py Protocol SourceIp DestinationIp SourcePort DestinationPort
external_type = python
fields_list = Protocol, SourceIp, DestinationIp, SourcePort, DestinationPort

I've tried several examples of search commands that were in the documentation and that others have used, but none returned any results (errors). So I'm not really sure if I'm doing this correctly. I've noticed that some examples have their Python scripts output to a .csv? Is that necessary? Should I approach this another way?

BLUF: I want to pass some fields into a Python script to give me a calculated hash in a new field.
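The post above asks what an external lookup script has to look like. The block below is an added example, not the poster's script and not Splunk's own code: a Python 3 external lookup that computes a Community ID (v1) for a 5-tuple. Splunk passes the lookup's field names on the command line, writes CSV (header first) to the script's stdin, and reads the same CSV back from stdout with the output column filled in; every column the script reads or writes has to be listed in fields_list. The input field names are the ones from the transforms.conf stanza in the post; the output field name community_id is an assumption (the stanza in the post lists no output field at all), and the seed value 0, the protocol table and the omission of the ICMP type/code mapping are simplifications of the Community ID spec made here.

```python
#!/usr/bin/env python3
"""External lookup: derive a Community ID (v1) from a 5-tuple.

Splunk runs an external lookup script with the lookup's field names as
command-line arguments, feeds it CSV (header first) on stdin, and reads the
same CSV, with the output column filled in, from stdout.
"""
import base64
import csv
import hashlib
import ipaddress
import struct
import sys

# Input names come from the transforms.conf stanza in the post. The output
# field name is an assumption; whatever it is called, it must appear in
# fields_list as well, or Splunk never hands the column back to the search.
INPUT_FIELDS = ["Protocol", "SourceIp", "DestinationIp", "SourcePort", "DestinationPort"]
OUTPUT_FIELD = "community_id"

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "icmp6": 58, "sctp": 132}


def proto_number(proto):
    """Accept a protocol name ('tcp', 'UDP') or an IANA number ('6')."""
    text = str(proto).strip().lower()
    return int(text) if text.isdigit() else PROTO_NUMBERS[text]


def community_id_v1(proto, saddr, daddr, sport, dport, seed=0):
    """Community ID v1 for TCP/UDP/SCTP flows.

    Hash input: seed(16 bit) | lower endpoint IP | higher endpoint IP |
    proto(8) | pad(8) | lower endpoint port(16) | higher endpoint port(16).
    Endpoints are ordered so both directions of a flow get the same ID.
    The ICMP type/code-as-port mapping of the full spec is not implemented.
    """
    pn = proto_number(proto)
    sip, dip = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    sp, dp = int(sport), int(dport)
    if sip.version != dip.version:
        raise ValueError("mixed IPv4/IPv6 endpoints")
    if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
        raise ValueError("port out of range")
    if (sip.packed, sp) > (dip.packed, dp):
        sip, dip, sp, dp = dip, sip, dp, sp
    data = (struct.pack("!H", seed) + sip.packed + dip.packed
            + struct.pack("!BBHH", pn, 0, sp, dp))
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def fill_rows(rows):
    """Fill OUTPUT_FIELD for each row. A malformed row gets an empty value
    instead of raising, so one bad event does not fail the whole lookup."""
    for row in rows:
        try:
            row[OUTPUT_FIELD] = community_id_v1(*(row[f] for f in INPUT_FIELDS))
        except (KeyError, ValueError):
            row[OUTPUT_FIELD] = ""
    return rows


# Constructed sample rows, used only when the script is run from a terminal
# with nothing piped in, so it can be tried without Splunk.
SAMPLE_ROWS = [
    {"Protocol": "tcp", "SourceIp": "128.232.110.112", "DestinationIp": "66.35.250.204",
     "SourcePort": "34855", "DestinationPort": "80"},
    {"Protocol": "udp", "SourceIp": "192.168.1.52", "DestinationIp": "8.8.8.8",
     "SourcePort": "54312", "DestinationPort": "53"},
]


def main():
    if sys.stdin.isatty():
        rows = [dict(r) for r in SAMPLE_ROWS]
        fieldnames = INPUT_FIELDS + [OUTPUT_FIELD]
    else:
        reader = csv.DictReader(sys.stdin)
        rows = list(reader)
        fieldnames = list(reader.fieldnames or INPUT_FIELDS)
        if OUTPUT_FIELD not in fieldnames:
            fieldnames.append(OUTPUT_FIELD)
    writer = csv.DictWriter(sys.stdout, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(fill_rows(rows))


if __name__ == "__main__":
    main()
```

With this script as community-id.py in the app's bin directory, the stanza would need community_id added to fields_list (and, as a second argument list entry, to external_cmd if the script is to see it by name), and the search side would be something like `| lookup cid Protocol SourceIp DestinationIp SourcePort DestinationPort OUTPUT community_id`, with field names adjusted to match the events. Splunk runs external lookups with its own bundled interpreter, so the script has to work under that Python rather than the system one; the ipaddress module used here needs Python 3.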
I have ~2 months of experience with Splunk so far, so my apologies if this is a dumb question: can a custom deployment app remove $SPLUNK_HOME/etc/instance.cfg?

Additional background: we have >3,000 deployment clients, and ~600 of them do not have unique client IDs. To fix this, I found that we need to simply remove $SPLUNK_HOME/etc/instance.cfg and then restart Splunk. Instead of hunting down the countless server admins for each of those hosts, I was hoping we could accomplish this via a deployment app. To prevent the app from repeatedly performing this on the same host, maybe I'd have to implement logic similar to this:

if [[ ! -e /opt/splunkforwarder/etc/instance.cfg.dup_guid ]]; then
    mv /opt/splunkforwarder/etc/instance.cfg /opt/splunkforwarder/etc/instance.cfg.dup_guid
    /opt/splunkforwarder/bin/splunk restart
fi

I guess it might be tedious when I have to manually add the ~600 affected hosts to my custom app's server class, but I still think this will be easier/quicker than hunting down the server admins. I appreciate your thoughts.
Hi everyone, I hope someone can help me with the following situation. I have multiple events generated from Azure DevOps like the following:

{"system.pullRequest.pullRequestId":"223033","system.pullRequest.sourceBranch":"refs/heads/release","system.pullRequest.targetBranch":"refs/heads/master","system.pullRequest.sourceCommitId":"e000000a962ff66c19aacXXXXXXX4c7","system.pullRequest.sourceRepositoryUri":"https://siteXXX.visualstudio.com/XXXX%XXX%20ds%XXXX%C3%ADa/_git/AWXXX000","system.pullRequest.pullRequestIteration":"1"}

I am trying to extract the value that corresponds to the field "system.pullRequest.pullRequestId"; for this example it is "223033". I have not been able to achieve it yet. Any idea how to do it? For some events the field "system.pullRequest.pullRequestId" is not at the beginning of the string; it can be in the middle or at the end, and the position varies with each event. I appreciate any help you can give me.
Hi, I'm new to Splunk, but already loving it. I have connected Splunk with our Jamf Pro instance and I'm trying to track the macOS upgrade process based on the macOS build version. Unfortunately, I'm only getting the results for the last, current day and not the last 30 days.

sourcetype="jamfmodularinput" computer.hardware.os_build="19H2" OR computer.hardware.os_build="18G6032" OR computer.hardware.os_build="17G14033"
| dedup computer.pagination.id
| rex field=computer.hardware.os_build mode=sed "s/19H2/macOS Catalina/g"
| rex field=computer.hardware.os_build mode=sed "s/18G6032/macOS Mojave/g"
| rex field=computer.hardware.os_build mode=sed "s/17G14033/macOS High Sierra/g"
| timechart span=30d count BY computer.hardware.os_build
| sort -count

Could you please let me know what I'm doing wrong? Thank you in advance, D
Hello Splunkers, our current requirement is only to forward events from servers to the customer's indexers. We have decided to opt for a minimum 2GB or 5GB Splunk Enterprise license, since we aren't storing any logs; I think this will suffice for our needs. Now we need to have a test server where we can do some testing when our technical add-ons have been customized, before deploying new add-ons on the prod deployment server. Which license do we need for the test server? The dev/test license with 50GB capacity? But I read that it is a personal dev/test license... Or some other license? We expect the test server to reside within the same network as the prod servers. This will help us by not allowing any events to travel out of the network, avoiding security issues. What are the general approaches taken by Splunk professionals?

PS: We are setting up a Splunk environment for the first time and are new to Splunk skills.
Hi Splunkers, we need to estimate the disk space required for our single-box Splunk Enterprise. We are planning to ingest only the internal logs of splunkd, and I don't see any way to estimate disk space for internal logs. I don't know how many events are generated by a UF or how large a single event would be. We would have around 400 UFs running on servers and expect a 60-day retention policy. I'm afraid that 500GB of space will fill up before 60 days and we won't have the internal logs. Apart from this, please suggest whether I really need RAID 1+0 for internal logs; there would be a few scheduled searches for health checks and the DMC. Or will any other simple storage suffice? Is there any way to estimate this?
Hi, I'm getting {"text":"Invalid data format","code":6,"invalid-event-number":1} when sending json metrics to a hec. What does it mean?
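HEC answers with code 6, "Invalid data format", when the JSON body of a request is not in a shape it can accept, and a metrics index is stricter about that shape than an events index. The block below is an added example, not from the post and not Splunk code: it builds a well-formed metrics event (Python 3, constructed sample values, no network call) and checks the points that commonly go wrong, namely "event" must be the literal string "metric" rather than the metric object itself, metric values must be JSON numbers, "fields" must carry either metric_name plus _value (single-metric form) or one or more metric_name:<name> keys (multi-metric form), and dimension values must be scalars. The host, source and sourcetype values and the field names are assumptions; the post does not show the payload that was rejected, so this does not claim to name its cause.

```python
import json
import time


def is_number(x):
    """JSON numbers only; bool is an int subclass in Python, so exclude it."""
    return isinstance(x, (int, float)) and not isinstance(x, bool)


def make_metric_event(metrics, dimensions, host="web01", source="perf",
                      sourcetype="perflog", ts=None):
    """Build one HEC metrics event in the multi-metric form:
    each metric goes in "fields" as "metric_name:<name>": <number>,
    dimensions sit alongside them as plain scalar fields."""
    fields = {"metric_name:%s" % name: value for name, value in metrics.items()}
    fields.update(dimensions)
    return {"time": time.time() if ts is None else ts,
            "event": "metric",
            "host": host, "source": source, "sourcetype": sourcetype,
            "fields": fields}


def check_metric_event(ev):
    """Return the list of shape problems a metrics index would reject;
    an empty list means the event is acceptable in either form."""
    problems = []
    if ev.get("event") != "metric":
        problems.append('"event" must be the literal string "metric" '
                        '(the metric itself goes under "fields")')
    if "time" in ev and not is_number(ev["time"]):
        problems.append('"time" must be epoch seconds as a number')
    fields = ev.get("fields")
    if not isinstance(fields, dict):
        problems.append('"fields" must be an object')
        return problems
    multi = [k for k in fields if k.startswith("metric_name:")]
    if "metric_name" in fields:                       # single-metric form
        if not is_number(fields.get("_value")):
            problems.append('"_value" must be a number')
    elif multi:                                       # multi-metric form
        for k in multi:
            if not is_number(fields[k]):
                problems.append("%s must be a number" % k)
    else:
        problems.append('"fields" needs "metric_name" + "_value" '
                        'or at least one "metric_name:<name>" key')
    for k, v in fields.items():                       # dimensions are flat scalars
        if not isinstance(v, (str, int, float)):
            problems.append("field %s must be a scalar, not nested" % k)
    return problems


def to_hec_body(events):
    """HEC takes several events in one POST as concatenated JSON objects.
    Refuse to build a batch containing a malformed event, since HEC reports
    the rejection by position ("invalid-event-number") and the rest of the
    batch is not stored."""
    for i, ev in enumerate(events):
        problems = check_metric_event(ev)
        if problems:
            raise ValueError("event %d: %s" % (i, "; ".join(problems)))
    return "\n".join(json.dumps(ev) for ev in events)


if __name__ == "__main__":
    # Constructed sample: one well-formed event and one with the events-endpoint
    # shape (metric object under "event"), which a metrics index rejects.
    good = make_metric_event({"cpu.usr": 11.12, "cpu.sys": 3.5},
                             {"region": "us-west-1", "role": "web"}, ts=1486683865)
    wrong = {"time": 1486683865, "event": {"metric_name": "cpu.usr", "_value": 11.12}}
    print(to_hec_body([good]))
    print(check_metric_event(wrong))
```

The body string returned by to_hec_body is what goes in the POST to /services/collector with the usual "Authorization: Splunk <token>" header; the token's default index has to be a metrics index, or the event is rejected even when its shape is right.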