Hello, I am facing an issue on my 3-member SHC whereby I have used the deployer to push a local folder with deployer_push_mode=full. This ends up at <app>/local/inputs.conf on all 3 SHs. This inputs.conf has settings which are specific to the SH it is on, e.g. the SSL cert name. So for now, the inputs.conf is the same throughout the cluster, which is wrong as the certs are named differently on each SH.

The thing is, I only need this inputs.conf on 1 SH, which is receiving logs from Splunk UBA. Splunk UBA is now forwarding logs to SH1. My question is, should SH1 go down, how do I configure SH2's inputs.conf to point to its own cert path instead of the configuration from the deployer, which is the path for SH1? I'm not sure if I can set up each of the 3 SHs' /opt/splunk/etc/<app>/local/inputs.conf differently, as it will affect SHC raft issues?
Hi Splunkers, I have set up a field extractor and it does not work when the log entry is empty. For example, the field extraction syntax is:

(?:[^=\n]*=){9}"(?P<frontEndLatency>\d+)"\s+\w+="(?P<backEndLatency>\d+)

Log message:

blah blah contentType="text/xml" frontEndLatency="587" backEndLatency="391" messages= blah

It extracts frontEndLatency="587" and backEndLatency="391" correctly. If somehow in the log file one of the fields is empty, it does not extract properly. Log message:

blah blah contentType="text/xml" frontEndLatency="1795" backEndLatency="" messages= blah blah

How do I set this up or handle it via field extraction? Your help is much appreciated. Thanks,
Hi Everyone, What are the best practices to follow in the event of 90% license usage? Can we take any precautionary measures so that the license usage doesn't reach maximum? I don't think disabling the specific index is a good idea since it might cause issues.    
Hi, How can I add a color to the field in one column based on the other column's field values? In the example below, I need to display the service field green if the status is running and red if the status is down.

service        status
McAfee EPO     down
Symantec DLP   running
Our heavy forwarder is 8.0.0, our Splunk server is 8.0.2 and the AIX agent is 6.3.1. The AIX agent sends logs to the heavy forwarder and the heavy forwarder sends logs to the Splunk server. We found that the Splunk server cannot completely and correctly receive all the logs of AIX. However, we cannot upgrade the AIX agent for some reasons. Is it possible to solve this problem?
Is there any way to filter in only episodes for which a given field, not among those in the 'Add Filter' menu, has one of two values, and no others?
I would like to set up 2 alerts whenever there are no hits during the period. One is peak hours from 6am-01am and another one is non-peak hours 01am-6am. Each alert should trigger every 30 mins during these periods.
I haven't found something for this time format in the docs: Mon Sep 28 00:00:00 GMT 2020 How can I convert this with strptime()? How do I make sure the "GMT" part of the string isn't interfering?
Evening Splunk Community, I'm a new Splunk administrator (<6MO) and I have a couple of questions I could really use your help finding the solutions to. Over the past several months my team and I have been working to lift and shift our production environments hosted in physical data centers up to AWS. We use AWS CloudFormation to spin up these environments from top to bottom, ideally with as little manual work as possible. Ultimately I'm having trouble finding solutions on how to keep my Splunk deployment and configurations as data-center agnostic as possible to achieve this goal.

We currently have the following multi-site architecture deployed in AWS. Each region consists of 2 primary VPCs, a production app VPC and a shared services VPC. With the exception of some heavy forwarders, the Splunk infrastructure in these environments is housed in the shared services VPC:

Region A (Active):
1x Standalone Search Head
1x Combined Deployment Server / License Server / Monitoring Console
1x Cluster Master
3x Clustered Indexers (clustered with region B for event replication)
4x Load Balanced Syslog-NG Collectors / Heavy Forwarder Combo

Region B (Failover):
1x Standalone Search Head (offline unless needed)
1x Combined Deployment Server / License Server / Monitoring Console (offline unless needed)
1x Cluster Master (offline unless needed)
3x Clustered Indexers (clustered with region A for event replication)
4x Load Balanced Syslog-NG Collectors / Heavy Forwarder Combo

Here are my questions:

1. Our environment architect would prefer that there are no external dependencies in our production app tier. Currently the heavy forwarders in my app tier communicate with the primary cluster master to receive a list of available indexers to output their events to. Would it be wise of me to write a custom outputs.conf that manually defines the indexers, essentially eliminating the need for my HFs to contact the cluster master on startup? What would the cons be to this approach? It's worth noting that my HFs are only able to forward events to the indexers within their own region.

2. In a similar vein to question one, is it possible to have more than one license server / deployment server active at a time? We would like to eliminate as many of Splunk's dependencies on the opposite region as possible. Ideally region A could have its own DS / LS / MC and never need to contact region B's DS / LS / MC, or vice versa.

3. Is there any clean way to handle index replication for data DR / HA purposes across indexers that are not in a multi-site cluster? My problems seem like they would be solved if I simply split our individual AWS regions into their own independent Splunk deployments. Would something like having each region back their events up to AWS SmartStore / S3 and then pulling the data into the other region's indexers work?

Any advice you could provide me would be more than appreciated. I'm here to learn. Thank you all for your time.
Hello, I'd like my search to return 30 min interval searches between 9/24/2020 20:00 and the current date; what's the best way to do this? I'm trying to investigate what is causing lockouts every six hours on Account_Name="johndoe". Suggestions are greatly welcomed.

index=* source=win* Account_Name=johndoe EventCode=4740
I'm looking to find information about the Splunk Deployment Server beyond the stuff found here: https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Aboutdeploymentserver For example: https://conf.splunk.com/files/2019/slides/FN2048.pdf  talks about how DS and their clients need Layer 3 to negotiate.  That's not something you can find on the official docs.  In fact, I wish the main doc focused less on server classes and more on how the DS actually functions.
I have a query that has multiple states represented in each log event. How do I get stats based on the state values? My logs look like this:

event 1: x=true, y=true, z=false
event 2: x=false, y=false, z=true
event 3: x=true, y=false, z=true

I want to track all the scenarios where the values are true for these stages (x, y, z), like:

base_search AND (x=true OR y=true OR z=true) | stats count by x, y, z

state  count
x      2
y      1
z      2

Is this possible to chart, or do I have to log each state individually?
Hi All, I'm ingesting data about device health state and want to create a dashboard that only shows the device services if they are critical, warning or unknown. But I need to still include the "OK" state in the search to ensure that I get the latest result. The other factor I need to take into account is that there are two different fields that may display the state. One is a daily state update (svc_state), the other is a state change alert (alert_state). This ensures that if there are any issues with data missing (which unfortunately has occurred due to issues outside of Splunk) the state should be as accurate as possible.

So basically I only want to display the output in the table if it is the latest reported state and it is either critical, warning or unknown. This is what I have so far, but obviously it isn't displaying what I want. Also, if anyone can think of a way that I could create this as a post-processing search, as it has numerous panels but the only change to the search is the device name, it would be greatly appreciated.

index=abc device=dev service=* | eval current_state = mvappend(alert_state, svc_state) | dedup service | where current_state=CRITICAL OR current_state=WARNING OR current_state=Unknown | table service current_state

Thanks
Good morning guys. I'm new to Splunk when it comes to extracting data, so I need your support. I'm currently ingesting the data into Splunk in JSON format and I need to extract the following field.

Keep in mind that:
1. The remote IP changes, so it isn't possible to simply extract the IP.
2. In allHeaderValue, the hidden entries, when displayed, are called name and value, and all of them carry different data.
3. I only need to extract the field x-repote-ip: 181.135.58.163, or x-repote-ip: (it carries whatever IP you register).

I know this is done with regular expressions, but I have little knowledge of how to do it in a way that affects Splunk as little as possible, because I understand that rex and regex generate a high impact on the tool.
It's been a very, very long time since I have wanted to accomplish this goal. I want to set an image in my dashboard like the Image Overlay Dashboard Sample. I already created a new app and created the appserver/static folders, but I have a few questions that the Dashboard Sample doesn't answer.

1. In which path do I put the .css file?
2. In which path do I put the image?
3. Can the image only be in png format, or can it be jpg?
4. In the .css file, which is the exact way to target the image path? Example: the path where the image is: apps\app_name\appserver\static\image.png. In the .css file it is defined like this:

image_overlay_panel .image {
    background: transparent 50% 50% no-repeat url('C:\Program Files\Splunk\etc\apps\app_name\appserver\static\image.png');
    position: absolute;
    top: 0px;
    left: 0px;
    width: inherit;
    height: inherit;
}

Can you help me please?
Hi! I'm searching for an appropriate agent to transmit Windows Event logs to a syslog server. Can Universal Forwarder convert Windows Event logs to syslog for transmitting logs?

Best regards,
Hi, I am new to Splunk. I am trying to extract a specific message from my log event. The pattern I am looking for is from the message below:

[ERROR] 2020-09-28T11:50:06.108Z           6012c275-5df5-4839-95a0-260057509041     |HLX|Task Failure Occured:{'jobid': 'FLOW-134', 'taskid': 'T-09', 'subtaskid': 'a88f6260-0180-11eb-9ccc-3e5cb494596a'}

I need to extract everything after |HLX| and create another field. It's fine even if it includes |HLX|. I have tried multiple patterns but none are working. Any help would be appreciated. Thank you.
I am preparing a new Splunk dashboard; I want to display the values in a pie chart and a line chart. For example:

Connected to : https://weblink01
Processing Time (m s) : 500
Server : AB39ZF12

I am new to Splunk dashboards. Please help me to fetch the values from the next line and display them in the pie chart or any other place. The milliseconds time should be displayed as the average time for all total transactions.
Hi! I work at a company that uses CyberArk for storing passwords securely. We have a built-in CyberArk dashboard which has room for improvement. That being said, is there any way Splunk can show us passwords that are due to expire within a certain time window...let's say every week? So for example we'd like a report for passwords that will change between 9/28 and 10/5.   Thanks B
After upgrading the installation of the Search Head from 7.3.1.1 to 8.0.6, I get the message "This browser is not supported by Splunk." while trying to access Splunk Web. We have a distributed installation on Windows Server 2016 (1 Deployment Server, 1 Search Head and two Indexers). By now, only the Search Head is updated.