Hi, I am looking for an example to follow, where I can specify which data source goes to which indexers. I am trying to cut over data sources from my HF tier to a new indexer cluster. Currently all my HFs output to my existing indexers (unclustered). 1st: I want to try sending data from a TCP listener port (e.g. tcp1234 local on a single HF) to my new indexer cluster only, but I want the other data sources flowing through the HF to go to the existing indexers. 2nd: I want to try changing the UFs on some Windows hosts to send to the HF tier (but configure the HFs) and then send to the new indexers. Is _tcp_routing the way to go on the inputs? Any advice appreciated. Thank you.
Windows does not provide an accurate user who performed an audit policy change on the system (EventCode 4719); it lists System versus the logged-in user. I would like to identify EventCode=4719 as the primary event and then search for the closest EventCode=4624 prior to when EventCode=4719 occurred. I have been checking the Splunk community page and Google to look for something that meets the need. I cannot seem to grasp this concept and would appreciate the help!
Hi, I had the situation that I wanted to know why an alert wasn't fired for a resource. Therefore I was looking at which field values (don't know how to describe it better) are currently stored in Splunk for suppressing their alert action from being executed. To make it easier to understand what I mean, here is a short fictive example:
Use case: monitoring of CPU usage of hosts. When the CPU usage hits the 80% threshold, fire an alert and throttle the alert for 1 hour, based on the host field.
Question: How can I determine for which hosts the alert is throttled?
Note: I'm interested in the throttling list the alert uses, not in approaches that evaluate the CPU usage events.
Thank you in advance. Jens
I am attempting to use tstats to make this search faster:
index="wss_events" sourcetype=symantec:websecurityservice:scwss-poll [| inputlookup "WSSIOC4.csv" | rename match as query | fields query ]
I get an error that I don't understand. Can anyone tell me what I need to correct to use tstats, or am I trying to do something impossible?
Hello Expert Team, Greetings!! We have a requirement at a client site to do an integration between AppDynamics and ServiceNow for creating incidents. Looking for a possible approach to create an incident directly from a Health Rule Violation. We would need to do this integration without the ServiceNow Event Management Module. Thanks, Sharad
Please help to convert ELAPSED of format 3-16:30:19 (3 days-16 hours:30 minutes:19 seconds) to minutes.
Hi All, a few questions pertaining to the Splunk Add-on for ServiceNow. Context: We are trying to set up exclusion filter parameters to ingest only selective data from certain tables from our SNow instance. The documentation at present is not very comprehensive with examples of how to do what we need. https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Configureinputs
Filter parameters: Enter filters, in key-value pairs, for indexing selected data from the table. For example, key1=value1&key2=value2. By default, there is no filter.
Below are the questions.
1. How do we add exclusion filters? For example sys_id!=abc. I tried using ! but it doesn't appear to be working.
2. Do multiple filters have to be separated by & or , or AND?
3. How do we encode values with spaces? For instance, let's say we are trying to apply a filter sys_id=abc def. Should that be sys_id="abc def" or as is without spaces? I checked the debug log and the TA seems to be URL-encoding spaces with a +, but it would be worth it if that is confirmed.
At present, it appears as though the above tested filters are being ignored. Appreciate any inputs. Thanks!
Hi, I am almost there on this task but need some assistance please on how to target different indexes. I have a number of UFs sending WinEventLog to HFs. The HF has the props/transforms to send to two different instances. I now need to send it to different indexes, i.e. instance1=indexa, instance2=indexb. These are my current props/transforms files (hostname used initially to simplify):
props.conf
[host::hostname]
TRANSFORMS-routing = dual_ship
transforms.conf
[dual_ship]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=group1, group2
Then I have outputs.conf with the groups within the tcpout stanzas. Thanks in advance
Hello, if the master overwrites a configuration that was not in its file during a push (for example, it overwrites an index that existed only on the indexers and not in its conf file), is there a way to find these logs?
Hello. I'm building a report where I want bytes to be converted into seconds/milliseconds. Any idea how to do that?
source="/usr/IBM/HTTPServer/logs/access*" httpmethod="GET" statuscode="200" |eval APFields=split(loaninfo,"/") |chart count(DDMURLLast) avg(DDMTimeTakenSeonds) max(DDMTimeTakenSeonds) stdev(DDMTimeTakenSeonds) by APFields
Requirement: I want to display distinct logins into an app in the last 30 days. My query returns zero events.
index="123" AND organizationId="011110012D" logRecordType=ailtn ("appName":"Cash_Platform" AND "appType":"Console") [|inputlookup "test"|table UserID|rename UserID as userId]|lookup test.csv UserID AS userId |timechart span=1mon dc(userId) as distinctLogins
Here the app name is Cash_Platform and the lookup file test.csv contains UserID and UserNames. Any suggestions on where I am going wrong, or how this can be improved to return valid events? Thanks
Hi Guys, I want to check login behavior on a per-app basis, in short to look at when most logins happen. For example: if an application's login behavior follows US business hours (~9am - ~6pm), but we see a login spike at 1am, that's probably something strange. That's the sort of thing I'd like to find out. Can anyone help me in writing SPL for this? Any suggestions will be helpful. Note: We are not using Splunk Enterprise Security in our environment.
Splunk ServiceNow app Account Setup is not loading due to the below error.
Unexpected error occurs. Unexpected error "<type 'exceptions.KeyError'>" from python handler: "'No key or prefix: release.'". See splunkd.log for more details.
splunkd logs:
09-24-2020 12:26:24.378 +0200 ERROR AdminManagerExternal - Stack trace from python handler:
Traceback (most recent call last):
  File "/data/apps/splunk/lib/python2.7/site-packages/splunk/admin.py", line 131, in init
    hand.execute(info)
  File "/data/apps/splunk/lib/python2.7/site-packages/splunk/admin.py", line 595, in execute
    if self.requestedAction == ACTION_LIST: self.handleList(confInfo)
  File "/data/apps/splunk/etc/apps/splunk_app_servicenow/bin/snow_accounts_handler.py", line 55, in handleList
    account_in_response[prop] = account.content[TARGET_PROPERTIES_MAPPING[prop]]
  File "/data/apps/splunk/etc/apps/splunk_app_servicenow/bin/splunklib/data.py", line 245, in __getitem__
    raise KeyError("No key or prefix: %s" % key)
KeyError: 'No key or prefix: release.'
09-24-2020 12:26:24.379 +0200 ERROR AdminManagerExternal - Unexpected error "<type 'exceptions.KeyError'>" from python handler: "'No key or prefix: release.'". See splunkd.log for more details.
Hi, I have a collection in the KV Store that contains several 10,000s of documents. Each document has a specific field that is present in each of them; sometimes the values are the same, sometimes different. I need to retrieve a list of all possible values by REST API. Talking in SPL, I would like to have this result:
|inputlookup mylookup |stats values(myfield)
(And I don't want to use the search endpoints and query a search job by REST API that does the SPL above : ) ) Does anyone know if this is possible and how to do it? BR RngFox
Can we detect the following from UFs' internal logs:
1. Whether the TCP connection failed between UF and indexer/HF.
2. Whether the UF dropped some logs, for example from source A there were 5 logs generated but only 4 sent (data loss).
3. Failure to monitor a certain path or application.
Or is there any other useful info we can fetch from UFs' internal logs??? Need to have a health check over some 1000 UFs. PS: we don't have access to any other logs, not even the indexers' internal logs, only the UFs' logs.
Hi, I am trying to authenticate to a Splunk instance via API in my Java project. We are using CloseableHttpClient to create a client, and this client will execute a payload containing hostname, username, and password. API used: services/auth/login. What setting do we need to change on the Splunk instance for SSL, or in the Java code, to handle this SSL? Below is the error stack while executing the connection:
24-Sep-2020 08:00:36.694 SEVERE [http-nio-127.0.0.1-46912-exec-3] org.jitterbit.connector.bmc.splunk.connection.SplunkConnection.open sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How do I get the job execution start time and job execution end time of my query as output of the query?
index = some_index source = somesoure | some_logic added here | eval search_starttime = $job.earliestTime$ | eval search_endtime = $job.latestTime$ | table some_logic_output search_starttime search_endtime
I am seeing no result for the search_starttime and search_endtime columns in my table. Any help? What I mean here is, how do I get the _time value for the earliest event and the _time value of the latest event of my search result set?
I try to search with the command | rest /services/app/local but the value of the "updated" field is "1970-01-01T07:00:00+07:00" for all apps.
The "edit_http_ops" addition to permission settings was recommended to help with irregular API ingestion issues. Is anyone familiar? I didn't find anything in the docs.
Hi hi ninjas! My Windows hosts don't appear as Entities in the Investigation dashboard. I'm getting events and metrics from those hosts, but the app doesn't recognize them. What I've done so far:
1. Installed the SAI app and add-on
2. Followed the easy installation guide in the Add data settings and got the command to run on the hosts
3. Ran the command in PowerShell; it installed the UF with a pre-configured inputs.conf. A little preview of it:
# *** Configure Metrics & Logs collected ***
[perfmon://CPU]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time
instances = *
interval = 60
object = Processor
mode = single
useEnglishOnly = true
sourcetype = PerfmonMetrics:CPU
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 ip::"192.168.10.225" entity_type::Windows_Host
4. The Splunk instance is receiving metrics and events (app, sec and system) from the host, but the host is not recognized in SAI. It still shows that I have 0 entities.
Btw: I have a single-instance deployment of Splunk.