Hello Guys, We are using Splunk Cloud and have created multiple HECs for different products. We noticed that events coming in through HEC always have "xxx.splunkcloud.com" as the value of the host field. Is there a way to assign different hostnames to different products? Thanks & Regards, Iris
Hello everyone, I installed and configured the Splunk Forwarder on a machine. While the logs are being forwarded to Splunk, I’ve noticed that some data is missing from the logs that are coming through. Could this issue be related to specific configurations that need to be adjusted on the forwarder, or is it possible that the problem is coming from the machines themselves? If anyone has experienced something similar or has insights on how to address this, I would greatly appreciate your advice. Thank you in advance for your help! Best regards,
Hi all, How can this be fixed? Thanks for your help on this,
Hello Guys, We have Palo Alto firewalls with different time zone settings. For the ones which are not in the same time zone as Splunk, their logs are treated as logs from the future and hence cannot be searched in Splunk in a timely manner. I cannot fix it by specifying a time zone for the source types provided by the Palo Alto TA, since that cannot cover multiple time zones at the same time. I wonder if you have experienced a similar problem; if yes, would you please share your experience on handling this kind of issue? Thanks much for your help in advance! Regards, Iris
I've got a data set which collects data every day, but for my graph I'd like to compare the time selected to the same duration 24 hours before. I can get the query to do the comparison, but I want to be able to show only the timeframe selected in the time picker, i.e. the last 30 mins rather than the full -48 hours etc. Below is the query I've used:

index=naming version=2.2.* metric="playing" earliest=-36h latest=now
| dedup _time, _raw
| timechart span=1h sum(value) as value
| timewrap 1d
| rename value_latest_day as "Current 24 Hours", value_1day_before as "Previous 24 Hours"
| foreach * [eval <<FIELD>>=round(<<FIELD>>, 0)]

This is the base query I've used. For a different version I have done a join; however, that takes a bit too long. Ideally I want to be able to filter the above data (as it's quite quick to load) but only for the time picked in the time picker. Thanks,
Hi all, I'm trying to use this app by Baboon - Monitoring of Java Virtual Machines with JMX. I get an error when I click on Data Inputs: "Oops. Page not found! Click here to return to Splunk homepage." Would I need to activate the app first?
Hi, For a few days now, my Splunk Dashboard shortcut has been displaying an error when I connect with the administrator account. But when I use another account with less privilege via LDAP authentication, I don't get this error, the page displays fine. Do you have any idea what the problem is? Thanks for your help.
Hi Splunker, I've been developing a React app for Splunk that manages users via the REST API (create/update/delete). Initially, I hardcoded the REST API URL, username, and password for development purposes. Now that the development is nearly complete, I need to make the URL dynamic. It should retrieve the REST API server URL and the currently logged-in user's information and use it in the Splunk React app. How can I achieve this? Here is the current hardcoded code:

import axios from 'axios';

const fetchAllUsers = async () => {
  try {
    // Server URL and admin credentials are hardcoded for development only
    const response = await axios.get('https://mymachine:8089/services/authentication/users', {
      auth: { username: 'admin', password: 'admin123' },
      headers: { 'Content-Type': 'application/xml' }
    });
    return response.data;
  } catch (error) {
    console.error('Error fetching users:', error);
  }
};

#restapi #createuser #react #reactapp thanks in advance
Might be a silly question but does anyone possibly know where I can locate lines with pointing arrows at the end? I wanted to use them to point to each panel I had to show a flow diagram of some sort.
I am using the multiselect input definition below. The issue is that it is not setting the token named "app_net_fm_entity_id" properly. The desired behavior is: if the user selects the "All" label (value=*), then the condition should detect the "*" value and set the "app_net_fm_entity_id" token to "_all". If the user selects anything other than just the "All" label, then the "app_net_fm_entity_id" token should be set to the contents of the selected values. I am using Splunk Enterprise 9.2.1. This is a Simple XML dashboard, aka classic dashboard. I am 1 month into Splunk and learning feverishly, but I surely need some help on this. I've tried using JS to get the desired behavior for this multiselect, but couldn't get that to work either.

<input id="app_nodes_multiselect" type="multiselect" depends="$app_fm_app_id$" token="app_fm_entity_id" searchWhenChanged="true">
  <label>Nodes</label>
  <delimiter> </delimiter>
  <fieldForLabel>entity_name</fieldForLabel>
  <fieldForValue>internal_entity_id</fieldForValue>
  <search>
    <query>
      | inputlookup aix_kv_apm_comps WHERE entity_type!=$app_fm_group_nodes$
      | search [| makeresults | eval search="internal_parent_id=(".mvjoin($app_fm_app_id$, " OR internal_parent_id=").")" | return $search]
      | table entity_name, internal_entity_id
      | sort entity_name
    </query>
  </search>
  <choice value="*">All</choice>
  <default>*</default>
  <change>
    <!-- Simple XML conditions take a match attribute rather than a nested <eval>;
         a bare "*" value means only the "All" choice is selected -->
    <condition match="$value$ == &quot;*&quot;">
      <set token="app_net_fm_entity_id">_all</set>
    </condition>
    <!-- any other selection: pass the delimited values through -->
    <condition>
      <set token="app_net_fm_entity_id">$value$</set>
    </condition>
  </change>
</input>
Here is the raw text:

com.companyname.package: stringstart e-38049e11-72b7-4968-b575-ecaa86f54e02 stringend for some.datahere with status FAILED, Yarn appId application_687987, Yarn state FINISHED, and Yarn finalStatus FAILED with root cause: samppleDatahere: com.packagenamehere: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: sjhdjksdn;

I need to list the UUID which is between stringstart and stringend.
Hello - I realize this question has been asked several times before and I've tried to implement every solution I've found, but nothing seems to be working. I simply want to update a single value visualization based on the text: if "Yes", then green, and if "No", red. I've tried using older solutions involving rangemap and changing some of the charting options, but I'm not having any luck in v9.3.0.

| inputlookup mylookup.csv
| search $time_tok$ $field_tok$=Y
| stats max(Distance) AS GuideMiles
| appendcols [| inputlookup mylookup.csv | search $month_tok$ | stats max(TargetMiles)]
| rename max(TargetMiles) AS TargetMiles
| eval OnTarget=case(GuideMiles>=TargetMiles,"Yes", true(), "No")
| table OnTarget
Hello, I have events with epoch time. How can I extract the epoch time in human-readable format using props.conf? My props.conf file is provided below:

[myprops]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
TIME_PREFIX="timestamp":
TIME_FORMAT=%s%3N

Sample Events:
{"id":"A303", "timestamp":1723933920339,"message":"average time to transfer file"}
{"id":"A307", "timestamp":1723933915610,"message":"average time to hold process"}
{"id":"A309", "timestamp":1723933735652,"message":"average time to transfer file"}

Extracted time should be: YYYY-mm-ddTHH:MM:SS.3N
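As an added example (not from the post and not Splunk's own code), here is the prefix-plus-format extraction that the props.conf above describes, done in Python so the expected output can be checked before the sourcetype is changed. The sample events are constructed; the regex stands in for TIME_PREFIX and TIME_FORMAT=%s%3N, and the third event keeps the stray quote that appeared in the post to show that a prefix-based extraction, which is what props.conf does, still copes with it.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample events modelled on the three lines in the post (not real data).
# The third line keeps the stray quote after the timestamp from the post's original.
SAMPLE_EVENTS: List[str] = [
    '{"id":"A303", "timestamp":1723933920339,"message":"average time to transfer file"}',
    '{"id":"A307", "timestamp":1723933915610,"message":"average time to hold process"}',
    '{"id":"A309", "timestamp":1723933735652","message":"average time to transfer file"}',
]

# Same idea as TIME_PREFIX="timestamp": plus TIME_FORMAT=%s%3N: after the prefix,
# ten digits of epoch seconds followed by three digits of milliseconds.
TIMESTAMP_RE = re.compile(r'"timestamp":\s*"?(?P<sec>\d{10})(?P<ms>\d{3})(?!\d)')


def extract_timestamp(event: str) -> Optional[datetime]:
    """Return the event time as an aware UTC datetime, or None if no timestamp is found."""
    m = TIMESTAMP_RE.search(event)
    if m is None:
        return None
    base = datetime.fromtimestamp(int(m.group("sec")), tz=timezone.utc)
    # add the milliseconds as an integer delta to avoid float rounding of .339 etc.
    return base + timedelta(milliseconds=int(m.group("ms")))


def format_iso_ms(ts: datetime) -> str:
    """Render as YYYY-mm-ddTHH:MM:SS.mmm, the shape the post asks for."""
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}"


def human_readable_times(events: List[str]) -> List[Optional[str]]:
    """One formatted time per event, None where the timestamp is missing or malformed."""
    out = []
    for ev in events:
        ts = extract_timestamp(ev)
        out.append(None if ts is None else format_iso_ms(ts))
    return out


if __name__ == "__main__":
    for ev, t in zip(SAMPLE_EVENTS, human_readable_times(SAMPLE_EVENTS)):
        print(t, ev)
```

Two caveats: props.conf timestamp settings are applied at index time, so they only affect data indexed after the change, and the extracted time is stored as an epoch value and displayed in the viewer's time zone, so what Splunk shows may differ from the UTC string produced here.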
Dear Splunkers... As I was checking about the fishbucket at the Splexicon (https://docs.splunk.com/Splexicon:Fishbucket), this page has a link, "See the detailed Splunk blog topic", but that blog link is broken. (PS: on Splunk docs, at the bottom of the page, there is a comment input box to give feedback, but on the Splexicon page there is no feedback input box!) Many of us are aware that wiki.splunk links are broken too. Shouldn't Splunk do something about these broken links? Shouldn't Splunk do splunking on its own? Suggestions please. Have a great weekend, best regards, Sekar
Hello everyone, I hope you're doing well. I need assistance with integrating Splunk with Elasticsearch. My goal is to pull data from Elasticsearch and send it to Splunk for analysis. I have a few questions on how to achieve this effectively:
1. Integration Methods: Are there recommended methods for integrating Splunk with Elasticsearch?
2. Tools and Add-ons: What tools or add-ons can be used to facilitate this integration?
3. Setup and Configuration: Are there specific steps or guidelines to follow for setting up this integration correctly?
4. Examples and Guidance: Could you provide any examples or guidance on how to configure Splunk to pull data from Elasticsearch?
Any help or useful resources would be greatly appreciated. Thank you in advance for your time and assistance!
Response Code: 401
Response text:
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="WARN">call not properly authenticated</msg>
  </messages>
</response>

I am using a Splunk bearer token in my Python program via the REST API, but suddenly I got this error. I also have another program, almost the same, that uses a Splunk token and works fine without the error I get from the other program. I already tested the token and it gets 200 responses. I don't know what happened.
Hello. I have a lot of events. Each event contains a similar string: \"errorDetail\":\"possible_value\". Please specify how to create a new field "errorDetail" and stats all possible values? (There are more than 50 kinds of errorDetail.) For example:
\"errorDetail\":\"acctNumber\"
\"errorDetail\":\"Message Version higher\"
\"errorDetail\":\"email\"
Thank you.
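Added example, not from either post and not a Splunk-provided answer: a Python version of the two extractions asked for above, the token between stringstart and stringend in the Yarn message from the earlier post, and the errorDetail value from events carrying escaped JSON in this one, followed by a count of errorDetail values equivalent to stats count by errorDetail. The sample lines are constructed from the fragments in the posts; the outer field name `log` wrapping the escaped JSON is an assumption, and since the earlier post does not say whether the leading "e-" belongs to the identifier, the whole token between the markers is captured.

```python
import re
from collections import Counter
from typing import List, Optional

# Constructed sample data modelled on the two posts (not real log lines).
YARN_LINE = (
    "com.companyname.package: stringstart e-38049e11-72b7-4968-b575-ecaa86f54e02 "
    "stringend for some.datahere with status FAILED, Yarn appId application_687987"
)
# The errorDetail events carry JSON escaped inside another string, so the quotes
# appear as \" in the raw event; raw strings keep those backslashes literal.
# The wrapping field name "log" is an assumption.
ERROR_EVENTS: List[str] = [
    r'{"log":"{\"errorDetail\":\"acctNumber\"}"}',
    r'{"log":"{\"errorDetail\":\"Message Version higher\"}"}',
    r'{"log":"{\"errorDetail\":\"email\"}"}',
    r'{"log":"{\"errorDetail\":\"acctNumber\"}"}',
    r'{"log":"no errorDetail in this one"}',
]

# Everything between the two literal markers, as one non-whitespace token.
# SPL equivalent: rex "stringstart (?<uuid>\S+) stringend"
UUID_RE = re.compile(r"stringstart (?P<uuid>\S+) stringend")

# Matches \"errorDetail\":\"<value>\" where the value may contain spaces but no
# quote or backslash. The same pattern works with rex; mind SPL's own escaping
# rules for backslashes and quotes inside a double-quoted argument.
ERROR_RE = re.compile(r'\\"errorDetail\\":\\"(?P<errorDetail>[^"\\]+)\\"')


def extract_uuid(line: str) -> Optional[str]:
    """Token between stringstart and stringend, or None if the markers are absent."""
    m = UUID_RE.search(line)
    return m.group("uuid") if m else None


def extract_error_detail(event: str) -> Optional[str]:
    """Value of the escaped errorDetail field, or None if the event has none."""
    m = ERROR_RE.search(event)
    return m.group("errorDetail") if m else None


def count_error_details(events: List[str]) -> Counter:
    """Equivalent of '| stats count by errorDetail'; events without the field are skipped."""
    return Counter(d for d in map(extract_error_detail, events) if d is not None)


if __name__ == "__main__":
    print(extract_uuid(YARN_LINE))
    for value, n in count_error_details(ERROR_EVENTS).most_common():
        print(f"{n:5d}  {value}")
```

For the second post, the Splunk-side shape is the same: a rex that creates errorDetail, then stats count by errorDetail; events where the rex does not match simply have no errorDetail field and drop out of the count.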
Hello everybody, I'm working on a query that does the following:
1. Pull records, mvexpand on a field named INTEL. This is a multi-value field that could have anywhere from 1 to 11 different values.
2. Once expanded, perform a lookup using INTEL to retrieve a field WEIGHT. A weight is assigned to each INTEL value, between 1 and 5.
3. After the lookup, collapse the split records back into one record.
At first glance I figured I could do `... | mvexpand | lookup | mvcombine | nomv`, but since the records are no longer identical because both INTEL and WEIGHT are different, I don't think I can use mvcombine anymore. To visually demonstrate the issue:

ID     INTEL
12345  A, B, C, D

After mvexpand:
ID     INTEL
12345  A
12345  B
12345  C
12345  D

After lookup:
ID      INTEL  WEIGHT
123456  A      1
123456  B      2
123456  C      3
123456  D      4

Ultimately, I would like to get back to this:
ID      INTEL    WEIGHT
123456  A,B,C,D  1,2,3,4

Any tips?
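Added example, not the poster's query and not Splunk code: the three steps above written out in Python, including the case the post's pipeline will hit when an INTEL value has no row in the lookup. The records and the weight table are constructed. The corresponding SPL for the last step would be `fillnull value=0 WEIGHT | stats list(INTEL) as INTEL list(WEIGHT) as WEIGHT by ID`; the example shows why the fill is needed.

```python
from typing import Dict, List

# Constructed input modelled on the post: one record whose INTEL field is multivalued,
# plus a second record with a value ("Z") that is missing from the lookup. Not real data.
RECORDS: List[dict] = [
    {"ID": "12345", "INTEL": ["A", "B", "C", "D"]},
    {"ID": "67890", "INTEL": ["D", "Z", "A"]},
]
WEIGHT_LOOKUP: Dict[str, int] = {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5}


def expand_lookup_recombine(records: List[dict], lookup: Dict[str, int],
                            fill_missing: str = "0") -> List[dict]:
    """mvexpand -> lookup -> recombine, keeping INTEL[i] aligned with WEIGHT[i]."""
    out = []
    for rec in records:
        # Step 1, mvexpand: one row per INTEL value, original order preserved.
        rows = [{"ID": rec["ID"], "INTEL": v} for v in rec["INTEL"]]
        # Step 2, lookup: attach WEIGHT; a value absent from the lookup gets no WEIGHT,
        # which is what an unmatched Splunk lookup leaves behind (no field at all).
        for row in rows:
            row["WEIGHT"] = lookup.get(row["INTEL"])
        # Step 3, recombine: like "stats list(INTEL) list(WEIGHT) by ID". list() keeps
        # order and duplicates where values() would sort and dedupe. stats ignores null
        # fields, so a missing WEIGHT must be filled first (fillnull) or the WEIGHT list
        # ends up shorter than the INTEL list and the positions no longer correspond.
        out.append({
            "ID": rec["ID"],
            "INTEL": ",".join(r["INTEL"] for r in rows),
            "WEIGHT": ",".join(fill_missing if r["WEIGHT"] is None else str(r["WEIGHT"])
                               for r in rows),
        })
    return out


if __name__ == "__main__":
    for row in expand_lookup_recombine(RECORDS, WEIGHT_LOOKUP):
        print(row)
```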
I have a dataset to visualize my organization in Splunk. When I search for Org=CDO, I get all the direct reports under the CDO, which include positions like CSO and CIO. Under each of these positions there are many VPs, and under each VP there are many directors. How can I retrieve the results for the entire hierarchy under the CDO using Splunk? We have a field named Org and another field named job_title. When I search Org=CDO I get only the direct reports of the CDO; there is no other value in the raw event to extract. Any help would be appreciated.
I'm trying to subtract the total number of alerts I have that send an email from the total number of alerts that are bookmarked in SSE. The only examples I found on the community used either the same index or sub-searches (neither worked in my scenario).

My query for the alerts is:
| rest /services/saved/searches
| search alert_type!="always" AND action.email.to="production@email.com" AND title!="*test*"
| stats count(action.email.to) AS "Count"

My query for bookmarks is:
| sseanalytics 'bookmark'
| where bookmark_status="successfullyImplemented"
| stats count(bookmark_status_display) AS "Bookmark Status" by bookmark_status_display