I am trying to count the requests whose `message.logType` is "Outgoing Response". My query is like:

index="my_index"
| stats count as total, count(eval(message.logType="Outgoing Response")) as outgoingCount by log.request.url
| table log.request.url, total, outgoingCount
| sort -outgoingCount

My logs are like this; they do have the `message.logType` field. However, the outgoingCount column is always 0. I read https://community.splunk.com/t5/Splunk-Search/stats-count-eval-always-returns-zero/m-p/334406 but it does not help in my case. Any idea? Thanks
Hi all, I am trying to create a token from user input on a html textarea. Unfortunately I can't use the default "input type=text" because I need to have a large text box for users to record investigations (which gets posted to an external ticketing tool). The idea is that the user completes the textbox and clicks on a "Next" or "Submit" button and the user input will be set as a token. The name of the token will need to be based on the id of the textarea as the dashboard may have a few textboxes. As a starter, I've been testing with the following and failing (not very good at Javascript):

XML

<form script="textarea.js">
  <label>HTML Text Area Button</label>
  <row>
    <panel>
      <html>
        <textarea id="ta_investigateoutcome" rows="3"/>
        <input id="html_ta_user_comment" type="button" value="Click"/>
        <html encoded="1">TEST: $investigateoutcome$</html>
      </html>
    </panel>
  </row>
  <row>
    <panel depends="$alwayshideCSSpanel$">
      <html>
        <style>
          textarea {
            width: 100%;
            height: 150px;
            padding: 12px 20px;
            box-sizing: border-box;
            border: 2px solid #ccc;
            border-radius: 4px;
            background-color: #f8f8f8;
            resize: none;
          }
        </style>
      </html>
    </panel>
  </row>
</form>

textarea.js

require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc, TableView) {
    var defaultTokenSpace = mvc.Components.getInstance('default');
    $('textarea').parent().parent().addClass('textarea_div');
    $('textarea').each(function (ta) {
        $(this).on('click', "#html_ta_user_comment", function(input) {
            defaultTokenSpace.set($(this).attr('id').replace('ta_', ''), $(this).val());
        })
    })
});
I have some logs like these:

{ logType: 'Incoming Request', url: '/hello' timestamp: '2020-09-18T17:53:56.516Z' }
{ logType: 'Outgoing Response', url: '/hello' timestamp: '2020-09-18T17:53:57.516Z' }
{ logType: 'Incoming Request', url: '/bye' timestamp: '2020-09-19T10:53:56.516Z' }

I am trying to get the error rate of requests that do not have a following response within a given time range. For example, if the given time range is 5 seconds, for URL /hello the Incoming Request does have an Outgoing Response, so it is successful. However, for URL /bye, the Outgoing Response is missing, as in this case (or there is no following Outgoing Response within 5 seconds). So I want to list a table like:

url      totalRequests  errRate
/hello   1              0
/bye     1              100%

Any guide would be helpful! Thanks
Currently I have something like this: I would like to make it so the error1 and error2 cells are ALWAYS red. How can I achieve this? 
I'm attempting to access a value returned from a previous block that performed a Splunk query, returning a field named "id.orig_h" as a result of the query. Using this syntax: extIPs = phantom.collect2(container=container, datapath=['Execute_External_IP_Query:action_result.data.*.id.orig_h']) I can readily access other fields from the search (i.e. the one named "uid"), but I'm getting NULL values returned for the field with the dot in its name. I've tried using "as" in my Splunk query to alias the field name to something without a dot, but that didn't make a difference. I'm assuming that there's some way to escape the dot in the field name, or quote the entire name such that it interprets things properly, but just can't find the syntax. Can anyone help?
Hi Community, I was trying to get the event details index-wise for all the indexes in Splunk, but I couldn't. Please help me out on this. Thank you.
Hi, I would like to color the cells from a column table depending on their time value. Is it possible to do this without JavaScript, only with CSS and HTML? For example:

For cells with values lower than 00:05:00 it should be green
For cells with values between 00:05:00 and 00:15:00 it should be orange
For cells with values higher than 00:15:00 it should be red
Hi, I need to increase the size of text box filters in my dashboard. I need to be able to increase the size of all or selected textbox filters. I found the solution below from a previous post but it is not working in Splunk Enterprise versions 7.x and 8.x. Can someone assist pls? Thanks in advance!!!

https://community.splunk.com/t5/Dashboards-Visualizations/How-to-increase-the-textbox-size-when-you-want-to-increase-the/m-p/328563/highlight/false#M21305

<form>
  <label>Text Box Size</label>
  <fieldset submitButton="false">
  </fieldset>
  <row>
    <panel depends="$alwaysHideCSSStyle$">
      <html>
        <style>
          #text4 .splunk-textinput {
            width: 300px !important;
          }
          #text4 .splunk-textinput input {
            width: 300px !important;
          }
          #text5 {
            padding-left: 95px !important;
          }
          #text5 .splunk-textinput {
            width: 300px !important;
          }
          #text5 .splunk-textinput input {
            width: 300px !important;
          }
        </style>
      </html>
    </panel>
    <panel>
      <input id="text1" type="text" token="field1">
        <label>field1</label>
      </input>
      <input id="text2" type="text" token="field2">
        <label>field2</label>
      </input>
      <input id="text3" type="text" token="field3">
        <label>field3</label>
      </input>
      <input id="text4" type="text" token="field4">
        <label>field4</label>
      </input>
      <input id="text5" type="text" token="field5">
        <label>field5</label>
      </input>
    </panel>
  </row>
</form>
Hi, I have a text box input that I have tweaked for taking multiple values and it works fine. I need to limit the number of values that a user can insert. How to do this? Thanks in advance!!!!
So the Deployment Server's job is to hold a bunch of apps, some of which contain outputs.conf to send to Deployment Clients. Outputs.conf has a field called sslPassword. When placed in the deployment app library, this value is written in plain text right now. Am I doing this wrong? Is this how it's supposed to work? Anybody who shells into the container can see a plain text password right there in $SPLUNK_HOME/etc/deployment-apps/myapp/local/outputs.conf! When the app reaches the Deployment Client, the password becomes encrypted when the app is installed. That's not the issue. The issue is I don't want them in plain text on my server. I don't want them in plain text anywhere. Is there a better way to manage these sslPasswords (the ones that live in the deployment-apps, not the ones used to configure the server itself) on the Deployment Server? I really hope I'm doing this wrong. For example, is there a way to use splunk.secret on the Server to encrypt ALL files that look like sslPasswords? Is there a feature request in the works? Am I the first person to ever ask for this?
Hi, I am trying to extract a timestamp including nanoseconds, but I am able to extract only 7 digits of nanoseconds even though I used %9N in TIME_FORMAT. Below is my sample event:

10,11/03/20 04:00:00.000000010,11/03/20,04:00:00,Zx: 6037,04:00:00,48d4c21c3014850838840a460424c05b20412128053ce6074720006e00f1ff5500000000000000,Mod=2,AckReq=0,RtBits=0,MsgSeq=35,OnRte=1,Id=46,VId=6037

Below is my props.conf:

[abc_logs_st]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
disabled = false
TIME_PREFIX = ^\d+\,
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = %m/%d/%y %H:%M:%S.%9N

Why is Splunk considering only 7 digits after the decimal? Is this a bug in Splunk? Thanks.
Hi, I have just installed Splunk and am doing a training course and trying to follow along. I realize I am having issues with the functionality of some of the features and search logs, and I wonder if I installed the incorrect version. Can we have a chat?
Hi, I've installed the TrackMe app in my Splunk Cloud environment.  It's automatically discovered my environment, including indexes and sourcetypes.   I want to monitor most sources by index, not sourcetype.  I've configured the index to be monitored, but all the additional sourcetypes for that index still remain.  Do I need to click on each of these and delete them?  Is there another way to do this?  It's a fair amount of sourcetypes.  
I know this version is still in beta, I personally had a lot of issues getting it to install properly. In case it would help someone else, I wanted to provide some notes I wrote up. 
Hi Folks. We would like to get data from several machines which are running HP OpenVMS V8.2-1. I saw something about getting this via syslog. Happy to do that if that's the best solution. It does seem dicey, because the OpenVMS messages are likely to be multiple lines per message. Also, the only method I found for turning VMS auth logs into syslog was a bit of custom .c code. We'd prefer to use something with more likelihood of stability. Anyone have details or references on solving this? -Vik Solem
I'm reading a file that is being overwritten by a PowerShell script (no append to the file). The PowerShell script is using the Out-File command to write the content to the file.

Sample content:

Domain Profile Settings:
----------------------------------------------------------------------
State ON

Private Profile Settings:
----------------------------------------------------------------------
State ON

Public Profile Settings:
----------------------------------------------------------------------
State ON
Ok.

props.conf file

###### FirewallStatus ######
[source::...FirewallStatus.Log]
sourcetype = FirewallStatusLog
CHECK_METHOD = modtime

[FirewallStatusLog]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = neverbreak
DATETIME_CONFIG = NONE
pulldown_type = true

inputs.conf file

[monitor://$SPLUNK_HOME\var\log\custom\FirewallStatus.log]
disabled = 0
sourcetype = FirewallStatusLog

In my case, the first time the content comes in as a single event, but the next time the file gets updated the content gets broken into two events by Splunk. On a side note, it does not ingest events on every update if there is no change in the content. (That might be okay; I may create a lookup, this is no big deal.)
We are planning to upgrade our ServiceNow instance to the latest version, Paris. However, the current version of the Splunk Integration plugin is not compatible. Does anyone know when compatibility with Paris will be available? Thank you.
Hi All, I've followed the instructions here (https://docs.splunk.com/Documentation/AddOns/latest/MSIIS/About) to ingest MS IIS logs into splunk. I have installed the universal forwarder on our test windows server, as well as the IIS Splunkbase app on the windows server and our heavy forwarder. (Our heavy forwarder is configured to forward upstream.) For inputs on the test windows server, we have this configured:

C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft-iis\local\inputs.conf

[monitor://C:\inetpub\logs\LogFiles]
disabled = 0
index = test_index
sourcetype = ms:iis:auto

Example of the IIS log:

#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2020-09-18 13:15:43
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-09-18 13:15:43 127.0.0.1 GET / - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 304 0 0 171
2020-09-18 13:15:43 127.0.0.1 GET /iis-85.png - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko http://localhost/ 304 0 0 0
2020-09-18 13:15:43 127.0.0.1 GET /favicon.ico - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64;+Trident/7.0;+rv:11.0)+like+Gecko - 404 0 2 0

Data from Splunk Search:

Any idea on why fields aren't being extracted? Not even host is being extracted. Other logs from our windows servers work fine; this is the only app/log type we are currently having trouble with.
Hi there, the situation is as follows. We've a scheduled search running which is doing an LDAP query on Active Directory and putting all computer objects into one lookup file. The lookup file is being used by Enterprise Security asset and identity management. We desire to put in a priority for these assets. Now when we do this manually, via lookup editor, the next time the scheduled search runs the priority is overwritten again with "nothing". Therefore we created a different csv file with only the prioritized assets in it (and containing the same headers as the "master" file). We would like to overwrite the "master" lookup file from asset & identity management with the content of that new "prio" csv after the schedule has run. How can we achieve that? Thanks in advance, Erik
The external script was working in the python2.x version, but after forcing it to use python3 it returns with error code 1.

python script:

import sys,splunk.Intersplunk
import xml.sax
import xml.sax.saxutils as saxutils
from xml.sax.handler import ContentHandler
from xml.sax.handler import EntityResolver
from xml.sax.xmlreader import InputSource
import StringIO

class NullInputSource(InputSource):
    def getByteStream(self):
        return StringIO.StringIO("entity files not supported.")

class NullEntityResolver(EntityResolver):
    def resolveEntity(self,publicId,systemId):
        return NullInputSource()

class XmlHandler(ContentHandler):
    def __init__(self):
        self.indent = 0

    def reset(self , r):
        self.current_output = ''
        self.indent = 0
        self.open_tag = ''

    def getOutput(self):
        return self.current_output

    def startElement(self, name, attrs):
        self.open_tag = name
        self.current_output += '\n' + ' ' * self.indent
        self.indent += 1
        self.current_output += '<' + name
        if attrs.getLength() > 0:
            for k in attrs.getNames():
                self.current_output += ' ' + k + '=' + saxutils.quoteattr(attrs.getValue(k))
        self.current_output += '>'

    def characters(self, content):
        if len(content.strip()) > 0:
            # self.current_output += ' ' * self.indent
            self.current_output += saxutils.escape( content ) #+ '\n'

    def endElement(self, name):
        self.indent -= 1
        if self.open_tag != name:
            self.current_output += '\n' + ' ' * self.indent
        self.current_output += '</' + name + '>'

try:
    results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()
    handler = XmlHandler()
    for r in results:
        try:
            if 'xml' in r:
                xml_text = r['xml']
                dest_field = 'xml'
            else:
                raw = r["_raw"]
                dest_field = '_raw'
                xml_text = raw[ raw.index( '<' ) : raw.rindex( '>' )+1 ]
            handler.reset(xml_text)
            parser = xml.sax.make_parser()
            parser.setContentHandler(handler)
            parser.setEntityResolver(NullEntityResolver())
            parser.parse(StringIO.StringIO(xml_text))
            r[dest_field] = handler.getOutput()
            if 'xml' in r:
                xml_text = r['xml']
            else:
                raw = r["_raw"]
        except:
            import traceback
            stack = traceback.format_exc()
            r['_raw'] = "Failed to parse: " + str(stack) + "\n" + r['_raw']
except:
    import traceback
    stack = traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

splunk.Intersplunk.outputResults( results )

@kamlesh_vaghela

commands.conf:

[xmlformat]
filename = xmlformat.py
retainsevents = true
overrides_timeorder = false
run_in_preview = false
streaming = true
python.version = python3