All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Topics

Hi,  I have a search like this applied on many queries :  index="abs" field1="aaa" field2="bbb"  | eval dummy="true" | eval epochnow = now() | eval epochHorodate=strptime(Horodate, "%Y-%m-%dT%H:... See more...
Hi,  I have a search like this applied on many queries :  index="abs" field1="aaa" field2="bbb"  | eval dummy="true" | eval epochnow = now() | eval epochHorodate=strptime(Horodate, "%Y-%m-%dT%H:%M:%S") | eval Horodate=strftime(epochHorodate, "%Y-%m-%dT%H:%M:%S") | where epochnow>=epochHorodate | eval _time=Horodate | stats count(eval(Statut=="KO")) as KO by _time | sort _time ASC | appendpipe [| stats sum(KO) as KO | eval _time=now()] Usually the search return a result like this :  I have the sum of KO / day. And then I use the single value for the visualization :    My issue is that on one query I have this error : And it doesn't span bay day anymore. Can you help me please ?          
Greetings, The search I am using currently is giving me the total number of failed logins by day of the week for the last 90 days: | base search event="login_fail" | bin _time as date span=1d |... See more...
Greetings, The search I am using currently is giving me the total number of failed logins by day of the week for the last 90 days: | base search event="login_fail" | bin _time as date span=1d | eval weekday=strftime(_time, "%A") | stats count by weekday | stats avg(count) by weekday The problem is I want to find the daily average number of failed logins for the last 90 days.  For example, in the search above is shows a total of 625 failed logins for Fridays.  The last line of the search isn't providing any value so it's not needed.  Is there a way to modify my search to get that average number instead of the total count for Fridays?  For example, since there are ~12 Fridays over the last 90 days that would come out to ~52 failed logins on Fridays (12 * 52 is where I get the 625).    Thanks for any help.
Hi , I am trying to increase font size and make it bold of text present in a panel. Panel consists of radio button and two dropdowns. I want to increase font size of radio button options and label ... See more...
Hi , I am trying to increase font size and make it bold of text present in a panel. Panel consists of radio button and two dropdowns. I want to increase font size of radio button options and label of dropdowns. any simple html code that i can include in xml?              
Hi, I have the JS and CSS created to highlight the row based on my search result. Instead of highlighting the row, I have done encircling the row with blue color to show that is the data for the cho... See more...
Hi, I have the JS and CSS created to highlight the row based on my search result. Instead of highlighting the row, I have done encircling the row with blue color to show that is the data for the chosen filter. Issue: Initially when the dashboard is loaded and when I chose the filter the row encircling doesn't work but after flipping(choosing different option) the filter option it works fine. Could you please let me know do I need to add anything to the below JS to fix the issue to get the row encircling when the dashboard loads initially. JS:   /* TODO: jink to replace theme_utils with that from core */ require.config({ paths: { theme_utils: '../app/simple_xml_examples/theme_utils' } }); require([ 'underscore', 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/tableview', 'theme_utils', 'splunkjs/mvc/simplexml/ready!' ], function(_, $, mvc, TableView, themeUtils) { var isDarkTheme = themeUtils.getCurrentTheme && themeUtils.getCurrentTheme() === 'dark'; // Row Coloring Example with custom, client-side range interpretation var CustomRangeRenderer = TableView.BaseCellRenderer.extend({ canRender: function(cell) { // Enable this custom cell renderer for both the ACK_DATE_TIME and the ACK_BY field return _(['posting_date', 'Chosen_Row', 'chosen_row']).contains(cell.field); }, render: function($td, cell) { // Add a class to the cell based on the returned value var value = cell.value; // Apply interpretation for number of historical searches if (cell.field === 'Chosen_Row') { if (value === 'Yes') { $td.addClass('range-cell').addClass('range-severe'); } } // Apply interpretation for number of realtime searches if (cell.field === 'chosen_row' | cell.field === 'Chosen_Row') { if (value === 'Yes') { $td.addClass('range-cell').addClass('range-severe'); } } // Update the cell content $td.text(value); } }); mvc.Components.get('highlight').getVisualization(function(tableView) { tableView.on('rendered', function() { // Apply class of the cells to the parent row in order to color the whole row tableView.$el.find('td.range-cell').each(function() { $(this).parents('tr').addClass(this.className); }); if(isDarkTheme){ tableView.$el.find('td.timestamp').each(function() { $(this).parents('tr').addClass('dark'); }); } }); // Add custom cell renderer, the table will re-render automatically. tableView.addCellRenderer(new CustomRangeRenderer()); }); mvc.Components.get('highlight1').getVisualization(function(tableView) { tableView.on('rendered', function() { // Apply class of the cells to the parent row in order to color the whole row tableView.$el.find('td.range-cell').each(function() { $(this).parents('tr').addClass(this.className); }); if(isDarkTheme){ tableView.$el.find('td.timestamp').each(function() { $(this).parents('tr').addClass('dark'); }); } }); // Add custom cell renderer, the table will re-render automatically. tableView.addCellRenderer(new CustomRangeRenderer()); }); });   CSS:   /* Custom Icons */ td.icon { text-align: center; } td.icon i { font-size: 25px; text-shadow: 1px 1px #aaa; } td.icon .severe { color: red; } td.icon .elevated { color: orangered; } td.icon .low { color: #006400; } /* Row Coloring for selected posting_date */ #highlight tr.range-severe td { border: solid rgba(0,164,253,.6) !important; border-width: 4px 0px 4px 1px !important; font-weight: bold; } #highlight1 tr.range-severe td { border: solid rgba(0,164,253,.6) !important; border-width: 4px 0px 4px 1px !important; font-weight: bold; } /* Row Coloring */ .icon-inline i { font-size: 18px; margin-left: 5px; } .icon-inline i.icon-alert-circle { color: #ef392c; } .icon-inline i.icon-alert { color: #ff9c1a; } .icon-inline i.icon-check { color: #5fff5e; } /* Dark Theme */ td.icon i.dark { text-shadow: none; } /* Row Coloring */ #highlight tr.dark td { background-color: #5BA383 !important; } #highlight tr.range-elevated.dark td { background-color: #EC9960 !important; } #highlight tr.range-severe.dark td { background-color: #AF575A !important; } #highlight .table .dark td { border-top: 1px solid #000000; color: #F2F4F5; } #highlight1 tr.dark td { background-color: #5BA383 !important; } #highlight1 tr.range-elevated.dark td { background-color: #EC9960 !important; } #highlight1 tr.range-severe.dark td { background-color: #AF575A !important; } #highlight1 .table .dark td { border-top: 1px solid #000000; color: #F2F4F5; }    
Hello!  Is it possible with Splunk Enterprise to input JSON logs into the instance and transform them to CEF format? 
Hello Team, I am trying to integrate the FMC to the estreamer client (encore addon for firepower) with an IPv6 address. The client works with ipv4 address but not with ipv6 address. It throws the er... See more...
Hello Team, I am trying to integrate the FMC to the estreamer client (encore addon for firepower) with an IPv6 address. The client works with ipv4 address but not with ipv6 address. It throws the error as shown below: 2020-09-14 20:03:37,935 Controller ERROR EncoreException: socket.gaierror ([Errno -9] Address family for hostname not supported)\nTraceback (most recent call last):\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/controller.py", line 244, in start\n diagnostics.execute()\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/diagnostics.py", line 82, in execute\n connection.connect()\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/connection.py", line 88, in connect\n raise estreamer.EncoreException( 'socket.gaierror ({0})'.format(gex) )\nEncoreException: socket.gaierror ([Errno -9] Address family for hostname not supported)\n 2020-09-14 20:03:37,941 Controller INFO Stopping... IPv6 is enabled from the estreamer side. Is there any settings that needs to be done so as to work with IPv6?
Everyone, I am trying to edit the ID values for the "div" tags mentioned in the above screenshot so that they are unique i.e the first one would be id="statistics" and the second id would be id=... See more...
Everyone, I am trying to edit the ID values for the "div" tags mentioned in the above screenshot so that they are unique i.e the first one would be id="statistics" and the second id would be id="statistics_1" etc.  I am getting the code above when I inspect a table panel in Splunk but not aware of how this can be edited. Can you suggest how this change is possible?
I'm tasked with moving the $SPLUNK_HOME/etc/system/local/ conf files within our peer nodes to their own Splunk apps for easier management using the deployment-server/cluster master method. Since, ... See more...
I'm tasked with moving the $SPLUNK_HOME/etc/system/local/ conf files within our peer nodes to their own Splunk apps for easier management using the deployment-server/cluster master method. Since, we are using third-party SSL certificates to secure log ingestion from the forwarders each peer has their own unique .pem file. What is the best way to incorporate the inputs.conf file regarding the SSL configs, for all peer nodes within a Splunk app that will be distributed to all peers? Specifically, I'm referring to the serverCert option, which has a different filename on each peer node. All other config options are the same within the inputs.conf files. Thanks!
I have two indexes and it has similar fields and need to compare counts on these two indexes. For example Index A Id   status_code   1 b   2 a   3 a 4 m ... See more...
I have two indexes and it has similar fields and need to compare counts on these two indexes. For example Index A Id   status_code   1 b   2 a   3 a 4 m 5 b 6 c   Index B   ID category_code1 from_dt To_dt 101 p 01/01/2019 09/14/2018 102 b 01/01/2019 null 103 a 01/01/2019 null 104 m 01/01/2019 null 105 a 01/01/2019 null Expected output   Index A count Index B Count difference Category A 2 2   Category B 2 1 1 Category C 1 0   How do I get this count by categories on two different indexes. 
Hello Everyone, I have searched everywhere for a solution but did not get anything close to what I'm trying to do. So, I have one Domain Controller from where we are capturing data into the DS. On s... See more...
Hello Everyone, I have searched everywhere for a solution but did not get anything close to what I'm trying to do. So, I have one Domain Controller from where we are capturing data into the DS. On searching for EventCode 4624, I see around 10-15 events with the same timestamp, AccountName, etc. logging in. This single eventcode is consuming around 4-5 GB of license eveyday from a single Domain Controller which is not at all ideal. Blacklisting the event is no help as I need it for several reports. I have already removed the extra description at the end of events to reduce license usage. I was wondering if someone has faced similar issue or if someone could guide me on this, that would be great. Please let me know if I need to provide anymore information.
Hi! i have the following table: Com-Jun Com-Jul Com-Aug Jun Jul Aug 3 3 1 2 5 7 1 1 3 2 5 3   Can i add the values of each column starting with Com to the values of mont... See more...
Hi! i have the following table: Com-Jun Com-Jul Com-Aug Jun Jul Aug 3 3 1 2 5 7 1 1 3 2 5 3   Can i add the values of each column starting with Com to the values of month. (Com-Jun plus June, Com-Jul plus July etc.) So the values in the first 3 columns should be added to the values of the last three columns so that my table looks like this: Com-Jun Com-Jul Com-Aug June July August Sum-Jun Sum-Jul Sum-Aug 3 3 1 2 5 7 5 8 8 1 1 3 2 5 3 3 6 6   Thank you!
How to create custom network port to receive data on Splunk syslog server ? I don't want data to be received on default port.
Hi Everyone, We are trying to upgrade Threatstream app to version 6.4.2 and also upgraded the app successfully but after upgrade data in not ingesting to our index-threatstream_summary, we followed ... See more...
Hi Everyone, We are trying to upgrade Threatstream app to version 6.4.2 and also upgraded the app successfully but after upgrade data in not ingesting to our index-threatstream_summary, we followed the steps to rerun the setup in our enviorment after upgrade of app still no data getting ingested. We installed app on our Search Head as per the document describles, also we are not getting any internal errors for the app. Kindly suggest the solution to this.
HI All, Need help in preparing a tabular form. Data am having :  using the Index am getting below table. Class Count NODEDOWN 520 BGPDOWN 320 ISISALERT 130   Query am using ... See more...
HI All, Need help in preparing a tabular form. Data am having :  using the Index am getting below table. Class Count NODEDOWN 520 BGPDOWN 320 ISISALERT 130   Query am using   index=itsm stats count by Class   Last 60 days data.   Requirement:  I want month wise data. I used timewrap and timechart.  But the data am getting is not the correct format.   Expected format output. Class Jul-20 Aug-20 Sep-20 NODEDOWN 250 250 20 BGPDOWN 150 150 20 ISISALERT 50 50 30   Please help me this format,  If it search for 1 year data. all 12 months in tabular data.
Have being trying out @jkat54 's Web tool add-on to do some maintenance on ITSI objects with the ITSI REST api. I've managed to do make some of the options work - like enabling and disabling service... See more...
Have being trying out @jkat54 's Web tool add-on to do some maintenance on ITSI objects with the ITSI REST api. I've managed to do make some of the options work - like enabling and disabling services, but I'm stuck on creating maintenance windows. Thanks to a few other answers (thanks @damianokuen and @kartikaykv1 ) I've managed to succesfully test enable / disabling a service - insert your own <serviceid> without the <> to try: index=itsi_summary | head 1 | eval header="{\"content-type\":\"application/json\"}" | eval data="{\"enabled\": 0,\"_key\":\"<serviceid>\"}" | curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/<serviceid>?is_partial_data=1 splunkauth=true debug=false headerfield=header datafield=data Using a standard command line curl I've managed to create a maintenance window (again use your own user / password / server / port / serviceid) curl -k -u <user>:<password> https://<server>:<port>/servicesNS/nobody/SA-ITOA/maintenance_services_interface/maintenance_calendar -X POST -H "Content-Type:application/json" -d "{\"title\":\"TEST MW\",\"start_time\":1589715600,\"end_time\":1589719600,\"objects\":[{\"object_type\":\"service\",\"_key\":\"<serviceid>\"}]} but trying to use this within SPL is failing : index=itsi_summary | head 1 | eval header="{\"content-type\":\"application/json\"}" | eval data="{\"title\":\"TEST MW2\",\"start_time\":1589705600,\"end_time\":1589709600,\"objects\":[{\"object_type\":\"entity\",\"_key\":\"<serviceid>\"}]}" | curl method=post uri=https://localhost:8089//servicesNS/nobody/SA-ITOA/maintenance_services_interface/maintenance_calendar splunkauth=true debug=false headerfield=header datafield=data should be materially the same (barring changing the title so it doesn't duplicate the command line curl), but I get a failure {"message":"(400, 'Objects specified must be a valid non-empty list. Must specify at least one object.')"} I've tried a variety of ways of fiddling with syntax but just can't get it to work - I'm wondering whether the add-on doesn't work nicely with the nested array of objects you need to pass? https://docs.splunk.com/Documentation/ITSI/4.6.1/RESTAPI/ITSIRESTAPIschema#Maintenance_Calendar  
Hello, i am trying to search for field values in intervall (79,90). Both versions do not work properly as i know what to expect.   v1   index=XXX earliest="08/03/2020:15:00:00" latest="08/03/2... See more...
Hello, i am trying to search for field values in intervall (79,90). Both versions do not work properly as i know what to expect.   v1   index=XXX earliest="08/03/2020:15:00:00" latest="08/03/2020:16:30:00" TEMP<90 TEMP>79 | stats count as Counter    v2   index=XXX earliest="08/03/2020:15:00:00" latest="08/03/2020:16:30:00" TEMP<90 AND TEMP>79 | stats count as Counter  
Hi, I have a panel where it has 5 columns in it. I want to reduce the width of the 4th and 5th column alone and rest of the three columns can be of the default size.  Could you please help me here ... See more...
Hi, I have a panel where it has 5 columns in it. I want to reduce the width of the 4th and 5th column alone and rest of the three columns can be of the default size.  Could you please help me here whether is there any option to do it in simple xml. Thanks,
Hello,   I am currently confront some problem here. I want to substring data in specific column using rex.   The column's data looks like below(All same or similar style). "****-****-**POD4-***... See more...
Hello,   I am currently confront some problem here. I want to substring data in specific column using rex.   The column's data looks like below(All same or similar style). "****-****-**POD4-***"   In above case, all  I need is the number after the word POD. ( * means some alphabets)   Any ideas?  Thank you.  
Hello, I'm a complete newbie to Splunk so correct me if I'm wrong somewhere. I'm trying to monitor LDAP request, I have more than 21sites in our Domain. I'm using the Splunk App for Windows Infras... See more...
Hello, I'm a complete newbie to Splunk so correct me if I'm wrong somewhere. I'm trying to monitor LDAP request, I have more than 21sites in our Domain. I'm using the Splunk App for Windows Infrastructure and IT Operation. Is there any way I can get 30days LDAP request from these applications or Splunk. I'm taking out the logons weightage but it is taking almost forever to even get 5 days records -    Dashboard_1 Dashboard_1 Note - I don't have any admin privilege and no configuration can be allowed in the Splunk. Only READ-ONLY mode is available, I cannot run any query. HELP ME SUGGEST SOMETHING SO THAT I CAN GET THE LDAP REQUESTS FROM THE DC. TOTAL DC COUNT - 69   THANKs
I have some dashboards,alerts,reports in my single instance environment which are created under search app. Where do I find configurations of all those dashboards,alerts,reports on indexer machine. ... See more...
I have some dashboards,alerts,reports in my single instance environment which are created under search app. Where do I find configurations of all those dashboards,alerts,reports on indexer machine. Please help me with the path of configuration.