All Topics

Hi, I am trying to create an information point to collect metrics on a particular method of a particular class getting called. I want to customize this information point to calculate metrics based on certain values being present in the parameter object of the method. So I am using the match condition. I have 2 options of classes with their methods to be used.
1st Option - doesn't have a toString() implementation, so I have to use the Getter Chain.
2nd Option - my method is a private method, but the parameter object has both a toString() implementation and Getter Chains.
Already tried the following and am facing certain issues on each:
1. I tried to use regex on toString() of the parameter of my 2nd option, but for some reason it's not getting any metric counts. I don't see any errors on the controller, but it's not working.
2. I tried to do getX().getY().toString() in Option 1 using Getter Chain, but still ain't getting any metrics.
3. I tried to use just getX().getY().getZ() using Getter Chain (with both Option 1 and 2), but I am stuck at a condition. getZ() returns a list of custom objects. For example the custom object:
Person { String name; int age; int somethingElse; }
(assuming there are getters, setters, hashCode, equals and toString defined)
How do I do "list contains name = "Harshad""? The object with name "Harshad" can be at any index, but it will be available only once. I am assuming I need to use "contains". But how? Can someone give some examples?
Trying to log in to a default instance using admin/changeme (long the standard for on-prem Splunk). Does anyone know the default creds for the trial instance? Thanks
Hi, I am trying to extract data from my logs to display it by time. My logs look like this:
2020-09-09 14:45:46.321 finished processing data- sold 5 products: 2(<product1>) 1(<product2>) 2(<product3>)
I want to show it as a timechart where the 3 products are shown with each of their values: 2 sales for <product1>, 1 for <product2> and 2 for <product3>. How can I do it for each log? Note: in a log there can be n different products shown.
I have different flavors of log files; below are those.
1. Each event has a timestamp
2. Events without a timestamp
3. A few events have a timestamp, a few don't.
For all these types of logs, I have one common source type because these belong to one app. Due to these varieties of logs, will it create any problem like logs not getting updated properly on time, or sometimes the data itself missing? If that is the case, how do I apply time settings to fix the issue?
I have different kinds of error messages which will be present in WebSphere SystemOut logs. So it would be difficult for me to give the error message every time in my query when any new error occurs. What I want to do is create one lookup file which has all the error messages. My query should then use the lookup file to look for error messages and, if they are there in the logs, show the count of errors over time using timechart. My ultimate goal is to give the error messages in the lookup file instead of in my search query every time, so that this lookup file can be used anywhere. Please suggest how to create the lookup file and the search query for this requirement.
Sample error messages:
SRVE0190E: File not found
SRVE0255E: A WebGroup/Virtual Host has not been defined
I am not receiving data in my Windows infrastructure search head. MSAD is enabled but not reading any data.
My table looks like this:
VF_Price   Huyndai_Price   Jaguar_Price
345        412             542
I want it to look like the following:
VF_Price        345
Huyndai_Price   412
Jaguar_Price    542
I need to transpose the table without using the transpose command. I cannot use the transpose command, 'cos I am using some invisible _<fields> that I am passing to my alert; those invisible fields become visible and show in my transposed table if I use the 'transpose' command. Hence I am trying to figure out how I can achieve this without using 'transpose'.
Hi, I have the following query to show a graph of the free memory on the server. This is working nicely. However, the numbers are in bytes, making it hard to understand. When doing this with a regular stats command, I could add eval to calculate this, but with mstats this fails.
Working query without conversion:
| mstats avg(_value) prestats=t WHERE index=em_metrics AND metric_name="Memory.Available_Bytes" span=30s by metric_name | timechart avg(_value) as "Avg" span=1m by metric_name
Failing query with eval:
| mstats avg(_value) prestats=t WHERE index=em_metrics AND metric_name="Memory.Available_Bytes" span=30s by metric_name | eval FreeMem = ((_value/1024)/1024) | timechart avg(FreeMem) as "Avg" span=1m by metric_name
Any ideas how this can be achieved? I can't seem to find an example for mstats for this, only questions with stats.
I have an issue where the raw data shows up with data, but when I query it, all the other fields come up as empty. I have used a simple query:
index = syslogs "10.250.0.136" | table SYSLOG_message,SYSLOG_mne,_time,_raw
Hello guys, getting a 404 not found error "Oops. Page not found!" when trying to access the /en-US/dj/en-us/deviceinformation URL; the SNMP module is still collecting HSM data, however. Same with /en-US/app/deviceinformation/. Looks like this uses Django and is therefore not supported anymore. Thanks. Safenet Luna HSM App 1.0.1, and the same with 1.1.0.
We've used the Add-on Builder to create a custom app which uses a Python script to query a REST API, process some of the data (mostly to convert epoch to human-readable timestamps), and write events to Splunk. This works fine on three different test or development instances. On those, the returned data look like the following: The API's documentation and manually running the API request in Python confirm that this is the normal and expected data structure: As such, the regex for field parsing / extraction is written to follow this structure. However, when we run the same version of the app on the production instance there are two problems with the returned data:
1. The data is in a completely different order. This is an unworkable problem with regex and I don't want to have to maintain a separate version just for this one instance.
2. Every key is prefixed with u. I guess that, for some reason, this is to explicitly define the strings as Unicode but, whatever the reason, I guess that using u* would work around this fairly easily.
Does anyone know why this is happening? Further information on the instances' environments:
1 x development: OS: Ubuntu Server 20.04, Splunk Enterprise: 8.0.5, Python: 3.8.2
2 x test: OS: Ubuntu Server 20.04, Splunk Enterprise: 8.0.5, Python: 3.8.2
Production: OS: Ubuntu Server 18.04.4 LTS, Splunk Enterprise: 8.0.4, Python: 3.6.9
Thanks.
Update 2020/09/10 11:32: I just tried running the API commands in Python on the actual production instance and it worked fine, so it seems to be Splunk itself that's causing this problem.
Update 2020/09/11 16:03: On the production instance, I updated the installation of Splunk Enterprise to version 8.0.6 (latest as of writing) but it didn't make a difference. Interestingly enough, when the custom app is installed via the Splunk Add-on Builder, rather than directly, it works fine and exactly as expected, even though it's installed directly on the test instances.
Hi Folks, I have a requirement to create a relevant query in Splunk to retrieve the daily count of records from the Kafka server for all topics distinctly, along with total records. Below is my query; it runs, but is very slow to process. Can you please help me accelerate the data population:
index=blc_db sourcetype=jmx EventType="messages" | where IN(mbean_property_topic,"ciot_pdx_vision_er_gorr_modify","ciot_pdx_vision_er_gorr_subscription_account","ciot_pdx_vision_er_gorr_transaction","ciot_pdx_vf_sharepoint_group_tac_list","com_vodafone_smartlife","com_witsoftware_vodafone_smartlife","android_com_vodafone_smartlife","android_com_crvsh_vodafone_smartlife","prod_ciot_mongo","ciot_pdx_unipart_dispatches_uk","ciot_pdx_vf_italy_liveperson","ciot_pdx_mongodb_flow_orchestrator_transaction","ios_com_vodafone_smartlife","ios_com_crvsh_vodafone_smartlife","my_com_maxis_smartlife","android_my_com_maxis_smartlife","ios_my_com_maxis_smartlife","ciot_pdx_vss_events","ciot_pdx_vss_events_detailed","ciot_nginx_cg_01","ciot_pdx_chatlingual_full","ciot_pdx_vision_er_gorr_refund") | bin _time span=1d | stats range(Count) as countPerHost by host, _time, mbean_property_topic | stats count(host) as hostCount, sum(countPerHost) as totalCountPerDay by _time, mbean_property_topic
Hi All, I have made a dashboard which accepts an input (url). I have applied a regex to the url to extract only http/https. Then I need to visit various sites to view the domain authenticity. I am not able to use the generated token as a token. So the query I have is:
| table url | rex field=url "^(?<new_url>http.*$)" | eval virustotal="https://www.virustotal.com/gui/search/$new_url$" | table virustotal
But it is not working. Can someone please help me understand how to get the generated "new_url" as a string into the eval command?
Hi, I am having issues with dbx queries. I created a dashboard with dbx queries; I can run the queries, and the dashboard displays fine for me and other admins, but standard users (non-admins) get "unknown search command 'dbxquery'".
I am domain admin. I am an admin on Splunk.
The users having the issue:
- Are not domain admin
- Have permission on the SQL database that Splunk queries
I was looking at the article that would kind of explain why it works for me (being local admin on the Splunk server): https://docs.splunk.com/Documentation/DBX/3.3.1/DeployDBX/Configuresecurityandaccesscontrols
"Before using DB Connect, the logged-in user must have the ability to write to the $SPLUNK_HOME/var directory (%SPLUNK_HOME%\var on Windows hosts) and to $SPLUNK_HOME/etc/apps/splunk_app_db_connect ($SPLUNK_HOME/etc/apps/splunk_app_db_connect on Windows hosts) and its sub-directories"
Am I reading this right? I have to grant read access on the Splunk server directly if the dashboard user doesn't have permission to these folders? Surely I have that wrong? It can't be the case? Thanks.
Hi, I have an environment that is increasing in files each day; this, I think, is causing high CPU on the forwarders as the number of files is increasing. I am looking to prove this, so is there a command I can run on the forwarder that will tell me the number of files it is monitoring, etc., or something that will give me data on this topic? Regards, Robert Lynch
Hi Experts,
inputs.conf:
[script:///opt/splunk/etc/apps/app_name/bin/test1.sh]
disabled = false
interval = 300
passAuth = root

[monitor:///tmp/output.txt]
disabled = false
index = index_name
sourcetype = _json
crcSalt = <SOURCE>

Content of /opt/splunk/etc/apps/app_name/bin/test1.sh:
command > /tmp/output.txt

Background: As shown above, the script "test1.sh" runs a command and redirects the output to output.txt in JSON format. The monitor reads output.txt and sends it to Splunk Enterprise.
Problem: The "command" mentioned in test1.sh may or may not return a new set of values whenever it runs. So the forwarder should send only the events from output.txt that were not indexed earlier. The forwarder is unable to send the logs to Splunk Enterprise if "crcSalt = <SOURCE>" is not mentioned. Please help.
Thank you.
Hi guys, I'm currently developing a dashboard for user interaction. We have a production machine with three work stations which are separated. Now every work station can stop the conveyor. We can't get the reason the conveyor stops automatically out of the machine, so we want to digitize our workers' knowledge (they see a faulty part, for example). Every work station now has its own iPad where the HTML dashboards are running.
Out of a lookup I load the possible reasons why a worker at a certain station could have stopped the conveyor and display them accordingly on the dashboards just as red buttons. If a button is pressed, a search is executed to store the work station, the stopping reason and the time in an index. Now all dashboards are locked (buttons deactivated) so that nobody can set two reasons at once. One work station can start the conveyor again, and on that dashboard the buttons are replaced with one big dismiss button which has to be pressed if the worker starts the conveyor again.
This works as expected. Now, because of the separation of the work stations, they want to display the stop reason, work station and time of the current stop on all dashboards. To do this I implemented a second search which updates a lookup with the required information or deletes it.
Now to my problem: To display the information I run a cyclic search (with setTimeout(function, delay)). This works multiple times, but then it just stops the execution of the cyclic search (as far as I know).
Question: How can I ensure the cyclic search runs forever? OR: Can I retrieve the lookup data in another way?
If you have questions about my question or I forgot to include some info, please give me a note!
Splunk version: 7.3.3

The code:

// startCyclicSearch, intervalID, kommendgedrueckt, searchReadST, searchST, searchStoreST,
// Linie, AP, lookup and summaryIndex are assumed to be defined earlier in the dashboard script (not shown in the post).
startCyclicSearch(10000);

function cyclicSearch() {
    console.log("Start zyklische Suche");
    searchReadST.settings.set("search", '| inputlookup Stoerung' + Linie.substr(Linie.length - 1, 1) + lookup + '.csv');
    searchReadST.startSearch();
}

function resetKommendGedrueckt() {
    kommendgedrueckt = false;
}

var aktStoerungArray;
var aktStoerungResults = searchReadST.data("results"); // get the data from that search

aktStoerungResults.on("data", function() {
    var tokens = mvc.Components.get("default");
    //console.log(aktStoerungResults.data().rows);
    aktStoerungArray = aktStoerungResults.data().rows;
    console.log("Arbeitsplatz: " + aktStoerungArray[0][0] + " " + aktStoerungArray[0][1] + " aktive Störung: " + aktStoerungArray[0][2] + " Uhrzeit: " + aktStoerungArray[0][3]);
    if (!kommendgedrueckt) {
        if (aktStoerungArray[0][0] == "") {
            $("#aktSt").html("");
            $("#row00").hide();
            $(".btnKommend").prop("disabled", false);
        } else {
            $("#aktSt").html(aktStoerungArray[0][0] + " " + aktStoerungArray[0][1] + ": aktive Störung = " + aktStoerungArray[0][2] + " Uhrzeit: " + aktStoerungArray[0][3]);
            $("#row00").show();
            $(".btnKommend").prop("disabled", true);
        }
    }
    startCyclicSearch(2000);
});

var St;
var counter = 0;

// Register the event listener for the fault buttons
document.addEventListener('click', function(e) {
    if (e.target && $(e.target).hasClass("btnKommend")) {
        console.log("Entering Kommend");
        clearTimeout(intervalID);
        kommendgedrueckt = true;
        // Disable the button immediately so we don't have to wait for the lookup and accidentally send a 2nd fault
        $(".btnKommend").prop("disabled", true);
        // Take the fault from the button text
        St = e.target.innerHTML;
        // Start search --> store the fault with timestamp and workstation (AP) in the summary index machinedata_w05_sum
        searchST.settings.set("search", mvc.tokenSafe('| makeresults 1 | eval area="Pulvertechnik", machine="inputDevicePulveranlagen", app="StörungenPulveranlagen" | eval Störung="' + St + '" | eval action="kommend" | eval Arbeitsplatz="' + AP + '", Linie="' + Linie + '" | table _time area machine app Störung action Arbeitsplatz Linie | collect index="' + summaryIndex + '" testmode=f'));
        searchST.startSearch();
        // TODO: Remove the following line if it doesn't work
        searchST.finalize();
        //console.log("Suche ausgeführt " + getFormattedDate());
        //console.log(searchST.id);
        searchST.settings.set("search", mvc.tokenSafe(''));
        // Write the fault to the lookup --> other dashboards can access it
        searchStoreST.settings.set("search", mvc.tokenSafe('| makeresults 1 | eval _time=strftime(_time, "%H:%M:%S") | eval Stoerung="' + St + '" | eval Arbeitsplatz="' + AP + '", Linie="' + Linie + '" | outputlookup Stoerung' + Linie.substr(Linie.length - 1, 1) + lookup + '.csv '));
        searchStoreST.startSearch();
        $(".btnKommend").prop("disabled", true);
        setTimeout(resetKommendGedrueckt, 10000);
        startCyclicSearch(10000);
    }
});

Thanks a lot!
Table 1:
Student_id   Student_name   Address
101          john           Bang
105          han            Singa
102          vish           India
103          ram            Lond

Table 2 (students are attempting exams multiple times; need to extract only failed student details, can anyone help):
Student_name   Status   marks
john           fail     30
han            fail     10
ram            fail     20
vish           Pass     50
han            Pass     90
ram            Pass     50

The output should be as below after combining data from both logs; as ram passed in the second attempt, he should not display:
Student_id   Address   Student_name   Status   marks
101          Bang      john           fail     30
105          Singa     han            fail     10
Basically, I want to get the duration based on the time picker. For example, if I select Year to Date in the time picker, I want to know how many minutes there are in Year to Date and assign it as a new field, let's say UptimeDuration.
We have a deployment scenario where the Splunk UF forwards the data to Splunk Enterprise using "One Way Communication", so is there any way we can have the Splunk UF communicate with the Splunk UE through the UDP protocol?