Hello, so I was looking at my metadata/local.meta and it is only the following 4 lines:
[savedsearches/mysavedsearch]
owner = myaccount
version = <something>
modtime = <something>
From the Splunk web UI it shows that the savedsearch has "App" sharing. My question is, shouldn't there be a setting there such as: export = none ? Trying to find out how the savedsearch was created: what causes the creation of a savedsearch to not have the export configuration?
I have the following search:
index="automox" sourcetype="automox:devices" server_group="Windows Server Pilot" | dedup name | top pending, server_group | fields - percent | eventstats sum(count) as total by server_group | eval percent=round(count*100/total,2) | fields - total | where pending="false" | sort -percent | rename server_group AS "Server Group", count AS "Devices", percent AS "Patched Percent" | table "Server Group", "Patched Percent"
What I want to do is, when there are no events with "pending=false", I would like this to be reflected in the stats table as 0%. This is for patch compliance, which is why I would like this. I tried using fillnull but I haven't managed to get it working. Any help would be appreciated.
Hi guys, I am working on searching data from ServiceNow tickets, and tickets normally have some status, for example:
#Ticket   #Status   #Time
Ticket1   Open      Sep 01
Ticket1   Closed    Sep 02
Ticket2   Open      Sep 01
Ticket2   Pending   Sep 03
How can I get a table that only lists the latest status, like below:
#Ticket   #Status   #Time
Ticket1   Closed    Sep 02
Ticket2   Pending   Sep 03
Thank you!
We have created HTTP Event Collector events using Postman through the REST API. We also have a few events created by uploading a log file on our Splunk Enterprise instance. Is an update possible on events, and what is the REST API for that? We didn't find any API in the documentation.
Is there a way to get the current app name in a search? I've found how to get the current user name (| rest splunk_server=local /services/authentication/current-context | table username) but I would also need the current app. The app I'm building is looking in Splunk access logs for its own name, so that it displays some statistics about itself, like response time, etc.
Hi, there is a requirement to create a drilldown from a chart. When you click the chart, the values should populate in a panel below. But currently it's not working. In the below chart, user roles are not getting populated. Attaching the code for reference. Any help would be appreciated.
When we use a mobile device to open a browser with a Splunk dashboard, input functions like time/multi-select cannot work normally in Splunk 7.x. But using a PC browser to open the same Splunk dashboard, selecting time or multi-select, the dashboard works well. I guess it is a bug in Splunk 7.x. Does anyone have the same issue as me?
When installing Splunk Universal Forwarder on Windows via the GUI we can specify to run Splunk under a virtual account. How can I specify the same when installing via the command prompt? I tried the following command in my batch script, but eventually the Splunk forwarder was installed under SYSTEM:
msiexec.exe /i splunkforwarder-8.0.6-152fb4b2bb96-x64-release.msi AGREETOLICENSE=yes SET_ADMIN_USER=0 SPLUNKUSERNAME=%user% SPLUNKPASSWORD=%password% LOGONUSERNAME="NT SERVICE\SplunkForwarder" /L*v %installation_log% /quiet
Is this possible?
I have 2 large data sets.
Data Set 1 (Assets) contains information about devices. For example the dataset will have the following fields: hostname, ipaddress, status, parent
Data Set 2 (Software) contains the software installed for those devices (I did a check on the number of events and there are somewhere around 4.5 million events returned over a 24h window). For example the dataset will have the following fields: machine_name, sw_installed, installed_date
What I am working on is to join these 2 data sets based on the machine_name / host name. I am then specifically looking for specific software and doing a match if found. A simple join here would be something like (the following example shows 1 eval, but this could conceivably be 2, 3 or more depending on the requirement):
index=assets | dedup host_name | rename host_name AS machine_name | join machine_name [search index=software | fields machine_name sw_installed] | eval jobinstalled=if(match(sw_installed,"jobsw"),"Yes","No") | table machine_name jobinstalled
If I then change this search to be a little more specific:
index=assets host_name=mysrv1 | dedup host_name | rename host_name AS machine_name | join machine_name [search index=software | fields machine_name sw_installed] | eval jobinstalled=if(match(sw_installed,"jobsw"),"Yes","No") | table machine_name jobinstalled
I get maybe 1 result, maybe a couple, or nothing at all. I know the reason why, and this is due to hitting the maximum of 50000 returned events in my subsearch (the finished job drop-down shows "subsearch produced 50000 results, truncating to maxout 50000").
If I configure with max=0 I run into a similar problem, and again my results are skewed:
index=assets host_name=mysrv1 | dedup host_name | rename host_name AS machine_name | join machine_name max=0 [search index=software | fields machine_name sw_installed] | eval jobinstalled=if(match(sw_installed,"jobsw"),"Yes","No") | table machine_name jobinstalled
If I write the following SPL:
index=software machine_name=mysrv1 | dedup sw_installed | table sw_installed machine_name
that search will produce, for example, 90 events for the software installed on the server. If I run the following search, for example:
index=assets host_name=mysrv1 | dedup host_name
I will get the 1 event as intended. How do I fix my search so that I can get around this constraint?
I have a lookup CSV table that lists dates of holidays in a single column. HolidayTable.csv:
HDate
1/1/2020
...................
I tried to use the following:
search ... | eval currentdate=strftime(now(),"%-m/%-d/%Y") | lookup HolidayTable.csv HDate as currentdate OUTPUT HDate as Holiday | eval Holiday=if(isnull(Holiday), "N", "Y")
My expectation was that when the current date matches a row in the table I will get the date string, and otherwise null. It does not seem to work this way. What am I missing here?
Hi all! I'm trying to enable SSL for my HEC ingestor on a small, centralized Splunk Enterprise deployment. I used Let's Encrypt to generate the certificates for the Splunk Web interface, as it's trusted by everyone. I'm trying to configure HEC to use the same certificates, but I'm having no luck in doing so. I tried following all the guides/questions on this board for securing HEC using certs, but I'm not sure which .pem files to use, if I have to encrypt them with an additional password, etc. Thanks!
Hello, whenever I try to add a new artifact I get the following error:
phantom.act(): 'add_artifact_1' cannot be run on asset 'phantom helper'. The "add artifact" action requires the following parameters: source_data_identifier. The given parameters look like they were automatically generated by phantom.act() because an empty parameters list was passed to phantom.act(). The parameters list may have been empty because the preceding call to phantom.collect2() returned an empty list. Check your calling code in the action that generated this error
I presume it is the container identifier, but how could I reference it in the playbook?
I'd like to be able to display only the top Total values; I'm struggling with this.
Anyone know when this add-on will be made to work on 8.0.4 and above? I just had to back out of a Splunk upgrade because the add-on was spewing out pretty much nothing but Python errors.
Hello, I recently started with a company that has a syslog-ng server saving logs to /mnt/syslog/$year/$month/<filename>, onboarded to Splunk as sourcetype syslog and index main. I need to begin onboarding data by the actual sourcetype. The current monitor stanza is [monitor:\\\mnt\syslog]. The $year and $date are part of log rotation, with the previous month being archived and deleted, and only logs in the current year and month are updated and pulled into Splunk. We are starting with Juniper for onboarding by sourcetype. I updated syslog-ng.conf to write Juniper logs into their own folder and set up the following monitor in inputs.conf:
[monitor:///mnt/storage/.../juniper]
sourcetype = juniper
host_segment = 5
However, I am unable to get Splunk to see anything in the juniper folder. When I list monitors from the CLI, it only shows /mnt/storage/$year/$month. Also, due to network restrictions, we are currently not sending via UDP/TCP. Everything has to be onboarded via file (for now). I have tried different variations of the monitor stanza, including ///mnt/syslog/*/juniper, ///mnt/syslog/.../.../juniper and ///mnt/syslog/*/juniper/, to list a few. I have also used the CLI to "add monitor /mnt/syslog/.../juniper -sourcetype juniper", with the same results. Any recommendations? Or is more information needed? Thanks
I am trying to write a Splunk search where I have 2 conditions and my query returns the results based on them. For example: if condition1 matches, create a new field SEVERITY=SEV2; if condition2 matches, SEVERITY=SEV2; else SEVERITY=SEV3. How can I achieve this? In my search string I am using a couple of fields to filter the data, putting that as the SEV2 criteria. I am able to filter it and get the results for both conditions, but I am stuck where I cannot call everything else SEV3.
Hello, I am generating the following table in a Splunk dashboard using the following query from a raw data file. There are two types of values each Process Status can have:
Process Name   Process Status
VM_NAME Process oracle cm server "vm1 " "Process1" "0" "0" "0"
VM_NAME Process oracle cm server "vm2 " "Process1" "43" "1" "2"
index="log" source="/var/tmp/logs/test.log" | rex max_match=0 "(?s)(?<vm>.*?);" | mvexpand vm | rex field=vm max_match=0 "(?<name>\S+?):?\s(?<value>.*)" | rex mode=sed field=value "s/(.*)/\"\1\"/g" | eval tmp=mvzip(name,value,"=") | rename tmp as _raw | kv | table name value | rename name as "Process Name" | rename value as "Process Status"
Now, I want to color code the values of this table as red/green on the basis of whether the running processes are zero or not. I don't want anything complex; just simple color coding would work. Please suggest. Thanks in advance
Hi friends, I am using the below command to check the email alerts, but it's throwing an error and is not able to send emails. Can you please help here?
Command: index=123 info | sendemail to="kumar@xxx.com" subject=AzureTestAlert from="splunk"
Error on UI: command="sendemail", [Errno -2] Name or service not known while sending mail to: kumar@xxx.com
Error in python.log: 2020-09-03 17:25:24,113 -0700 ERROR     sendemail:143 - Sending email. subject="Splunk Alert: testAlert", results_link="https://splunk-shc-splunk-search-head-0:8000/app/search/@go?sid=scheduler__admin__search__testAlert_at_1599179100_51_CC555C75-B9DE-43D9-93D3-D1C60A6059CF", recipients="[u'kumar@xxx.com']", server="localhost"
I am using https://github.com/splunk/splunk-aws-project-trumpet to get AWS logs in. I am facing an issue, though, with only partial CloudTrail logs compared to the AWS TA. Any suggestions? On the CloudFormation template, does this effectively only collect this event pattern?
EventPattern":{ "detail-type":[ "AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"
I have two queries like below:
> index="int_audit_dev" | chart count(ApplicationName) over ApplicationName by Status
> index="int_audit_dev" | chart count(event.ApplicationName) over event.ApplicationName by event.Status
Individually these two queries are fine and able to get the data in tabular format. But I want the data as a sum of the values in tabular format. Any suggestions?