Has the ability to run Splunk attack range from a local virtual environment been removed?
Hello, I would like to know how to build a search using a lookup result. I mean, I have a list (assent_server.csv) with my servers with the following fields (ip,priority,nt_host). Example:

ip,priority,nt_host
10.10.1.1,critical,SERVER01
10.10.1.2,critical,SERVER02
10.10.1.2,critical,SERVER02

So I need to create the following: search for any servers that I have in the file assent_server.csv and get the log fields. I had tried with these searches:

1) index="win*" host=[|inputlookup asset_list | fields ip]
2) index="win*" | search host=[|inputlookup asset_list | fields nt_host]

but I get this result: Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side:
Hi, I got the following values as the result of a Splunk table:

842034200103 8200000005 780432017187 841011300007 841011300001 750105364925 750105364926 750635181101 780432075008 750105364021 501032775501 750103501520 500026702400 74460700795 318537000033 501032700017 750302357834 318537000039 74460700355 5019691 842034200201 750104881020 500019600377 841041536072 500026701420 800057043540 750103501055 780432006301 764017566005 750104881001 750103501301 750103504501 841011300752 74460700805 779154012710 74460700807 8051613514 740100500451 780432016969 74460700806 74460700803 731204001701 779154012716 750103501348 841002604740 541031695052 750100866020 750100866021 841010602325 750103504316 843701160176 500026711720 841022111015 843601425251 74978750013 5019638 324599096941 501101310015 501010380031 750100561751 841011300708 750103501312 304961000410 8218409047 8043240039 500029102070 500028105626 5019613 780432042235 750103501080 750302357821 500028105624 750104881030 475002100015 750103501203 841059100127 750103501202
22 22 12 4 23 83 24 12 12 15 4 0 54 47 27 2 9 16 4 4 13 22 10 23 13 7 26 29 6 65 30 25 21 20 12 37 30 16 7 70 17 23 24 13 5 6 31 18 30 53 14 9 5 20 12 71 4 4 10 51 6 15 7 17 24 3 18 7 11 5 118 4 4 4 207 15 59
3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814 3814

This is my Splunk query:

index="prod_super_cc" source="InventorySnapshot" | spath input=data.InventoryData | search "{}.UPC"="*" | table {}.UPC,{}.AvailableToSellQty,{}.NodeId | rename "{}.UPC" as "UPC", "{}.AvailableToSellQty" as "Stock", "{}.NodeId" as Store | where Stock=0

I need to filter some specific values from this table, such as "0" for example:

750103501520 - 0 - 3814

I've tried with a where statement but I can't get the desired result. Thanks for your help.
Hi, can I connect Tableau 2020.2 to Splunk 8.0.3 using the Splunk ODBC driver? I have installed the 64-bit Splunk ODBC driver since Tableau is also 64-bit, but I am getting the error "Error with HTTP API, error code: Couldn't connect to server". Someone just told me that the error is because "The Splunk ODBC connector is compatible with Splunk Enterprise 5.x and 6". Thanks!
Today we had an issue in our production environment - a cluster restarted without a preceding command to restart. Now I want to search our logs to see if this has happened before without us realizing it. I have tried using the transaction command, but I am not sure if it will do the job for me. We are running WebSphere, and whenever a JVM is started it will log an event like this:

[9/8/20 8:54:10:653 CEST] 00000001 WsServerImpl A WSVR0001I: Server MinSideMember02 open for e-business

If the restart was initiated by an administrator via the console or as a scheduled restart via a script, the following event will be logged:

[9/8/20 8:47:57:429 CEST] 000003b8 AdminHelper A ADMN1020I: An attempt is made to stop the MinSideMember02 server. (User ID = defaultWIMFileBasedRealm/wasadmin)

This is what I have tried (ref this answer):

index=production (e-business OR ADMN1020I) sourcetype="websphere:system:out" | transaction startswith="ADMN1020I" endswith="e-business" maxspan=15m | search eventcount=1

But no: it does find all "stopped then started" events, but not the two "started without stopped" events.
Hi, I face an issue with the submit button on XML dashboards. When I load the XML dashboard with the form tokens pre-populated in the URL like below, it automatically runs the searches in the panels. However, I want the panels to run only when submit is clicked after a user opens the pre-populated URL like below:

http://<ipaddress>/en-US/app/search/mw_dashboard/editxml?form.title=mw1&form.starttime=1599237529&form.endtime=1599241129&form.servicekey=39b975bf-7ab3-413d-ac90-e4063fb064d3

The dashboard code is as follows:

<form>
  <label>MW_Dashboard</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="title" searchWhenChanged="false">
      <label>Title</label>
    </input>
    <input type="text" token="starttime" searchWhenChanged="false">
      <label>StartTime</label>
    </input>
    <input type="text" token="endtime" searchWhenChanged="false">
      <label>EndTime</label>
    </input>
    <input type="text" token="servicekey" searchWhenChanged="false">
      <label>ServiceKey</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>PostMW</title>
      <table>
        <search>
          <query>| postservicemw $title$, $starttime$, $endtime$, $servicekey$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <!-- setting the tokens to have a dependency between panels.
               using this token in the search of the panel below will ensure this is done and the token is set -->
          <progress>
            <unset token="NOOP_1"></unset>
          </progress>
          <done>
            <set token="NOOP_1">noop</set>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>GetMW</title>
      <table>
        <search>
          <!-- The following dummy tokens are set to only run the search after all the inputs are set and the submit button is clicked -->
          <query>| eval dummytoken_title = $title$, dummytoken_starttime = $starttime$, dummytoken_endtime = $endtime$, dummytoken_panel1=$NOOP_1$ | getmws</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Any help on this issue will be awesome.

Thanks and Regards,
Divya
Hi All, I have created a dashboard with four panels and used a base query and sub-queries. But in the base query I have used a non-transforming command. Base query details:

index=test sourcetype=x_service component=x_component | eval result=case(result="Passed","CompletePassed",result="Failed","CompletedFailed",isnotnull(result),result,isnull(result),null) | eventstats latest(result) as result latest(status) as finalStatus earliest(_time) as Earliest latest(_time) as Latest by transId,component | eval Final_result=case(isnull(result) AND isnotnull(finalStatus),finalStatus,isnotnull(result),result,isnull(result) AND isnull(finalStatus),"MissingStatus") | fields _time, transId,component,result,Final_result,status,finalStatus,message,duration

In one of the panels I have used a sub-query to find the average duration to complete the transaction:

| timechart span=30m avg(duration)

Using the above base query and sub-query, I am able to get the output, but it seems it is not best practice to use non-transforming commands in dashboards, so I used the stats command instead of the eventstats command in the base search and got the output. Similarly, to calculate the average duration to complete the transaction, I created another base query for that panel and used stats/timechart, but I am unable to get the output:

index=test sourcetype=x_service component=x_component | stats earliest(_time) as Earliest latest(_time) as Latest by correlationId | eval duration= Earliest-Latest | timechart span=30m avg(duration)

This produces no output. But when I use the eventstats command I am getting the output:

index=test sourcetype=x_service component=x_component | eventstats earliest(_time) as Earliest latest(_time) as Latest by correlationId | eval duration= Earliest-Latest | timechart span=30m avg(duration)

The question is how to write the sub-query using the base query. Thanks in advance.
I have a scheduled report that runs monthly for the previous month. It runs on a cron schedule of 00 08 1 * *. I need to go back and validate the report, but when I run the raw search I get different results:

Search: index=x sourcetype="xxx" source="*xxx*" group=*-xxx* msg="*assigned to session" | stats max(_time) as last_login by user, group | table user group last_login | convert ctime(last_login) | rename user as User group as Group last_login as "Last Login"

Results count from the scheduled report on Tuesday, September 1, 2020 8:01 AM: 15754 results
Results from the ad-hoc search run this morning, 9/8/2020: 15748

I understand this is a small difference, but it doesn't make sense why I would have fewer results now versus 7 days ago. Thanks everyone in advance for the help.
Hi all, I created a playbook that runs a Splunk search query, and I can see in the playbook's debugger and in the event that it works fine. In the event's Splunk gadget there is data in the info section, but below, in results, it's empty. What could be missing or misconfigured? Cheers!
I have index1, index2, and index3. I want role_user to have access to all three within a specific app. Is there a way to do this? In $SPLUNK_HOME/etc/system/local my authorize.conf has:

srchIndexesDefault = index1;index2
srchIndexesAllowed = index1;index2

In $SPLUNK_HOME/etc/apps/myApp/local my authorize.conf has:

srchIndexesDefault = index1;index2;index3
srchIndexesAllowed = index1;index2;index3

Of course, this doesn't work. I understand /system/local wins this conflicting-parameter fight. Is there any way to grant the user role access to index3 within myApp? Or would I have to create a different role that inherits role_user and adds index3 access to achieve this? Thanks in advance.
Hi, we are upgrading from 1 standalone machine to 5 machines. I am looking to get a cluster up and running. Originally we were only going to use 4 and have 1 SH and 3 indexers; however, it looks like we have to have a "Master Node". So is the best way forward 1 MN, 1 SH, 3 indexers? Will the MN be used as an SH, or will the machine be sitting idle most of the time? So basically I will have 2 SH and 3 indexers? Regards, Robert
I would like to integrate an app or add-on into Splunk that enables employees in the company to bring anomalies into the SIEM system through an externalization tool. For example, received phishing emails or USB sticks lying around in the open. What is the best way to implement this? Which app or add-on can you recommend?
Hi there. A simple question. I know I can use "rex", as usual, to do the job, or other methods (field extraction, field definitions etc. in the web UI on the search head), or do it directly on the indexers with props/transforms. But I'm curious to know whether this can be done easily with a simple SPL command (like "extract" or "multikv", for example). The log has no header, so it looks like values only, with no key names and no header:

timestamp;field1value;field2value;field3value;fieldNvalue

Can an SPL command (not rex) extract those fields, also with temporary names (to rename afterwards), in a simple way? Thanks.
Hi everyone, could someone help me with an SHC issue? The problem is: I have an SHC with 6 members. Splunk is running as a systemd service. This morning I did a rolling restart of the SHC (via the GUI, searchable option off, force option off) and unfortunately the restart got stuck. Output of splunk rolling-restart shcluster-members -status 1:

 Peer  |  Status  |  Start Time  |  End Time  |  GUID
 1. pbsmsas01.vs.csin.cz | NOT STARTED | N/A | N/A | 0335FD54-853B-4FB4-A77F-3AE80805D272
 2. pbsmsas02.vs.csin.cz | RESTARTING | Tue Sep  8 07:25:07 2020 | N/A | 52AF82EF-7703-4A45-8DAB-80787B630FE4
 3. ppsmsas03.vs.csin.cz | NOT STARTED | N/A | N/A | 7869C19C-8575-42E6-B925-5C34AE036C3E
 4. pbsmsas03.vs.csin.cz | NOT STARTED | N/A | N/A | 8C9148A1-AEC8-499F-BD40-D2A4DB49741C
 5. ppsmsas02.vs.csin.cz | NOT STARTED | N/A | N/A | CAB5B9F2-99F4-4CE1-9E8F-8A108A7AE907

Server pbsmsas02 has been in the restarting state for nearly 6 hours now. In splunkd.log from pbsmsas02.vs.csin.cz I found this:

09-08-2020 07:25:12.962 +0200 WARN Restarter - Splunkd is configured to run as a systemd service, skipping external restart process
09-08-2020 07:25:12.962 +0200 INFO SHCSlave - event=SHPSlave::service detected restart is required, will restart node
09-08-2020 07:25:12.794 +0200 INFO SHCSlave - event=SHPSlave::handleHeartbeatDone master has instructed peer to restart

The output of splunk show shcluster-status looks good:

 Captain:
         decommission_search_jobs_wait_secs : 180
                            dynamic_captain : 1
                            elected_captain : Mon Sep  7 08:04:38 2020
                                         id : 3ED24A60-790A-42D2-903B-0C30C6EFDD28
                           initialized_flag : 1
                                      label : ppsmsas01.vs.csin.cz
              max_failures_to_keep_majority : 1
                                   mgmt_uri : https://ppsmsas01.vs.csin.cz:8089
                      min_peers_joined_flag : 1
                            rolling_restart : restart
                       rolling_restart_flag : 1
                       rolling_upgrade_flag : 0
                         service_ready_flag : 1
                             stable_captain : 1

 Cluster Master(s):
         https://splunk-master.csin.cz:8089
              splunk_version: 8.0.4.1

 Members:
         pbsmsas01.vs.csin.cz
                                      label : pbsmsas01.vs.csin.cz
                      last_conf_replication : Tue Sep  8 12:28:09 2020
                           manual_detention : off
                                   mgmt_uri : https://pbsmsas01.vs.csin.cz:8089
                             mgmt_uri_alias : https://10.177.155.49:8089
                           out_of_sync_node : 0
                          preferred_captain : 1
                           restart_required : 1
                             splunk_version : 8.0.4.1
                                     status : Up
         ppsmsas01.vs.csin.cz
                                      label : ppsmsas01.vs.csin.cz
                           manual_detention : off
                                   mgmt_uri : https://ppsmsas01.vs.csin.cz:8089
                             mgmt_uri_alias : https://10.177.155.48:8089
                           out_of_sync_node : 0
                          preferred_captain : 1
                           restart_required : 0
                             splunk_version : 8.0.4.1
                                     status : Up
         pbsmsas02.vs.csin.cz
                                      label : pbsmsas02.vs.csin.cz
                      last_conf_replication : Tue Sep  8 12:28:09 2020
                           manual_detention : off
                                   mgmt_uri : https://pbsmsas02.vs.csin.cz:8089
                             mgmt_uri_alias : https://10.177.155.51:8089
                           out_of_sync_node : 0
                          preferred_captain : 1
                           restart_required : 1
                             splunk_version : 8.0.4.1
                                     status : Restarting
         ppsmsas03.vs.csin.cz
                                      label : ppsmsas03.vs.csin.cz
                      last_conf_replication : Tue Sep  8 12:28:09 2020
                           manual_detention : off
                                   mgmt_uri : https://ppsmsas03.vs.csin.cz:8089
                             mgmt_uri_alias : https://10.177.155.52:8089
                           out_of_sync_node : 0
                          preferred_captain : 1
                           restart_required : 1
                             splunk_version : 8.0.4.1
                                     status : Up
         pbsmsas03.vs.csin.cz
                                      label : pbsmsas03.vs.csin.cz
                      last_conf_replication : Tue Sep  8 12:28:08 2020
                           manual_detention : off
                                   mgmt_uri : https://pbsmsas03.vs.csin.cz:8089
                             mgmt_uri_alias : https://10.177.155.53:8089
                           out_of_sync_node : 0
                          preferred_captain : 1
                           restart_required : 1
                             splunk_version : 8.0.4.1
                                     status : Up
         ppsmsas02.vs.csin.cz
                                      label : ppsmsas02.vs.csin.cz
                      last_conf_replication : Tue Sep  8 12:28:08 2020
                           manual_detention : off
                                   mgmt_uri : https://ppsmsas02.vs.csin.cz:8089
                             mgmt_uri_alias : https://10.177.155.50:8089
                           out_of_sync_node : 0
                          preferred_captain : 1
                           restart_required : 1
                             splunk_version : 8.0.4.1
                                     status : Up

What is strange is that I have done this rolling restart many times before and never had a problem. Could someone please advise what to do now? Is it safe to manually restart the problematic server? Or is there another solution? Thank you very much.
We have created an HTTP event with the request below:

http://localhost:8088/services/collector

Body:

{
    "sourcetype":"trial",
    "event":"ITSM1",
    "fields":
    {
        "discription":"ITSM1 inserting data",
        "urgency":"High"
    }
}

This data is visible in Splunk Enterprise. Now we are trying to search for this event using the criteria Urgency = High, but it didn't return any event. We tried using a curl command with the same result. Can you suggest what could be the issue?

C:\Users\terminal>curl -k -u username:Password https://localhost:8089/services/search/jobs -d output_mode="json" -d search="search index=main urgency=high"
{"sid":"1599554403.2242"}

C:\Users\terminal>curl -k -u username:Password https://localhost:8089/services/search/jobs/1599554403.2242/events --get -d output_mode="json"

output:
   "preview":false,
   "init_offset":0,
   "messages":[ ],
I'm trying to disable all queries from Splunk towards the internet. We have Splunk on Linux, on a closed network, and traffic towards the internet only creates noise. I've already set updateCheckerBaseURL=0 in web.conf and remote_tab=false in app.conf, but there still seems to be some traffic from Splunk trying to reach the internet. Are there any other settings I can disable, or is there any smart way to troubleshoot exactly which Splunk services are trying to reach the internet, why, and how to turn them off?
Hi Team, from Windows Event Viewer logs we can onboard all Event IDs generated for the "Application" and "System" event logs, but we are unable to onboard filtered events based on Event Code or Type (Error/Warning). Below is the inputs.conf written by me to filter out the events, which is not working. I also followed the Splunk docs linked below.

[WinEventLog ://Application]
disabled = 0
whitelist = Type="^[Error|Critical]"
index = test

OR

[WinEventLog://Application]
disabled = 0
whitelist = EventCode="1001|11707"
index = test

[WinEventLog://System]
disabled = 0
whitelist 1 = Event Code=7011
whitelist 2 = Type="^[Error|Critical]"
index = test

https://community.splunk.com/t5/Getting-Data-In/Monitor-Windows-Event-Log-for-Critical-Error/td-p/502991
https://docs.splunk.com/Documentation/SplunkCloud/8.0.2006/Data/MonitorWindowseventlogdata

Please check with your seniors on how we can whitelist only Error events in the Application or System event logs. Please find the attachment.
How do I search for a single specific event? Is there an event ID provided by the REST API when creating an event via the HTTP Event Collector?
For my requirement, I need to put multiple Splunk search results into different tabs in a single Excel file. Please suggest the best way to get this in Splunk.
Hi, what is the spath command, and when should it be used? Please explain the command below.

| spath input=json

Is there any alternative command to spath? When we use the spath command, will it consume more time?