Hi, I am stuck at a query problem. What I need to do is join two events and get the hourly stats and the peak-hour successful login attempts. The sample events are:

2020-09-07 23:59:59,641 trackingid="id:638rdchdfe7vhs" event=AUTHN_ATTEMPT subject="" ip=8.2.8.44 app= clientId=WEB protocol="" role=IdP status=inprogress attributes="" description="" responsetime=39 messagetype="Request"
2020-09-07 23:59:59,641 trackingid="id:ljsdhff76duhj" event=AUTHN_ATTEMPT subject="" ip=8.2.8.24 app= clientId=MOBAPP protocol="" role=IdP status=inprogress attributes="" description="" responsetime=39 messagetype="Request"
2020-09-07 23:59:59,641 trackingid="id:8675hbcdksjdfub" event=AUTHN_ATTEMPT subject="" ip=8.6.8.24 app= clientId=SKYAPP protocol="" role=IdP status=inprogress attributes="" description="" responsetime=39 messagetype="Request"

As you can see, the status right now is "inprogress", with different clientIds (WEB, MOBAPP, SKYAPP). Once the customer logs in successfully, the event below is logged:

2020-09-07 23:59:46,772 tid:638rdchdfe7vhs INFO [org.class.MediaCredentialValidator] in processPasswordCredential VERIFIED user=test@gmail.com found and success

I want to calculate the hourly volume of successful logins from clientId=WEB. The common field in the events is the id, which I am extracting; what I want is a table with _time and count columns on an hourly basis. Query:

index=test (sourcetype=splunk_log event=AUTHN_ATTEMPT clientId=web status=inprogress) OR (source="server.log" "In processPasswordCredential" "found and success") | rex field=_raw "sessionid\=\"id\:(?<id>[^\"]+)" | stats count by tid

Let me know if someone can advise on this. @richgalloway @gcusello
Hello, I have a table of IPs, and my requirement is to fetch raw data for all the IPs from each and every sourcetype that has the IP. My query is like the one below:

1. sourcetype="IPs" | dedup ip | table ip

So I want to use the following logic: for each and every IP in the table, run the query below:

2. sourcetype!="IPs" | table sourcetype,_raw

Help me to run the second query for each and every IP from the first query and merge the tables.
Hi, can anyone help me with how to get the average of all the columns at the bottom? The output should look like this:

ctime | totalaccesses: https://www.google.com | minrespond: https://www.google.com | averrespond: https://www.google.com | totalaccesses: https://www.listofurls.com
7/31/2020 0:00 | 1500 | 665 | 56.22727273 | 18177
7/31/2020 1:00 | 500 | 779 | 47.76659039 | 692
7/31/2020 2:00 | 400 | 774 | 44.44514768 | 912
7/31/2020 3:00 | 9 | 648 | 50.61764706 | 722
7/31/2020 4:00 | 700 | 715 | 47.76427256 | 721
7/31/2020 5:00 | 560 | 1469 | 50.43421053 | 821
7/31/2020 6:00 | 620 | 1179 | 48.08455882 | 741
7/31/2020 7:00 | 740 | 688 | 61.37606838 | 790
7/31/2020 8:00 | 235 | 1322 | 45.85294118 | 1388
7/31/2020 9:00 | 789 | 559 | 47.125 | 327
Average | should show average of above | should show average of above | should show average of above | should show average of above

I am using the query below, but it is not giving the correct output (I doubt I am using the correct query):

index=servers host="Datacenter01" websites IN ("https://www.google.com","https://www.listofurls.com","https://www.fishbucks.com") | bucket _time span=1h | convert timeformat=" %m/%d/%y %H:%M:%S" ctime(_time) AS ctime | stats count as totalaccesses min(responsd_time) as minrespond max(responsd_time) as maxrespond avg(responsd_time) as averrespond by ctime over websites | foreach *minrespond *maxrespond *averrespond [eval sum_<<FIELD>> = 0, count_<<FIELD>> = 0] | foreach *minrespond [eval sum_A_Field = sum_A_Field + '<<FIELD>>', count_A_Field = count_A_Field + 1] | foreach *minrespond *maxrespond *averrespond [eval avg_<<FIELD>> = sum_<<FIELD>> / count_<<FIELD>>]
We are planning to upgrade the Splunk OS from RHEL 6 to OL 7. It's a single-site cluster environment. I have a few doubts. What would be the upgrade sequence? Do we need to consider upgrading all VMs in one maintenance window? Is it OK if we upgrade the indexers first, leave it for a week to see the performance, and then upgrade the search heads? Is it OK to run with two different OSes in the Splunk cluster? Any help would be appreciated. Regards, Shivanand
Hello there! I am struggling to reduce the top margin on a panel with a text input and a link input using CSS. I want to reduce the top margin and still have both elements aligned horizontally. What I wish:

If I use 'display: flex', the top margin applies but the button moves under the textbox:

display : flex;
margin-top: 0vw !important;

Without 'display: flex' the elements remain aligned but the top margin just does not apply:

margin-top: 0vw !important;

I have tried several display / flex options without luck so far. My test dashboard:

<form>
  <label>Panel Height</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input id="textbox_1" type="text" token="text_1_tok">
        <label></label>
        <default>Test1</default>
      </input>
      <input id="link_button_1" type="link" token="link_1_tok">
        <label></label>
        <choice value="true">A</choice>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <style>
          #link_button_1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"],
          #link_button_2 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
            width: 23% !important;
          }
          #link_button_1 button, #link_button_2 button{
            margin-right: 10px;
          }
          #textbox_1, #textbox_2{
            margin-left: 8vw;
          }
          #link_button_1, #link_button_2, #textbox_1, #textbox_2{
            margin-top: 0vw !important;
          }
        </style>
      </html>
    </panel>
  </row>
</form>

Does anyone have a clue?
I've created a correlation search, and now I want to add the send-email response action with a link to this rule as shown on the Incident Review page, so that it will be easy for my team to access the incident from the email and take further action. Please recommend an approach. I don't want the link to the alert result; I want the link to the Incident Review page that shows only the incidents from this rule.
Hello here! Would there be a simple way to center a mix of text and link inputs? I have tried margin-left so far and it is not so bad, but there might be a proper way to do this.

<dashboard>
  <label>Center Inputs Mix</label>
  <row>
    <panel>
      <input id="textbox_1" type="text" token="text_1_tok">
        <label></label>
        <default>Test1</default>
      </input>
      <input id="link_button_1" type="link" token="link_1_tok">
        <label></label>
        <choice value="true">A</choice>
      </input>
    </panel>
    <panel>
      <input id="textbox_2" type="text" token="text_2_tok">
        <label></label>
        <default>Test2</default>
      </input>
      <input id="link_button_2" type="link" token="link_2_tok">
        <label></label>
        <choice value="true">A</choice>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <style>
          #link_button_1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"],
          #link_button_2 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
            width: 23% !important;
          }
          #link_button_1 button, #link_button_2 button{
            margin-right: 10px;
          }
          #textbox_1, #textbox_2{
            margin-left: 8vw;
          }
        </style>
      </html>
    </panel>
  </row>
</dashboard>

Thanks in advance for any suggestion!
Is it possible to search only the indexes assigned to a specific app? So far, the only recommendation I've been able to find is to restrict user roles, but that doesn't work for our usage.
Hello there! I am working on an app that I am willing to publish on Splunkbase. I do like the one-click dark mode feature, so I try to adapt CSS colors based on the currently applied theme, so that users will be able to pick the dark theme without having light colors left on the dashboard. It is working fine so far, using a background REST search that checks for the dashboard's theme and tokens. However, I do use emojis in my dashboards, and I have discovered that they make the dark mode switch fail. It might be a core issue, so I guess I will have to live with it, but I am posting here just in case anyone has figured this out; maybe there is a way to escape / protect emojis or the like.

<dashboard theme="dark">
  <label>Emoji Dark Mode</label>
  <row>
    <panel>
      <html>
      </html>
    </panel>
  </row>
</dashboard>

PS: The code renderer also seems to dislike emojis, but there is one emoji within the html:

<html>
</html>
Hello All, we are facing a problem with the Deployment Server, and maybe one of you has met with such DS behavior in the past. All HF instances are on Splunk Enterprise 7.3.3, and they are connected to a Deployment Server with the same Splunk version. We have apps with content created in the local directory (totally custom apps as well as modified apps from Splunkbase) placed in the deployment-apps directory. When we install the app on clients in a server class, the app is downloaded by the clients correctly: content from default is placed in the default directory, and configuration from local is placed in the local directory on the client. The issue shows up when we modify those apps on the DS and reload deploy-server. Then the modified configuration from the local dir is placed in default on the clients. The problem is that the old content is still in local on the client, and the new configuration is ignored because local has higher priority. I tried to search splunkd.log on both the client and the DS, but unfortunately there is nothing interesting related to the DS. Thanks, Bart
Hello there, is there a way to adjust the input link element width using CSS? I mean, I was able to reduce the link button width using "div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]", but I would like to also adjust the size of the element itself. The goal is to ease centering depending on browser resolution. My test dashboard:

<dashboard>
  <label>Input Link Width</label>
  <row>
    <panel>
      <input type="text" token="text_1_tok">
        <label></label>
        <default>Test1</default>
      </input>
      <input id="link_button_1" type="link" token="link_1_tok">
        <label></label>
        <choice value="true">OK</choice>
      </input>
    </panel>
    <panel>
      <input type="text" token="text_2_tok">
        <label></label>
        <default>Test2</default>
      </input>
      <input id="link_button_2" type="link" token="link_2_tok">
        <label></label>
        <choice value="true">OK</choice>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <style>
          #link_button_1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"],
          #link_button_2 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
            width: 23% !important;
          }
        </style>
      </html>
    </panel>
  </row>
</dashboard>
Hi, we have 2 HFs and 2 indexers in our environment, which are standalone instances running on a 7.x version. I want to upgrade from 7.x to 8.x, but in the Splunk documentation they mention Python 3.7 and so on. Can someone please help me with the upgrade procedure and prerequisites? Do I need to install Python 3.7 on the Linux platform?
Hi Splunkers, we have a single-site cluster environment with 4 indexers, 1 deployer, 1 master and 3 search heads, and a load balancer in front of the search heads. Now we are migrating our Splunk OS from RHEL 6.x to Oracle Linux 7.x. I just need guidance on the procedure and on what precautionary measures we need to take. We are migrating because Red Hat is ending support for RHEL 6.
"Field1" can have one value, either 'yes' or 'no'. I want to calculate the count for 'yes' as count1 and the count for 'no' as count2, then calculate the ratio of count1 to count2. Any pointers, please?
Hi All, I have two indexes.

Index A | table email_users
Index B | table email, Group

The email_users and email fields contain email addresses. I need to match these fields across both indexes and get the value of the field Group for the results. I tried the query below, but it's not working.

index=A or index=B | rename email_users as email | stats values(Group) by email
I have VMware ESXi server logs, but how will I create a dashboard for:

1. The total number of virtual machines on the host
2. The total number of virtual machines powered on and off

Please help on this.
We are planning to upgrade our multi-site cluster from Splunk Core ES 7.3.4 to 8.0.5 in a phase-wise manner. The Splunk documentation indicates "Indexers that run versions of Splunk Enterprise lower than 8.0 cannot handle bucket replications from versions that run 8.0 and higher", and hence to put the cluster in maintenance mode while the indexer cluster upgrade is in progress. Now, since it's a multi-site cluster, can I upgrade my indexer cluster in site-1 today and site-2 tomorrow? And in that case, do I need to extend the maintenance mode on the cluster for two days? Or else, can I have my indexer cluster with multiple versions of indexers until the upgrade finishes?
Hi Splunk Gurus, we have a Splunk ITSI search head with version 4.4.3 build 14 running on Splunk version 7.2.10. I have created correlation searches, some of which run every minute. Even though the Splunk correlation searches run as required, we have noticed that no events are created in the index itsi_tracked_alerts even though the alert conditions are met. In the ITSI Health Check dashboard, I see this error in the internal log:

"2020-09-07 04:52:04,796 ERROR [itsi.notable_event_actions_queue_consumer] [__init__] [exception] [121502] Encountered exception when consuming. "'No key or prefix: token.'".
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SA-ITOA/bin/itsi_notable_event_actions_queue_consumer.py", line 109, in do_run
    action_dispatch_config=action_dispatch_config
  File "/opt/splunk/etc/apps/SA-ITOA/lib/itsi/event_management/itsi_notable_event_queue_consumer.py", line 130, in __init__
    self.auditor = Audit(self.session_key, audit_token_name=audit_token_name)
  File "/opt/splunk/etc/apps/SA-ITOA/lib/ITOA/event_management/notable_event_utils.py", line 553, in __init__
    self.audit = PushEventManager(self.session_key, audit_token_name)
  File "/opt/splunk/etc/apps/SA-ITOA/lib/ITOA/event_management/push_event_manager.py", line 111, in __init__
    hec_token=hec_token)
  File "/opt/splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/solnlib/modular_input/event_writer.py", line 209, in __init__
    hec_input_name, session_key, scheme, host, port, **context)
  File "/opt/splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/solnlib/utils.py", line 159, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/solnlib/modular_input/event_writer.py", line 329, in _get_hec_config
    return settings['port'], hec_input['token']
  File "/opt/splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/solnlib/packages/splunklib/data.py", line 253, in __getitem__
    raise KeyError("No key or prefix: %s" % key)
KeyError: 'No key or prefix: token.'"

And:

"2020-09-07 04:52:02,514 ERROR [itsi.custom_alert.itsi_generator] [__init__] [exception] [121099] Failed to validate arguments. Please make sure arguments are correct
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SA-ITOA/bin/itsi_event_generator.py", line 57, in <module>
    modular_alert = ItsiSendAlert(sys.stdin.read())
  File "/opt/splunk/etc/apps/SA-ITOA/bin/itsi_event_generator.py", line 33, in __init__
    super(ItsiSendAlert, self).__init__(settings, is_validate)
  File "/opt/splunk/etc/apps/SA-ITOA/lib/ITOA/event_management/base_event_generation.py", line 178, in __init__
    raise ValueError(_('Failed to validate arguments. Please make sure arguments are correct'))
ValueError: Failed to validate arguments. Please make sure arguments are correct"

I hope someone has faced this error and can help me solve it. I have spent about 3 days looking at the possible errors and going through internet resources to help me troubleshoot this.
Hi, I want to clear all the filters I have selected with a button, i.e. if I click a button ('clear filters'), all the filters should be cleared or reset. Can someone help me with this?
Hi, I have string fields like '28 Aug-1233456', '05 Jan-5678999', '02 Feb-6789011'. I want to sort the field on the basis of day and month. Please let me know how I can sort these fields. Expected output: '05 Jan-5678999', '02 Feb-6789011', '28 Aug-1233456'