We are using free Splunk for Logbinder plus supercharger for our AD changes auditing. We want to license it, how do we contact the sales teams? I already sent one in their portal but received no answer. Can you help me with this please? 
Hi, I have created an alert for an event in real-time. For example, send me an alert if a user is not able to log in 3 times. On the above event, I have created an alert action. Here I want to trigger a custom script. The purpose of this Python script will be to capture the error message and send it to a different application using Key Based authentication. However, I am not able to fetch the error message. Using sys.argv gives me the parameters but the error message is encoded. Can anyone assist me here, how can I extract the error message from the event triggering the alert?
Hello All... 1st time visitor. Strong community here! Forecast Temperature, Wind Chill, Sunny/Hazy/Cloudy Factors, Humidity data is available by API... no problem. Instrumentation data is also available by API... no problem again. So is Splunk a good tool for looking at two very different data silos to measure, compare, model and predict? I know that's kind of vague... so a good vague answer would still be greatly appreciated! 
I configured an interval of 60s for my custom data input via the GUI. The script is getting executed every 60s as expected, but if the script execution itself takes more than 60 seconds, the modular input stops and never gets executed again. Has anyone experienced this? Another question: is there any way to specify a value for the interval so that it automatically gets executed right after the current execution is completed?
As shown below, I want to extract the day from the file name and aggregate it with commands such as timechart.

source="C:\\weekly2020-08-*.csv" | eval week=replace(substr(source,9,10),"-","/") | table week,_raw

Search results:
week,_raw
2020/08/14, xxxxx
2020/08/14, xxxxx
2020/08/21, xxxxx
2020/08/28, xxxxx

Without preprocessing the source data, I would like to use the week field created in the search in place of _time...
Hello, does anyone have any success stories using the Genesys logs in Splunk?
Dear Community, I have a csv file with no timestamp with the data, I only have a timestamp on the beginning of the file (line 3). So, how do I capture the date on line 3 of a csv file, while the header fields begin on line 5 and the following data begins on line 6? See the data as follows:

CHILLER_01
slot:/Drivers/NiagaraNetwork/TA_WEB2_CAG/points/ARQUITETURA/POC$2dCHILLERS/CHILLER_01
02-Jun-20 2:55 PM BRT

?NOME DO PONTO,VALOR
"ALARME,""0.00"""
"CAP_TOTAL,""0.00"""
"CAP_TOTAL_A,""0.00"""
"CAP_TOTAL_B,""0.00"""
Hello all, I am struggling to get perfmon data in for our hyper-v CSV's. I have tried various inputs from the default input folder of the splunk hyper-v app to no avail. Specifically what I am looking for from the CSV's is:

\Cluster CSV File System\Read Latency
\Cluster CSV File System\Write Latency

Any help is appreciated.
I'm dealing with a lot of duplicate event logs at the exact same millisecond. From what I can tell, every time this happens, the events in my search results have all of the same data. There are some events that follow with slightly different fields, including an ascending "Record Number" count. Should the record number be different for every log? I'm looking for a better way to identify duplicate data and stop logging it. In the past 16 hours, I've logged 550 events with different record numbers but 390,000 different events, some record numbers repeating up to 600 times. If you have a solution for this I'd appreciate it, but I'm also just looking for a unique ID to confirm this is an issue.
I am trying to extract specific words that start with gi. from all events and display them in a table. Below is my string, but it returned nothing. Please advise.

String: mysearch | rex field=_raw "Start(?<"gi">.*)End"

Event: /p.rabbitmq/rabbitmq/queues/81061abe-4007-46c4-b9f2-4855cda5ace2/gi.nam.quotesvc.submission.cleared.evt.flq/consumers
I am getting an error when attaching the appdynamics java agent with Jenkins. I am using the SaaS controller and installed the java agent in AWS-ec2 where Jenkins is running. The app agent is showing in the SaaS controller but no data is showing, as we are unable to attach the java agent. Kindly help to resolve the below error.

[root@ip-192-168-0-209 jenkins]# java -Xbootclasspath/a:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.261-2.6.22.2.amzn2.0.1.x86_64/lib/tools.jar -jar /opt/appdynamics/appagent/ver20.8.0.30686/javaagent.jar 3367 appdynamics.controller.hostName=[Redacted].saas.appdynamics.com ,appdynamics.controller.port=443,appdynamics.controller.ssl.enabled=true,appdynamics.agent.applicationName=jenkins,appdynamics.agent.tierName=dynalean,appdynamics.agent.nodeName=jenkins
Attaching to VM [3367]
java.util.ServiceConfigurationError: com.sun.tools.attach.spi.AttachProvider: Provider sun.tools.attach.LinuxAttachProvider not found
        at java.base/java.util.ServiceLoader.fail(ServiceLoader.java:588)
        at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.nextProviderClass(ServiceLoader.java:1211)
        at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNextService(ServiceLoader.java:1220)
        at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNext(ServiceLoader.java:1264)
        at java.base/java.util.ServiceLoader$2.hasNext(ServiceLoader.java:1299)
        at java.base/java.util.ServiceLoader$3.hasNext(ServiceLoader.java:1384)
        at jdk.attach/com.sun.tools.attach.spi.AttachProvider.providers(AttachProvider.java:258)
        at jdk.attach/com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:200)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at com.singularity.ee.agent.appagent.AgentEntryPoint.main(AgentEntryPoint.java:1127)
agent path >>>/opt/appdynamics/appagent/ver20.8.0.30686/javaagent.jar
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.singularity.ee.agent.appagent.AgentEntryPoint (file:/opt/appdynamics/appagent/ver20.8.0.30686/javaagent.jar) to method sun.tools.attach.HotSpotVirtualMachine.loadAgent(java.lang.String,java.lang.String)
WARNING: Please consider reporting this to the maintainers of com.singularity.ee.agent.appagent.AgentEntryPoint
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at com.singularity.ee.agent.appagent.AgentEntryPoint.main(AgentEntryPoint.java:1137)
Caused by: com.sun.tools.attach.AgentInitializationException: Agent JAR loaded but agent failed to initialize
        at jdk.attach/sun.tools.attach.HotSpotVirtualMachine.loadAgent(HotSpotVirtualMachine.java:165)
        ... 5 more
Exception in thread "main" java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
        at com.singularity.ee.agent.appagent.AgentEntryPoint.main(AgentEntryPoint.java:1141)
Caused by: java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at com.singularity.ee.agent.appagent.AgentEntryPoint.main(AgentEntryPoint.java:1137)
Caused by: com.sun.tools.attach.AgentInitializationException: Agent JAR loaded but agent failed to initialize
        at jdk.attach/sun.tools.attach.HotSpotVirtualMachine.loadAgent(HotSpotVirtualMachine.java:165)
        ... 5 more

=========================================================================
Agent properties in SaaS controller (Agent > Configure > Reset Properties):
Version: Server Agent #20.8.0.30686 v20.8.0 GA compatible with 4.4.1.0 rcaedb006dc46dddce17bc7540c4bed10fa52536e master
JVM Version: OpenJDK 64-Bit Server VM 11.0.7 Oracle Corporation
Last Agent Restart: 09/03/20 2:09:43 PM
Reporting Uptime: 0 %
Install Directory: /opt/appdynamics/appagent/ver20.8.0.30686
Install Date/Time: 08/30/20 3:04:28 AM
Process ID: 9792
IP Addresses: [Redacted] [Redacted]

^ Post edited by @Ryan.Paredez to redact the SaaS Controller URL and IP addresses. Please do not share your Controller URL or IP addresses on community posts for security and privacy reasons.
I am trying to minimize or simplify the below search, which has many match filters for further control. Any suggestions or recommendations to handle this with lookups rather than hard coding in the search itself?

index=myindex "PROBLEM"
| rex field=_raw "(?<alert_service>^.+?)"
| eval alert_suppress = case(
    match(alert_service, "^Swarm_.*"), "1",
    match(alert_service, "^HTTPS\s+Certificate\s+Status$") AND match(alert_info, "expire|expired|expires"), "1",
    match(alert_service, "^(Disk|Disk_inode|Memory|Load)$"), "1",
    match(alert_service, "^Qualys\s+Service\s+Test$") AND match(alert_host, "^(papi|pbo|pfo|pip|ppb|pps|prep|ptp)"), "1",
    match(alert_service, "ceph-mon") AND match(alert_host, "^masifdat[0-9][0-9]"), "1",
    match(alert_service, "puppet") AND match(alert_host, "(((dbmgmt|dbrac|qkafka|qzkpr|qkafkamgmt|(dbrac-scan)|fproxy|pproxy)\d+)|(dbrac-scan))\."), "1",
    match(alert_service, "crond") AND match(alert_host, "(fproxy|pproxy)[0-9]{2}\."), "1",
    match(alert_host, "^(acwin|netmon|vma)"), "1",
    match(alert_info, "Service check timed out after"), "1",
    1 = 1, "0")
We have a deployment server in a separate domain. I wanted to know if the deployment server needs to be able to connect to the license server. Do I need to open port 8089 from the deployment server to the license server, or vice versa?
How to display the below query results in a better way on a dashboard?

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| eval status=if(total=0,"Down","Up")
| table host status
I have a dashboard built that views today's events for processes running on systems. To focus on a single event, I have several text box inputs across the top that serve as a "Quick Search" capability. The tokens from these text box inputs are included in various charts and tables to change the values when the text is typed into the boxes. An example of the text box inputs are process name, destip, dest port, and md5. I am having an issue getting the splunk boolean expression right to search for one or more values from the text inputs.

A sample of my text box inputs (label, then default value) are as follows:

Search Filename    Search MD5    Search Dest IP    Search Dest Port
*                  MD5           DestIP            DestPort

Currently, my default values are shown in the screenshot. I use * for the Filename, which shows all data, but I want this and all other text box inputs to be optional. All other default values are basically place holders. The goal is to be able to view all data, then type in one or more values in any of the text box inputs to view the alerts with the typed value. This is a snippet of a command that is used.

..... | (process IN ($sfilename$) OR md5 IN ($smd5$) OR destinationip IN ($sdestip$) OR destinationport IN ($sdestport$) ) AND $alertstoview$ | table process, md5, destinationip, destinationport

For example, if I have the following as my list of alerts:

Filename    MD5                               DestIP         DestPort
abc.exe     eec9859394abcdef1234567fedca      12.22.22.22    8080
xyz.exe     ade98dbc77abcdef1234567fb32a      22.22.22.23    80
fff.exe     fbc9859394abcdef123456bce32a      32.22.22.24    443
bbb.exe     ebc9859394abcdef1234567fedca      42.22.22.25    80
ddd.exe     ad59859394abcdec77abcdebbbbb      52.22.22.26    22

And I only want to see destport 22 AND filename fff.exe, I should get:

Filename    MD5                               DestIP         DestPort
fff.exe     fbc9859394abcdef123456bce32a      32.22.22.24    443
ddd.exe     ad59859394abcdec77abcdebbbbb      52.22.22.26    22
I have a lookup table. Let's say the lookup table contains a column called "a". The "a" column contains a list of indices. How can I perform a stats count of logs found in each index from the "a" column?

| inputlookup lookuptable.csv | table a
We use Splunk free with the splunk addon for opc. We can already see the OPC UA data of our server, but this does not write any data to the index. I created a HEC and a Metric index.

2020-09-03 20:38:17,848 ERROR 10328 - [Worker-1] Write events through HEC failed: Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_opc\bin\solnlib\modular_input\event_writer.py", line 353, in write_events
    headers=self.headers)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_opc\bin\solnlib\packages\splunklib\binding.py", line 287, in wrapper
    return request_fun(self, *args, **kwargs)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_opc\bin\solnlib\packages\splunklib\binding.py", line 69, in new_f
    val = f(*args, **kwargs)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_opc\bin\solnlib\packages\splunklib\binding.py", line 738, in post
    response = self.http.post(path, all_headers, **query)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_opc\bin\solnlib\packages\splunklib\binding.py", line 1201, in post
    return self.request(url, message)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_opc\bin\solnlib\packages\splunklib\binding.py", line 1221, in request
    raise HTTPError(response)
HTTPError: HTTP 400 Bad Request -- {"text":"Incorrect index","code":7,"invalid-event-number":1}

host = SPLUNK-Server
source = C:\Program Files\Splunk\var\log\splunk\splunk_ta_opc_celery.log
sourcetype = splunk_ta_opc_celery-2
Hi guys, I'm receiving this error when I want to execute a search on my SH: However, despite what that capture indicates, my license isn't expired nor exceeded, that's why this problem looks so weird. Also, when I curl to the url (connecting from the license master to the IDX) I saw this error: This indicates to my understanding that there's a problem with the certificates installed on Splunk. Could you please help me to figure out a solution? Thanks in advance.
Greetings, does splunk have a way to set or change the location where its apps live? Example: serverclass.conf lets you point splunk towards deployment apps for its deployment server component like so:

[global]
repositoryLocation=/opt/splunk/etc/apps/my_app/app_library

Can this happen for $SPLUNK_HOME/etc/apps? Thanks in advance.
Hello, I have a script to index the enddate from certificates:

#!/bin/sh
echo debug enddate
date=`date "+%d/%m/%Y %H:%M:%S"`
for file in `/usr/bin/ls /opt/splunk/etc/auth/mycerts/*.pem`
do
  echo debug befor $file
  /opt/splunk/bin/openssl x509 -in $file -enddate -noout
  echo debug after $file
done

This script is started from this stanza in inputs.conf:

[script://./bin/certificats]
interval = * * * * *
index=my_index
sourcetype = splunk:certificats
start_by_shell = false

The script is working well when I start it from the shell with the splunk account (which is also running Splunk), and the enddate is printed for both .pem files that are in the mycerts directory. But when it is started from Splunk, only the lines "debug enddate" and "debug befor $file" are indexed ("debug befor" only for the first file). I also tried with the command "/opt/splunk/bin/splunk cmd openssl x509 -in $file -enddate -noout". This doesn't change anything. Do you have an idea why the openssl command gives no result and exits the script when started from Splunk? Thanks