Hi, I was hoping someone might be able to help me with what I'm trying to achieve. I've tried to work this out, but with limited knowledge of queries I'm struggling. I have a very basic query (below) which outputs the following data from my index...

index=centredata (domain="*.create.com*" OR domain="*.puzzle.com*") sc_status=200 | table centreid, domain, groupid, userid

centreid  domain      groupid  userid
0123      create.com  Student  tiyud0
0123      create.com  Staff    dbega0
0456      create.com  Staff    oghjr6
0123      puzzle.com  Student  qsadh2
0456      puzzle.com  Staff    srthg5
0123      create.com  Student  klghg2
0456      create.com  Staff    wrdv6
0456      create.com  Student  xcgar4
0123      create.com  Student  tiyud0
0456      create.com  Staff    oghjr6
0123      puzzle.com  Student  klghg2
0456      puzzle.com  Staff    ykszd9
0123      create.com  Staff    dbega0
0456      puzzle.com  Staff    oghjr6
0123      puzzle.com  Student  tiyud0
0123      create.com  Staff    sdgxc0

The output I'm wanting is the count of distinct userids for both groupid types (staff and student) by domain and centreid. An example of how I need it to look is as follows...

centreid  domain      staff  student
0123      create.com  2      2
0456      create.com  2      1
0123      puzzle.com  0      3
0456      puzzle.com  3      0

Many thanks in advance
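One way to get that pivot in a single stats call, added here as an example and not part of the original post. It assumes the field names from the question and that groupid holds exactly the values "Staff" and "Student" (the comparison is case-sensitive):

```spl
index=centredata (domain="*.create.com*" OR domain="*.puzzle.com*") sc_status=200
| stats dc(eval(if(groupid="Staff", userid, null()))) as staff
        dc(eval(if(groupid="Student", userid, null()))) as student
        by centreid domain
| sort 0 centreid domain
```

dc() skips null values, so a centreid/domain pair with no users of one type gets 0 in that column instead of a missing row. On the sample rows above this gives 0123/create.com 2 and 2, 0456/create.com 2 and 1, 0123/puzzle.com 0 and 3, 0456/puzzle.com 3 and 0. If groupid can vary in case, wrap it as lower(groupid)="staff" inside the if().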
Greetings, I'm currently testing Splunk in Kubernetes. I'm using git-sync to populate my deployment-apps/ directory. It has a webhook feature to pull down new items as they change. It would be nice if splunk-ansible provided an automated restart playbook. At this point, I'll even take a restart on a cron schedule. I don't suppose there's a more complete playbook library than the one I see here: https://splunk.github.io/splunk-ansible/ Thanks
Hi Team, I am looking to send an email alert once the notable event is closed. I can send an email when the notable event is created, but I cannot seem to find a way to send an email when the notable event is closed.
Hi all, is it possible to create a dashboard to show the Response Time from a Business Transaction split by Node?
Looking to install some new indexers; wondering if turning on Data De-Duplication at the OS level can save me some space later on with the storage.
Hi Everyone, I have a requirement like this: I have one multi-select drop-down which consists of 20+ values. Below is the code for the multi-select drop-down:

<input type="multiselect" token="name" searchWhenChanged="true">
  <label>Name</label>
  <choice value="*">All Name</choice>
  <search>
    <query>| inputlookup abc.csv | table FolderName</query>
    <earliest>$field4.earliest$</earliest>
    <latest>$field4.latest$</latest>
  </search>
  <fieldForLabel>FolderName</fieldForLabel>
  <fieldForValue>FolderName</fieldForValue>
  <prefix>(</prefix>
  <valuePrefix>FolderName ="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR </delimiter>
  <suffix>)</suffix>
  <initialValue>*</initialValue>
  <default>*</default>
</input>

I have one dashboard which consists of 20 panels in the form of rows. I want, when I select a value from the multi-select drop-down, say "Force", the "Force" panel to show and the rest of the panels to hide. If I select "Merchant" from the multi-select drop-down, then the "Merchant" panel should show and the rest of the panels should hide. I have already passed the multi-select drop-down token "name" to each panel. How can I achieve hide/show of panels?
Below is my xml:

<form theme="dark">
  <label>Report</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="multiselect" token="name" searchWhenChanged="true">
      <label>Name</label>
      <choice value="*">All Name</choice>
      <search>
        <query>| inputlookup abc.csv | table FolderName</query>
        <earliest>$field4.earliest$</earliest>
        <latest>$field4.latest$</latest>
      </search>
      <fieldForLabel>FolderName</fieldForLabel>
      <fieldForValue>FolderName</fieldForValue>
      <prefix>(</prefix>
      <valuePrefix>FolderName ="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <suffix>)</suffix>
      <initialValue>*</initialValue>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Report for Force</title>
      <chart>
        <search>
          <query>index=abc sourcetype="xyz" FolderName=force $name$</query>
          <earliest>$field4.earliest$</earliest>
          <latest>$field4.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.text">Date</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">BuildDuration in minutes</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="trellis.splitBy">FolderName</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Report for Merchant</title>
      <chart>
        <search>
          <query>index=abc sourcetype="xyz" FolderName=merchant $name$</query>
          <earliest>$field4.earliest$</earliest>
          <latest>$field4.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.text">Date</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">BuildDuration in minutes</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="trellis.splitBy">FolderName</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Report for One</title>
      <chart>
        <search>
          <query>index=abc sourcetype="xyz" FolderName=one $name$</query>
          <earliest>$field4.earliest$</earliest>
          <latest>$field4.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.text">Date</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">BuildDuration in minutes</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="trellis.splitBy">FolderName</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Report for CP</title>
      <chart>
        <search>
          <query>index=abc sourcetype="xyz" FolderName=cp $name$</query>
          <earliest>$field4.earliest$</earliest>
          <latest>$field4.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.text">Date</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">BuildDuration in minutes</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="trellis.splitBy">FolderName</option>
      </chart>
    </panel>
  </row>
  ..........
  ..........
  ..........
</form>

Can someone guide me on this? Thanks in advance.
If a party decided to split all events into their own indexes (i.e. winevent_security to "security", winevent_application to "application", etc.), but then they had a third-party security group that needed specific indexes (in this case just the security index), how would one set it up so that that index still goes to the main Splunk for the company but ONLY that log goes to the third-party Splunk as well? The idea is to use a heavy forwarder, but I am not sure how to specify the index. Right now I have all indexes going to both, but that is not a solution that everyone is comfortable with. Any help would be amazing.
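An added example, not from the original post, of the heavy-forwarder setup described above: everything keeps flowing to the company indexers, and only events already assigned to the security index are additionally copied to the third party. It assumes the index is set on the inputs (inputs.conf on the universal forwarders, as in the question) so the heavy forwarder can read it at parse time. Host names and group names are placeholders.

```ini
# outputs.conf on the heavy forwarder. Host names are placeholders.
[tcpout]
defaultGroup = corp_indexers

[tcpout:corp_indexers]
server = idx1.corp.example:9997, idx2.corp.example:9997

[tcpout:third_party]
server = collector.thirdparty.example:9997

# props.conf on the heavy forwarder. Apply the routing transform to all data the
# HF parses; narrow the stanza (e.g. [WinEventLog:Security]) if you prefer.
[default]
TRANSFORMS-route_by_index = route_security_to_both

# transforms.conf on the heavy forwarder. Match on the index already assigned to
# the event and send matching events to both output groups. Events that do not
# match keep defaultGroup, i.e. corp_indexers only.
[route_security_to_both]
SOURCE_KEY = _MetaData:Index
REGEX = ^security$
DEST_KEY = _TCP_ROUTING
FORMAT = corp_indexers,third_party
```

Two caveats worth checking before relying on this. The transform runs in the parsing pipeline, so it only applies to data the heavy forwarder actually parses (raw data from universal forwarders or its own inputs); events that arrive already cooked from another heavy forwarder or indexer are not re-evaluated. And because the third party receives a full copy of that index, put TLS on the third_party output group (clientCert, sslRootCAPath and sslVerifyServerCert in the tcpout stanza) and confirm with index=_internal source=*metrics.log group=tcpout_connections that only the intended destination is receiving data.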
Hi Folks, I am getting the below error in the Incident Review dashboard, and this error is persistent and impacting operations.

Error: only 0 events successfully updated. unable to edit all selected events due to the max events per bucket limit.

I tried increasing max_events_per_bucket to 2500, referring to the link below, but the issue is still persistent. https://docs.splunk.com/Documentation/ES/6.2.0/Admin/CustomizeIR Please suggest. Screenshot attached below. Thanks in advance
Hi Everyone, we have one scheduled search which is running on the index (mulesoft_index). In this index all the fields act as indexed fields. We are storing the scheduled search results into one summary index (summaryindex_mt_stats) by enabling the Summary Indexing option on that scheduled search. But the fields are not acting as indexed fields in the summary index. So how can we create indexed fields in the summary index while indexing from a scheduled search? We are using data models on the summary index, but the tstats command is not working on the data model because the tsidx files do not contain the indexed fields, as the summary index does not have the indexed fields. Can anyone please help on this? Thanks & Regards, Manikanth
I'm talking EVERYTHING Can I include CA certificates in a Splunk app?  Can I accept the license agreement and set an admin password? Where is the line?  What HAS to happen at the system level? Thanks so much!
I am trying to create a report for failed Oracle logins and noticed that the lookup provided with the Add-on for Oracle Database seems to be missing ORA-01017. This search of the lookup returns no rows:

| inputlookup oracle_ora_codes.csv | search ORACODE=ORA-01017

Just to make sure I wasn't missing something, I checked the oerr utility for 1017 and got the following:

$ oerr ora 1017
01017, 00000, "invalid username/password; logon denied"
// *Cause:
// *Action:

Am I missing something obvious? Has anyone else run into missing codes? What is the best way to deal with this?
In my data, there are duplicate rows for a server, but their status is "active" or "deleted". Based on the field value, I would like "active" records to be returned at all times when both "active" and "deleted" are present. If "active" is not present, then I want the "deleted" record to be shown. Sample data result below. Please let me know how this can be done.

| makeresults | eval server="one",column1="1",column2="2",column3="3",_time="09-02-2020",status="active"
| append [| makeresults | eval server="one",column1="1",column2="2",column3="3",_time="09-01-2020",status="deleted"]
| append [| makeresults | eval server="one",column1="1",column2="2",column3="3",_time="08-31-2020",status="deleted"]
| append [| makeresults | eval server="two",column1="3",column2="2",column3="1",_time="09-02-2020",status="active"]
| append [| makeresults | eval server="three",column1="4",column2="5",column3="6",_time="09-01-2020",status="deleted"]
| table server,status,column1,column2,column3,_time

Output of the above makeresults is below:

server  status   column1  column2  column3  _time
one     active   1        2        3        9/2/2020
one     deleted  1        2        3        9/1/2020
one     deleted  1        2        3        8/31/2020
two     active   3        2        1        9/2/2020
three   deleted  4        5        6        9/1/2020

In this output, I would like to see the "active" record for server "one", the "active" record for server "two", and the "deleted" record for server "three".
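One way to keep the active row where it exists and fall back to the deleted one otherwise, added here as an example (not from the original post) and built on the constructed sample data from the question:

```spl
| makeresults | eval server="one", status="active", column1="1", column2="2", column3="3", _time="09-02-2020"
| append [| makeresults | eval server="one", status="deleted", column1="1", column2="2", column3="3", _time="09-01-2020"]
| append [| makeresults | eval server="one", status="deleted", column1="1", column2="2", column3="3", _time="08-31-2020"]
| append [| makeresults | eval server="two", status="active", column1="3", column2="2", column3="1", _time="09-02-2020"]
| append [| makeresults | eval server="three", status="deleted", column1="4", column2="5", column3="6", _time="09-01-2020"]
| eval priority=case(status="active", 0, status="deleted", 1, true(), 2)
| sort 0 server priority -_time
| dedup server
| fields - priority
| table server status column1 column2 column3 _time
```

The ranking field makes the precedence explicit: within each server, active sorts before deleted, and among rows with the same status the most recent _time comes first, so dedup (which keeps the first row it sees per server) returns one/active/09-02-2020, two/active, and three/deleted. The true() branch in case() catches any unexpected status value so it never wins over active or deleted. Replace the makeresults/append chain with your real base search and keep everything from the eval onward.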
Hello, we are using the Lookup Editor app, and before we were able to scroll through all the 4000+ rows within a specific CSV file. Now it does not go over 100 rows. We tried different browsers and also incognito and still see the same behavior. This happens to all users. It was noticed that there is an up arrow at the top and a down arrow at the bottom so you can click/hold to quickly scroll through the rows. The bar is there but looks grayed out, so to get the rows to go down, we have to choose a row and then hold the keyboard down arrow to scroll through 4000 rows. Lookup Editor 3.4.6. Any recommendations are greatly appreciated. @LukeMurphey
BLUF: is there a good way to search for double TLDs? I have been attempting to get at a way to hunt for double TLDs in a firewall index, and I am looking at how to improve on some basic searching. Basically, if you search tools like PhishTank, you will see a lot of phishing domains like to spoof legitimate sites with something along the lines of "mybank.com.thisisabadguy.com" so you think you're navigating to "mybank.com". I've done very simplistic searches to see how things work, searching things like `index=firewall .com*.com | dedup url` just to see what results I get. Lots of false positives, what with Google Ad redirects, Bing search results, etc. I can work with FPs though; I'll create a whitelist CSV for that. Is there a way to get Splunk to recognize double TLDs, so instead of having to individually search .com*.com, .org*.org, .ru*.ru, etc. I can search where .tld*.tld?
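An added example, not part of the original post, of hunting the "mybank.com.thisisabadguy.com" pattern generically: pull the host out of the url field, then flag hosts where a label that is itself a well-known TLD is followed by further labels. The TLD list, the src field name and the ccTLD exclusion list are assumptions to adapt to your data:

```spl
index=firewall url=*
| rex field=url "^(?:[a-z][a-z0-9+.-]*://)?(?<host>[^/:?#]+)"
| eval host=lower(host)
| regex host="\.(com|net|org|edu|gov|mil|info|biz|io|co|uk|ru|de|cn)\.[^.]+(\.[^.]+)*$"
| regex host!="\.(com|co|org|net|ac|gov|edu)\.(uk|au|br|in|jp|nz|za|mx)$"
| stats count dc(src) as sources values(src) as src by host
| sort - count
```

The first regex is the ".tld*.tld" idea made precise: a dot, a known TLD, another dot, and at least one more label before the end of the host, so "accounts.google.com" does not match but "accounts.google.com.login-verify.net" does. The second regex removes the biggest structural false positive, ccTLD second-level registrations such as co.uk or com.au, which look identical to the pattern; that list is a starting point, and the Public Suffix List is the authoritative source if you want to load it as a lookup. Anchoring on the extracted host rather than the full URL also keeps paths and query strings (the Google Ad and Bing redirect cases) from tripping the match, and stats by host gives you one row per suspicious domain to whitelist or escalate.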
I have events with response_time fields coming from an access log file. I have to display the average, min, and max response times sorted by another field called repository. My search looks like this:

<base_search> | stats min(response_time) as min max(response_time) as max avg(response_time) as avg by repository

The average column is empty, while min and max are calculated correctly. Now, if I remove min and max from my stats command, the average is calculated as expected. The response_time field is numeric. How do I combine avg, min, and max together to have all the stats that I need?
is it just me or is this new'ish splunk answers community not as 'active' as the old version?
Here the first drop-down, Dates, will display the last 7 days of dates. When the user selects any one date, a query will be executed and that date will be used in the query. Results of that query will be displayed in the second drop-down. I have tried the code below; it's not throwing any error, but my second drop-down doesn't populate with the correct values. Any pointers you can provide will be helpful. Thanks.

<input type="dropdown" token="Dates" searchWhenChanged="true">
  <label>Date</label>
  <fieldForLabel>Dates</fieldForLabel>
  <fieldForValue>Dates</fieldForValue>
  <search>
    <query>| gentimes start=-6 end=+1 | eval Dates=strftime(starttime,"%Y-%m-%d") | table Dates</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>
  <default>2020-06-15</default>
  <initialValue>2020-06-15</initialValue>
</input>
<!-- The dependent drop-down carries its own <search> that references $Dates$;
     it re-runs whenever the first drop-down changes. A <search> cannot live
     inside <change>/<set>, which is why the earlier version never populated. -->
<input type="dropdown" token="name" searchWhenChanged="true">
  <label>Name</label>
  <fieldForLabel>fromendPointName</fieldForLabel>
  <fieldForValue>fromendPointName</fieldForValue>
  <choice value="All">All</choice>
  <search>
    <query>index=test | rename body.recordTotals{}.from.* as from* | rename header.eventCode as eventCode | where eventCode="abc" AND fromfromUs="true" AND messagingCalendarDate="$Dates$" | stats count by fromendPointName | table fromendPointName</query>
  </search>
  <default>All</default>
  <initialValue>All</initialValue>
</input>
I am attempting to black-hole some data. It is based off simple strings, but my regex is not working.

1st. I want to remove all events that contain "somename@google.com"

props.conf (sourcetype=ipstuff):

[ipstuff]
TRANSFORMS-filter-events = ipstuff_drop_event

transforms.conf:

[ipstuff_drop_event]
# Only the dot is a regex metacharacter here. "\g" and "\c" are PCRE escapes
# (backreference and control character), so "\google\.\com" never matches the literal text.
REGEX = somename@google\.com
DEST_KEY = queue
FORMAT = nullQueue

2nd. I want to remove all events that contain the string "totalamountsystem".

props.conf (sourcetype=ds:fip):

[ds:fip]
TRANSFORMS-filter-events = totalamountsystemDrop

transforms.conf:

[totalamountsystemDrop]
REGEX = totalamountsystem
DEST_KEY = queue
FORMAT = nullQueue

What am I missing here?
Greetings, I'm working on ways to set up Splunk containers inside Kubernetes.  I wanted to ask here if anybody has ever done this, and if there are some gotchas I should know about. I've heard that Kubernetes Ingress provides TLS, so the inside of a pod doesn't have to listen to encryption as a result.  How does this affect configuring the Splunk container?  Can features like SSL AND TLS be turned off? Does turning off encryption features in Splunk break anything? Is this even possible with Splunk Enterprise? I apologize for the general, high-level type of question, but there's not a lot of documentation out there for this. Thanks in advance.
I have a search that does the following:

| inputlookup system_scores.csv | search "big search goes here" | fields server_org both_server_desktop_score desktop_score server_score

The search gives me the following:

server_org  both_server_desktop_score  desktop_score  server_score
Bob         60                         10             40
Alice       40                         10             30
Jill        10                         5              5

I would like to get each column into a row for each of the scores. I envision the search output would look like this:

server_org  server_type                Score
Bob         both_server_desktop_score  60
Bob         desktop_score              10
Bob         server_score               40
Alice       both_server_desktop_score  40
Alice       desktop_score              10
Alice       server_score               30
Jill        both_server_desktop_score  10
Jill        desktop_score              5
Jill        server_score               5

Is this possible? Any ideas?
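untable does exactly this column-to-row pivot. Added example, not from the original post, using constructed rows in place of the lookup so it runs anywhere:

```spl
| makeresults count=3
| streamstats count as n
| eval server_org=case(n=1, "Bob", n=2, "Alice", n=3, "Jill"),
       both_server_desktop_score=case(n=1, 60, n=2, 40, n=3, 10),
       desktop_score=case(n=1, 10, n=2, 10, n=3, 5),
       server_score=case(n=1, 40, n=2, 30, n=3, 5)
| fields server_org both_server_desktop_score desktop_score server_score
| fields - _time
| untable server_org server_type Score
```

untable keeps the first named field as the row key and turns every remaining column into a server_type/Score pair, emitting the three score rows per server_org in the order above. The explicit fields - _time matters: makeresults (and many base searches) carry _time, and any extra column left in the result would come out as its own server_type row. On the real data the pipeline is | inputlookup system_scores.csv | search "big search goes here" | fields server_org both_server_desktop_score desktop_score server_score | untable server_org server_type Score.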