I'm struggling to make the custom time range work. I need to filter issues based on a specific past date/time. But whatever I define in the custom time selector, it's showing a previous date/time not related to what I have selected. Has anyone had this issue? I tried creating a custom time range, but when I save, it's changing my time to a different time. Could it be due to the time zone? I would appreciate it if anyone can advise how I can resolve this.
Please advise.
I have this kind of data:

Event ID   Event Step   Status
100        1            SUCCESS
100        2            SUCCESS
100        3            FAILURE
100        4            FAILURE
100        5            SUCCESS
100        6            FAILURE

Success condition: when Event Steps 1, 2, 4 and 5 are ALL SUCCESS, then SUCCESS, else it is IN PROGRESS. Can you help me with the query to find out the same? I have tried an AND condition, but it is not giving me the correct result, because it searches for one condition only. I have tried OR as well, but that gives me a wrong count.
For SQL Server audit information, we ended up sending the data to the wineventlog index as application events. This data - EventCode=33205 should be visible only for the cyber/audit audience. How can we apply a different access to this data or should we route it to a different index? If so, how can we do it?
I upgraded a minor version recently and my data inputs and field extractions are removed. So my dashboard no longer works. Is this normal for upgrades? Also, how can I link them back so that in the dashboards or the search the fields are properly extracted?
We currently use a single-site cluster for our main environment. We need to be able to receive data from a remote site to our cluster but still maintain searchability if the connection from the main site to the remote site is severed (intentionally or not). The remote site has less than 50 assets and may ingest as little as 3GB a day. Converting our single-site cluster to a multi-site cluster is not possible. Should we use a heavy forwarder in a "store and forward configuration" at the remote site to forward data to the cluster? I believe we would have some sort of search capability at the remote site if the connection fails. Or should we put a single indexer at the remote site and have it connected as a non-clustered search peer of our single search head that exists in our main environment? In this configuration we should also have local search capability if the connection fails. I'm leaning towards going the HF route or may even end up going with a non-distributed instance that gets backed up daily. What do you think?
Is there a simple, understandable document describing how to set up encrypted communication with third-party signed certs? I'm OK with the web certs; it's all the rest of it that is not very clear in the documentation.
My boss has asked me to create a chart that shows the number of fired alerts (y-axis) by day of the month (x-axis). I suggested we do this as a stacked chart with each alert represented by a different color. I know the alert variable is "ss_name" and I found this expression to create the "date":

convert timeformat="%m-%d" ctime(_time) AS date

I just can't get the correct syntax to get all 3 elements into the chart. So far I have this:

index=_audit action="alert_fired" | convert timeformat="%m-%d" ctime(_time) AS date | timechart date by ss_name

Thanks!
Is there a way to apply different color schemes for different environments - QC, Prod, etc.? It probably can be a big header as well. We just had a case where one admin fellow got confused between the environments and we obviously would like to avoid it.  
Hello Everyone, I have searched for an answer on this forum but have not seen any thread talking about checking the group policy attributes. I'm using the Splunk App for Windows Infrastructure and that gives me the "Group Policy changes" report, which gives the name of the GPO that was changed and who changed it. However, I need to know how we can check the attributes that are being changed in a GPO, as just the GPO name is not helpful. A GPO consists of several attributes and searching for the one that changed will be a tiring process without Splunk. I've seen the following threads about GPO but none of them are about GPO attributes.
https://community.splunk.com/t5/Archive/Query-for-Checking-GPO-Changes/m-p/384810/highlight/false
https://community.splunk.com/t5/Security/How-to-identify-an-admin-who-made-a-change-in-GPO/m-p/469984#M10908
https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-correlate-the-admin-user-with-a-GPO-change/td-p/159210
Please let me know if you have further questions. Thank You, Rahul
Hello, I am a new Splunk user. Is it possible to connect a local API with Splunk Enterprise and get automated updates of the results of the REST API in Splunk?
I tested a Python script that works with Python 2.7.x and used the same script to run in Python 3, which returns error code 1. It works in Python 2.7.x. Below is the commands.conf:

[prettyformat]
filename = xmlformat.py
retainsevents = true
overrides_timeorder = false
run_in_preview = false
streaming = true
python.version = python3
Apologies in advance as I'm new to Splunk. I'm trying to put a name to each line below. Each src to dst is a business client. So the 1st line would be Cisco, the 2nd would be Juniper, the third would be Microsoft. Once I put this in a visualization I want to show the client name rather than src or whatever.

OR (src=192.168.1.1 dest=172.16.1.1) OR (src=192.168.1.2 dest=172.16.2.1) OR (src=192.168.1.3 dest=172.16.3.1)

Made-up syntax: Name:Cisco = (src=192.168.1.1 dest=172.16.1.1)

I hope you understand what I'm getting at - Thanks, Simon
Hi All, I am unable to select the Rising Column parameter from the following SQL query. Can someone please help me with this?

select * from
  (select to_char(count(1)) as "sessions" from v$session),
  (select to_char(count(1)) as "processes" from v$process),
  (select value as "max_sessions" from v$parameter where NAME='sessions'),
  (select value as "max_processes" from v$parameter where NAME='processes'),
  (select to_number(substr(output, 33),9999999.99) avg_ash
     from table(dbms_workload_repository.ash_report_text((select dbid from v$database), 1, sysdate - interval '5' minute, sysdate, 0))
    where output like '%Average Active Sessions%')

Regards, Rahul
Hi all, I am searching web servers' centralized logs and getting results from multiple servers. But those servers belong to different deployments. For example:
- srv1, srv7, srv9, ... belong to deployment Fin
- srv15, srv19, srv21, ... belong to deployment Jpn
- srv100, srv102, srv110, ... belong to deployment Bra
In the results I can see the hosts, but I'm looking for possibilities to group the servers into their own deployments. Is that something I could do during the search by giving an array where servers are listed, or some other way? Or is this something I should do earlier?
Hello, I have a very basic query which is giving me the desired results and visualization, but even after a lot of research what I am not able to do is color the bars according to the field values. Below is roughly what my query looks like:

my search ...| chart count by status

Now this status field has around 15-20 status values like complete, pending, repair, canceled, posted, etc. So as of now my bar chart has the Status field on the X-axis with the field value names mapped to it like complete, cancelled, etc., and my Y-axis has the count of those statuses. Now what I want is to keep the visualization as it is and change the colors of a few statuses, like green for Complete, red for canceled, amber for repair and so on. I tried charting.fieldColors">{"COMPLETE":#32a838,"CANCELED":#e81324,"REPAIR":#FFC200} but it is not helping. I also tried transposing rows to columns, with which I am able to change the colors, but then the mapping of field values onto the Y-axis is removed and converted to legends, which is not looking good. Can this be achieved by keeping my current visualization intact? I have gone through multiple pages here on Splunk Answers but no luck. Thanks in advance.
When I try to configure the "Splunk Add-on for Unix and Linux" app in Splunk Cloud I receive an error message that states: "There was an unexpected problem while saving the inputs. Please reload the page and try again." This error message is vague and I am not sure what to do next. Does anyone have a solution?
Hi, in a single event we have a field named username which occurs multiple times in the event's raw data, and the usernames are different. How can we extract this username field, since there are multiple values in the same event? Please help; this is the SAP spool data which is forwarded to Splunk Cloud. Attaching the screenshot with multiple usernames in a single event.
I am trying to extract a field using a field transformation. My event contains XML. A partial snippet is given below:

<Name>/xx</Name>
<Id>HASPR00100</Id>
<Class>B</Class>
<Confidence>0.8957</Confidence>
<Notes>
<Note>
<Key name="note">[CDATA[{"target": "corp", "precision": 0.365, "recall": 0.553, "fnr": 0.447, "fpr": 0.0273, "confidence": {"A": 0.0, "B": 0.8957}}]]</Key>
<Key name="score">0.0271</Key>

I am trying to capture the "score" value 0.0271 in a field. I tried to create a field transformation using the regex below:

\<Name\>\/xx\<\/Name\>\n.+\n.+\n.+\n.+\n.+\n.+\n.+\<Key name\=\"score\"\>(\S+)\<\/Key\>

But that does not work. If I use the same expression in rex I am able to extract the field:

index=a ... | rex "\<Name\>\/xx\<\/Name\>\n.+\n.+\n.+\n.+\n.+\n.+\n.+\<Key name\=\"score\"\>(?<sc>.*)\<\/Key\>"

Am I missing something? Or is there any better way to do this? Thanks.