Find Answers
There is a search that runs every 30 minutes and normally it runs okay. But in a few instances, seemingly at random, the events show up as 0.

    index=eventlog (host="TP-Servers-*" OR host="TP-Hosts-*") splunk_server="splunkns0" sourcetype="event.log"
    | top limit=38 host
    | stats count as alive_hosts

We grab the time frame to be -30m to -10m at the time of running the search. The system uses this to confirm connection towards the hosts and servers. Below shows that at one point it shows 0 events found.

[screenshot: Occurrences]

But when we run the search again over the same time frame, we find there were events (this time it should be around 8000 events). We've checked the python, schedule, and splunkd logs and found no errors. The times this occurs are not the same every time. Each time we search back there are results to be found. Has anyone else met this type of issue? Or has any other direction we can check?
How to use regex to fetch an Incident (e.g. INC0000453245 or INC0000342568), i.e. to fetch INC and exactly 10 numbers after INC?
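As an added example (not part of the question above): in Python the requirement is the anchored pattern `\bINC\d{10}\b`. The `\b` word boundaries are what enforce "exactly ten": without them `INC\d{10}` would happily match the first ten digits of an eleven-digit number. The same expression works in Splunk's `rex` command with a named group, e.g. `| rex "(?<incident>\bINC\d{10}\b)"`. The sample text and function names below are the example's own.

```python
import re

# INC followed by exactly ten digits. \b on both sides makes it a whole token:
# "INC00004532451" (11 digits) and "XINC0000453245" do not match, and the
# pattern stays case-sensitive so "inc..." is rejected as well.
INCIDENT_RE = re.compile(r"\bINC\d{10}\b")


def extract_incidents(text):
    """Return every INC+10-digit identifier in text, in order of appearance."""
    return INCIDENT_RE.findall(text)


def is_incident(token):
    """True only if the whole token is one INC+10-digit identifier."""
    return INCIDENT_RE.fullmatch(token) is not None


# Constructed sample, not from the question: two valid ids plus three decoys.
SAMPLE = (
    "Ticket INC0000453245 opened; related to INC0000342568. "
    "Ignore INC12345 (too short), INC00004532451 (11 digits) "
    "and inc0000453245 (lowercase)."
)

if __name__ == "__main__":
    print(extract_incidents(SAMPLE))
```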
I'd like to set up a combination of "depends" criteria for a panel where the panel only shows when:

1. <panel depends="$show_print$,"> AND
2. the date range picker is <= 30 days.

Any assistance would be greatly appreciated. Cheers, Mac
8/24 update: I'm sorry, I didn't describe the problem well. I re-corrected the description.

I need to find "parent" in the processes table for "services.exe", then use the "parent" found above to look for "parent" = "pid" in the original "processes" table for the consistent information.

Processes table:

    Name             pid   parent
    csrss.exe        568   552
    csrss.exe        576   560
    fontdrvhost.exe  564   756
    lsass.exe        712   556
    lsass.exe        728   572
    services.exe     712   564
    services.exe     716   568
    services.exe     712   568
    services.exe     836   712
    services.exe     836   712
    svchost.exe      712   716
    wininit.exe      564   468
    wininit.exe      568   472
    wininit.exe      572   476
    wininit.exe      712   592

SQL query:

    SELECT name FROM processes WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='services.exe');

SQL query result:

    Name             pid   parent
    wininit.exe      564   468
    fontdrvhost.exe  564   756
    wininit.exe      568   472
    csrss.exe        568   552
    services.exe     712   564
    wininit.exe      712   592
    services.exe     712   568
    svchost.exe      712   716
    lsass.exe        712   556

Splunk search:

    index="processes" [search index="processes" name=services.exe | dedup parent | fields parent] | search pid=parent | table name parent pid

but no results!! Please help me convert the Splunk query. Thanks!!

---------------------------------------------------------------------------

I need to convert a SQL query into a Splunk query. Could someone help me? Here is the SQL query:

    SELECT name pid parent FROM processes WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='services.exe');

processes table:

    name         pid   parent
    wininit.exe  712   592
    wininit.exe  712   592
    wininit.exe  712   592
    svchost.exe  1812  712
    svchost.exe  1480  712
    svchost.exe  2024  712
    svchost.exe  1780  712
    svchost.exe  4496  712

SQL query results:

    name         pid   parent
    wininit.exe  712   592
    wininit.exe  712   592
    wininit.exe  712   592

I tried this Splunk search:

    index=" porcesses " [search index="porcesses" columns.name=services.exe | dedup parent | fields parent] | search pid=parent | table name parent pid

but no results!! Please help me convert the Splunk query. Thanks!!
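Added worked example (not the poster's code): the SQL is a self-join in two steps, and the Python below performs the same two steps over the process table posted in the first version of the question so the expected nine rows can be checked. It treats `pid = (subquery)` as `pid IN (...)`, which is what the posted result set implies since the subquery returns several parents. The SPL attempt fails for a separate reason worth knowing: a subsearch ending in `| fields parent` expands to `parent=564 OR parent=568 OR parent=712`, so the outer search filters on the parent column, and `| search pid=parent` then compares pid with the literal string "parent". The subsearch has to hand back the values under the field name the outer search should test, i.e. `| dedup parent | rename parent AS pid | fields pid`. Function names below are the example's own.

```python
from collections import namedtuple

Process = namedtuple("Process", "name pid parent")

# Process table as posted in the question (first version of the post).
PROCESSES = [
    Process("csrss.exe", 568, 552),
    Process("csrss.exe", 576, 560),
    Process("fontdrvhost.exe", 564, 756),
    Process("lsass.exe", 712, 556),
    Process("lsass.exe", 728, 572),
    Process("services.exe", 712, 564),
    Process("services.exe", 716, 568),
    Process("services.exe", 712, 568),
    Process("services.exe", 836, 712),
    Process("services.exe", 836, 712),
    Process("svchost.exe", 712, 716),
    Process("wininit.exe", 564, 468),
    Process("wininit.exe", 568, 472),
    Process("wininit.exe", 572, 476),
    Process("wininit.exe", 712, 592),
]


def parents_of(rows, name):
    """Inner query: the set of parent pids of every row named `name` (case-insensitive)."""
    return {r.parent for r in rows if r.name.lower() == name.lower()}


def processes_with_pid_in(rows, pids):
    """Outer query: every row whose own pid is in `pids` (SQL `pid IN (...)`)."""
    return [r for r in rows if r.pid in pids]


def parent_processes(rows, name="services.exe"):
    """Rows that could be the parent of `name`: the posted SQL read as pid IN (subquery)."""
    return processes_with_pid_in(rows, parents_of(rows, name))


if __name__ == "__main__":
    for row in parent_processes(PROCESSES):
        print(row.name, row.pid, row.parent)
```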
Hi, I have a dashboard where I have a drop down which returns me a string. The XML of the drop down is below:

    <input type="dropdown" token="jobID" searchWhenChanged="true">
      <label>JOB ID II</label>
      <fieldForLabel>JOB-ID-WITH-TIME</fieldForLabel>
      <fieldForValue>JOB-ID-WITH-TIME</fieldForValue>
      <search>
        <query>index=test sourcetype="testabc" | rename sre_job_id as JOB_ID | stats earliest(_time) AS Earliest by JOB_ID | eval FirstEvent=strftime(Earliest,"%b %d %Y, %H:%M:%S") | eval JOB_ID_STR=tostring(JOB_ID) | eval JOB-ID-WITH-TIME=JOB_ID + "-" + FirstEvent | table JOB-ID-WITH-TIME | dedup JOB-ID-WITH-TIME | sort JOB-ID-WITH-TIME</query>
        <earliest>$timeToken.earliest$</earliest>
        <latest>$timeToken.latest$</latest>
      </search>
    </input>

This drop down returns me data something like: 6802-Jul 20 2020, 10:41:14 (an ID with a date separated by a dash). Now, I have a tabular report where I want to use just the ID (6802) in the search for the report to show data. The XML for the tabular report is below:

    <table>
      <title>TOTAL TIME for JOB $jobID$</title>
      <search>
        <query>index=test sourcetype="testabc" sre_job_id=$jobID$ Perf_Type=Perf* | stats sum(Time_Taken) as NetTime_secs by Perf_Type | eval NetTime_mins=(NetTime_secs/60) | table Perf_Type, NetTime_mins | sort -Perf_Type</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </table>

The problem with the above query is that sre_job_id=$jobID$ gets the whole value 6802-Jul 20 2020, 10:41:14 and hence does not show any results, whereas it expects only 6802 to show some data.

I tried to eval the token and split the token data but was not able to use the split data in my search. This is what I have tried:

    index=test sourcetype="testabc" Perf_Type=Perf* [| makeresults | eval test="6802-Jul 20 2020, 10:41:14" | eval results=split(test,"-") | eval job_id=mvindex(results,0)] sre_job_id=job_id

For now I tried hard coding the value, but no luck. Could someone please help on this? I hope the question is clear. Thanks in advance for your time.
I have a custom ML model which does anomaly detection, and once the fit and apply is done, I need the ML result to be consumed on multiple tiles to show various graphs and results. Since it's a concurrent multi-user dashboard, I cannot use the lookup functionality. So my problem is: "How do I share ML results with multiple tiles in a dashboard at once?"
When I try to access the server through 8089 where the Forwarder is installed, I am seeing an invalid certificate: "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store." How can I install a self-signed certificate for port 8089?
How do I upload a new TA (Add-on) to Splunkbase?
I am using Splunk Add-on Builder and am trying to set up the config and input development. The config page seems to work. It takes in username and password. The input page loads up and allows me to enter in the form, but as soon as I hit submit, it throws the following error message:

    Argument validation for scheme=myapp failed: The script returned with exit status 1

When I check the splunkd logs I see the following error:

    08-20-2020 20:52:50.557 -0400 ERROR AdminManagerExternal - Stack trace from python handler:
    Traceback (most recent call last):
      File "C:\Splunk\Python-2.7\Lib\site-packages\splunk\admin.py", line 131, in init
        hand.execute(info)
      File "C:\Splunk\Python-2.7\Lib\site-packages\splunk\admin.py", line 594, in execute
        if self.requestedAction == ACTION_CREATE: self.handleCreate(confInfo)
      File "C:\Splunk\etc\apps\TA-myapp\bin\ta_myapp\splunktaucclib\rest_handler\admin_external.py", line 40, in wrapper
        for entity in result:
      File "C:\Splunk\etc\apps\TA-myapp\bin\ta_myapp\splunktaucclib\rest_handler\handler.py", line 118, in wrapper
        raise RestError(exc.status, exc.message)
    RestError: REST Error [400]: Bad Request -- HTTP 400 Bad Request -- {"messages":[{"type":"ERROR","text":"Argument validation for scheme=myapp failed: The script returned with exit status 1."}]}

When I inspect the network in Chrome, I notice this URL is throwing 400 and 500 server errors:

    http://localhost:8000/en-US/splunkd/__raw/servicesNS/nobody/TA-myapp/TA_myapp_myapp?output_mode=json&count=100&sort_dir=asc&sort_key=name&offset=0&search=&_=1597973900868

The only places where I see TA_myapp_myapp show up are in these two files:

    $splunk_home/etc/apps/TA-myapp/local/web.conf
    $splunk_home/etc/apps/TA-myapp/local/restmap.conf

Am I missing anything to get this endpoint to work?
Hi, I want to extract all the log events (normal lines) except JSON messages. There should be an easy way to do this. Any hints, please?

My log file is a mix, something like below:

    normal line
    normal line
    json events {
      {json messages}
    }
    normal line
    etc etc

Thanks,
Naresh
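Added example, not from the question: a small line-oriented splitter in Python that separates "normal" lines from JSON objects in a mixed log, keeping multi-line objects intact by tracking brace depth outside string literals (a `{` or `}` inside a JSON string must not open or close a block). The sample log is constructed. At search time in Splunk, if each JSON object is already its own event, a plain `| regex _raw!="^\s*\{"` drops the JSON events; the splitter below is for the case where the file has to be pre-processed or the objects span several lines.

```python
import json


def _brace_delta(line):
    """Net count of '{' minus '}' on one line, ignoring braces inside JSON string literals."""
    delta, in_str, esc = 0, False, False
    for ch in line:
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "{":
            delta += 1
        elif ch == "}":
            delta -= 1
    return delta


def split_log(lines):
    """Yield ("json", block) for each balanced {...} object and ("text", line) for every other line.

    A block begins at a line whose first non-blank character is '{' and ends
    when the brace depth returns to zero, so multi-line JSON is kept whole.
    An object that never closes (truncated file) is flushed back as text lines
    rather than dropped.
    """
    buf, depth = [], 0
    for line in lines:
        if depth == 0 and not line.lstrip().startswith("{"):
            yield "text", line
            continue
        buf.append(line)
        depth += _brace_delta(line)
        if depth <= 0:
            yield "json", "\n".join(buf)
            buf, depth = [], 0
    for leftover in buf:
        yield "text", leftover


def non_json_lines(lines):
    """The 'normal' lines the question asks for."""
    return [body for kind, body in split_log(lines) if kind == "text"]


def json_events(lines):
    """Parsed JSON objects; a block that does not parse is returned as its raw text."""
    out = []
    for kind, body in split_log(lines):
        if kind == "json":
            try:
                out.append(json.loads(body))
            except json.JSONDecodeError:
                out.append(body)
    return out


# Constructed sample log (not the poster's file): text lines interleaved with
# a multi-line object, a one-line object, and a '}' inside a string literal.
SAMPLE_LOG = """\
2020-08-21 10:00:01 INFO service started
2020-08-21 10:00:02 WARN retrying connection
{
  "event": "login",
  "user": "alice",
  "detail": {"ip": "10.0.0.5", "note": "brace in string }"}
}
2020-08-21 10:00:03 INFO done
{"event": "logout", "user": "alice"}
2020-08-21 10:00:04 ERROR unexpected }
"""

if __name__ == "__main__":
    for line in non_json_lines(SAMPLE_LOG.splitlines()):
        print(line)
```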
I've got 3 automatic lookups:

    host::ORAC : LOOKUP-game title      game_titles id AS title_id OUTPUTNEW publisher_id AS publisher_id title AS game_title
    host::ORAC : LOOKUP-game title id   Games id AS game_id OUTPUTNEW title_id AS title_id
    host::ORAC : LOOKUP-publisher name  publishers id AS publisher_id OUTPUTNEW name AS publisher

The title id one works fine, but the other two, which are based on the field generated by the automatic lookup, don't cause an error but don't create any new fields either. Are we not able to use fields created by an automatic lookup for further lookups?
Hi Guys, I have Splunk Enterprise installed. I have pulled across some directories with files inside (from Kali). The issue is I cannot bring up the files in the Search and Reporting app. I believe it is because of the messages in the screenshot below, which I have no idea how to fix, even after reading some forums. I am a non-IT person and new to Splunk. Any help would be great.
My question is about the day and month components of a date without leading zeroes. The Python docs provide %-d and %-m respectively. The Splunk docs do not show these options. Splunk, however, has %e, which seems to be the same as %-d. I did not find any option for a decimal month number. I have tried, and Splunk seems to accept %-d and %-m. Is it a standard feature that I can rely on? Is it implementation dependent? Did I miss something in the Splunk docs?
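Added example (not from the post). Python's `strftime` hands the format string to the platform C library, which is why `%-d` works on glibc and BSD systems and raises ValueError on Windows: nothing in the C standard defines the `-` flag, and `%e` (day of month, space-padded) is the only POSIX way to lose the zero. The helper below expands the `%-X` fields itself so the output does not depend on which libc is underneath, and reports whether the local libc happens to honour the flag. Function names are the example's own.

```python
import datetime

# Fields that %-X would render without padding; expanded here in Python so the
# result does not depend on which C library strftime is compiled against.
_NO_PAD = {
    "d": lambda dt: dt.day,
    "m": lambda dt: dt.month,
    "H": lambda dt: dt.hour,
    "M": lambda dt: dt.minute,
    "S": lambda dt: dt.second,
}


def strftime_portable(dt, fmt):
    """strftime that expands %-d, %-m, %-H, %-M, %-S itself and hands the rest to libc."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt):
            nxt = fmt[i + 1]
            if nxt == "%":                      # escaped percent: leave it for libc
                out.append("%%")
                i += 2
                continue
            if nxt == "-" and i + 2 < len(fmt) and fmt[i + 2] in _NO_PAD:
                out.append(str(_NO_PAD[fmt[i + 2]](dt)))
                i += 3
                continue
        out.append(fmt[i])
        i += 1
    return dt.strftime("".join(out))


def render(fmt, year, month, day, hour=0, minute=0, second=0):
    """Convenience wrapper: build the datetime and format it portably."""
    return strftime_portable(datetime.datetime(year, month, day, hour, minute, second), fmt)


def libc_honours_dash_flag():
    """True if this platform's C library understands %-d (glibc/BSD do; the Windows CRT does not)."""
    try:
        return datetime.datetime(2020, 8, 3).strftime("%-d") == "3"
    except ValueError:
        return False


if __name__ == "__main__":
    print(render("%-m/%-d/%Y %-H:%M:%S", 2020, 8, 3, 7, 5, 9), libc_honours_dash_flag())
```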
How, and what files specifically, do I configure to get data into Splunk Enterprise from the localhost? I thought it would be as simple as modifying the inputs.conf that I created (shown below), but that didn't change anything. Thoughts?

    \Splunk\etc\apps\SplunkForwarder\local\inputs.conf

similar to the inputs.conf file on my system with the Universal Forwarder:

    \SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf

Setup:

    Sys1: Windows 10, Splunk Enterprise
    Sys2: Windows 10, Universal Forwarder

Logs from Sys2 are in Splunk Enterprise, but I can't see anything from Sys1. Thanks!
Hi everyone! We're sending events to Splunk using the HTTP Event Collector but we have an issue when we try to search for that data (using fields).

Example event data:

    {
      "event": "Sample message",
      "sourcetype": "my-backend-json",
      "fields": {
        "function.name": "lambda-2",
        "function.version": "0.0.1",
        "function.env": "prod",
        "function.flow": "cashin",
        "function.country": "ARG",
        "request.awsRequestId": "0000001",
        "user.accountId": "00001",
        "logtype": "error"
      }
    }

We see the events in Splunk search. But the issue is that when we select any field for filtering data, Splunk returns 0 results. Any ideas? Thank you!
Hi,

In my Splunk events, I have multiple jobNames and their corresponding statusText. For one jobName, there will be multiple events with different statusText. I need to identify all jobNames whose latest/current status is 'Running', i.e. for the latest entry for a specific job, the status should be Running.

I tried the below, but the stats by statusText shows all the statuses for a specific job. As such it does

    index=batch firm* | stats latest(timestamp) as Time by jobName, statusText | where statusText=Running

An example of some events for one specific job can be as follows. The job example below should not appear in my results as the latest status is 'SUCCESS'.

FYI - The Splunk _time for the 3 events is exactly the same. The differentiation comes in the timestamp field. As such I cannot use latest(statusText).

    timestamp="2020-08-20 03:18:35.0", eventNum="575452832", jobId="887395", jobName="firm_fisp1_ov_D8117", boxJobName="firm_fisp1_postov_box_1", eventCode="101", eventText="CHANGE_STATUS", statusCode="4", statusText="SUCCESS", alarmCode="0", exitCode="0", machine="frmlxap1p1.prudential.com", runNumber="90859630", attemptNumber="1"
    timestamp="2020-08-20 03:18:28.0", eventNum="575452821", jobId="887395", jobName="firm_fisp1_ov_D8117", boxJobName="firm_fisp1_postov_box_1", eventCode="101", eventText="CHANGE_STATUS", statusCode="1", statusText="RUNNING", alarmCode="0", text="Executing at WA_AGENT", exitCode="0", machine="frmlxap1p1.prudential.com", runNumber="90859630", attemptNumber="1"
    timestamp="2020-08-20 03:18:28.0", eventNum="575452820", jobId="887395", jobName="firm_fisp1_ov_D8117", boxJobName="firm_fisp1_postov_box_1", eventCode="101", eventText="CHANGE_STATUS", statusCode="3", statusText="STARTING", alarmCode="0", exitCode="-21", machine="frmlxap1p1.prudential.com", runNumber="90859630", attemptNumber="1"

Any help will be appreciated!
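Added example in Python, not the poster's search. The logic needed is "pick the last event per job, ordered by the timestamp field and then by eventNum, since _time ties", then keep the jobs whose last status is RUNNING. The first three events are the ones posted above; the second job is constructed so there is something to find. In SPL the same idea is a sort followed by dedup, e.g. `| sort 0 jobName -timestamp -eventNum | dedup jobName | where statusText="RUNNING"`. Function names are the example's own.

```python
import re

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn a key="value", key="value" event line into a dict."""
    return dict(KV_RE.findall(line))


def latest_status_by_job(events):
    """Map jobName -> statusText of the last event for that job.

    _time is identical for the STARTING/RUNNING pair in the question, so the
    ordering key is (timestamp, eventNum): the fixed-width timestamp string
    sorts lexically as time, and eventNum (a monotonically increasing integer)
    breaks ties within the same second.
    """
    latest = {}
    for ev in events:
        key = (ev["timestamp"], int(ev["eventNum"]))
        job = ev["jobName"]
        if job not in latest or key > latest[job][0]:
            latest[job] = (key, ev["statusText"])
    return {job: status for job, (_, status) in latest.items()}


def jobs_with_status(events, status="RUNNING"):
    """Sorted jobNames whose latest event carries `status`."""
    return sorted(j for j, s in latest_status_by_job(events).items() if s == status)


# The three events from the question for firm_fisp1_ov_D8117 (latest is
# SUCCESS) plus a constructed second job, firm_fisp1_ov_D8118, that is still
# RUNNING. Deliberately not in chronological order.
SAMPLE_EVENTS = [parse_event(line) for line in [
    'timestamp="2020-08-20 03:18:28.0", eventNum="575452821", jobId="887395", jobName="firm_fisp1_ov_D8117", boxJobName="firm_fisp1_postov_box_1", eventCode="101", eventText="CHANGE_STATUS", statusCode="1", statusText="RUNNING", alarmCode="0", text="Executing at WA_AGENT", exitCode="0", machine="frmlxap1p1.prudential.com", runNumber="90859630", attemptNumber="1"',
    'timestamp="2020-08-20 03:18:35.0", eventNum="575452832", jobId="887395", jobName="firm_fisp1_ov_D8117", boxJobName="firm_fisp1_postov_box_1", eventCode="101", eventText="CHANGE_STATUS", statusCode="4", statusText="SUCCESS", alarmCode="0", exitCode="0", machine="frmlxap1p1.prudential.com", runNumber="90859630", attemptNumber="1"',
    'timestamp="2020-08-20 03:18:28.0", eventNum="575452820", jobId="887395", jobName="firm_fisp1_ov_D8117", boxJobName="firm_fisp1_postov_box_1", eventCode="101", eventText="CHANGE_STATUS", statusCode="3", statusText="STARTING", alarmCode="0", exitCode="-21", machine="frmlxap1p1.prudential.com", runNumber="90859630", attemptNumber="1"',
    'timestamp="2020-08-20 03:19:02.0", eventNum="575452901", jobId="887396", jobName="firm_fisp1_ov_D8118", statusCode="1", statusText="RUNNING"',
    'timestamp="2020-08-20 03:19:02.0", eventNum="575452900", jobId="887396", jobName="firm_fisp1_ov_D8118", statusCode="3", statusText="STARTING"',
]]

if __name__ == "__main__":
    print(jobs_with_status(SAMPLE_EVENTS))
```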
Hello Community,

I want to schedule an alert if the ExceedHigh OR ExceedLow column breaches 3 times in a row. I have a few columns, say Highest, Lowest, ExceedHigh, ExceedLow, and the values are:

    Highest  Lowest  ExceedHigh  ExceedLow
    3520     2882    NO          NO
    3502     2860    YES         NO
    3590     2941    YES         YES
    3705     2890    YES         YES
    3474     3028    NO          YES

If the ExceedHigh OR ExceedLow values breach (the values are YES, YES, YES in a row ONLY) then the alert should be triggered, with a last-15-min time range and a scheduled frequency of 24 hours. Please help.
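Added example (not the poster's alert). The condition is a run-length check per column over time-ordered rows: alert when either ExceedHigh or ExceedLow shows YES in three consecutive rows, with a YES in one column not extending a run in the other. The rows are the five posted above; function names are the example's own. The only subtlety worth carrying into the real search is ordering: the rows must be in time order before a "3 in a row" count means anything.

```python
def longest_yes_run(values, target="YES"):
    """Length of the longest run of consecutive `target` values, in the order given."""
    best = cur = 0
    for v in values:
        cur = cur + 1 if v == target else 0
        best = max(best, cur)
    return best


def breaching_columns(rows, columns=("ExceedHigh", "ExceedLow"), threshold=3):
    """Columns with at least `threshold` consecutive YES values.

    Rows must already be in time order (sort the search results by _time
    before applying this); a run is counted per column, so YES in ExceedHigh
    followed by YES in ExceedLow does not combine into one run.
    """
    return [c for c in columns if longest_yes_run(r[c] for r in rows) >= threshold]


def should_alert(rows, **kw):
    """True if any watched column breached `threshold` times in a row."""
    return bool(breaching_columns(rows, **kw))


# The five result rows from the question, in the order posted.
ROWS = [
    {"Highest": 3520, "Lowest": 2882, "ExceedHigh": "NO",  "ExceedLow": "NO"},
    {"Highest": 3502, "Lowest": 2860, "ExceedHigh": "YES", "ExceedLow": "NO"},
    {"Highest": 3590, "Lowest": 2941, "ExceedHigh": "YES", "ExceedLow": "YES"},
    {"Highest": 3705, "Lowest": 2890, "ExceedHigh": "YES", "ExceedLow": "YES"},
    {"Highest": 3474, "Lowest": 3028, "ExceedHigh": "NO",  "ExceedLow": "YES"},
]

if __name__ == "__main__":
    print(breaching_columns(ROWS), should_alert(ROWS))
```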
<fieldset submitButton="true">
  <input type="multiselect" token="multiselect_token" searchWhenChanged="false">
    <label>Proxy</label>
    <fieldForLabel>Proxy</fieldForLabel>
    <fieldForValue>headers.apiproxy</fieldForValue>
    <search>
      <query>index=apigee sourcetype=apigee_metrics | dedup headers.apiproxy | table headers.apiproxy</query>
      <earliest>-30d@d</earliest>
      <latest>now</latest>
    </search>
    <valuePrefix>headers.apiproxy="</valuePrefix>
    <valueSuffix>"</valueSuffix>
    <delimiter> OR </delimiter>
  </input>
  <input type="time" token="field2" searchWhenChanged="false">
    <label>Time</label>
    <default>
      <earliest>-5m</earliest>
      <latest>now</latest>
    </default>
  </input>
  <input type="dropdown" token="field3" searchWhenChanged="false">
    <label>Operation Path</label>
    <fieldForLabel>OperationPath</fieldForLabel>
    <fieldForValue>OperationPath</fieldForValue>
    <search>
      <query>index=apigee sourcetype=apigee_metrics $multiselect_token$ | stats count by apiStats.operation_path | dedup apiStats.operation_path | table apiStats.operation_path</query>
      <earliest>$field2.earliest$</earliest>
      <latest>$field2.latest$</latest>
    </search>
  </input>
</fieldset>
Hi, I need some help. I've two panels side by side; how do I get them both into one panel?

Chart Model:

    | transaction host startswith="\[Changer\_Montrols\_CR]" endswith="PROFILE=HKEY_LOCAL_MACHINE*******Montrols_CR" | dedup host | rex "\[(?<DeviceType>\w+)" | chart count over FIRMWARE

Chart Firmware:

    | transaction host startswith="\[Changer\_Montrols\_CR]" endswith="PROFILE=HKEY_LOCAL_MACHINE*******Montrols_CR" | dedup host | rex "\[(?<DeviceType>\w+)" | chart count over FIRMWARE

I've tried appendcols; it doesn't get me anywhere.
We took ownership of a website that's full of errors. However, not all errors logged are fatal (e.g. one that stops the user from proceeding in the funnel, or one where it may take a few retries for the user to proceed). What would be a Splunk query or model I can use to find potential errors from the logs that are affecting users in the site funnel (conversion)? Can you write some examples?