I have a large query that keeps failing/timing out because the search head does not have enough RAM. I want to run the data in two halves instead (two runs): one query filtering only half of the alphabet for the values under FieldX, then another one with the rest of the alphabet. I can do something like FieldX=a* OR FieldX=b* ... but I am looking for something more practical to query.
Hi, I'm trying to use the plugin to send SNMP alerts to external devices from Splunk: https://splunkbase.splunk.com/app/3596/#/details

I can see the alerts are getting triggered properly, but on the Spectrum end they are receiving the Splunk SNMP traps with agent-addr as 0.0.0.0 instead of the correct IP address. Because of this Spectrum is unable to trap them. I have attached the screenshot from Spectrum. Is there any way to correct this address to the true IP address of the Splunk server?
I have dropdown input fields to select environment and app name. When I select an environment, the app name input field displays all apps in that region. I gave the option ALL = *; selecting the ALL option displays all apps instead of displaying the apps that belong to the particular environment. Please advise. Below is my source code:

```xml
<form theme="dark">
  <label>SCUP_Perf</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="env">
      <label>ENVIRONMENT</label>
      <choice value="*">ALL</choice>
      <choice value="DEV">DEV</choice>
      <choice value="DEVINT">DEVINT</choice>
      <choice value="QA">QA</choice>
      <choice value="UAT">UAT</choice>
      <default>DEV</default>
      <initialValue>DEV</initialValue>
    </input>
    <input type="dropdown" token="app_name" searchWhenChanged="false">
      <label>APP NAME</label>
      <fieldForLabel>cf_app_name</fieldForLabel>
      <fieldForValue>cf_app_name</fieldForValue>
      <search>
        <query>index=aws sourcetype="cf:logmessage" cf_app_name=$env$-SCUP* | stats count values(cf_app_name) as apps by cf_app_name</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*SCUP*">ALL</choice>
    </input>
    <input type="time" token="field1">
      <label>TIME FRAME</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Avg Memory Used</title>
      <chart>
        <search>
          <query>index=aws sourcetype="cf:containermetric" cf_app_name=$app_name$ | spath memory_bytes | eval usedmb=((memory_bytes/1024)/1024) | timechart span=15m avg(usedmb) as "Average Used MB" by cf_app_name useother=false</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <title>HTTP_Count</title>
      <chart>
        <search>
          <query>index=aws sourcetype="cf:logmessage" cf_app_name=$app_name$ cf_responseCode&gt;=200 | stats count by cf_responseCode</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>PCF App Crash</title>
      <chart>
        <search>
          <query>index=aws sourcetype="cf:logmessage" cf_app_name=$app_name$ CRASHED | eval cf_app_name="/".cf_app_name | regex cf_app_name="/.*" | timechart span=15m count(cf_app_name) by cf_app_name</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <title>PCF- Failed to start app</title>
      <chart>
        <search>
          <!-- Parentheses around the two phrases: AND binds tighter than OR in SPL,
               so without them the second phrase would match events of any app. -->
          <query>index=aws sourcetype="cf:logmessage" cf_app_name=$app_name$ ("Failed to start component" OR "A child container failed during start") | timechart span=1d count(cf_app_name) by cf_app_name</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Disk Capacity</title>
      <chart>
        <search>
          <query>index=aws name=CapacityRemainingDisk | spath ip | spath value | join ip [search index=aws sourcetype="cf:*" cf_app_name=$app_name$ | spath ip] | eval availgb=round(value/1024,1) | timechart span=15m avg(availgb) as avgGB min(availgb) as minGB max(availgb) as maxGB</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>User_Activity</title>
      <table>
        <search>
          <query>index=aws sourcetype=cf* sourcetype="cf:logmessage" cf_app_name=$app_name$ | rename msg as _raw | extract pairdelim=" " kvdelim=":" | rename response_time as cf_rt | table _time, cf_app_name, _raw, cf_activity, cf_rt, cf_responseCode</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
```
Hi guys, I need your swarm intelligence. I'm supposed to write a use case that detects a very specific traffic pattern. Specifically, this is about an SRC system sending a packet to a destination system on destination port 161, and within 10 minutes this destination system sends a "response" "connection" to another system on destination port 69. Here the 2nd destination system can be the 1st SRC system or another. I can't get a real transaction here because there is no identifier except that the 1st destination system becomes the SRC system. I thank you for your time and effort!
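The pattern described above (a host that received traffic on port 161 and then, within 10 minutes, itself opens a connection to port 69, whether back to the original source or to any other host) can be checked outside Splunk with a small two-hop correlation, which is useful for validating a detection before turning it into SPL. This is an added example and is not part of the original post or of Splunk; the record format (`<ISO time> src= dst= dport=`), the field names and the log lines are constructed for illustration. The port pair and the window are parameters, so the same logic applies to any "A to B, then B to C" sequence, not only SNMP followed by TFTP.

```python
"""Two-hop correlation: host that was the *destination* of first_port traffic
becomes the *source* of second_port traffic within a time window.
Added example; record format, field names and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "<ISO time> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2020-08-20T08:00:00 src=10.1.1.5 dst=10.2.2.20 dport=161
2020-08-20T08:04:30 src=10.2.2.20 dst=10.1.1.5 dport=69
2020-08-20T08:30:00 src=10.1.1.5 dst=10.2.2.21 dport=161
2020-08-20T08:45:00 src=10.2.2.21 dst=10.9.9.9 dport=69
2020-08-20T09:00:00 src=10.3.3.3 dst=10.2.2.22 dport=69
2020-08-20T09:10:00 src=10.1.1.5 dst=10.2.2.23 dport=161
2020-08-20T09:15:00 src=10.2.2.23 dst=10.7.7.7 dport=69
"""


def parse(log_text):
    """Parse the constructed key=value records into dicts sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({
            "ts": datetime.fromisoformat(ts_str),
            "src": fields["src"],
            "dst": fields["dst"],
            "dport": int(fields["dport"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, first_port=161, second_port=69, window_minutes=10):
    """Return (first_hop, second_hop) pairs where the destination of the
    first hop (dport == first_port) is the source of the second hop
    (dport == second_port) and 0 <= second.ts - first.ts <= window.
    Every qualifying pair is reported, so one probe followed by two
    second-hop connections yields two hits. The second hop's destination
    is unconstrained: it may be the original source or any other host."""
    window = timedelta(minutes=window_minutes)
    # Index first-hop events by the host that received them; that host is
    # the only link between the two hops, as the post points out.
    by_target = defaultdict(list)
    for ev in events:
        if ev["dport"] == first_port:
            by_target[ev["dst"]].append(ev)
    hits = []
    for ev in events:
        if ev["dport"] != second_port:
            continue
        for first in by_target.get(ev["src"], ()):
            delta = ev["ts"] - first["ts"]
            if timedelta(0) <= delta <= window:
                hits.append((first, ev))
    return hits


def describe(hit):
    """One-line summary of a correlated pair for an alert body."""
    first, second = hit
    return (f"{first['src']} -> {first['dst']}:{first['dport']} at {first['ts']:%H:%M:%S}, "
            f"then {second['src']} -> {second['dst']}:{second['dport']} at {second['ts']:%H:%M:%S}")


if __name__ == "__main__":
    for hit in correlate(parse(SAMPLE_LOG)):
        print(describe(hit))
```

With the sample data the 10-minute window yields two hits (10.2.2.20 answering back to the original source and 10.2.2.23 pushing to a third host); the 15-minute gap for 10.2.2.21 is excluded until the window is widened, and 10.3.3.3's TFTP connection never matches because nothing probed it on 161 first.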
My cluster has IDXs going in and out of detention very quickly (only a couple of seconds of detention). I see messages on the CM like the following:

08-20-2020 08:35:00.682 -0700 INFO CMPeer - peer=XXXXXXXX-2E88-4DBF-8BC5-BA788B8D8083 peer_name=splunkidx7 transitioning from=Up to=AutomaticDetention reason="peer is blocked"

which is then followed soon after by:

08-20-2020 08:35:03.197 -0700 INFO CMPeer - peer=XXXXXXXX-2E88-4DBF-8BC5-BA788B8D8083 peer_name=splunkidx7 transitioning from=AutomaticDetention to=Up reason="heartbeat received."

As you can see, it is only in detention for 2.5 seconds in this case. These had not been happening until just this last week. I've restarted the CM. The status for the CM is all green and it is running fine AFAIK. The disk space is more than fine on the IDXs, and they seem to be running fine. What are the criteria for an IDX being put into AutomaticDetention that I should look at? The second event above seems to point to a communication issue. Is there a config parameter that would give more time to the heartbeat (if that is the problem) that I can apply to make the auto detention not occur as frequently?
Good afternoon. Does anyone know what the procedure would be to migrate a standalone Splunk to a clustered Splunk?

Splunk standalone: 1 SH + 2 IDX
Future cluster: 3 SHC + 6 IDX

How do I migrate the information from the indexers and leave them operational in the future cluster? Any support is appreciated. Regards
I have the following scenario: there are two transactions that I want to monitor. Both occur randomly, and multiple times. I also want to search for some specific events (Events X). These events come in multiple times as well, but sometimes come in during some of those transactions. I want to make a query that searches for all these events that do NOT occur during any of the transactions. I have a temporary query that does what I explain, but it only works for one type of the two transactions. I also have a temporary query that works for the other type of transaction. How can I combine them to search for these events that do not occur during both types of transactions? Here are my queries that work for a single type of transaction:

index="main" OR (<Events X>) | transaction startswith=<Start_Event1> endswith=<End_Event1> keeporphans=true | search (<Events X>)

index="main" OR (<Events X>) | transaction startswith=<Start_Event2> endswith=<End_Event2> keeporphans=true | search (<Events X>)

Any feedback helps.
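The logic the two queries above implement, keep only the Events X that are not absorbed into any transaction, can be stated as interval filtering: build the [start, end] windows for each transaction type, then keep the marker events that lie inside none of them. This is an added example, not part of the original post or of Splunk. Start1/End1, Start2/End2 and X are placeholders for the poster's <Start_Event1>, <End_Event1>, <Start_Event2>, <End_Event2> and <Events X>, the timestamps are constructed, and a start with no matching end is treated as open until the next start of the same kind or the end of the data (an assumption about how the orphaned starts should be handled).

```python
"""Keep events that fall outside every transaction window of several kinds.
Added example; event names and timestamps are constructed placeholders."""
from datetime import datetime

# Constructed sample: "<ISO time> <event name>", X is the event of interest.
SAMPLE_LOG = """\
2020-08-20T10:00:00 X
2020-08-20T10:01:00 Start1
2020-08-20T10:02:00 X
2020-08-20T10:03:00 End1
2020-08-20T10:04:00 X
2020-08-20T10:05:00 Start2
2020-08-20T10:06:00 X
2020-08-20T10:07:00 End2
2020-08-20T10:08:00 Start1
2020-08-20T10:09:00 X
"""


def parse(log_text):
    """Return (timestamp, name) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, name = line.split(maxsplit=1)
            events.append((datetime.fromisoformat(ts), name.strip()))
    return sorted(events)


def transaction_windows(events, start_name, end_name):
    """Build [start, end] windows the way `transaction startswith=... endswith=...`
    groups events: a window closes at its end event, or (assumption) when a new
    start of the same kind arrives, or at the end of the data if it never closes."""
    windows, open_start = [], None
    for ts, name in events:
        if name == start_name:
            if open_start is not None:
                windows.append((open_start, ts))
            open_start = ts
        elif name == end_name and open_start is not None:
            windows.append((open_start, ts))
            open_start = None
    if open_start is not None:
        windows.append((open_start, datetime.max))
    return windows


def outside_all_windows(events, marker, window_specs):
    """Return the marker events that are inside no window of any kind.
    window_specs is a list of (start_name, end_name) pairs, one per
    transaction type, so two (or more) types are combined in one pass."""
    windows = []
    for start_name, end_name in window_specs:
        windows.extend(transaction_windows(events, start_name, end_name))
    return [(ts, name) for ts, name in events
            if name == marker and not any(start <= ts <= end for start, end in windows)]


if __name__ == "__main__":
    kept = outside_all_windows(parse(SAMPLE_LOG), "X",
                               [("Start1", "End1"), ("Start2", "End2")])
    for ts, name in kept:
        print(ts.isoformat(), name)
```

On the sample, only the X events at 10:00 and 10:04 survive: 10:02 sits inside the first Start1/End1 window, 10:06 inside the Start2/End2 window, and 10:09 inside the Start1 transaction that never receives an End1. Window boundaries are inclusive, so an X event sharing a timestamp with a start or end event counts as inside that transaction.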
I am looking to have a search that counts, in days, when the event was for when a person logs in. When a person resets a password, the DC sends the event to Splunk. I am looking to have the timestamp on the event start the clock at 30 days. For every day that passes from the event timestamp of when the person reset the password, I want it to subtract a day. I have played around with | eval time but can't seem to get the correct search.
I currently have a Windows 10 local Splunk server for development purposes. After installing Splunk Add-on Builder 2.2.2 on Splunk Enterprise 7.35, I'm getting the following error:

Unable to initialize modular input "validation_mi" defined in the app "splunk_app_addon-builder": Introspecting scheme=validation_mi: script running failed (exited with code 255).

I've tried installing through Splunk as well as extracting the .tgz and .tar file and copying the uncompressed folder to the $splunk_home/etc/apps/ folder, and it still throws this error. (HEEEEELP.) Any help would be greatly appreciated. I'm not sure if this is causing other errors in my Splunk app development or if they are just other screwups from my end. Thanks ahead of time.
Hi team, I was trying to add an input for the Yahoo API and am getting the error below:

Argument validation for scheme=yahoo_weather_api: script running failed (exited with code 255).

Please let me know if anything could be tried.
If I have the below results:

server_name  secondary_id
server1      KB4571703
server1      KB4570508
server1      KB4566425
server2      KB4578013
server3      KB4569751
server3      KB4561600
server3      KB4565351
server4      KB4571703
server4      KB4570508

I would like to combine all instances of "server_name" into one row, similar to below:

server_name  secondary_id
server1      KB4571703
             KB4570508
             KB4566425
server2      KB4578013
server3      KB4569751
             KB4561600
             KB4565351
server4      KB4571703
             KB4570508

Any ideas on how this could be achieved?
Hello again, I hope not to disturb. I need to activate SHA256 encryption. What I have investigated is that it is a function that does not come active by default in Splunk. This link gives information, but I have a couple of doubts. The first is whether the information is still valid, since it is 8 years old. The second is that the audit.conf file does not exist in the path /splunk/etc/system/local, so I understand that I must create it; it is not clear to me what information should go on the whitelist or on the blacklist: the extension of the logs? The name of any indexer? Should it be done on the indexers or on the search head? I see another article on the integrity of the information. Does it do the same? Or which option is better?

Note: whenever possible, I would appreciate it if you specify the paths when mentioning a file, since either I am very stupid or all forum users know by heart the paths where each of the files are located.
Hello, I would like to make a dashboard panel that is a table showing total successful logins in one row and total failed logins in another row. The base searches for the two are:

index=myindex EventCode=4624 host=myhost1 user=user* | stats count (successful)

index=myindex EventCode=4625 host=myhost1 user=user* | stats count (failed)

Can anyone help me with how I would display these separate searches in a single dashboard panel?
Hello Team, I am looking to integrate AppDynamics and Kafka. I need to write AppDynamics metrics, events, and health rule violations into a Kafka topic. Any help!! Thanks.

^ Edited by @Ryan.Paredez for clarity.
Following up on my previous question's context (https://community.splunk.com/t5/Splunk-Search/How-to-make-the-time-readable-in-stats-latest-time/m-p/515118#M144605): thanks for solving my previous problem!

I have events with the following fields: Agent_Hostname, _time, alertStatus_1, temperature. I want to find the latest event for each Agent_Hostname value, but report all fields of those latest events. The following query provides close semantics, but it does not provide the temperature field:

index=snmptrapd | stats latest(_time) as latestTime by Agent_Hostname alertStatus_1 | eval latestTime = strftime(latestTime, "%F %T")

What I actually want is the latest status of the Agent_Hostname with the full event's values. It is more like the following, with some mechanism to show all fields:

index=snmptrapd | stats latest(_time) as latestTime by Agent_Hostname | eval latestTime = strftime(latestTime, "%F %T")

In terms of outcome, I want to have an additional field of temperature added to the following:

Agent_Hostname  alertStatus_1  latestTime           Temperature
l20-tempmon     normal         2020-08-20 03:30:09  ?
l18-tempmon     critical       2020-08-19 21:07:50  ?
l16-tempmon     critical       2020-08-19 12:41:00  ?

Thanks again!
Hello All, when I try to create an Alert I get this error:

Argument "action.deimos" is not supported by this handler.

Does anyone know what this error means? I'm a power user in my org's Splunk instance. Any help is appreciated. Thanks
Hi, I have an issue forwarding application logs (text files) to Splunk. Windows Event Logs are forwarded and indexed properly, but text files on a local drive are not. Do you have any idea what the cause of this problem is? Thank you.
Hello, when the trial version expires, is it possible, when reinstalling Splunk, to keep the buckets from the old Splunk installation? Thank you
I've made the following multi-series line chart (details) where it makes much more sense to have the Y axis on the right-hand side, as that's where the most recent values are charted. Unfortunately, I can't see a way to do this. The most common recommendation that I've found is to use an overlay, but it seems that that's incompatible with multi-series mode. Can anyone help?
Hi All, can someone suggest an easy way to convert the status indicator panels into a list view of a dashboard? Thanks in advance!