All Topics

Hi All, We monitor 29 Windows servers in our environment with a mixture of Server 2012, 2016 and 2019. The following search gives me updates for all of our Windows servers, except for 3 Windows Server 2016 domain controllers. We use the following search criteria:

tag=Windows_Update package=* | dedup package, host | eval status=if(eventtype=="Update_Successful", "Success", if(eventtype=="Update_Failed", "Failed", "NA")) | search NOT status="NA" | stats latest(_time) as ltime, count by status, host, package | convert ctime(ltime) | eval lsuccess="Successful at (".ltime.")" | eval lfail="Failed at (".ltime.")" | eval lstatus=if(status=="Success",lsuccess,lfail) | stats values(lstatus) as Status_History by host, package | sort host,package | eval scount=mvcount(Status_History) | eval Last_Status=if(scount>1,"Success",if(match(Status_History, "Success*"),"Success","Failed")) | table host, package, Last_Status, Status_History | sort host,package

Any thoughts on why we do not see updates for the 3 domain controllers? Thanks, Bob
Hi, I have a query which I use for generating a timeline visualization: is there a way to get an image for this visualization using an API? We need to attach this image to a test report we send at the end of the tests. As everything is happening in an automated environment, we need to get this via an API. This visualization gets generated using the Timeline visualization Splunk app (not sure if that's relevant here).
I need to use a field for a drill-down link that can't be in the table. Normally I would use the answer from here, which is to use the <fields> tag in the XML area; however, since I have a multi-select in my search which adds to the table's fields, <fields> won't work. In the link I posted someone suggested that I use an underscore, however that did work for me. Can anyone tell me what I am doing wrong here, or if there is a way to use <fields> with a multi-select? The token $fieldsANI$ is my multi-select.

<panel depends="$ShowANI$">
<input type="multiselect" token="fieldsANI" searchWhenChanged="true" id="resized_input1">
<label>Add other Fields</label>
<choice value="Codec">Codec</choice>
<choice value="Codec_List">Codec_List</choice>
<choice value="Dis_Init">Dis_Init</choice>
<choice value="Sip_Resp">Sip_Resp</choice>
<choice value="rnum">rnum</choice>
<choice value="Minutes">Minutes</choice>
<delimiter> </delimiter>
<search>
<query> ANI=$ANI$ | fillnull | eval Caller_Location=if(isnull(Caller_Location),"UnKnown",Caller_Location) by Caller_Location,Routing_Location,rdest,Called_Country_ID,$fieldsANI$ | eval Routing_Location=Routing_Location+" ("+rdest+")" | eval rdest=_rdest | eval Called_Country_ID=_Called_Country_ID | table Caller_Location,Routing_Location,_rdest,_Called_Country_ID,$fieldsANI$ | fields - Seconds | sort -Attempts</query>
<earliest>$Time_Range.earliest$</earliest>
<latest>$Time_Range.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="wrap">false</option>
<drilldown>
<link target="_blank">https://art.comp.net/#/routing?country=$row._Called_Country_ID$&amp;location=$row._rdest$</link>
</drilldown>
Hi,  In the description of the TA-linux_secure app, it states: It is intended to replace the security-relevant aspects of the Splunk Add-on for Unix and Linux (Splunk_TA_nix) and as such it's strongly recommended that the Splunk_TA_nix app be removed from your search head before installing this app as they may conflict.  My org is using the Splunk_TA_nix app, and I'm trying to figure out how these two apps might conflict.  From what I can tell the only thing that might conflict are perhaps some of the configurations in props.conf. But then again, wouldn't that be solved since Splunk would use the Splunk_TA_nix settings over TA-linux_secure settings (because of lexicographical order)? Perhaps you @doksu have some more insights? 
Hi, I can't grasp the concept of dedup_splitvals. I was writing a search for a pie chart on my dashboard, something like this: index=* ... | stats count by field1, field2, field3 It returns a table, let's say it looks like this: field1 field2 field3 count a b   8 a c   4     d 150     e 25   When I click on the first row, I see only 2 events, while the count in stats says 8. This was driving me crazy for hours. I stumbled upon dedup_splitvals in the documentation and decided to add it to my stats command: index=* ... | stats count by field1, field2, field3 dedup_splitvals=true And it worked like a charm! Counts in the table are now equal to the number of events in the search. But I still don't understand what's going on. The documentation says: Syntax: dedup_splitvals=<boolean> Description: Specifies whether to remove duplicate values in multivalued BY clause fields. What does this mean? What kind of duplicate values? Can anyone explain this?
Hello! Is it possible to receive logs on multiple ports on the HTTP Event Collector (Splunk HEC)? Thanks in advance, Rashid
By reading https://docs.appdynamics.com/display/PRO45/Configuration+Import+and+Export+API I found out how to export and import various types of configuration, but what about rules for service endpoints and scopes? How do I go about exporting and importing those? Thanks, Mattias
Hi all, Do you know how to set up the frequency for the sourcetype="kube:objects:pods" events? Right now, in our setup, the events are being refreshed in Splunk every 15 minutes and I would like that frequency to be lower. Many thanks for help in advance. - Stefan
Hello, I got a result like below from the Splunk query: ABC123 DEF456 GHI789 But I want to show it like below: ABC DEF GHI
Below is my existing query: I want to add certain common fields with different values for the respective indexes. How can I add them and get the filtered count of events? Please help me in tuning the query ASAP. Here I'm attaching the different fields for the respective indexes:
I want to build a chart with two values: Inactive Users based on Customer ID, and the Active Users who have used the service in the last 30 days.

index=prod earliest=-30d AND latest=now | eval Total = mvdedup(customerId) | timechart span=1d dc(customerId) as "Active Users"

The above code gives me the chart for Active Users in the last 30 days. From all-time data I want to get the count of Total Users and then derive the Inactive Users (Inactive = Total Users - Active Users). Please help me to rewrite the query to generate the required data.
Hey All, I am currently facing an issue while trying to configure the app "ServiceNow Security Operations Addon". I am getting an error message saying "Error while posting to url=/servicesNS/nobody/TA-ServiceNow-SecOps/TA-ServiceNow-SecOps_setup/myinstance/sn_instance". I am entering the correct credentials & URL for the ServiceNow instance but it is still giving me the error message. I don't know any place where I can scan for error logs. Please help and kindly reply if you have any resolution or any kind of guidance for the same. Any help will be greatly appreciated.
Hi team, I have created a lookup table and I have a dashboard which makes use of the values in the lookup table. The dashboard has a dropdown which has values from one of the columns in the lookup table. I want to update the dashboard panel based on the selected dropdown value and show a trend graph plotting data from another column of the lookup table. Can someone help in building a query for the same? shari

<form>
<label>Transaction Trend</label>
<description>Shows the response time trend graph of a particular transaction</description>
<fieldset submitButton="true" autoRun="false">
<input type="dropdown" searchWhenChanged="true" token="transaction">
<label>Transaction</label>
<fieldForLabel>Transaction Name</fieldForLabel>
<fieldForValue>Transaction Name</fieldForValue>
<search>
<query>| inputlookup test.csv | stats count by "Transaction Name"</query>
</search>
</input>
</fieldset>
<row>
<panel>
<chart>
<title>90% response time trend</title>
<search>
<query>| inputlookup test.csv |table $transaction$, 90%</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
</form>
Hi everyone, I'm looking for how to add information on a graphical point. My graph shows only an average and an ofnumber. How do I add information from the same line, like the Date or the bench number for example, without adding a double or triple x axis? Thanks
Hey! I created a custom visualization and now I need to edit the search query when I do some stuff there. For example: the query was " source='test.csv' " and I need to add " | union source='test1.csv' " to get " source='test.csv' | union source='test1.csv' ". The visualization includes only a canvas.
Hello, I have a log like this: ABC=true,DEF=false,GHI=false,JKL=true I want to show only ABC and JKL in the result, because these have the value true. The result should be like below: ABC JKL
My previous team has set a static host name in the input.conf. I am currently trying to use the IP as the host name. I had tried using host_segment=3 and it did not work. Any suggestions?

[default]
host = IDSPGASPVLOGP01

[monitor:///opt/syslog/172.16.43.126/*/*/*]
disabled = 0
sourcetype = cisco:ios
interval = 30

[monitor:///opt/syslog/172.16.63.77/*/*/*]
disabled = 0
sourcetype = cisco:ios
interval = 30

[monitor:///opt/syslog/172.16.43.30/*/*/*]
disabled = 0
sourcetype = cisco:ios
interval = 30
How can I join two query tables based on a common column (host), but display all columns from the 1st table and just 1 column (the Incident column) from the 2nd table?
This is the search I am using to extract key/value pairs from the field "RID" with multivalued "DEF":

| rex max_match=0 field=RID "(?P<key>[A-Z]+)\s+:\s+(?P<value>[^\n|\"]+)\"?,?"

RID= "ABC: ABC-2017-5715 DEF: 4057120 DEF : 4088779 DEF : 4088782 DEF : 4088786 XYZ : https://portal.msrc.microsoft.com/en-US/"

This works fine when performed from the GUI and the values are extracted into the new fields key & value. But the same thing, when applied through transforms.conf, doesn't extract anything.

# extract multiple fields within source_key and give them key=value
SOURCE_KEY = RID
#REGEX = ([A-Z]+)\s+\:\s+([^\s|\n|\"]+)\"?,?
REGEX = ([A-Z]+)\s+:\s+([^\n|\"]+)\"?,?
FORMAT = $1::$2
MV_ADD = 1

The above is the extraction used in transforms.conf with the appropriate reference in props.conf. Has anybody faced something similar and been able to fix it?
I had to thaw data from index abc from 1 Dec 2019 to 30 Dec 2019. Steps performed: 1. Copied buckets into the thaweddb folder 2. splunk rebuild bucket_name 3. Rolling restart of the indexer cluster. I reviewed the data in index=abc and noticed only 1 sourcetype's events got thawed. However, there are 4 more sourcetypes listed in the bucket's SourceType.data file after rebuilding it. Any suggestions why not all sourcetypes' data got thawed?