Hello, in Splunk Cloud, how do I change the background color and centre the links? Please find the code below:

<dashboard stylesheet="sample_dashboards.css" theme="dark">
  <row>
    <panel>
      <html>
        <style>.btn-primary { margin: 5px 10px 5px 0; }</style>
        <p>
          <a href="https://xyzabc.com" style="color:white;">BLOCK</a>
        </p>
      </html>
    </panel>
Hello, I need to include a static image in Splunk Cloud. In the content below, how can I include a static image?

<row>
  <panel>
    <html>
      <style>.btn-primary { margin: 5px 10px 5px 0; }</style>
      <p>
        <a href="https://abcxyz" style="color:white;"> BLOCK</a>
      </p>
    </html>
  </panel>

Thanks
Hi, in order to remove an index, how can we be sure that the index is not being used? What should we check before removing any index?
Hi everyone, I need to put these fixed values into the Interval_tolerance column. Does anybody have an idea? Thanks
Everyone, I need help on an issue of event blocking for a Splunk setup which would receive events from a web page that would be passed forward to a Splunk webhook alert to get triggered. There would be many events coming to Splunk from this web page, like the following (the latest event received is placed on top):

ID  Process Name  Receive Time  Trigger Status
2   xyz           17th Aug 4PM  Queued
1   abc           17th Aug 3PM  Queued

My requirement is as follows:
1. If any new event comes to Splunk with the same process name, I need to block the event from getting triggered by the webhook alert.
2. This new event should be permanently blocked.
3. If the older event changes its state to Completed, then any OTHER new event (not blocked in step 2) should be eligible to get triggered by the webhook alert.

To summarize: if, during the time between the older event's status changing from "Queued" to "Completed", any new event gets sent to Splunk, it needs to be blocked permanently. But if the older event's status changes to Completed AND THEN any other new event comes to Splunk, then it needs to flow ahead to the webhook trigger. Let me know your inputs.
Error on the search head: KV Store process terminated abnormally. I have verified the expiry of the server.pem file and the permissions of the file E:\Program Files\Splunk\var\lib\splunk\kvstore\mongo\journal\lsn. Everything looks good, but the error keeps coming up. Has anyone else faced a similar situation? Are there any configuration settings I am missing?
I want to use the Machine Learning Toolkit to detect outliers. I've made a query with earliest=-2mon@mon latest=@mon to let Splunk determine the values for outliers for that period. I want to run the search every day and let the alert send an email when a new outlier is detected since the last run. I can't find out how to do this. Every time the search runs, it detects all outliers of the last 2 months.
Hi there, I'm very new to the Splunk infrastructure. We are running 8.0.3 Enterprise and there is a thing that I do not understand. When I restart our search heads, the first login "stalls" after entering the username/password before the GUI loads. It might also happen again later, I'm not sure. Also, I get the "a new version is available" message after each restart, even though I tried all the answers I found to disable the update checking. But I still suspect it to be the culprit. The delay happens while waiting for data from "/en-GB/app/launcher". The search heads try to contact 35.164.43.215:443 and 34.218.138.15:443. Our Splunk environment does not have direct internet access, so those time out (but yet, it somehow found that a new maintenance version is available?). I have set updateCheckerBaseURL to "0" as advised by other answers (btool outputs from a search head):

splunk btool web list settings --debug | grep updateCheckerBaseURL
/srv/splunk/etc/apps/oediv_all_search_base/local/web.conf  updateCheckerBaseURL = 0

Internet access is supposed to be disabled completely, I think?:

splunk btool server list applicationsManagement --debug
/srv/splunk/etc/apps/oediv_cluster_search_base/local/server.conf  [applicationsManagement]
/srv/splunk/etc/apps/oediv_cluster_search_base/local/server.conf  allowInternetAccess = false

What else can I do to stop it trying to access the internet? The delay is annoying but not really a disaster, I just want to understand what's happening there. Thanks in advance, Frank
Hi Team, can you please help me with configuring SAML for migrating Splunk to Okta? I work for Service NSW and I need to know the steps for this matter. This is what we found on Google: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Splunk-Enterprise.html. If there are other clearer and better documents you can provide to us, it would be great. Thank you
Hi, the screenshot presented below shows that there are 2 pairs that negate each other, which should equal 0 on column1, and the same with column2. With that in mind, the total value should be 0, right? But upon rounding it to the 13th decimal place and beyond, it no longer equates to 0. I've attached a search query that will replicate the issue stated above.

| makeresults | eval column1=600.0000
| append [| makeresults | eval column1=390.0000]
| append [| makeresults | eval column1=355.0000]
| append [| makeresults | eval column1=575.0000]
| append [| makeresults | eval column1=355.0000]
| append [| makeresults | eval column1=590.0000]
| append [| makeresults | eval column1=600.0000]
| append [| makeresults | eval column1=355.0000]
| append [| makeresults | eval column1=-600.0000]
| append [| makeresults | eval column1=-590.0000]
| append [| makeresults | eval column1=-355.0000]
| append [| makeresults | eval column1=-575.0000]
| append [| makeresults | eval column1=-355.0000]
| append [| makeresults | eval column1=-390.0000]
| append [| makeresults | eval column1=-600.0000]
| append [| makeresults | eval column1=-355.0000]
| eval column2=round(column1/1.12,20), column1=round(column1,20)
| addcoltotals

Thank you.

Regards, Raj
Greetings. I'm using GSuite for Splunk. I can get data, but I cannot get data periodically. I set the frequency to 900 sec and it gets data when I save the configuration, but it gets data only that one time and then stops. Another application's input is working fine. Could you advise me how to troubleshoot this issue?
Hello, I have an issue where I run a Splunk search via splunklib (client.jobs.create) with a given query that is limited to recentTime < now() - ( 900 ), and I always get some result lines that don't match the query I ran (i.e. results from 2020-06-26). The same query doesn't return these values when run in Splunk. I'm unsure what's causing this issue.
In Splunk charting, there is a property showDataLabels; its options are: all | minmax | none. It shows data values on a chart. But I need to show data labels on a chart whose values come from another data series, not the one that was used for plotting. For example, here I plot the USD series while showing data labels from the % series:

            Q1    Q2    Q3
Shop1, USD  50    100   100
Shop1, %    25%   20%   10%
Shop2, USD  150   400   900
Shop2, %    75%   80%   90%

I attach a screenshot of the resulting chart. Currently I do it in an MS Excel chart (in the attached screenshot, it's the setting Label Options - Values From Cells), but I want to migrate to Splunk. Is it possible in Splunk?
Hello Team, can someone help me with creating a query to report if there are multiple blocked requests from a single IP? Please find the sample alert below. Please email me at colwinrebeiro.rajendran@hidglobal.com.

action: BLOCK
httpSourceId: 555662058394-app/ALB-EXT-ORIGO-API-CERT/611b0867bb7ac42c
webaclId: arn:aws:wafv2:us-east-1:555662058394:regional/webacl/WEBACL-ALB-EXT-ORIGO-API-CERT/b83fd96e-c7ae-4c20-93cb-4a2b1404e57e
httpRequest.uri: /
httpRequest.clientIp: 185.185.41.193
ruleGroupList{}.terminatingRule.ruleId:
terminatingRuleType: REGULAR
terminatingRuleId: Default_Action

Regards, Colwin
I am using `transaction` to trace email delivery through a chain of postfix relays, and I end up with a transaction where each relay reported a `status=`. In the normal case all of these are `status=sent`, but now and then I see `status=bounced` or `status=deferred`. How do I search for the non-success `status` when there are multiple success ones and only one non-success? If I add `| search NOT status=sent` to the search, nothing gets matched because there is almost always a `status=sent`. Sadly, `| search status != sent` seems to behave the same way. I could list all the other possible values so I can have `| search status=bounced OR status=deferred`, but this is not what I am looking for.
In ES Content Management, if I click the subsearch, it brings me to the edit page. But when I click search or view, it displays a blank page. Where can we find the details of the search and view? In ES, can we go to the Search menu and run the subsearch, or does the subsearch have to be run in Content Management as a scheduled job? Thanks
I have an index, and I want to know the list of all display fields and the field descriptions for this index without running a search. Where in Splunk Enterprise Security can we find this info?
I am trying to use data models in my subsearch, but it seems it returns 0 results.

| datamodel disk_forecast C_drive search
| join type=inner host_name
    [ | datamodel disk_forecast C_drive search
      | search value > 80
      | stats count by host_name
      | lookup host_tier.csv host_name output host_name, tier
      | search tier = G
      | fields host_name ]
| timechart span=1d first(value) by host_name limit=0

I tried using normal searches to replace the data model and it worked fine. Is there any restriction on using datamodel in a subsearch?
I am planning to use DB Connect in my workflow. Right now all our lookups lie on SH nodes. I want to add/update processed data to the DB from SH nodes (in a clustered env). Is it possible to do so using the dbxoutput command? NOTE: the processed data is created from some intermediate lookups which lie on SH nodes.
I have a CSV (domains.csv) that contains a list of domains. I have uploaded it into Splunk and get the result using [| inputlookup domains.csv]. Splunk is getting the data from the email system for inbound/outbound emails. I want to check which of the domains on my list are using email security protocols like TLS, SPF, DKIM and DMARC. How can I get that info?

index="pp_index" sourcetype="pp_messagelog" [| inputlookup domains.csv ]