Hello everyone! I am using a Python script to send some data to a Splunk instance on my own machine. The code is something like this:

service = client.connect(host='localhost', port=8089, username='SOMETHING', password='SOMETHING2')
myindex = service.indexes["indexName"]
myindex.submit(jsonData, sourcetype="bobby", host="local")

Is there any way to "tell" Splunk not to index anything duplicated? That is, anything that already exists in the index. I know I could mess with the script to avoid sending duplicates, but if Splunk could do it, things would be easier. Thanks!
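Since the indexer will not refuse an event just because an identical one is already in the index, the practical place for the check is the sending script, before myindex.submit() is called. The following is an added example, not code from the original post: each event is reduced to canonical JSON and hashed, digests already seen are skipped, and the digest set is kept in a small state file between runs. The state-file path, the event shape and the submit callable are assumptions.

```python
"""Client-side de-duplication before events are handed to myindex.submit().

Added example, not code from the original post: Splunk's indexer will not
refuse an event just because an identical one already exists in the index,
so the check has to happen in the sending script. Each event is reduced to
a canonical JSON string and hashed; digests already seen are skipped and the
set of digests is kept in a small state file between runs. The state-file
path, the event shape and the submit callable are assumptions.
"""
import hashlib
import json
import os
from typing import Callable, Dict, Iterable, List, Set

STATE_FILE = "sent_digests.txt"  # assumed location of the persisted digests


def event_digest(event: Dict) -> str:
    """SHA-256 over canonical JSON, so key order and whitespace do not matter."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def load_seen(path: str = STATE_FILE) -> Set[str]:
    """Read previously sent digests; an absent file means nothing was sent yet."""
    if not os.path.exists(path):
        return set()
    with open(path, "r", encoding="utf-8") as fh:
        return {line.strip() for line in fh if line.strip()}


def save_seen(seen: Set[str], path: str = STATE_FILE) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(sorted(seen)) + "\n")


def filter_new_events(events: Iterable[Dict], seen: Set[str]) -> List[Dict]:
    """Return only events whose digest is not in `seen`, adding them to `seen`.

    Duplicates inside the same batch are dropped too, since the digest is
    added as soon as the first copy is accepted.
    """
    fresh = []
    for event in events:
        digest = event_digest(event)
        if digest in seen:
            continue
        seen.add(digest)
        fresh.append(event)
    return fresh


def submit_new(events: Iterable[Dict], seen: Set[str],
               submit: Callable[..., object]) -> int:
    """Submit unseen events through `submit` (e.g. myindex.submit) and return
    how many were sent. The Splunk SDK expects the event as a string."""
    fresh = filter_new_events(events, seen)
    for event in fresh:
        submit(json.dumps(event), sourcetype="bobby", host="local")
    return len(fresh)


# Constructed sample batch: the second record is the first with keys reordered.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "ts": "2020-08-06T15:02:47Z"},
    {"ts": "2020-08-06T15:02:47Z", "action": "login", "user": "alice"},
    {"user": "bob", "action": "logout", "ts": "2020-08-06T15:03:10Z"},
]

if __name__ == "__main__":
    seen = load_seen()
    sent = submit_new(SAMPLE_EVENTS, seen,
                      lambda ev, **kw: print("would submit", ev, kw))
    save_seen(seen)
    print(f"{sent} new event(s) submitted")
```

In the real script, pass myindex.submit as the submit callable and call save_seen() only after the batch went through, so a failed run does not mark events as sent. The canonical form is what makes the check robust: two copies of the same record with keys in a different order hash to the same digest.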
In my environment there are 2 indexer clusters, i.e. cluster 1 and cluster 2. I need to disable the perfmon index in cluster 1 for the time being. In future, it may be required to re-enable the index. So, what will be the workaround for that? Do we need to route data to the null queue or do we need to create the last-chance index?
Hi All, I installed an app with its TA add-on, adjusted the FW rules, and created the inputs with the appropriate credentials... but I still don't see any data. Any help as to where I can look to troubleshoot?
Is it open for third parties to develop content packs for ITSI? If yes, is there any documentation on how? In the link below, it mentions a beta program; however, the link for signing up is broken. How do you sign up for the beta program?

"To participate in the beta program for the new ITSI Content Library, sign up at splunk.com/beta-content-library. The Content Library offers the ability to install content packs directly through the UI. Future versions might include selective install of objects, previews of objects to be installed, and other features suggested by beta participants."

https://docs.splunk.com/Documentation/ITSICP/current/Config/About

Thanks
So my data structure has four columns: "Month", "Status", "Accepted", "Value". As the title suggests, I'm trying to determine two things: 1) the total values per month, 2) the total values per month where Status=Done and Accepted=Done. I have the query working for the first one but I'm having difficulty with the second. Does anyone have any ideas how to do this? Thanks!

index=index | table Month, Status, Accepted, Value | eval _time=strptime(scan_date,"%Y-%m-%d") | stats sum(Value) as total_value_per_month by Month
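One way to get both totals from a single stats call, added here as an example and not the poster's own query: an eval zeroes Value for rows that are not both Status=Done and Accepted=Done, and stats then sums the raw and the conditional column side by side. Field names are the ones from the question; the search below also keeps scan_date available, because in the original the table command drops it before the eval that tries to parse it.

```spl
index=index
| eval _time=strptime(scan_date, "%Y-%m-%d")
| eval done_value=if(Status="Done" AND Accepted="Done", Value, 0)
| stats sum(Value) as total_value_per_month,
        sum(done_value) as done_value_per_month,
        count(eval(Status="Done" AND Accepted="Done")) as done_rows
    by Month
| table Month, total_value_per_month, done_value_per_month, done_rows
```

The string comparisons in if() are case-sensitive; if the source writes "done" and "Done" inconsistently, compare lower(Status) and lower(Accepted) against "done" instead. Rows whose Value is not numeric are silently ignored by sum(), so a done_rows count that is larger than expected relative to done_value_per_month is a hint that Value needs a tonumber() first.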
How do I configure a status panel in a Splunk dashboard? Based on the input dropdown field change [program input], there should be some indicator which represents the status [basically representing the overall status of the program]. The indicator can be a gauge or something similar to a radio button showing red/amber/green status, and it has to be located in the same row as the input dropdown.
Hi, I need to schedule an alert every 2 minutes between 8 PM and 11 PM in Splunk Cloud. Could anyone help, please?
Hi All, We are trying to push data from Grafana to Splunk using a HEC-based integration. When we did the testing we found that the header sent by Grafana was in the format "Bearer <HEC TOKEN>" instead of the "Splunk <HEC TOKEN>" format. Because of this, authentication failed and we cannot ingest data into Splunk. We manually tried the same via Postman, where we have an option to change the Bearer prefix, and it worked. Our ask is: do we have a method to change the Authorization header from Splunk to Bearer to fix the authentication issue? Please help. Regards, Naresh
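When the sender cannot be told which prefix to put in the Authorization header, a small forwarding proxy between it and HEC can rewrite "Bearer <token>" into the "Splunk <token>" form that HEC documents. The following is an added example, not from the original post and not part of Splunk or Grafana: the rewrite itself is a pure function so it can be checked on its own, and the handler forwards the body unchanged. The HEC URL, listen address and token value are assumptions; the token is never written to a log.

```python
"""Rewrite 'Authorization: Bearer <token>' into 'Authorization: Splunk <token>'
on the way to Splunk HEC.

Added example, not from the original post or from Splunk/Grafana: a tiny
forwarding proxy for the case where the sender's header prefix cannot be
changed. The HEC URL and listen address are assumptions. The proxy listens on
loopback only and never logs the Authorization value.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
import urllib.error
import urllib.request

HEC_URL = "https://splunk.example.internal:8088/services/collector/event"  # assumed
LISTEN = ("127.0.0.1", 8090)  # assumed; keep it on loopback


def rewrite_authorization(value: Optional[str]) -> Optional[str]:
    """Return the header value HEC expects, or None if the input is unusable.

    Accepts either "Bearer <token>" or an already correct "Splunk <token>";
    anything else (Basic, missing token, empty header) is rejected so a
    malformed header is never forwarded with the proxy's blessing.
    """
    if not value:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or not parts[1]:
        return None
    scheme, token = parts
    if scheme.lower() in ("bearer", "splunk"):
        return f"Splunk {token}"
    return None


class HecRewriteHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        auth = rewrite_authorization(self.headers.get("Authorization"))
        if auth is None:
            self.send_error(401, "missing or unsupported Authorization scheme")
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        req = urllib.request.Request(HEC_URL, data=body, method="POST")
        req.add_header("Authorization", auth)
        req.add_header("Content-Type",
                       self.headers.get("Content-Type", "application/json"))
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                data = resp.read()
                self.send_response(resp.status)
                self.send_header("Content-Type", "application/json")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
        except urllib.error.HTTPError as err:
            # Pass HEC's own status (e.g. 401 for a bad token) back to the sender.
            self.send_response(err.code)
            self.end_headers()
        except urllib.error.URLError:
            self.send_error(502, "HEC unreachable")

    def log_message(self, fmt, *args) -> None:
        # Stay quiet: nothing about the request, and certainly no headers,
        # goes to stderr.
        pass


if __name__ == "__main__":
    HTTPServer(LISTEN, HecRewriteHandler).serve_forever()
```

Point Grafana at http://127.0.0.1:8090/services/collector/event with its existing Bearer header and the proxy does the translation. Because the token now transits one more hop, keep the listener on loopback or behind TLS, and verify HEC's certificate on the upstream leg as urllib does by default.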
My host is not capable of resolving the IP address, so can anyone help me configure my IP address as a mail relay?
How is LDAP authentication supposed to work? When the user logs in, what LDAP query does the Splunk server use to retrieve the user information and validate the user and password? As near as I can tell, what should be happening is that the Splunk server queries the LDAP server with <account-name>=<value entered from login> where <account-name> is the value specified in the userNameAttribute variable in ldap stanza of authentication.conf. The user query should also be combined (ANDed) with the value of the userBaseFilter variable. The return value from the query should then be the userPassword attribute, which is compared with the value entered into the password field on the login form. Do I have this right? Is there a way to debug the Splunk server to LDAP server interaction, i.e., to examine the LDAP query and look at the response? Or is my best option just to run the server in debug and search splunkd.log?
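A generic search-then-bind login, added here as an example and not Splunk's own code, shows the shape the login name ends up in when userNameAttribute and userBaseFilter are combined into one filter, why that name has to be escaped per RFC 4515 before it is spliced in, and that the password is checked by binding as the found DN rather than by reading a password attribute. The attribute names, base DN and the in-memory directory are constructed for the example.

```python
"""A search-then-bind LDAP login, with the filter built from the same kind of
settings named in the question (userNameAttribute, userBaseFilter).

Added example, not Splunk's own code: it shows the shape of the search
filter a login name ends up in, why that name must be escaped per RFC 4515
before it is spliced into the filter, and that the password is checked by
binding as the found DN rather than by reading a password attribute. The
attribute names, base DN and in-memory directory are constructed.
"""
import re
from typing import Dict, List

# RFC 4515 escaping: these characters would otherwise change the filter's
# structure (parentheses), turn the name into a wildcard (*) or inject NULs.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username_attr: str, login_name: str,
                      base_filter: str = "") -> str:
    """AND the (attr=escaped login) clause with the optional base filter."""
    user_clause = f"({username_attr}={escape_filter_value(login_name)})"
    if not base_filter:
        return user_clause
    if not base_filter.startswith("("):
        base_filter = f"({base_filter})"
    return f"(&{user_clause}{base_filter})"


def search_then_bind(directory, base_dn: str, username_attr: str,
                     base_filter: str, login_name: str, password: str) -> bool:
    """Generic flow: the caller has already bound with the service account;
    search for exactly one entry, then bind as that DN with the supplied
    password. Zero or several matches is a failed login."""
    dns = directory.search(base_dn, build_user_filter(username_attr, login_name, base_filter))
    if len(dns) != 1:
        return False
    return directory.bind(dns[0], password)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


class FakeDirectory:
    """Tiny in-memory stand-in for an LDAP server (constructed; exact-match
    only, so it understands the filters build_user_filter() produces)."""

    def __init__(self, entries: Dict[str, Dict]):
        self.entries = entries  # dn -> {"attrs": {...}, "password": "..."}

    def search(self, base_dn: str, filt: str) -> List[str]:
        m = re.match(r"\(?&?\((\w+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)", filt)
        if not m:
            return []
        attr, value = m.group(1), _unescape(m.group(2))
        return [dn for dn, entry in self.entries.items()
                if dn.endswith(base_dn) and entry["attrs"].get(attr) == value]

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password


# Constructed directory content for the example.
DIRECTORY = FakeDirectory({
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "attrs": {"uid": "jdoe", "objectClass": "person"}, "password": "s3cret"},
    "uid=asmith,ou=people,dc=example,dc=com": {
        "attrs": {"uid": "asmith", "objectClass": "person"}, "password": "hunter2"},
})

if __name__ == "__main__":
    print(build_user_filter("uid", "jdoe", "(objectClass=person)"))
    print(build_user_filter("uid", "*)(objectClass=*", "(objectClass=person)"))
    print(search_then_bind(DIRECTORY, "dc=example,dc=com", "uid",
                           "(objectClass=person)", "jdoe", "s3cret"))
```

The second print shows why the escaping matters: without it a login name of `*)(objectClass=*` would rewrite the filter into one that matches every entry, and a real server would return many DNs. With escaping the name becomes an ordinary literal and the login fails on "not exactly one match". For debugging the real exchange, the LDAP server's own access log shows the filter and the bind DN it received, which is usually quicker than raising Splunk's log level.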
Hello, I would like to ask for help in this case. I have this message in the internal log on my Splunk:

Accepted time format has changed ((?i)(?<![\w\.])(?i)(?i)(0?[1-9]|[12]\d|3[01])(?:st|nd|rd|th|[,\.;])?([\- /]) {0,2}(?i)(?:(?i)(?<![\d\w])(jan|\x{3127}\x{6708}|feb|\x{4E8C}\x{6708}|mar|\x{4E09}\x{6708}|apr|\x{56DB}\x{6708}|may|\x{4E94}\x{6708}|jun|\x{516D}\x{6708}|jul|\x{4E03}\x{6708}|aug|\x{516B}\x{6708}|sep|\x{4E5D}\x{6708}|oct|\x{5341}\x{6708}|nov|\x{5341}\x{3127}\x{6708}|dec|\x{5341}\x{4E8C}\x{6708})[a-z,\.;]*|(?i)(0?[1-9]|1[012])(?!:))\2 {0,2}(?i)(20\d\d|19\d\d|[9012]\d(?!\d))(?![\w\.])), possibly indicating a problem in extracting timestamps. Context: source=http:linux_rh|host=splunk-collection.com:8088|linux_secure|

It is very rare, only 6 messages per 24 hours for a sourcetype where millions of messages per 24 hours are received. Could someone please tell me what this message means and what to do to correct this error? Or how to find the events which are the cause of this message? I tried some googling, but I did not find anything useful... Thank you very much for your help. Best regards, Lukas
Hi community, one of our indexer cluster peer nodes has very high CPU consumption by the splunkd process; see the attached screenshot. We have an indexer cluster that consists of two peer nodes and one master server. Only one of the peer nodes has this performance issue. A few Universal Forwarders and Heavy Forwarders sometimes get the following timeout from the peer node which has the high load:

08-06-2020 15:02:47.001 +0200 WARN TcpOutputProc - Cooked connection to ip=<ip> timed out

I already looked at the Monitoring Console. In the graph CPU Usage by Process Class I see 117 percent for splunkd server. But what does splunkd server mean here? Where can I get further information to solve this issue? Thanks for your advice. Kind regards, Kathrin
Hi, I need to send some blocked SQL queries in an alert mail. In events I can see the complete query in Splunk Cloud, but when I receive the alert with these SQL queries, it is getting truncated. E.g. my query is: Select abc from xyz where fg=kl, but in the alert mail I am getting only 'select abc'.
Hi, I want the query in DB Connect to execute every day between 8 PM and 11 PM, every 2 minutes. Please help with the cron expression to be provided in DB Connect.
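Both the Splunk Cloud alert scheduler (the "Run on Cron Schedule" option asked about a few posts above) and a scheduled DB Connect input take a standard five-field cron expression, so one expression answers both questions. The fragment below is an added example, not from either post; only the expression lines are pasted into Splunk, the comment lines are for the reader.

```cron
# minute  hour  day-of-month  month  day-of-week
# Every 2 minutes from 20:00 through 22:58 (hours 20, 21 and 22 inclusive)
*/2 20-22 * * *
# "until 11 PM" is ambiguous about the 23:00 run itself; if that last run is
# wanted too, add a second schedule rather than widening the hour range to
# 20-23, which would keep firing until 23:58.
0 23 * * *
```

For a two-minute cadence the search or SQL query has to finish well inside two minutes, otherwise runs queue up or are skipped; the scheduler does not start a second copy to catch up.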
Can Outlook be integrated with Splunk to fetch any kind of Outlook email data?
I have a logfile with "|" (pipe) separated fields, so I use transforms.conf to separate those fields. Two of the fields I separate are JSON. Usually I use spath in SPL to extract the fields in this JSON field. The JSON field is just a payload which is logged in the logfile next to user fields. My problem is that spath is not available in datasets, so I need to extract the fields automatically and not in SPL. The problem is that not the whole file is JSON, so I think I cannot use KV_MODE=json in props.conf. Is there a way to assign just the two JSON fields to a transforms.conf extraction and extract the fields in them? How can I make the fields in the JSON field available for dataset root events? I need to accelerate this dataset.

Here is an example of one event in the file (they are also nested):

_time | field | field | field | field | field | field | field | field | field | {\"key\":\"value\",\"key\":{\"key\":[\"value\",\"value\",\"value\",\"value\",\"value\"],\"key\":[\"value\"],\"key\":[\"value\"]},\"key\":\"value\",\"key\":\"value\",\"key\":\"value\",\"key\":\"value\",\"key\":\"value\",\"key\":value,\"key\":value} | {\"key\":{\"key\":\"value\",\"key\":\"value\",\"key\":[\"value\"],\"key\":[value],\"key\":\"value\",\"key\":\"value\",\"key\":value,\"key\":{\"key\":value,\"key\":value,\"key\":value,\"key\":value,\"key\":value,\"key\":value,\"color\":value,\"key\":value,\"key\":value}},\"key\":[{\"key\":\"value\",\"key\":\"value\"},{\"key\":\"value\",\"key\":\"value\"}]}

As transforms.conf separates the fields by the separator "|", the JSONs are separate fields, which is why I usually use | spath input=json_field

Thanks for your support
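A props.conf/transforms.conf sketch, added here and not the poster's own configuration, that keeps the pipe-delimited extraction and unpacks the two JSON columns with the spath() eval function in calculated fields. Calculated fields are evaluated at search time after the REPORT- extraction has run, so they show up as ordinary fields on data model root events, which cannot run the spath command. The sourcetype, column names and JSON paths are assumptions; the sample event above only shows placeholder keys.

```ini
# transforms.conf
[pipe_fields]
DELIMS = "|"
# 12 columns in the sample event: a timestamp, nine plain fields, two JSON payloads.
FIELDS = event_time, f1, f2, f3, f4, f5, f6, f7, f8, f9, payload_json, detail_json

# props.conf
[my_pipe_sourcetype]
REPORT-pipe_fields = pipe_fields
# One calculated field per JSON path the dataset needs. Each EVAL- reads the
# extracted column directly; calculated fields cannot reference other
# calculated fields, so do not chain them. Paths below are assumed names.
EVAL-payload_user  = spath(payload_json, "user.name")
EVAL-payload_roles = spath(payload_json, "user.roles{}")
EVAL-detail_color  = spath(detail_json, "attrs.style.color")
```

Two caveats from the sample line: the separators are written as " | " with spaces, and DELIMS splits only on the pipe, so the plain columns keep their surrounding spaces (an EVAL-f1 = trim(f1) fixes each one). If the backslash-escaped quotes (\") are literally present in the raw event rather than an artefact of pasting, the column is not valid JSON and spath() returns nothing; in that case wrap the column in replace() inside the same EVAL- that calls spath(), since a separate cleaning EVAL- cannot be referenced.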
Hi guys, does anyone know why I could be getting this error? It pops up whenever I go to any Splunk control like Settings > Server controls or Settings > Data inputs. I attached the image of the error.
Hi, I have the below in column default_message.

1st regex: default_message= <14>shell: cmd by abcd: mkdir test

Can you please help me with the regex to extract the user, and the command run by the user in another column, command? We can consider the : as the delimiter; after that I should be able to extract user=abcd and command=mkdir test.

2nd regex: default_message= <133>clish[1234]: User abcd finished running clish -c from CLI shell

From the same column we need to extract user=abcd and command=finished running clish -c from CLI shell.

Please help me with the regex. If we can combine the above two it would be great; otherwise I will have to use some case and then do the regex. Thanks
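One combined expression covers both message shapes, so no case statement is needed. The following is an added example, not from the original post: two alternatives under a shared syslog-priority prefix, each capturing the user and the rest of the line as the command, plus a helper that coalesces whichever pair of groups matched. The sample lines are constructed from the two examples in the question, with one unrelated line added so the miss path is exercised.

```python
"""Extract user and command from the two message shapes in the question.

Added example, not from the original post: one combined regular expression
with two alternatives, each capturing the user and the remainder of the
line as the command, plus a small helper that coalesces the two sets of
groups. The sample lines are constructed from the two examples given.
"""
import re
from typing import Dict, List, Optional

# Constructed samples modelled on the two formats in the question, plus one
# line that matches neither so the miss path is exercised.
SAMPLE_LINES = [
    "<14>shell: cmd by abcd: mkdir test",
    "<133>clish[1234]: User abcd finished running clish -c from CLI shell",
    "<13>sshd[99]: Accepted publickey for abcd from 10.0.0.5",
]

# Both shapes start with a syslog priority like <14>. Alternative 1 is the
# "shell: cmd by <user>: <command>" form, alternative 2 the
# "clish[pid]: User <user> <command>" form. Python's re does not allow the
# same group name twice, hence user1/user2 and command1/command2.
COMBINED = re.compile(
    r"^<\d+>"
    r"(?:"
    r"shell:\s+cmd by (?P<user1>\S+):\s+(?P<command1>.+)"
    r"|"
    r"clish\[\d+\]:\s+User (?P<user2>\S+)\s+(?P<command2>.+)"
    r")$"
)


def extract(line: str) -> Optional[Dict[str, str]]:
    """Return {"user": ..., "command": ...} or None when neither shape matches."""
    m = COMBINED.match(line.strip())
    if not m:
        return None
    user = m.group("user1") or m.group("user2")
    command = m.group("command1") or m.group("command2")
    return {"user": user, "command": command.strip()}


def extract_all(lines: List[str]) -> List[Dict[str, str]]:
    """Apply extract() to many lines, keeping only the ones that matched."""
    results = []
    for line in lines:
        fields = extract(line)
        if fields is not None:
            results.append(fields)
    return results


if __name__ == "__main__":
    for row in extract_all(SAMPLE_LINES):
        print(row)
```

The same expression works in Splunk's rex command; because group names must be distinct there too, coalesce them afterwards: | rex field=default_message "^<\d+>(?:shell:\s+cmd by (?<user1>\S+):\s+(?<command1>.+)|clish\[\d+\]:\s+User (?<user2>\S+)\s+(?<command2>.+))$" | eval user=coalesce(user1,user2), command=coalesce(command1,command2). The first alternative anchors on "cmd by <user>:" so a command that itself contains a colon (mkdir a:b) stays intact in the command field.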
When I click the "Access Controls" field Users and Authentication, i am getting "Oops. Page not found! Click here to return to Splunk homepage." error. Can someone help me re