All Topics
I have Alert Type set to Real-Time and to trigger Per-Result, but how often will it run? What I need is, on every new event, to perform some calculation on the last n events, and if the calculated number meets a certain criterion, then an alert needs to be triggered. I don't have a problem writing the part of the search that does the calculation; it's setting up the alert that I am unclear on.
Hello, I'm trying to configure a dashboard to be sent as an automated email report, but I can't do it. If I use the native PDF export function, it does not allow me to send trellis, and it breaks my visualizations, the tokens I use to make labels (for example, I see $current_month$ instead of "July" on my PDF), and there are other issues like the size of the sheet, etc. So my alternative was to go for the Report Sender app. But this app does not work in Splunk 8 and has not had support since 2016. Is there a viable alternative to send dashboards as reports, or to send a report via email with the same functionality as a dashboard? Thanks a lot
I have a scenario where, when a device checks in, it sends multiple records of its inventory with the same timestamp. The check-in time is random but grouped by timestamp. With a given dataset:
5am fruit=apple
5am fruit=orange
5am fruit=banana
7am fruit=apple
7am fruit=orange
12pm fruit=orange
12pm fruit=banana
What I would like to see is whether there is a way to determine when one record exists but another record does not exist for a given time. For instance, note when apple is present but banana is not present, like the 7am time.
I have a query statement like so:
index=* "account balance:" | rex "blah blah account balance:(?P<balance>(\d{1,3}(,\d{3})*)+) " | table balance
And this works fine, but when I try to add `latest` in there, it gives no results:
index=* "account balance:" | stats latest() | rex "blah blah account balance:(?P<balance>(\d{1,3}(,\d{3})*)+) " | table balance
Why am I not able to perform regex on the latest event?
I have different options, which include a combination of Dropdown, Radio, Text box, etc. I need to execute a different panel based on a certain combination of the above selections. Can someone help me with how I can control the execution of a specific panel?
Getting an error code=5 whenever running an alert action from Puppet Report Viewer:
action=puppet_generate_detailed_report - Alert action script returned error code=5
This is a first-time setup; how do I troubleshoot this?
Hi, I am looking for something that is the 'opposite' of dedup, where the duplicate events are kept and singular events are filtered out. Any suggestions?
https://splunkbase.splunk.com/app/5022
I get this error when configuring the app to send email: Unexpected error: too many values to unpack (expected 2).
Endpoint: https://myserver.local:12581/Path/Here/{ContainerID}
Headers: Authorization=Basic abcdefg12345==
Body: {"Property1":"{Property1}","Property2":"{Property2}"}
Hi, I'm trying to use an eval variable in my search. I've tried many different things and I've failed, and I'm sure this is a quick, easy solution, but I just can't seem to get it. My eval variables print out exactly as I need; I have validated it with the table as well as by manually putting it in the search.
| eval z="legolas,TGZ,ux*" | eval name="*" + mvindex(split(z, ","), 0) + "*" | eval type=mvindex(split(z, ","), 1) | eval query="*" + mvindex(split(z, ","), 2) | eval searchVar=if(type="JAR", name, query) | table name, type, query, searchVar | search artifactory=* uri=searchVar
Hello, I am looking to figure out the percentage of times certain value combinations appear in the data. The field I am looking to construct in the sample below is "combo".
Field1 Field2 combo
A Y 10
A Z 20
B Y 20
B Z 40
C Z 10
In the sample, the A value appears in 30% of all events, Y appears in 30% of all events, and the combination AY appears in 10% of all events. Pieces of the following code have worked by themselves but not together.
... | stats count by Field1 Field2 as combo | eventstats sum(count) as total | eval perc=(combo/total)
I am looking at setting up a search/alert if I see only "ERROR OGG-01296"; however, I don't want to receive any alert when I have both errors "ERROR OGG-01296" and "ERROR OGG-01668" for the file xxxxx.prm. How can I exclusively ignore this pattern? Please advise.
2020-07-31T08:19:46.925-0700 ERROR OGG-01668 Oracle GoldenGate Delivery, xxxxx.prm: PROCESS ABENDING.
2020-07-31T08:19:46.924-0700 ERROR OGG-01296 Oracle GoldenGate Delivery, xxxxx.prm: Error mapping from LZ.ABCD to LZ.ABCD.
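The fruit-inventory post and the GoldenGate post above ask the same question: within a group of events (per timestamp, or per .prm file), alert when one value is present and another is absent. The following Python is an added example, not code from either thread or from Splunk; it groups constructed sample events (the fruit check-ins from the first post, plus GoldenGate lines modelled on the second, with a hypothetical second file yyyyy.prm) and returns the groups that match. Grouping the OGG lines by parameter file is an assumption; the matching SPL is given in the docstring.

```python
import re
from collections import defaultdict

# Constructed sample events (not taken from the original posts).
FRUIT_EVENTS = [
    {"_time": "05:00", "fruit": "apple"},
    {"_time": "05:00", "fruit": "orange"},
    {"_time": "05:00", "fruit": "banana"},
    {"_time": "07:00", "fruit": "apple"},
    {"_time": "07:00", "fruit": "orange"},
    {"_time": "12:00", "fruit": "orange"},
    {"_time": "12:00", "fruit": "banana"},
]

# Constructed GoldenGate error lines modelled on the ones in the post;
# yyyyy.prm is a hypothetical second parameter file that logged only OGG-01296.
OGG_LINES = [
    "2020-07-31T08:19:46.925-0700 ERROR OGG-01668 Oracle GoldenGate Delivery, xxxxx.prm: PROCESS ABENDING.",
    "2020-07-31T08:19:46.924-0700 ERROR OGG-01296 Oracle GoldenGate Delivery, xxxxx.prm: Error mapping from LZ.ABCD to LZ.ABCD.",
    "2020-07-31T09:02:10.001-0700 ERROR OGG-01296 Oracle GoldenGate Delivery, yyyyy.prm: Error mapping from LZ.EFGH to LZ.EFGH.",
]

# Error code and .prm file name, the two fields the alert groups and filters on.
OGG_RE = re.compile(r"ERROR (?P<code>OGG-\d+) .*?, (?P<file>\S+\.prm):")


def groups_with(events, group_key, value_key, present, absent):
    """Return the group keys in which `present` occurs but `absent` never does.

    SPL equivalent (count each value per group, then filter):
        ... | stats count(eval(fruit="apple")) AS have_a
                    count(eval(fruit="banana")) AS have_b BY _time
            | where have_a > 0 AND have_b = 0
    """
    seen = defaultdict(set)
    for ev in events:
        seen[ev[group_key]].add(ev[value_key])
    return sorted(key for key, vals in seen.items()
                  if present in vals and absent not in vals)


def parse_ogg(lines):
    """Pull the OGG error code and .prm file name out of each GoldenGate line."""
    events = []
    for line in lines:
        m = OGG_RE.search(line)
        if m:
            events.append({"file": m.group("file"), "code": m.group("code")})
    return events


def fruit_gaps():
    """Timestamps at which apple checked in but banana did not."""
    return groups_with(FRUIT_EVENTS, "_time", "fruit",
                       present="apple", absent="banana")


def ogg_alerts():
    """.prm files that logged OGG-01296 without an accompanying OGG-01668."""
    return groups_with(parse_ogg(OGG_LINES), "file", "code",
                       present="OGG-01296", absent="OGG-01668")


if __name__ == "__main__":
    print("apple without banana at:", fruit_gaps())
    print("OGG-01296 alone for:", ogg_alerts())
```

The same shape works as a scheduled alert: run the stats/where search over the alert's time window and trigger when it returns any rows, so the OGG-01668 companion line, which arrives a millisecond later in the sample, falls inside the same window as the OGG-01296 it suppresses.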
Hello, I have a basic search that I am running: index=sso. This search returns a lot of events. Within those log events, I would like to extract two pieces of information and create fields for both of them. They are: "saml:Issuer" AND "saml:Audience>https://". I'd then like to run a simple query against these two new fields:
index=sso sourcetype="pingfed*" table saml:Issuer saml:Audience>https://
What would be the most efficient way of doing this field extraction, step by step?
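The extraction the post above is asking for, as an added Python example (not code from the thread or from PingFederate): the same two regexes a pair of rex commands would use, run over constructed PingFederate-style lines, then counted by issuer and audience. The extracted fields are named issuer and audience rather than saml:Issuer, since a colon in a field name would need quoting in every later command; the hostnames are placeholders.

```python
import re
from collections import Counter

# Constructed PingFederate-style log lines (not real sso data); hostnames are placeholders.
SAML_LINES = [
    "2020-07-30 10:01:02 pingfed-1 ... <saml:Issuer>https://idp.example.com</saml:Issuer> ... "
    "<saml:Audience>https://app1.example.net/sp</saml:Audience> ...",
    "2020-07-30 10:01:09 pingfed-2 ... <saml:Issuer>https://idp.example.com</saml:Issuer>"
    "<saml:Audience>https://app2.example.net/sp</saml:Audience>",
    "2020-07-30 10:01:15 pingfed-1 ... <saml:Issuer>https://idp.example.com</saml:Issuer> ... "
    "<saml:Audience>https://app1.example.net/sp</saml:Audience> ...",
    "2020-07-30 10:02:00 pingfed-1 heartbeat ok",
]

# Same patterns as two rex commands in SPL:
#   | rex "<saml:Issuer>(?<issuer>[^<]+)</saml:Issuer>"
#   | rex "<saml:Audience>(?<audience>https://[^<]+)</saml:Audience>"
ISSUER_RE = re.compile(r"<saml:Issuer>(?P<issuer>[^<]+)</saml:Issuer>")
AUDIENCE_RE = re.compile(r"<saml:Audience>(?P<audience>https://[^<]+)</saml:Audience>")


def extract_fields(line):
    """Return {"issuer": ..., "audience": ...} for a line that carries an assertion.

    Lines without both elements return None, the way rex leaves the fields
    unset on non-matching events.
    """
    issuer = ISSUER_RE.search(line)
    audience = AUDIENCE_RE.search(line)
    if not (issuer and audience):
        return None
    return {"issuer": issuer.group("issuer"), "audience": audience.group("audience")}


def audience_table(lines):
    """Equivalent of `| stats count by issuer audience`, as sorted (issuer, audience, count) rows."""
    counts = Counter()
    for line in lines:
        fields = extract_fields(line)
        if fields:
            counts[(fields["issuer"], fields["audience"])] += 1
    return sorted((iss, aud, n) for (iss, aud), n in counts.items())


if __name__ == "__main__":
    for issuer, audience, n in audience_table(SAML_LINES):
        print(f"{n:4d}  {issuer}  ->  {audience}")
```

In Splunk, the equivalent of this table is the place to start when reviewing which service providers an IdP is actually issuing assertions to; an audience you do not recognise is worth a look.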
I am trying to write a report of 'AccessDenied' messages in our AWS CloudTrail logs. These are in JSON format, and the notable fields change depending on which service reports the error. So I am trying to simplify my results by comparing two fields, errorMessage and requestParameters.Host, and keeping whichever one is populated, e.g.
sourcetype=aws:cloudtrail errorCode="AccessDenied" | eval error = if( isnull(requestParameters.Host), errorMessage, requestParameters.Host)
But it doesn't work. I've traced it back to something weird with the "requestParameters.Host" field, which is 'nested' inside the JSON. The other field, "errorMessage", works as expected, and that's probably because it's a 'first-level' field in the JSON (not a secondary/nested field). It's like the "requestParameters.Host" field isn't a string, e.g. the following search also fails:
sourcetype=aws:cloudtrail errorCode="AccessDenied" | eval test = requestParameters.Host
i.e. "test" is blank.
I have also tried adding an "spath" command, but I'm not sure how to use it. If I use the search UI's built-in "Add to search", it inserts:
sourcetype=aws:cloudtrail errorCode="AccessDenied" | spath "requestParameters.Host" | eval error = if( isnull(requestParameters.Host), errorMessage, requestParameters.Host)
but that has no effect, i.e., "requestParameters.Host" is still a 'ghost' field which I cannot use in an 'eval' statement.
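The blank result in the post above comes from how eval reads an unquoted dotted name: `requestParameters.Host` is parsed as `requestParameters . Host`, the concatenation of two fields that do not exist, so it is null. A field name containing a dot has to be enclosed in single quotes in eval, e.g. `| eval error = coalesce('requestParameters.Host', errorMessage)`. The following Python is an added example (not code from the thread, and not how Splunk implements spath): it flattens constructed CloudTrail-style records into the dotted field names spath would produce, applies the same coalesce, and keeps only AccessDenied records. The records and the account ID in them are made up.

```python
import json

# Constructed CloudTrail-style records (not real log data): the first carries the
# denied host under requestParameters, the second only an errorMessage, the third
# is a different error code and must be filtered out.
RAW_EVENTS = [
    '{"eventSource":"s3.amazonaws.com","eventName":"GetObject","errorCode":"AccessDenied",'
    '"requestParameters":{"Host":"bucket-a.s3.amazonaws.com","bucketName":"bucket-a"}}',
    '{"eventSource":"sts.amazonaws.com","eventName":"AssumeRole","errorCode":"AccessDenied",'
    '"errorMessage":"User: arn:aws:iam::123456789012:user/alice is not authorized to perform: sts:AssumeRole"}',
    '{"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","errorCode":"Client.UnauthorizedOperation",'
    '"errorMessage":"You are not authorized to perform this operation."}',
]


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys, the naming spath uses (requestParameters.Host)."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def coalesce(fields, *names):
    """First non-empty value among the named fields, like eval's coalesce()."""
    for name in names:
        value = fields.get(name)
        if value not in (None, ""):
            return value
    return None


def access_denied_report(raw_events):
    """Equivalent of:
        sourcetype=aws:cloudtrail errorCode="AccessDenied"
        | spath
        | eval error = coalesce('requestParameters.Host', errorMessage)
        | table eventSource eventName error
    """
    rows = []
    for raw in raw_events:
        fields = flatten(json.loads(raw))
        if fields.get("errorCode") != "AccessDenied":
            continue
        rows.append({
            "eventSource": fields.get("eventSource"),
            "eventName": fields.get("eventName"),
            "error": coalesce(fields, "requestParameters.Host", "errorMessage"),
        })
    return rows


if __name__ == "__main__":
    for row in access_denied_report(RAW_EVENTS):
        print(f'{row["eventSource"]:22} {row["eventName"]:14} {row["error"]}')
```

The same quoting rule applies to `isnull('requestParameters.Host')` in the original `if(...)` form; coalesce is just shorter when the only question is which of the two fields is populated.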
I want to test an HEC script that is hosted remotely by pointing it to the Splunk instance at my desk. Up to this point, the script was also on my machine, so I would point the HEC to localhost:8088 and that would be that. Now that the script lives remotely, how do I tell Splunk to send it back to my machine? I tried substituting my IP address for localhost, but I got a connection refused error in Python. Am I skipping some steps? Thanks
I'm a newbie here, and I'm trying to figure out how to search for all outward-bound data. How does one accomplish this?
Hi, can we manipulate data with functions in a chart? I have a chart table obtained with:
| chart count over user by date_wday
The result is the following:
user monday tuesday
user1 36 52
user2 28 192
user3 235 492
Now imagine that I want to convert the count field to hexadecimal with "tostring(count,"hex")". How can I do it? I already managed to do it with a "foreach" statement, but after that I cannot use the Trellis view because the chart command is not at the end of the search. Thanks for your help. A.
Hey there guys, running into an issue that is causing Splunkweb to not start on our deployment server. Here's the output of the last log file. Anyone know what the potential issue is, by chance?
2020-07-30 16:53:05,444 ERROR   [5f235d5e3a7f1fe39018d0] root:769 - Unable to start splunkweb
2020-07-30 16:53:05,444 ERROR   [5f235d5e3a7f1fe39018d0] root:770 - invalid literal for int() with base 10: '1000 // increases SplunkWeb upload limit to 1GB'
Traceback (most recent call last):
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py", line 765, in <module>
    run(blocking=True)
  File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py", line 595, in run
    cfg['global']['server.max_request_body_size'] = int(maxsize) * 1024 * 1024
ValueError: invalid literal for int() with base 10: '1000 // increases SplunkWeb upload limit to 1GB'
[root@sc9splunklic splunk]#
Thank you!
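The traceback above shows splunkweb calling int() on a web.conf value that still has a trailing `// ...` remark attached. Splunk .conf files only recognise `#` comments on their own line; anything after the value on the same line is part of the value. The following Python is an added example (not code from the thread or from Splunk): a pre-flight check that parses a web.conf fragment and reports integer settings that int() would reject, run against a constructed broken fragment and its fixed form. It assumes the offending setting is max_upload_size in the [settings] stanza; the 1000-MB value and the message text point there, but the poster's actual file is not shown.

```python
import configparser

# Constructed web.conf fragments (not the poster's file). The first keeps the
# inline "//" remark that splunkweb's int() call chokes on; the second moves the
# comment to its own line, which is the only comment form Splunk .conf files accept.
BROKEN_WEB_CONF = """[settings]
max_upload_size = 1000 // increases SplunkWeb upload limit to 1GB
"""

FIXED_WEB_CONF = """[settings]
# increases SplunkWeb upload limit to 1GB
max_upload_size = 1000
"""

# (stanza, key) pairs that splunkweb converts with int() at start-up.
# max_upload_size is an assumption based on the error text; add others as needed.
INT_SETTINGS = [("settings", "max_upload_size")]


def check_int_settings(conf_text):
    """Return (stanza, key, value) for every integer setting int() would reject.

    configparser is used with no inline comment prefixes on purpose, so that a
    trailing "// ..." stays in the value exactly as Splunk will see it.
    """
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep key case; Splunk keys are case-sensitive
    parser.read_string(conf_text)
    bad = []
    for stanza, key in INT_SETTINGS:
        if not parser.has_option(stanza, key):
            continue
        value = parser.get(stanza, key)
        try:
            int(value)
        except ValueError:
            bad.append((stanza, key, value))
    return bad


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_WEB_CONF), ("fixed", FIXED_WEB_CONF)):
        problems = check_int_settings(text)
        print(f"{label}: {'OK' if not problems else problems}")
```

To run the same check against the merged configuration on a real host, `splunk btool web list settings` prints the [settings] stanza as Splunk resolves it across all web.conf copies, which is where a stray inline comment will show up.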
Are there policies/restrictions to using the Splunk logo in an application that ingests splunk data? Thanks!
Can anyone please let me know how to put a list of hosts under maintenance, so that Splunk doesn't trigger alerts for those hosts alone, wherever they are used in alerts?
I have an indexer cluster, with Search Factor 2 and Replication Factor 3. I have 5 indexer peers at the moment. I'm getting the following messages on a number of buckets within "Fixup Tasks - Pending". They don't seem to be going away after a number of hours.
Fixup Reason: streaming failure - src=XXXXXX tgt=XXXX failing=tgt
Current Status: Missing enough suitable candidates to create replicated copy in order to meet replication policy. Missing=( default: 1 )
What has gone wrong here?