All Topics

Hello Everyone, I'm experiencing a problem with the latest version of Missile Map (1.6.0). The animated arrows remain static when the page initially loads, and the animations only begin when I manually zoom in or out of the map. This is an issue, as the animations used to start automatically as soon as the dashboard page was loaded. Thank you for your assistance.
Hi, can anyone please help me frame the SPL query? I have to collect the list of devices reporting in Splunk along with the index name. For that I am using the tstats command:

| tstats count where index=* by host, index

Now the problem is that for one index the device name is under the field name 'asset'. To get such a list from this index, I can't use the tstats command since it works only for metadata fields. I tried using the stats command but it is taking a very long time, which is impacting performance. Please suggest how I should frame the query in an efficient manner for this case. Thanks
Hi, I am doing a list of different searches and want the count of each search. So I was using the searchmatch command, but when using it I get only the first result that is successfully searched and it ignores the rest. For example:

index="abc"
| eval JobName=case(searchmatch("error 1234"), "Error1", searchmatch("error 567"), "Error2", searchmatch("error 89"), "Error3")
| stats count by JobName

The output says Error1 - 234 (234 is the count of the error). Though error 2 and error 3 are there, they are not listed in the results. Could you please suggest how to get this sorted?
Hello everyone, I am encountering an issue with sending emails for the alerts I have configured on Splunk. Here are the steps I followed:

SMTP Server Configuration: I set up an SMTP server using Postfix on a virtual machine (VM). I also configured the firewall on this VM to allow SMTP traffic.

Splunk Configuration: In Splunk, I configured the email server settings using my Postfix server information. I verified the settings under Settings -> Server settings -> Email settings, and everything seems correct.

Alert Configuration: I created several alerts and configured the "Send Email" action for each alert. I provided the recipients, subject, and email content.

Despite these configurations, I am not receiving any emails when the alerts are triggered.

Additional Details: I tested sending emails from the command line on the VM with Postfix, and it works correctly. I checked Splunk logs (splunkd.log) and did not find any obvious errors related to email sending. Postfix logs show that email requests do not seem to be reaching the server.

Questions: Are there any additional steps I might have missed in the Splunk configuration for sending emails? How can I diagnose why emails are not being sent from Splunk? Are there specific logs or configurations I should check again? Thank you in advance for your help!
I need to create an alert, but the data to be fetched from the server is using a lot of license in Splunk. The data to be fetched is a few keywords from an Excel file that will be available on the server. I need to install the Universal Forwarder on the servers. Is it possible to make any changes at the Universal Forwarder level so that it forwards only the keywords to Splunk? If not, what alternative option is there to ingest the data without it using a lot of Splunk license?
Hello Cisco Security team, firstly I'd like to say thank you for creating such a great Splunk app! Now I am playing with this and found that this app directly receives syslog on the Splunk combined instance itself. I would like to install this in the test network where FMC generates approx. 300-500MB of syslog per hour. Assuming 700 bytes per event, it could reach 200 events per second. https://community.cisco.com/t5/network-security/fmc-connection-events-log-size-and-location/td-p/4769765 What number of events is this application designed to handle? Any advice on performance, such as utilizing multiple sockets, modifying the receiving buffer size, etc., would be appreciated. Thank you, Urikura
Hi All,

Deployment: Single Instance Splunk Enterprise

What I want: install the Splunk_TA_stream on my universal forwarder to capture DNS traffic as stream

The docs I followed:
https://docs.splunk.com/Documentation/StreamApp/8.1.3/DeployStreamApp/Deploymentrequirements
https://lantern.splunk.com/Data_Descriptors/DNS_data/Installing_and_configuring_Splunk_Stream

The App and add-on are already installed. The Splunk_TA_stream has been deployed to the UF, but I found that streamfwd.exe is not running. Also, I don't see the UF in the dashboard (only the Splunk single instance itself is present, and it is even in Error status).

Any insights for me to discover what went wrong? Thank you in advance.
I've got a string that contains CSV contents. How do I send an email that has an attachment which is made from my string variable?
| union
    [ search index=osp source=xxx EVENT_TYPE=xxx EVENT_SUBTYPE=xxx field1=* field3=xxx field4=""
      | eval DATE = strftime(strptime(xxx, "%Y%m%d"), "%Y-%m-%d")
      | stats latest(source) as example1 by field5 field6 DATE ]
    [ search index=osp source=xxx EVENT_TYPE=xxx EVENT_SUBTYPE=xxx field1=* field3=xxx field3=xxx field4=""
      | eval DATE = strftime(strptime(xxx, "%Y%m%d"), "%Y-%m-%d")
      | stats latest(source) as example2 by field5 field6 DATE ]
    [ search index=osp source=xxx EVENT_TYPE=xxx EVENT_SUBTYPE=xxx field1=* field3=xxx NOT field3=xxx field4=""
      | eval DATE = strftime(strptime(xxx, "%Y%m%d"), "%Y-%m-%d")
      | stats latest(source) as example3 by field5 field6 DATE ]
| stats count(example1) as "example 1", count(example2) as "example 2", count(example3) as "example 3" by DATE

The data is populating correctly for example 1 and example 3, individually, and if I just use two queries. However, I need all 3 queries for my data, but data is missing from example 2.
Is there a way for me to match a background color if the output from the panel involves rex? For example, if the output displays a unique error, how do I still match the background color to red without changing the display text for single-value visualization panels?
Hello! How are you? We are currently working on an integration with Splunk Cloud to be able to retrieve a set of data that we persist in an index and then search to generate a table. For this, we need to use the Splunk Cloud API from another of our developments. We generated a new local user on the platform and assigned it a new role with 'search' permission on the index we need to query. Then, we perform this test call from our computer:

curl -v -u username:p455w0rd -k https://<organization>.splunkcloud.com:8089/services/search/jobs -d search='index="index_to_query" rule="inventory" | stats count by rawData.Association.asset | sort - count'

but the response we get is as follows:

* Trying <IP>:8089....
* connect to <IP> port 8089 failed: Operation timed out
* Failed to connect to <organization>.splunkcloud.com port 8089 after 75195 ms: Couldn't connect to server

We investigated in Splunk forums and found that it could be caused by a Splunk Cloud restriction, and that apparently we could solve it by adding the subnets from where we do the consumption in: https://<organization>.splunkcloud.com/en-GB/manager/system/manage_system_config/ip_allow_list

We tried that but we're getting the same error message. Have you faced this in the past? Thank you very much! Regards, Juanma
Hi, I am new to Splunk. I am using Splunk Enterprise on my laptop, and I have been getting this error about disk space; please help me to solve it:

The diskspace remaining=6235 has breached the yellow threshold for filesystems=['C:\Program Files\Splunk\var\lib\splunk\_introspection\db' 'C:\Program Files\Splunk\var\lib\splunk\_internaldb\db' 'C:\Program Files\Splunk\var\lib\splunk\audit\db' 'C:\Program Files\Splunk\var\lib\splunk\_configtracker\db' 'C:\Program Files\Splunk\var\lib\splunk\audit\colddb' 'C:\Program Files\Splunk\var\lib\splunk\_metrics\db' 'C:\Program Files\Splunk\var\lib\splunk\_configtracker\colddb']
Hi, can anyone help me with how to do Power BI log analysis in Splunk? I just want to integrate Power BI with Splunk and then, in a Splunk index, check the logs for the Power BI app (who is logged in, etc.). Does anyone know what to do in this case?
This is what I used, and after applying it the result just highlights the entire mv field in red:

<format type="color">
  <colorPalette type="expression">case(match(value,"Large Effect"), "#ff0000", match(value,"Medium Effect"), "#ffff00", match(value,"Small Effect"), "#00ff00", true(), "#ffffff")</colorPalette>
</format>

I am looking for Small Effect -> Green, Medium Effect -> Orange and Large Effect -> Red.

Continuing from this search: @ITWhisperer https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695151#M236406
Hello Splunkers, for an unknown reason I'm not able to open a case, so I'm describing the issue here today.

I'm using the sim_forwarder_assets in my company to monitor the possible loss of UFs & HFs; it's working well and is easy to maintain. Today Splunk introduced an update (3.28.0): https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/ReleaseNotes/CloudMonitoringConsole

Since this update (around 2PM UTC), I'm experiencing a lot of HFs & UFs marked as "missing", but in fact they are not and are working perfectly well. So I dug into the scheduled search responsible for building and maintaining the sim_forwarder_assets and found the issue.

Scheduled search name: SIM SS - Forwarder Build Asset Table

The macro at the top is the following: `sim_build_forwarder_assets(1m)`

index=_internal sourcetype=splunkd TERM(group=tcpin_connections) TERM("cooked") OR TERM("cookedSSL") (hostname!=*.splunk*.*) fwdType!="edge"
| lookup reserved-cidrs cidr_block AS sourceIp OUTPUT cidr_source
| where isnull(cidr_source)

So Splunk is searching for hosts that are not in the lookup reserved-cidrs. This lookup contains some well-known multicast addresses and some reserved subnets on the internet, but it also contains some GCP IPs shared with customers:

34.0.0.0/15 gcp Public IP addresses for Google APIs and services including Google Cloud netblocks.

However, in my case, and I believe for other customers too, some of my HFs are presented to Splunk Cloud with GCP public IPs (34.X & 35.X). As most of the GCP supernets are present in this lookup, my HFs are declared as "missing" because of that. I assume that Splunk should not include this kind of supernet in the lookup. I do not know if everything is clear, and I'm sorry for my poor English :).
When we attempted to upgrade the Splunk Universal Forwarder on our Windows servers, it repeatedly failed. Here is a Windows script that solved the issue. The issue was caused by the registry keys that remained after uninstalling the previous version of Splunk:

REM Set current directory
cd %~dp0
REM Uninstall any existing Splunk versions - if no versions are present, the script will continue
wmic product where "name like '%%universalforwarder%%'" call uninstall
REM Remove Splunk installation reg keys
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\771F943D524B4D44EB7F87D16BBECDE4 /f
reg delete HKEY_CLASSES_ROOT\Installer\Products\771F943D524B4D44EB7F87D16BBECDE4 /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\771F943D524B4D44EB7F87D16BBECDE4 /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\splunkd.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\splunk-winevtlog.exe" /f
reg delete "HKEY_CLASSES_ROOT\Installer\Products\771F943D524B4D44EB7F87D16BBECDE4" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\SV100012\79ceb0e4-9f86-11ee-a216-000d3ac2f180" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\SV100018\38c9b010-d5c3-11ee-a218-000d3ac2f180" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\SV100019\affe40ec-d660-11ee-a218-000d3ac2f180" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\SV10001F\c19eef51-4dd7-11ef-a21c-000d3ac2f180" /f
reg delete "HKLM\SOFTWARE\Classes\Installer\Features\B0271F4D65C5D084FA81634DC56AD4AE" /f
reg delete "HKLM\SOFTWARE\Classes\Installer\UpgradeCode\13631B46466632F4FA2E89CF8E9602DB" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\" /v "C:\Program Files\SplunkUniversalForwarder\" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\splunk-perfmon.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-80-972488765-139171986-783781252-3188962990-3730692313" /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{775313CB-929D-442C-8B52-2ED391D816E2}" /f
REM Install Splunk - set to passive to allow installer to see progress or errors
msiexec.exe /i splunkforwarder-9.2.2-d76edf6f0a15-x64-release.msi SPLUNKUSERNAME="SplunkUser" SPLUNKPASSWORD="password" DEPLOYMENT_SERVER="USW-SPLUNKDPL-1:8089" AGREETOLICENSE=yes /passive
REM Start Splunk Service
net start SplunkForwarder
REM Install SPL file
"c:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" install app splunkclouduf.spl -auth SplunkAdmin:pasword
REM Stop and start Splunk service to enable SPL
net stop SplunkForwarder
net start SplunkForwarder
exit
Hi, I'm running a search for two different time ranges; for a missing datapoint pair it creates a discrepancy in my calculations. I need an accurate diff, so fillnull is not an option. I would prefer to remove the _time row if it's missing a pair for the same timestamp. Any hints appreciated. I got an idea with the below, but it doesn't work despite moving my stats around:

| stats count values(marker) as pairstamp by _time
| where count=2
Currently, I have a single Splunk server that is performing all the necessary functions. However, I would like to expand my infrastructure by deploying two new physical servers: one for an additional indexer and another for a dedicated search head. I am using Windows Server 2019. I would appreciate guidance on the best approach to achieve this. Specifically, I would like to know the steps involved in setting up another indexer and search head. Any advice or guidance is appreciated!
Hi, I installed Splunk SOAR (on-premises) 6.2.2 on a single server. Does anyone know how to get the SOAR-related services up and running again after the server restarts? Thank you!
Hi, while troubleshooting the error message below, how can I address the actual issue?

"The percentage of non high priority searches delayed (75%) over the last 24 hours is very high and exceeded the red thresholds (20%) on this Splunk instance. Total Searches that were part of this percentage=16. Total delayed Searches=12"

While looking into the system, I found out that:

1- The Splunk ES app is installed under /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite. Can I remove the app from the above location?

2- Furthermore, the output of the query below is:

index=_internal sourcetype=scheduler savedsearch_name=* status=skipped | stats count BY reason

1- Error in 'SearchParser': The search specifies a macro 'notable' that cannot be found. Reasons include: the macro name is misspelled, you do not have...
2- The maximum number of concurrent running jobs for this historical scheduled search on this instance has been reached

I found that