I have a deployment server, and I get that apps defined in serverclass.conf will be removed or deployed based on the machines listed in the serverclass.conf whitelists and blacklists. But I'm seeing inconsistencies regarding apps that aren't defined on the serverclass / deployment server being removed (or not) on the client side. Example - I have 3 serverclasses + apps defined in serverclass.conf: outputs, which goes to everyone, ta_windows, which goes to Windows machines, and ta_linux, which goes to Linux boxes. The Linux boxes also have a custom app locally configured named varlogs. Varlogs has never been added or defined on the deployment server. When I hook a new Linux box that has varlogs on it to the deployment server, varlogs vanishes. However, some of the Linux boxes also have a custom app named sri, and that /doesn't/ vanish even though it also isn't defined in serverclass. What's the appropriate behavior? Should hooking up to a deployment server wipe the installed apps down to what the deployment server is trying to send them or not? And if it is supposed to reset to nothing but things defined in serverclass, is there a way to not have that happen? We'd like to let folks keep their customized apps if possible. Thanks
Hi there! I'm a newbie in Splunk and am facing issues with triggered alerts that suddenly stopped sending. I had configured alerts and reports earlier and received alerts by mail all the time. I checked the server settings and the advanced settings in the alerts, ran the search index=_internal sendemail and found out that emails are sent but I don't receive them. Does anyone have suggestions on how to fix that? Any help that you can provide would be greatly appreciated.
The searches look like this in their base form:

| tstats count where index=nix_os earliest=07/10/2020:00:00:00 latest=07/10/2020:23:59:59 by host
| tstats count where index=nix_os earliest=07/09/2020:00:00:00 latest=07/09/2020:23:59:59 by host

I was trying something like this but I can't seem to get it just right:

| tstats count where index=nix_os earliest=07/09/2020:00:00:00 latest=07/09/2020:23:59:59 by host [| tstats append=true count where index=nix_os earliest=07/10/2020:00:00:00 latest=07/10/2020:23:59:59 by host prestats=true | stats count as newhost by host]

My goal is to find hosts that were not logging on the 9th that started on the 10th. Thanks for the help!
Brand new to Splunk and curious whether there is a way to add descriptive text to the pop-out window that appears when a user selects (clicks) a field in the search results. I am building a data dictionary for myself, but I would like the ability to view these descriptions in Splunk. Is there a way to do this?
In Splunk logs, I have to monitor some specific events. The identifier I use to target those events is the text 'EVENT_PROCESSED'. So my search query is:

index=testIndex namespace=testNameSpace host=*testHost* log=*EVENT_PROCESSED*

It fetches all of my target events. Please note that EVENT_PROCESSED is not an extracted field and is just text in the event logs. Now my aim is to find the throughput for these events. So I do this:

index=testIndex namespace=testNameSpace host=*testHost* log=*EVENT_PROCESSED* | timechart span=1s count as throughput

Is this the correct way of determining the throughput rate? If I change span to some other value, say 1h, then I change to:

index=testIndex namespace=testNameSpace host=*testHost* log=*EVENT_PROCESSED* | timechart span=1h count/3600 as throughput

Is this the correct way?
Hi, I've been trying to fix this for the last 4 hours. I'm evaluating a value in a drilldown. The evaluated value isn't literally being passed into the link token value I've specified. Instead the token name is being passed into the link. I've looked through the docs and similar issues in this forum but nothing explains the problem I'm having. I'm on Splunk Version 6.2.5, Build 272645. Simple XML below. Any help would be amazing.

<drilldown target="blank">
  <eval token="trunc_host">rex field=host mode=sed "s/\d+/"*"/g"|</eval>
  <link>
    <![CDATA[ Integration_PRA_capacity_breakdown?form.host=$trunc_host$&form.stack=$row.stack$&earliest=-h$&latest=now ]]>
  </link>
</drilldown>

This is the URL generated:

https://url/app/excd/Int_PR_city_break?form.host=%24trunc_host%24&form.stack=inst&earliest=-h%24&latest=now
Hi, I want to present the following table:

class    5-12 min    12-24 min    24+ min
classA   12          20           40
classB   42          56           54
classC   15          57           14

i.e. for each class, I want to count all the records (id) that fall into each bucket. This is what I have now:

index="x" queuename=vncisr runtime>300 | fields class id runtime | eval runtime = case(runtime < 720, "5-12 min", runtime < 1440 , "12-24 min", 1==1, "24+ min") | chart count by runtime

And I only get the total count for each bucket without considering the classes. I hope it was clear.
Hi, I am running the curl command below but it gets stuck for a long time. It does not return any error or XML, does not paste data into the file, and gives no other output.

curl -k -u username:password https://server_ip:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=test earliest=-15m latest=-1m" --get -d output_mode=raw >> "/opt/data.csv"

I tried to just run the search as well to get the job id in XML but it also hangs.

curl -k -u username:password https://server_ip:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=test earliest=-15m latest=-1m"'

The same curl commands are working for my local instance.
Hi All, I'm using a query to get the total count of a field (different error messages). Here is the search and the stats being displayed:

index=sp_dev "ProductHandler" | rex field=message "operation\\\":\\\"(?<ErrorMessage>[A-Za-z]+)\\\"" | stats count by ErrorMessage

ErrorMessage          Count
ProductNotFound       10
DuplicateProduct      36
InvalidProductCode    18

I want the total number of these 3 error messages as TotalErrors. Thanks, DD
Hello Splunkers, I have created a dashboard about the number of events indexed per day (history). This is what it looks like:

My question is, how can I create a select/search field to be able to specify a date (format: YYYY-MM-DD) and display the number of events for this specific date? For example, I specify the "2020-07-26" date in the search field and the dashboard must display only the line with that date and the number of events on that date (Number of Events = 107119 in the example). Hope you can help me. Regards
Hi, I'm trying to create a graph for overall disk usage for a few Linux servers. I'm getting the free percentage of individual mount points but not the overall disk usage.
Hi everyone, I want to calculate the number of days (excluding weekends) between 2 dates with the same datetime format (e.g. 2018-07-21 09:55:51). I followed the solution in this post: How do I calculate the date difference for two timestamps other than _time and exclude weekends? and adjusted the answer to fit my data, but no results were returned. So I removed a few lines of code from the solution above to understand the problem:

index="orders_csv_local"
| eval start=strptime(start_date,"%Y-%m-%d")
| eval end=strptime(end_date,"%Y-%m-%d")
| eval dates=mvrange(end,start,86400)
| table start end dates

At this stage, there was no value returned for the third column "dates". I'm wondering why the 4th line didn't return anything. Please advise me on how to resolve this problem in order to get the final result. Thank you so much in advance.
I need to filter the data logs below so they are not ingested into Splunk:

%DOMAIN-2-IME:
%DOMAIN-2-IME_DETAILS:
%DOMAIN-5-TCA:

The following techniques were tried but didn't work out:

a) Using the regex expression \%.*\: in the transforms.conf file (heavy forwarder) to filter all 3 domains above; even so, the logs are still being ingested into Splunk. Like below:

[elimatedomain_text]
REGEX=\%.*\:
DEST_KEY=queue
FORMAT=nullQueue

b) Using hardcoded values as below in the transforms.conf file didn't work out either:

REGEX = %DOMAIN-2-IME:
REGEX = %DOMAIN-2-IME_DETAILS:
REGEX = %DOMAIN-5-TCA:

Any other solution to blacklist these in the heavy forwarder?
Hi guys, recently I've been working on a migration from Splunk 7 to Splunk 8. But I ran into a little bit of trouble with an iframe. It was used to embed one of the dashboards within another dashboard, both of which are part of my Splunk app. And it was working fine with Splunk 7.3.X. However, in Splunk 8.0.4 and 8.0.5, it seems unable to reference any of the dashboards within the Splunk instance. All it shows is "Loading...", but if it points to some website outside the Splunk instance, it works fine, as shown in the screenshots below.

I've identified that it has nothing to do with the system web.conf/server.conf. I've enabled iframe and inline-style content and some other options, but they don't change the behavior of my iframe.

Then I investigated the network traffic using the browser inspector. It seems that in Splunk 8, whenever a dashboard visualization starts to initialize, a GET request is sent like this: localhost:8000/en-us/config?autoload=1. Normally it should receive a response with a list of configuration settings. In my case, this request is sent twice. The first time is for the initialization of the main dashboard and the second time is for that of the dashboard that is intended to load in the iframe. But the second request never receives a correct response. Instead, it always says CORS Missing Allow Origin and thus it's always blocked by the browser. OK, CORS then. But noooo, again, it has nothing to do with the CORS-related options in the system web.conf/server.conf. If I put a * to allow all cross-origin use, it says setting it to * won't allow the use of credentials. So it seems that when this request is launched, it specifically asks to exchange credentials, and setting * to allow all cross-origin use does not allow the exchange of credentials. So I put 127.0.0.1:8000 localhost:8000 trying to whitelist the local Splunk server. But it still doesn't work.

The behavioral difference between Splunk 7 and 8 is that, in Splunk 7, the localhost:8000/en-us/config?autoload=1 request was only sent once, when the main dashboard was initializing. I'm guessing this is to improve the security features of Splunk, but somehow it's killing the iframe in my case... So, has anyone encountered such an issue? Is there a workaround to resolve it?
Hello, on one of the Windows machines, logs (path: C:\servicedesk\logs) are sent via the universal forwarder to Splunk. So I created inputs.conf with the monitor paths below; now I am getting logs from sourcetype=%sit% but no logs are coming from sourcetype=automation. Why are logs not coming in under sourcetype=automation?

[monitor://C:\servicedesk\logs]
disabled = 0
index = main
sourcetype = %sit%

[monitor://C:\servicedesk\logs]
disabled = 0
index = main
sourcetype = automation
Hi everyone, I'm trying to correlate some events that have the same field and then output the results to a table. Example of raw data:

test d34e9bca-cfd9-11ea-9873-962481bd1187 Overall Executions in this runtime: 295
test d34e9bca-cfd9-11ea-9873-962481bd1187 End Execution
test d34e9bca-cfd9-11ea-9873-962481bd1187 Total Execution Time: 1.6354868500493467
test d34e9bca-cfd9-11ea-9873-962481bd1187 Query Elapsed Time 0.5768028399907053
test d34e9bca-cfd9-11ea-9873-962481bd1187 Query Status: Success
test d34e9bca-cfd9-11ea-9873-962481bd1187 Query Result: {"EXPR$0":{"0":1595834505}}
test d34e9bca-cfd9-11ea-9873-962481bd1187 Connection elapsed time: 1.056466632988304
test d34e9bca-cfd9-11ea-9873-962481bd1187 Establishing connection as: user@domain
test d34e9bca-cfd9-11ea-9873-962481bd1187 Begin Execution

For each "test" I have 9 events in Splunk. I want to output to a table like:

ID, Query_status, Query_time, Total_time
d34e9bca-cfd9-11ea-9873-962481bd1187, Success, 0.57, 1.63

Which would be the best method to accomplish this?
Hello, I have a query which works properly and returns values in MS SQL. But when the same query is executed via DB Connect, it returns no rows. Below is a sample of that query, not the original one:

SELECT *
FROM (SELECT abc.row, abc.rsa, abc.desc,
             CASE WHEN resTyp = 'OBJECT' THEN objNa(abc.rsa) ELSE objNa(pt.OBJECT_ID) END AS objNa,
             abc.resTyp, abc.reqMod, abc.reqStat
      FROM sys.abc
      LEFT JOIN sys.pt ON pt.hobt_id = abc.rsa
      WHERE rsa > 0 AND resource_database_id = DB_ID('Database1')) AS locks
ORDER BY objNa

The same query returns rows in MS SQL but not in DB Connect. Please help me find what is causing the issue in the above query.
Hi, in the search below I would like to be able to change the background color according to the value of the FreeSpace field. It works if I delete the formatting of the field

| eval FreeSpace=FreeSpace." GB"

but I need to keep it in the search. How to do this please? Can anybody help?

[| inputlookup host.csv | table host] `diskspace`
| fields FreeSpaceKB host
| eval host=upper(host)
| eval FreeSpace = FreeSpaceKB/1024
| eval FreeSpace = round(FreeSpace/1024,1)
| search host=$tok_filterhost$
| stats latest(FreeSpace) as FreeSpace by host
| eval FreeSpace=FreeSpace." GB"
| table FreeSpace
| appendpipe [| stats count | eval FreeSpace="No event for this host" | where count = 0 | table FreeSpace ]
Greetings folks, and thanks in advance for a little brainpower here. I'm definitely a Splunk novice. I'm trying to pull some tstats values via a REST call from PowerShell, and I can't seem to return any data. I can perform a basic search "search hostname=servername.corp" via this method and it will return the results I expect. The search term that gets me the data I want via the web interface is "|tstats values(host) where index=*"; however, performing this search (with various options for " or ' substitution) via a REST call yields nothing. Thanks in advance for your help. If you're PowerShell fluent, I've included my script chunk below, but this shouldn't be just a PowerShell thing... I'm pretty sure I'm just calling this search the wrong way since, again, I've verified this with a simpler search term. And yes, the credential is valid.

$SplunkAPI = "https://<MySplunkServer>/services/search/jobs/export"
$Search = 'search "|tstats values(host) where index=* by index"'
$Body = @{
  search = $Search
  output_mode = "json"
  earliest_time = "-24h"
  latest_time = "now"
}
Invoke-RestMethod -Method Post -Uri $SplunkAPI -Credential $Cred -Body $Body
I have a query which is able to fetch me the results. I want to extract the fields from the raw data, so I click on 'Extract New Fields'. But the step 'Select Sample Event' just goes on and on, as shown in the image below. Sample data never shows up, hence I am not able to select the target field. I even tried the other route... Event Actions -> Extract Field. But nothing happens and I just see the text 'Loading' on the page, as below: