I want to convert a column of text values into a percentage.

STATUS
ontime
late
ontime
late
Hello, we want to filter some fields of received events before indexing to save license, for example, in a firewall traffic log we want to delete the country field in the event and index the remaining fields or parts of the event. How can we do that? Can we do that with a Heavy Forwarder? We don't want to drop any events, we just want to delete some parts of events before indexing.
Hello, we have 2 separate Splunk indexer clusters with 2 separate licenses for each one. Can we forward data to both of them from one Heavy Forwarder? What license should we use on the HF?
index= base search | stats count, avg(ElapsedTime) as duration by requestName, LogType, errorMessage, HttpStatus, isValidError

Is there any way I can calculate the success percent of each requestName field based on HttpStatus values (<299 success and >299 failure) before executing the stats command and then include that in the result table? Appreciate any help.
I used the Splunk Catchpoint add-ons to fetch the data from Catchpoint. But after I mapped it into Splunk I can see only 12 hours of data in Splunk. I want all 24 hours of data. Can anyone tell me what settings I need to modify in Catchpoint or in the Splunk add-on?
Hello, I am new to Splunk and the Citrix environment. I wanted to know the steps to install the Splunk UF for getting the OS-level logs from systems in a Citrix environment (XenApp, XenDesktop, XenServer). Is there any link or guide I can refer to and install the UF on these systems? Also, what is the difference between the Splunk add-ons for XenApp, XenDesktop, XenServer and the UF? Which is the best practice?
I frequently use my 400+ Splunk saved reports. Thus I'm constantly accessing this URL: http://splunkServer.com:8000/en-US/app/search/reports and then typing into the search box in the middle (which filters the reports displayed in real time). Is there any direct URL which can search/list my saved reports? (i.e. a URL that can give me the same output as typing into the search box in the URL above), i.e. something like http://splunkServer.com:8000/app/search/saved-reports/reports?q=Cisco (and then I'll see any of my saved reports where the report title matches "Cisco").

I'm trying to add my Splunk saved searches as a "My Search Engines" entry in the Chrome browser, such that I can just type into the Chrome URL bar: spr <tab> blah (and it will bring me to a page showing any saved reports matching "blah"). The closest I've been able to pull out is a long Splunk URL which I can add a search query to, but it returns my saved-report matches as raw JSON. Thanks.

-----------

BTW: A super useful, related tip for others: I'm already doing this for Splunk searches (this = Chrome URL bar -> Splunk search results) via the URL below (note the %s at the end; Chrome uses %s to fill in what you have typed into the Chrome URL bar):

http://splunkServer.com:8000/en-US/app/search/search?earliest=-4h%40m&latest=now&q=search%20%s

(The Chrome setting for this is located in: Settings -> Search Engine -> Manage Search engines -> "Other Search Engines" (Add).) So using the Chrome keyword "sp" I'm able to type into the Chrome URL bar: sp <tab> blah and I get the Splunk search results for "blah" for the past 4 hours. (Of course I can also do: "sp <tab> index=network blah", and so on.) Thanks
<form theme="dark">
  <label>U Clone</label>
  <fieldset submitButton="true">
    <input type="radio" token="field1">
      <label>Select Parameter (Ensure all are null and no spaces)</label>
      <choice value="Email ID">Email</choice>
      <choice value="usrid">External User ID</choice>
      <choice value="wid">W ID</choice>
      <change>
        <condition value="Email ID">
          <set token="inputemail"></set>
          <unset token="tknusr_id">NULL</unset>
          <unset token="tknwid">NULL</unset>
        </condition>
        <condition value="usrid">
          <unset token="inputemail">NULL</unset>
          <set token="tknusr_id"></set>
          <unset token="tknwid">NULL</unset>
        </condition>
        <condition value="wid">
          <unset token="inputemail">NULL</unset>
          <unset token="tknusr_id">NULL</unset>
          <set token="tknwid"></set>
        </condition>
        <condition>
          <unset token="inputemail">NULL</unset>
          <unset token="tknusr_id">NULL</unset>
          <unset token="tknwid">NULL</unset>
        </condition>
      </change>
      <initialValue>Email ID</initialValue>
    </input>
    <input type="text" token="dn" depends="$inputemail$" searchWhenChanged="false">
      <label>Email ID</label>
      <default>NULL</default>
    </input>
    <input type="text" token="usrid" depends="$tknusr_id$" searchWhenChanged="false">
      <label>External User ID</label>
      <default>NULL</default>
    </input>
    <input type="text" token="wid" depends="$tknwid$" searchWhenChanged="false">
      <label>W ID</label>
      <default>NULL</default>
    </input>

Above is my code for inputs, a dynamic radio button setup. I want to make the values which are not selected null. If the user enters a value and makes a search with it, and when he wants to search with a different value, the other two should become null.

E.g. primarily the user searches by email_id and then searches with wid; the email_id should become null. Only the results for the respective wid should be displayed.

Thanks in advance!
Hey, can you please assist me with how to index this field: What I'm trying to do is to know which index has the 'true' value in it and take action accordingly. For example, in pseudo code:

if (message.anomaly.features{}.anomaly[0] == true) then newfield = 0

Thanks!
Found an issue with "Developer Guidance - Setup View Example For Splunk": after clicking on the "Perform Setup" button I am returned to the "App configuration" in Firefox. The app.conf is correctly updated in local, but a restart is still needed to not see the "App configuration". In Chrome everything is working as expected. Any advice on what should be changed in the JS so that it would work fine also in Firefox?
Hi, I am trying to use a value from the below log in a drop down and then filter based on this value in a panel. How can I extract this? Please guide.

Drop Down: Field_ID
umt_nic_rbg_config.json
mrd.json
rbg_config.json
nic_rbg_config.json

/apps/dat/smrdau/xyz/mrd/temp/umt_nic_rbg_config.json_bu1595098800
/apps/dat/amrdau/xyz/mrd/temp/mrd.json_date=202
/apps/dat/amrdu/xyz/mrdap-ingestion/temp/rbg_config.json_business
/apps/dat/amrdau/xyz/mrdap/temp/nic_rbg_config.json_bdate=2020
Splunk is getting duplicate events from the Azure billing API. We are using the inbuilt Azure connector to onboard the data. 2 events are returned at the same time but the cost differs:

{"name": "subscriptionID              ", "type": "Microsoft.Consumption/usageDetails", "tags": {"environment": "production", "application-name": ""}, "id": "/subscriptions/providers/Microsoft.Billing/billingPeriods/20200301/providers/Microsoft.Consumption/usageDetails/"properties
Hello, I have a sourcetype called "signons" and it has a field called "Session_ID" and "System_Account". In my search, I am looking for any proxy sessions and want to display those proxy sessions with the same "Session_ID" in the sourcetype called "user_activity". To check if a session is a proxy session, the "System_Account" field has the words "on behalf of". Here is my search so far:

index="foo" host="bar" sourcetype="signons" System_Account="*on behalf of*"

One example of an event that returns:

"System_Account": "12345 / Aaron Cherian on behalf of 67890 / John Doe", "Authentication_Type": "Proxy Started", "Session_ID": "4743ha", "Is_Admin": "1", "Elapsed_Time_Minutes": "1029"

I want to take this Session_ID (there are multiple different Session_IDs because there are many proxy sessions that are being run during the day) and search for the events in a different sourcetype called "user_activity" (this basically checks the user activity for that specific Session_ID). Here is my search for that:

index="foo" host="bar" sourcetype="user_activity" 4743ha

This is just displaying the events for that specific Session_ID. Is there a way to search for all Session_IDs that have the words "on behalf of" in the "System_Account" field in the "user_activity" sourcetype and display the events? Basically I want to combine these two searches for all proxy Session_IDs. Thanks!

EDIT: I have posted the same post accidentally under a different category. I am unsure how to delete it. I apologize for the double post.
If I run a POST search method, it returns a sid. How would I come to know that the search is complete and that when I make a GET call I would be able to fetch the results? I saw something like search_listener but wasn't able to understand it. Both POST and GET are being done through a Java program. Also I know that by using exec_mode: oneshot I can retrieve the results in the POST call only, but what if POST and GET are to be done separately?
Hi, questions:

1) Does Splunk Enterprise Security already have some rules inside by default? When you buy it, I mean.
2) Where can I create rules in it? Do they have to be created from Splunk Enterprise and exported into there, or can I create them inside that (where)?
3) Do you know any free course about it to advise?
4) What is the Risk Analysis panel in it used more for?
5) Does Splunk Enterprise Security need one license apart from that of Splunk Enterprise?
6) How much does a license for that cost?
7) Where can alarms be created in it?
DBConnect 3.3.1 initial setup encountering "cannot communicate with task server" and a Python script error. DBConnect has this issue in our environment when a user's setting for Time Zone is set to anything other than "–Default System Timezone–". Anyone else have this issue?
Seems pretty simple, but it's kicking my butt, so here I am. I've tried more variations than I'd like, but I have a ton of log writes. Some of them are response values. What I'd like to do is create a simple table displaying the URL, its total number of incoming requests, and its total number of error responses. I can't get the error responses to work properly. In the latest iteration, this is what I have:

... line.status != "" | stats count as total_requests by line.url | eventstats count(eval(line.status!="200")) as errors by line.url

line.status doesn't exist on every log write, of course, so I want to search only on log writes that document a response; for those, line.status will exist. total_requests works as expected, but errors does not. Ideally, errors could be a count where line.status > 399, but the value is a string and nothing I've tried has worked properly. I either get a query error, a 0 value, or a 1 value for all line.url values. Where am I going wrong here?
Getting incomplete results (a lesser number of events) when using the REST API. The same search I run in Splunk Enterprise gives 90 events always, but the Splunk API is returning only 12-14 events (varying). Both the searches have earliest_time=-1d and the exec_mode is oneshot, so I am getting the results back then only. Here I was using the search/jobs API and oneshot mode, so the results were incomplete. I read somewhere and rather used POST: search/jobs, GET: search/jobs/{sid} in a while loop and then retrieved results, but the results still are incomplete. Can't seem to find a solution; would be great if anyone could help. My search looks like this, although not sure if it matters:

index="val" [search index="val" field1="val2" | dedup field2 | format] | eventstats count by field2
I'm trying to extract this line from my Linux logs in Splunk using rex, but I'm not sure how to extract it:

TCP 191.174.4.187:80 -> 10.10.50.26:100