All Topics

Hi, we have been asked to increase the retention period of our Splunk logs to 1 year; we need our data to remain searchable for 1 year. I'm very confused about hot, warm and cold data: are all of them searchable, or is cold data not searchable? How can we configure this retention period?
Hello Experts. I'm trying to back up our KV stores with the well-documented backup command in a Windows batch file. I tried using CALL as well as START. CALL doesn't do anything. START will initiate another splunk cmd window, but it closes after some seconds without any result. Is there a way to catch errors from the Splunk cmd window? Here is what I tried, with a lot of combinations.

set AppName=my_app
set ArchiveName=What_ever
cd %CorrectFolder%
REM verified by running: echo %cd%
CALL splunk.exe backup kvstore -archiveName %ArchiveName% -appName %AppName%
START "title" "splunk.exe" backup kvstore -archiveName %ArchiveName% -appName %AppName%

Thanks in advance
Paul
Hi, I have set up a source via inputs.conf, in which sourcetype="something" and index="something" are specified. The sources come from UFs. So the question: is inserting the sourcetype into that inputs.conf file enough, or do I also have to create the sourcetype in the GUI, i.e. under Settings > Source types?
I heard that RHEL 7 can have mount points that point to S3...has anyone tried setting that up and placing index buckets on that partition?  Wondering if it's possible or not.
These are a few requirements. (I am a Splunk beginner, please help me.) Plot out devices that degrade over time using specific outliers. Input field to define the total degradation value; calculate before time and after time and have this summarised per device. For each mac on telemetry:
• First calculate the device's uptime value, e.g. by calculating the time delta from (uptime < 1800) up to the next (uptime < 1800). (Note: if the next uptime is not found, then just calculate the time up to the end of the period.)
• Take the memory data (freemem) from the first point and just BEFORE the next point at which the device was rebooted.
• Show the device uptime based on the time calculation between the two points.
• Calculate the delta of memory (freemem) between the two points.
This will need to be put into an indexing page with the query run across the entire telemetry base. The dashboard should have the following inputs: Time period (for before / after delta) + Leak Threshold (number of bytes) + Span Exclude (removing test devices) + One column can show the device's uptime and another column will show the memory degradation.

The events look like this:
2020-07-14 06:43:37.0,0,ERROR,000000000000,na,na,na,na,na,na,na,na,"""na""",na,na,"{""bootid"":0,""deviceid"":""BC10164B002952"",""mac"":""9021063d8898"", ""payload"":{""CPU"":[2,9,85],""Mem"":[253360,124120],""CmsLock"":{""PID"":0,""Dur"":0,""PName"":""NULL"",""Fn"":""NULL""},""IFStat"":{""eth0.1"":[320838754,252147895], ""br0"":[413300414,21771493],""wl1"":[0,430467720],""wds1.2"":[51152432,2323764265],""wl0"":[437899257,6876453],""wds1.1"":[580685048,116947992],""eth0"":[3680810744,927584233]}, ""Eth"":{""0"":{""Type"":""100baseTx-FD."",""LinkUp"":1}},,""Temp"":[45,62]},""model"":""EE120"",""region"":""UK"",""resetid"":""FIRM_FUS"",""sw"":""2.20.2747.R"", ""topic"":""HCTELEM"",""uptime"":271031,""utc"":1594705390,""vc"":""na"",""wakereason"":""na"",""ver"":2}"
I was trying to create a manual notable event using "sendalert notable". But the name of the notable is coming as "Manual Notable Event- Rule". How can I name the notable to exactly what I want? Please note that I want to create the notable through sendalert only.
All users are located under POP_Address. If the POP_Address = 192.168.* or 172.16.*, etc., we consider them to be internal; if not, external. So how can I create a table that can show both POP_Address=192.168.* (Internal) AND POP_Address!=192.168.* (External) and output the User_Name and a count of how many times this user connected?

Example Output:
User_Name    Internal/External    Count

Or something to this effect. In a nutshell, I just want to know how many times each user is connecting and whether it is an internal or external connection, all in one table using just POP_Address. Thanks!
Hi all, I'm dealing with a legacy Splunk installation where I'd like to clean up an index for consistency. Let's say I have an index called 'mydata'. This index is active and has events indexed there fairly regularly (i.e. many times a minute). Previously, this index was defined manually in /opt/splunk/etc/system/local/indexes.conf. The home path was specified as '/opt/splunk/var/lib/splunk/mydatadb/db'. (NOTE: the folder 'mydatadb' in the path.) Most of our other indexes use the convention of naming the home path folder the same as the index. I would like to migrate this existing index to use this pattern. Can I simply update indexes.conf to use '/opt/splunk/var/lib/splunk/mydata/db', then manually rename the folder in the filesystem, and restart the indexer? Is there any metadata or anything else in the db that would cause this path change to break the indexed data?
Recently upgraded Splunk Enterprise Security from 6.1.1 to 6.2.0. The install went fine; however, clicking on Setup gives me the following error, and this happens for both my personal account and the embedded administrator account:
Error: You do not have the permissions to view this page.
Executed the following search: | essinstall --dry-run, which gives the following error:
Error in 'essinstall' command: (Exception) Missing the capabilities to use essinstall command
If I investigate the Job Inspector/search.log I find the following error:
Traceback (most recent call last): File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/essinstall.py" line 385 in run while self._handle_chunk()
Logged into the Splunk server itself via SSH/CLI and ran the command manually ("/opt/splunk/bin/splunk cmd python3 /opt/splunk/etc/apps/SplunkEnterpriseSecurity/bin/essinstall.py") as the splunk user, and got the following error:
Traceback (most recent call last): File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/essinstall.py" line 14, in <module> import splunk.rest as rest
There is more to the error than the above, but I figure I need to solve that issue first before worrying about the rest. It seems it cannot import splunk.rest? I verified that the Splunk server is configured for python3 (not enforced) in local/server.conf, as well as Splunk Enterprise Security, which by default is python3 in inputs.conf; I don't have a custom inputs.conf in local for Splunk Enterprise Security.
I was wondering if someone could provide me with the document "Deploying Splunk Inside Virtual Environments":
https://www.splunk.com/en_us/resources.html#filter/filter1/SplunkEnterprise/filter2/list-item-block/filter3/TechBrief
The link no longer works:
https://www.splunk.com/pdfs/technical-briefs/splunk-and-vmware-vms-tech-brief.pdf
Thank you!!
How to COM+ components of Windows Server in Splunk?
How to know/search Windows Server uptime?
Hello All, I'm displaying failures and delays of some processes running daily. I need to make a dashboard where I have to show the volatility of a process: if the process has both failed and been delayed for the same execution date, I should get a volatility count of 1. Can anybody help me construct an eval query with a condition so that if Delay count = 1 and Failure count = 1 for a particular execution date, the volatility count comes out as 1? Please help.
Hi, while I'm running a Splunk search for a time period of 1 year, I always get this error:
[xxxxindexernamexxxx]  Failed to read size=1 event(s) from rawdata in bucket='os~708~1FBB5DA1-4091-4DEA-9134-E6C689617D66' path='/opt/splunkcolddata/os/colddb/rb_1590815402_1590790190_708_1FBB5DA1-4091-4DEA-9134-E6C689617D66. Rawdata may be corrupt, see search.log. Results may be incomplete!

Does this mean that the particular file "rb_1590815402_1590790190_708_1FBB5DA1-4091-4DEA-9134-E6C689617D66" is corrupted? If so, can we retrieve this? Thanks.
|from datamodel:"Threat"."Threat_one" |search *
and
|datamodel Threat Threat_one search
Both of these queries work every 15 minutes, but after 15 minutes they stop working, and so on. This is happening with this "Threat" data model only. Could you please help me fix this? Thanks in advance.
Hi, I am developing a custom app on Splunk Enterprise and I am looking for a solution to make the <splunk-select> tag more flexible, e.g. we fetch a list of options from a REST API and then loop over it inside the UI file. How can we solve it? Thanks in advance.
Hello All, I'm trying to create a query to find whether a sender email address is similar to the recipient address. For example, in the case below I need to return TRUE:
sender: john.smith@example.com
recipient: johnsmith@gmail.com (or even a recipient like johns@gmail.com)
Is there a way to utilize Splunk ES to perform such an approximate string comparison? Thanks!!
I have a timestamp variable EmailSendAt=2020-07-15 05:52:13.186. Whenever I use stats value(EmailSendAt) as time, it shows me only the date part; the time part is discarded. (I used table also, but nothing changed.)
Hi All, we have an LB sitting in front of two deployment servers, with the LB health rule defined as HTTPS. We tested with a server by updating deploymentclient.conf with the LB name, but the client gets connected and then disconnected after some time. The health rule of the LB was configured as HTTPS. Do we need to change the LB rule to TCP for this connection to work? Regards
Dear community, is it possible with plain Dashboard XML (no JavaScript) to create a reusable component (panels)? In my example I have a huge dashboard with many rows, panels and charts. I want the ability to display and hide everything, and parts of it. This is done by tokens and the XML keyword depends, so this works just fine. I can display and hide panels / rows via multiple filters. But in general I only have about 2 different kinds of charts, with defined options containing things like coloring, size and so on. My actual approach is to copy and paste the same charts and paste in another search (everything else stays the same). Therefore my current dashboard contains 1801 lines of "code", in this case XML tags. To express it in code, I want something like this:

<!-- definition -->
<my-custom-panel>
  <title>$title$</title>
  <chart>
    <search>
      <query>$search-query$</query>
      <earliest>$date_range.earliest$</earliest>
      <latest>$date_range.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="charting.axisTitleX.visibility">collapsed</option>
    <option name="charting.chart">line</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.drilldown">none</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.legend.placement">bottom</option>
    <option name="refresh.display">progressbar</option>
  </chart>
</my-custom-panel>

<!-- usage -->
<my-custom-panel title="chart1" search-query="index ..."/>
<my-custom-panel title="chart2" search-query="index ..."/>

This would reduce my code to something like 500 lines and it would be much easier to handle. HINT: I have seen the Prebuilt Panels feature, but that does not solve my problem here. Thank you so much. Kind regards, Philipp