All Topics

I would like to trigger an alert when event 1074 (Windows shutdown) is raised, but only for specific computers. I have a group of about 50 servers and I would like to know if they shut down, but I don't care about workstations in general. Since all events currently go to the same index, I need a way to only trigger the alert when one of the servers raises the event. Short of a huge OR statement in my search, is there a way to do something like this?
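One way to scope the alert to a fixed set of hosts without a long OR list, added here as an example and not part of the post above: keep the server names in a lookup file and let a subsearch generate the host filter. The lookup name monitored_servers.csv (one column, host, one row per server), the index wineventlog and the sourcetype WinEventLog:System are assumptions about the deployment; adjust them to match how the Windows System log is actually ingested.

```spl
index=wineventlog sourcetype="WinEventLog:System" EventCode=1074
    [| inputlookup monitored_servers.csv
     | fields host ]
| table _time host user Message
```

The subsearch expands to (host="srv-app-01") OR (host="srv-db-02") ... and that filter is applied at the indexers, so only the monitored servers' shutdown events are returned and the saved search can alert on any result. Adding a server later is a one-row edit to the CSV rather than a change to the alert. Subsearches are capped (10,000 results by default), which is far above 50 hosts; for a very large list, the alternative is to run the search unfiltered on host and append | lookup monitored_servers.csv host OUTPUT host AS monitored | where isnotnull(monitored), which does the match after retrieval instead.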
I have a list of IP addresses that come from one source. I want a query to list the IP addresses separately and make each its own value, so that when I click on each IP address they are their own event, etc. Thank you,
Hi Team, I have a table drill-down from a single value trellis panel. Since there are a few panels, I have to scroll down to see the drill-down table details. Is there any way we can show the table drill-down right next to the selected trellis single value as soon as we click on it? Regards, Manish
Hi,

When I am using the Splunk admin username and password, I am able to get the indexes via the code below:

HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);
ServiceArgs loginArgs = new ServiceArgs();
loginArgs.setUsername("USER");
loginArgs.setPassword("PASS");
loginArgs.setHost("HOST");
loginArgs.setPort(8089);
loginArgs.setScheme("https");
Service service = Service.connect(loginArgs);
System.out.println("printing indexes" + service.getIndexes().values().toString());

But when I try to connect with the HEC token created via Splunk Web, I get a 401 Unauthorized exception:

HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);
Service service = new Service("HOST", 8089);
service.setToken("xxxxx-xxxx-xxxx-xxxx-xxxxxxxxx");
System.out.println("printing indexes" + service.getIndexes().values().toString());

I am getting the exception below:

Exception in thread "main" com.splunk.HttpException: HTTP 401 -- Unauthorized
at com.splunk.HttpException.create(HttpException.java:84)
at com.splunk.HttpService.send(HttpService.java:500)
at com.splunk.Service.send(Service.java:1295)
at com.splunk.HttpService.get(HttpService.java:169)
at com.splunk.ResourceCollection.list(ResourceCollection.java:288)
at com.splunk.ResourceCollection.refresh(ResourceCollection.java:331)

Should I use service.setToken("Basic" + "xxxxx-xxxx-xxxx-xxxx-xxxxxxxxx");, or is there some other configuration required to use a token?
Hi @gcusello, the following is the query that used to return database records but is now not working:

dbquery wmsewprd "select REC_TYPE, CODE_TYPE, CODE_DESC, SHORT_DESC, USER_ID from SYS_CODE_TYPE"

Regards, Rahul
Oracle Linux 7.5, Splunk Core 7.2.5
Alert name: DMC Alert - Critical System Physical Memory Usage

The alert works on the REST command below, which pulls two fields from the systems: mem and mem_used.

| rest splunk_server_group=dmc_group_* /services/server/status/resource-usage/hostwide

We have learned, after confirming with Oracle support, that this alert is giving a false value. As per them, when running the "free -m" command: "In Oracle Linux 7/8, the focus should be on the "available" column. The available column estimates how much memory is available for starting new applications without swapping. If the system still has 28G available memory and you see 26G in "used", that is because this is how Linux behaves. Linux treats the memory that can be made available upon request as "used"." Also see https://www.redhat.com/sysadmin/dissecting-free-command

So, I am interested in fetching the "available memory" field from the hosts, so that I can do some eval and then optimize the existing alert to fit our needs. Is there any way to pull the "available memory" field from the hosts?
Hi Everyone, I have data like below:

Certificate1, expirydate-15/7/2020, a@gmail.com
Certificate2, expirydate-18/7/2020, b@gmail.com

I need to set up email alerts in such a way that when the expiry date is today, an alert is sent to that particular email ID automatically. I have around 1000 certificates, so if I do it manually it takes so much time. Is there a way we can automate this? Please help out.
Hi all, I recently upgraded my Splunk instance to version 8.x (whatever the newest one was a week ago). I reconfigured pretty much everything as I had it before (on v7.x) and I have noticed I can no longer get my email notifications to work. I am using exactly the same settings for email as I used in version 7, but with version 8 I get these error messages:

ERROR sendemail:475 - (550, '5.7.60 SMTP; Client does not have permissions to send as this sender') while sending mail to: nick.xxxxx@xxxxxx.xxx

I have configured Splunk to use our local Exchange server for sending emails, and it is set to send emails as myself to myself. I have the correct settings/ports for TLS and the auth part; I have verified these settings using PowerShell and another Python script and they both work, it's just Splunk that doesn't work. I suspect that something is being changed when the sendemail attempt happens, but I cannot see anything in the logs to see exactly what is being sent. Any ideas on how to troubleshoot? I looked in splunkd.log and there is nothing really more than the above.
Hi @gcusello, we are using the following query:

index=main sourcetype=wms_oracle_sessions
| bucket span=5m _time
| stats count AS sessions by _time,warehouse,machine,program
| search warehouse=ql
| stats sum(sessions) AS psessions by _time,program
| timechart avg(psessions) by program

I found that the sourcetype does not exist. Can we create the sourcetype with the same name, i.e. wms_oracle_sessions? If yes, what else do I need to do to get the events? Regards, Rahul
Configure a webhook to receive events from a third-party application. I configured it from Data Inputs, but we are not receiving any data. I provided the Splunk Web UI and port 8081 to the Azure team to configure the webhook action and send events, but it's not working. Any suggestions?
Hi All. I have a local instance on my laptop for demo purposes, so no complex deployment on this machine. I have created an eventtype="event1" which should be used in the search filtering terms for a role in order to restrict searches. I then create a role named "role1":

1. Inheritance: none
2. Capabilities: run_collect, run_mcollect, schedule_rtsearch, search
3. Indexes: main
4. Restrictions: (index::main) AND (sourcetype::source) AND (eventtype::event1). If tested, this SPL correctly returns the results I want the role to be able to search on.
5. Resources: nothing changed

I then save the role and assign it to the demo user. I also restarted Splunk as the docs say. When I log in with the demo user, I can see all the events and it is not filtering by the restrictions of its role. Any clue on this? Thanks!
Hi everyone, silly question, but I'm not very practiced with Splunk queries. How do I speed up a search that is currently taking around half a minute for just a few hundred hits? This is the code:

index=* cs_stage=IT cs_component_id=*mynab.nab.wesit.rowini.net* message="*sCB\=200*" AND message="*sCF\=200*" AND reqF="*/rewards/c/d/*"
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
| stats count by date
Hi All. I have a local instance on my laptop for demo purposes, so no complex deployment on this machine. I have created an eventtype="event1" which should be used in the search filtering terms for a role in order to restrict searches. I then create a role named "role1":

1. Inheritance: none
2. Capabilities: run_collect, run_mcollect, schedule_rtsearch, search
3. Indexes: main
4. Restrictions: (index::main) AND (sourcetype::source) AND (eventtype::event). If tested, this SPL correctly returns the results I want the role to be able to search on.
5. Resources: nothing changed

I then save the role and assign it to the demo user. I also restarted Splunk as the docs say. When I log in with the demo user, I can see all the events and it is not filtering by the restrictions of its role. Any clue on this? Thanks!
Hi Splunkers, I've got a CSV with the following structure: CreationTime,LastWriteTime,Name,Length,Directory. I want to set my timestamp to "Current" when uploading data. My problem is, when I set the timestamp to "Current", Splunk generates a new field named "timestamp" and all values in this field are "none" (see screenshot on the right side). This problem only occurs when choosing "Current"; all other options don't have this additional "timestamp" field.
Hi there, after making changes such as editing server roles or adding search peers in the Distributed Monitoring Console, I am clicking on "Apply Changes" for the changes to take effect. I am getting the message "Loading ... Please wait while we save your configuration." After that I am not getting a message like "Success", and the changes are also not taking effect. The "assets.csv" file is not getting updated. Let me know how to fix this issue.
Hi, I need help applying color to avg(alert_level) in a pie chart.

SPL: index=xxx | stats avg(alert_level) by id

Sample data:
alert_level, id
6,1234
2,3456

Condition: if alert_level is 6, then the id should show in red in the pie chart; if alert_level is 2, then the id should show in green in the pie chart. Kindly help.
When visiting https://splunkserver/en-US/app/Splunk_ML_Toolkit/inputs I got two 404 errors for "common.js" and "entry_page.js", so I tried 'find . -name common.js' but it returned nothing. I also checked many different versions at https://splunkbase.splunk.com/app/2890/ and pretty much no version contains these two missing JS files. Does anyone know how I can solve this issue?
What is the major difference between these in the streamstats command? I could understand why these functions are used, as I get the same result on search for reset_on_change even if I give the Boolean values. For reset_before and reset_after, I couldn't understand how the eval expression works for them.
Hi, can I check if there is a way to split my chart according to a timestamp? This is my code:

DESCRIPTION="* sump *" OR (DESCRIPTION="* ejector pump *" AND DESCRIPTION="* run/stop *") (VALUE="RUN" OR VALUE="STOP" OR VALUE="TRIP")
| eval TIMEONLY=strptime(CREATEDATETIME, "%d/%m/%Y %I:%M:%S %p")
| eval _time=TIMEONLY
| rex field=VALUE mode=sed "s/TRIP/STOP/g"
| rex field=DESCRIPTION mode=sed "s/Trip/Run\/Stop/g"
| rex field=ASSET_NAME "^(?<LOCATION>[^/]+)"
| streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME DESCRIPTION LOCATION
| stats range(_time) AS duration list(VALUE) AS VALUES min(_time) AS _time BY TransactionID ASSET_NAME DESCRIPTION LOCATION
| stats sum(duration) AS ActiveTime BY LOCATION
| head 10
| sort by -ActiveTime

What this does is get the operating time of all my pumps and sum them up together, but I would like to see the sum of my operating time month by month. Is there a query I can use so that they can be shown monthly? The first picture is my bar chart; the second picture is what I wish to see. I was thinking of using timechart, but I am not sure what the correct syntax is. I had tried using "timechart span=1d count by LOCATION" but no results were found. I hope someone understands what I mean and could help me out, thanks.
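To split the summed duration by month, added here as an example and not part of the post above: bucket the per-transaction _time into calendar months before the final stats, then pivot so each LOCATION becomes its own series. The search below reuses the post's own commands up to the per-transaction stats (the list(VALUE) column is dropped because it is not needed for the total); only the last three commands are new. Field names are the post's; the data itself is not assumed beyond what the post shows.

```spl
DESCRIPTION="* sump *" OR (DESCRIPTION="* ejector pump *" AND DESCRIPTION="* run/stop *") (VALUE="RUN" OR VALUE="STOP" OR VALUE="TRIP")
| eval _time=strptime(CREATEDATETIME, "%d/%m/%Y %I:%M:%S %p")
| rex field=VALUE mode=sed "s/TRIP/STOP/g"
| rex field=DESCRIPTION mode=sed "s/Trip/Run\/Stop/g"
| rex field=ASSET_NAME "^(?<LOCATION>[^/]+)"
| streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME DESCRIPTION LOCATION
| stats range(_time) AS duration min(_time) AS _time BY TransactionID ASSET_NAME DESCRIPTION LOCATION
| bin _time span=1mon
| stats sum(duration) AS ActiveTime BY _time LOCATION
| xyseries _time LOCATION ActiveTime
```

Because min(_time) already makes each transaction row a proper event time, bin span=1mon snaps that time to the first of its month and the second stats sums per month and location. xyseries then produces one row per month with a column per LOCATION, which is the shape the column/bar chart visualisation expects for a stacked or grouped monthly view. ActiveTime is in seconds; divide by 3600 in an eval before the xyseries if hours are wanted on the axis.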
STDERR - Sending POST request to url=http:/XXX.XXX.XXX.XXX:XXXX/ with size=448 bytes payload

How do I resolve this error?