Hi, I see error messages from the exec processor on my Splunk DB Connect installs where dbxquery complains about input that suspiciously looks like stuff from Nessus. So it seems that dbxquery is listening on the Ethernet. How can I stop that? Methinks it should listen only on localhost, if it needs to listen at all.

thx afx
Here is my search:

index=database action_id="CR" OR action_id="AL" database_name="test" NOT (server_principal_name = account_1 OR server_prinicipal_name = account_2 OR server_prinicipal_name = account_3)

The search results still show events including server_prinicipal_name=account_1, server_principal_name=account_2 and account_3.
Hello community of Splunk, I am currently developing an app in Splunk 7.0 and trying to adapt it to 8.0. Locally I use the dependencies Horseshoe Meter and Bullet Graph, and I would like to add these visualizations to the same app I am developing for Splunkbase. Is there any possibility of adding these dependencies directly to my app package so it can be uploaded to Splunkbase? Or does the user need to download the dependencies in advance in order to view the visualizations?

Thanks in advance
Not sure if this is a potential bug or simply not doable, but I am trying to colour format a field whilst comparing it to the expected value of another field, i.e. if field 1 != field 2 then colour field 1 red. Below is the sample from the source used:

<format type="color" field="netbox_tenant">
  <colorPalette type="expression">if (netbox_tenant!=tenant,"#53A051","#DC4E41")</colorPalette>
</format>

The result looked like below:

Those top three should be green based on the logic, although it appears to colour everything with the first choice colour. I have tried multiple different statements (case etc.) but it doesn't seem to want to work. Any ideas?
Good day, is it possible to get the above visualization in Splunk? I'm kind of new and lost; I designed this myself using PowerPoint. We want to get a view of all the services running on our servers to be like the above image on Splunk dashboards. We are currently running a cron script on our server and forwarding the results to our Splunk server every 5 minutes. The results look like the above screenshot. We want a live view of all the services running, with green being up and red being down.
Hi Team,

I'm trying to connect to MongoClient using a Node.js script. I'm passing the same certificate that we used earlier to connect through mongoose.connect.

==========================================================
var MongoClient = require("mongodb").MongoClient,
    f = require('util').format,
    fs = require('fs');

const options = {
  server: {
    //sslValidate:true,
    sslCA: fs.readFileSync("/etc/ssl/mongo-certs/client-combined.crt"),
    sslKey: fs.readFileSync("/etc/ssl/mongo-certs/client.key"),
    sslCert: fs.readFileSync("/etc/ssl/mongo-certs/client.crt"),
  }
}

MongoClient.connect("mongodb://username:password@hostname:27017/databasename?ssl=true&authSource=admin", options, function (err, database) {
  console.log("Not Connected");
  if (err) return console.error(err);
  console.log("We are connected");
});
==========================================================

Can you please help with this? The log says the following; I'm getting the error below:

2020-07-05T11:52:44.869+0000 I ACCESS [conn805] authenticate db: admin { authenticate: 1, user: "myassistroot", nonce: "5be2405f5a0d1eed", key: "d140b8834a2f96624991bfa9cdf911df", $db: "admin" }
Hello everyone, Which is better to showcase critical business data? Funnel or business journey? Can someone please explain the differences with an example.  Thanks, Sravan
Hello guys, does Splunk CIM implementation (after app setup) require admin permissions? If yes, is it needed all the time, or is it mainly for creating event types/tags as seen at https://docs.splunk.com/Documentation/CIM/4.16.0/User/UsetheCIMtonormalizedataatsearchtime#3._Configure_CIM-compliant_event_tags ? Thanks.
I want to get some ideas on search-time field extraction.

I already know the precedence when there are host, source, and sourcetype stanzas: (highest) host > source > sourcetype (lowest) https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Wheretofindtheconfigurationfiles

I also know that search-time precedence follows the order below: EXTRACT > REPORT > KV_MODE > FIELDALIAS > EVAL > LOOKUP https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Searchtimeoperationssequence

But I wanted to understand the questions below for this configuration:

[host::test]
EXTRACT-a = <regex that extract field a="h1">
EVAL-b = "h2"

[source::test]
EXTRACT-a = <regex that extract field a="s1">
EVAL-b = "s2"
EVAL-c = "s3"
EXTRACT-e = <regex that extract field common="s4">

[test]
EXTRACT-a = <regex that extract field a="st1">
EVAL-b = "st2"
EXTRACT-c = <regex that extract field c="st3">
EXTRACT-d = <regex that extract field common="st4">

What will be the final output fields in the above scenario?
In what sequence will the extractions (all the parameters) be evaluated?
Are there any parameters that will be skipped?
When we say "X" is applied before parameter "Y", how do we know whether that will override the field value or keep the value from the first extraction parameter?
Is there any document that gives an idea of these scenarios?
I have the below command to set up ES through the CLI, but I am looking to install only the Juniper add-on. Please let me know the command for it. I remember that we have the option to see the essential command arguments from the Splunk server. Please let me know the file which has the command argument details.

/opt/splunk/bin/splunk search '| essinstall --deployment_type shc_deployer --skip-ta'
Hello! If I understand correctly, Splunk Cloud doesn't currently have any deployment servers? If so, can you explain how to configure a universal forwarder that sends data to Splunk Cloud but using an add-on? Thank you
Hi everyone, I have a dashboard with a custom stylesheet that works beautifully on the light theme. When the theme changes to dark, the CSS is no longer compatible with the visual requirements. I do have another stylesheet that I could use with that theme, though. My question here is: "Is it possible to automate the custom stylesheet change on theme change?" So far I tried using a token reference like:

<form stylesheet="$stylesheet$.css" theme="light">

and then changing that token in an input accordingly. I was also not able to solve this using custom JS. Would appreciate any help on this. Thanks
Splunk Query for adding a column for ISP of blocked IP address?    Thank you,
I just upgraded from 7.2.4 to 8.0.4.1. So far everything seems to be OK apart from two data models. Web still works, but Authentication and Change (Account) both report the following error:

Error in 'TsidxStats': A field for an aggregate function is missing or invalid. Aggregate functions require fields with valid values to complete their arguments.

This happens for even the simplest query, like | tstats values from datamodel=Authentication

Unfortunately I see no further explanation or hints in the search log. Any ideas on how to get this fixed?

thx afx
Is it possible to get the TAG data of a server from the AppDynamics API? I have a Machine Agent installed on an Ubuntu host on AWS, and from AppDynamics > Servers > Dashboard I can see a pane with "Tags", i.e.: AWS|Instance-Type, AWS|region, AWS|ami-id, etc. I am looking for a way to extract this information from the AppDynamics API.
Hi, @chrisyounger, I'm trying to create a flow diagram (using Flow Map Viz) with a couple of nodes and want to draw a node to show grouping of a couple of nodes (kind of like a boundary box with less opacity). I can see that the 'boundary box' node in some cases lies on top of the other nodes and in some cases the other nodes lie above the boundary. I noticed this because when you mouse over a node, instead of the node tooltip, I see the tooltip of the boundary box. Is there a way to ensure that the boundary box node lies below all other nodes, i.e. to ensure the correct order of layers? Regards, Eby
Hi, as of 6th July 2020, version 3.0.1 of the "Microsoft Azure Add on for Splunk" app ( https://splunkbase.splunk.com/app/3757/ ) states "This version is not yet available for Splunk Cloud." in the compatibility section, and version 3.0.0 is not available to download, so new Splunk Cloud users can't currently install this app. I'm guessing that given version 3.0.1 of the app was released on 27th June 2020, it hasn't gone through cloud vetting yet. While version 3.0.1 of the app is going through cloud vetting, could version 3.0.0 be enabled for download for new Splunk Cloud instances? Thanks Mark
Good afternoon, I am trying to mask an email address at the search head level. I have tried using rex and sed but can't get it to work. Does anyone have any examples?

thanks

Joe
I can't assign roles to, and can't see, new users in the Splunk search head for the last 2 weeks. We have LDAP auth. A part of the log:

07-06-2020 11:15:31.651 +0300 ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="ext01d3695". Search filter="(&(uid=EXT01D3695)(&(status=1)(l=KAYSERI)))" strategy="TEST-ISTANBUL"