Hello everyone..... I have been trying to get CPU time for different workloads. However, for some workloads I am getting multiple entries of CPU Time..... How do I avoid getting multiple entries? Please see the query I am working on below...

    | fields SMF30JBN DATETIME SMF30CPT
    | eval Job_Name=SMF30JBN, Date=substr(DATETIME,1,10)
    | eval WORKLOAD=substr(Job_Name,1,3)
    | eval CP_Time=SMF30CPT
    | eval cpu_time=strptime(SMF30CPT,"%H:%M:%S.%2N")
    | eval base=strptime("00:00:00.00","%H:%M:%S.%2N")
    | eval ctime=cpu_time-base
    | eval ctime=round(ctime, 2)
    | stats values(ctime) as CPU_TIME by WORKLOAD Date
Hello, I'm new to the Splunk ES world. What I'm trying to do is list the date and time of the last comment entry that appears in the investigation comment section under Incident Review. The time actually appears when reviewing investigations via the GUI, but I need to be able to get that time listed next to the comment column in this search:

    `notable`
    | rename owner_realname as Analyst, comment as Comment, status_label as Status, savedsearch_description as Trigger_Reason, rule_name as Title
    | search Status=*
    | eval Destination=coalesce(dest_url,threat_match_value)
    | nomv Destination
    | eval Source=coalesce(src, sender)
    | eval Urgency=urgency
    | convert ctime(_time) as Time
    | table Urgency, Time, Title, rule_description, Comment, Status, Analyst
    | sort -Urgency
I am trying to develop a dashboard with various dependent dropbox getting their data from a lookup table, like the one below.

If the user selects the All button and clicks on the submit button, I just want the details of the data based on the filters to be used in my search. The store no. is multi-select and all other filters are dropdowns. I am using this store no. as the base of the search for the rest of the dashboard details.

Looking for suggestions.

PS: I am a newbie to Splunk.
Hello Everyone, we are sending VPN data via syslog over UDP to our Splunk server. The reason we are using syslog and not a forwarder is that we wanted to filter the VPN logins to only show the ones that are for our environment; this is why we used syslog. Anyway, my concern is that I have been reading online that having the syslog sent to the Splunk server can cause issues, and Splunk would need to operate as root to access the syslogs. Should I have a separate server for the syslogs and then figure out a way to send them to the Splunk server?
Hi all, after setting up the universal forwarder on an Exchange server, which configuration should be done in the GUI while selecting logs/log types? Any tips or tweaks? I do not wish to use the Exchange Splunk app, which requires a separate license. Thank you.
Hi friends, I am a newbie with Splunk and trying to set up an email alert for the errors being logged in Splunk. When I trigger the email manually with the below command, it sends fine.

    index=uat | head 5 | sendemail from="abc@abc.com" to="abc@abc.com" server=localhost subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true

But when I try to send emails to the same user via alerts it doesn't work. I can see the alert executing fine and fetching records to send. As I am on the cloud, I don't have control over setting up mail server details. Can anyone point me in the right direction?
Hi Splunk Experts, we have a requirement to show % availability using a Single Value panel as shown below. We used trellis, but with trellis the panels below are not displayed in the scheduled PDF of the dashboard. Then we changed the approach and put individual panels for each entity shown below, but the challenge here is that we are unable to split the single value panel. Please let me know if anyone has come across the same problem and how you resolved it.
I am aware that answers.splunk.com has changed engines and is now community.splunk.com. The migration announcement states that user profiles would be migrated. Post history, responses, upvotes, etc... I signed in (my password still worked) and found my account to be blank. Says I've been a member for 1 day, no posts, no upvotes, no history. Six (?) years of Splunk Answers history all gone.  Is this expected behavior? 
I have a token that I'm setting in JavaScript's $(document).ready function. The token is set when the dashboard's main TableView loads up with data. But when the TableView returns no data, I'm seeing "No results found." in the field associated with the token (JS code snippet below). I was expecting that $(document).ready would fire regardless of whether a TableView's search returned data or not. Any help would be appreciated.

Rick

    require([
        "underscore",
        "jquery",
        "splunkjs/mvc",
        "splunkjs/mvc/searchmanager",
        "splunkjs/mvc/searchbarview",
        "splunkjs/mvc/searchcontrolsview",
        "splunkjs/mvc/tableview",
        "splunkjs/mvc/simplexml/element/table",
        "splunkjs/mvc/textinputview",
        "splunkjs/mvc/dropdownview",
        "splunkjs/mvc/timerangeview",
        "splunkjs/mvc/eventsviewerview",
        "splunkjs/mvc/simplexml/ready!"
    ], function(_, $, mvc, SearchManager, SearchbarView, SearchControlsView, TableView, TableElement, TextInputView, DropdownView, TimeRangeView, EventsViewer) {
        var tokens = mvc.Components.get("default");
        var selected_values_array = [];
        var submittedTokens = mvc.Components.get('submitted');

        $(document).ready(function () {
            var service = mvc.createService();
            service.currentUser(function(err, user) {
                real_name = user.properties().realname;
                usr = user.name;
                email = user.properties().email;
                roles = user.properties().roles;
                if (real_name == "") {
                    real_name = "FNU"; // full name unavailable (not in splunk)
                }
                if (email == "") {
                    email = "EMU"; // email unavailable (not in splunk)
                }
                current = real_name + " (" + email + ")";
                tokens.set("userName", current);
            });
        });
    });
Need help excluding results which have field values that show up in another field.

Search:

    | tstats `summariesonly` values(Authentication.user_priority) as user_priority earliest(_time) as earliest latest(_time) as latest count from datamodel=Authentication where Authentication.signature_id=4624 Authentication.Authentication_Package=NTLM Authentication.Logon_Type=3 Authentication.user!="ANONYMOUS LOGON" Authentication.Logon_Process="NtLmSsP" NOT Authentication.type=Information NOT Authentication.Key_Length=0 by Authentication.dest Authentication.user Authentication.dest_nt_domain
    | `drop_dm_object_name("Authentication")`

Results: the dest field has fully qualified hostnames (computername.xx.mycompany.com; can also be computername.yy.mycompany.com or computername.zz.mycompany.com). The dest_nt_domain field should only have domains but also has computernames (computername), not fully qualified.

How do I exclude results which have dest_nt_domain values that match dest values?

Example: dest=lab001.xx.mycompany.com dest_nt_domain=lab001

Any dest field value that starts with the dest_nt_domain value, I would like excluded from results. The above example should be excluded.
Is there any way we can create tags using SPL? I checked the documentation and mostly the `|tags` command is used to create a new field called test with all the tags in it:

    |tags outputfield=test

Appreciate your help in advance.
We are looking to create an alert that will trigger if two distinct events happen. The first event is a DB health check and the second is a services check. We want the alert to trigger if the DB comes back unhealthy AND the service is running. I can search for either event, but combining the searches with an append or a multisearch seems to act as an OR, where the events show up even if only one of the searches has results. We only want the alert to trigger if both searches return values.
I have some JSON coming in from syslog and there's a bunch of added junk that's inhibiting the field extraction. I tried

transforms.conf:

    [eliminate_header]
    REGEX=s/^[^{]+//g
    DEST_KEY=queue
    FORMAT=nullQueue

and props.conf:

    [syslog_cue]
    TRANSFORMS-t1=eliminate_header

and a couple other things, but can't quite seem to get the outcome I want. Testing the regex works, but isn't helping in the way I need it to.
I have a dashboard that's similar to this, however I'm running into a problem... Is it possible to use a single token (Text token) to search multiple fields at once?

For example, from the csv file:

    Stockticker  StockDescription  Stock Price  CompanyName
    JMS          Food              1            JM Smucker Co
    CO           Food              2            Carpy Oscar
    CSS          Consumer goods    2.40         Consumer Staples Select Sector SPDR ETF (XLP)
    FINC         Goods             5.12         Food. Inc

The user puts "Co" in the token field and their return fields are:

    JMS          Food              1            JM Smucker Co
    CO           Food              2            Carpy Oscar
    CSS          Consumer goods    2.40         Consumer Staples Select Sector SPDR ETF (XLP)

Is there a way to search multiple fields with one single token and match that token's value to those multiple fields to return their respective rows?

    <form>
      <label>Stocks dashboard</label>
      <description>Stocks dashboard</description>
      <fieldset submitButton="true" autoRun="false">
        <input type="text" token="Stocks">
          <label>Put Stock ID here</label>
          <initialValue>*StockTicker*</initialValue>
        </input>
      </fieldset>
      <row>
        <panel>
          <title>Stocks</title>
          <table>
            <title>Stocks</title>
            <search>
              <query>| inputlookup Stocks.csv|table Stockticker,StockDescription,"Stock Price",CompanyName|Search Stockticker=$Stocks$ |Search StockDescription=$Stocks$|Search CompanyName=$Stocks$ </query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
              <refresh>10m</refresh>
              <refreshType>delay</refreshType>
            </search>
            <option name="count">100</option>
            <option name="drilldown">cell</option>
            <option name="refresh.display">preview</option>
            <option name="rowNumbers">true</option>
          </table>
        </panel>
      </row>
    </form>

The query:

    | inputlookup Stocks.csv|table Stockticker,StockDescription,"Stock Price",CompanyName|Search Stockticker=$Stocks$ |Search StockDescription=$Stocks$|Search CompanyName=$Stocks$

The issue is that the token only searches for the first field that is given, which is Stockticker=$Stocks$ .... So if a user puts Co into the input..... they only get this for the return:

    Stockticker  StockDescription  Stock Price  CompanyName
    CO           Food              2            Carpy Oscar

What the user should be getting when using the dashboard to search:

    JMS          Food              1            JM Smucker Co
    CO           Food              2            Carpy Oscar
    CSS          Consumer goods    2.40         Consumer Staples Select Sector SPDR ETF (XLP)

Is there a way to do that through a csv file for a Splunk query?
I already have a Splunk Indexer, and the data is being sent there.  I have a separate ES server.  How do I view my data from here?
Hello all, looking for some help integrating a lookup table into my failed login search. What I am trying to achieve is to look for any events matching the base search I have below, using each of the account name variations in the table. Any help is much appreciated.

base search:

    index=wineventlog OR index=h_wineventlog EventCode=4625 user=(LL,CL,TL would go here) | stats count by user

example of table below:
Hi, I want to add a new database to AppDynamics to start monitoring the SaaS controller. How can I find the details of port, configuration, server, database, etc? Regards, Sania. ^ Post edited by @Ryan.Paredez to improve the title. Please make your titles clear and concise. This makes posts more discoverable via search and scanning the community
We have been collecting syslog data on our hosts for the past 5 years or so. Syslog is in our 'main' index, along with other events.  We performed a query today and noticed that all of our data in 'main', and a few other indexes, prior to late-2018 are gone. *poof*   Looking at our monitoring graphs, it looks like our disk space usage plummeted back in March, which is probably when this happened.  I have no idea where the data went. The time of the drop in disk usage does not correspond to any upgrade or maintenance during that period.  Can anyone offer suggestions on how to troubleshoot this? Is it possible that, for some reason, Splunk rolled it over to frozen? I'm grasping. Any suggestions would be appreciated.  Thanks!
I know this has probably been asked before, but I haven't found an answer yet. Is there any way to know which are all the Splunk servers (Search Heads, Indexers, Deployment Server, Master Node, etc.) in a distributed environment with a REST call made via SPL? I would be grateful if the query does not have to be run from the server instance where the Monitoring Console is enabled. Basically I would need to have the same result you can get by clicking on "Instances" in the Monitoring Console. Thanks a lot, Edoardo
We recently upgraded Splunk from 6.05 to 8.03. Afterwards, we realized numerous alerts are using the flashtimeline view, which no longer works. Is there a way to update the alerts to the search view or timechart?