Hi, I would like to check: is there a way to hide my chart before I select my ASSET_NAME from the dropdown box? For example, the picture below is my initial startup dashboard, but the chart on my right does not make sense; only after I select any of my charts on the left will the right chart make sense. So my question is: is there a way to mask off the initial search? If ASSET_NAME: ALL is selected, my chart on the right should be blank; if there is another selection, it will show the result. Thanks.
Hello, I have configured my service provider as per the following config: SAML Authentication - 4.4.x Documentation - AppDynamics Documentation. Below is the error I get. The weird thing is there is no 'action' parameter meant to exist in the SAML 2.0 protocol.

HTTP Status 400 - 'action' parameter must be specified
type Status report
message 'action' parameter must be specified
description The request sent by the client was syntactically incorrect.

AppDynamics
Hi All, I've created a new app with all the indexes required and have added all the stanzas for parameters. Restarted Splunk on the indexer. Now when I log in, all is good. The indexes are reflected in the GUI and logs are ingesting. But when I try to create a new index, it is throwing the below error.

stanza=alm_win_allservers parameter=frozenTimePeriodInSecs Value supplied='12096000‬' is illegal; default='188697600'

Could you please help here?
Hi, I've created a search which is based on 1 field value, but I need the search to run over many field values rather than many repeating lines. What is the best way to do this? I know what the field values are before the search, too. It will be an alert where, if 1 or more field values match the end criteria, an email is sent. I only want 1 email, not 1 for every field value. Thanks!
Hi, Suppose I have an alert; whenever that alert triggers it should return unique results only. I don't want the previous results of that same alert. If my alert "A" triggers at "A1" time it will return "R1" results; at "A2" time it should return "R2" results, not "R1+R2"; and at "R3" times it should return "R3" results, not "R1+R2+R3". Please tell me what are the things that I need to consider.

Alert search - index=jira "issue is not fixed"
Condition - if number of results is greater than zero
Cron schedule - */5 8-10 * * *
Time range - last 24 hours
Trigger - Once

Thanks in advance
I'm new to Splunk Enterprise. I did some searching and reporting for file log data, and from them I implemented alerting, and it worked well. Is it possible to make my alert show up in the Splunk Enterprise Monitoring Console? When I open the Splunk Enterprise Monitoring Console, all the searches and alerts that I made do not show up there. How do I make the searches and alerts I made show up in the Monitoring Console?

Pict 1: Search and Alert in Monitoring Console (no search and alert that I made)
Pict 2: Search and Alert I made
Hi, I have two different queries and I want to join two columns. Below is my query:

`macro` msg="Finish import*" OR msg = "*inserted for*"
| rex field=msg "Finish import (?<dataField>.+)\s*at\s+(?P<datetime>\S+\s+\S+) processing time=(?<processingTime>\w+)"
| where trim(dataField)="postcode"
| append [ search `macro` msg="*inserted for*" | rex field=msg "(?<records>\d+)+\s[^\s].+for(?<dataField1>.*)" | where trim(dataField1)="postcode" ]
| eval records1 = records+":"+processingTime
| transaction msg maxpause=100s
| strcat records "::" processingTime recordsPr
| table datetime, dataField, records, ts, processingTime, recordsPr, dataField1

I want to combine records and processingTime in one column, like records:processingTime. With eval records1 it does not concatenate, but with string concatenation it looks like below:

Any help would be appreciated. Thanks,
Hello - I am a Splunk newbie.

datetime    Src_machine_name  Col1      Col3
1/1/2020    Machine1          Value1    Value2
1/2/2020    Machine1          Value1    Value5
1/31/2020   Machine3          Vavleu11  Value22
2/1/2020    Machine1          Value1    Value2
2/2/2020    Machine2          Value1    Value5
2/28/2020   Machine3          Vavleu11  Value22

I want to get the sum of all counts of all machines (Src_machine_name) for every month and put that in a bar chart with the name of the month and the count of Src_machine_name in that month. So in January 2020, the total count of Src_machine_name was 3; in February it was 3. This is what I started with:

index="test" | stats count by Src_machine_name

Will appreciate any help.
Hi, Does anyone know how to ingest the WAF logs generated by the Oracle Cloud Web Application Firewall service? The logs are generated in the format indicated here (https://docs.cloud.oracle.com/en-us/iaas/Content/WAF/Tasks/logs.htm) and I cannot seem to find any TA or app that can facilitate log ingestion from the OCI WAF. Any assistance is certainly appreciated! Thanks!
I have a log file like this, and I want to extract with regex everything after the last colon in each line.

Input:

2020-06-28 15:03:32,710 ERROR In--111111 [Processor] FATAL: exception in process: javax.RollbackException: ARJUNA016053: Could not commit.
2020-06-28 14:24:41,322 ERROR In--111111[Processor] FATAL: exception in process: [GG_010] Failed >> 0060:  required to perform this operation (extended persistence context).
2020-06-28 15:03:32,710 ERROR In--111111 [Processor] FATAL: exception in process: javax.RollbackException: ARJUNA016053:Could not update.
2020-06-28 12:08:21,777 ERROR in-app-9999999 [Service] authorize: org.closed.PropertyAccessException: Null value was assigned to a property [class co.domain.entity] of primitive type setter of domain.entity.
2020-06-28 15:03:32,710 ERROR In: Could not commit.
2020-06-28 15:03:32,: 71::0 :ERROR :In: not commit.

Output:

Could not commit
required to perform this operation (extended persistence context)
Could not update
Null value was assigned to a property [class co.domain.entity] of primitive type setter of domain.entity.
Could not commit.
not commit.

Thanks
I have a dashboard that runs a base search and has panels that populate from it. One of the panels has a custom drilldown that sets a token, and that token is used by another panel.

<search id="basesearch"></search>
<panel>
  <title>panel</title>
  <search base="basesearch"><query>| chart c by Name</query></search>
  <drilldown><set token="subpanelfilter">$row.Name$</set></drilldown>
</panel>
<panel>
  <title>subpanel</title>
  <search base="basesearch">
    <query>| search Name="$subpanelfilter$" | chart c over SomeOtherField by SomethingElse</query>
  </search>
</panel>

The results rendered in "subpanel" either show "No Results" or a list of valid results, depending on what I use for the "chart over" value. For example, if I "chart over AFieldWithLongText" then I get No Results, but if I chart over a different field, results populate. One of the fields I am working with is called "Title". An example of Title might be something with this sort of text pattern (to indicate length and the sort of characters found):

1.18 Do not allow the "quick brown fox" to jump over the lazy dog.

Even if I use `| table Title SomeOtherField`, the "Title" column is just cut out, and only "SomeOtherField" is rendered (so it renders the same as if I'd used "| table SomeOtherField"). What could be causing the results to not render because of field characteristics? Thanks in advance.
Working with some Apache logs. I am trying to get a table that displays the uri, the clientip, and the number of times that clientip has hit that uri (as hits). Everything is working as expected except for that table. Why doesn't the uri part work? I get a table with uri that has blank values, and the other fields show the expected values.

index=* clientip=* uri=* | stats count(uri) AS hits by clientip | table uri, hits, clientip
Hi, I am currently integrating logs from an ESET Endpoint Security server. We have configured ESET to send logs in JSON format, but when I applied the _json sourcetype to the logs, it didn't parse correctly. Any ideas?

<12>1 2020-06-28T13:13:25.32Z eset-esmc ERAServer 1319 - - {"event_type":"EnterpriseInspectorAlert_Event","ipv4":"4.5.6.7","hostname":"desktop123","source_uuid":"b851c1bc-0b62-4ca8-888c-c004e0d002f2","occured":"28-Jun-2020 13:09:06","severity":"Warning","processname":"%PROGRAMFILES(X86)%\\google\\update\\googleupdate.exe","username":"nt authority\\system","rulename":"Potential credential dumping - Generic [F0436a]","count":1,"hash":"842AE39880C3C0BC501007B42949950C3D3B7ED3","eiconsolelink":"https://EABC:443/console/detection/29"}
<14>1 2020-06-28T12:58:55.306Z eset-esmc ERAServer 1319 - - {"event_type":"Audit_Event","ipv4":"1.2.3.4","hostname":"eset","source_uuid":"4b643875-9b90-41b7-a046-cc30f6a331d3","occured":"28-Jun-2020 12:58:55","severity":"Information","domain":"Native user","action":"Logout","target":"Administrator","detail":"Logging out native user 'Administrator'.","user":"Administrator","result":"Success"}

Thanks.
Is there a method to do "AND" while writing a regex instead of "OR"? When I write a regex and add it as regex _raw="expression", since it uses "|" it's matching a lot of similar logs.
Hi, We need to extract the text after "description=" between two single quotes (") into a new field "my_description":

,description="Env: Application: Upgrade App  from 1.0.0 to 2.0.0 on server myserver.mydomain.com. This is being done to support the upcoming upgrade to Patch 3 release. All changes and post implementation verification will be done. This has been tested successfully .",

We used the following search extraction, which works for the majority of events, but on rare occasions it is not extracting. Any suggestions?

| rex field=_raw ",my_description=\W(?<description>.*?)\W,"
Hello, after connecting the AWS add-on and configuring it, I have this query which is filling my index with many unwanted events:

index=cloudtrail "userIdentity.sessionContext.sessionIssuer.userName"=PrismaCloudReadOnlyRole errorCode=success

How can I prevent this username from being indexed? Can I do it in the local .conf file? Thanks
Hello All, I have UFs in cloud DCs. The proposed solution is to have SSL between the indexer and the heavy forwarders. The plan is 1 indexer to connect with 3 HFs (both indexer and HFs having SSL). I assume all 3 connections should connect to different ports on the indexer:

Indexer 9997 - 1 connection HF
Indexer 9998 - 2 HF
Indexer 9999 - 3 HF

Also, another question: is there a criterion that if the HF is sending the data via SSL, all the UF agents connecting to the HF also need to have SSL?

Cheers, Praseetha
I have a log file like this, and I want a regex for everything after the last colon in each line.

Input:

2020-06-28 15:03:32,710 ERROR In--111111 [Processor] FATAL: exception in process: javax.RollbackException: ARJUNA016053: Could not commit.
2020-06-28 14:24:41,322 ERROR In--111111[Processor] FATAL: exception in process: [GG_010] Failed >> 0060:  required to perform this operation (extended persistence context).
2020-06-28 15:03:32,710 ERROR In--111111 [Processor] FATAL: exception in process: javax.RollbackException: ARJUNA016053:Could not update.

Output:

Could not commit
required to perform this operation (extended persistence context)
Could not update

Thanks
I have a website with multiple tables that consistently get updated, and the end state is to track/graph changes over time. There are multiple tr's per table that change at different rates throughout the day. Due to the changing at different rates, it appears that my `match` values are sorted alphanumerically (i.e. 621 before 91) and therefore the mvindex changes throughout the day. There is no other "anchoring" information I can scrape from the website other than the cardinal position. Most recent event from `<search> | table match`:

2020-06-28 132 713 41 9 0 0 0 5 33 0
2020-06-28 362 0 0 0 0 0
2020-06-28 621 926 0 8 0 0 0 0
2020-06-28 91 130 0 84 46 0
2020-06-28 93 1094 0 35 1059 0

One previous:

2020-06-28 101 143 0 95 48 0
2020-06-28 104 1252 0 39 1213 0
2020-06-28 150 813 47 9 0 0 0 5 35 0
2020-06-28 408 0 0 0 0 0
2020-06-28 710 1061 0 8 0 0 0 0

As you can see by the number of fields per line, the mv's change order alphanumerically. I assume this is a bug? @LukeMurphey However, I would love an immediate temp solution solved through queries. P.S. I've verified that the table portion is not doing some sort of unexpected "sort".
Hi Splunkers, I'm a newbie in Splunk. I'm trying to create a chart to show the duration between two dates (Occurtime and ClearTime), but I'm unable to get my desired result.

Here's my data:

Data1
1593323763.234,AlarmName="Mains Input Out of Range",State="Unacknowledged & Cleared",EventType="Power System",Occurtime="2020-06-28 11:09:42",ClearTime="2020-06-28 17:55:05"
Data2
1593323716.209,,AlarmName="NodeB Unavailable",State="Unacknowledged & Cleared",EventType="Running System",Occurtime="2020-06-28 11:59:32",ClearTime="2020-06-28 17:55:13"

Here is my query:

| eval dur_sec=strptime(ClearTime,"%Y-%m-%d %H:%M:%S.%N")-strptime(Occurtime,"%Y-%m-%d %H:%M:%S.%N")
| eval dur_sec=round((strptime(ClearTime,"%Y-%m-%d %H:%M:%S.%N")-strptime(Occurtime,"%Y-%m-%d %H:%M:%S.%N")))
| eval duration=tostring(dur_sec,"duration")
| convert num(duration)
| eval duration=round(duration/60,2)
| eval filter=case( searchmatch("AC Failure*"),"Power Outage", searchmatch("Cell Blocked*"),"Cell Blocked", searchmatch("NodeB Unavailable"),"3G Outage", searchmatch("eNodeB S1 Control Plane Transmission Interruption"),"4G Outage",1=1,"No Filter match")
| chart max(duration) over Occurtime by filter

Can anyone help me?