I am implementing a streaming distributed custom command in Python which needs to access the KV store on the search head where the command has been issued. The KV stores are too large to distribute them to the indexers, and simple lookups are too slow. To connect to the KV store with a REST call, I am using the session_key to authenticate:

    import splunklib.client as client  # Splunk SDK client used by connect() below

    kwargs = {}
    kwargs["owner"] = "nobody"
    kwargs["app"] = "search"
    kwargs["host"] = "<hostname>"
    self.headers = {'output_mode': 'json', 'count': 10000}
    # connect to splunkd with the session key handed to the command
    self.connection = client.connect(token=self._metadata.searchinfo.session_key, **kwargs)

From then on I access the KV store with kvs = self.connection.kvstore[.....] and result = kvs.data.query(........). But the instance of the executed command on an indexer fails with a login failure, as it gets the session_key from the local session on the indexer, which is not valid to connect to the search head. Is it possible to execute a part of the command on the search head before it gets distributed and pass its result (the session_key) to all distributed executed instances?
Hi all, Can I display the left and right panel based on an even or odd click? For example, I have a chart, and a row with the title "Comparison" including a left panel and a right panel. So, my question is: for an even click (0,2,4,...) the left panel will be changed, and the right panel will be changed with an odd click (1,3,5,...). Example code:

    <row>
      <panel depends="$ver$">
        <title>Here is the chart</title>
        <chart>
          <search>
            <query>index=idx MODEL IN ($model$) LOCAL=$location$ source="*" | dedup VERSION sortby -TOTALSIZE | chart values(TOTALSIZE) by VERSION </query>
            <earliest>$time.earliest$</earliest>
            <latest>$time.latest$</latest>
          </search>
          <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
          <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
          <option name="charting.axisY.abbreviation">none</option>
          <option name="charting.chart">column</option>
          <option name="charting.chart.showDataLabels">minmax</option>
          <option name="charting.chart.stackMode">default</option>
          <option name="charting.drilldown">all</option>
          <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
          <option name="height">600</option>
          <option name="refresh.display">progressbar</option>
          <drilldown>
            <set token="version">$row.VERSION$</set>
          </drilldown>
        </chart>
      </panel>
    </row>
    <row>
      <panel depends="$version$">
        <title>LEFT PANEL</title>
        <table>
          <search>
            <query>index=flash MODEL IN ($model$) LOCAL=$location$ source="*" | search VERSION&lt;$odd_click_verion$ | stats count by VERSION | sort -VERSION</query>
          </search>
        </table>
      </panel>
      <panel depends="$version$">
        <title>RIGHT PANEL</title>
        <table>
          <search>
            <query>index=flash MODEL IN ($model$) LOCAL=$location$ source="*" | search VERSION&lt;$even_click_verion$ | stats count by VERSION | sort -VERSION</query>
          </search>
        </table>
      </panel>
    </row>

I appreciate any help & comments.
Hi, I have to instrument the Java agent for a Tableau application. I am able to update the config file after extracting the agent files, but I need help in updating the Java parameter.
We have lost all data recorded in Splunk Mint for our mobile app. This happened with both the iOS and Android apps, which have several million hits. Does anyone have an idea what could cause it? Thank you.
Hello, I am trying to build a report where I can list all the notable events with associated investigations. The output should be a table with some selected columns from the notable event and an additional column: investigation name. I looked at various macros which pull investigation collaborators but couldn't find anything which will pull notables for an investigation, to see if it can be done that way. I hope that makes sense. I will appreciate any help. Thanks, regards, Tanmay
Reposting a question from our support channel in case others run into this:

    root@splunk:~# splunk-appinspect --help
    Traceback (most recent call last):
      File "/usr/local/bin/splunk-appinspect", line 5, in <module>
        from splunk_appinspect import main
      File "/usr/local/lib/python3.5/dist-packages/splunk_appinspect/__init__.py", line 2, in <module>
        from . import environment_validator
      File "/usr/local/lib/python3.5/dist-packages/splunk_appinspect/environment_validator.py", line 15
        f"Python version {version_detected} was detected."
                                                         ^
    SyntaxError: invalid syntax

Here's my current Python version:

    root@splunk:~# python --version
    Python 3.5.3
Like Splunk Mint, which is available for mobile apps, is there any similar app available for collecting metrics from browser applications?
Hi! Hope everyone is doing well. Looking into a replacement for the Splunk_TA_nexus add-on (https://splunkbase.splunk.com/app/1710/), mainly the parsing functionality. Does anyone know of an app / add-on that will replace the add-on above? I suppose the regex could be extracted and put into an app of our own, but it would be preferable to have one that is maintained. (This is a repost because of naming it incorrectly in the former post.) Thanks!
Hello All, I'm new to Splunk and working on onboarding one of my error logs to Splunk. Somehow my props.conf for the sample logs below seems not to be working. Any help would be greatly appreciated.

    2020-06-05 07:03:56,639 2020-06-05 11:03:56,639 ERROR [11] Error Message: [RecId=xxxxxxxx][host=xxxxxxx][userID=xxxxxxx] Exception: System.InvalidOperationException: The view 'Error' or its master was not found or no view engine supports the searched locations. The following locations were searched:
    ~/Areas/Summary/Views/PaySummary/Error.aspx
    ~/Areas/Summary/Views/PaySummary/Error.ascx
    ~/Areas/Summary/Views/Shared/Error.aspx
    ~/Areas/Summary/Views/Shared/Error.ascx
    ~/Views/PaySummary/Error.aspx
    ~/Views/PaySummary/Error.ascx
    ~/Views/Shared/Error.aspx
    ~/Views/Shared/Error.ascx
    ~/Areas/Summary/Views/PaySummary/Error.cshtml
    ~/Areas/Summary/Views/PaySummary/Error.vbhtml
    ~/Areas/Summary/Views/Shared/Error.cshtml
    ~/Areas/Summary/Views/Shared/Error.vbhtml
    ~/Views/PaySummary/Error.cshtml
    ~/Views/PaySummary/Error.vbhtml
    ~/Views/Shared/Error.cshtml
    ~/Views/Shared/Error.vbhtml
       at System.Web.Mvc.ViewResult.FindView(ControllerContext context)
       at System.Web.Mvc.ViewResultBase.ExecuteResult(ControllerContext context)
       at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass3_1.<BeginInvokeAction>b__5(IAsyncResult asyncResult)
       at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
       at System.Web.Mvc.Controller.<>c.<BeginExecuteCore>b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState)
       at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
       at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
       at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
       at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
       at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState)
       at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
       at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
       at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    2020-06-05 07:03:56,843 2020-06-05 11:03:56,843 ERROR [15] Error Message: [RecId=xxxxxxxx][host=xxxxxx][userID=xxxxxx] Exception: System.InvalidOperationException: The view 'Error' or its master was not found or no view engine supports the searched locations. The following locations were searched:
    ~/Areas/Summary/Views/PaySummary/Error.aspx
    ~/Areas/Summary/Views/PaySummary/Error.ascx
    ~/Areas/Summary/Views/Shared/Error.aspx
    ~/Areas/Summary/Views/Shared/Error.ascx
    ~/Views/PaySummary/Error.aspx
    ~/Views/PaySummary/Error.ascx
    ~/Views/Shared/Error.aspx
    ~/Views/Shared/Error.ascx
    ~/Areas/Summary/Views/PaySummary/Error.cshtml
    ~/Areas/Summary/Views/PaySummary/Error.vbhtml
    ~/Areas/Summary/Views/Shared/Error.cshtml
    ~/Areas/Summary/Views/Shared/Error.vbhtml
    ~/Views/PaySummary/Error.cshtml
    ~/Views/PaySummary/Error.vbhtml
    ~/Views/Shared/Error.cshtml
    ~/Views/Shared/Error.vbhtml
       at System.Web.Mvc.ViewResult.FindView(ControllerContext context)
       at System.Web.Mvc.ViewResultBase.ExecuteResult(ControllerContext context)
       at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass3_1.<BeginInvokeAction>b__5(IAsyncResult asyncResult)
       at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
       at System.Web.Mvc.Controller.<>c.<BeginExecuteCore>b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState)
       at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
       at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
       at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
       at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
       at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState)
       at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
       at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
       at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Hi! Hope everyone is doing well. Looking into a replacement for the Splunk_TA_nexus add-on (https://splunkbase.splunk.com/app/1710/), mainly the parsing functionality. Does anyone know of an app / add-on that will replace the add-on above? I suppose the regex could be extracted and put into an app of our own, but it would be preferable to have one that is maintained. Thanks!
I'm trying to use DBX (v3.3) to execute a stored procedure in one of our application databases. Not sure if I have a syntax problem here or not. The database is MS SQL and I can use DBX to execute queries against it, so I know the connection is good. The stored proc uses the following parameters:

    @_StartTime (datetime, Input, No default)
    @_EndTime (datetime, Input, No default)
    @_Pool (nvarchar(256), Input, No default)
    @_Interval (int, Input, No default)
    @_WindowSize (int, Input, No default)

In SQL Management Studio I can execute the following and get results (2 lines):

    EXEC [LcsCDR].[dbo].[CdrRegistrationSummary] @_StartTime = '20200615', @_EndTime = '20200616', @_Pool = null, @_Interval = 1440, @_WindowSize = 0;

In Splunk, using the following search returns no errors and no results:

    | dbxquery procedure="{call LcsCDR.[dbo].[CdrRegistrationSummary](?, ?, ?, ?, ?)}" connection="SkypeBackEndSQL" params="2020-06-15,2020-06-16,null,1440,0"

Thoughts?
This site can't be reached
localhost refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
In the past I once knew how to create a single radio button that, when selected, would reset all desired dashboard tokens, by using XML. This button would also reset itself back to being de-selected (not filled). Does anyone know how to do this? I learned how to do this previously in one of Splunk's courses, but I am not entirely sure which course it was (SF 1-3 or Adv. DB Creation).
Hi All, I have created a single value panel and then wanted to have a drilldown search query, not a dashboard query. I was able to do it, but I have an issue: if the drilldown search query contains "creationhybris&gt;$tokearliest$ and creationhybris&lt;&$toklatest$", then the search query is not working. It is showing blank in the URI. Here creationhybris is the field which contains the epoch time, and we have already converted the earliest and latest into epoch time in the XML query of the dashboard. Please help here if someone has any idea how to resolve this issue.
I am working on creating a simple UI environment and want to include links to a related Splunk search result web dashboard to make a more coherent experience for the user. For example, say I have an incident named "Hello World" in my simple UI; if the user clicks on Splunk from this simple UI, the user is navigated to the Splunk Web dashboard with the logs filtered by the keyword "Hello World". I would be very grateful if you could please share your thoughts on this, and let me know if you have any questions.
Hello people, I am updating the version of Splunk (currently 7.3.3) to 8.0.4. The problem that I have is that when I started the upgrade, it upgraded perfectly, but when I want to check Splunk Web, it appears down. The message that I have after upgrading is this:

    Splunk> CSI: Logfiles.

    Checking prerequisites...
            Checking http port [8000]: open
            Checking mgmt port [8089]: open
            Checking appserver port [127.0.0.1:8065]: open
            Checking kvstore port [8191]: open
            Checking configuration... Done.
            Checking critical directories...        Done
            Checking indexes...
                    Validated: _audit _internal _introspection _metrics _telemetry _thefishbucket canales cobis controlm crm cts duenios f5 hbbe history main monitoreo openshift portales prueba_metric summary woci workflow
                    Done
            Checking filesystem compatibility...  Done
            Checking conf files for problems...
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_donut_c3/default/savedsearches.conf, line 3: display.visualizations.custom.viz_donut_c3.c3donut.expand  (value:  false).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_donut_c3/default/savedsearches.conf, line 4: display.visualizations.custom.viz_donut_c3.c3donut.width  (value: ).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_donut_c3/default/savedsearches.conf, line 5: display.visualizations.custom.viz_donut_c3.c3donut.label_threshold  (value:  .05).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_donut_c3/default/savedsearches.conf, line 6: display.visualizations.custom.viz_donut_c3.c3donut.label_value  (value:  ratio).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_donut_c3/default/savedsearches.conf, line 7: display.visualizations.custom.viz_donut_c3.c3donut.label_show  (value:  true).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_donut_c3/default/savedsearches.conf, line 8: display.visualizations.custom.viz_donut_c3.c3donut.label_format  (value:  %).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_donut_c3/default/savedsearches.conf, line 9: display.visualizations.custom.viz_donut_c3.c3donut.legend_show  (value:  true).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_donut_c3/default/savedsearches.conf, line 10: display.visualizations.custom.viz_donut_c3.c3donut.legend_position  (value:  bottom).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_donut_c3/default/savedsearches.conf, line 11: display.visualizations.custom.viz_donut_c3.c3donut.tooltip_value  (value:  default).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_donut_c3/default/savedsearches.conf, line 12: display.visualizations.custom.viz_donut_c3.c3donut.tooltip_show  (value:  true).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_donut_c3/default/savedsearches.conf, line 13: display.visualizations.custom.viz_donut_c3.c3donut.tooltip_format  (value:  %).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/wordcloud_app/default/savedsearches.conf, line 2: display.visualizations.custom.wordcloud_app.wordcloud.useColors  (value:  true).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/wordcloud_app/default/savedsearches.conf, line 3: display.visualizations.custom.wordcloud_app.wordcloud.alignmentMode  (value:  horizontal).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/wordcloud_app/default/savedsearches.conf, line 4: display.visualizations.custom.wordcloud_app.wordcloud.backgroundColor  (value:  #fff).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/wordcloud_app/default/savedsearches.conf, line 5: display.visualizations.custom.wordcloud_app.wordcloud.colorBy  (value:  colorMode).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/wordcloud_app/default/savedsearches.conf, line 6: display.visualizations.custom.wordcloud_app.wordcloud.colorMode  (value:  categorical).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/wordcloud_app/default/savedsearches.conf, line 7: display.visualizations.custom.wordcloud_app.wordcloud.numOfBins  (value:  3).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/wordcloud_app/default/savedsearches.conf, line 8: display.visualizations.custom.wordcloud_app.wordcloud.minColor  (value:  #f7bc38).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/wordcloud_app/default/savedsearches.conf, line 9: display.visualizations.custom.wordcloud_app.wordcloud.maxColor  (value:  #d93f3c).
                    Invalid key in stanza [default] in /opt/splunk/etc/apps/wordcloud_app/default/savedsearches.conf, line 10: display.visualizations.custom.wordcloud_app.wordcloud.splunkTastic  (value:  false).

Can anyone help me?
We ingest the debug logs from our Autodesk license servers into Splunk for license usage reporting, pool exhaustion alerting, etc. I am trying to create a few reports to measure our unique user counts and maximum usage for our Autodesk licensing. I am getting some inconsistent results where the number of unique users is a lot lower than the max number of users over the same time frame. I feel like something is wrong with the unique users query, as the max users query results are pretty close to what I see in the live data. I am pretty new to Splunk, so I suspect I am doing something wrong, but after many hours of trial and error I cannot figure out what. The queries are below; I would appreciate any suggestions anyone may have.

Unique users per application query:

    index="autodesk-licensing"
    | lookup autodesklicenses.csv Feature AS product OUTPUT FriendlyName AS "product"
    | rename "product" AS "Application", "username" AS "Username", "lichost" AS "Hostname"
    | dedup Username
    | addtotals
    | stats count BY "Application"
    | rename "count" AS "Total Unique Users"

Maximum usage query:

    index="autodesk-licensing" sourcetype="lmutil"
    | lookup autodesklicenses.csv Feature AS product OUTPUT FriendlyName AS "Autodesk License"
    | timechart max(current_license_usage) span=8hours by "Autodesk License"
    | eval date_wday=lower(strftime(_time,"%A"))
    | where NOT (date_wday="saturday" OR date_wday="sunday")
    | fields - date_wday
I'm using the Machine Learning Toolkit (MLTK) to detect outliers. It envelopes my line chart between the upper and lower bounds and uses these to determine whether or not there are outliers. If I reduce the number of data points by zooming in on a particular time period of my line chart, the number of outliers increases. I know that the number of data points changes the numbers in the math, and that we have to tune our model to our needs, but do you have any advice on how to tune this, or how to determine what a large enough sample is so that I don't miss any outliers? The major outliers are always obvious, but how can I make my outlier detection more "capable" at detecting outliers that are not so obvious (since they're not as drastically deviated as some other outliers are)?
I have a search that returns events with many different URLs:

    index=test URL=*

I want to obtain a count of events per URL. However, some of the URLs are slightly different, so I want to group them together. Example of my URL values:

    /login/
    /login/
    /api/customer/5542-a44/data
    /api/customer/5c77-59w/data
    /api/customer/7a88-134/data
    /weather/forecast/
    /api/savedseach/7775
    /api/savedseach/4788
    /new/user

What I would like to end up with:

    URL                  COUNT
    /login/              2
    /api/customer//data  3
    /weather/forecast/   1
    /api/savedseach/     2
    /new/user            1

I'm using | stats count by URL. However, as mentioned above, my issue is with the URLs that have ids or guids in them.
Hi All, I have recently upgraded Splunk memory to 64 GB. I am observing strange behaviour in that the process is consuming 90% of the memory. I have seen the same behaviour for the past year, during which I have increased the RAM from 16 GB to 64 GB. Most of the memory is cache. Can anyone let me know if this is normal behaviour for indexers with high memory along with cache?