How do we uninstall existing AppD configuration from our SAP systems? Looking for documentation for uninstallation process for machine agents, Java agents, ABAP App agents and Datavard transports.
I am trying to create a sourcetype for a new client. Note StartDate=xxxx is where the log begins. However the StartTime=*** is not with it, but I need both in the logs. How do I create this sourcetype?

C:\Program Files\Universal\UAGSrv\xxx>set StartDate=Mon 07/29/2024
C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024
C:\Program Files\Universal\UAGSrv\xxx>set sdm=07
C:\Program Files\Universal\UAGSrv\xxx>set sdd=29
C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024
C:\Program Files\Universal\UAGSrv\xxx>set sdm=07
C:\Program Files\Universal\UAGSrv\xxx>set sdd=29
C:\Program Files\Universal\UAGSrv\xxx>set StartTime=14:45:09.56

Any assistance would be very helpful and appreciated.
I have Service_names (A, B, C, D, E, F, G, H, I, J, K, L, M) but want (C, D, E, F, G, H, I, J, K, L, M) services_names renamed as "Other_Services".
| Stats by services_names | table services_names time_Taken
Thanks in advance!
How do I get the users who have not logged into Splunk for the last 30 or 90 days, using the audit or _internal index?
Hi AppDynamics Community, I have a scenario where I have 6 different MariaDB instances running in 6 different containers on the same server host, and I have 1 Linux VM to install the Database Agent on. So do I need 6 Database Agent licenses for the 6 collectors to configure, or do I need just 1 Database Agent for the VM in which I can configure the 6 collectors? Thanks in advance. Hope everybody has a great week! Regards
I just installed the CEF Extraction add-on for Splunk. I want to try this, for example:
| makeresults | eval _raw="CEF:0|vendor|product|1.0|TestEvent|5| filename=name.txt ip=10.10.1.2 fullname=mike reacher status=ok" | kv | table fullname filename ip *
Why didn't it work? All this because the default kv doesn't support multi-word strings with whitespace.
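One way to pull whitespace-containing extension values out of a CEF line like the one in the post above, as an added Python example that is not part of the original post and not the CEF Extraction add-on's own code: the header is split on its seven pipe-delimited fields (honouring the `\|` and `\\` escapes CEF allows there), then extension keys are located with a `key=` pattern so that each value runs up to the start of the next key, which is what lets `fullname=mike reacher` come through whole. Note that a CEF header has seven fields (version, vendor, product, device version, signature ID, name, severity); the line in the post carries only six before the extension, so the constructed sample here adds a name field. All sample values are made up.

```python
import re

# Constructed sample, modelled on the event in the post above, with the seventh
# header field (name) that the posted line lacks. Values are made up.
SAMPLE = ("CEF:0|vendor|product|1.0|TestEvent|Test event|5| "
          "filename=name.txt ip=10.10.1.2 fullname=mike reacher status=ok")

HEADER_FIELDS = ["cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity"]

# An extension key is a run of key characters followed by '=' at the start of the
# extension block or right after whitespace. A '\=' inside a value is preceded by a
# backslash, which is not a key character, so it never starts a new key.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")


def _split_header(raw):
    # Returns the seven header fields and the remaining extension text.
    # Only '\|' and '\\' are escapes in the header; both are unescaped here.
    fields, buf, i = [], [], 0
    while i < len(raw) and len(fields) < 7:
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] in "|\\":
            buf.append(raw[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, raw[i:]


def _unescape_value(value):
    # Extension escapes: '\=' -> '=', '\\' -> '\', '\n' and '\r' -> newline / CR
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef(raw):
    """Parse one CEF line into a flat dict of header and extension fields."""
    if not raw.startswith("CEF:"):
        raise ValueError("not a CEF line")
    header, extension = _split_header(raw)
    event = dict(zip(HEADER_FIELDS, header))
    event["cef_version"] = header[0][len("CEF:"):]
    # Each value runs from its '=' to the start of the next key, so it may contain spaces.
    keys = list(KEY_RE.finditer(extension))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(extension)
        event[m.group(1)] = _unescape_value(extension[m.end():end].strip())
    return event


if __name__ == "__main__":
    for k, v in parse_cef(SAMPLE).items():
        print(f"{k}={v!r}")
```

The same boundary rule (a value ends where the next `key=` begins) is what a field extraction for this format has to encode; a plain key=value splitter that breaks on whitespace will always cut `mike reacher` in half.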
It is like that for a couple of minutes. I tried to refresh the page and reupload and it behaves the same. What can I do?
Is it possible to set a token based on the value of the x-axis label on a column chart by clicking on the column?  I am able to set the new token to the value (number) or name (count) but that doesn't give me what I need.  I need to pass the X label to a second search.
I have a deployment where multiple computers are sending logs to a WEF server using WEF (Windows Event Forwarding). I tried to map the ComputerName field to the host field but failed to do so. Now I want to create an alert if any of the computers is not sending logs to Splunk. How can I do so? The method defined by Splunk is based on the index, host and sourcetype fields, which will remain the same for all computers in our case.
Hi, I ran into an input issue with S3, where the bucket is not in an AWS Security Lake. Is it possible to use the Splunk Add-on for AWS to ingest an S3 bucket with Parquet-formatted files?
Hi, Apologies if I'm using the wrong terminology here. I'm trying to configure SC4S to override the destination indexes of types of sources. For example, if an event is received from a Cisco firewall, by default it'll end up in the 'netfw' index. Instead, I want all events that would have gone to 'netfw' to go to, for example, 'site1_netfw'. I attempted to do this using the splunk_metadata.csv file but I now understand I've misinterpreted the documentation. I had used 'netfw,index,site1_netfw' but if I understand correctly, I'd actually need to have a separate line for each key such as 'cisco_asa,index,site1_netfw'. Is that correct? Is there a way to accomplish what I want without listing each source key? Thanks
Hi, can you please let me know how we can combine the outputs of multiple searches into a single field? For example, we need a single output for the below 2 searches:

Search1:
`macro_events_all_win_ops_esa` sourcetype=WinHostMon host=P9TWAEVV01STD (TERM(Esa_Invoice_Processor) OR TERM(Esa_Final_Demand_Processor) OR TERM(Esa_Initial_Listener_Service) OR TERM(Esa_MT535_Parser) OR TERM(Esa_MT540_Parser) OR TERM(Esa_MT542_Withdrawal_Request) OR TERM(Esa_MT544_Parser) OR TERM(Esa_MT546_Parser) OR TERM(Esa_MT548_Parser) OR TERM(Esa_SCM Batch_Execution) OR TERM(Euroclear_EVIS_Border_Internal) OR TERM(EVISExternalInterface)) | stats latest(State) as Current_Status by service | where Current_Status != "Running" | stats count as count_of_stopped_services | eval status = if(count_of_stopped_services = 0 , "OK" , "NOK" ) | table status

Search2:
`macro_events_all_win_ops_esa` host="P9TWAEVV01STD" sourcetype=WinEventLog "Batch *Failed" System_Exception="*" | stats count as count_of_failed_batches | eval status = if(count_of_failed_batches = 0 , "OK" , "NOK" ) | table status

Output: If the status for search1 and the status for search2 are both OK, then the output should be OK. If the status for search1 or the status for search2 is NOK, then the output should be NOK.
Hello, I am currently using Splunk UF 7.2 on a Windows Server, and my UF is configured on the D drive. I am getting the below error messages in splunkd.log:

07-29-2024 09:07:25.343 +0100 ERROR ExecProcessor - message from ""D:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: Win32_Service | SELECT Name, Caption, State, Status, StartMode, StartName, PathName Description)
07-29-2024 09:07:25.343 +0100 ERROR ExecProcessor - message from ""D:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: Win32_PerfFormattedData_PerfProc_Process | SELECT Name, PSComputerName, WorkingSetPrivate, IDProcess, PercentProcessorTime)"

$SPLUNK_HOME\etc\system\local\inputs.conf:
[default]
host = <hostname>
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

wmi.conf:
[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 2
checkpoint_sync_interval = 2
[WMI:LocalProcesses]
interval = 20
wql = Win32_PerfFormattedData_PerfProc_Process | SELECT Name, PSComputerName, WorkingSetPrivate, IDProcess, PercentProcessorTime
disabled = 0
[WMI:Service]
interval = 86400
wql = Win32_Service | SELECT Name, Caption, State, Status, StartMode, StartName, PathName Description

Can someone please help? I am not using the Splunk Add-on for Windows.
I've been using a free version of Splunk Cloud, creating dashboards over the past couple of days; it's been great. Last night when I tried to log in using my password I got this message:

For security reasons, your account has been locked out. Please try again later or contact your system administrator.

As far as I know, I am the administrator. I cannot find a way to change settings through the splunk.com account I used to log in.
Hello, I have one big index with lots of files, and I want to reroute logs from there to different indexes. The reroute will be by a regex that looks for the domain name in the logs. For each domain I will create a separate stanza in transforms.conf, for example:

[setIdx-index1]
REGEX = ^(?!.*{ "workflow_id": .*, "workflow_type": .*, "workflow_name": .*, "jira_ticket": .*, "actor": .*, "deployment_status": .*, "start_time": .*, "end_time": .*, ("app_name"|"additional_data"): .* }).*$
FORMAT = new_index
DEST_KEY = _MetaData:Index
LOOKAHEAD = 40000

My question is about props.conf: how should I configure it if I have more than 1 index?

[index1]
TRANSFORMS-setIdx = setIdx-index1
TRANSFORMS-setIdx2 = newIndex
TRANSFORMS-setIdx3 = newIndex1
TRANSFORMS-setIdx4 = newIndex2

Should it work?
Hello Splunk Community, For compliance reasons, I need to figure out an efficient way to archive the notable events that are generated by the correlation searches in Enterprise Security. My first thought is to create an index for these notable events and configure Dynamic Data Self Storage. Is this a good solution, and is it feasible in Splunk Enterprise? I would appreciate any support here and thank you in advance!
Hello All, I have tried installing the .NET agent 24.x version on my Windows machine and used the .NET agent configuration wizard to create a tier for the default web site under the IIS pool, and restarted the IIS/Coordinator service. I could see that in the SaaS controller only the machine agent is reporting, but I don't find the app agent in up status and the tier is not visible. Note: I tried re-installing and restarting the services multiple times but it did not make any difference, and I enabled debug as well, but in the logs I don't find any error, only the messages of metric registration, which is successful. Any suggestions would be helpful. Thanks in advance
Hello, I am on Windows and am newer to Splunk, and I have been doing some learning, so I was getting ready to follow along with some modules. But when I went to try and open the \bin, I came to find out that I don't even have the Splunk folder in my Windows folder! The only folder I can find with the name Splunk is a .splunk folder under my laptop user. Did I do something wrong in the installation process, and is there a way to resolve this?
I was wondering if there was a query to track flows through multiple firewalls. For example, I want to track the flow source IP ---> Firewall A ---> Firewall B ---> Firewall N ---> destination IP. I understand that accuracy is not going to be there when dealing with NATs/PATs and of course delays along the path. However, if there are no delays and no NATs I am wondering if this would be possible and what that would look like.
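The path reconstruction asked about above, as an added Python example that is not part of the original post and not a Splunk query: each firewall's records are joined on the 5-tuple (source, destination, destination port, protocol), which is exactly the no-NAT/PAT assumption the post makes, the hops are ordered by timestamp, the same tuple is split into separate flows when consecutive records are more than a few seconds apart, and the firewall that denied the flow (if any) is reported. The log records are constructed, and the firewall names and the 5-second window are assumptions.

```python
from collections import defaultdict

# Constructed firewall log records (not real data): epoch time, firewall name,
# the 5-tuple fields, and the action each firewall took on the flow.
LOGS = [
    {"t": 100.0, "fw": "FirewallA", "src": "10.1.1.5", "dst": "203.0.113.9", "dport": 443, "proto": "tcp", "action": "allow"},
    {"t": 100.2, "fw": "FirewallB", "src": "10.1.1.5", "dst": "203.0.113.9", "dport": 443, "proto": "tcp", "action": "allow"},
    {"t": 100.5, "fw": "FirewallC", "src": "10.1.1.5", "dst": "203.0.113.9", "dport": 443, "proto": "tcp", "action": "allow"},
    {"t": 100.6, "fw": "FirewallC", "src": "10.1.1.5", "dst": "203.0.113.9", "dport": 443, "proto": "tcp", "action": "allow"},  # session-end record, same hop
    {"t": 300.0, "fw": "FirewallA", "src": "10.1.1.7", "dst": "203.0.113.9", "dport": 443, "proto": "tcp", "action": "allow"},
    {"t": 300.1, "fw": "FirewallB", "src": "10.1.1.7", "dst": "203.0.113.9", "dport": 443, "proto": "tcp", "action": "deny"},
    {"t": 900.0, "fw": "FirewallA", "src": "10.1.1.5", "dst": "203.0.113.9", "dport": 443, "proto": "tcp", "action": "allow"},  # new flow, same tuple
]


def flow_key(rec):
    # Without NAT/PAT the 5-tuple is stable across hops, which is what makes the join
    # possible. Behind a NAT the src (or dst) changes per hop and the key would have to
    # be rebuilt from that firewall's translation log instead.
    return (rec["src"], rec["dst"], rec["dport"], rec["proto"])


def _summarize(key, recs):
    path = list(dict.fromkeys(r["fw"] for r in recs))  # hop order, one entry per firewall
    dropped = next((r["fw"] for r in recs if r["action"] != "allow"), None)
    return {"src": key[0], "dst": key[1], "dport": key[2], "proto": key[3],
            "first_seen": recs[0]["t"], "last_seen": recs[-1]["t"],
            "path": path, "dropped_at": dropped}


def trace_flows(logs, window=5.0):
    """Group records by 5-tuple, start a new flow when the gap between consecutive
    records of the same tuple exceeds `window` seconds, and return one summary per flow."""
    by_key = defaultdict(list)
    for rec in sorted(logs, key=lambda r: r["t"]):
        by_key[flow_key(rec)].append(rec)
    flows = []
    for key, recs in by_key.items():
        current = [recs[0]]
        for rec in recs[1:]:
            if rec["t"] - current[-1]["t"] <= window:
                current.append(rec)
            else:
                flows.append(_summarize(key, current))
                current = [rec]
        flows.append(_summarize(key, current))
    return flows


if __name__ == "__main__":
    for f in trace_flows(LOGS):
        hops = " ---> ".join(f["path"])
        status = f"dropped at {f['dropped_at']}" if f["dropped_at"] else "allowed at every hop seen"
        print(f"{f['src']} ---> {hops} ---> {f['dst']}:{f['dport']}/{f['proto']} ({status})")
```

The window is the part that needs care: a flow seen at only one firewall may have been denied further along, may still be in transit (the delay case the post mentions), or may have taken a path that bypasses the other firewalls, and the time-based split is what keeps a later connection on the same tuple from being stitched onto the earlier one. In SPL the grouping part is a stats over the same four fields after sorting on _time; the split is what has to be added on top.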
Hi, We installed the splunk_TA_onelogin app on Splunk Cloud; however, the setup page keeps failing with the message "The "OneLogin - Setup Page" app has not been fully configured yet.". We verified that the OneLogin credentials work correctly. Question: Does the app work in Splunk Cloud? Should we install it on a heavy forwarder, as there are input.conf and props.conf files inside the TA package? Thanks, FL