All Topics
Hi, I am trying to access Splunk Web. Enabled the web server. Splunkd and the Splunk web server are both running. Configured the web.conf file in the local folder with httpport as 8000, and the port is listening. While trying to access the web interface using the host name, it gives the error "This site can’t be reached". While trying to access it via IP address, I get the error "Network Error (tcp_error) A communication error occurred: "Operation timed out" The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.". Can someone please help me fix this?
Hi, I'm trying to get the Splunk user that is making changes in the KV store. I tried to use a REST call, but the User_Name field returns "undefined". I launch this search from JavaScript:

| inputlookup open_cases | eval Notes=if(_key=\"" + key + "\",\"" + mod_notes + "\",Notes), Status=\"Work-in-progress\" | appendcols [ | rest /services/authentication/current-context | rename username AS User_Name | fields User_Name] | search _key=\"" + key + "\" | outputlookup open_cases append=true | eval key=_key

Can you help me get the right username value? Thanks, Mauro
Hi, I have a button that takes values from Splunk's tokens, launches a search that updates a KV Store and refreshes the page. Is there a method to unset Splunk's tokens after the page refresh? I tried the "tokens.unset("name of the token", null);" command in JavaScript, but this method didn't work for me. I took all the tokens with this command: "var tokens = mvc.Components.get("default");" Thanks, Mauro
I am using the Website Monitoring app https://splunkbase.splunk.com/app/1493/ We need to add a long list of URLs to monitoring. However, we want this list to be dynamically updated from the CMDB database. I am trying to query the list of URLs from our CMDB and can store it in a Splunk index. This list of URLs needs to be added to the Website Monitoring app. I am thinking of writing this list to a file on the HF and then creating a script to read this file and create inputs in Website Monitoring... any ideas please @LukeMurphey
Hello All, I am running Splunk version 7.3.3 and am facing a weird issue: I write a search, which successfully returns all the required values, but when I click the export button in the UI to export the data into a CSV, Splunkd crashes on the search head. It doesn't happen with small-sized reports, but anything over 800 MB becomes a problem, especially when the data is more than 2 months old. PS: We upgraded from 7.1.X to 7.3 around 2 months ago. It used to work without issue in the previous version, but now it is a problem. Any help or suggestions are highly welcome. Thanks!
Hello team, my Splunk Cloud free instance has been locked out. Can you help me reset my password? Thank you.
Hi guys, I'm a very intermittent user of Splunk Enterprise 8. I tend to build dashboards for a team to display on their floor and then walk away for 6 months until a new use case comes up. Recently I had to do a migration of 200 forwarders from an old Splunk 6 instance to a new Splunk 8 one. I spent a huge amount of time checking with sysadmins what the role of various hosts was (i.e. what the actual server's role was: web server, DB server, etc.). So my question is:
- Can the hosts in Splunk be tagged with metadata to describe their function?
Hi Guys, I am configuring Jenkins with a distributed Splunk environment for the first time. I have 3 clusters: Cluster 1 has 3 peers, Cluster 2 has 4 peers, Cluster 3 has 2 peers. All peers are indexers, so basically I have 9 indexers, 1 deployment server and 2 search heads. So I have no idea where I should install the Splunk App for Jenkins: should I install it on a search head, on any indexer, or anywhere else? Please provide me a step-by-step process to configure Jenkins in a distributed Splunk environment. Thanks in advance.
Hi everyone, hope you are all doing well. I have a query I am not able to figure out. I need to show a column chart visualisation in which each bar contains data between two dates. I'll explain it clearly. As you can see in the picture I attached, it shows a timeline visualisation and data between two dates, 6/9/2020-6/23/2020. I want to show it the exact same way on a column chart, so that later, if I add any data between those dates (for example on 6/15/2020 and 6/16/2020, etc.) and overlay it, it should show me a line chart on that column chart. I hope I am clear; if not, please tell me. The query that I used for that timeline graph is:

index=main sourcetype=timeline | rename "beginning_date" as start_date | rename "ending_date" as end_date | eval _time=strptime(start_date, "%m/%d/%Y") | eval end_time=strptime(end_date, "%m/%d/%Y") | eval duration=(end_time - _time) * 1000 | eval duration=IF(duration < 86400000, 0, duration) | stats count by _time, duration, "target" | table _time "target" duration

Most of this query is from the timeline gallery example dashboard in Splunk. I don't think duration works with a column chart to show the 6/9/2020-6/23/2020 format like this. I have two fields:

Beginning_date    Ending_date
6/9/2020          6/23/2020

Like this, and I need to show something like the pic below: It would be really helpful if anyone could help me with this. Thanks.
Hello, I have 2 input fields like:
time_val: 1 (any number) (dropdown)
time_span: Hour/Day/Month (value: [h, d@d, @w0, @m] respectively)
I am trying to append these two fields and apply them to a date column in a dashboard. What I am trying:

eval Time_Diff="-".$time_val$.$time_span$
eval last_seen=relative_time(now(), Time_Diff)

What I want to achieve is similar to the query below:

eval last_seen=relative_time(now(), "-7d@d")

Is there any way to achieve this? Any help will be appreciated. Regards, Souradeep
Hi, I have used the Search_normal.js example that runs a normal search, prints the job statistics and search results. How do I return the search results (instead of logging to the console) so that I can pass the result data into another js file? The code:

    var splunkjs = require('splunk-sdk');
    var Async = splunkjs.Async;

    exports.main = function(opts, callback) {
        opts = opts || {};

        var username = opts.username || "*******";
        var password = opts.password || "********";
        var scheme   = opts.scheme   || "https";
        var host     = opts.host     || "localhost";
        var port     = opts.port     || "8089";
        var version  = opts.version  || "default";

        var service = new splunkjs.Service({
            username: username,
            password: password,
            scheme: scheme,
            host: host,
            port: port,
            version: version
        });

        Async.chain([
                // Login
                function(done) {
                    service.login(done);
                },
                // Perform the search
                function(success, done) {
                    if (!success) {
                        // return so the search is not issued after a failed login
                        return done("Error logging in");
                    }
                    service.search("search index=cog-censor-allow", {}, done);
                },
                // Wait until the job is done
                function(job, done) {
                    job.track({}, function(job) {
                        // Ask the server for the results
                        job.results({}, done);
                    });
                },
                // Print out the statistics and get the results
                function(results, job, done) {
                    // Print out the statistics
                    /*console.log("Job Statistics: ");
                    console.log("  Event Count: " + job.properties().eventCount);
                    console.log("  Disk Usage: " + job.properties().diskUsage + " bytes");
                    console.log("  Priority: " + job.properties().priority);*/

                    // Find the index of the fields we want
                    var rawIndex        = results.fields.indexOf("_raw");
                    var sourcetypeIndex = results.fields.indexOf("sourcetype");
                    var userIndex       = results.fields.indexOf("user");

                    // Print out each result and the key-value pairs we want
                    console.log("Results: ");
                    for (var i = 0; i < results.rows.length; i++) {
                        console.log("  Result " + i + ": ");
                        console.log("    sourcetype: " + results.rows[i][sourcetypeIndex]);
                        console.log("    user: " + results.rows[i][userIndex]);
                        console.log("    _raw: " + results.rows[i][rawIndex]);
                    }

                    job.cancel(done);
                }
            ],
            function(err) {
                callback(err);
            }
        );
    };

    if (module === require.main) {
        exports.main({}, function() {});
    }

My example code is located in the /splunk-sdk-javascript/examples/node directory. https://dev.splunk.com/enterprise/docs/javascript/sdk-javascript/sdkjavascriptexamples/cmdlinedkjavascript
Hi All, I need the best solution for plotting a graph for the daily alerts/tickets I am receiving. The query I am using is below. Also, the search is for the last 30 days.

index=itsm | eval Time=strftime(_time,"%b-%d") | sort - Time | stats count by USER Time | xyseries Time USER count | fillnull value=0

The output I am getting is:

Time    USER
1-Jun   132
2-Jun   260
3-Jun   153
4-Jun   72
5-Jun   147
6-Jun   228
7-Jun   122
8-Jun   195
9-Jun   210
10-Jun  114
11-Jun  148
12-Jun  168
13-Jun  119
14-Jun  299
15-Jun  58
16-May  159
17-May  215
18-May  195
19-May  305
20-May  220
21-May  219
22-May  160
23-May  198
24-May  73
25-May  126
26-May  308
27-May  271
28-May  109
29-May  124
30-May  144
31-May  103

My graph looks like: I am unable to sort it in monthly order; I tried a different way, but I am not getting June after May. If there is another graph type that looks better, please also suggest it. Please help me with this.
Hi All - This is my first time looking at and using workload management in Splunk Cloud. I am having trouble making my rule work for moving a search to an alternate pool or placing a search into another pool. The rule I created is not working and I do not know why. I have the sc_admin role on our Splunk Cloud instance, and the sc_admin role has these capabilities: list_workload_pools, list_workload_rules, edit_workload_rules and select_workload_pools. Can you please help me with the issue? Thank you in advance!
index=spb_uip_qa_automation splunkAutomationTag="Client_ReleaseChecklist_Staging_Platform_Desktop_Chrome_9.15.0.1568_360" | table guid startTime endTime

guid                                  startTime               endTime
73ad9706-53e3-4dbb-b8f4-89c7e2d773de  2020-06-14T11:48:34.13  2020-06-14T11:49:47.183

index=spb_uip_qa_automation guid IN ("73ad9706-53e3-4dbb-b8f4-89c7e2d773de", "be736d15-d463-4e28-b75c-09e44f7e2177") | eval Status=case(testResult == 0, "Pass", testResult == 1, "Fail", testResult == 2, "Inconclusive") | table guid testName Status | where isnotnull(testName) AND isnotnull(Status)

guid                                  testName                                  Status
73ad9706-53e3-4dbb-b8f4-89c7e2d773de  UkLoadAndCompleteRegistrationDesktopTest  Inconclusive
73ad9706-53e3-4dbb-b8f4-89c7e2d773de  UkResponsibleGamingTest                   Fail
73ad9706-53e3-4dbb-b8f4-89c7e2d773de  MaltaRegistrationDesktopTest              Inconclusive
73ad9706-53e3-4dbb-b8f4-89c7e2d773de  BelgiumRegistrationDesktopTest            Inconclusive
73ad9706-53e3-4dbb-b8f4-89c7e2d773de  MexicoResponsibleGamingDesktopTest        Fail
73ad9706-53e3-4dbb-b8f4-89c7e2d773de  MexicoLoadBankingDesktopTest              Inconclusive
73ad9706-53e3-4dbb-b8f4-89c7e2d773de  MexicoRegistrationDesktopTest             Fail
73ad9706-53e3-4dbb-b8f4-89c7e2d773de  SpainRegistrationDesktopTest              Fail
73ad9706-53e3-4dbb-b8f4-89c7e2d773de  NoindexAttributeTest                      Pass
73ad9706-53e3-4dbb-b8f4-89c7e2d773de  BelgiumSportsToCasinoDesktopTest          Inconclusive
73ad9706-53e3-4dbb-b8f4-89c7e2d773de  UkLoadBankingTest                         Inconclusive

I want the final result to be like below:

guid                                  startTime               endTime                  totalTestPassed  totalTestFailed  totalTestInconclusive
73ad9706-53e3-4dbb-b8f4-89c7e2d773de  2020-06-14T11:48:34.13  2020-06-14T11:49:47.183  1                4                6

As I am a beginner with Splunk and I am really struggling a lot to get this table right to create charts for Pass & Fail % and runtime graphs, please kindly help me.
I am using the below query:

index=rxc sourcetype="rxcapp" type=ERROR [| inputlookup abc.csv | rename id as i_d | fields i_d] | stats count by i_d type description

Now the question is: I have abc.csv, which has the columns id and name; for one name there are many unique ids available. In my logs, only the id is logged, as i_d, so I have used the above query, but I want to get the count by name instead of id from my logs, and name is not logged. Is there any way I can do that?
Hello Experts, I understand we can use "frozenTimePeriodInSecs" to move the data to a frozen state, and the data becomes unsearchable once that happens. We have a requirement that the data remains searchable indefinitely. Moving data to an unsearchable state takes place on a regular basis, but only after receiving approval from a set of people, and we can't set a certain retention period on our indexes. Is it possible to set something like "indefinite" or "infinite" for frozenTimePeriodInSecs?
I have created a dashboard using JS and CSS, but the dashboard is not working as designed. That dashboard has multiple tabs and subtabs, but when I refresh the dashboard it executes the subtabs by default. It should look like this, but when I refresh it:
Hi All, I have the query below that needs to be modified for a substring matching condition. Splunk query:

sourcetype=source1 id1="*" OR sourcetype=source2 id2="*" OR sourcetype=source3 id3="*" | eval Id=coalesce(id1,id2,id3) | stats count by Id sourcetype | xyseries Id sourcetype count | fillnull value="Not exists" source1 source2 source3 | table source1 source2 source3

when
id1=F80C05F3-19AF-40D3-AC73-19544E928D21
id2=XOP-F80C05F3-19AF-40D3-AC73-19544E928D21
id3=ABC-F80C05F3-19AF-40D3-AC73-19544E928D21

The query above needs to be modified for substring matching, based on id1 existing in id2 or id3, and it needs to return the results. How can this query be modified?
Good day Everyone: Where should we start with ES Splunk... Thank you, JT