Trying to set up a script to add users to an AD group. I got the script working on my computer, but when I try to add it into Splunk in the script folder the imports aren't working.

  file test.py line 21, in <module>
    import pandas as pd
  ImportError: No module named pandas

I keep getting this error, and others for different modules, but the modules are installed. Same with ldap3:

  Requirement already satisfied: pandas in /usr/local/lib64/python3.6/site-packages
  Requirement already satisfied: numpy>=1.13.3 in /usr/local/lib64/python3.6/site-packages (from pandas)
  Requirement already satisfied: ldap3 in /usr/local/lib/python3.6/site-packages
  Requirement already satisfied: pyasn1>=0.1.8 in /usr/local/lib/python3.6/site-packages (from ldap3)
Hello Splunk Team, I have a question about appendcols. When I try to use two indexes to compare some information, I get the information in different orders, not in the same order, so I cannot compare the values.

SEARCH

  index="inlooxtt" StatusName!=Paused StatusName!=Completed StatusName!=Cancelled PerformedByName!=Donado*
  | eval Horas=(DurationMinutes/60)
  | stats dedup_splitvals=true sum(Horas) as Tiempo by ProjectName
  | eval Tiempo=round(Tiempo,2)
  | rename Tiempo as Tiempo
  | sort ProjectName
  | appendcols
      [search index="inlooxtasks" ProjectStatusName!=Paused ProjectStatusName!=Completed ProjectStatusName!=Cancelled ContactDisplayName!=Donado* ContactDisplayName!="null"
      | eval Horas2=(WorkAmount)
      | stats dedup_splitvals=true sum(Horas2) as Tiempo2 by ProjectName
      | rename ProjectName as Proyecto2
      | eval Tiempo2=round(Tiempo2,2)
      | sort Proyecto2]

How can I solve my problem? I will show what happens. I want to have all my data in order to do an exact data comparison. Thanks all!!
How to add a + button for log details? If the user selects the + button, the log tab with details will open and display as per the screenshot. Need to add two conditions here: 1. If the user selects the + button it will expand. 2. If the user selects the - button it will hide the log details.

  index=test1 sourcetype=app1 | table ID Request CD SMSL Date status

I don't have permission to add a JS file, so I am looking for a solution in XML/HTML/CSS.
Hi, we recently installed the Splunk add-on for WebSphere (source type "ibm:was:serverIndex") for WebSphere logs. When manually adding a log file using the Add Data option, Splunk picks up and sets the sourcetype automatically and extracts all the fields. See [1]. But when configuring inputs.conf using the same source types, it fails to extract the fields. See [2]. Please advise on what should be done to auto-extract all the fields.

[1] sourcetype ibm:was:systemOutLog
  Event
    eventtype     ibm_was_errors
    wasClassName  com.ibm.ws.webcontainer.internal.WebContainer
    wasEventLogType E
    wasMessage    A WebGroup/Virtual Host to handle / has not been defined.
    wasMessageID  SRVE0255E
    wasMethodName handleRequest
    wasShortName  WebContainer
    wasThreadID   00013588
    was_host      dw07apl43

[2] sourcetype ibm:was:systemOutLog
  Event
    appserver  server89-2
    profile    WASFNINT
    was_host   dw21apl89
Hi, I am in need of assistance with trimming down the Windows Security Event 4624, as it is blowing out our licensing. It is working in my dev environment, but not on my prod clustered peers (v7.3.3). I have verified that the app is making it to the cluster apps. For testing, I am using the following props and transforms:

props.conf

  [WinEventLog:Security]
  TRANSFORMS-winsec_events_manipulation = replace_4624
  EXTRACT-winsec_4624_custom_fields = ^Trimmed Event EventCode=(?<EventCode>4624)

transforms.conf

  [replace_4624]
  REGEX = (?ms)EventCode=(4624)
  DEST_KEY = _raw
  FORMAT = Trimmed Event EventCode=$1

Any assistance is appreciated. ~John
Please let me know how to troubleshoot these issues.
Where in the logs for the Microsoft Azure Add-on for Splunk 2.1.0 would we see that the add-on is done with the batch and iterations and is sending the data to the indexers?

  index=_internal sourcetype="ta:ms:aad:log" host=heavy_forwarder source="/opt/splunk/var/log/splunk/ta_ms_aad_azure_event_hub.log"

The configuration is currently set to debug, so we see all the logs, lots of parse and discard messages.
I have 2 saved searches (non-transforming) on my dashboard, and those are set to run every morning, collecting data for the last 7 days. I have a global time picker on my dashboard, and I was under the assumption that any time range (e.g. last 2 days) within the time range of the saved search (last 7 days) would yield results, but it looks like I always get back the data for the last 7 days.

  <form>
    <label>Test1</label>
    <search id="query1" ref="query_01">
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <search id="query2" ref="query_02">
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <fieldset submitButton="false" autoRun="true">
      <input type="time" token="time_token" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-7d@d</earliest>
          <latest>@d</latest>
        </default>
      </input>
    </fieldset>
    <row>
      <panel>
        <chart>
          <title>Count by Resource</title>
          <search base="query2">
            <query>| timechart count by timerName limit=0 | fields - NULL</query>
          </search>
          <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
          <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
          <option name="charting.axisTitleX.text">Day</option>
          <option name="charting.axisTitleX.visibility">visible</option>
          <option name="charting.axisTitleY.visibility">visible</option>
          <option name="charting.axisTitleY2.visibility">visible</option>
          <option name="charting.axisX.abbreviation">none</option>
          <option name="charting.axisX.scale">linear</option>
          <option name="charting.axisY.abbreviation">none</option>
          <option name="charting.axisY.scale">linear</option>
          <option name="charting.axisY2.abbreviation">none</option>
          <option name="charting.axisY2.enabled">0</option>
          <option name="charting.axisY2.scale">inherit</option>
          <option name="charting.chart">column</option>
          <option name="charting.chart.bubbleMaximumSize">50</option>
          <option name="charting.chart.bubbleMinimumSize">10</option>
          <option name="charting.chart.bubbleSizeBy">area</option>
          <option name="charting.chart.nullValueMode">gaps</option>
          <option name="charting.chart.showDataLabels">none</option>
          <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
          <option name="charting.chart.stackMode">stacked</option>
          <option name="charting.chart.style">shiny</option>
          <option name="charting.drilldown">none</option>
          <option name="charting.layout.splitSeries">0</option>
          <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
          <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
          <option name="charting.legend.mode">standard</option>
          <option name="charting.legend.placement">right</option>
          <option name="charting.lineWidth">2</option>
          <option name="height">319</option>
          <option name="refresh.display">progressbar</option>
          <option name="trellis.enabled">0</option>
          <option name="trellis.scales.shared">1</option>
          <option name="trellis.size">medium</option>
        </chart>
      </panel>
      <panel>
        <single>
          <title>Count</title>
          <search base="query2">
            <query>| search "x=null" | stats count</query>
          </search>
          <option name="colorBy">value</option>
          <option name="colorMode">none</option>
          <option name="drilldown">all</option>
          <option name="numberPrecision">0</option>
          <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
          <option name="rangeValues">[0,30,70,100]</option>
          <option name="refresh.display">progressbar</option>
          <option name="showSparkline">1</option>
          <option name="showTrendIndicator">1</option>
          <option name="trellis.enabled">0</option>
          <option name="trellis.scales.shared">1</option>
          <option name="trellis.size">medium</option>
          <option name="trendColorInterpretation">standard</option>
          <option name="trendDisplayMode">absolute</option>
          <option name="unitPosition">after</option>
          <option name="useColors">0</option>
          <option name="useThousandSeparators">1</option>
        </single>
      </panel>
    </row>
  </form>

I'm not sure what I'm doing wrong; any help is appreciated. Thanks!
Hi, our team, which actually runs installations of Splunk Universal Forwarder on Linux servers, found an issue with Splunk UF version 8.0.3. Unlike Splunk UF 7.1.5 (which we have been installing previously), this new version wants to create another directory called "/opt/splunk". This is alongside the directory installers are already familiar with on clients, named "/opt/splunkforwarder".

1) Has anybody come across the same issue? What causes /opt/splunk to be created during Splunk Universal Forwarder installation?
2) How to prevent Splunk UF 8.0.3 from creating the /opt/splunk directory?

UPDATE: We found our issue: accidentally the wrong executable file was used, splunk-8.0.3*.tgz instead of splunkforwarder-8.0.3*.tgz.
I keep getting messages that metrics values are indexing as a string: Search peer ip-truncated.us-gov-west-1.compute.internal has the following message: The metric value=70182.320 provided for source=/opt/splunk/var/log/introspection/resource_usage.log, sourcetype=splunk_intro_resource_usage, host=ip-truncated.us-gov-west-1.compute.internal, bucket=/opt/splunk/var/lib/splunk/_metrics/db/219_8E3A1CE4-B758-4960-B23D-96FBAD796ADB is not a floating point value. Using a "numeric" type rather than a "string" type is recommended to avoid indexing inefficiencies. Ensure the metric value is provided as a floating point number and not as a string. For instance, provide 123.001 rather than "123.001". I can't seem to find where I would fix this issue. 
I am facing issues while configuring the Smart PDF Exporter app. Though I have provided the settings correctly during the setup option, it keeps throwing the error "Please finish setting up the smart export application (restart may be required)". I have provided the user credentials with the capability can_schedulepdf, the email server, and the PhantomJS installation path.
Hello, UPDATED. Does anyone have any ideas? Thank you. Here is my search; time range is All time.

  index=d* host=n3* source="/opt/d.properties"
  | diff
  | rex max_match=0 field=_raw "(?<=[\n\r])\+(?<activated>(\#.*)|.*)"
  | rex max_match=0 field=_raw "(?<=[\n\r])\-(?<inactivated>(\#.*)|.*)"
  | table _time, activated, inactivated

The results are exactly what I am looking for.

  2020-06-10 07:24:43   #appinit.url.business=/DAY/tempdown.jsp   appinit.url.override=/DAY/emergencyPage

# means the tempdown.jsp was commented out (inactivated). No # means emergencyPage was activated. However, when the search code is added to a new dashboard panel, the results are not the same. Here is the XML code. Either they are the earliest events, or no results at all.

  <search>
    <query>index=d* host=n3* source="/opt/d.properties" | diff | rex max_match=0 field=_raw "(?&lt;=[\n\r])\+(?&lt;activated&gt;(\#.*)|.*)" | rex max_match=0 field=_raw "(?&lt;=[\n\r])\-(?&lt;inactivated&gt;(\#.*)|.*)" | table _time, activated, inactivated</query>
    <earliest>0</earliest>
    <latest></latest>
    <sampleRatio>1</sampleRatio>
  </search>

Why would the SPL run in the Search app give different results than the same SPL run in a dashboard panel? Stay safe and healthy, you and yours. Thanks and God bless, Genesius
Hi there, I'm new to Splunk, but I've been making some progress. I'm trying to compare traffic going from one zone to another zone, and to filter out expected traffic. For example, I have the hosts Dr Pepper, Pepsi, coke, sprite, and I need to see if they're talking to each other when they shouldn't be. These all have various hosts that could be something like "pepsi-public-dmz" or "test_drpepper_internet_transit". However, a few of them could also contain 2 of the variables, such as "coke-combo-pepsi". I need to determine a way of searching the variable strings and comparing the values found against any values found in the other string. I've managed to do this by using case and like to determine if a string has the word in there, then comparing it to the src_zone using the code below:

  | eval dest_test=case(like(dest_zone,"%coke%"),"coke", like(dest_zone,"%pepsi%"),"pepsi", like(dest_zone,"%pepper%"),"pepper", like(dest_zone,"%sprite%"),"sprite", 1<2,"Not found1")
  | eval src_test=case(like(src_zone,"%coke%"),"coke", like(src_zone,"%pepsi%"),"pepsi", like(src_zone,"%pepper%"),"pepper", like(src_zone,"%sprite%"),"sprite", 1<2,"Not found2")
  | eval outcome=if(src_test==dest_test,"match","no match")
  | eval concat_z2z=if(outcome=="no match", (dest_zone . " : " . src_zone), "Expected")
  | where concat_z2z!="Expected"
  | table concat_z2z

This provides a list of all traffic that is not going from something marked "pepsi" to another host marked "pepsi", but as it searches in order with case, it doesn't find when something has 2 of the keywords in it. If I was using Python I'd do a for/while loop to look through all the variables of the keywords, but I cannot figure it out for the life of me here. The final bit: this isn't exactly scalable either, as you'd have to edit the list each time a new host provider was added. Help? PS. I realize the code is messy; as I said, I'm still new to this.
I have a dashboard which contains several panels displaying KPIs; those returning no results sometimes show the message "No results found". Example of my initial search:

  | makeresults
  | timechart span=1d sum(count) as count
  | eval count=0
  | append [search index="alert" source="alert*" insight="User alert" | lookup account_ids account_id OUTPUT title platform | rename title as account | search platform="*" account="*"]
  | timechart span=1d sum(count) as count

The result is "No results found." I found the start of a solution via a support response to this question: answers.splunk.com/answers/582253/replacing-no-results-found-with-0.html

I applied the solution explained there to my search:

  | makeresults
  | timechart span=1d sum(count) as count
  | eval count=0
  | append [search index="alert" source="alert*" insight="User alert" | lookup account_ids account_id OUTPUT title platform | rename title as account | search platform="*" account="*"]
  | timechart span=1d sum(count) as count
  | appendpipe [stats count | where count = 0]

The new result is now a table with a count column and a result of 0, instead of a 0 for each of the 7 days (timechart). However, I use a timechart in my request, and when I apply | appendpipe [stats count | where count = 0] at the end of the request, this only returns the count without the timechart span over 7d. In an example which works well, I have the result with the timechart over 7d and I can show the trend on my visualization, and that's not possible with the search above. How can I fix the timechart after the appendpipe?
I want to set or pass a value to the token after clicking on an image in an HTML panel. Here is my panel code:

  <form script="my.js">
    <row>
      <panel>
        <html>
          <a id="mydivId">
            <img src="/static/app/My_app/bck_city.png"/>
          </a>
        </html>
      </panel>
    </row>
  </form>

And after clicking on the image in the above panel, the below token should be set with a value (I want to set token="mytoken" with some value after clicking on the image above):

  <row>
    <panel>
      <title>mypanel</title>
      <event>
        <search>
          <query>|makeresults |eval result=$mytoken$ |table result</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>

I also tried setting the token value by .js:

  require([
      'underscore',
      'jquery',
      'splunkjs/mvc',
      'splunkjs/mvc/utils',
      'splunkjs/mvc/tokenutils',
      'splunkjs/mvc/simplexml/ready!'
  ], function (_, $, mvc, utils, TokenUtils) {
      // callback parameters must follow the order of the required modules,
      // otherwise "$" is underscore and "mvc" is undefined
      $(document).ready(function () {
          $("#mydivId").on("click", function () {
              // set the token on both the default and the submitted models
              // so that panels depending on $mytoken$ pick it up
              var defaultTokens = mvc.Components.get("default");
              var submittedTokens = mvc.Components.get("submitted");
              defaultTokens.set("mytoken", "cheese");
              if (submittedTokens) {
                  submittedTokens.set("mytoken", "cheese");
              }
          });
      });
  });
All searches appear to be limited to 1000 results in the UI. Can this be modified in a configuration setting somewhere? Screenshot of message indicating that the limit is 1000 has been attached.
Are there any recommended strategies for moving the index data to a new data center? We're planning to build up a new Splunk cluster (indexers, search heads, master, license master) in a new data center. We want to migrate the existing index data. The most straightforward solution would probably be:

  1. shut down the old cluster
  2. copy the indexer data
  3. start the new cluster

However, we have something like 4-5 TB of index data, so that would take a really long amount of (down) time. Are there better solutions? I was thinking about extending the existing indexer cluster to the new DC and increasing the replication factor so that it's guaranteed that one of the indexers in the new DC must have the data. Then, when everything is synced, shut down the old indexers, disconnect the new indexers from the old master, and connect them to the new master. Done. Has anyone had experience with such a scenario? Or any other proposed solutions?
Hi, I could see that a few of our Splunk search head servers are affected by the 2 vulnerabilities below. Can someone kindly let me know what remediation steps have to be taken to fix them?

1. Host is Vulnerable to Extended Master Secret TLS Extension (TLS triple handshake)
2. CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADE TLSv1.1 SUPPORTS CIPHERS WITH NO AUTHENTICATION
I want to do a specific string search, say "mary had a little lamb", and have it return the results including the 5 lines before and the 5 lines after. I have seen some (too complex to believe) results here, but all nearly 10 years old. Is there a more recent, simpler way to do this? It is a simple switch in grep. Thanks
Hi. I have a task to extract all fields from raw logs used by our alerts, and I wonder if there is an automated way to do it, or whether I have to go manually through each alert to check what fields are used. All help is really appreciated.