Hello, we receive data using _TCP_ROUTING from forwarders belonging to another team that uses another Splunk cluster. We don't use the same indexes. Instead of routing data based on source or host as we receive it on our indexers, is it possible to route data from one index (specified in their inputs.conf) to our own index? Especially, what would the props.conf stanza be? Thanks.
After disabling the Splunk readiness app due to a vulnerability recommendation, I restarted my search head which had the KV store. Once I restarted, splunkd started with no error but the search head web interface will not come back on. Apart from the app change, nothing else has changed. Any recommendations on how to address this? search peer XXXXX has the following message: KV store changed status to failed. An error occurred during the last operation (‘getServerVersion’, domain ‘15’ code ‘13053’) No suitable servers found (ServerSeectionTryOnce Set) connection closed calling ismaster on XXXXX:8191 Thank you
I have 3 separate queries. I need to run them one after the other.
1. The first query returns a field from each event that matches the search, say eventId.
2. I need to make another query to identify events which have this eventId in the event, not in a specific field. There will be zero or one row returned in this case. I want to read a field on that event, say "traceId".
3. Now I need to make a 3rd query using that returned traceId. There will be only one event. With the result returned, I need to fetch the "fileName" from that matched event. This fileName is the final result that I need.
Any guidelines / example to do this? Known issue: on search 2, eventId from search 1 is not searchable as a field; rather it should be searched in the _raw events as such. I tried a sub-search, but it always results in an OR statement on a field. But I don't have such a field on the _raw event for search 2. Apologies if I sounded confusing.
(Hard sometimes to think of a good salutation that isn't boring or awkward, so fill in what you like here.) I accidentally deleted some of the data sets in my TA data model. I have a back-up from the original app but want to know if there is a quick and easy way to restore these. It would also be a useful exercise to go over how the DM and its related data are stored in Splunk (from the backend perspective, not where to look for it in the GUI). Thanks beforehand for any help/guidance.
I extracted 2 fields called 'Resp_time' and 'Req_time'. Both these fields are integers. I also changed the values to epoch. How do I display the difference between Resp_time and Req_time?
Hi, I have an alert that triggers when an employee opens a file. This alert runs every 30 minutes so we can see these alerts fast. When employee1 opens file1 we see the alert, and we throttle based on the field "employee", because if we don't throttle then this alert keeps repeating every 30 minutes. The problem is now that when employee1 opens file2, file3, or file4 we do not see this anymore since we have a throttle on employee. Is there a way to throttle on a combination of employee and file so that when employee1 opens file1 we get an alert, when he opens file2 we get a different alert, but we don't keep seeing the same alerts repeating every 30 minutes?
Hi All, I am getting the logs from this query, but I need a query to get the deviation of the error count between two time periods: index="prod_k8s_onprem_dii--prod1" "k8s.namespace.name"="abc-secure-dig-servi-prod1" "k8s.container.name"="abc-cdf-cust-profile". For this I need to consider the volume of logs as well. Depending on the deviation percentage I will decide whether to promote the deployment or stop the deployment.
I have a number of events in 2 categories (CAT A and CAT B). There are successful events and failed events with different RESULT values. I need to calculate the error percentage of a specific failed event (RESULT = 404) that occurs only in CAT B. I need to exclude CAT A from the calculation. Then the final result should be: ( count(RESULT = 404) / count(CAT B) * 100 ), plotted for every 5 minutes. Please suggest.
We recently added a TOS to our deployment. We have smart card auth enabled as well. When both are enabled at the same time and we select "OK" to agree to the terms, nothing happens; prior to getting to the TOS screen we have already authenticated using the smart card. If we disable smart card auth and just allow UN/PW sign-in, we are able to accept the terms and continue on our merry way. If we disable the TOS and just have smart card auth enabled, we are allowed to continue. What is (or is not) happening such that we can't have both enabled simultaneously?
Hi All, Data is not getting indexed after adding the conf
After rebuilding the Docker image of DBConnect, it requires a restart of the container in order to start showing data flowing. Is there something I'm missing that is making me need to restart the app for it to work properly?
Hello Splunkers, I've created a custom role with very basic capabilities enabled. The capability "edit_own_objects" has been disabled. For some reason the user is able to clone reports as well as save searches as reports. Also the user is able to access the "New Report" button when clicking Settings->Searches, Reports, Alerts. I thought disabling the edit_own_objects capability would prevent the user from creating any objects, but that is not the case. I've made sure the user only has read access to the app as well. Any help or suggestions would be appreciated! Thanks!
My target is not only to show proper percentiles but also to count the elements in every percentile. So the first step I did is:

index="oap" | stats perc25(tt) as P25, perc50(tt) as P50, perc75(tt) as P75 by oper

It gives me the expected values for each percentile; the first part is ready. Then I figured out something like:

| where tt>P75 | stats values(P75) count by oper

It adds an additional column but only with data from one (the 75th) percentile. But how do I prepare a query which returns the count for each percentile?
Hey all, I am taking input over TCP by having this in my inputs.conf:

[tcp://1.2.3.4:123]
connection_host = ip
index = index1
sourcetype = access_combined

My question is, can I have the same port send data to multiple indexes? I.e. without opening additional ports on my firewall, can I have another host send data to the same port but land in a different index? I tried adding this:

[tcp://5.6.7.8:123]
connection_host = ip
index = index2
sourcetype = access_combined

but that just stopped the ingestion altogether. Thanks.
Hi Team, our Splunk environment, including Search Heads, Indexers, and CM, is hosted in the cloud and managed by Splunk Support. We manage our Deployment Master and Heavy Forwarder servers, which are hosted in Azure. We are ingesting logs from both Windows and Linux servers via the Splunk Universal Forwarder. For some time, we have been ingesting IIS logs from all Windows machines, defining the sourcetype based on the application and environment. For instance, logs from an application server named "xyz" have a sourcetype of "xyz:iis:prod". However, our internal SOC team has identified that data parsing for these IIS logs is not occurring, and it needs to be addressed immediately without changing the host or sourcetype information. Currently, when the sourcetype is set to "iis", fields are auto-extracted, but when a different sourcetype is used, field extraction does not happen. I need to ensure that field extraction for Microsoft IIS logs works correctly while keeping the sourcetype unchanged. How can this be achieved?
Error while connecting AWS lambda with SignalFX
Hi, everybody! I am an iOS engineer. We have been using AppD recently, but there are some things that I am very confused about, so I am posting this feedback and hope someone can help answer it. As shown in the picture above, see the red frame in the upper right corner of the picture. https://docs.appdynamics.com/appd/4.5.x/en/end-user-monitoring/mobile-real-user-monitoring/overview-of-the-controller-ui-for-mobile-rum/mobile-sessions#MobileSessions-SessionTimeline My questions are as follows:
1. What does "49 of 54 Sessions for this Agent" mean here?
2. When I click the arrows before and after the red frame text, the page can be switched to view different logs, so how are the contents of the current page and the next page divided? What does the log of the current page represent?
3. How is the cycle of a session calculated? I don't see the code for the relevant session in the code.
4. What does a session mean? How is it divided?
Hope someone can answer this. Many thanks. Best regards.
Hello, I'm so pleased to find this burgeoning community of professionals here. Please, I can't do any search whatsoever in my Splunk installation. It is installed locally on a Windows 11 machine and after a lot of trial and error I had to install it again on a second machine, and yet the same is the case. I can search from a pre-constructed query if I select it from there, but I can't type a thing myself into the search head. Please, I need your help.
Hello. When creating a sourcetype from Splunk Web, the CHARSET field lets you declare various character encodings, but I understand that for the Shift-JIS encoding alone there are several variants available, such as SHIFT-JIS and SJIS. Can anyone explain the differences between these?
Hi, I have installed the "ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise" app and configured it using Basic Auth. When I try to send an event I get the error: command="snsecingest", Unable to forward notable event. After putting some logging in the Python I can see the error behind that is {"error":{"message":"Requested URI does not represent any resource","detail":null},"status":"failure"} Even a simple curl straight to the endpoint fails with the same error. Does anyone know if this endpoint (supplied with the app) might have changed, or does it need to be created for each domain? The endpoint I have is: https://XXXXXXdev.service-now.com/api/sn_sec_splunk_v2/event_ingestion Any suggestions would be appreciated. Thanks