Are there any prerequisites for installing the Splunk Common Information Model (CIM) add-on? How can I verify that it is installed? Should I make configuration-related changes and restart Splunk after installing CIM?
Hi, It would be really helpful if someone could help me resolve the problem below. We have written a modal popup that opens when any row in the table is clicked. It is working as expected, but we are faci... See more...
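Hi, It would be really helpful if someone could help me resolve the problem below. We have written a modal popup that opens when any row in the table is clicked. It is working as expected, but we are facing the following problem: clicking a row the first time works, but clicking the same row a second time does not trigger the modal popup again. Below are the JavaScript and XML. JavaScript:
require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/chartview',
    'splunkjs/mvc/simplexml/ready!'
], function (_, $, mvc, TableView, ChartView) {
    var tokens = mvc.Components.get("default");

    // One rendered view per modal index (1..6). Re-opening a modal disposes the
    // previous view first; the original created a fresh ChartView/TableView on
    // every click and rendered each one into the same #modalChart<i> element.
    var modalViews = {};

    // Remove and forget the view currently bound to modal `i`, if there is one.
    function disposeView(i) {
        if (modalViews[i]) {
            modalViews[i].remove();
            delete modalViews[i];
        }
    }

    // Open modal `i` and render a chart of `chartType` driven by the search
    // manager whose id is `searchId`.
    function displayChart(i, searchId, chartType) {
        disposeView(i);
        $('#modalPanel' + i).modal();
        var epoch = (new Date).getTime();
        modalViews[i] = new ChartView({
            id: "chart" + epoch, // epoch keeps view ids unique across re-opens
            type: chartType,
            drilldown: "none",
            managerid: searchId,
            el: $("#modalChart" + i)
        });
        modalViews[i].render();
    }

    // Open modal `i` and render a table driven by the search manager `searchId`.
    function displayTable(i, searchId) {
        disposeView(i);
        $('#modalPanel' + i).modal();
        var epoch = (new Date).getTime();
        modalViews[i] = new TableView({
            // The original used `count` here, which is never declared, so
            // displayTable threw a ReferenceError before rendering anything.
            id: "table" + epoch,
            pageSize: "10",
            drilldown: "none",
            managerid: searchId,
            el: $("#modalChart" + i)
        });
        modalViews[i].render();
    }

    // Choose the search and view kind for modal `i`. The first search manager
    // found in this order wins; if none of the chart searches exist, fall back
    // to a table on modalTableChartSearch<i>, then on modalSearch<i>.
    function displayModal(i) {
        var chartKinds = [
            ["modalAreaChartSearch", "area"],
            ["modalBarChartSearch", "bar"],
            ["modalColumnChartSearch", "column"],
            ["modalLineChartSearch", "line"]
        ];
        for (var k = 0; k < chartKinds.length; k++) {
            var chartSearchId = chartKinds[k][0] + i;
            if (mvc.Components.get(chartSearchId) !== undefined) {
                displayChart(i, chartSearchId, chartKinds[k][1]);
                return;
            }
        }
        if (mvc.Components.get("modalTableChartSearch" + i) !== undefined) {
            displayTable(i, "modalTableChartSearch" + i);
        } else {
            displayTable(i, "modalSearch" + i);
        }
    }

    // Wire modal `i` to token modalToken<i>.
    //
    // Why the second click on the same row did nothing: the token model only
    // emits "change:<token>" when the value actually changes, and the drilldown
    // sets the token to the value it already holds. Clearing the token once the
    // modal closes makes the next click a real change again. The unset happens
    // on close rather than right after display because the modal searches
    // (e.g. modalAreaChartSearch1) read $modalToken<i>$ and would lose their
    // input while the modal is still open.
    function bindModalToken(i) {
        var tokenName = "modalToken" + i;
        tokens.on("change:" + tokenName, function (model, value) {
            if (value === undefined || value === null) {
                return; // our own unset below, or an explicit clear: nothing to show
            }
            displayModal(i);
        });
        // Bootstrap 2 fires "hidden", Bootstrap 3+ fires "hidden.bs.modal"; a
        // handler bound to the un-namespaced type matches both in jQuery.
        // Assumes the <html> panel holding #modalPanel<i> is already in the DOM
        // when simplexml/ready! resolves.
        $('#modalPanel' + i).on('hidden', function () {
            tokens.unset(tokenName);
        });
    }

    // NOTE(review): the token values come straight from row data
    // ($row.sourcetype$, $row.source$) and are spliced into SPL as
    // sourcetype=$modalToken1$ in the dashboard XML. A value containing spaces
    // or search operators will break or alter the modal search; the |s token
    // filter ($modalToken1|s$) in the <query> quotes the value for SPL.
    for (var i = 1; i <= 6; i++) {
        bindModalToken(i);
    }
});
XML: <dashboard script="modalchart.js"> <label>Modal Popup</label> <search id="modalAreaChartSearch1"> <query> index=_internal sourcetype=$modalToken1$ | timechart count by sourcetype </query> <earliest>-24h</earliest> <latest>now</latest> </search> <search id="modalLineChartSearch2"> <query> index=_internal source=$modalToken2$ | timechart count by sourcetype </query> <earliest>-24h</earliest> <latest>now</latest> </search> <search id="modalTableChartSearch3"> <query> index=_internal sourcetype=$modalToken3$ | timechart span=1h count </query> <earliest>-24h</earliest> <latest>now</latest> </search> <row> <panel> <table> <title>$modalToken1$</title> <search> <query>index=_internal | dedup sourcetype | table index sourcetype source</query> <earliest>-15m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="drilldown">row</option> <option name="refresh.display">progressbar</option> <drilldown> <set token="modalToken1">$row.sourcetype$</set> </drilldown> </table> </panel> <panel> <table> <title>$modalToken2$</title> <search> <query>index=_internal | dedup sourcetype | table index sourcetype source</query> 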
<earliest>-15m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="drilldown">row</option> <option name="refresh.display">progressbar</option> <drilldown> <set token="modalToken2">$row.source$</set> </drilldown> </table> </panel> </row> <row> <panel> <table> <title>$modalToken3$</title> <search> <query>index=_internal | dedup sourcetype | table index sourcetype source</query> <earliest>-15m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="drilldown">row</option> <option name="refresh.display">progressbar</option> <drilldown> <set token="modalToken3">$row.sourcetype$</set> </drilldown> </table> </panel> </row> <row> <panel> <html> <div class="modal fade" id="modalPanel1" tabindex="-1" role="dialog" aria-labelledby="modalLabel1" aria-hidden="true"> <div class="modal-dialog modal-lg" role="document"> <div class="modal-content"> <div class="modal-header"> <h5 class="modal-title" id="modalLabel1">$modalToken1$</h5> <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true"/></button> </div> <div class="modal-body"> <div id="modalChart1"/> </div> <div class="modal-footer"> <button type="button" class="btn btn-primary" data-dismiss="modal">Close</button> </div> </div> </div> </div> <div class="modal fade" id="modalPanel2" tabindex="-1" role="dialog" aria-labelledby="modalLabel2" aria-hidden="true"> <div class="modal-dialog modal-lg" role="document"> <div class="modal-content"> <div class="modal-header"> <h5 class="modal-title" id="modalLabel2">$modalToken2$</h5> <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true"/></button> </div> <div class="modal-body"> <div id="modalChart2"/> </div> <div class="modal-footer"> <button type="button" class="btn btn-primary" data-dismiss="modal">Close</button> </div> </div> </div> </div> <div class="modal fade" id="modalPanel3" tabindex="-1" role="dialog" 
aria-labelledby="modalLabel3" aria-hidden="true"> <div class="modal-dialog modal-lg" role="document"> <div class="modal-content"> <div class="modal-header"> <h5 class="modal-title" id="modalLabel3">$modalToken3$</h5> <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true"/></button> </div> <div class="modal-body"> <div id="modalChart3"/> </div> <div class="modal-footer"> <button type="button" class="btn btn-primary" data-dismiss="modal">Close</button> </div> </div> </div> </div> </html> </panel> </row> </dashboard>
index=ABC Check!=D | stats count by Device Check I am using this query and getting Device and Related Checks reported by the device. Now i have a scenario where i need to show only those de... See more...
index=ABC Check!=D | stats count by Device Check — I am using this query and getting each Device together with the related Checks reported by that device. Now I have a scenario where I need to show only those devices for which no event has Check=D (the filter above only drops the D events themselves; a device that also reported other checks still appears). My data looks like this: Device Check india_1 A india_1 D india_2 B india_3 B india_3 C india_4 A india_4 D The output I want is only the two devices below, where D never appears in Check, even though they have other values in Check: Device count india_2 1 india_3 2 Please help me with the query.
In my table the last row is the "Average" of all the columns which is calculated based on the query. I want to disable the drilldown click for it. how it can be done ? Attaching image for your refere... See more...
In my table the last row is the "Average" of all the columns which is calculated based on the query. I want to disable the drilldown click for it. how it can be done ? Attaching image for your reference. Below is the snippet of query I am using for the table : | transpose header_field=Category 10 | addtotals | eval Average=round(Total/8,0)| fields - Total | table column "Availability Management" "Identity Access & AD" "Information Security Management" "Monitoring & Analysis" "Server & Storage" "Service Asset & Configuration Mangement" "Service Management" Others Average | transpose header_field=column 25 | rename column as Category
Hi below is my sample data- Date source State 29-05-20 01:00:00 abc On 29-05-20 01:10:00 abc Off 29-05... See more...
Hi below is my sample data- Date source State 29-05-20 01:00:00 abc On 29-05-20 01:10:00 abc Off 29-05-20 01:20:00 abc On 29-05-20 01:30:00 abc On 29-05-20 01:50:00 abc Off 29-05-20 01:55:00 abc On Here I want to calculate "Number of Times State Went from On to Off" and "Number of Times State Went from Off to On" using streamstats command. In above case results will be- source|date| "Number of Times State Went from On to Off" |"Number of Times State Went from Off to On"|"Number of RunSwitch ONs"|"Number of RunSwitch Offs" abc |29-05-20 | 2 | 2 |4 |2 with help of @kamlesh_vaghela I am able to extract first two columns and now my new requirement is to add above four columns. Ref-https://answers.splunk.com/answers/825891/streamstats-change-state-count.html Note- I want above all these by each source.
ComputerName Events Rank ABC 320 1 BCD 229 2 CDE 120 3 need to create rank Column based on Event count
Hello! I'm a noob with Splunk and had a question regarding the client SDK (C#) I wanted to understand if I could expect a quicker turnaround time from my search if I set its priority to a hig... See more...
Hello! I'm a noob with Splunk and had a question regarding the client SDK (C#) I wanted to understand if I could expect a quicker turnaround time from my search if I set its priority to a higher number than the default (which I think is 5) ? And why do I get Exception: Splunk.Client.BadRequestException: 400: Bad Request Fatal: Unknown action. when I try to invoke job.SetPriorityAsync(10) ? How do I get around that ? Will appreciate any insights. Thanks, Avinash
Hi, As admon collects changes to the ad and these events are replicated to all other DCs we have then got duplicate events from multiple DCs that are otherwise the same in every way apart from host... See more...
Hi, As admon collects changes to Active Directory, and those changes are replicated to all other DCs, we end up with duplicate events from multiple DCs that are identical in every way apart from host. Is there a way, besides simply disabling it, to collapse these events together?
Hi all, I am using SA-dmarc from (https://github.com/aholzel/SA-dmarc). And I have already gathered JSON events from TA-dmarc. The SA-dmarc app is not showing any results. It says not found. Any i... See more...
Hi all, I am using SA-dmarc from https://github.com/aholzel/SA-dmarc, and I have already gathered JSON events with TA-dmarc. The SA-dmarc app is not showing any results; it says "not found". Any idea how to fix that?
Hi All, I have a problem with the DNS app for Splunk provided at ( https://splunkbase.splunk.com/app/4879/ ). It shows the following error ( the DNS operation timed out after 2.0 seconds). Any idea how... See more...
Hi All, I have a problem with the DNS app for Splunk provided at https://splunkbase.splunk.com/app/4879/. It shows the following error: "the DNS operation timed out after 2.0 seconds". Any idea how to fix it? Thanks in advance.
I am using Splunk TA for Windows infrastructure configured to consume the XML logs. The problem is the RAW doesn't parse out the XML that is contained w/in the XML log very well (see raw output bel... See more...
I am using Splunk TA for Windows infrastructure configured to consume the XML logs. The problem is the RAW doesn't parse out the XML that is contained w/in the XML log very well (see raw output below) It parses the "Outer" XML fine, but the "Inner" XML, not so much. (See all the lt; and gt;) &amp;gt; and &amp;lt; is just to get through this WYSIWYG editor Anyone have good advice on how to get splunk to parse and store this properly? <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'> <System> <Provider Name='AD FS Auditing'/> <EventID Qualifiers='0'>1200</EventID> <Level>0</Level> <Task>3</Task> <Keywords>0x80a0000000000000</Keywords> <TimeCreated SystemTime='2020-05-31T20:31:28.875321100Z'/> <EventRecordID>27322577</EventRecordID> <Channel>Security</Channel> <Computer>Computer</Computer> <Security UserID='S-1-5-21----SID'/> </System> <EventData> <Data>3fb4c7cb-865b-4d89-3e02-0080010000b3</Data> <Data>&amp;lt;?xml version="1.0" encoding="utf-16"?&amp;gt; &amp;lt;AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit"&amp;gt; &amp;lt;AuditType&amp;gt;AppToken&amp;lt;/AuditType&amp;gt; &amp;lt;AuditResult&amp;gt;Success&amp;lt;/AuditResult&amp;gt; &amp;lt;FailureType&amp;gt;None&amp;lt;/FailureType&amp;gt; &amp;lt;ErrorCode&amp;gt;N/A&amp;lt;/ErrorCode&amp;gt; &amp;lt;ContextComponents&amp;gt; &amp;lt;Component xsi:type="ResourceAuditComponent"&amp;gt; &amp;lt;RelyingParty&amp;gt;RelyingParty&amp;lt;/RelyingParty&amp;gt; &amp;lt;ClaimsProvider&amp;gt;AD AUTHORITY&amp;lt;/ClaimsProvider&amp;gt; &amp;lt;UserId&amp;gt;UserId&amp;lt;/UserId&amp;gt; &amp;lt;/Component&amp;gt; &amp;lt;Component xsi:type="AuthNAuditComponent"&amp;gt; &amp;lt;PrimaryAuth&amp;gt;http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows&amp;lt;/PrimaryAuth&amp;gt; &amp;lt;DeviceAuth&amp;gt;false&amp;lt;/DeviceAuth&amp;gt; &amp;lt;DeviceId&amp;gt;N/A&amp;lt;/DeviceId&amp;gt; 
&amp;lt;MfaPerformed&amp;gt;false&amp;lt;/MfaPerformed&amp;gt; &amp;lt;MfaMethod&amp;gt;N/A&amp;lt;/MfaMethod&amp;gt; &amp;lt;TokenBindingProvidedId&amp;gt;true&amp;lt;/TokenBindingProvidedId&amp;gt; &amp;lt;TokenBindingReferredId&amp;gt;false&amp;lt;/TokenBindingReferredId&amp;gt; &amp;lt;SsoBindingValidationLevel&amp;gt;TokenBoundAndValid&amp;lt;/SsoBindingValidationLevel&amp;gt; &amp;lt;/Component&amp;gt; &amp;lt;Component xsi:type="ProtocolAuditComponent"&amp;gt; &amp;lt;OAuthClientId&amp;gt;N/A&amp;lt;/OAuthClientId&amp;gt; &amp;lt;OAuthGrant&amp;gt;N/A&amp;lt;/OAuthGrant&amp;gt; &amp;lt;/Component&amp;gt; &amp;lt;Component xsi:type="RequestAuditComponent"&amp;gt; &amp;lt;Server&amp;gt;Server&amp;lt;/Server&amp;gt; &amp;lt;AuthProtocol&amp;gt;SAMLP&amp;lt;/AuthProtocol&amp;gt; &amp;lt;NetworkLocation&amp;gt;Intranet&amp;lt;/NetworkLocation&amp;gt; &amp;lt;IpAddress&amp;gt;IpAddress&amp;lt;/IpAddress&amp;gt; &amp;lt;ForwardedIpAddress /&amp;gt; &amp;lt;ProxyIpAddress&amp;gt;N/A&amp;lt;/ProxyIpAddress&amp;gt; &amp;lt;NetworkIpAddress&amp;gt;N/A&amp;lt;/NetworkIpAddress&amp;gt; &amp;lt;ProxyServer&amp;gt;N/A&amp;lt;/ProxyServer&amp;gt; &amp;lt;UserAgentString&amp;gt;Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko&amp;lt;/UserAgentString&amp;gt; &amp;lt;Endpoint&amp;gt;/adfs/ls/wia&amp;lt;/Endpoint&amp;gt; &amp;lt;/Component&amp;gt; &amp;lt;/ContextComponents&amp;gt; &amp;lt;/AuditBase&amp;gt;</Data> </EventData> </Event>  
Hi every one I have a schedule search which will run every 5 mins.But some times it going into failed state .Is there any way or setting to Re Run that schedule search as soon as it goes into fai... See more...
Hi everyone, I have a scheduled search that runs every 5 minutes, but sometimes it goes into a failed state. Is there any way or setting to re-run that scheduled search as soon as it goes into the failed state? Thanks & Regards, Manikanth
I want add one checkbox for checkboxgroup,when i click the select/deselect all checkbox , It should select all checkbox will selected in that category. can i do it by using splunkjs. Please help me... See more...
I want to add a select/deselect-all checkbox to a checkbox group: when I click it, every checkbox in that category should be selected (or deselected). Can I do this using SplunkJS? Please help me. Example: Select/deselect all for checkpoint: checkpoint 1, checkpoint 2, checkpoint 3. Select/deselect all for Linux: Linux 1, Linux 2, Linux 3
Hello, I have configured our cluster master to receive log in certain port and also configured the cluster master to forward to two indexer nodes. Now we have universal forwarder installed in few... See more...
Hello, I have configured our cluster master to receive logs on a certain port, and also configured it to forward to two indexer nodes. Now we have the universal forwarder installed on a few servers, from which we need to send the logs to the cluster master instead of directly to the two indexer nodes. Can I directly configure outputs.conf to point to the cluster master IP and receiving port, or is there anything I need to configure specifically for this on the cluster master? Thanks, Gopa
I have a dashboard having different panels that belong to 4 groups. I added 4 titles and aligned panels under each title, But here my requirement is I want to hide all panels under their titles. When... See more...
I have a dashboard with different panels that belong to 4 groups. I added 4 titles and aligned the panels under each title, but my requirement is to hide all panels under their titles; when I click on a title, I want to see only the panels belonging to that group. Kindly help me.
hi every one i try to refresh a specific panel, i follow the splunk answers but not work for me, i have a buton like this : id="button_update" class="btn" data-set-token="run_check" data-value="tru... See more...
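hi everyone, i try to refresh a specific panel. i followed the splunk answers but it does not work for me. i have a button like this : id="button_update" class="btn" data-set-token="run_check" data-value="true" style="background-color:#68E674;" and search <query>|test.csv | stats count</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> and javascript:
require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function (_, $, mvc, TableView) {
    // Re-run the search manager registered as "toto" whenever #button_update
    // is clicked. The <search> element in the dashboard XML must carry
    // id="toto" for mvc.Components.get("toto") to find it; the snippet above
    // shows no id attribute, so confirm it is set.
    // NOTE(review): the query `|test.csv | stats count` does not look like
    // valid SPL — presumably `| inputlookup test.csv | stats count` was meant.
    $(document).ready(function () {
        // The original selector was $("button_update"), a tag selector that
        // matches no element, so the click handler was never attached. An id
        // selector needs the leading "#".
        $("#button_update").on("click", function (e) {
            var mySearch = mvc.Components.get("toto");
            if (!mySearch) {
                console.warn('No search manager with id "toto" on this dashboard');
                return;
            }
            mySearch.startSearch();
        });
    });
});
but the search never refreshes. can someone help me ?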
I'm a newbie as far as Splunk is concerned with modest regex skills. We have events with the following patterns fallbackAPIStatus={api1=133:..., api2=472:...,api3=498:...} fallbackAPIStatus={a... See more...
I'm a newbie as far as Splunk is concerned, with modest regex skills. We have events with the following patterns: fallbackAPIStatus={api1=133:..., api2=472:...,api3=498:...} fallbackAPIStatus={api1=3535:...} fallbackAPIStatus={api2=252:...,api3=655:...} The numeric value indicates the response time and the ellipsis indicates fields that I'm not interested in. The number of APIs within the braces is dynamic (between 1 and 4). I want to be able to create a table as follows: apiName TotalRequests Max-Response-Time Min-Response-Time api1 2 3535 133 api2 2 472 252 api3 2 655 498 Here's my search: index=my_logs sourcetype=my_sourcetype | rex field=_raw "fallbackAPIStatus={(?P<fallBackApis>[^}]+)}" | eval temp=split(fallBackApis,",") | rex field=temp "(?P<apiName>[a-zA-Z-]+)=(?P<responseTime>[0-9]+):" | stats count as TotalRequests max(responseTime) as Max-Response-Time min(responseTime) as Min-Response-Time by apiName I'm able to get TotalRequests right, but I'm not able to get the correct max and min response times. Can someone advise what I'm doing wrong here?
Greetings!! how to create index of the new device data source in Splunk enterprise 7.2.6 in Linux? and how to create its fields by extracting fields using regex from events that come from the Web a... See more...
Greetings! How do I create an index for a new device data source in Splunk Enterprise 7.2.6 on Linux? And how do I create its fields by extracting them with regex from the events that come from the Web Application Firewall, so that I get meaningful information into fields? I really need your help; thanks in advance!
In the Interesting Fields list, what does 'have values in at least 20% of the events' mean, in simple terms?
Hi Everyone I have two Indexes (IndexA and IndexB)in both i have some common events. I need to append only the common events from Index B to the IndexA Data? Syntax Like This? index=indexA |... See more...
Hi everyone, I have two indexes (indexA and indexB), and both contain some common events. I need to append only the common events from indexB to the indexA data. Is the syntax something like this? index=indexA | append [search index=indexB | <filter condition here>] Please help me out with this.