All Topics
I have Splunk set up as an HTTP Event Collector receiver and am seeing parsing errors in splunkd.log like:

ERROR HttpInputDataHandler - Parsing error

How do I resolve these?
Hi, I am unable to use the SecKit geo app when going to app config because it's stuck on loading. I tried uninstalling and reinstalling the app. Splunk 8.04. Following error received:

05-29-2020 14:26:17.415 +0000 ERROR AdminManagerExternal - Unexpected error "" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SecKit_SA_geolocation/bin/seckit_sa_geolocation/aob_py3/splunktaucclib/rest_handler/handler.py", line 117, in wrapper
    for name, data, acl in meth(self, *args, **kwargs):
  File "/opt/splunk/etc/apps/SecKit_SA_geolocation/bin/seckit_sa_geolocation/aob_py3/splunktaucclib/rest_handler/handler.py", line 303, in _format_response
    masked = self.rest_credentials.decrypt_for_get(name, data)
  File "/opt/splunk/etc/apps/SecKit_SA_geolocation/bin/seckit_sa_geolocation/aob_py3/splunktaucclib/rest_handler/credentials.py", line 188, in decrypt_for_get
    clear_password = self._get(name)
  File "/opt/splunk/etc/apps/SecKit_SA_geolocation/bin/seckit_sa_geolocation/aob_py3/splunktaucclib/rest_handler/credentials.py", line 393, in _get
    string = mgr.get_password(user=context.username())
  File "/opt/splunk/etc/apps/SecKit_SA_geolocation/bin/seckit_sa_geolocation/aob_py3/solnlib/utils.py", line 159, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/SecKit_SA_geolocation/bin/seckit_sa_geolocation/aob_py3/solnlib/credentials.py", line 118, in get_password
    all_passwords = self._get_all_passwords()
  File "/opt/splunk/etc/apps/SecKit_SA_geolocation/bin/seckit_sa_geolocation/aob_py3/solnlib/utils.py", line 159, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/SecKit_SA_geolocation/bin/seckit_sa_geolocation/aob_py3/solnlib/credentials.py", line 272, in _get_all_passwords
    clear_password += field_clear[index]
TypeError: can only concatenate str (not "NoneType") to str
". See splunkd.log for more details.
Hi All, I need to turn this:

curl --insecure -k -u username "https://api.splunk.company.com:443/servicesNS/username/sse_sitescope_prod_v01/saved/searches/apisearchv3/history"

into a PowerShell equivalent. api.splunk.company.com:443 is not trusted, as it does not have an SSL cert. I've read many examples; I just want to export this saved search using Invoke-RestMethod. Can anyone assist?
I have a bunch of dashboards created. I would like to create an Overview or Menu type dashboard. Basically this dashboard should show a menu of other dashboards' names. And once the user decides which one they want to visit, they click on the name and it redirects them to that dashboard. Is this possible to do in Splunk?
I have a similar situation as the question "Splunk Offline command - running for hours"; however, in my case I have several indexers which have been running the offline --enforce-counts command for days. One was started last Friday, so it's been a week for it. When I check splunkd.log I can still see it copying buckets. For example:

05-29-2020 14:02:01.562 +0000 INFO DatabaseDirectoryManager - idx=main Writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/main/db', pendingBucketUpdates=1 . Reason='Updating manifest: bucketUpdates=1'

There are also a huge number of entries like this:

05-29-2020 14:45:05.923 +0000 WARN AdminHandler:AuthenticationHandler - Denied session token for user: splunk-system-user
(In splunkd.log: 1911 entries for 1st host, 1256 entries for 2nd host, 1277 for 3rd host that has been running for a week, 1226 entries for 4th host)

05-29-2020 14:45:53.476 +0000 ERROR SearchProcessRunner - launcher_thread=0 runSearch exception: PreforkedSearchProcessException: can't create preforked search process: Cannot send after transport endpoint shutdown
(In splunkd.log: 19962 entries for 1st host, 20273 entries for 2nd host, 1829 for 3rd host that has been running for a week, 19101 entries for 4th host)

And on the one where it's been running for a week:

05-29-2020 14:43:33.464 +0000 WARN DistBundleRestHandler - Failed to find data processor for endpoint=full-bundle
05-29-2020 14:44:26.520 +0000 WARN ReplicatedDataProcessorManager - Failed to find processor with key=delta-bundle since no such entry exists.
05-29-2020 14:44:26.520 +0000 WARN BundleDeltaHandler - Failed to find data processor for endpoint=delta-bundle
(3092 total entries for both in splunkd.log)

I see in the master Indexer Clustering dashboard that they are still decommissioning (although I don't know what the Buckets entry indicates. The number of buckets left to replicate?)

All the indexers are running version 8.0.1, with the exception of a handful in the cluster that are not being decommissioned that have been upgraded to 8.0.3. The master indexer is still 8.0.1. What do I do to speed this up? There was no solution posted in the other question.
I am setting up universal forwarders to run using a service account, and in the Splunk documentation https://docs.splunk.com/Documentation/Splunk/8.0.4/Installation/PrepareyourWindowsnetworkforaSplunkinstallation the GPO section states that we need to give the account domain admin, which doesn't make sense.
I have just installed the Microsoft Azure Add-on for Splunk and am wondering what App everyone uses for the dashboards and reporting? Looking for suggestions.
Hi, with regard to the upcoming 20.6 Controller release: is there any documentation to specify where and what to add to the APM Agents when masking URL detail? I was under the impression this feature was being added to this particular release. Many thanks, Tim
Hi, I installed Splunk Security Essentials 3.1.1. The app runs just fine. But Data inventory doesn't work for me. The automated introspection never finishes and manually added sources keep disappearing. But there is no error message. Is there a way to debug this app? Does it generate logs? Thanks
Hi, I have a weird requirement where I am looking to create an alert using some specific conditions. My OS index gets logged every 2 mins and I need to set up an alert to monitor a certain process "java" for a user "admin". Now I have 4 hosts, and suppose that 2 hosts (p3 and p4) are down; then trigger an alert using some specific message.

index=os sourcetype=ps (host="p1" OR host="p2" OR host="p3" OR host="p4") user=admin process_name=java
| stats count by host

Now under a normal scenario, the above search gives me 4 rows with a count of 1 for each host. In case my p3 and p4 go down, I get only 2 rows because there is no process for p3 and p4. Is there a simple way to achieve this? I want to trigger an alert with a table that contains the following columns: host, message, priority. The message would be common, something like "These hosts are down. Please take action." and priority will also always be p2. But under the host column I need to specify those hosts which are down.
Good afternoon, I have a question on customizing trellis dashboard visualization. I want to remove the titles/categories on the second trellis visualization (the ones that are highlighted in yellow). Does anyone know if there is an option in SimpleXML to make this possible? Thanks, kind regards, Willem Jongeneel
Hi, below is my sample data:

Date                State
29-05-20 01:00:00   On
29-05-20 01:10:00   Off
29-05-20 01:20:00   On
29-05-20 01:30:00   On
29-05-20 01:50:00   Off
29-05-20 01:55:00   On

Here I want to calculate "Number of Times State Went from On to Off" and "Number of Times State Went from Off to On" using the streamstats command. In the above case the results will be:

"Number of Times State Went from On to Off" | "Number of Times State Went from Off to On"
2 | 2
Hey experts! I'm relatively new to Splunk, so if this is a stupid question, mea culpa. That being said, I have a solid SQL background and I'm in need of a solution for this seemingly easy problem. I have indexed data and I would like to link it to a lookup. The purpose of this lookup is both to limit the final output, as well as to enrich the final output with some extra fields. The key for linking the lookup with the indexed data consists of multiple fields. I was thinking about something like this:

index=ringelingdong sourcetype=ring
| eval testfield=strftime(_time,"%Y%m%d%T")."#".some_id
| where testfield=[| inputlookup lookup_csv.csv
    | eval LKPFIELD=strftime(_time,"%Y%m%d%T")."#".my_lkp_id
    | where checked!=0
    | fields checked, changerequest
    | rename checked as ck, changerequest as CR]
| table _time some_id ck CR

This is what I came up with so far, but I'm still missing:
- how to link the lookup output with the indexed data on multiple keys
- how to have the lookup restrict the final output, so that only checked!=1 is shown
- how to add both checked and changerequest fields from the lookup in the result

Many thanks in advance, Paul
Hi All, I have logs from my SSO servers, where I need to show a few apps' usage with names and display all other apps as otherapps. I tried the below but the results are not accurate. And I need to display it in a pie chart with correct values.

index=sso sourcetype="mysource" status=success
| stats count as otherapps
    count(eval(searchmatch("jira"))) as jira
    count(eval(searchmatch("service-now"))) as ServiceNow
    count(eval(searchmatch("exchange"))) as Exchange
    count(eval(searchmatch("office365"))) as office365
    count(eval(searchmatch("bitbucket"))) as Bitbucket
    count(eval(searchmatch("Cost"))) as Cost
| transpose

Please help me with the correct search, thanks in advance! Thanks! Pavna
Hi, I'm trying to make my dashboards accessible by the Splunk mobile app, but my Cloud Gateway Status dashboard is showing some odd errors, about which I can't find anything online. Under Cloud Gateway Processes it says, for all 4 boxes:

Error in 'scgpstree' command: External search command exited unexpectedly with non-zero error code 1.

The four boxes are: Websocket Python Process, Websocket Sodium Process, Subscription Python Process, and Subscription Sodium Process. Does anyone know what's going wrong? Thanks! Edit: The Cloud Gateway status is connected, and the KV store status is ready.
I want to deploy app configurations from a deployer to my search heads using the command:

splunk apply shcluster-bundle

There are several apps in the shcluster directory, all of which already exist on the search heads. All built-in stock apps (such as search) are however missing from shcluster. Question: Will these stock apps be removed from the search heads if a deployment is performed, if they are missing from shcluster? Or is there a rule that prevents any stock apps from being removed?
I have a query that shows the data in table form, and I have to merge the rows. Query:

my search query
| timechart span=5m count by message
| eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| untable time message count
| xyseries message time count

It gives the data in a table form:

message  time1  time2  time3
a/b/c    1      2      3
abc/1/x  0      1      4
abc/2/x  0      1      2
abc/3/x  0      2      4

I have to merge the rows and change the metric to:

message  time1  time2  time3
a/b/c    1      2      3
abc/x    0      4      10

I have tried a rex expression also, but it didn't work.
I have integrated McAfee ePO 5.10 with Splunk 8.0.3 using DB Connect. I am seeing a lot of duplicate entries when I run the search below on the SQL DB. In the EPO-Events table, I only have 39 rows, whereas when I run this search it turns out to be 1,521 rows. Could someone please help? I am new to this.

SELECT
  [EPOEvents].[ReceivedUTC] AS [timestamp],
  [EPOEvents].[AutoID],
  [EPOEvents].[ThreatName] AS [signature],
  [EPOEvents].[ThreatType] AS [threat_type],
  [EPOEvents].[ThreatEventID] AS [signature_id],
  [EPOEvents].[ThreatCategory] AS [category],
  [EPOEvents].[ThreatSeverity] AS [severity_id],
  [EPOEvents].[DetectedUTC] AS [detected_timestamp],
  [EPOEvents].[TargetFileName] AS [file_name],
  [EPOEvents].[AnalyzerDetectionMethod] AS [detection_method],
  [EPOEvents].[ThreatActionTaken] AS [vendor_action],
  CAST([EPOEvents].[ThreatHandled] AS int) AS [threat_handled],
  [EPOEvents].[TargetUserName] AS [logon_user],
  [EPOComputerProperties].[UserName] AS [user],
  [EPOComputerPropertiesMT].[DomainName] AS [dest_nt_domain],
  [EPOEvents].[TargetHostName] AS [dest_dns],
  [EPOEvents].[TargetHostName] AS [dest_nt_host],
  [EPOComputerPropertiesMT].[IPHostName] AS [fqdn],
  [dest_ip] = (
    convert(varchar(3), convert(tinyint, substring(convert(varbinary(4), convert(bigint, ([EPOComputerPropertiesMT].[IPV4x] + 2147483648))), 1, 1)))
    + '.' + convert(varchar(3), convert(tinyint, substring(convert(varbinary(4), convert(bigint, ([EPOComputerPropertiesMT].[IPV4x] + 2147483648))), 2, 1)))
    + '.' + convert(varchar(3), convert(tinyint, substring(convert(varbinary(4), convert(bigint, ([EPOComputerPropertiesMT].[IPV4x] + 2147483648))), 3, 1)))
    + '.' + convert(varchar(3), convert(tinyint, substring(convert(varbinary(4), convert(bigint, ([EPOComputerPropertiesMT].[IPV4x] + 2147483648))), 4, 1)))
  ),
  [EPOComputerPropertiesMT].[SubnetMask] AS [dest_netmask],
  [EPOComputerPropertiesMT].[NetAddress] AS [dest_mac],
  [EPOComputerPropertiesMT].[OSType] AS [os],
  [EPOComputerPropertiesMT].[OSVersion] AS [os_version],
  [EPOComputerPropertiesMT].[OSBuildNum] AS [os_build],
  [EPOComputerPropertiesMT].[TimeZone] AS [timezone],
  [EPOEvents].[SourceHostName] AS [src_dns],
  [src_ip] = (
    convert(varchar(3), convert(tinyint, substring(convert(varbinary(4), convert(bigint, ([EPOEvents].[SourceIPV4] + 2147483648))), 1, 1)))
    + '.' + convert(varchar(3), convert(tinyint, substring(convert(varbinary(4), convert(bigint, ([EPOEvents].[SourceIPV4] + 2147483648))), 2, 1)))
    + '.' + convert(varchar(3), convert(tinyint, substring(convert(varbinary(4), convert(bigint, ([EPOEvents].[SourceIPV4] + 2147483648))), 3, 1)))
    + '.' + convert(varchar(3), convert(tinyint, substring(convert(varbinary(4), convert(bigint, ([EPOEvents].[SourceIPV4] + 2147483648))), 4, 1)))
  ),
  [EPOEvents].[SourceMAC] AS [src_mac],
  [EPOEvents].[SourceProcessName] AS [process],
  [EPOEvents].[SourceURL] AS [url],
  [EPOEvents].[SourceUserName] AS [source_logon_user],
  [EPOEvents].[AnalyzerName] AS [product],
  [EPOEvents].[AnalyzerVersion] AS [product_version],
  [EPOEvents].[AnalyzerEngineVersion] AS [engine_version],
  [EPOEvents].[AnalyzerDATVersion] AS [dat_version],
  [EPExtendedEvent].[SourceHash],
  [EPExtendedEvent].[SourceParentProcessHash],
  [EPExtendedEvent].[SourceProcessHash],
  [EPExtendedEvent].[TargetHash],
  [EPOProdPropsView_THREATPREVENTION].[verDAT32Major] AS [TP_dat_version],
  [EPOProdPropsView_THREATPREVENTION].[verEngine32Major] AS [TP_engine32_version],
  [EPOProdPropsView_THREATPREVENTION].[verEngine64Major] AS [TP_engine64_version],
  [EPOProdPropsView_THREATPREVENTION].[verHotfix] AS [TP_hotfix],
  [EPOProdPropsView_THREATPREVENTION].[ProductVersion] AS [TP_product_version]
FROM
  "ePO_INSTANCE-1"."dbo"."EPOEvents",
  "ePO_INSTANCE-1"."dbo"."EPOProdPropsView_THREATPREVENTION",
  "ePO_INSTANCE-1"."dbo"."EPOComputerPropertiesMT",
  "ePO_INSTANCE-1"."dbo"."EPOComputerProperties",
  "ePO_INSTANCE-1"."dbo"."EPExtendedEvent"
ORDER BY AutoID ASC
I have a query with time range earliest=-2mon@mon latest=-1mon@mon. Now can I store the result as the month name which comes between earliest and latest? E.g., for the above example it should be March.
I want to apply different colors on different bars according to my column values. My column values are: A, B, C. These will remain fixed. I tried this:

<search>
  <query>index=<> sourcetype=<> source=<> | stats count(eval(channel="A")) as A count(eval(channel="B")) as B count(eval(channel="C")) as C</query>
  <earliest>$earnTime.earliest$</earliest>
  <latest>$earnTime.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.minimumNumber">0</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">10</option>
<option name="charting.chart.bubbleMinimumSize">1</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.columnSpacing">20</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.fieldColors">{"A":0x009900, "B":0x0099CC, "C":0xCC6600}</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="height">198</option>
<option name="refresh.display">progressbar</option>

But my "A" value is not coming in the graph and is getting aligned on the x axis with the count. Can someone please tell me where I am going wrong?