All Topics
I want to apply different colors to different bars according to my column values. My column values are A, B, C. These will remain fixed. I tried this:

  <search>
    <query>index=<> sourcetype=<> source=<> | stats count(eval(channel="A")) as A count(eval(channel="B")) as B count(eval(channel="C")) as C</query>
    <earliest>$earnTime.earliest$</earliest>
    <latest>$earnTime.latest$</latest>
  </search>
  <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
  <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
  <option name="charting.axisTitleX.visibility">collapsed</option>
  <option name="charting.axisTitleY.visibility">collapsed</option>
  <option name="charting.axisTitleY2.visibility">visible</option>
  <option name="charting.axisX.scale">linear</option>
  <option name="charting.axisY.minimumNumber">0</option>
  <option name="charting.axisY.scale">linear</option>
  <option name="charting.axisY2.enabled">0</option>
  <option name="charting.axisY2.scale">inherit</option>
  <option name="charting.chart">column</option>
  <option name="charting.chart.bubbleMaximumSize">10</option>
  <option name="charting.chart.bubbleMinimumSize">1</option>
  <option name="charting.chart.bubbleSizeBy">area</option>
  <option name="charting.chart.columnSpacing">20</option>
  <option name="charting.chart.nullValueMode">gaps</option>
  <option name="charting.chart.showDataLabels">all</option>
  <option name="charting.chart.sliceCollapsingThreshold">0</option>
  <option name="charting.chart.stackMode">default</option>
  <option name="charting.chart.style">shiny</option>
  <option name="charting.drilldown">none</option>
  <option name="charting.fieldColors">{"A":0x009900, "B":0x0099CC, "C":0xCC6600}</option>
  <option name="charting.layout.splitSeries">0</option>
  <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
  <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
  <option name="charting.legend.placement">none</option>
  <option name="height">198</option>
  <option name="refresh.display">progressbar</option>

But my "A" value is not coming up in the graph and is getting aligned on the x axis with the count. Can someone please tell me where I am going wrong?
I have a single value panel which is generated from the SPL below:

  | inputlookup AD_User_LDAP_list where OU=Staff isDeleted=FALSE | stats count

I would like to drill down when it is clicked and display a list of users in another panel (the results of the SPL below):

  | inputlookup AD_User_LDAP_list where OU=Staff isDeleted=FALSE | table sAMAccountName

Can someone kindly explain how to do this? TIA
We have a set of logs from different hosts that specify a metric. I want to display a line graph over a user-selectable time period that plots the metric as a percentage difference from the 30 day average for each host. That is, get the 30 day average for each host, then plot ((metric/average)*100)-100. This would mean that 80% would plot as -20, 100% as 0, 120% as 20, and so on. Additionally, we would like to highlight where the value falls outside -50 to 50. The next stage would be to alert if the value is outside the -50 to 50 range for more than the last, say, 20 minutes. What we are looking for is to spot where the metric is larger than average for an extended period (flood condition) or lower (drought). The range could change. I'm new to Splunk so I don't really know exactly where to start. I can get the graph to work with averaging in the same period as plotting. It's having the average over a different time period that is the problem. Hosts are selected by a pattern so they would be dynamic (host matching pattern CVM_AGG). We may extend this to either a second query for BUS_AGG or merge the two _AGG patterns. Since we are using percentage against average, they will scale the same.
The log is parsed in a bad way. That's the props.conf:

  SHOULD_LINEMERGE = false
  LINE_BREAKER = ([\r\n]+)Data:\s\d{14}
  MAX_EVENTS = 256
  TRUNCATE = 10000
  TIME_PREFIX = ^Data:\s
  TIME_FORMAT = %d%m%Y%H%M%S
  MAX_TIMESTAMP_LOOKAHEAD = 25

That's the log:

  Data: 29052020113001
  Numero file in /data/In/ = 0
  Numero file in /data/In/IMS/ = 0
  Numero file in /data/archive/ = 7
  Processi:
  a is running
  b is running
  platform is running
  -Controllo sftp
  -pippo: Connected to .
  sftp> bye
  -pluto: Connected to .
  sftp> bye
  -casa: Connected to .
  sftp> bye
  -SMC: Connected to .
  sftp> bye
  -Datalake: Connected to .
  sftp> bye
  -Controllo System Log ultime 48h
  no rows selected

I need to have all of this log in one Splunk event. With that configuration, Splunk parses the log into two events:
Hi, I'm a newbie to AppDynamics and am using the trial version with SaaS. While I'm trying to install a Server agent for our Windows Server, it starts successfully without any problem, but we see an error when creating the registration:

  WARN RegistrationTask - Encountered error during registration. Will retry in 60 seconds.

When I access the "SAAS Status" on the Controller online Web UI, I saw that it was Paused. Is there anything related to my above problem? Do I need to wait for the SaaS Status to come up and try to connect the Server agent again?
Hi all, so the question looks pretty simple but I am not able to figure out the accurate answer. I need to find the count of common values between two different fields from two different sourcetypes. I have an index=main and two sourcetypes, sourcetype1 and sourcetype2. These two sourcetypes each have a hostname field and I need to find the common values between the two hostname fields. The query I used is this:

  Index=main sourcetype=sourcetype1 | dedup hostname | table hostname | append [ search index=main sourcetype= sourcetype2 | dedup hostname | table hostname ] | table hostname | stats count by hostname | where count >1

The problem is that the values in the hostname field in sourcetype1 are almost 75k and the values in the hostname field in sourcetype2 are almost 90k, and I am getting a result of 22k by using that query. But the actual count of common values is almost 40k. So I don't understand where I am going wrong. Can anyone please tell me if my query is right, or if there is any other approach to this I can use? Thanks a lot.
Hello, I need to query the last two HTTP statuses for every page (extracted from the URI). For example, for this log:

  ip_address - - [23/May/2020:18:22:16] "GET /test HTTP 1.1" 200 1665 "http://www.testwebsite.com/test "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159
  ip_address - - [23/May/2020:19:24:09] "GET /test HTTP 1.1" 404 2301 "http://www.testwebsite.com/test" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159

I'd like to query the two last codes for page /test, in this case 404 and 200. I tried something with streamstats but I don't really know how to combine this into one single query:

  | streamstats values(status) by uri_path window=2
I have an index named Events. Example events:

  AccountCreated
  {
    "AccountId": 1234,
    "EventName": "AccountCreated",
    "SomeOtherProperty": "Some value"
  }

  FavoriteCreated
  {
    "AccountId": 1234,
    "EventName": "FavoritesCreated"
  }

Let's say that I have a bunch of these events, like millions. Now, I want to create a query that returns the AccountCreated event IF 1 (or more) FavoriteCreated event exists with the same AccountId. I've tried the following query and it works:

  index=events EventName=AccountCreated [search index=events EventName=FavoriteCreated | dedup AccountId | fields AccountId] | table AccountId, SomeOtherProperty

The only problem with that one is that it's using a subsearch and I'm hitting the 10000 results limit. So then I tried using a JOIN instead (this also works):

  index=events EventName=AccountCreated AccountId=* | stats count by AccountId, EventName | fields - count | join AccountId [ | search index=events EventName=FavoriteCreated AccountId=* | stats count by AccountId ] | fields - count | table AccountId, EventName

...but now I'm facing the 50K events limit (JOIN subsearch). So, I need to be able to write the query without using JOIN and/or subsearch. Do you guys have any tips?
I have installed Splunk Enterprise version 8.0.4 on an Ubuntu IBM Cloud server with the default port (8000). I can access Splunk from my laptop's Chrome / Edge browsers. I uploaded a CSV from the browser as admin and could search it. I have two doubts in this regard:

1. How do I load a CSV file from the Linux command prompt? I went through the documentation provided online. What I did not understand was: what is the "|" symbol before invoking the inputcsv command? Is it some Splunk shell kind of thing? Is it the CLI? Or something else?

2. I created a user from the admin GUI and gave it the role of "user". Can I upload a CSV by logging in as this user? As per the documentation, the "user" role should be able to input a file. However, I did not find the "Add Data" option in the GUI for this user.

Any help is greatly appreciated.
Hi, I have 2 different dashboards. Is there a way to make them look like a sheet view kind of thing in Splunk? I mean, in a single view can we dynamically display two dashboards?
  ComputerName  Events  Rank
  ABC           100     1
  BCD           200     2
  CDE           300     3

I need to create Rank by Events.
Hello All, I have the below questions on the reload command and phonehoming which I need to confirm:

1. Both the deploy reload command and phonehoming change the configs in the forwarders (clients), but both have a different approach. The reload command will push the changes to the forwarders (clients) without any Splunk restart, but phonehoming will check for any changes in the configs on the deployment server and, if there are changes, will poll the changes, restart the forwarders (clients) and apply the changes?

2. Should we run the reload command before or after phonehoming?
Here, if we have multiple events with the same status, it will pick only the first status event, and if events with a different status come, then it will pick the other status events. How can we write the query for this? Example status values and their dates:

  False positive (25 May)
  False positive (24 May)
  Investigating (23 May)
  Investigating (22 May)
  Service degradation (21 May)

Thanks
Dear all, I have installed Splunk Enterprise Security but the Security Posture dashboard does not show any information. Security Intelligence, in particular Risk Analysis, does not show any information either. I have reviewed all guides related to Enterprise Security configuration and I do not see any issues with my configuration. Generally, Splunk is collecting many logs, including Office 365 logs, AD logs and Firewall logs, and they are perfectly displayed in the apps that are specialized for the particular vendor's logs (for instance the Microsoft 365 App for Splunk). However, they are not reflected in Enterprise Security. I have configured "Intelligence Downloads" by enabling almost all types of threats, and almost all of them are downloaded successfully. I am new to using Splunk and do not have much experience configuring it. I have no idea what I should check or configure to find the core of the problem. Could you help me in addressing this issue? I am ready to provide my current configuration if it is needed.
My raw data from the log is below:

  METHOD="POST" URI="CALLOUT-LOG" USER_ID_DERIVED="00532000004sefcAAA" EVENT_TYPE="ApexCallout" TYPE="REST" CLIENT_IP="" URL=""https://api.contact.com/ContactAuthorizationServer/Token"" RUN_TIME="532" SESSION_KEY="" TIMESTAMP="20200529045947.928" REQUEST_SIZE="76" LOGIN_KEY="" REQUEST_ID="4WCb1_2dhf_Zn9-qbvXjs-"

Splunk assumes URL is "" since the URL value is passed to the index in 2 double quotes. I used eval to parse out and get the actual URL into a field in the search as URLX, but the URLX field becomes jumbled if I use something like stats count by URLX. My eval is:

  eval ..... URLX=replace(_raw, ".*URL=\"\"(.*)\"\" RUN_TIME.*", "\1"), "/")

How do I properly tell Splunk to extract URL without eval in the first place? Thanks for the help in advance.
  host= rbal index=winevent_s earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0 sourcetype=WinEventLog OR sourcetype=XmlWinEventLog | stats count

73 results, and

  host= rbal* index=winevent_s earliest=5/18/2020:7:3:0 latest=5/18/2020:7:5:0 sourcetype=WinEventLog OR sourcetype=XmlWinEventLog stats count

0 results. This is odd.
Hi, recently I set up the Windows Infrastructure app, the Windows add-on and the AD support add-on. However, for some reason, even though the Check Data step of configuring Windows for Infrastructure comes back positive, having detected the relevant sourcetypes, when moving on to Customize Features suddenly none of them can be found, e.g. "Windows Events not found". I am at a complete loss as to why, especially since I followed the documentation to the letter and have changed all the relevant .conf files to reflect the indexes, etc. Any help would be appreciated, as I am absolutely pulling my hair out over it.
Hi, I am trying to generate a report which I want to run at 2:30 PM on 3 days a week, only for the time range chosen as 1:25 PM to 1:30 PM. How do I pass the values of earliest and latest in this case? Do I have to convert the date and time to epoch time first and then pass it to earliest and latest, or is there a simpler way to achieve this?
Hi, I have a requirement where I need to display results with HTTP status code 503, but I want to exclude all results with status code 503 that occurred between 10pm and 6am on all days (irrespective of the day). For example:

  index=am_ms_app source="ms_api*" api_status="503 SERVICE_UNAVAILABLE"

I want to display all 503 HTTP status code results that occurred outside of the 10pm-6am window. Any help will be appreciated. Thanks!
I'm trying to search for a string that occurs more than once. But the string contains wildcards and commas. Which query will find whether the following string occurs more than once?

  "BLOCK,%,%,1"

where the % is a wildcard (it is always an integer).