I've been trying to reproduce simple custom drilldown behavior as documented in https://dev.splunk.com/enterprise/docs/developapps/webframework/codeexamplefw/splunkjsstack/drilldownjavascript/ but nothing appears to work for me (that is, 1. click events in my chart don't seem to be producing any effects in the console; 2. the default onDrilldown function only appears to get called from one of the charts in my page, and produces an error). What could be wrong? (Note: I'm simply trying to produce some custom logging behavior at this point.)
Hi there! I have a multiselect input named "Fields" that presents all the available fields and populates the table with the selected fields. Then, based on the multiselect's values, a dropdown named "Filter by" gets automatically populated and presents the user the ability to filter by a specific field. Everything works fine and I'm able to filter my search. My issue is when I delete the selected "Filter by" value from the multiselect input "Fields". If you see the screenshot above, my dropdown still displays the old selected value while the multiselect actually doesn't have it, and that of course breaks my search. Any ideas on how to approach this? Below is an XML sample that would help to better see my issue.

<form>
  <label>Sample</label>
  <init>
    <set token="tokSearchby"></set>
  </init>
  <fieldset submitButton="false">
    <input type="multiselect" token="prmFields" searchWhenChanged="true">
      <label>Fields</label>
      <fieldForLabel>field</fieldForLabel>
      <fieldForValue>field</fieldForValue>
      <search>
        <query>index=_internal | top limit=20 sourcetype | eval percent = round(percent,2) | fieldsummary | table field</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <delimiter>,</delimiter>
      <change>
        <condition match="like($prmFields$,&quot;%pwdLastSet%&quot;)">
          <eval token="prmFields">prmFields.",pwdLastChangeDays"</eval>
        </condition>
      </change>
      <initialValue>count,percent,sourcetype</initialValue>
    </input>
    <input type="dropdown" token="prmFilterBy" searchWhenChanged="true">
      <label>Filter By</label>
      <fieldForLabel>field_desc</fieldForLabel>
      <fieldForValue>field_desc</fieldForValue>
      <search>
        <query>| makeresults | eval prmData=$prmFields|s$ | makemv delim="," prmData | mvexpand prmData |eval prmData=replace (prmData, "Attributes.", "")|eval prmData=replace (prmData, ".value", "") | rename prmData as field_desc | table field_desc</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="prmTextFilter" id="prmTextFilter" searchWhenChanged="true">
      <label>Text Filter</label>
      <default></default>
      <change>
        <condition>
          <set token="tokSearchby">| where $prmFilterBy$ like "%$prmTextFilter$%"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Top Sources</title>
        <search>
          <query>index=_internal | top limit=20 sourcetype | eval percent = round(percent,2) | table $prmFields$ $tokSearchby$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

TIA!
Hi, I have Jira 1.0.7 installed on Splunk Cloud. I have 2 actions set up: Jira and Email. When I ran a test yesterday, both alerts triggered. Today only the Email triggered. The user is already in the jira_alert_action group. There are no errors or creations in the Jira dashboard. Any idea what I need to do here? Is there a grace period before the next Jira alert gets triggered? Thanks!
From the splunkd.log:

05-19-2020 16:36:03.808 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - Traceback (most recent call last):
05-19-2020 16:36:03.808 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - File "C:\Program Files\Splunk\etc\apps\sendresults\bin\sendresults_alert.py", line 305, in <module>
05-19-2020 16:36:03.808 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - sendemail(recipient, bcc, recipient_list[recipient].get('email_subj') , outbound, argvals)
05-19-2020 16:36:03.808 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - File "C:\Program Files\Splunk\etc\apps\sendresults\bin\sendresults_alert.py", line 145, in sendemail
05-19-2020 16:36:03.808 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - smtp.sendmail(sender, all_recipients, message)
05-19-2020 16:36:03.808 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - File "C:\Program Files\Splunk\Python-3.7\lib\smtplib.py", line 855, in sendmail
05-19-2020 16:36:03.808 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - msg = _fix_eols(msg).encode('ascii')
05-19-2020 16:36:03.808 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - UnicodeEncodeError: 'ascii' codec can't encode character '\u2003' in position 2239: ordinal not in range(128)
05-19-2020 16:36:04.317 -0500 INFO sendmodalert - action=sendresults_alert - Alert action script completed in duration=2559 ms with exit code=1
05-19-2020 16:36:04.317 -0500 WARN sendmodalert - action=sendresults_alert - Alert action script returned error code=1
05-19-2020 16:36:04.317 -0500 ERROR sendmodalert - Error in 'sendalert' command: Alert script returned error code 1.

Position in question was </td>. It was in the middle of the file; many came before and many came after. The file was saved as UTF-8. Tried re-adding the tag, no effect. Tried minimizing the file, no effect. Eventually, I saved the file as ANSI and that did the trick.
I do notice that the failure is coming from a Python library. Sendresults is 5.0.0, on Splunk 8.0.2.1.
Hi, I need to monitor WebLogic on a Solaris server. How can I do this?
Is the product still supported and how do I download the latest patches for the product? All references seem to have disappeared from the site. Only see Enterprise and Cloud. Thank you.
Hello to everyone, I have Splunk 7.3.1 with jQuery library version 2.1.0 and jQuery-ui version 1.10.4. Since they are affected by security bugs, is it possible to upgrade those libraries globally? I mean, I'd like every file with a reference to those libraries to use the upgraded ones, possibly without modifying every single file. Thank you in advance for your answers/advice.
To integrate my McAfee with Splunk, do I need to install a heavy forwarder on my Windows server?
Hi everyone, I'm having an issue with a JSON file. The thing is, I have to extract some evaluations that the file does, but those are multiple evaluations inside the "STATUS" field (see screenshot attached), so this field has the two possible STATUS values inside (COMPLIANT and NON_COMPLIANT) and when I filter to get only one, the filter does not work and I keep getting both results back when I run my search. Here I leave the query that I've been testing, and attached you'll find a sample of the issue.

index=aws eventSource="config.amazonaws.com" additionalEventData.managedRuleIdentifier="S3_BUCKET_PUBLIC_READ_PROHIBITED" awsRegion="us-east-1" recipientAccountId="149676245134" | rename requestParameters.evaluations{}.complianceResourceId as S3 requestParameters.evaluations{}.complianceType as STATUS, recipientAccountId as ACCOUNT | spath output=requestParameters.evaluations path=STATUS | search STATUS=NON_COMPLIANT | table S3 STATUS ACCOUNT

Any idea of what I can do? Thanks in advance to whoever has time to answer!
Hello, I have a list of strings that are more meaningful when grouped and viewed together by time. This is great and easy to do in Splunk with the transaction command. However, I need to export this to Excel. In the export, the transaction becomes a single line and I want to mimic the format to make the groups easy to read. I get this is probably more of an Excel question, but maybe there is some Splunk pre-formatting I can do to make it easier, like separating the individual items in a transaction by commas, or something similar.

Example of transaction output:
I need help | categoryA | _time help help me please what is splunk | category b | _time splunk help please splunk

Example of Excel extract:
I need help help help me please | cat a | _time what is splunk splunk help please splunk | cat b | time

I want to wrap the values in the Excel cell, but I have nothing to note when to wrap and I don't actually know how to wrap a cell.
Hello, I'm struggling with finding a parser in Splunk for the following log:

May 20 12:22:21 127.0.0.1 {"rootId": "AXIxikL8ao-yaSvA", "requestId": "f6a873jkjjkjk:-8000:5738", "details": {"flag": false, "title": "task 1", "status": "Waiting", "group": "", "order": 0}, "operation": "Creation", "objectId": "AXIyCN5Oao-H5aYyaSvd", "startDate": 1589977341890, "objectType": "case_task", "base": true, "object": {"_routing": "AXIxikL8ao-H5aYyaSvA", "flag": false, "_type": "case_task", "title": "task 1", "createdAt": 1589977341516, "_parent": "AXIxikL8ao-H5aYyaSvA", "createdBy": "user", "_id": "AXIyCN5Oao-H5aYyaSvd", "id": "AXIyCN5Oao-H5aYyaSvd", "_version": 1, "order": 0, "status": "Waiting", "group": ""}}

The log itself is valid JSON, and I can parse it well with the default _json parser. However, Splunk inserts the datetime and hostname at the beginning of the log, which makes the parser stop working. Is there any workaround for this? Thanks!
I would like to set up an alert when a HeartBeat MISSED event happens in a log file but a HeartBeat REACQUIRED event doesn't happen within a 1 min span, indicating an issue. So I wanted my search to alert; I tried:

...|rex "HEARTBEAT\s+(?<hb>\S+).*?(?<action>MISSED|REACQUIRED)" | stats latest(_time) AS time latest(action) AS action BY hb | eval age=now()-time | where age>(1*60) AND action="MISSED"
How do I change the table color according to the below image? I have used multiple colors in different tables; it is now showing like the given image, and the table border is not showing properly. I just want to use the same as the below image.
Hello, I'm looking to force a dropdown to revert to its first choice using JS. I already have a dropdown on my dashboard with id dropdown, but I don't know how to select it and set the selectFirstChoice property with JS. I've found examples that show how to create a new dropdown input, but in my case I have an existing one and I'm just trying to set selectFirstChoice to true. Is it possible to do this? Thanks! Andrew
Hi guys, I'm trying to work out what's wrong with my search (see below). I have a CSV lookup file with a list of names that I would like to exclude from the search results.

index=new RequestID=* NOT [| inputlookup User_Exclusions.csv | fields Exclude_User ] | stats count | rename count as Total

Any help is greatly appreciated! Many thanks! D
I have integrated Splunk with OCP and am able to see the logs on OpenShift in openshiftlab1_logging, but not in openshiftlab1_metrics or openshiftlab1_objects. Could anyone let me know the issue in the file?

global:
  logLevel: info
  journalLogPath: /run/log/journal
  splunk:
    hec:
      host: 10.133.8.98
      port: 8088
      token: 36698f4f-db56-45b8-8bf3-cc0d12ab433
      protocol: http
      indexName: openshift
      insecureSSL: true
      #clientCert:
      #clientKey:
      #caFile:
  kubernetes:
    clusterName: "openshiftlab"
    openshift: true

splunk-kubernetes-logging:
  enabled: true
  logLevel: debug
  splunk:
    hec:
      host: 10.133.8.98
      port: 8088
      token: 36698f4f-db56-45b8-8bf3-cc0d12ab433
      protocol: http
      indexName: openshiftlab1_logging
      insecureSSL: true
      #clientCert:
      #clientKey:
      #caFile:
  containers:
    logFormatType: cri
  logs:
    kube-audit:
      from:
        file:
          path: /var/log/kube-apiserver/audit.log

splunk-kubernetes-metrics:
  rbac:
    create: true
  serviceAccount:
    create: true
    name: splunk-kubernetes-metrics
  enabled: true
  splunk:
    hec:
      host: 10.133.8.98
      port: 8088
      token: 36698f4f-db56-45b8-8bf3-cc0d12ab433
      protocol: http
      indexName: openshiftlab1_metrics
      insecureSSL: true
      #clientCert:
      #clientKey:
      #caFile:
  kubernetes:
    openshift: true

splunk-kubernetes-objects:
  rbac:
    create: true
  serviceAccount:
    create: true
    name: splunk-kubernetes-objects
  enabled: true
  kubernetes:
    openshift: true
  splunk:
    hec:
      host: 10.133.8.98
      port: 8088
      token: 36698f4f-db56-45b8-8bf3-cc0d12ab433
      protocol: http
      insecureSSL: true
      indexName: openshiftlab1_objects
      #clientCert:
      #clientKey:
      #caFile:
  objects:
    core:
      v1:
        - name: pods
          interval: 30s
        - name: namespaces
          interval: 30s
        - name: nodes
          interval: 30s
        - name: services
          interval: 30s
        - name: config_maps
          interval: 30s
        - name: persistent_volumes
          interval: 30s
        - name: service_accounts
          interval: 30s
        - name: persistent_volume_claims
          interval: 30s
        - name: resource_quotas
          interval: 30s
        - name: component_statuses
          interval: 30s
        - name: events
          mode: watch
    apps:
      v1:
        - name: deployments
          interval: 30s
        - name: daemon_sets
          interval: 30s
        - name: replica_sets
          interval: 30s
        - name: stateful_sets
          interval: 30s
I want to compare some data with fields and then rename the data matched with fields. Since we have a large set of data, comparing all of that data with fields makes the query bulky. Can anyone give efficient code for this? Example:

stats count(eval(fieldname=="some data" OR fieldname=="some data")) as XYZ count(eval(fieldname=="some data" OR fieldname=="some data" OR fieldname=="some data" fieldname=="some data" fieldname=="some data"fieldname=="some data"fieldname=="some data"fieldname=="some data"fieldname=="some data")) as ABC..............by fieldname
We encountered some errors on default certificates that are expiring. We renewed the certificates, but now we want to know if there is a command to check when a certificate will expire. I tried this command:

/opt/splunk/bin/openssl x509 -enddate -noout -in /opt/splunk/etc/auth/server.pem

However, I am getting this message:

/opt/splunk/bin/openssl: error while loading shared libraries: libssl.so.1.0.0: cannot open shared object file: No such file or directory

Thanks in advance.
I have 3 fields (Key, Version, Date) separated by comma and records (can be many) separated by ; (semicolon). Example:

pgn-aemrules,1.1,2020-04-02;pgn-csharp,8.4 (build 15306),2020-02-21;pgn-csharp,8.5 (build 15942),2020-03-16;

I am trying to extract the 3 fields and display them as a table in Splunk. Please help.
I'm trying to add a custom visualisation to my Splunk Enterprise, but I am not able to find the add file option in Manage Apps. Is there any role needed to get such an option on my Splunk?