Hello, This app contains a list of field aliases, including a field alias for the field "networkConnections{}.applicationName AS app". Except this field never seems to be filled in the data that we receive from the MS Graph API. Instead I am manually going to change this using the field vendorInformation.provider AS app, as this field contains app-like values such as:
IPC
Office 365 Security and Compliance
MCAS
Azure Advanced Threat Protection
Would this be a good idea? And why is the networkConnections{}.applicationName field never filled with values?
Hi! We are on Splunk 7.2.0, and I am trying to automate setting up a Saved Search using an Ansible Playbook that would dump data into a Summary Index. What's odd is that I can get everything to work correctly, except that the "Enable Summary Index" setting (action.summary_index) won't go to "true" or accept the value of 1, but it does accept everything else.

- name: Create Splunk Search to populate Summary Index
  uri:
    url: https://<server>:8089/servicesNS/admin/chargeback/saved/searches
    method: POST
    user: admin
    password: "{{ splunk }}"
    body_format: form-urlencoded
    validate_certs: false
    status_code: 201
    body:
      name: "name"
      search: 'index=_internal'
      dispatch.earliest_time: -1d@h
      dispatch.latest_time: now
      cron_schedule: "0 0 * * *"
      action.summary_index: 1
      action.summary_index._name: index_utilization_summary
      is_scheduled: 1
  register: searchquery

Can someone please take a look and see if perhaps I'm using the wrong tag? I would appreciate it! Thanks! Stephen
Hi, I am trying to fetch the alerts created by a particular user using REST APIs. How can I filter them? Generally in the UI, under Alerts, there is a "Yours" tab which shows alerts created by me. How can I achieve a similar thing using the REST API (for myself or any other user)? Thanks, Santosh
I have to deploy the Cisco ACI Add-on for Splunk Enterprise on a heavy forwarder without a web interface. How can I configure it with the configuration files? The Readme mentions only the web interface.
Hello, We have a forwarder that has had its disk full several times in a weekend, so some hosts were not able to send their logs to this forwarder while the Splunk forwarder disk was full. How can I list the hosts (and know the period for each host) that sent no logs during this period? There are 100+ hosts behind this forwarder, so a host=xxx | timechart count by host would not be efficient. Thank you for your help
How can I change the password of a user, using only an inline search through the Search Head?
Search Head > Heavy Forwarder
Search Head > Indexer
Search Head > License Master
Search Head > Monitoring console
Search Head > Deployment Server
Whenever I try to log in to Splunk through the docker image, the default user is ansible, and because of that I am not able to access the logs and var directory in Splunk. I am also not permitted to create a new directory. Kindly suggest.
I am using the ServiceNow Incident Integration add-on to create/update incidents in ServiceNow. I have two alerts that run on certain search conditions: alert_create_incident to create a new incident and alert_update_incident to close the incident. I am using the Correlation ID field for this and it is working fine. Now the issue is that with the Correlation ID set, when alert_create_incident runs next, it does not create a new incident but updates the previously closed incident's state to new. I thought of running a script as an alert action to set a dynamic correlation ID for both alerts, but ended up in the same situation. Is there a way to generate the Correlation ID dynamically for each pair of create and update alerts? Any help/suggestions would be appreciated. Thanks
Hi All, In the application flow map of the application dashboard for a particular application, nodes / tiers are shown as green/yellow/red circles depending on their health. Green means healthy; can anyone tell me what yellow and red mean? Thank You, Gayan.
Could you tell me how to write the line break and time regex for the logs below?
2020-09-26 19:27:33,092 DEBUG com.edifecs.shared.rmi.RMISocketFactoryInitializer - Initialize custom rmiSocketFactory...
2014-09-26 19:27:33,983 DEBUG com.edifecs.shared.events.transport.rmi.RmiEventBusBuilder - Building EventBus instance for parameters: [eventBusID=EventBus|Service Manager/TEDITM01 {4ec992e0-ac7d-4b45-af5c-8d81cdb683b6}, rmiConfigurer=com.edifecs.shared.registry.RMIConfigurer@a9255c, remoteEventBusAddresses=[rmi://TEDITM01:1090/EventBus, rmi://TXENGN01:1090/EventBus, rmi://BCKCMD1:1090/EventBus], serverMode=true]
2014-09-26 19:27:34,155 INFO com.edifecs.shared.events.EventBus - [EventBus: EventBus|Service Manager/TEDITM01 {4ec992e0-ac7d-4b45-af5c-8d81cdb683b6}] registered remote bus: EventBus|Web Component/TEDITM01 {5ba842c9-9310-4342-9362-e63d8a964605}
2014-09-26 19:27:34,186 INFO com.edifecs.shared.events.EventBus - [EventBus: EventBus|Service Manager/TEDITM01 {4ec992e0-ac7d-4b45-af5c-8d81cdb683b6}] local bus started up
2014-09-26 19:27:35,921 INFO com.edifecs.shared.events.transport.rmi.RmiBusesPublisher - Failed to obtain a reference to remote EventBus. Connection to rmi://BCKCMD1:1090/EventBus refused.
2014-09-26 19:27:35,921 DEBUG com.edifecs.shared.events.transport.rmi.RmiBusesPublisher - java.rmi.ConnectException: Connection refused to host: BCKCMD1; nested exception is:
 java.net.ConnectException: Connection refused: connect
2014-09-26 19:27:37,655 INFO com.edifecs.shared.events.EventBus - [EventBus: EventBus|Service Manager/TEDITM01 {4ec992e0-ac7d-4b45-af5c-8d81cdb683b6}] registered remote bus: EventBus|Service Manager/TEDITM01 {20f1a2e4-14d7-40e0-85b1-7462173ac1c3}
Hi Team, We are using the below Splunk App versions in our organization.
Splunk App: 7.0.13
Splunk App for AWS: 5.0.2
In the Splunk AWS App, we are able to see the CPU & Memory related information for all the M & R type EC2 instances except (m5, r5 & r4) instances. I believe we are using an older version of the Splunk AWS App; is that the cause for not showing data for the latest M5 & R5 AWS EC2 instances? Kindly let me know your inputs.
Hello Experts, Currently I have configured 2 source files for Asset Center and have also configured searches for those to run once a day for the last 24 hr. I have set the global setting for the wait between each identity manager run to 24 hrs (86400) as well. What I understood is that once the Identity Manager modular input detects a changed size and a changed update time of the source file, it will dispatch the custom search and initiate the merging process. Then once the data has been merged, Asset Center shows only the updated values. My expectation is that the source file should run only once a day and the identity manager should merge all the data only once a day, and I should always be able to see all the data with the updated changes in Asset Center. Could you please let me know what actions I should take to achieve this? Thanks in Advance
Hi All, I am very new to Splunk and wanted to get the list of unique users for the below criteria. I need a query to get the actor, which was a user.
Unable to retrieve the content 7ec12461-b0db-4a7b-a210-7da0b2a1542e ph924_8bc4e8a6-6tr-oipo-zcvv-ea281ba6b101 Actor raja.
Unable to retrieve the content 7ec12461-b0db-4a7b-a210-7da0b2a1542e ph924_8bc4e8a6-950f-rtey-ggff-qwrq42342435 Actor shekar.
Unable to retrieve the content 7ec12461-b0db-4a7b-a210-7da0b2a1542e ph924_8bc4e8a6-khj-4ce6-khjk-gdgdfshghgfg Actor Madhu.
Has anyone noticed that when you comment out a bit of code in a Splunk Simple XML dashboard and then save it, and then go back later to edit the same dashboard, the commented-out code has moved to the top? Anyone notice this? Can it be made to not happen? I want the code to stay where it is. I find this useful for comparing an old query chart with a new edited one, but this moving of the commented code makes this hard. Anyone have any ideas or suggestions? I guess I could use the clone option, but that does not really work for this scenario. tks
For example, how can I add BeautifulSoup in the helper script? When I try to import it with "from bs4 import BeautifulSoup" it gives the following error:
2020-05-13 20:11:09,321 ERROR pid=129034 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="Unexpected error: No module named 'bs4'." action_name="basic_email" search_name="test_arf" sid="1589415068.896" rid="0" app="TA-basic-app" user="admin" action_mode="adhoc" action_status="failure"
I created a stream for netflow and the sourcetype comes in as stream:netflow. Is there a way to change the sourcetype prior to it being ingested into Splunk? Thanks, Ed
Yes, I have already checked my user time zone setting. My TZ setting and all my involved servers, forwarder and Splunk servers, are all configured for the same TZ. I have two servers that are configured the same and have the same use case. Server A is sending events where the _time and date_hour differ in search. The hour of the timestamp in the log that we are consuming matches date_hour. Server B is sending events where the _time, date_hour, and the hour of the timestamp in the log match. I am performing the search at the same time and other users are seeing the same results (and are asking me why there is a variance). I have confirmed that both servers are using the same deployed apps. And Server A was working this past Sunday, but no changes were made to the Splunk configuration for these servers between then and Tuesday, when the incorrect _time appeared. Both servers in this example are monitoring the same log; it's just specific to their own server. Any ideas?
Hello, I have events in the following format (ordered from oldest to newest):
buyer=1 open_cases=3
buyer=1 open_cases=2
buyer=1 open_cases=5
buyer=2 open_cases=6
buyer=2 open_cases=1
Cases can be opened or closed during the day, and "open_cases" can increase and decrease over time for a specific "buyer". I would like to visualize a timechart of the sum of every "open_cases" we have every day for each buyer. So first we need to retrieve the last number of open_cases by buyer:
buyer=1 open_cases=5
buyer=2 open_cases=1
Then sum them up: sum_open_cases=6, and then create a timechart that shows the daily trend of "sum_open_cases". How can I achieve this?
We have a dashboard and it has 3 inputs: Date, Transaction dropdown, Submit Button. I'm looking to add a dropdown (Manager) between the Date and Transaction dropdowns so that I can only see the transactions based on the Manager.
Wanted to ask the following, hopefully getting an answer from Luke M., but anybody else's comment is appreciated. So I've installed the 'Google Import/Export' app (https://splunkbase.splunk.com/app/2630) and it's working pretty well for what is intended. I am able to export data from Splunk to Google Sheets. The problem I am facing is that when exporting a lookup table from Splunk which contains numbers, the numbers go to the Google Sheet as strings. For example, if the number was 15 in the lookup table, when it shows up in Sheets it will be '15, and Sheets is treating it as a string. Is there a recommendation on how to get around that?