Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi Team, I'm seeing the following 22.77 as avg latency for the last 24 hours for one of the sourcetypes. What is the normal avg latency that can be accepted, since the logs are coming through syslog -> Heavy Forwarder -> Indexers and ingesting into Splunk? Please let us know if there is any other alternative approach we can use to calculate the latency if the below is incorrect. Any help would be highly appreciated. Regards, VK
Hello, I am implementing some actions in the S1 app for Splunk SOAR. All actions function independently, such as 'run action', and some work within a playbook. However, one action, when attempted within a playbook, displays the following error: phantom.act(): action 'get endpoint info by computer name' not supported by any enabled apps
Hello, We are interested in capturing Microsoft Teams PSTN call records. There is a Microsoft Graph API with specific methods to capture this information: https://learn.microsoft.com/en-us/graph/api/callrecords-callrecord-getpstncalls?view=graph-rest-1.0&tabs=http This app in Splunkbase looks like it can capture what we want (https://splunkbase.splunk.com/app/1546). The Microsoft Teams add-on for Splunk is not capturing the PSTN call records and only seems to be capturing Teams to Teams calling. Any other ideas? Thanks.
I have a multiselect input like this:

<input type="multiselect" token="year">
  <label>Year</label>
  <choice value="*">All</choice>
  <delimiter> OR year=</delimiter>
  <fieldForLabel>year</fieldForLabel>
  <fieldForValue>year</fieldForValue>
  <search>
    <query>| inputlookup supported_years.csv | dedup year | table year</query>
  </search>
  <default>2023</default>
  <initialValue>2023</initialValue>
</input>

I want to set the time range tokens to the result of the input selection above. If 2023 was chosen, the token value for $timeRangeEarliest$ should be 2023/01/01 and the token value for $timeRangeLastet$ should be 2023/12/31. If 2021 and 2023 were chosen, the token value for $timeRangeEarliest$ should be 2021/01/01 and the token value for $timeRangeLastet$ should be 2023/12/31. Etc. I want to use these two tokens for the time range in a search. Don't know how to do it. Please help. Many thanks.
Hello, I have installed the Splunk Add-on for AWS on our on-prem Splunk instance. Using an IAM User is not allowed in our company due to security policy. We can only use an IAM role to access the resources. In the Splunk AWS add-on page, under the Configuration tab, adding an AWS account in Splunk requires a Key ID/secret key which I cannot create due to my company policy. Is there a way to connect to the AWS account using an IAM role that has the Splunk inline policy attached to it? Thanks in advance. Siva
Dears, the EUM service and its DB don't start automatically after a restart on a RHEL Linux server. After every reboot we need to start EUM and its DB manually. Is there any solution to automatically start the EUM service and its DB when there is a server reboot? Thank you.
I am using Splunk with the delta command:

index=xxxx source=xxxx rcrdType=xxx | timechart span=1h avg(requestSize) avg(responseSize) | delta avg(requestSize) | delta avg(responseSize)

I need to modify the query to ONLY include those events where either delta avg(requestSize) OR delta avg(responseSize) OR both are positive.
Hi, in our organization we use WEF to monitor Windows. We configure an inputs.conf for monitoring from the Event Viewer. The PowerShell event logs (mainly event codes 800 and 4103) we receive are too long and we want to cut duplicated data. We tried various tests with props.conf and transforms.conf and nothing works. Here are some of the stanzas we tried in props.conf:

[source::"XmlWinEventLog:Windows PowerShell"]
SEDCMD-CLean_powershell_800 = s/s/\n\s+Context\sInformation\:.*([\r\n]+.*){0,500}////g
SEDCMD-CLean_powershell_4103 = s/s/\s+Context\:.*([\r\n]+.*){0,500}////g

[source::XmlWinEventLog:Microsoft-Windows-PowerShell/Operational]
SEDCMD-CLean_powershell_800 = s/s/\n\s+Context\sInformation\:.*([\r\n]+.*){0,500}////g
SEDCMD-CLean_powershell_4103 = s/s/\s+Context\:.*([\r\n]+.*){0,500}////g

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
SEDCMD-CLean_powershell_800 = s/s/\n\s+Context\sInformation\:.*([\r\n]+.*){0,500}////g
SEDCMD-CLean_powershell_4103 = s/s/\s+Context\:.*([\r\n]+.*){0,500}////g

Also, I wanted to make sure the inputs.conf stanza for PowerShell is correct when I used renderXml = true over wec_event_format = rendered_event.
_raw data exported from a search query: this is not the actual raw data stream from the sending device, correct? This is the data after any default rules have been applied at index time.
Dozens of posts on these topics. I've tried makemv, fieldformat, tostring, tonumber, all to no avail. So I'm just going to paste my query in hopes someone can help me out. I have placed them after the stats call but am having no luck.

query | stats list(Plugin) by Host, OS, App, Manager | rename list(Plugin) as "Plugin ID"

The result is either one or several numbers in a single field, Plugin ID. I would prefer to delimit those results by comma (and align left for the single-value results if possible). Instead of (the lines are supposed to represent the cell/field):

______________
204188 193574_______
______193574__

I would like them on a single line, wrapping where necessary:

204188, 193574
193574_______

Any assistance would be appreciated.
In the _cluster app on the cluster manager there is an indexes.conf file that specifically sets repFactor to 0 for the _introspection, _telemetry, _metrics, and _metrics_rollup indexes. Is there a reason these indexes should not be replicated? Thanks.
Hi Team, how can I replace "no results found" with 0 with a color in a Splunk dashboard? I know that by appending the below it updates "no results found" with a 0 value:

| appendpipe [stats count | where count=0]

But it comes with a red color for the 0 value, and I want to change it to green, even though I have changed Format Visualization --> Color range to 0-5 as Green and 5-max as Red. Could you please let me know how I can get a green color with the value 0 when there is "no results found"?
Hi Experts, I have a question regarding our Splunk Dashboard. I want to show the logic of the calculation used in a single value panel. Specifically, I would like to display this information when a user hovers over the panel or clicks a question mark (?) or information (i) symbol. Is it possible to add this feature to a particular single value panel? Any guidance or examples would be greatly appreciated. Thank you
I know that REST calls don't cover the deployment server apps as they are not memory resident. But is there any way we can monitor the Deployment Server which saves the output somewhere, and we can monitor that in Splunk?
Hello there! To monitor Microsoft Hyper-V in a customer environment, I know and use the Hyper-V add-on for Splunk. But the add-on does not include PowerShell scripts for monitoring Microsoft Hyper-V MS cluster and CSV (Cluster Shared Volumes) metrics and counters. Is anyone using any sort of monitoring or custom scripts/apps for MS cluster and CSV monitoring? Thanks
Get-BrokerSession is run via PowerShell and its output sent to a txt file. The information is getting into Splunk; however, at every line that has a date and time in it, the event is ended and a new event begins with the next line in Splunk. Is there a way to have the txt file ingested into Splunk without it chopping up the file every time it comes to a timestamp in the log?
Hi, I would like to get the latest search record for a single search or a combination of multiple searches. For example, if my search is as below:

index=myIndex ABCD AND (Input OR Error)

I am expecting output in the below table format:

Component | Last Input Timestamp | Last Errored Timestamp
ABCD      | 24-03-2024 12:23:23  | 24-03-2024 08:23:12

The search should fetch the timestamp of the latest log event of (ABCD and Input) and (ABCD and Error).
I guess the question can be broad, but I am coming from the following scenario: I am using the Splunk app, which has been configured and connection tested successfully in SOAR. Recently, something happened that I did not expect: the credentials to Splunk were rejected and the action to "run query" returned with an expected message of "Unauthorized Access (401)". But then the action terminated there and did not continue with the rest of the playbook. I have another app action for Ansible Tower to run an (Ansible) playbook (action name is "run job"), and if the Ansible playbook fails, the action in Splunk SOAR is marked as FAILED, but the SOAR playbook continues otherwise. I can't tell what the difference is between these two actions that allows one to continue, but the other to halt the SOAR playbook progression. Any advice is appreciated.
I can't add any background images to a dashboard created in Dashboard Studio, and I presume it is because my role is missing the correct capability. I am trying to find information relating to what cap. I need but I could not find anything. ChatGPT answered that there is a cap. "edit_visualizations" but I could not find info about that. Can someone help me with identifying the correct capability linked to adding a background image to a Dashboard Studio dashboard? Thanks in advance, Paul
I am wondering why the Deployment Server is full when the only things stored on this server are the Deployment Server TAs and .conf files to distribute the TAs and conf to Universal Forwarders. These are the specs:

Deployment Server
- 16 CPU cores (or 32 vCPU; if VM then must be dedicated), 2 GHz+ per core or greater
- 16 GB RAM
- 1 x 200 GB storage space (for OS and Splunk)
- 64-bit OS Linux/Windows
- 10 GB Ethernet NIC, with optional 2nd NIC for management network

But the disk space is full in /root. Please help. Thank you