I have a statistical table with rows and columns. I need to color a particular column's values either red or green based on some value. How can I achieve that?

A B C D
1 1 1 1
2 2 2 2
3 3 3 3

Hence, as per the above, the C1, C2, C3 column values should be either red or green based on the values of D1, D2, D3.
Hello all, how do I extract only the MPid field with its value from the raw data, so that I can list MPID=127746?

{"MPid":"127746","url":"https://www.webox123.com","id":2301,"IDformance_level":"436", "line":"24.1","help":{"description":"23 ht_hg.", "how_to_fix":"Check the TCSEr specification for \"tundg Rich\" (CPR_rts) to see which TCSEr attributes are allowed for this type of element. Ensure that all attribute values are valid, including ID references. ","title":"Invalid TCSEr role, state or property"},"IDpages":134290,"pages_past":2221416, "_links":{"pages":{"href":"https://api.webox123.com/v2/sites/355//432e2.1.322/101/pages"} ,"progress":{"history":{"href":"https://webox123.com/v2/v2/sites/355//432e2.1.322/101/pages""}}}},
Hi, I need help writing a query to fetch the details for the below-mentioned logic. For the firewall logs: accept events from the same source IP more than 100 times, to more than 3 destination IPs. Thanks
Hello, I have this query:

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" | stats count list(eventtype) by _time

The result I'm getting is:

_time                 count   list(eventtype)
2019-08-05 10:24:23   5       csm-messages-dhcpd-send-socket-fallback-net
                              csm-messages-dhcpd-lpf-eth0-sending
                              csm-messages-dhcpd-lpf-eth0-listening
                              csm-messages-dhcpd-eth1-nosubnet-declared
                              csm-messages-dhcpd-write-zero-leases

What should I change in my query so I will see the count for each row? Thanks
We're considering setting up Splunk Enterprise 7.3.0 (for heavy forwarding) in a Docker container.

https://docs.splunk.com/Documentation/Splunk/7.3.0/Installation/Systemrequirements

As per this Splunk doc link, the Splunk Docker image can be used only for evaluation purposes and is not officially supported:

"Docker images of Splunk Enterprise are also available at Docker Hub for developers to evaluate the deployment of Splunk on containerized infrastructures that are not covered by Splunk support. The community supports these Docker images. See https://hub.docker.com/r/splunk/splunk/."

https://www.splunk.com/en_us/blog/cloud/announcing-splunk-on-docker.html

This Splunk blog says the Splunk Docker image is officially supported. Can someone confirm whether the Splunk Enterprise 7.3 Docker image (https://hub.docker.com/r/splunk/splunk/) is officially supported? Thanks!
Hi team, I have the below query. The base query returns 440 events, but when I use the stats command the number is 0. Is this because of the special characters in the string to be matched? How should I correct the string?

(servername=pc* OR host=pc*) AND sourcetype=access_log_bizx AND "GET /jsup?m=calibrationOrgDataV12*" | stats count(eval(searchmatch("GET /jsup?m=calibrationOrgDataV12*"))) as number by SFDC
I am looking for a Splunk query equivalent to the following SQL query involving window functions. Assuming I have a table like so:

CREATE TABLE my_stats_tbl (
    time timestamp,
    cid  character varying(10),
    tid  character varying(10),
    step character varying(10)
);

and SQL query:

select cid, tid, step, min(time) as earliest, max(time) as latest
from (
    select time, cid, tid, step, cid_recent_time,
           dense_rank() over (order by cid_recent_time desc) as cid_recency_rank
    from (
        select time, cid, tid, step,
               max(time) over (partition by cid) as cid_recent_time
        from my_stats_tbl
    ) q1
) q2
where cid_recency_rank = 1
group by cid, tid, step
order by cid, tid, step

How do I accomplish this in Splunk, assuming I have a search query which generates an output similar to my SQL table my_stats_tbl? Essentially, I want to:

1. Select only those rows from my search query that correspond to the most recent cid, AND
2. Amongst the rows selected in step 1 above, find the earliest and latest timestamps for each cid, tid and step triplet.

I'd appreciate any pointers.
Hi all, I installed Splunk on Windows. After I entered the "Demisto URL/Hostname/IP Address" and "API Key" parameters, I got the error "Encountered the following error while trying to update: Error while posting to url=/servicesNS/nobody/TA-Demisto/demisto/demistocustomendpoint/demistoenv". Then I tried to run the command:

curl -ku 'username:password' https://localhost:8089/servicesNS/nobody/TA-Demisto/configs/conf-demistosetup/demistoenv/ -d VALIDATE_SSL=false

But it still does not work. Please help. Thank you.
I have got a query to check container metric for micro-services. There are currently multiple versions of micro-services running. I would like to change the query to check metrics for latest version of each micro-service. Can someone assist with this please?
Hi experts, I have a data set like below from the same index but from different sourcetypes; the common field on which I can join is appid / app_id. I want to show only those app ids which take more than 20 min for approval.

Sourcetype=created
date,status,appid
18/Oct/2018 05:05:02,created,1234
18/Oct/2018 05:06:02,created,12345
18/Oct/2018 05:07:02,created,123456

Sourcetype=approved
date,status,app_id
18/Oct/2018 05:25:02,approved,1234
18/Oct/2018 05:40:02,approved,12345

On the above sample data set I am expecting a table like below.

Appid,Created time,Approved time,total_time
12345,18/Oct/2018 05:06:02,18/Oct/2018 05:40:02,34min

Regards
VG
Getting these vulnerabilities on my Splunk forwarders, all on port 8089. To resolve the certificate issue I have a paid certificate I want to replace the default Splunk certs with. If I were to simply disable the management port on the forwarders with the stanza below inside server.conf, would it get rid of all these vulnerabilities?

[httpServer]
disableDefaultPort = true

Vulnerabilities:
SSL Certificate Expiry
SSL Certificate Signed Using Weak Hashing Algorithm
SSL Certificate Cannot Be Trusted
SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
TLS Version 1.1 Protocol Detection
Hi, I'm having this error where my Splunk Add-on for Microsoft Office 365 is not working: TypeError: can only concatenate str (not "bytes") to str. Please suggest help ASAP. Thankssss! Here is the log in _internal:

2020-05-07 10:35:17,727 level=ERROR pid=10550 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=utils.py:wrapper:67 | datainput=b'AuditGeneral' start_time=1588818915 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/utils.py", line 65, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 102, in run
    executor.run(adapter)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/batch.py", line 47, in run
    for jobs in delegate.discover():
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 127, in discover
    subscription.start(session)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 160, in start
    response = self.perform(session, 'POST', '/subscriptions/start', params)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 169, in _perform
    return self._request(session, method, url, kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 181, in _request
    raise O365PortalError(response)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 26, in __init_
    message = str(response.status_code) + ':' + payload
TypeError: can only concatenate str (not "bytes") to str
I have a report scheduled which runs every day and it has earliest=-30d for general scenario and I have a separate alert which uses this report to collect the data and it provides the outlier. Now, my question is if for some reason I need to see the historical data which is older than 30 days then I need to hardcode that time range (for example - earliest=-125d latest=-95d) in the search of the report. I am also updating the same in the time picker using date range to match with what I have updated in the search. Now when I run the report, it gives me correct results but nothing changes in the Alert. It gives me the same data as it was giving me previously for last 30 days. So, basically the alert is not getting updated based on the changes I am making in the report. Any help would be appreciated!!
Hi, I have created a Docker image using OpenJDK, GlassFish 5.1, etc., and installed the Java app agent inside the container where GlassFish is running, and configured GlassFish as follows:

- to use the JVM parameter -javaagent:/opt/appdynamics/appagent/javaagent.jar
- modified osgi.properties for GlassFish to use com.singularity.*
- the agent /opt/appdynamics/appagent/javaagent.jar is unzipped inside the container where GlassFish is running

The controller doesn't receive any events, nor are there any log files generated where the agent is located. We are using AppDynamics on-premise successfully with the above configuration without any dockerization. Without logs, it is pretty difficult to troubleshoot the issue. Any advice would be appreciated.
Hi everyone, I am trying to add a custom field to every event that comes from a heavy forwarder, so that from search I can know which HF the events are going through. Here is my configuration on a HF:

props.conf:
[default]
TRANSFORMS-addHF = addHF

transforms.conf:
[addHF]
INGEST_EVAL = hf="my-hf-01"

fields.conf:
[hf]
INDEXED=true

So instead of hardcoding the hostname for every HF, I am trying to find a way to use an OS variable such as hostname in the INGEST_EVAL. Any idea how to achieve this? Many thanks. S
Existential question here... What is the appropriate mechanism in Splunk to have multiple (potentially hundreds) of alerts that are based on the latest events, rather than real-time or timeframe searches, while keeping our Splunk deployment sane and simple? (Is it even possible?)

Example: I need an alert when a volume (disk) breaches an 80% used space threshold, and need it within 30 seconds of when Splunk gets an event. (Then similar alerts for NAS and SAN volumes, CPU, memory, interface utilization, and a whole bunch of other metrics.) Setting up a few dozen of these realtime searches and respective alerts brings our cluster to its knees. Attempting to set up auto-refreshing and fast dashboards with the same metrics simply knocks it out. Whereas doing something like this in Solarwinds or Datadog - piece of cake, including statistics-based metrics (e.g. if a metric exceeds a 30-minute baseline by more than 20% over the last 3 minutes).

Is Splunk not the right product for the task? If it is, what is the technical term for my problem, how can it be solved in Splunk, and would you be so kind as to point me to where it's discussed? Thanks!

P.S. Please read the question fully and please abstain from attempting to answer what you might think the question is. The question is specific enough: What is the appropriate mechanism in Splunk to have multiple (potentially hundreds) of alerts that are based on the latest events, rather than real-time or timeframe searches, while keeping our Splunk deployment sane and simple? To rephrase it a bit: in an environment where the ability to set up fast alerts on a large number of metrics is important, is Splunk (OOTB) the right product for the task? If so, what are the mechanisms to accomplish that? (Because OOTB, Splunk is not suitable for it - at least not in my experience.)

P.P.S. Is metrics such a mechanism? If so, what would be a good resource to get those set up and running fast? (Digging through the documentation tells me it's not a streamlined, easy experience.)
I'm posting this question mostly because it's maddening. I want a dashboard that is shared between two apps to behave differently based on the value of $env:app$.

Doesn't work:

<init>
  <eval token="isMyApp">if($env:app$=="myApp", "true", null())</eval>
</init>

If I run a search as follows:

<search>
  <query>| makeresults | eval foo = if($env:app|s$=="myApp", "true", null())</query>
  <done>
    <set token="showMyAppPanels">$result.foo$</set>
    <eval token="iAmBroken">if($env:app|s$=="myApp", "true", null())</eval>
    <eval token="meToo">if($env:app$=="myApp", "true", null())</eval>
  </done>
</search>

The $result.foo$ evaluates correctly, but the other two return null regardless of the value of $env:app$. So with $result.foo$, or some JS, I can get where I need to be, but why does it take running an extra search or script to get there?
We are often seeing the following error messages from HEC servers, and users are complaining of failures connecting to HEC:

04-16-2020 19:02:04.513 +0000 WARN HttpListener - Socket error from 10.1.32.176:3655 while accessing /services/collector/event/1.0: Connection reset by peer
04-16-2020 19:21:51.387 +0000 WARN HttpListener - HTTP active connections down to 1354, unthrottling
04-16-2020 19:21:51.354 +0000 WARN HttpListener - 1365 HTTP connections active, throttling
Hi, I'm using Splunk Enterprise Dashboards App (beta) and inserted a table in my dashboard, but I need to wrap the text to show all of the content. Instead of this: I need something like this returned in a search: How can I do that?
Hello, I have a problem with Splunk ES Glass Tables not loading when setting requireClientCert=true in sslConfig. Of course I have the complete SSL setup working fine with sslVersions=tls1.2 using certificates signed by my own CA. When trying to access the Glass Tables from the ES menu, I get the following error message:

HTTPSConnectionPool(host='127.0.0.1', port=8089): Max retries exceeded with url: /servicesNS/nobody/SplunkEnterpriseSecuritySuite/storage/collections/config/SplunkEnterpriseSecuritySuite_glasstables (Caused by SSLError(SSLError(1, u'[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:742)'),))

P.S. note: I have tried to add ssl3 to the allowed list in sslVersions just to check if this is the problem, but I end up with a KVStore failure. However, this is not how I want to solve it. Thank you for your interactivity and responses in advance. Regards