We are using Splunk logs in an iOS app. We are logging:

1. Request log (has URL, Tag, appTimestamp fields in the log)
2. Response details (failed / succeeded; has response JSON, Tag, appTimestamp fields in the log)

The Tag is unique for each request. We want to identify the time difference between the request and response logs (the difference between the 1 and 2 logs).

Sample request log:

    "businessFlowTag":"Login - Get REP JWT token" ,"appTimestamp":"Apr 30, 2020, 04:08:21.103 GMT", "note" : "URL_OF_API"

Sample response log:

    "businessFlowTag":"Login - Get REP JWT token" ,"appTimestamp":"Apr 30, 2020, 04:08:24.100 GMT", "note" : "RESPONSE_JSON_OF_API"

In the above case there is a time difference of 3 seconds between request and response: (Apr 30, 2020, 04:08:24.100 GMT) - (Apr 30, 2020, 04:08:21.103 GMT) = 3 seconds. I want this time difference for each request. Please help, and please let me know if any additional details are required.
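As an added example (not part of the original post), the Python below pairs the two kinds of event by businessFlowTag and computes the latency over constructed JSON events modelled on the sample lines. It assumes each log line is a JSON object carrying businessFlowTag and appTimestamp, takes the earliest event for a tag as the request and the latest as the response, and reports tags that cannot be paired (no response yet, or a tag reused across several requests), since the post says the tag is unique per request but the sample tag reads like a flow name. Once appTimestamp is the event's _time, the same grouping in SPL is `stats min(_time) as request_time max(_time) as response_time count by businessFlowTag | eval latency=response_time-request_time`.

```python
"""Pair request/response events by tag and compute per-request latency."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events modelled on the post's two sample lines (not real app data).
# Assumption: each log line is a JSON object; the third line is a request with no response yet.
SAMPLE_EVENTS = [
    '{"businessFlowTag":"Login - Get REP JWT token","appTimestamp":"Apr 30, 2020, 04:08:21.103 GMT","note":"URL_OF_API"}',
    '{"businessFlowTag":"Login - Get REP JWT token","appTimestamp":"Apr 30, 2020, 04:08:24.100 GMT","note":"RESPONSE_JSON_OF_API"}',
    '{"businessFlowTag":"Profile - Get user","appTimestamp":"Apr 30, 2020, 04:08:25.000 GMT","note":"URL_OF_API"}',
]

APP_TIME_FORMAT = "%b %d, %Y, %H:%M:%S.%f GMT"  # matches "Apr 30, 2020, 04:08:21.103 GMT"


def parse_app_timestamp(value):
    """Parse the app's timestamp string into an aware UTC datetime (%f accepts the 3-digit millis)."""
    return datetime.strptime(value, APP_TIME_FORMAT).replace(tzinfo=timezone.utc)


def request_latencies(raw_events):
    """Return ({tag: latency_seconds}, [unpaired tags]).

    The earliest event per tag is taken as the request, the latest as the response.
    A tag with exactly two events is paired; anything else (only a request so far, or a
    tag reused across several requests) is reported rather than silently averaged.
    """
    times_by_tag = defaultdict(list)
    for raw in raw_events:
        event = json.loads(raw)
        times_by_tag[event["businessFlowTag"]].append(parse_app_timestamp(event["appTimestamp"]))

    latencies, unpaired = {}, []
    for tag, times in times_by_tag.items():
        if len(times) != 2:
            unpaired.append(tag)
            continue
        request_time, response_time = sorted(times)
        latencies[tag] = (response_time - request_time).total_seconds()
    return latencies, unpaired


if __name__ == "__main__":
    paired, missing = request_latencies(SAMPLE_EVENTS)
    for tag, seconds in paired.items():
        print(f"{tag}: {seconds:.3f} s")
    for tag in missing:
        print(f"{tag}: no matching response")
```

On the sample data the login flow comes out at 2.997 s (the post rounds this to 3 seconds), and the unanswered "Profile - Get user" request is listed as unpaired instead of disappearing.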
Hello everyone, I'm creating an app for specific users, and I want them to see only its dashboards. However, the users can also see the 'All' option, which enables them to see the rest of the dashboards on Splunk. So is there a way to make them see the 'This App' option only?
Hi guys, how can we configure BMC Remedy as an adaptive response action so that whenever a notable is created a unique incident ID is generated? I have successfully integrated Remedy with Splunk, and when I run the command through search it generates the incident ID in Remedy, but I want the same when a notable is triggered. How do I validate this, and what additional configuration needs to be done for it? Thanks in advance.
Need to transform like this. Please help.

Before:

    Col1   Col2
    Name1  a
           b
           c

After:

    Col1   Col2  Col3  Col4
    Name1  a     b     c
Hi, out of 100 logs, one of my logs is

    --------------------------------------------------------

How do I parse or eliminate this?
Hi everyone, can you please help us make the cookies secure by doing the below things:

- Setting the HttpOnly flag on splunkweb_csrf_token_8000
- Setting the Secure flag on splunkweb_csrf_token_8000, splunkd_id_8000, splunkd_8000
- Setting the SameSite attribute to Strict or Lax on splunkweb_csrf_token_8000, splunkd_id_8000, splunkd_8000

Please help me out by providing any solutions or suggestions.
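An added example, not from the post or from Splunk: the Python below audits Set-Cookie headers for the three attributes asked about, so the effect of whatever web.conf change ends up being made can be verified from the outside. It encodes one caveat a practitioner needs: the splunkweb_csrf_token cookie is read by Splunk Web's JavaScript and echoed back in the X-Splunk-Form-Key header (double-submit CSRF token), so marking it HttpOnly would break form submissions; the policy below therefore requires HttpOnly only on the splunkd cookies. The three sample headers are constructed, and fetch_set_cookie_headers is the only part that touches the network (the host name and login path are placeholders).

```python
"""Audit Splunk Web Set-Cookie headers for HttpOnly, Secure and SameSite."""
import http.client
import ssl

# Constructed sample headers (not captured from a real instance). The port suffix follows
# the <cookie>_<web port> naming from the post.
SAMPLE_HEADERS = [
    "splunkd_8000=abc123; Path=/; HttpOnly",
    "splunkd_id_8000=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "splunkweb_csrf_token_8000=tok789; Path=/; Secure; SameSite=Strict",
]

ACCEPTED_SAMESITE = ("strict", "lax")


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value_lower})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return name.strip(), attrs


def requires_httponly(cookie_name):
    """The CSRF token cookie is read by Splunk Web's JavaScript (double-submit token,
    sent back in X-Splunk-Form-Key), so HttpOnly would break it; every other cookie gets it."""
    return not cookie_name.startswith("splunkweb_csrf_token_")


def audit_set_cookie(header):
    """Return (cookie name, list of findings); an empty list means the cookie passes."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if requires_httponly(name) and "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if attrs.get("samesite") not in ACCEPTED_SAMESITE:
        findings.append("SameSite not Strict or Lax")
    return name, findings


def audit_headers(headers):
    """Audit every Set-Cookie header; returns {cookie name: findings}."""
    return dict(audit_set_cookie(h) for h in headers)


def fetch_set_cookie_headers(host, port=8000, path="/en-US/account/login", verify_tls=True):
    """GET a Splunk Web page over HTTPS and return its Set-Cookie headers.
    verify_tls=False is only for the self-signed certificate Splunk ships by default."""
    context = ssl.create_default_context()
    if not verify_tls:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=context, timeout=10)
    conn.request("GET", path)
    response = conn.getresponse()
    # getheaders() keeps repeated Set-Cookie headers as separate entries.
    return [value for key, value in response.getheaders() if key.lower() == "set-cookie"]


if __name__ == "__main__":
    # Offline run over the constructed headers; for a live check use
    # audit_headers(fetch_set_cookie_headers("searchhead.example", verify_tls=False)).
    for cookie, problems in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not problems else ", ".join(problems))
```

Run it against the search head before and after the configuration change; the first sample cookie is the one that fails, for lacking Secure and SameSite, while the CSRF cookie passes without HttpOnly by design.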
Hi team, I have another challenging issue. I have a CSV file, e.g. ABC.csv, that is being used in a couple of scheduled searches (alerts) in Splunk, e.g. update_ABC1 and update_ABC2. These alerts are scheduled to run at the same time and want to update their results into the ABC.csv file. In this scenario only one scheduled search, e.g. update_ABC1, is actually appending its results to ABC.csv. What I think the issue is: the file is getting locked by update_ABC1 and becoming a deadlock, so data concurrency is not happening. The workaround I tried was scheduling both alerts with some time difference. I'm currently using Splunk Enterprise 7.3.5. Is this a known bug for this version? Could anyone help in resolving the issue?
I have an event that is monitoring a host and triggers an alert when the host is down. I have used the below search and it's working fine:

    index=main url=hosturl title=hostname response_code!=200

Now I need to generate another alert when the host comes up next. For this, I am tracking the time when the alert (for the down host) got triggered and then searching for the host monitoring event which got triggered after that, to check if the host is up or down. Below is the search query which I tried and need help on:

    index="_internal" sourcetype="scheduler" thread_id="AlertNotifier*" alert_actions="email" savedsearch_name="Host-Tracking"
    | stats latest(_time) as alerttime
    | append [search index=main title=hostname response_code=200 earliest=alerttime]
Hello, I am new to Splunk and I am currently checking on alerts. I was able to create a triggered alert on my Splunk Enterprise. I am now checking if it's possible to connect my Splunk Enterprise to my own web app. I have a working endpoint where I can use a POST command to send an SMS, although for it to work I have to set certain parameters from Splunk. Is this possible?
I have a search where I look up the hostname for an IP address. I want to set the empty hostname to N/A so I can see in the values which src Splunk wasn't able to look up. My search is the following:

    index=http
    | stats values(dest) as dest values(src) as src by domain
    | lookup dnslookup clientip as src OUTPUTNEW clienthost as src_host
    | fillnull src_host value="N/A"

This works if there is just one src and one src_host in the line, but if there are multiple src and src_host and one src_host can't be looked up, it just writes the found src_hosts under each other and you cannot map the src_host to the related src.

Now it looks like this (blank cells are empty):

    src       | src_host | dest    | domain
    10.0.0.2  | hostxy2  | 8.8.8.8 | google.com
    10.0.0.7  |          |         |
    10.0.0.11 | hostxy21 | 9.9.9.9 | example.com
    10.0.0.21 |          |         |

It should look like this:

    src       | src_host | dest    | domain
    10.0.0.2  | hostxy2  | 8.8.8.8 | google.com
    10.0.0.7  | N/A      |         |
    10.0.0.11 | N/A      | 9.9.9.9 | example.com
    10.0.0.21 | hostxy21 |         |

Can anyone help?
Hi all! I need help on how to check the retention set in Splunk using a Splunk search, and any other way we can check it and see the time that was set, i.e. when the data will be deleted: 3 months or 6 months? And also, how can we change it? Thank you in advance.
I want to enable the KPI Analyzer to identify the root causes of poor application performance. According to this link: https://docs.appdynamics.com/display/PRO45/KPI+Analyzer, it is described as:

    Enabling the KPI Analyzer
    The KPI Analyzer is available on select SaaS Controllers only. If you are interested in using the feature, contact your AppDynamics representative.

What should I do?
Hello, I am trying to compare my average events in the current month to the previous 3 months' average (per day [1,2,3...31]) based on _time. For example: considering that the current month is October (10), I am trying to compare the current count of random numbers that I received on 10/1 and 10/2 to the average of the counts that I received on the 1st and 2nd of September (09) and August (08). That's how I tried to do it:

    `soc_events`
    | eval mytime=strftime(_time, "%Y/%m/%d")
    | table mytime
    | rex field=mytime "("?<Year>\d+)/(?<Month\d+)/(?<Day>\d+)")"
    | stats count as Count by Year,Month,Day
    | sort Year,Month,Day
    | eventstats last(Month) as Current_Month last(Year) as Current_Year
    | where Month!=CurrentMonth OR Year!=Current_Year
    | stats avg(Count) as DayAveravge values(Month) as Months by Day

But it says syntax error in rex: missing terminator.
Hi there, I am having trouble with the Website Monitoring add-on: the status is showing failed. How am I going to configure that to green? Can someone help me on it? Cheers.
Hi Splunk team, I am using a dropdown input form. Corresponding to a value of the dropdown, it should show a panel. But before hitting the submit button, it is giving me the result. Can you please guide me? I have tried various solutions which are there on Splunk Answers, but they are not working for me.

https://answers.splunk.com/answers/742451/searchwhenchangedfalse-not-honored-1.html
https://answers.splunk.com/answers/679596/what-is-the-expected-behavior-for-submit-button-wh.html

My sample code:

    <input type="time" token="Time" searchWhenChanged="false">
      <label>Time Picker</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="APPLICATION" searchWhenChanged="false">
      <label>APPLICATION</label>
      <choice value="svc-logisticsdm-mlo">svc-logisticsdm-mlo</choice>
      <choice value="svc-logistics-bookings">svc-logistics-bookings</choice>
      <choice value="svc-logix-loms-status-updates">svc-logix-loms-status-updates</choice>
      <choice value="svc-logix-loms-create-order">svc-logix-loms-create-order</choice>
      <choice value="svc-logix-stock-check-uat">svc-logix-stock-check-uat</choice>
      <default>svc-logistics-bookings</default>
      <change>
        <set token="tokLogLevelOnChange">$value$</set>
      </change>
    </input>
    <input type="text" token="tokLogLevelOnSubmit" searchWhenChanged="false" depends="$justHideMe$">
      <label>searchOnSubmit</label>
      <change>
        <condition value="svc-logistics-bookings">
          <unset token="logisticsdm"></unset>
          <unset token="status-updates"></unset>
          <unset token="create-order"></unset>
          <unset token="stock-check"></unset>
          <set token="bookings"></set>
        </condition>
        <condition value="svc-logix-stock-check-uat">
          <unset token="logisticsdm"></unset>
          <unset token="status-updates"></unset>
          <unset token="create-order"></unset>
          <unset token="bookings"></unset>
          <set token="stock-check"></set>
        </condition>
        <condition value="create-order">
          <unset token="logisticsdm"></unset>
          <unset token="status-updates"></unset>
          <unset token="bookings"></unset>
          <unset token="stock-check"></unset>
          <set token="create-order"></set>
        </condition>
        <condition value="svc-logix-loms-status-updates">
          <unset token="logisticsdm"></unset>
          <unset token="stock-check"></unset>
          <unset token="create-order"></unset>
          <unset token="bookings"></unset>
          <set token="status-updates"></set>
        </condition>
        <condition value="svc-logisticsdm-mlo">
          <unset token="create-order"></unset>
          <unset token="status-updates"></unset>
          <unset token="bookings"></unset>
          <unset token="stock-check"></unset>
          <set token="logisticsdm"></set>
        </condition>
      </change>
      <default>$tokLogLevelOnChange$</default>
    </input>

Any kind of help would be appreciated.
Hello, very frequently we are getting the below two errors in the _internal logs in our Splunk Cloud managed environment:

    04-30-2020 05:09:05.513 +0000 ERROR DataModelValidator - '-12undefined' is not a time string.
    04-30-2020 05:09:05.513 +0000 ERROR AdminManagerValidation - '-12undefined' is not a time string.

Not sure how to get into the detail of it. Any clue, guys? Thanks in advance.
Hi all, I would like to combine similar strings (with different field values) in my data.

The data I have now:

    Error                   | Count (yesterday) | Count (today)
    Low ink on printer A    | 10                | 0
    Invalid input on line 1 | 5                 | 2
    Invalid input on line 2 | 4                 | 4
    Low ink on printer B    | 6                 | 3
    Service crash on App1   | 1                 | 0

What I want to have:

    Error Type              | Count (yesterday) | Count (today)
    Low ink on printer *    | 16                | 3
    Invalid input on line * | 9                 | 6
    Service crash on *      | 1                 | 0

Note: I may have thousands of error types that need to be combined. Is it possible to achieve this without having to eval every string?
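An added example, not from the post: Python that derives an error type by replacing the trailing token of each message with `*`, then sums the two count columns per type. That single rule reproduces the three groups in the post without listing any string and works for any number of error types; a second rule that masks digit runs is included to show that the choice of rule changes the grouping (it keeps `Service crash on App*` apart from other apps and leaves `Low ink on printer A` alone). The rows are the post's table re-entered as constructed data. The SPL equivalent of the first rule is `rex mode=sed field=Error "s/\S+$/*/"` followed by `stats sum(...) by Error`.

```python
"""Collapse error messages that differ only in a trailing identifier and sum their counts."""
import re

# The post's table, re-entered as constructed data: (error, count_yesterday, count_today).
ROWS = [
    ("Low ink on printer A", 10, 0),
    ("Invalid input on line 1", 5, 2),
    ("Invalid input on line 2", 4, 4),
    ("Low ink on printer B", 6, 3),
    ("Service crash on App1", 1, 0),
]

LAST_TOKEN = re.compile(r"\S+$")
DIGIT_RUN = re.compile(r"\d+")


def error_type_last_token(error):
    """Replace the final whitespace-delimited token with '*':
    'Low ink on printer A' -> 'Low ink on printer *'."""
    return LAST_TOKEN.sub("*", error.strip())


def error_type_mask_digits(error):
    """Alternative rule: mask every digit run. Letters survive, so 'App1' -> 'App*', not '*',
    and a message with no digits at all is left unchanged."""
    return DIGIT_RUN.sub("*", error.strip())


def aggregate(rows, normalizer=error_type_last_token):
    """Sum (yesterday, today) counts per normalised error type, preserving first-seen order."""
    totals = {}
    for error, yesterday, today in rows:
        key = normalizer(error)
        prev_yesterday, prev_today = totals.get(key, (0, 0))
        totals[key] = (prev_yesterday + yesterday, prev_today + today)
    return totals


if __name__ == "__main__":
    print(f"{'Error Type':<26} {'yesterday':>9} {'today':>5}")
    for error_type, (yesterday, today) in aggregate(ROWS).items():
        print(f"{error_type:<26} {yesterday:>9} {today:>5}")
```

The trailing-token rule is deliberately blunt: it also collapses messages whose last word is meaningful, so check the resulting groups on a sample before relying on the totals.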
Hi, I have deployed the Template for Citrix XenDesktop 7 with the TA-XD7-Broker add-on deployed on the brokers. However, when I use the dashboards that display CPU, Mem and Disk, they don't show anything. Other dashboards seem to work fine and are able to display information. Upon looking at the underlying queries, removing the SiteName and running the searches, it seems to work. I have already unchecked "Case sensitive match" for the siteHosts lookup definition. If I search the index, I can see that I get a total of 20 sourcetypes, which includes the Perfmonmk: sourcetypes. However, if I run the query xd_index SiteName="" (e.g. xd_index SiteName="ABCD"), it just returns the following 4 sourcetypes:

    xendesktop:7:session
    xendesktop:7:machine
    xendesktop:7:application
    xendesktop:7:controller

And this seems to be the reason why the dashboards fail, as the Perfmonmk: sourcetypes are not available when using SiteName. Has anyone seen this issue before? Any idea why this may be happening? Thanks, AKN
We are using the HEC collector endpoint to consume logs from FluentD. We recently identified a filtering opportunity and are trying to apply props/transforms to send data to the null queue, which is not working. The source field is sent by FluentD, so we are using that field to create the sourcetype as below.

props.conf:

    [source::*.journald]
    TRANSFORMS-override = override_st_journald,override_host_journald
    SHOULD_LINEMERGE = false
    TIME_PREFIX = SOURCE_REALTIME_TIMESTAMP\":\"
    TIME_FORMAT = %s%6Q

transforms.conf:

    [override_st_journald]
    SOURCE_KEY = _raw
    REGEX = SYSTEMD_UNIT\":\"([^.\s\"0-9]+)
    FORMAT = sourcetype::$1
    DEST_KEY = MetaData:Sourcetype

    [override_host_journald]
    SOURCE_KEY = _raw
    REGEX = instance_id\":\"([^\"]+)
    FORMAT = host::$1
    DEST_KEY = MetaData:Host

Now I want to send part of the data for this source to the null queue, which is not working. My configuration in props.conf:

    [source::.journald]
    TRANSFORMS-null = setnullsourcetype
    TRANSFORMS-override = override_st_journald,override_host_journald
    SHOULD_LINEMERGE = false
    TIME_PREFIX = SOURCE_REALTIME_TIMESTAMP\":\"
    TIME_FORMAT = %s%6Q

transforms.conf:

    [setnullsourcetype]
    SOURCE_KEY = _raw
    REGEX = \"SYSTEMD_UNIT\":\"rsyslog.service\"
    DEST_KEY = queue
    FORMAT = nullQueue

Can you please help me understand why it is not working, and help me identify how I can fix this?
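An added example, not from the post: a small Python model of what the two stanzas do, to show why the null-queue version never fires. As pasted, the working stanza header is `[source::*.journald]` but the null-queue one is `[source::.journald]`; without the wildcard the stanza only applies to a source literally named `.journald`, so neither of its TRANSFORMS lines runs on a source such as `app.journald`. The model translates the stanza pattern into a regex (my reading of the props.conf wildcard rules: `*` matches anything except a path separator, `...` matches anything), applies the posted transforms with Python's `re` standing in for Splunk's PCRE, and routes two constructed journald-style events. The order in which the two TRANSFORMS classes run is an assumption here (null before override); for these transforms it does not change the outcome, since a nullQueue event is dropped whatever sourcetype it ends up with.

```python
"""Model how a props.conf [source::...] stanza selects events and how the posted transforms route them."""
import re

# The transforms from the post, with Splunk's $1 rewritten as Python's \1 for re.Match.expand().
TRANSFORMS = {
    "setnullsourcetype": {
        "REGEX": r'\"SYSTEMD_UNIT\":\"rsyslog.service\"',
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
    },
    "override_st_journald": {
        "REGEX": r'SYSTEMD_UNIT\":\"([^.\s\"0-9]+)',
        "DEST_KEY": "MetaData:Sourcetype",
        "FORMAT": r"sourcetype::\1",
    },
    "override_host_journald": {
        "REGEX": r'instance_id\":\"([^\"]+)',
        "DEST_KEY": "MetaData:Host",
        "FORMAT": r"host::\1",
    },
}

# Assumed run order for the TRANSFORMS-null and TRANSFORMS-override classes in the second stanza.
TRANSFORM_ORDER = ["setnullsourcetype", "override_st_journald", "override_host_journald"]

# Constructed journald-style events as FluentD might forward them (not real data).
RSYSLOG_EVENT = '{"SYSTEMD_UNIT":"rsyslog.service","SOURCE_REALTIME_TIMESTAMP":"1588219745123456","instance_id":"i-0abc123","MESSAGE":"noise"}'
SSHD_EVENT = '{"SYSTEMD_UNIT":"sshd.service","SOURCE_REALTIME_TIMESTAMP":"1588219746000000","instance_id":"i-0abc123","MESSAGE":"Accepted publickey"}'


def source_stanza_regex(pattern):
    """Turn a [source::<pattern>] into a regex. Reading of the spec used here (assumption):
    '*' matches anything but a path separator, '...' matches anything, everything else is literal."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out, i = out + ".*", i + 3
        elif pattern[i] == "*":
            out, i = out + r"[^/\\]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def stanza_matches(pattern, source):
    """True if the stanza pattern selects this event's source value."""
    return source_stanza_regex(pattern).match(source) is not None


def apply_transforms(raw, order=TRANSFORM_ORDER, transforms=TRANSFORMS):
    """Run the named transforms in order against _raw and return the resulting metadata keys."""
    meta = {"queue": "indexQueue", "MetaData:Sourcetype": "sourcetype::journald", "MetaData:Host": "host::fluentd"}
    for name in order:
        t = transforms[name]
        match = re.search(t["REGEX"], raw)
        if match:
            meta[t["DEST_KEY"]] = match.expand(t["FORMAT"])
    return meta


def route(stanza_pattern, source, raw):
    """Apply the stanza's transforms only when the stanza selects this source."""
    if not stanza_matches(stanza_pattern, source):
        return apply_transforms(raw, order=[])  # stanza never fires: defaults only
    return apply_transforms(raw)


if __name__ == "__main__":
    for pattern in (".journald", "*.journald"):
        for raw in (RSYSLOG_EVENT, SSHD_EVENT):
            print(pattern, route(pattern, "app.journald", raw))
```

With `.journald` both events keep the defaults; with `*.journald` the rsyslog event lands in nullQueue and the sshd event gets the sshd sourcetype and the instance host. Whether `*` may cross a path separator matters if FluentD sends sources that look like paths, so check the spec for the pattern actually in use.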
Quick question about the KV store: wondering what the best way to update multiple records at once via search may be. Example: let's say I have the most recent logon for users for the past week:

    user1 - last_logon_time
    user2 - last_logon_time
    etc.

I would like to query last_logon_time for all users for the past day, then update the KV store with the most recent info. The goal would be to set this up as a scheduled search running daily to keep the KV store updated. Any thoughts?