
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.


I don't know if a Containers data model is on Splunk's road map, or if there's an official data model that supports container logs (Kubernetes, Docker)?
On my dashboard I have a list to define the date for which I want to display the events. I want to create a drilldown by clicking on a Type value (Single Value) in order to display the details in a table on another dashboard. I would like to know how we can retrieve the Time field which is configured to display the table according to this Time?
Hello, I have a request to collect all network data based on allowed, denied and dropped traffic info from various network feeds. Unfortunately my network data model is set to only 15 days' worth of data, so I have to run manual searches to collect the data; any help will be much appreciated. I have tried the search below but it is not showing all data:

    | tstats summariesonly=t allow_old_summaries=f count FROM datamodel=Network_Traffic.All_Traffic WHERE index=* BY sourcetype All_Traffic.action _time span=1h
    | rename All_Traffic.* AS *
    | stats count AS total_connections count(eval(action=="allowed")) AS allowed count(eval(action=="blocked" OR action=="dropped")) AS blocked BY _time, sourcetype
    | eval pct_blocked = 100 * blocked / total_connections
In my event data, I have a field called "blocks"; the content of that field is a comma-separated list of blocks. For example:

    block_1,block_4,block_10
    block_1,block_3,block_4

I want to be able to count the occurrence of the blocks over time. So from the above example, I should get the following:

    block_1   2
    block_3   1
    block_4   2
    block_10  1

I have this working via the following, however it is very slow:

    <my search> | makemv delim="," blocks | mvexpand blocks | stats count by blocks

Is there a more efficient way to do this?
Hi all, I've succeeded in making a table with custom_table_row_expansion.js which expands every row, publishing the child events of a correlated parent. Now I'm trying to apply table_cell_highlighting to colour the new child event with a colour for the delay. I've combined table_cell_highlighting.js in the dashboard. In custom_table_row_expansion.js I set the id of the new table to "highlight", and I made a style CSS inside the dashboard in the hidden panel:

    <panel depends="$alwaysHideCSS$">
      <html>
        <style>
          .table>thead>tr>th {
            color: #0066ff !important;
            text-shadow: none;
            font-family: Verdana !important;
          }
          .table>thead>tr>th:hover {
            /*background-image: linear-gradient(to bottom, #666, #444) !important;*/
            color: #000000 !important;
            text-shadow: none;
          }
          .table .sorts a {
            text-decoration: none;
            font-weight: bold;
            font-size: 12px;
            color: #002966;
          }
          .table>tbody>tr {
            width: 20%;
            color: #006699;
            font-family: Verdana !important;
          }
          td {
            font-size: 11px !important;
            font-family: Verdana !important;
          }
          #highlight tr.range-elevated td {
            background-color: #000000 !important;
            color: #ffffff;
          }
          #highlight tr.range-severe td {
            background-color: #ff0000 !important;
            color: #ffffff;
          }
          #highlight .table td {
            border-top: 1px solid #fff;
          }
          #highlight td.range-severe, td.range-elevated {
            font-weight: bold;
          }
        </style>
      </html>
    </panel>

and the JavaScript is this one:

    require([
        'underscore',
        'jquery',
        'splunkjs/mvc',
        'splunkjs/mvc/tableview',
        'splunkjs/mvc/simplexml/ready!'
    ], function(_, $, mvc, TableView) {
        // Row colouring by string comparison of a numeric time value in HH:MM:SS
        var CustomRangeRenderer = TableView.BaseCellRenderer.extend({
            canRender: function(cell) {
                // Enable this custom cell renderer for the DELAY field only
                return _(['DELAY']).contains(cell.field);
            },
            render: function($td, cell) {
                // Add a class to the cell based on the returned value
                var value = cell.value;
                // Apply interpretation for the DELAY field
                if (cell.field === 'DELAY') {
                    if (value >= "02:00:00") {
                        $td.addClass('range-cell').addClass('range-severe');
                    }
                    if (value < "02:00:00" && value > "01:30:00") {
                        $td.addClass('range-cell').addClass('range-elevated');
                    }
                }
                // Update the cell content with the string DELAY value HH:MM:SS
                $td.text(value).addClass('string');
            }
        });
        mvc.Components.get('highlight').getVisualization(function(tableView) {
            tableView.on('rendered', function() {
                // Apply the class of the cells to the parent row in order to colour the whole row
                tableView.$el.find('td.range-cell').each(function() {
                    $(this).parents('tr').addClass(this.className);
                });
            });
            // Add the custom cell renderer; the table will re-render automatically.
            tableView.addCellRenderer(new CustomRangeRenderer());
        });
    });

But nothing happens when I expand the rows. Any suggestion? Fabrizio
I have this application log that is made up of nested JSON:

    {
      "status": "OK",
      "next": null,
      "data": {
        "Event1": {
          "Time": "2020-04-21 11:28:22",
          "Username": "testuser11@test.com",
          "IP_Address": "127.0.0.1",
          "Action": "Log in",
          "Data": "12.34.56.78"
        },
        "Event2": {
          "Time": "2020-04-21 11:26:41",
          "Username": "testuser2@test.com",
          "IP_Address": "127.0.0.1",
          "Action": "Log in",
          "Data": "23.45.67.89"
        },
        "Event3": {
          "Time": "2020-04-21 11:25:37",
          "Username": "testuser3@test.com",
          "IP_Address": "127.0.0.1",
          "Action": "Log in",
          "Data": "34.123.56.78"
        }
      }
    }

I want to try to search on Username (or really any of the fields under the "Event x" key field). My issue is that the application increments the Event number, so I can't do a normal spath path=data.Event{}.Username statement. I am not skilled enough in the ways of spath or the rename|mvzip|mvexpand|mvindex combinations to figure this out. I feel the answer is to do something like that, but that is just from reading all of the other Answers that had JSON parsing issues. Please help.
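Added example, not from the post above and not Splunk code: the payload uses the counter as the key name (Event1, Event2, ...), so a fixed path can never address it. The Python below walks the `data` object, treats each `EventN` key as data rather than as a path segment, and then filters on any per-event field. The payload is the one posted in the question; the function names are my own.

```python
import json
import re
from typing import Iterator, List, Tuple

# Payload copied from the question above.
SAMPLE = json.loads("""
{ "status": "OK", "next": null, "data": {
  "Event1": {"Time": "2020-04-21 11:28:22", "Username": "testuser11@test.com",
             "IP_Address": "127.0.0.1", "Action": "Log in", "Data": "12.34.56.78"},
  "Event2": {"Time": "2020-04-21 11:26:41", "Username": "testuser2@test.com",
             "IP_Address": "127.0.0.1", "Action": "Log in", "Data": "23.45.67.89"},
  "Event3": {"Time": "2020-04-21 11:25:37", "Username": "testuser3@test.com",
             "IP_Address": "127.0.0.1", "Action": "Log in", "Data": "34.123.56.78"}
}}
""")

# The key carries the counter; capture it so ordering is numeric (Event10 after Event9).
EVENT_KEY = re.compile(r"^Event(\d+)$")


def iter_events(payload: dict) -> Iterator[Tuple[int, dict]]:
    """Yield (event_number, event_dict) for every data.EventN entry, in numeric order.

    Keys that do not look like EventN, or whose value is not an object, are skipped
    rather than guessed at, so an unexpected payload degrades to "no events".
    """
    data = payload.get("data")
    if not isinstance(data, dict):
        return
    numbered = []
    for key, value in data.items():
        m = EVENT_KEY.match(key)
        if m and isinstance(value, dict):
            numbered.append((int(m.group(1)), value))
    for num, value in sorted(numbered, key=lambda pair: pair[0]):
        yield num, value


def flatten_events(payload: dict) -> List[dict]:
    """Return one flat record per event, keeping the original key as a field
    so the source row is still identifiable after the key-to-field rewrite."""
    out = []
    for num, ev in iter_events(payload):
        row = dict(ev)
        row["event_key"] = "Event%d" % num
        out.append(row)
    return out


def search(payload: dict, field: str, value: str) -> List[dict]:
    """Exact-match filter on any per-event field (Username, IP_Address, Data, ...)."""
    return [ev for ev in flatten_events(payload) if ev.get(field) == value]
```

The same idea applies to any log whose producer encodes a counter or an identifier in the key position: normalise the key into a field first, then search on fields. Extra keys under `data` that do not match the pattern are ignored rather than mis-parsed.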
Hi Team, Is it feasible to configure a dashboard panel search to look for events only on Monday and Tuesday? Please let me know if it is possible. Thanks, Anilkumar
I want to create a visualization that combines the 2 queries below and gives an overlapping timechart of counts:

    Query 1: index=myindex Service=MyService | timechart count    (for day1)
    Query 2: index=myindex Service=MyService | timechart count    (for day2)

How can I do that?
Hi Folks, we have an upgrade planned for our clustered environment where we have 400+ forwarders, 14 intermediate forwarders, then indexers and so on. As Splunk said, version 8.x accepts connections from forwarders with version 7.x and above. Notes: all forwarders are running on different versions, 6.x and 7.x. All intermediate forwarders are on 7.x. So can we proceed with upgrading the indexers to 8.x, as we literally receive the data feed from the intermediate forwarders? Any guidance is highly appreciated. Thanks and Regards, Pramodh B
I am wondering why, for some set of _raw indexes, I do not see _indextime. I should see it. Any idea? Thanks, Lp
Right now I have a search set up that compares the previous hour's events to the same hour 1 week ago:

    foo | timechart count span=1h | where strftime(_time, "%A %H")==strftime(relative_time(now(),"-1h"),"%A %H")

However I would like to add it to a dashboard and, instead of having everything relative to "now", I would like it to be based on the time picker. How can I change the second strftime to allow me to do this? Currently I have to set the time picker to the previous 7 days to get this to work on the report, though I'm not married to that implementation. I have tried the search below, however it doesn't return any events:

    foo | timechart count span=1h | where strftime(_time, "%A %H")==strftime(latest,"%A %H")

I tried using addinfo, but to no avail:

    foo | addinfo | eval high=strftime(relative_time(info_max_time, "-1h"), "%A %H") | timechart count span=1h | where strftime(_time, "%A %H")==high
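Added example, not part of the post above: the comparison the question describes, last full hour against the same weekday and hour seven days earlier, implemented offline in Python with the window end passed in explicitly, which is the role the time picker's `latest` plays in a dashboard. The timestamps are constructed sample data, not the poster's, and the function names are mine.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, Union

# Constructed sample timestamps (not from the post). 2020-04-15 and 2020-04-22 are
# both Wednesdays, so the 12:00 hour on the 22nd has the 12:00 hour on the 15th as
# its "same hour one week ago" baseline.
SAMPLE_EVENTS = [
    "2020-04-15T12:03:10", "2020-04-15T12:47:59",                         # baseline hour: 2 events
    "2020-04-15T11:59:59", "2020-04-21T12:10:00",                         # other hours, must be ignored
    "2020-04-22T12:00:00", "2020-04-22T12:15:30", "2020-04-22T12:30:00",
    "2020-04-22T12:45:00", "2020-04-22T12:59:59",                         # current hour: 5 events
    "2020-04-22T13:05:00",                                                # after the window end
]


def floor_hour(ts: datetime) -> datetime:
    """Equivalent of `timechart span=1h`: truncate to the start of the hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_counts(timestamps: Iterable[str]) -> Counter:
    """Bucket ISO-8601 timestamps into per-hour counts."""
    return Counter(floor_hour(datetime.fromisoformat(t)) for t in timestamps)


def compare_to_last_week(counts: Counter, window_end: Union[str, datetime]) -> Dict[str, object]:
    """Compare the last full hour before `window_end` with the same weekday and
    hour seven days earlier.

    `window_end` stands in for the time picker's `latest` (info_max_time after
    `addinfo`), so nothing here depends on now(). Subtracting seven whole days keeps
    both the weekday and the wall-clock hour, which is exactly what the
    strftime("%A %H") test in the question matches on. With timezone-aware local
    times a DST change inside the week would shift the hour; naive or UTC
    timestamps, as used here, avoid that.
    """
    if isinstance(window_end, str):
        window_end = datetime.fromisoformat(window_end)
    current = floor_hour(window_end - timedelta(hours=1))
    baseline = current - timedelta(days=7)
    cur_n = counts.get(current, 0)
    base_n = counts.get(baseline, 0)
    return {
        "current_hour": current,
        "baseline_hour": baseline,
        "current": cur_n,
        "baseline": base_n,
        # None instead of a division by zero when last week's hour was silent
        "ratio": (cur_n / base_n) if base_n else None,
    }
```

Moving the window end out of the function is the whole point: the same code answers "how does the hour before the end of the selected range compare with a week earlier" for any range, and a silent baseline hour is reported as `None` rather than as an infinite spike.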
Hi, I am new to AppDynamics and trying to learn from the basics. If anyone can suggest the name/link of a sample application that I can install on my own VM to learn AppDynamics, it would be great. Thanks, Rupinder
Hello Community, if there is a business need to move a few nodes from an application tier to a different application on the same .NET agent server, how could we make this change safely without affecting the controller data that is already in the Controller, such as analytics and application snapshots?
Hey guys, has anyone integrated MS Teams data into Splunk? I am trying to find information on how many Teams meetings are being held, how many users are in a meeting, etc. Has anyone integrated that data successfully? I do have the Azure Add-on, Microsoft Cloud Services Add-on and O365 Add-on installed, but none of these add-ons give me any Teams details. Oliver
Hi, we are monitoring a directory recursively and sometimes indexing the data in Splunk is delayed a lot (12+ hrs).

Universal Forwarder:

    [monitor:///net/hp707srv/hp707srv1/apps/QCST_MIC_v3.1.44_MASTER/logs.../.log]
    disabled = false
    host = MIC_v44
    index = mlc_live
    sourcetype = GC11_RAW
    crcSalt =
    whitelist = .*gc.log$|.*gc. .log$
    blacklist = logs_|fixing_|tps-archives

In the example below, the log is printed every hour but it was not indexed straight away; more than 12 hrs of data was indexed at the same time, 12:01. Throughput is set to unlimited as this forwarder is monitoring many other files:

    limits.conf
    [thruput]
    maxKBps = 0
Hi, I have got a 5 node Splunk setup:

    Node 1: Master + License Manager
    Node 2: Indexer - peer
    Node 3: Indexer - peer
    Node 4: Indexer - peer
    Node 5: Search head

All is working fine. Now I need to create a new index for test purposes and push one file into that index. Thus I have done the following: on the master node, we have a file called indexes.conf under /apps/splunk/etc/master-apps/app-infrastructure-loganalysis/local. I have added a few index lines:

    [indexwinelksynclogs]
    homePath = /data/splunk/indexwinelksynclogs/db
    coldPath = /data/splunk/indexwinelksynclogs/colddb
    thawedPath = /data/splunk/indexwinelksynclogs/thaweddb
    repFactor = auto
I tried many ways to fetch the web browser, version and OS info from the format below, but I was unable to; could you please help me out with this.

    {"name":"Content-Length","value":"0"},{"name":"user-agent","value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36"},{"name":"accept","value":"image/webp,image/apng,image/*,*/*;q=0.8"}

The search

    index=xxxx | top http_user_agent

gives me the result below:

    http_user_agent | count | percent
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36 | 12112 | 25.350580
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36 | 8433 | 17.650383
    Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) | 3761 | 7.871824
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362 | 2263 | 4.736490
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36 | 1030 | 2.155804
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363 | 690 | 1.444179

But I don't want all the info; I tried rex regexes but they didn't work.
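Added example, not from the post and not Splunk's `rex`: a small user-agent parser in Python that pulls browser, version and OS out of the six strings in the `top` output above and rolls the counts up per browser. The token order matters and is the usual trap: every Edge UA also says `Chrome/`, every Chrome UA also says `Safari/`, and the Googlebot line is a Chrome-on-Android UA with the bot token appended, so "Edge before Chrome before Safari" and a separate bot field give the right answer. The sample rows are the ones posted; the pattern table goes a little beyond them (Firefox, Opera, desktop Safari, macOS) using the documented token formats, and the function names are mine.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# The six user-agent strings and counts from the `top` output in the question.
TOP_OUTPUT = [
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36", 12112),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36", 8433),
    ("Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", 3761),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362", 2263),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36", 1030),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363", 690),
]

_VER = r"(\d+(?:\.\d+)*)"

# Most specific token first: Edge and Opera UAs also contain "Chrome/", and
# Chrome UAs also contain "Safari/", so the first match wins.
BROWSER_PATTERNS = (
    ("Edge",    re.compile(r"\bEdg(?:e|A|iOS)?/" + _VER)),
    ("Opera",   re.compile(r"\bOPR/" + _VER)),
    ("Firefox", re.compile(r"\bFirefox/" + _VER)),
    ("Chrome",  re.compile(r"\bChrome/" + _VER)),
    ("Safari",  re.compile(r"\bVersion/" + _VER + r".*\bSafari/")),  # real Safari carries Version/
)

_WINDOWS_NAMES = {"10.0": "Windows 10", "6.3": "Windows 8.1", "6.2": "Windows 8", "6.1": "Windows 7"}

# Android UAs also say "Linux", so Android is tested before the bare Linux fallback.
OS_PATTERNS = (
    (re.compile(r"Windows NT (\d+\.\d+)"), lambda m: _WINDOWS_NAMES.get(m.group(1), "Windows NT " + m.group(1))),
    (re.compile(r"Android (\d+(?:\.\d+)*)"), lambda m: "Android " + m.group(1)),
    (re.compile(r"Mac OS X (\d+[._]\d+(?:[._]\d+)?)"), lambda m: "macOS " + m.group(1).replace("_", ".")),
    (re.compile(r"\bLinux\b"), lambda m: "Linux"),
)

# Crawlers identify themselves with a "<name>bot/<version>" token appended to a browser UA.
BOT = re.compile(r"\b(\w*bot)/" + _VER, re.IGNORECASE)


def parse_ua(ua: str) -> Dict[str, Optional[str]]:
    """Return browser, version, os and (if present) bot for one user-agent string."""
    browser, version = "Unknown", None
    for name, pat in BROWSER_PATTERNS:
        m = pat.search(ua)
        if m:
            browser, version = name, m.group(1)
            break
    os_name = "Unknown"
    for pat, render in OS_PATTERNS:
        m = pat.search(ua)
        if m:
            os_name = render(m)
            break
    bot = BOT.search(ua)
    return {
        "browser": browser,
        "version": version,
        "os": os_name,
        "bot": "%s/%s" % (bot.group(1), bot.group(2)) if bot else None,
    }


def rollup(rows: Iterable[Tuple[str, int]], key: str = "browser") -> Counter:
    """Sum the `top` counts into one bucket per browser (or per `key`, e.g. "os"),
    which is the view the question asks for instead of one row per full UA."""
    totals = Counter()
    for ua, count in rows:
        totals[parse_ua(ua)[key]] += count
    return totals
```

Keeping `bot` as its own field rather than overriding `browser` means the Googlebot row can be excluded from user statistics with one filter while still reporting the browser engine it claims. The same regexes translate directly into `rex` named groups once the token order is settled.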
Since I can't submit a case, I would like to inform you that Splunk Add-on Builder doesn't work if my instance listens on IPv6 and is behind a reverse proxy (I am not sure if the latter has any effect). I am running the latest version of Splunk Enterprise and Add-on Builder. The internal log shows the following error:

    2020-04-22 12:27:20,061 ERROR [5ea01c08067fd58014dc50] error:335 - Traceback (most recent call last):
      File "/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 628, in respond
        self._do_respond(path_info)
      File "/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 687, in _do_respond
        response.body = self.handler()
      File "/opt/splunk/lib/python3.7/site-packages/cherrypy/lib/encoding.py", line 219, in __call__
        self.body = self.oldhandler(*args, **kwargs)
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/htmlinjectiontoolfactory.py", line 75, in wrapper
        resp = handler(*args, **kwargs)
      File "/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpdispatch.py", line 54, in __call__
        return self.callable(*self.args, **self.kwargs)
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/routes.py", line 383, in default
        return route.target(self, **kw)
      File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-3662>", line 2, in is_user_allow_to_user_tabuilder
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 40, in rundecs
        return fn(*a, **kw)
      File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-3660>", line 2, in is_user_allow_to_user_tabuilder
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 118, in check
        return fn(self, *a, **kw)
      File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-3659>", line 2, in is_user_allow_to_user_tabuilder
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 166, in validate_ip
        return fn(self, *a, **kw)
      File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-3658>", line 2, in is_user_allow_to_user_tabuilder
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 245, in preform_sso_check
        return fn(self, *a, **kw)
      File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-3657>", line 2, in is_user_allow_to_user_tabuilder
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 284, in check_login
        return fn(self, *a, **kw)
      File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-3656>", line 2, in is_user_allow_to_user_tabuilder
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 304, in handle_exceptions
        return fn(self, *a, **kw)
      File "/opt/splunk/etc/apps/splunk_app_addon-builder/bin/aob/aob_common/metric_collector/metric_util.py", line 81, in func_wrappers
        ret = func(*args, **kwargs)
      File "<string>", line 43, in is_user_allow_to_user_tabuilder
      File "/opt/splunk/etc/apps/splunk_app_addon-builder/bin/aob/aob_common/metric_collector/metric_util.py", line 81, in func_wrappers
        ret = func(*args, **kwargs)
      File "/opt/splunk/etc/apps/splunk_app_addon-builder/bin/tabuilder_utility/common_util.py", line 250, in create_splunk_service
        'pool_maxsize': 5})
      File "/opt/splunk/etc/apps/splunk_app_addon-builder/bin/splunk_app_add_on_builder/solnlib/net_utils.py", line 129, in wrapper
        'Illegal argument: {}={}'.format(arg, value))
    ValueError: Illegal argument: host=::1
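Added example, not solnlib's or Add-on Builder's code and not a fix for it: the traceback above ends in an argument check that rejects the IPv6 loopback literal `::1` as a host. The Python below shows what a host validator that accepts DNS names, IPv4 literals and IPv6 literals (bare or bracketed, the form used in URLs) looks like, together with a host:port splitter that does not cut an IPv6 address at its first colon. The function names are my own, and nothing here is a claim about what net_utils.py actually checks.

```python
import ipaddress
import re
from typing import Optional, Tuple

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, 1-63 chars
# each, no leading or trailing hyphen, at most 253 chars overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(r"^(?=.{1,253}$)" + _LABEL + r"(?:\." + _LABEL + r")*\.?$")


def is_valid_host(host: str) -> bool:
    """Accept a DNS hostname, an IPv4 literal, or an IPv6 literal ("::1" or "[::1]").

    Anything else is rejected, so the check still fails closed on malformed input;
    it just stops treating valid IPv6 as malformed.
    """
    if not host:
        return False
    bracketed = host.startswith("[") and host.endswith("]")
    candidate = host[1:-1] if bracketed else host
    try:
        ipaddress.ip_address(candidate)  # parses both IPv4 and IPv6
        return True
    except ValueError:
        pass
    # Brackets are only legal around an IP literal; "[localhost]" is not a hostname.
    return not bracketed and bool(_HOSTNAME.match(host))


def _parse_port(text: str) -> int:
    port = int(text)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return port


def split_host_port(netloc: str) -> Tuple[str, Optional[int]]:
    """Split "host:port" without mangling IPv6 literals.

    "[::1]:8089" -> ("::1", 8089) and "localhost:8089" -> ("localhost", 8089).
    A bare IPv6 literal such as "::1" has several colons and no brackets, so it
    cannot carry a port and is returned as-is with port None.
    """
    if netloc.startswith("["):
        end = netloc.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal: %r" % netloc)
        host, rest = netloc[1:end], netloc[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal: %r" % netloc)
        return host, _parse_port(rest[1:])
    if netloc.count(":") == 1:
        host, port = netloc.split(":")
        return host, _parse_port(port)
    return netloc, None
```

The two usual regressions this guards against are the ones in the traceback's neighbourhood: a hostname-or-dotted-quad regex that has no IPv6 branch, and a naive `rsplit(":", 1)` on a bare IPv6 literal that produces a bogus host and port.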
Hello, I have generated a bar graph which has values on both the positive and negative sides of the x axis. Logically, the values on the negative axis should display with a minus prefix, but we have a requirement not to show the minus character before the numeric value. The idea is to get the graph on both the positive and negative side with positive values, for easier understanding of the graph. To achieve this, we end up converting some positive values to negative in order to show them on the negative axis. But now the minus character is the issue. Is there any way to hide the preceding minus character, or any other way of bringing some values to the negative axis of the graph? Thanks in advance.
Hello, I'm on Splunk 7.3.3 with "Security Monitoring for Splunk" (https://splunkbase.splunk.com/app/4131). I have installed all the add-ons. I have created a Playbook entry, but when I try to find it in the "Alerts" dashboard, where you can find all your scheduled alerts, I only have my personal rules and the rules from this app, but not my new rules. I notice that on the playbook the owner is admin and the other pre-rules are Monitoring App. Any idea why I can't find my rule? I cannot configure the workflow in this case. Best regards