Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi Experts, please suggest how to connect splunk_app_db_connect (present on a Splunk HF) with DB instances of both Oracle 11g and Oracle 12c. It's working fine with 12c instances but shows an error while connecting to 11g instances. Error: java.sql.SQLException: ORA-00604: error occurred at recursive SQL level 1 ORA-01882: timezone region not found
Hi, I am searching data from only the first 6 days of each month, for example from 1st April to 4th April 2020. My first time value is 04/01/2020 09:20 and the latest is 04/07/2020 07:05, but in the timeline chart visualization the axis labels are displayed as 04/01/2020 04/07/2020 04/14/2020 ... 05/02/2020. Is it possible to force the timeline to display only the full range of my search, or to set the time range manually? I want the timeline to always display only the values in the time field. Any advice and assistance is appreciated. Thanks,
Here, the requirement is to delete all the data from a KV Store that has a particular KV Store field value. Example: I have a KV Store for student data with Name, Std and roll_number. In my KV Store, I have all the student information across all the standards. So my use cases are:
1. If I want to delete all the records of 10th standard students, how can I do that using the REST API?
2. If I want to delete all the records of 5th to 10th standard students, how can I do that using the REST API?
You can create as many use cases as you think of.
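The two use cases above map onto one Splunk REST call: a DELETE against the KV Store data endpoint `storage/collections/data/<collection>` with a `query` parameter, which removes every record the query matches (`$gte`, `$lte`, `$and` and `$or` are part of that query syntax). The Python below is an added example, not code from the post or from Splunk; the management URL, the app name `student_app`, the collection name `students` and the token are placeholders I assumed. It builds the URLs, refuses the empty query that would wipe the whole collection, and gives a GET with the same query so you can preview what a DELETE would remove.

```python
"""Added example, not from the post or from Splunk: build the KV Store REST
DELETE calls for the two use cases (one standard, a range of standards).

Host, app, collection name and token are placeholders (assumed), not from the post.
"""
import json
import urllib.parse
import urllib.request

SPLUNK_MGMT = "https://splunk.example.internal:8089"  # assumed management port URL
APP = "student_app"                                   # assumed app owning the collection
COLLECTION = "students"                               # assumed collection name


def collection_path(app: str = APP, collection: str = COLLECTION) -> str:
    # Records live under the app's namespace; "nobody" is the usual owner for shared KV Stores.
    return (f"/servicesNS/nobody/{urllib.parse.quote(app, safe='')}"
            f"/storage/collections/data/{urllib.parse.quote(collection, safe='')}")


def build_url(query: dict, base: str = SPLUNK_MGMT) -> str:
    """URL selecting every record that matches `query`.

    An empty query (or a bare DELETE with no query) removes the whole
    collection, so a field-based purge must refuse it explicitly.
    """
    if not query:
        raise ValueError("refusing an empty query: it would select the entire collection")
    qs = urllib.parse.urlencode({"query": json.dumps(query, separators=(",", ":"))})
    return f"{base}{collection_path()}?{qs}"


def refuses(query: dict) -> bool:
    """True when build_url rejects the query (checks the empty-query guard)."""
    try:
        build_url(query)
    except ValueError:
        return True
    return False


def decode_query(url: str) -> dict:
    """Inverse of build_url: the JSON query a URL would send."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return json.loads(params["query"][0])


def query_for_standard(std) -> dict:
    """Use case 1: every record whose Std equals one value."""
    return {"Std": std}


def query_for_standard_range(low: int, high: int) -> dict:
    """Use case 2: every record with low <= Std <= high.

    Numeric comparison only works if the collection's schema types Std as a
    number; if Std is stored as a string, use query_for_standards instead.
    """
    if low > high:
        raise ValueError("low must not exceed high")
    return {"$and": [{"Std": {"$gte": low}}, {"Std": {"$lte": high}}]}


def query_for_standards(values) -> dict:
    """String-typed alternative to the range: an $or over explicit values."""
    values = list(values)
    if not values:
        raise ValueError("no values given")
    return {"$or": [{"Std": v} for v in values]}


def send(method: str, query: dict, token: str, timeout: int = 30) -> int:
    """GET previews the matching records, DELETE removes them; returns the HTTP
    status. Needs a reachable Splunk instance, so the offline test never calls it."""
    if method not in ("GET", "DELETE"):
        raise ValueError("method must be GET or DELETE")
    req = urllib.request.Request(build_url(query), method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status
```

Run `send("GET", query, token)` with the exact query first and count the records it returns; only then issue the DELETE with the same query. Use a token for a role scoped to that app rather than an admin session, and keep the empty-query guard: the REST endpoint itself will happily delete everything.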
I am trying to create a result set out of 2 search queries with a common field. I have tried multiple solutions provided but nothing seems to work. The queries have separate indexes and separate sourcetypes, and the 1st search query searches for a particular text.

index=i1 sourcetype=s1 "Text to search" | join type=left field1 [ search index=i2 sourcetype=s2 app_message="Completed" ] | table field1 field2 field3

In the above query field1 is the common field and field2 and field3 come from the 2nd search query. But somehow this query produces values for field1 and no values for field2 and field3.
Hello community, I am using a search to get the values for 'runtime' and trying to get overall stats for the runtime values in the log for a given time period. For my search command, I get output with multiple rows as per below (single row shown):

host: abc-lyui-09
level: info
msg: {"key":"#'abc.xyz.services.abc-def/call-qwe-rt-nats","return":"{\"status\":\"error\",\"errors\":[{\"code\":\"server-error\"}],\"timestamp\":\"2020-04-19T17:38:25.147Z\"}","time":600474579345999,"start-time":600473689740122,"state":"return","stop-time":600474579339135,"thread":48703,"runtime":889.599013,"correlation-id":"f0c7e1d1-db8d-4fb7-b564-e89c6fc625f3"}
timestamp: 2020-04-19 17:38:25.150+0000

I am trying to extract the values for 'runtime' (in the example above, 889.599013) from the log for a given time range to find the trend (e.g. last 24 hrs). The example output for a selected time period would be: timestamp, runtime, correlation-id. What's the best way to get this output? I am a novice to Splunk search and reporting. Thanks,
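The difficulty in the event above is that `msg` is not a JSON object but a JSON document stored as a string, so `runtime` only appears after a second decode. The Python below is an added example, not code from the post: it performs that second decode, skips lines that are not parseable instead of crashing, cross-checks `runtime` against the nanosecond `start-time`/`stop-time` readings (in the post's event, 600474579339135 - 600473689740122 = 889599013 ns = 889.599013 ms), and summarises the values for a period. The log lines are constructed here in the post's shape; the first reuses the post's numbers, the other three are invented.

```python
"""Added example, not from the post: pull `runtime` and `correlation-id` out of
events whose `msg` field is itself a JSON document stored as a string, and
summarise them. The sample lines are constructed to mirror the post's event.
"""
import json
import statistics

NS_PER_MS = 1_000_000  # start-time/stop-time are nanosecond clock readings, runtime is ms


def _event(ts, runtime_ms, start_ns, cid, status="ok"):
    """Constructed log line in the post's shape: outer JSON with msg = inner JSON string."""
    inner = {
        "key": "#'abc.xyz.services.abc-def/call-qwe-rt-nats",
        "return": json.dumps({"status": status, "timestamp": ts}),
        "start-time": start_ns,
        "stop-time": start_ns + int(round(runtime_ms * NS_PER_MS)),
        "state": "return",
        "runtime": runtime_ms,
        "correlation-id": cid,
    }
    return json.dumps({"host": "abc-lyui-09", "level": "info",
                       "msg": json.dumps(inner), "timestamp": ts})


SAMPLE_LOG = "\n".join([
    _event("2020-04-19T17:38:25.147Z", 889.599013, 600473689740122,
           "f0c7e1d1-db8d-4fb7-b564-e89c6fc625f3", status="error"),
    _event("2020-04-19T17:40:01.002Z", 120.25, 600569000000000, "11111111-aaaa-4bbb-8ccc-222222222222"),
    "this line is not JSON and must be skipped rather than abort the extraction",
    _event("2020-04-19T17:41:30.500Z", 310.5, 600658000000000, "33333333-aaaa-4bbb-8ccc-444444444444"),
    _event("2020-04-19T17:45:59.999Z", 2450.0, 600927000000000, "55555555-aaaa-4bbb-8ccc-666666666666"),
])


def parse_event(line):
    """One row (timestamp, runtime, correlation-id), or None for an unparseable line."""
    try:
        outer = json.loads(line)
        msg = json.loads(outer["msg"])  # second decode: msg is JSON text, not an object
        runtime = float(msg["runtime"])
        # Cross-check the reported runtime against the clock readings.
        derived = (int(msg["stop-time"]) - int(msg["start-time"])) / NS_PER_MS
        return {
            "timestamp": outer["timestamp"],
            "runtime": runtime,
            "correlation-id": msg["correlation-id"],
            "runtime_matches_clock": abs(derived - runtime) < 1e-3,
        }
    except (ValueError, KeyError, TypeError):
        return None


def extract_runtimes(lines):
    """Rows in log order, plus the count of lines that could not be parsed."""
    rows, skipped = [], 0
    for line in lines:
        row = parse_event(line)
        if row is None:
            skipped += 1
        else:
            rows.append(row)
    return rows, skipped


def summarize(rows):
    """Trend numbers for the selected period: count, min, median, mean, max, slow calls."""
    values = sorted(r["runtime"] for r in rows)
    if not values:
        return {"count": 0}
    return {
        "count": len(values),
        "min": values[0],
        "median": statistics.median(values),
        "mean": statistics.fmean(values),
        "max": values[-1],
        "over_1s": sum(1 for v in values if v >= 1000.0),  # calls slower than one second
    }


if __name__ == "__main__":
    rows, skipped = extract_runtimes(SAMPLE_LOG.splitlines())
    for r in rows:
        print(r["timestamp"], r["runtime"], r["correlation-id"])
    print(summarize(rows), "skipped:", skipped)
```

The second decode is the step `spath input=msg` performs in SPL when the field holding the nested JSON is named explicitly; without it, `runtime` is just text inside the `msg` string and no field is extracted.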
Hi, where can information point metric data be put to good use? I believe we can establish: 1. Alerting & health rules 2. Custom dashboards. Are there any other uses members of the community can share? Thanks
Hey guys! I have 6 Linux servers. I'm trying to understand what is needed to speed up searching: an indexer cluster or a search head cluster?
Hello, the following process variable logs are created in my system.

Time | Target | Variable | Status
00:00:00 | 1 | 99 | On-line
00:00:01 | 2 | 89 | On-line
......
01:01:03 | 10 | 76 | Off-line

I want to send all process variable logs to Splunk's SIEM using the Universal Forwarder. However, I don't know how to set up its configuration to send the log file. Could you please tell me how to set it up? Thanks, Kevin
Hi all, I upgraded my Splunk ES and noticed that for some reason the out-of-the-box correlation searches are not getting upgraded to their newer version. Does anyone know why? Do I have to manually upgrade every correlation search? Thanks!
I have 6 sources with JSON events in the following structure (each source with different test data):

{
  "tests": [
    { "name": "test1", "status": "pass", "startAt": "", "finshedAt": "", "duration": "" },
    { "name": "test1", "status": "pass", "startAt": "", "finshedAt": "", "duration": "" },
    { "name": "test1", "status": "pass", "startAt": "", "finshedAt": "", "duration": "" }
  ]
}

I need to count the number of tests with status "pass" and the number of tests with status "fail" in total for all events. For example, if I have 3 tests in each source I expect to get a total of 18 tests in status pass. When I use the following search:

index=aaf_json executionDetails.build="6.78.135" | rename "tests{}.status" as status | stats count(eval(if(status="pass", 1, null()))) as success_count count(eval(if(status="fail", 1, null()))) as failure_count

I get the number of events matching the search criteria (total 6) but not the total for all sources' tests{}.status = "pass". Any advice?
We want to receive data from multiple devices on UDP port 514, but the Splunk interface does not allow a second source on the same port. Is this a limitation?
For some reason, the sourcetype of my forwarded Windows events is now set to WinEventType instead of the usual "Windows:xxx". Where do I change the setting for this?
There is a dropdown filter on the dashboard. How can I select multiple values for that filter?
Hi, in the App for Infrastructure this search returns results for 1x Linux and 1x Windows host, so I assume data is coming in as expected:

| mstats latest(_value) WHERE index=em_metrics metric_name=* BY host, entity_type

However, the Windows host does not show up as an entity in the Investigate tab while the Linux host does. And it is missing here as well:

| inputlookup em_entities

Does anyone have an idea what could be wrong here? Cheers
Hello, I am building a TA with Splunk Add-on Builder with a scripted input. I want to give the user the possibility to set a static host field for each input. I cannot add a host field in the data input parameters because I get an error: "Internal name: The input parameter name 'host' is a reserved keyword". How can I do that? The hostname or IP is not in the event data, but I have an input parameter hostname which I could use.
I have a logic which I want to implement in Splunk, but I'm getting confused with the syntax. Let me explain what I am trying to achieve. I have three variables: Multiplier, NAS, Tolls.

Multiplier: for weightage I have implemented an idea where the multipliers work according to the year it was paid. So, for example: 2020=1, 2019=0.9, 2018=0.8 ... 2010=0.
NAS: this will work as a variable which the user will have to input, but it has to be between 1 and 5.
Tolls: say X no. of tolls occur in a particular area, so X = x1 + x2 + x3, where each x = (no. of tolls * multiplier of the year the toll occurred). For example, 6 tolls occur in 2018, 3 in 2019 and 6 in 2020. The equation will look like this: X = (6*0.8) + (3*0.9) + (6*1) = 13.5.

Now I want to evaluate the Total Weight, so the formula is 1 - NAS(manual input)*X/100, and display the answer.
The JVM agent is unable to connect to the controller and is getting the following error in the agent logs: ERROR NetVizAgentRequest - Fatal transport error while connecting to URL. It doesn't help to declare the javaagent jar at the end. Any leads to resolve the issue would be helpful.
I'm trying to search for specific words inside the last entry added to a paragraph, where each entry/addition to the paragraph is time and date stamped. For example:

Paragraph = "25.12.2019 07:24:06 UTC Initial text entry
25.12.2019 09:50:52 UTC Should this be cancelled? No additional information found
26.12.2019 05:55:51 UTC No issues from this machine today, this should be cancelled"

I want to catalogue paragraphs that have the term 'cancelled' in them, but only if the term is in the last entry in the paragraph. As you can see, the word 'cancelled' is in the middle of the paragraph following the entry on 25.12.2019 09:50:52 UTC and also in the last entry, so this would be catalogued as a "cancelled" paragraph in what I'm trying to do. There are several paragraphs I have to search in this way, and I plan to search for other terms aside from 'cancelled' once I figure out how to search on only the last entry in the paragraph rather than the whole paragraph.
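The structure the post describes is regular: every entry opens with a `DD.MM.YYYY HH:MM:SS UTC` stamp, so "the last entry" is the text from the final stamp to the end of the paragraph. The Python below is an added example, not code from the post: it splits a paragraph on those stamps, tests only the final entry for a whole-word, case-insensitive match, and rejects paragraphs that have no stamps at all. It runs against the post's own paragraph plus four constructed variants (term only in a middle entry, upper-case term, the near-miss "cancellation", and free text with no stamps).

```python
"""Added example, not from the post: split a paragraph into its time-stamped
entries and test only the last one for a term. The stamp format is the one
the post shows (DD.MM.YYYY HH:MM:SS UTC); the extra paragraphs are constructed.
"""
import re

# One stamp opens each entry; everything up to the next stamp belongs to it.
ENTRY_STAMP = re.compile(r"\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2} UTC")

POST_PARAGRAPH = (
    "25.12.2019 07:24:06 UTC Initial text entry "
    "25.12.2019 09:50:52 UTC Should this be cancelled? No additional information found "
    "26.12.2019 05:55:51 UTC No issues from this machine today, this should be cancelled"
)

# Constructed variants that exercise the edge cases.
MIDDLE_ONLY = (
    "01.01.2020 08:00:00 UTC Opened "
    "01.01.2020 09:00:00 UTC Should be cancelled? "
    "02.01.2020 10:00:00 UTC Confirmed, keep it open"
)
UPPERCASE_LAST = "03.01.2020 08:00:00 UTC Opened 04.01.2020 08:00:00 UTC CANCELLED by operator"
NEAR_MISS = "05.01.2020 08:00:00 UTC Opened 06.01.2020 08:00:00 UTC Awaiting cancellation approval"
NO_STAMPS = "free text without any entry stamps, mentions cancelled"


def split_entries(paragraph):
    """Entries in order, each starting with its stamp.

    A date written in the same format inside an entry's body would start a new
    entry; the post's data only uses that format as a stamp, so that is accepted.
    """
    starts = [m.start() for m in ENTRY_STAMP.finditer(paragraph)]
    ends = starts[1:] + [len(paragraph)]
    return [paragraph[s:e].strip() for s, e in zip(starts, ends)]


def last_entry(paragraph):
    """The final entry, or None when the paragraph has no stamps."""
    entries = split_entries(paragraph)
    return entries[-1] if entries else None


def last_entry_has(paragraph, term):
    """True only when `term` appears as a whole word in the final entry.
    Paragraphs with no stamps have no 'last entry' and are rejected."""
    entry = last_entry(paragraph)
    if entry is None:
        return False
    return re.search(r"\b" + re.escape(term) + r"\b", entry, re.IGNORECASE) is not None


def catalogue(paragraphs, term):
    """The subset of paragraphs whose last entry contains `term`."""
    return [p for p in paragraphs if last_entry_has(p, term)]


if __name__ == "__main__":
    sample = [POST_PARAGRAPH, MIDDLE_ONLY, UPPERCASE_LAST, NEAR_MISS, NO_STAMPS]
    for p in catalogue(sample, "cancelled"):
        print(last_entry(p))
```

The same greedy-prefix idea carries over to an SPL `rex`: a pattern of the form `(?s)^.*(?<last_entry>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2} UTC.*)$` captures from the final stamp to the end, because the leading `.*` backtracks to the last position where a stamp matches; searching `last_entry` for the term is then a substring match rather than the whole-word match used here.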
Hi, I have a single value chart where I will be showing whether a node is UP or DOWN. I want to show the color green with the text UP and the color red with the text DOWN. However, the single value visualization needs a numeric value to show the color; how do I change the display to the text UP or DOWN? The code below displays the number 1 or 0 with green/red color, but I want to display UP/DOWN. What code changes do I need to make?

index=datagov source=node_log | eval service_up = if(_raw like "%successfully%",1,0) | stats values(service_up) as Availibilty

Thanks in advance
I am trying to map data that I have collected via a Python input in a new TA, which I am building via the Splunk Add-on Builder app, to the Vulnerabilities CIM data model. According to the CIM modelling documentation, I should map the tags of the Vulnerabilities CIM model, report and vulnerability, to the event type. Is there a way to do this within the Splunk Add-on Builder via the UI, so I could package it for the end user of the TA within the TA itself? In the Map to Data Model tab of the Splunk Add-on Builder, I can only see the ability to create event types but not to map tags to the event type. Thanks in advance!