Hi everyone, I'm going through the course Splunk Fundamentals 2 and I'm sorry if the question is too easy: what does it mean for a field to be 'static'? Namely, in the slide 151 of Splunk 7.X Fundamentals Part 2 (IOD).pdf, it is stated: 'Use FX to extract fields that are static...' But I couldn't find any definition of a 'static' field in the documentation. What does it mean? Any help is appreciated!
I'm running this query to get average event counts per day by index. When I run this, each site does an aggregate 2.5GB/s of IO each for 15 - 30 minutes to satisfy the query. Our understanding is that this is just metadata, so this is fairly surprising. Does anyone know why this is and have a better way to write this query?

| tstats count where (index=* OR index=_*) AND earliest=-w@w+1d latest=-w@w+6d by index
| eval eventCountPerDay=count/5
| table index, eventCountPerDay
Hello, Recently we noticed that splunkd on one of the nodes in our search head cluster had stopped. I was wondering whether there is a way to set off an alert if one of the nodes from the Search Head Cluster stops? thanks
I have the following query. The key TEST_DECISION has 4x possible outcomes: CALL_FAILED, VALID, INVALID, NOT_CALLED.

ns=test* TEST_DECISION PRODUCT IN (SAMPLE_123)
| timechart span=5m limit=0 count by TEST_DECISION

The output is as follows:

_time                         CALL_FAILED  VALID  INVALID  NOT_CALLED
2020-04-14T05:50:00.000-0700  11           83     7        46
2020-04-14T05:55:00.000-0700  6            60     6        42
2020-04-14T06:00:00.000-0700  8            78     19       55
2020-04-14T06:05:00.000-0700  11           86     19       59
2020-04-14T06:10:00.000-0700  10           94     17       71
2020-04-14T06:15:00.000-0700  8            67     17       63
2020-04-14T06:20:00.000-0700  2            19     4        17

Is there a way I could show % instead? I only care about VALID and INVALID. Thus I want to get the following instead. For the first row, 100% will be 83 (valid) + 7 (invalid). Thus I want to achieve the following:

VALID   INVALID
92.22%  7.77%

Please advise if there is a way I could achieve this. Thank you.
Hi all, I have the following command:

| savedsearch issue_with_lookup team="$token$" team_from_roster="$token$" team_roster_count="$token$"
| eval team="$token$"
| eval current_owner = if(current_owner = "","NA", current_owner)
| eval ID = current_owner
| where current_owner != "NA"
| lookup example.csv name as current_owner OUTPUT sys_id as user_sys_id
| table ticket_number, system_id, current_owner, assigneeID, team, reassignment, user_sys_id
| rename ticket_number as ticketName, system_id as ticketID, current_owner as assigneeName, reassignment as reassignment_flag
| search NOT [search index=abc earliest=-6m latest=now | dedup ticketName | table ticketName ]

Now the issue is when I run this query, all the fields occur except user_sys_id, whose value is definitely present in the lookup and should reflect but is not. This is a scheduled query which runs every 6 mins.
Hello, I have a query that controls authentication to an application. It is forbidden to connect to the application from 8:00 pm to 7:00 am unless necessary. I want to raise an alert when I have connections from 8:00 pm to 7:00 am. I use the cron:

00 20,21,22,23,0,1,2,3,4,5,6,7 * * *

but it does not work. Can you help me please? Thanks
In my web application, I want to log the user's country when they first log in. I then want to create a Choropleth using the geom country built-in lookup. I understand the examples in how to use the geom tool, but I am not clear on what I need to log into Splunk, what to search for and how to get that data correctly into geom. So for example, if I decide to log this every time a user logs in:

Log.Info ("User logged in from:" + user.country);

e.g.

"User logged in from: Canada"
"User logged in from: France"

I then want to count each country and map it on a Choropleth. Could someone help me out here? Thanks
Hello Splunker, I'm trying to use an application to search for the Vendor. I installed the application MAC Address Vendor Lookup for Splunk (https://splunkbase.splunk.com/app/4308/) to recover the Vendor based on the MAC address, but I get the following error:

[Indexer1] Script execution failed for external search command '/opt/splunk/var/run/searchpeers/SH-XXXXXX/apps/TA-mac-address-vendor-lookup/bin/mac_vendor_lookup.py' .

Info: The application is installed in the Search Head. I have a cluster mode. Can you help please. Thank you
Hello, this is my character string: user=YHYIFLP@intra.bcg.local. I want to display just YHYIFLP. I use

| eval user=trim(user, "@intra.bcg.local")

but it doesn't work very well. Is it possible to use regex? Thanks.
Hi All, I want to enable SSL for the Splunk management port (8089) for securing inter-Splunk communications. I have the below settings in my Cluster Master server.conf:

[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME/etc/auth/mycerts/server-chain-with-key.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca-chain.pem
sslVerifyServerCert = true
requireClientCert = true

But I see the below errors in the CM splunkd.log:

ERROR X509Verify - X509 certificate (CN=XXXX,OU=YYYY,O=ZZZ..) failed validation; error=26, reason="unsupported certificate purpose"
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
WARN HttpListener - Socket error from <indexer_ip>:47154 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

And I see this in my Indexer splunkd.log:

WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.

Can anyone help me understand why I'm seeing this issue? I have gone through a lot of answers and even the 2015 .conf slides, but do not understand why requireClientCert should be made false. I don't see anyone explaining the reason for this. I basically want to enable mutual authentication between CM and indexers on the management port and hence made requireClientCert = true. Is mutual TLS supported by Splunk on the management port? If yes, how should I provide client certs for mTLS? Thanks in advance
Hi, I have 2 different indexes, snmptrapd and servicenow, where snmptrapd will have NNMI-related events for storage devices, such as when any storage device is down/not functional, and the servicenow index will have incident-related events from CMDB data. So I need to get events with storage device down along with the respective Incident data. Is there any possibility to correlate these 2 indexes, so that I can get required
I have search heads A, B and C in a search head clustering structure. I modified $SPLUNK_HOME/etc/apps/custom_apps/lib/connect.py on search head C and restarted search head C only. I think the change was applied to search head C only, but search heads A and B also changed and applied it. My question is: I modified Search Head C directly without using the deployer, so why does it work? And how does search head clustering refer to python files in this case?
I was asked in my current project if Splunk is compatible with RHEL7.8 and I wasn't very sure what answer to give as I'm not exactly knowledgeable on the subject. I did my own research but thought I should ask here as well just to be sure. Your help will be much appreciated. By the way, the version of Splunk that we're using right now is 8.0.0.
Hi, I need to extract the values for the below-mentioned keys from the below-mentioned log. I used spath but it's not working. Please assist in the same.

divisionID
accountNumber
ppvCreditLimit
ppvRemainingCreditLimit
accountStatus

Note: some of the data has been masked for security

":"{ \n\"getAccountResponse\" : {\n \"account\" : {\n \"divisionID\" : \"ABC.202\",\n \"accountNumber\" : \"111122222\",\n \"customerNumber\" : \"19118902\",\n \"locationNumber\" : \"191189\",\n \"billingStationLevel0Code\" : \"202\",\n \"billingStationLevel1Code\" : \"50\",\n \"billingStationLevel2Code\" : \"05\",\n \"sourceFTACode\" : \"005\",\n \"accountType\" : {\n \"billerCode\" : \"R\",\n \"enterpriseCode\" : \"RESIDENTIAL\",\n \"description\" : \"Residential\",\n \"longDescription\" : null\n },\n \"accountStatus\" : \"Active\",\n \"billerAccountStatus\" : \"A\",\n \"connectDate\" : \"2019-10-31\",\n \"classification\" : \"SFU\",\n \"name\" : {\n \"last\" : \"raft\",\n \"first\" : \"xxx\"\n },\n \"serviceAddress\" : {\n \"line1\" : \" SAGE ST\",\n \"city\" : \"COL\",\n \"state\" : \"SC\",\n \"postalCode\" : \"211051132\"\n },\n \"phone\" : [ {\n \"number\" : \"9999999999\",\n \"type\" : \"Home\"\n } ],\n \"lineOfBusinessDetail\" : [ {\n \"type\" : {\n \"billerCode\" : \"C\",\n \"enterpriseCode\" : \"VIDEO\",\n \"description\" : \"Video\",\n \"longDescription\" : \"Video\"\n },\n \"status\" : {\n \"billerCode\" : \"1\",\n \"enterpriseCode\" : \"LOBCONNECTED\",\n \"description\" : \"LOB Connected\",\n \"longDescription\" : \"LOB Connected\"\n }\n }, {\n \"type\" : {\n \"billerCode\" : \"D\",\n \"enterpriseCode\" : \"HSD\",\n \"description\" : \"HSD\",\n \"longDescription\" : \"HSD\"\n },\n \"status\" : {\n \"billerCode\" : \"1\",\n \"enterpriseCode\" : \"LOBCONNECTED\",\n \"description\" : \"LOB Connected\",\n \"longDescription\" : \"LOB Connected\"\n }\n } ],\n \"experianPin\" : \"xxxxx140299\",\n \"accountDetail\" : {\n \"totalCurrentBalance\" : 212.31,\n \"totalPendingAmount\" : 0.00,\n \"totalLastPayment\" : -27.00,\n \"totalAmountDue\" : 312.31,\n \"ppvCreditLimit\" : 0.00,\n \"ppvRemainingCreditLimit\" : 0.00,\n \"language\" : {\n \"billerCode\" : \"ENGL\",\n \"enterpriseCode\" : \"ENGLISH\",\n \"description\" : \"English\",\n \"longDescription\" : \"English\"\n },\n \"auditCreationDate\" : \"2019-10-31\",\n \"locationType\" : {\n \"billerCode\" : \"J\",\n \"enterpriseCode\" : \"RSSINFAM\",\n \"description\" : \"Single Family Home\",\n \"longDescription\" : \"Single Family Home\"\n },\n \"bulkFlag\" : \"N\",\n \"vipCode\" : {\n \"billerCode\" : \"1\",\n \"enterpriseCode\" : \"OWNER\",\n \"description\" : \"Owner\",\n \"longDescription\" : \"Owner\"\n },\n \"billingDetails\" : [ {\n \"currentStatementId\" : \"151441\",\n \"statementCode\" : \"1\",\n \"cycleDay\" : \"1\",\n \"fromDate\" : \"2020-04-01\",\n \"thruDate\" : \"2019-04-30\",\n \"amountDue\" : 312.31,\n \"frequency\" : {\n \"billerCode\" : \"M\",\n \"enterpriseCode\" : \"MONTHLY\",\n \"description\" : \"Monthly Billing\",\n \"longDescription\" : \"Monthly Billing\"\n },\n \"dunningGroup\" : \"0\",\n \"futureDatedFlag\" : \"N\",\n \"paperlessFlag\" : \"N\",\n \"currentBalance\" : 312.31,\n \"lastPaymentDate\" : \"2020-03-09\",\n \"lastPaymentAmount\" : -27.00,\n \"paymentDueDate\" : \"2020-04-18\",\n \"pendingPayment\" : 0.00,\n \"cycle1Amount\" : 156.08,\n \"cycle2Amount\" : 0.00,\n \"cycle3Amount\" : 0.00,\n \"delinquencyAmount\" : 156.08,\n \"delinquencyStatus\" : {\n \"billerCode\" : \"_\",\n \"enterpriseCode\" : \"NORMAL\",\n \"description\" : \"Normal\",\n \"longDescription\" : \"Normal\"\n },\n \"daysDelinquent\" : 44,\n \"billToName\" : {\n \"first\" : \"xxx raft\"\n },\n \"billToAddress\" : {\n \"line1\" : \"SAGE ST\",\n \"city\" : \"COL\",\n \"state\" : \"SC\",\n \"postalCode\" : \"211051132\"\n },\n \"statementHold\" : {\n \"billerCode\" : \"P\",\n \"enterpriseCode\" : \"PAPERONLY\",\n \"description\" : \"Paper Bill Only\",\n \"longDescription\" : \"Paper Bill Only\"\n },\n \"promiseAmount\" : 0.00,\n \"promiseActivityCode\" : \"41\",\n \"billingCurrentBalance\" : 312.31,\n \"statementBalance\" : 312.31,\n \"electronicFlag\" : \"N\",\n \"adjustedDelinquencyAmount\" : 156.08\n } ]\n },\n \"accountCategory\" : \"Re\",\n \"accountSegment\" : \"Re\"\n },\n \"sourceSystemTimeZone\" : \"-04:00\"\n }\n}", "responseTime": 551
I run the query below every so often to see if there are any blocked queues, and most of the time I see results when I run the query. The types of queues that are blocked sometimes include: indexqueue, typingqueue, structuredparsingqueue, aeq, parsingqueue, splunktcpin, aggqueue, auditqueue, and nullqueue. Is there a reason that there is always some sort of queue that is being blocked, and is there a particular queue that, if blocked, can have serious negative effects? Also, any documentation on what each queue is meant for could be helpful.

index=_internal group=queue
| eval percfull=((current_size_kb/max_size_kb)*100)
| search percfull>80 blocked=true
| dedup host, name
| table _time host name current_size_kb max_size_kb

Thanks in advance
I have the below message:

[32minfo: [Clean Storage] brand/market/testing1.html, brand/market/testing2.html, brand/market/testing3.html were successfully deleted from container stores-test

How do I use the Splunk query to show the message as below?

brand market testing1.html
brand market testing2.html
brand market testing3.html

I've spent hours trying and I just could not get it right. Thanks for your help.
Hi Experts, I am getting the below error:

java.sql.SQLException: ORA-00604: error occurred at recursive SQL level 1
ORA-01882: timezone region not found

It's working fine for Oracle 12c servers but shows the above error when executed on 11g servers.
Hi team, I have logs like this:

This is Tom This is Amy This is David This is Ben

I want the line breaking to be like this:

This is Tom
This is Amy
This is David
This is Ben

Here is my LINE_BREAKER config:

LINE_BREAKER = (this)

And my result is like:

is Tom
is Amy
is David
is Ben

So how could I keep the line breaking regex? In my case, the "this"? Many thanks. S
Hello all, I created a malformedEventIndex ( malformedevent ), per inputs.conf. I see 400 million+/day from thousands of hosts going to this index from my syslog servers (have a HF that sends to indexer cluster). I tried looking at the events to see what would cause them to end up in this index, and patterns shows:

100% __default_indexprocessor_body

This doesn't tell me anything. I went through the reasons as to why events may end up here and none seem to match.

* Routes the following kinds of events to the specified index:
* events destined for read-only indexes ### we don't have these
* log events destined for datatype=metric indexes ### no logs on syslog server go to metric indexes
* log events with invalid raw data values, like all-whitespace raw ### I cat log files on syslog server and they are not all-whitespace
* metric events destined for datatype=event indexes ### these systems are not sending metric events
* metric events with invalid metric values, like non-numeric values ### see above
* metric events lacking required attributes, like metric name ### see above

Documentation on this index is extremely sparse so I am not sure where to go from here. Please help.
Is the precedence of configuration options "correct"? From this: https://docs.appdynamics.com/display/PRO45/Administer+the+Java+Agent I understand and have verified that system properties are overridden by environment variables. This is exactly the opposite of what I would expect and would like, and is different from every other convention I have encountered. It also makes it hard to do things like setting up a default configuration baked into a docker image and being able to override those settings in a "run.sh" script on the java command line.