Hi Splunkers, do Splunk alerts have functionality to highlight a field name in the alert subject? TIA
Hi all, I have a dropdown input in my dashboard.

<input type="dropdown" token="test" searchWhenChanged="false">
  <label>test</label>
  <choice value="hogehogehoge">ALL</choice>
  <choice value="hogehogehoge">ALL2</choice>
  <choice value="hogehogehoge">ALL3</choice>
  <default>ALL</default>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <change>
    <set token="label1">$label$</set>
  </change>
</input>

I want to use the label value (like ALL, ALL2, ALL3) in my base search. (This is an example.)

| makeresults | eval test1="$label1$"

But this eval command has no value. How do I get $label$ into an eval command? Thank you for helping me.
If I comment out the following settings, will TSIDX be recreated?

enableTsidxReduction = true
timePeriodInSecBeforeTsidxReduction = 864000

The following is the contents of indexes.conf:

vi /opt/splunk/etc/master-apps/_cluster/local/indexes.conf

[onepocket]
coldPath = $SPLUNK_DB/onepocket/colddb
homePath = $SPLUNK_DB/onepocket/db
thawedPath = $SPLUNK_DB/onepocket/thaweddb
enableTsidxReduction = true
timePeriodInSecBeforeTsidxReduction = 864000
frozenTimePeriodInSecs = 63072000
repFactor = auto
So here are the details. I have an app called myapp. Under myapp/default I have a setup.xml defined like this:

<setup>
  <!-- Note that the path to the script uses URI encoding -->
  <block title="Enable a scripted input" endpoint="data/inputs/script" entity="%24SPLUNK_HOME%252Fetc%252Fapps%252Fmyapp%252Fbin%252Fmyscript.sh">
    <text>
      <i>Specify the configuration for a single setting in a stanza.</i>
    </text>
    <input field="interval">
      <label>Specify the interval for [$name$]</label>
      <type>text</type>
    </input>
  </block>
</setup>

I have myscript.sh under myapp/bin:

#!/bin/sh
echo "Yay! You called me!"

Now when I navigate to the app, the setup page comes up. I update the interval, click save, and get the following error:

Encountered the following error while trying to update: Cannot find item for POST arg_name="/data/inputs/script/%24SPLUNK_HOME%252Fetc%252Fapps%252Fmyapp%252Fbin%252Fmyscript.sh/interval"

I have checked, and the endpoint https://localhost:8089/servicesNS/nobody/myapp/data/inputs/script/%24SPLUNK_HOME%252Fetc%252Fapps%252Fmyapp%252Fbin%252Fmyscript.sh exists. Not sure yet what is going on. Help please.
Hello, this might not be a Splunk question, but here goes. Does anyone have ideas, using Splunk, of how to track that work-from-home workers are actually working from home? We are monitoring our Citrix NetScaler and Cisco ISE solutions. Are there particular field values in these logs we should parse to determine that employees are working? Or are there 3rd-party tools you have implemented and use Splunk to report on? Stay safe and healthy. Thanks and God bless, Genesius
Hi, I am a newbie in Splunk here and I am not a native speaker, so please bear with my grammar. Can someone explain how to correlate between two columns that are present in a table and remove the other values? For example, in the table below, I want to correlate between the Number and Router, because one Number only belongs to one Router, and the first digit of the Number is correlated to the R(1-7). For example:
- Number 21938 belongs to SWW- R2 -896
- Number 12439 belongs to HIT- R1 -141
And I need to remove the other values that are not correlated, so there is only one Number, one IP Address and one Router in each row. So the proper table would look like below. Any answer and help would be really appreciated. Thank you.
I have a 5-node indexer cluster with version 7.3.1.1. I added configuration to replicate data on the indexer cluster, but only new data is getting replicated. Old data which was in the cluster before I added the replication configuration is not replicated. Is this how it is supposed to be? If not, how can I replicate old data? Thanks in advance!!
Hi, I am trying to use a token from a drilldown in a previous view in my app. The token contains a date in this format: "%Y-%m-%d %H:%M:%S.%6Q" (it is possible to update the format, but I need to show microseconds). I used this code to change the format according to earliest and latest:

<input type="text" token="earliest">
  <label>earliest</label>
  <change>
    <eval token="earliest_clean">strftime(strptime($value$,"%Y-%m-%d %H:%M:%S.%6Q"),"%m-%d-%y %H:%M:%S.%6Q")</eval>
  </change>
</input>
<input type="text" token="latest">
  <label>latest</label>
  <change>
    <eval token="latest_clean">strftime(strptime($value$,"%Y-%m-%d %H:%M:%S.%6Q"),"%m-%d-%y %H:%M:%S.%6Q")</eval>
  </change>
</input>

I tried to use %3Q, %Q, %6N and %3N; nothing works. The best result is with %3N: the function works but the result is wrong (milliseconds are missing after conversion): 2020-04-12 21:34:41.268 => 2020-04-12 21:34:41.000. Any idea how to solve this issue? After solving this issue, I will need to solve another problem: Splunk is unable to search on the same date/time. How do I limit my search to a single microsecond? If there is no other option, how can I add one microsecond to latest?
Question: the list returned in the link posted below updates now and then. I would like a way to filter my firewall results with a dropdown to "filter Cloudflare IPs" using field3. Anyway, I just need an example of how I could use the dynamic list linked below in my search to filter out those IP ranges. Any easy way? I don't want to download the file and massage it; I would rather pull it live from their server, either on a schedule or whatever, then write a search to reference that list. Otherwise I have to NOT, NOT, NOT and update my search whenever the new list comes out.

Link to dynamic IP range list: https://www.cloudflare.com/ips-v4

Current search:

sourcetype=Firewall Dst_Port!="-" Action=ALLOW Path=RECEIVE Src_IP=$field3$ Src_IP!="127.0.0.1" Src_IP!="::1" NOT (Src_IP="10.0.0.0/8" OR Src_IP="172.16.0.0/12" OR Src_IP="192.168.0.0/16")
| stats count by Src_IP Dst_Port Protocol Action
| sort -count
| rename Src_IP as "Source IP" Dst_Port as "Destination Port"
Hi experts, please help me with a regular expression to match the value in each event at search time, as shown below:

{\"buaid\":{\"business\":[\"12345\"],\"exclude*

Required output: bss_value=12345

Thanks in advance.
Hi, I'm facing an issue while establishing a connection between Splunk DB Connect and a MySQL database. I configured Java, installed "mysql-connector-java-8.0.19-1.el6.noarch.rpm" for MySQL, added identities, and am trying to save the connection. As soon as I click on save I get the error "There was an error processing your request. It has been logged (ID 6f34ec5b5ff45a76)".

Details for configuration:

dbx_settings.conf
[java]
javaHome = /usr/java/jdk-11.0.6

identities.conf
[mysql]
disabled = 0
password = U2FsdGVkX19lv3QczRSgb6uiOc7/5FZQug8D34AbJu0=
use_win_auth = 0
username = root

db_connections.conf
[mysql_connection]
connection_type = mysql
database = test
disabled = 0
fetch_size = 1000
host = 1.10.103.45
identity = mysql
jdbcUseSSL = false
localTimezoneConversionEnabled = false
port = 3306
readonly = false
timezone = Etc/GMT+0

When I search in splunk_app_db_connect_server.log I can see the below error:

[dw-75 - POST /api/connections/status] ERROR io.dropwizard.jersey.errors.LoggingExceptionMapper - Error handling a request: 6f34ec5b5ff45a76
java.lang.NullPointerException: null

I couldn't understand what is meant by this issue.
Hello, Happy Easter, Passover, and holiday to all you Splunkers. I pray that you and your families are safe and healthy during this pandemic.

We have a SessionType field (Start, Connect, Stop). Each SessionType generates a SessionID. The same SessionID is used throughout the life of the session (Start, Connect, Stop). Each SessionType also has an OfficeLocation associated with it. We need to calculate the number of active connections at any point in time. This is sum(Start) + sum(Connect) - sum(Stop), after a dedup of all SessionID. This will give us the total active sessions. Here is the code:

index=syslog AND sourcetype=syslog AND (SessionType=Start OR SessionType=Connect)
| dedup SessionID
| stats count(SessionID) AS actSess
| appendcols [ search index=syslog AND sourcetype=syslog AND (SessionType=Stop) | stats count(SessionID) AS inactSess ]
| eval totActSess=actSess-inactSess
| table totActSess

The results will be displayed in a pie chart. We also need the total active sessions broken down by OfficeLocation. This calculation is a bit more complex. Based on the OfficeLocation, we need to determine if the SessionID has a SessionType of Stop associated with it. I feel like I might be overthinking this. How do you subtract two tables or charts from each other? I'm figuring something like this:

sum(Start) BY OfficeLocation + sum(Connect) BY OfficeLocation - sum(Stop) BY OfficeLocation

Thanks and God bless, Genesius
Hi, I have a specific capability built for my user group. I am calculating events based on the service calls per user. I found an anomaly: there are 5000 events in one day on one capability per user, which is incorrect. So I decided to group all the events that occurred in a day per user, specific to each capability, and count them as 1 instead of 5000. I tried different things like the ones below, but with no luck. Can someone help to solve this?

stats count by users
stats count by users,time
How do I find non-primary and primary bucket copies on the peer nodes? I'm new to Splunk; could someone please help me with this.
I am facing issues when I try to mouse over the timechart to see the exact values on the graph. I am selecting "Last 30 days"; there is one spike which shows up in the graph, but when I try to see the exact value of that point using mouse over, it is not pointing to that spike properly and keeps on flickering if I move the pointer there. Has anyone seen this issue before? Please help with how it can be resolved. This is sort of a flickering issue on the timechart during mouse over. My timechart is plotting data points with a span of 5 mins for the last 30 days.

Also, a second problem: for the last 30 days, it is adding shades of colors, so users are thinking that there are 3 colors in the timechart for IN and OUT, but for IN it is adding a shade of blue color. Is it possible to disable that? I have attached the images before hover and after hover. First image: shows the high point and the shade of blue color (light blue) added to the graph. Second image: while trying to point at the high point, the mouse over is not going to that point properly to see the highest value.
Hi, I am getting the below error while restarting Splunk.
Hi, during first-time setup, how do I establish a connection between the indexer and the search head? In the forwarder we give the indexer names in outputs.conf, so a connection is established between forwarder and indexer. In the same way, how do I establish a connection between the indexer and the search head?
I'm checking to see if I can embed an external web page which requires a login in a Splunk dashboard. I'm able to add the web page to a panel using an iframe, but it is not letting me log in. Any idea what might be happening? I otherwise have access to the external website.
I am facing a difficult problem with a search. The condition is: I want to filter the users who change their logon source IP address within ten minutes. The problem is that there are many users logging in during the time period. How can I group by the same username? I can't define the username in advance; it's random. Could you give a sample search? Thanks in advance.
Hi, I have integrated Splunk with Phantom and can send the events to Phantom by clicking on the "Send to Phantom" button. But I have a scheduled search to send the events to Phantom whenever there are any. However, I don't see any events sent to Phantom. I checked the logs and didn't find any error either. Please guide. Thanks,