All Topics

Hello! I downloaded the SPLUNK4JMX app to onboard JMX logs from Oracle WebLogic. I installed the app locally on a universal forwarder, version 7.3.3. I have been messing around with the configurations but have not been able to get it to work. When I check the splunkd logs, I get this error message:

ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/SPLUNK4JMX/bin/jmx.py" Activation key check failed.Please ensure that you copy/pasted the key correctly.

I have copy/pasted and verified that the trial key is correct. I am also getting this error when I run this command:

/opt/splunkforwarder/bin/splunk cmd splunkd print-modinput-config jmx | /opt/splunkforwarder/bin/splunk cmd /bin/python /opt/splunkforwarder/etc/apps/SPLUNK4JMX/bin/jmx.py

[Fatal Error] :-1:-1: Premature end of file.
ERROR Error executing modular input : HTTP 401 -- <?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="WARN">call not properly authenticated</msg> </messages> </response> : com.splunk.HttpException: HTTP 401 -- <?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="WARN">call not properly authenticated</msg> </messages> </response>
    at com.splunk.HttpException.create(HttpException.java:84)
    at com.splunk.HttpService.send(HttpService.java:399)
    at com.splunk.Service.send(Service.java:1268)
    at com.splunk.HttpService.get(HttpService.java:151)
    at com.splunk.Entity.refresh(Entity.java:381)
    at com.splunk.Entity.refresh(Entity.java:1)
    at com.splunk.Resource.validate(Resource.java:174)
    at com.splunk.Entity.validate(Entity.java:462)
    at com.splunk.Entity.getContent(Entity.java:157)
    at com.splunk.Entity.getString(Entity.java:279)
    at com.splunk.ServiceInfo.getVersion(ServiceInfo.java:155)
    at com.splunk.modinput.ModularInput.runStateCheckerThread(Unknown Source)
    at com.splunk.modinput.ModularInput.init(Unknown Source)
    at com.splunk.modinput.jmx.JMXModularInput.main(Unknown Source)

Hi, I have downloaded the Splunk Enterprise trial version for Windows 64-bit. Only the search head is accessible? I created a text file and got it into Splunk, and I could see the logs under the main index. If I need to change the name of the index, where should I change it? Or, because this is the trial version, do all the logs go to the main index by default?

Hi everyone, my Splunk UFs are installed on Linux. How do I get the OS version (not the OS type)? I am using the Splunk App for Unix and Linux. Is there a way to get it from that app?

Hi experts, I have a one-month data inputlookup file, i.e. sample.csv, which contains two fields, test and _time. I want to compare weekly data.

sample.csv:

test    _time
101     2020/04/02 14:02:18
102     2020/04/01 20:21:50
101     2020/04/05 02:09:12
101     2020/03/31 08:11:29

Expected output:

test    count    week
101     2        thisweek
102     1        lastweek
103     1        prior week
101     1        prior week

Like this. Please help on this, and thanks in advance.

Hi, I'm new to Splunk. I learned many things from the Splunk Answers section. Firstly, I would like to thank all of you who have given answers, and the Splunk support team. I have a requirement to fetch user login and logout with timestamps and a couple more fields. Currently one of my network components generates multiple events for a single session and sends them to Splunk. The session ID remains the same for all events, but the required fields appear in separate events (rows) with the same session ID.

For example, I'm looking for a table format like this:

hostname   session_id   username   clientip   country   session_start            session_end
device_A   af1202010    userX      1.1.1.x    US        01-01-2020 11:15:00 AM   02-01-2020 03:30:00 AM
device_B   zqfs04011    userY      2.2.2.y    UK        01-01-2020 12:15:00 PM

The events appear like this:

01-01-2020 01:15:00 GMT session_id af1202010 "User_Agent:IE"
01-01-2020 01:15:01 GMT session_id af1202010 Country US clientip 1.1.1.x destination ip 9.0.0.1
01-01-2020 01:15:02 GMT session_id af1202010 username userX
01-01-2020 01:15:03 GMT session_id af1202010 resource assigned computer_A
01-01-2020 01:15:04 GMT session_id af1202010 Allowed
02-01-2020 03:30:00 GMT session_id af1202010 Bytes_out

Based on the above Splunk logs, I need a query to fetch output in a table format as a last 24 hrs report or a 1 week report, into CSV format. Example:

index=xyz hostname=device_* session_id="*"
| eval session_start=if(searchmatch("User_Agent"),_time,null())
| eval session_end=if(searchmatch("Bytes_Out"),_time,null())
| transaction session_id
| rex field=_raw "\d\d,\d\d\d \d\d/\d\d (?\S*)"
| search session_id username country resource
| convert ctime(session_start) ctime(session_end)
| table hostname, session_id, username, country, clientip, session_start, session_end

Note: some of the users logged in several days before, so the logout of the user could be today or not at all. Your help is much appreciated; also, please provide the correct search string to fetch the report into CSV format. Thank you

Is there a messaging option available here, please? I want to send a direct message to someone; it is for professional purposes only. Or is there a way to send the question to one person without others seeing it? Regards, Suman P.

I am trying to pull some stats from Splunk around how long a user session was active for. In the logs I have a logon message, and either a corresponding logoff message or a session timeout message, and I can correlate the messages by a session token present in each message. I have the following query, which uses transaction to tie everything together:

index=diagnostic (host="*ABC*" OR host="*DEF*" OR host="*XYZ*")
    (mod="Authenticator" AND opn="Logout Service" AND msgId="AUDIT_MSG_005" AND ssoTicket=*)
    OR (mod="Authenticator" AND opn="Validate Service" AND msgId="AUDIT_MSG_005" AND ssoTicket=*)
    OR (mod="SESSIONTIMEOUT" AND opn="SESSION_TIMEOUT" AND msgId="Working On Key:*")
| rex field=msgId "(?<ssoTicket><TOKEN REX>)"
| fields ssoTicket,msgId
| transaction ssoTicket startswith="Validate Service" endswith=("Logout Service" OR "SESSIONTIMEOUT")
| stats avg(duration) as "Avg Sess. Dur(sec)", perc25(duration) as "25th percentile", perc75(duration) as "75th Percentile", perc95(duration) as "95th percentile", max(duration) as "Max Sess. Dur(sec)", dc(ssoTicket) as "Unique Sess.", count(eval(duration>36000)) as "sess. > 10hrs"

However, it does not appear to be returning all the results I expect. For instance, if I run it for a 24 hour period I don't see any sessions that went over 10 hours, and the overall session count is a lot lower than I would expect for a 24 hour period. I know there are sessions that hit the timeout window, as I can see the timeout message, and if I search for that session token along with the token of a session that was logged out, the stats look OK. So how do I get transaction to return all the results I need, or produce the same stats without using transaction? Thanks

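The two session questions above (folding a session's scattered events into one row with login and logout times, and measuring session duration when some sessions end by timeout or have not ended yet) share one core operation: group events by the session identifier, take each field from whichever event carries it, and treat a missing end marker as an open session rather than dropping it. The Python below is an added example, not code from either post; the event format (dd-mm-yyyy GMT timestamps, a host token, then "session_id <id>" and free-text key/value pairs), the field names, the start/end markers and the sample lines are all constructed to match the shape the posts describe and are assumptions.

```python
"""Correlate multi-event sessions into one row per session, plus duration stats.

Added example, not code from either post. It assumes the constructed event
format below (dd-mm-yyyy timestamps in GMT, a host token, "session_id <id>",
then whatever key/value pairs that event carries); field names, markers and the
sample events are made up to match the shape described in the posts.
"""
import math
import re
from datetime import datetime, timezone

# Constructed sample: one session that ends (af1202010) and one still open (zqfs04011).
SAMPLE_LOG = """\
01-01-2020 01:15:00 GMT device_A session_id af1202010 User_Agent:IE
01-01-2020 01:15:01 GMT device_A session_id af1202010 Country US clientip 1.1.1.10 destination ip 9.0.0.1
01-01-2020 01:15:02 GMT device_A session_id af1202010 username userX
01-01-2020 01:15:03 GMT device_A session_id af1202010 resource assigned computer_A
01-01-2020 01:15:04 GMT device_A session_id af1202010 Allowed
02-01-2020 03:30:00 GMT device_A session_id af1202010 Bytes_out 1234
01-01-2020 12:15:00 GMT device_B session_id zqfs04011 User_Agent:Firefox
01-01-2020 12:15:01 GMT device_B session_id zqfs04011 Country UK clientip 2.2.2.20 destination ip 9.0.0.1
01-01-2020 12:15:02 GMT device_B session_id zqfs04011 username userY
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) GMT (?P<host>\S+) "
    r"session_id (?P<sid>\S+)(?P<rest>.*)$"
)
# Single-token fields lifted out of the free-text remainder (assumed names).
KV_FIELDS = {"Country": "country", "clientip": "clientip", "username": "username"}
START_MARKER, END_MARKER = "User_Agent", "Bytes_out"
COLUMNS = ("hostname", "session_id", "username", "country", "clientip",
           "session_start", "session_end")


def parse_event(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {
        "_time": datetime.strptime(m["ts"], "%d-%m-%Y %H:%M:%S").replace(tzinfo=timezone.utc),
        "hostname": m["host"],
        "session_id": m["sid"],
    }
    tokens = m["rest"].split()
    for i, tok in enumerate(tokens[:-1]):      # value is the token after the key
        if tok in KV_FIELDS:
            ev[KV_FIELDS[tok]] = tokens[i + 1]
    if START_MARKER in m["rest"]:
        ev["marker"] = "start"
    elif END_MARKER in m["rest"]:
        ev["marker"] = "end"
    return ev


def correlate(log_text):
    """Fold all events sharing a session_id into one record (like stats ... by session_id)."""
    sessions = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        s = sessions.setdefault(ev["session_id"], dict.fromkeys(COLUMNS))
        s["hostname"], s["session_id"] = ev["hostname"], ev["session_id"]
        for col in ("username", "country", "clientip"):
            if col in ev:
                s[col] = ev[col]               # whichever event carried it
        if ev.get("marker") == "start":
            s["session_start"] = ev["_time"]
        elif ev.get("marker") == "end":
            s["session_end"] = ev["_time"]
    return sessions


def _percentile(values, p):
    """Nearest-rank percentile; works for any non-empty list."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(p / 100.0 * len(ordered)) - 1)]


def duration_stats(sessions, long_threshold_sec=36000):
    """Duration stats over closed sessions; open sessions are counted, not dropped."""
    durations = [
        (s["session_end"] - s["session_start"]).total_seconds()
        for s in sessions.values()
        if s["session_start"] is not None and s["session_end"] is not None
    ]
    still_open = sum(1 for s in sessions.values()
                     if s["session_start"] is not None and s["session_end"] is None)
    stats = {"closed": len(durations), "open": still_open, "unique": len(sessions)}
    if durations:
        stats.update({
            "avg_sec": sum(durations) / len(durations),
            "max_sec": max(durations),
            "p95_sec": _percentile(durations, 95),
            "over_threshold": sum(1 for d in durations if d > long_threshold_sec),
        })
    return stats


def to_rows(sessions):
    """Table rows in column order, with times rendered like convert ctime()."""
    def fmt(v):
        return v.strftime("%m/%d/%Y %H:%M:%S") if isinstance(v, datetime) else (v or "")
    return [[fmt(s[c]) for c in COLUMNS] for s in sessions.values()]


if __name__ == "__main__":
    sess = correlate(SAMPLE_LOG)
    for row in to_rows(sess):
        print("\t".join(row))
    print(duration_stats(sess))
```

Keeping the open sessions as a separate count is the point for the second question: a session whose logout or timeout falls outside the search window, or whose events exceed transaction's grouping limits, should show up as "still open" rather than silently vanish from the duration statistics.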
Hey everybody! I have the following multi-select construction with checkboxes and a submit button. This gives me the selected value on the first panel and allows me to pass that on to the secondary panel. However, the value on panel 2 therefore loses its connection to the other field attributes in the search and is represented as just a passed-on text value. What I want is the same construction, but able to keep the connection between the value that is passed on and the other field attributes of the search, so that I can construct a summary of certain fields by this transferred value. Here are the .js and XML:

require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function (_, $, mvc, TableView) {
    // Access the "default" token model
    var tokens = mvc.Components.get("default");
    var selected_values_array = [];
    var submittedTokens = mvc.Components.get('submitted');

    // Custom renderer for applying checkbox.
    var CustomRenderer = TableView.BaseCellRenderer.extend({
        canRender: function (cell) {
            return _(['Select Value']).contains(cell.field);
        },
        render: function ($td, cell) {
            var a = $('<div>').attr({
                "id": "chk-sourcetype" + cell.value,
                "value": cell.value
            }).addClass('checkbox').click(function () {
                if ($(this).attr('class') === "checkbox") {
                    selected_values_array.push($(this).attr('value'));
                    $(this).removeClass();
                    $(this).addClass("checkbox checked");
                } else {
                    $(this).removeClass();
                    $(this).addClass("checkbox");
                    var i = selected_values_array.indexOf($(this).attr('value'));
                    if (i != -1) {
                        selected_values_array.splice(i, 1);
                    }
                }
                console.log(selected_values_array);
            }).appendTo($td);
        }
    });

    // List of table ID
    var sh = mvc.Components.get("myTable");
    if (typeof(sh) != "undefined") {
        sh.getVisualization(function (tableView) {
            // Add custom cell renderer and force re-render
            tableView.table.addCellRenderer(new CustomRenderer());
            tableView.table.render();
        });
    }

    // Disabling button while search is running
    var mysearch = mvc.Components.get('mysearch');
    mysearch.on('search:start', function (properties) {
        $("#mybutton").attr('disabled', true);
    });
    mysearch.on('search:done', function (properties) {
        $("#mybutton").attr('disabled', false);
    });

    $(document).ready(function () {
        // setting up tokens with selected value.
        $("#mybutton").on("click", function (e) {
            e.preventDefault();
            tokens.set("mytoken", selected_values_array.join());
            submittedTokens.set(tokens.toJSON());
            $("#mybutton").attr('disabled', true);
        });
    });
});

And the XML:

<form script="multiselect_table.js" stylesheet="multiselect_table.css">
  <label>Summary by ID</label>
  <row>
    <panel>
      <table id="myTable">
        <title>Panel A</title>
        <search>
          <query>Res!=220 | stats count by MId, a, b, c, d | eval "Select Sourcetype"= MId | table "Select Sourcetype" Mid, a, b, c, d count</query>
          <earliest>-5d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">row</option>
        <drilldown>
          <condition field="*"></condition>
        </drilldown>
      </table>
      <html>
        <div>
          <input type="button" id="mybutton" value="Submit"/>
        </div>
      </html>
    </panel>
    <panel>
      <table>
        <title>Panel B</title>
        <search id="mysearch">
          <query>| makeresults | eval SelectedRowValue="$mytoken$" | makemv delim="," SelectedRowValue | stats sum(c) as totalc, sum(d) as totald by SelectedRowValue | table SelectedRowValue, a, b, c, d</query>
          <earliest>-5d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
</form>

What I want is a summary of the fields a, b, c, d on panel 2, by SelectedRowValue. I'd also like to do that without a submit button, i.e. the data gets passed on right after I click a checkbox, without having to submit it with the button. Thanks in advance!

If anyone could help me clarify these, that would help.

1. A universal forwarder can send data at a time to "one" indexer only? A UF cannot be configured to send data to multiple indexes in the same Splunk instance. Is my understanding correct?

2. If I'm wrong about question 1: say I have two Splunk instances (two different teams, A and B, each using their own Splunk, no relation at all). However, team B wants some data from team A. Team B is not allowed to install their forwarders on team A's web servers. Team A's web servers have their own UF installed for their own Splunk instance. Is there a way to send the data using team A's UFs into team B's Splunk index?

Hi, we cannot connect to Oracle. We are currently using Splunk version 8.0.1, Splunk DB Connect version 3.3.0 and Oracle version 12.1.0.2. We have the figures below:

Figure 1: Error
Figure 2: Driver on Splunk

Thanks, regards

Good morning all, I have a little challenge for someone who has far superior brains to myself! I have created a lookup file for one of our teams, because we cannot permit index access to where the original indexed emails reside. The team would like to be able to timechart the count of emails by sender. There are 3 mailboxes the mails could come in from, so seeing a breakdown of the date and time received from each mailbox, over the day, would give some value for trend analysis. Normally that would easily be achieved via | timechart span=1m count by From; however, I can't run this, as _time is escaped due to the nature of the lookup. My question is then: how do I go about extracting the 'Date' values from the lookup and using them to chart against BY From? I have the following search to try to convert the text date string into a usable time value:

| inputlookup dxpt_mails.csv
| search Date="09*"
| eval sent_date=strptime(Date,"%d-%b-%Y %H:%M:%S")
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(sent_date)

The sample lookup file is as such:

Date                        From                     Subject                                                    sent_date
09-Apr-2020 09:05:13 +0100  FormSubmission@test.com  Pensions & retirement request a call back Form Submission  2020-04-09T09:05:13
09-Apr-2020 09:51:19 +0100  FormSubmission@test.com  Life change address Form Submission                        2020-04-09T09:51:19
09-Apr-2020 10:02:48 +0100  FormSubmission@test.com  Life change address Form Submission                        2020-04-09T10:02:48
09-Apr-2020 10:23:58 +0100  FormSubmission@test.com  Life change address Form Submission                        2020-04-09T10:23:58
09-Apr-2020 10:22:16 +0100  FormSubmission@test.com  Life request sum assured Form Submission                   2020-04-09T10:22:16
09-Apr-2020 10:35:56 +0100  FormSubmission@test.com  Life change address Form Submission                        2020-04-09T10:35:56

Thank you to anyone able to assist, and a happy Easter to you all!

Hello, I am trying to regroup business transactions by feature, and I am looking for where the regex is executed for transaction detection. I would like to regroup these BTs with a regex:

/store-11111-name-for-the-store.aspx
/store-22222-name-for-the-store-longer.aspx
/store-3333333-short-store-name.aspx

The regex that will be used: \/store-\d*(-\w*)*\.aspx

Does anyone know if the regex is evaluated on the agent or on the controller? Thank you for any answer.

Hello, I would like to modify some use cases provided by default in SSE. I tried to do it via the GUI, but it doesn't work. When browsing the app files, I noticed that the use case information is stored in multiple JSON files, which I tried to modify, but this didn't change anything in the GUI. Is there any way to do it? Also, I tried to add custom content. It is possible from the GUI, but I have many rules to add. Is there any file (like savedsearch.conf, for example) that enables loading all the rules and other components, like the MITRE mapping and description, at once instead of doing it one by one in the GUI? Thank you

Hello, I'm having an issue with the MaxMind GeoLite database update. Even though I'm updating the database on Splunk, the country found for some IPs is still incorrect when using the iplocation command. What I did on Splunk:

- Checked that the IPs showing a country mismatch are updated in the new version of the DB
- Updated the GeoLite database on all search heads, indexers and the deployment server
- Restarted all Splunk infrastructure

Splunk version: Enterprise 6.3.2

Can you please help me figure out why Splunk seems to still be using the old database data even though it no longer exists? Thanks in advance for your help.

I'm running VMware Horizon View 7 in my organization. Now, with the COVID-19 shelter in place, we all need to WFH. How do I monitor user activity and know what the user experience is when connecting to VDI? I know VMware Horizon View has vRealize Operations Manager for View, but it's limited.

Hi, I know this topic isn't the first one here, but I have had some trouble getting a good answer for this specific problem. We have a syslog server which collects data from devices, and we need to forward it to our Splunk server. In our case the syslog server runs syslog-ng, and as for our Splunk server, we have only one server used for both indexing and search. My question is: what are the best practices for forwarding data from our syslog-ng server to our Splunk instance? For now, our syslog server forwards directly over udp:514, but we have some problems with that (if Splunk restarts we lose some data, and all data is indexed into a single index). We need to know whether it is better to install a universal forwarder on the syslog-ng host to forward, or to install syslog-ng on our Splunk instance and then monitor the files sent by our syslog server over udp:514. Thanks for your help.

I am monitoring my PKI certificates with a PowerShell script which returns the number of valid days for each certificate in an Excel document on my Splunk server. My script runs every day to update my value "Validity"; the problem is that I have multiple entries for each certificate, with different validity values, on my dashboard. How can I only update the value "Validity" after my script runs, and not have a new entry? My query:

index="index_pki" sourcetype="splunk_csv"
| stats count by ReqID, CN, Template, Validity, NotAfter, NotBefore, San, Tumbprint
| where Validity < 30
| sort Validity

And the print screen. Thanks a lot

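The duplicate rows above come from grouping on Validity itself: every daily run writes a new Validity number for the same certificate, so each value becomes its own row. The fix is to keep only the newest snapshot per certificate (keyed on the thumbprint) and apply the 30-day threshold to that, and it is safer to recompute days left from NotAfter than to trust a stored Validity that ages as soon as it is written. The Python below is an added example, not the poster's script; the CSV columns reuse the field names from the post, but the snapshot-date column (scan_date), the hostnames, thumbprints and dates are constructed and are assumptions.

```python
"""Keep only the newest snapshot per certificate before applying the expiry threshold.

Added example, not the poster's script. The CSV layout reuses the post's field
names; the snapshot-date column "scan_date" and all row values are constructed
and are assumptions.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed: the same certificate appears once per daily script run.
SAMPLE_CSV = """\
scan_date,ReqID,CN,Template,NotBefore,NotAfter,Thumbprint,Validity
2020-04-07,101,web01.example.test,WebServer,2019-05-01,2020-05-01,AAAA1111,24
2020-04-08,101,web01.example.test,WebServer,2019-05-01,2020-05-01,AAAA1111,23
2020-04-09,101,web01.example.test,WebServer,2019-05-01,2020-05-01,AAAA1111,22
2020-04-08,102,vpn.example.test,WebServer,2019-11-01,2021-11-01,BBBB2222,572
2020-04-09,102,vpn.example.test,WebServer,2019-11-01,2021-11-01,BBBB2222,571
2020-04-09,103,old.example.test,WebServer,2018-04-01,2020-04-01,CCCC3333,-8
"""

DATE_FMT = "%Y-%m-%d"


def _parse_date(text):
    """Dates in the CSV are calendar days; treat them as midnight UTC."""
    return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc)


def parse_rows(text):
    """Read the CSV into dicts; values stay as strings until they are needed."""
    return list(csv.DictReader(io.StringIO(text)))


def latest_per_cert(rows, key="Thumbprint"):
    """One row per certificate: the snapshot with the greatest scan_date wins.

    This is the dedupe step the original search lacks (it groups by Validity,
    so every daily value becomes its own row).
    """
    newest = {}
    for row in rows:
        current = newest.get(row[key])
        if current is None or _parse_date(row["scan_date"]) > _parse_date(current["scan_date"]):
            newest[row[key]] = row
    return list(newest.values())


def expiring(rows, now, threshold_days=30):
    """Recompute days left from NotAfter instead of trusting the stored Validity,
    then return certificates under the threshold, soonest-expiring first.
    `now` may be a datetime or a YYYY-MM-DD string (useful for reproducible reports)."""
    if isinstance(now, str):
        now = _parse_date(now)
    out = []
    for row in rows:
        days_left = (_parse_date(row["NotAfter"]) - now).days   # negative when already expired
        if days_left < threshold_days:
            out.append({**row, "days_left": days_left})
    return sorted(out, key=lambda r: r["days_left"])


if __name__ == "__main__":
    report = expiring(latest_per_cert(parse_rows(SAMPLE_CSV)), datetime.now(timezone.utc))
    for r in report:
        print(f'{r["days_left"]:>5}  {r["Thumbprint"]}  {r["CN"]}  expires {r["NotAfter"]}')
```

Already-expired certificates come out with a negative days_left at the top of the list, which is usually the row a PKI team most needs to see and the one a simple "Validity < 30" on stale data is most likely to hide behind older, larger values.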
Unable to find the app in Splunkbase; however, it is showing individually but not when I try to search from the search head. https://splunkbase.splunk.com/app/1739/#/details

I have an event in my log that contains the following information:

* Event Time
* Post Event Time 1
* Post Event Time 2
* Post Event Time 3

The original event sends the time as UTC+0. I have adjusted my sourcetype to set the TZ as required, and the logs are now coming in with the appropriate offset into the Splunk instance. For example, the TZ is set to +8. If my time was 12:30pm, then the log comes through as follows:

* Event Time ==> 12:30pm 09/04/2020 ==> this is accurate, as my props is doing what I want it to do.

The problem is that the other time fields in the event (the source is CEF) show as "alphabetic" fields (strings), so not true times:

* PostTime1 ==> APR 09 04:30:00
* PostTime2 ==> APR 09 04:30:00
* PostTime3 ==> APR 09 04:30:00

I can adjust the times by using strptime/strftime to get what I need, but what I would like to know is: can I do this at ingest time (via something like props/transforms) as opposed to in a search? The Event Time (ingest time) works exactly as required, so that doesn't need to change. This is purely for the other, non-_time fields.

I want to get data from 8am yesterday to 8am today.