All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I am indexing a file 3 times a day in Splunk. The timings are around 8:30 am, 1:30 pm and 5:15 pm. These are not fixed timings, as the job generating the file depends on predecessor jobs, and every day the timings may vary a little. Each time the same job runs and produces data that I want to use to create a report, but I want to create a separate report for each of the three runs. For example, I want to make a dashboard for the 8:30 am run, so events from the 1:30 pm and 5:15 pm runs should not appear in the searches for this dashboard. So I have to identify my events based on a timestamp range. Can someone help me out with how I can identify events based on the timestamps at which they were indexed?
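An added illustration, not part of the original question or of any reply on this page, of one way to split the three runs by the time of day at which each event was indexed (`_indextime`). The index name, the sourcetype and the three windows (07:00-11:00, 12:00-15:30, 16:00-19:30) are assumptions chosen to bracket the approximate run times stated above with room for the daily drift:

```spl
index=batch_output sourcetype=job_report
| eval idx_hour=tonumber(strftime(_indextime, "%H"))
| eval idx_min=tonumber(strftime(_indextime, "%M"))
| eval idx_minute_of_day=idx_hour*60 + idx_min
| eval run=case(
      idx_minute_of_day >= 7*60  AND idx_minute_of_day < 11*60,    "run_0830",
      idx_minute_of_day >= 12*60 AND idx_minute_of_day < 15*60+30, "run_1330",
      idx_minute_of_day >= 16*60 AND idx_minute_of_day < 19*60+30, "run_1715",
      true(), "unexpected")
| where run="run_0830"
| stats count AS events min(_indextime) AS first_indexed max(_indextime) AS last_indexed by run
| convert ctime(first_indexed) ctime(last_indexed)
```

In a dashboard, replace the `where` clause with a token (for example `run="$run_tok$"`) so one search serves all three reports. `strftime(_indextime, ...)` renders in the searching user's time zone, so the windows move with that setting. An event indexed outside all three windows lands in `unexpected`; give that value a panel of its own so a job that slips past a boundary is noticed instead of silently disappearing from every report.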
I have a requirement where my query has to capture the error from the logs, look up its respective Description and Comments from the lookup file, and then perform statistics based on the Comments. Now what I want is: on comparing it with the lookup file's threshold column, the count of error ghf is 250 and it exceeds the threshold, so its Comments should no longer be Medium; instead it has to be changed to High (Upgraded). Kindly let me know how to proceed with it. Thanks in advance!
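An added worked example, not from the original post, of applying a lookup-defined threshold and upgrading the severity when a count exceeds it. The index, the sourcetype, the regex for the error code, the lookup definition name `error_reference` and its columns (`error_code`, `Description`, `Comments`, `threshold`) are assumptions; substitute the real ones:

```spl
index=app_logs sourcetype=app_errors "ERROR"
| rex field=_raw "ERROR\s+(?<error_code>\w+)"
| stats count AS error_count by error_code
| lookup error_reference error_code OUTPUT Description Comments threshold
| eval Comments=if(isnotnull(threshold) AND error_count > tonumber(threshold), "High (Upgraded)", Comments)
| stats sum(error_count) AS total_errors dc(error_code) AS distinct_errors values(error_code) AS error_codes by Comments
| sort - total_errors
```

The count is computed before the lookup so the comparison is one number per error code against one threshold, and `tonumber()` is used because lookup columns arrive as strings. Codes that are missing from the lookup keep a null `Comments` and fall into their own group in the final `stats`, which is a useful check that the lookup file is complete.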
Hi, last week I had full administrative access to Splunk, but when I opened Splunk this morning it appears my role may have changed; I now have what appears to be limited visibility into the Settings menu, something like what a normal end-user role might see. I am looking for some SPL that would detect whether changes were made to my account, when those changes were made, what changes were made, and who made those changes. Any help with this is appreciated.
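An added example, not part of the original post, of the audit search a practitioner would start from. Splunk writes user and role administration to the `_audit` index; the `action` values `edit_user` and `edit_roles` and the `user` and `object` fields are as they appear in those events, and `your_username` is a placeholder. Role-definition edits are included because an account can lose Settings access without being touched itself if the role it holds is stripped of capabilities:

```spl
index=_audit ((action=edit_user AND object="your_username") OR action=edit_roles)
| table _time user action operation info object
| sort 0 _time
```

Here `user` is the account that made the change and `object` the account or role it was made to. Two caveats: the audit event records that an edit happened and by whom, not the resulting role list, so pair it with `| rest /services/authentication/users/your_username | table title roles` to see the current assignment; and searching `_audit` needs a role that is allowed to read that index, so if the role change removed that access this search returns nothing rather than an error, and an administrator whose rights are intact has to run it.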
Hello, I have taken over a Splunk infrastructure from a colleague of mine, and I would like to verify that I have the current cluster key in my possession before the upgrade. Is there any light, non-intrusive command (requiring authentication) that I can run to verify that I have the correct security key? Thanks.
Hi all, I have some scheduled reports. In the log the result is successful, the search works fine and the PDF in the mail looks right, but when I try to see the results in the web interface this error appears: "There are no results because the first scheduled run of the report has not completed." I tried to clone or create a new report but have the same issue. It's running with admin privileges. Splunk is version 7.2.1. Thanks in advance.
I'm using a base search in my dashboard. Of the dashboard panels, one is created using the base search query and the other is using a normal query, but the base search one is giving three events less than the normal query (which is correct and accurate). So I suspected that the base search will ignore events if the query takes more time to run. (Here I'm trying to count the events based on specific fields.) If anyone knows, please clarify. And one more thing: sometimes the base search also gives accurate results (but it's very rare; I saw it only once).
Hi, I need help with some home automation energy usage. I have a device that sends watt usage every 10 seconds to my Splunk. From this I calculate the difference between each reading, as in the table below.

watt
5
-15
2
-5
3
6
640
-4
-2
15

From this I do an eval like this:

| eval state=case(watt < 680 AND watt > 620, "heater_on", 1=1, "other")

This gives me that the heater is turning on. The problem is when the reading is spread over more than one line, like the table below. The question is how I use Splunk to sum some nearby rows so I get the slow-changing devices.

watt
5
-15
2
-5
3
6
138
505
-4
-2
15
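An added, self-contained example, not from the original post, that rebuilds the second table above with `makeresults`, sums each reading with its predecessor, and flags the heater only on the first row of a run, so a device that ramps over two 10-second readings is caught exactly once. The field names `watt_2`, `state`, `prev_state` and `heater_event` are chosen here:

```spl
| makeresults count=11
| streamstats count AS n
| eval watt=case(n=1,5, n=2,-15, n=3,2, n=4,-5, n=5,3, n=6,6, n=7,138, n=8,505, n=9,-4, n=10,-2, n=11,15)
| streamstats window=2 sum(watt) AS watt_2
| eval state=case(watt_2 > 620 AND watt_2 < 680, "heater_on", true(), "other")
| streamstats current=f window=1 last(state) AS prev_state
| eval heater_event=if(state="heater_on" AND coalesce(prev_state, "other")!="heater_on", 1, 0)
| table n watt watt_2 state heater_event
```

Row 8 gets `watt_2` = 138 + 505 = 643 and is flagged; row 9 (505 - 4 = 501) is not. On real data, drop the first three lines, make sure the events are in ascending time order (`| sort 0 _time`) before the first `streamstats`, and widen `window` to 3 if a device takes three readings to reach its running load. The `prev_state` step matters for the first table too: a single 640 step sums into range with both its neighbours (6 + 640 and 640 - 4), so without it the heater would be counted twice.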
Hi, can I perform a search on a value that is returned from a CASE function in the same search?

| eval filter=case(
    ((IST_time_hour=23 AND IST_time_min>=00) OR (IST_time_hour=00 AND IST_time_min<30)), "1",
    ((IST_time_hour=00 AND IST_time_min>=30) OR (IST_time_hour=01 AND IST_time_min<59)), "2",
    ((IST_time_hour=02 AND IST_time_min>=00) OR (IST_time_hour=03 AND IST_time_min<30)), "3",
    ((IST_time_hour=03 AND IST_time_min>=30) OR (IST_time_hour=04 AND IST_time_min<59)), "4",
    ((IST_time_hour=05 AND IST_time_min>=00) OR (IST_time_hour=06 AND IST_time_min<30)), "5",
    ((IST_time_hour=06 AND IST_time_min>=30) OR (IST_time_hour=07 AND IST_time_min<59)), "6",
    ((IST_time_hour=08 AND IST_time_min>=00) OR (IST_time_hour=09 AND IST_time_min<30)), "7",
    ((IST_time_hour=09 AND IST_time_min>=30) OR (IST_time_hour=10 AND IST_time_min<59)), "8",
    ((IST_time_hour=11 AND IST_time_min>=00) OR (IST_time_hour=12 AND IST_time_min<30)), "9",
    ((IST_time_hour=12 AND IST_time_min>=30) OR (IST_time_hour=13 AND IST_time_min<59)), "10",
    ((IST_time_hour=14 AND IST_time_min>=00) OR (IST_time_hour=15 AND IST_time_min<30)), "11",
    ((IST_time_hour=15 AND IST_time_min>=30) OR (IST_time_hour=16 AND IST_time_min<59)), "12",
    ((IST_time_hour=17 AND IST_time_min>=00) OR (IST_time_hour=18 AND IST_time_min<30)), "13",
    ((IST_time_hour=18 AND IST_time_min>=30) OR (IST_time_hour=19 AND IST_time_min<59)), "14",
    ((IST_time_hour=20 AND IST_time_min>=00) OR (IST_time_hour=21 AND IST_time_min<30)), "15",
    ((IST_time_hour=21 AND IST_time_min>=30) OR (IST_time_hour=22 AND IST_time_min<59)), "15"
  )
| search abc=filter

Please help, guys, as to how to proceed in a situation like this. If this is not possible, is it possible to store the filter value in a token which can be used in another search simultaneously?
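An added example, not from the original post, that replaces the long case() with arithmetic and then filters on the computed value. It assumes `IST_time_hour` and `IST_time_min` hold the hour and minute as numbers or numeric strings and that `abc` holds the slot to match. The slots are the 90-minute windows starting at 23:00 IST, numbered 1 to 16, so the last window gets 16 rather than a repeated 15:

```spl
| eval minutes_since_2300=(tonumber(IST_time_hour)*60 + tonumber(IST_time_min) + 60) % 1440
| eval filter=floor(minutes_since_2300/90) + 1
| where tostring(abc)=tostring(filter)
```

Adding 60 minutes before the modulo is the same as subtracting 23 hours, so 23:00 maps to 0, 00:30 to 90 (slot 2) and 22:59 to 1439 (slot 16), with no gaps at the :59 boundaries. The difference from the original is the last line: `| search abc=filter` looks for events whose `abc` field equals the literal string `filter`, while `where` compares the two fields. For the token alternative in a dashboard, a `<done>` handler on the search can do `<set token="filter">$result.filter$</set>`, and a second panel then uses `$filter$` in its own query.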
What is the difference between services and servicesNS in the Splunk REST API? Can someone explain it in detail? Thanks in advance.
How do I fix this error on the UF? I am getting the error while forwarding data from the UF to the HF.

03-30-2020 07:01:00.193 -0400 INFO ExecProcessor - setting reschedule_ms=59807, for command=python "D:\Program Files\SplunkUniversalForwarder\etc\apps\NPL_Script_Inputs\bin\Scripts\Get_Stream_Data.py"
03-30-2020 07:01:38.398 -0400 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 100 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
Hi, I have a source file named something like Samplefile_Infobar_20200331 and I would like to view the source as Samplefile_Infobar_2020-03-31 on the Splunk search head (with hyphens between the yyyy, mm and dd). How do I do it? Thanks
I have an IoT device that has a webserver running. When I open the webpage http://iot-device.local/data I get a JSON response. How do I get this response into Splunk? I tried to set up an HTTP Event Collector, but I think this works the opposite way...
I am using Splunk to aggregate events from an estate of endpoints. I have notifications in place for known issues and problems based upon the event type. However, I have a need to be notified when any event starts to be reported in volume that has not previously been reported. Any suggestions?
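An added detection example, not part of the original post: compare the last day against the preceding 29 days in one pass and report event types with no baseline history that have crossed a volume threshold. The index `endpoints`, the field `event_type` and the threshold of 10 are assumptions:

```spl
index=endpoints earliest=-30d@d latest=now
| eval period=if(_time >= relative_time(now(), "-1d@d"), "recent", "baseline")
| stats count(eval(period="baseline")) AS baseline_count
        count(eval(period="recent"))   AS recent_count
        min(_time)                     AS first_seen
        by event_type
| where baseline_count=0 AND recent_count >= 10
| convert ctime(first_seen)
| sort - recent_count
```

Schedule it as an alert over the same window. The 30-day memory is bounded by how long the data stays searchable; for a longer baseline, write the known set once with `| stats count by event_type | outputlookup known_event_types.csv` and join against that lookup on each run instead of re-scanning history. A new event type appearing in volume is also an early signal of a misconfigured or compromised endpoint, so keep the threshold low enough that a single chatty host trips it.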
Hello experts, I would like to display this JSON as the table mentioned below. Please help. Thank you.

{"body":[{"srl":"1A","Num":60,"Type":"x1"}, {"srl":"2A","Type":"x2"}], "date":1585522807308}

srl | Num  | Type
1A  | 60   | x1
2A  | None | x2
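An added example, not from the original post, that reproduces the posted JSON with `makeresults`, expands the `body` array into one row per element and fills the missing `Num` with `None`. Converting `date` from epoch milliseconds to a readable time is an extra this example adds:

```spl
| makeresults
| eval _raw="{\"body\":[{\"srl\":\"1A\",\"Num\":60,\"Type\":\"x1\"},{\"srl\":\"2A\",\"Type\":\"x2\"}],\"date\":1585522807308}"
| spath path=date output=date
| spath path=body{} output=body
| mvexpand body
| spath input=body
| fillnull value="None" Num
| eval date=strftime(date/1000, "%Y-%m-%d %H:%M:%S")
| table srl Num Type date
```

On real data, drop the first two lines and run the `spath` commands directly on the ingested events. Extracting `body{}` explicitly and then `mvexpand`-ing it is what keeps `srl`, `Num` and `Type` of each array element together on one row; relying on the automatic `body{}.srl`, `body{}.Num` fields instead gives multivalue columns in which the missing `Num` on the second element shifts the values out of alignment.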
I have looked into all the conf files. Only eventtypes.conf and tags.conf contain a stanza for fschange, and the sourcetype is fs_notification. I didn't find a way to generate events of fs_notification.
Hi, I have a sample XML as shown below. I'm trying to show the panel based on the choice, but it is not working. Please help with this.

Requirement: if I select the first dropdown, its panel will be displayed dynamically; then if I select any value in the 2nd dropdown, the corresponding panel will be displayed and at the same time the first panel has to be hidden. The same for the 3rd dropdown: if I select any value in the 3rd dropdown then the 1st and 2nd panels will be hidden and the 3rd panel will be opened. Could you please check my sample XML and suggest where it is wrong? Thanks in advance.

<form>
  <label>Test</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="tkn_sourcetype" searchWhenChanged="true">
      <label>Select Sourcetype</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <choice value="*">ALL</choice>
      <initialValue>*</initialValue>
      <change>
        <condition label="sourcetype">
          <set token="token_sourcetype"></set>
          <unset token="token_component"></unset>
          <unset token="token_group"></unset>
        </condition>
      </change>
      <search>
        <query>index=_internal sourcetype=* | dedup sourcetype | table sourcetype</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="tkn_component" searchWhenChanged="true">
      <label>Select Component</label>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <choice value="*">All</choice>
      <initialValue>*</initialValue>
      <change>
        <condition label="component">
          <set token="token_component"></set>
          <unset token="token_sourcetype"></unset>
          <unset token="token_group"></unset>
        </condition>
      </change>
      <search>
        <query>index=_internal sourcetype="$tkn_sourcetype$" component=* | dedup component | table component</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="tkn_group" searchWhenChanged="true">
      <label>select group</label>
      <fieldForLabel>group</fieldForLabel>
      <fieldForValue>group</fieldForValue>
      <choice value="*">All</choice>
      <change>
        <condition label="group">
          <set token="token_group"></set>
          <unset token="token_sourcetype"></unset>
          <unset token="token_component"></unset>
        </condition>
      </change>
      <search>
        <query>index=_internal sourcetype="$tkn_sourcetype$" component="$tkn_source$" | dedup group | table group</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row depends="$token_sourcetype$">
    <panel>
      <chart>
        <title>test</title>
        <search>
          <query>index=_internal sourcetype="$tkn_sourcetype$" | stats count by sourcetype</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row depends="$token_component$">
    <panel>
      <chart>
        <title>test</title>
        <search>
          <query>index=_internal component="$tkn_component$" | stats count by component</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row depends="$token_group$">
    <panel>
      <chart>
        <title>test</title>
        <search>
          <query>index=_internal component="$tkn_group$" | stats count by component</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>
Hello, I've installed Proofpoint - ET Splunk TA v1.1.5 on Splunk Enterprise v7.2.9.1 and I need to configure a proxy for Internet egress.

Issue: I need to use a proxy to reach the Internet, and when I set the proxy globally on the OS I can contact all sites, but Proofpoint - ET Splunk TA cannot contact the Proofpoint API through the proxy; I assume the app contacts the Proofpoint API directly. After some debugging, I've seen that line 101 of the $SPLUNK_HOME/etc/apps/TA-etintel/bin/update_repdata.py file reads:

def make_url(authcode, fname):
    url = 'https://rules.emergingthreatspro.com/{0}/reputation/{1}'.format(
        authcode, fname)
    request = Request(url)
    logger.debug("Version is %s", VERSION)
    agent = "ET-SPLUNK-TA (" + VERSION + ")"
    logger.debug("User-agent is %s", agent)
    request.add_header("User-agent", agent)
    return request

I want to know how to set up proxy lines in the script for Internet egress. I suggest making a modification in the next app version and adding an option to allow the user to modify the proxy settings through the app's web interface in Splunk. Any suggestion for a quick workaround? Regards
Hi all, what would be the impact if I use "%Q" rather than "%6Q"? I'm seeing a 20 minute time delay in Splunk ingestion; is this because of this or not?

Log examples:
- 2020-03-08-15.31.10.838384
- 2020-02-01-18.25.15.738385

https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Commontimeformatvariables
https://docs.splunk.com/Documentation/Splunk/8.0.2/Troubleshooting/Troubleshootingeventsindexingdelay
Hi team! We are currently using SDK version 1.6.6 and Splunk Enterprise 6.5.4. Is this SDK compatible with Splunk 7.3.4? We will upgrade soon. Can you recommend a new version to us? Thank you.
I would like to add a line break in the label in order to have the full title as well as the value and the percentage.

Currently:

Desired outcome:

End of the SPL used:

.... | eventstats sum(tache) as total_tache
| eval percent = round((tache/total_tache)*100,2)
| eval DR=DR." (".'tache'.")".",".'percent'."%"
| rex mode=sed field=DR "s/,/\n/g"

I tried to use the "sed" command; it works in a table but not in a pie chart. Can you help me?