Hello all, I am new to Splunk and need to develop an interactive dashboard. It would be great if anyone can help with this.

My dashboard should have a couple of radio buttons:
1. Search by input parameters
2. Search by output parameters

By selecting the option "Search by input parameters":
a. I want to display 5 text fields (which are input parameters) and a submit button
b. Allow the user to key in the text fields and submit
c. Display the results in a table format

By selecting the option "Search by output parameters":
a. I want to display 5 text fields (which are output parameters) and a submit button
b. Allow the user to key in the text fields and submit
c. Display the results in a table format
Running into an issue where TA-pfsense is only creating three sourcetypes:
pfsense:filterlog
pfsense:dhclient
pfsense

I'm not that Splunk savvy. Looking at the props and transforms, and then at the data in Splunk (_raw), I'm wondering if the lack of a time in the raw log is throwing off the transforms that create the sourcetype.

Example raw log not getting sourcetyped by the app (so it ends up with sourcetype=pfsense):
/index.php: User logged out for user 'admin' from: 192.168.1.151 (Local Database)
OR
sendmsg: Permission denied

Example of a raw log getting sourcetyped as pfsense:dhclient, which is not addressed in the props:
Mar 28 22:13:03 dhclient: FAIL

Looking at the transforms:
[pfsense_sourcetyper]
REGEX = \w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)

I'm assuming it gets past the timestamp, and what follows is what gets grabbed as the sourcetype to append to pfsense:. With this assumption, the raw logs without a time in the raw simply get sourcetyped pfsense. This is causing OpenVPN logs, nginx, dhcpd etc. to not accurately get sourcetyped and fields extracted, as they are sourcetyped simply 'pfsense'.
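To check the assumption in the post (that the sourcetype suffix is whatever the capture group grabs after the syslog timestamp, and that events with no timestamp never match), the following added example runs the quoted transforms regex over a few constructed events. It is not code from the post or from TA-pfsense; the two no-timestamp lines and the dhclient line are the ones quoted above, the openvpn and nginx lines are made up, and the assumption that the transform's FORMAT appends the capture to "pfsense:" is taken from the post, not from the app's transforms.conf.

```python
import re

# Regex copied verbatim from the [pfsense_sourcetyper] stanza quoted in the post.
SOURCETYPER_REGEX = re.compile(
    r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)"
)


def derive_sourcetype(raw, base="pfsense"):
    """Mimic the transform: when the regex matches, the captured program name is
    appended to the base sourcetype (assumed FORMAT = sourcetype::pfsense:$1);
    when it does not match, the event keeps the base sourcetype. Splunk's
    transforms regexes are unanchored, so re.search (not re.match) is the
    faithful equivalent."""
    match = SOURCETYPER_REGEX.search(raw)
    if match is None:
        return base
    return f"{base}:{match.group(1)}"


# Constructed sample events: the first and last two are quoted in the post,
# the openvpn and nginx lines are invented to show the hostname-present case.
SAMPLES = [
    "Mar 28 22:13:03 dhclient: FAIL",
    "Mar 28 22:13:03 pfsense openvpn[12345]: peer info: IV_VER=2.4.7",
    "Mar 28 22:13:03 pfsense nginx: 2020/03/28 22:13:03 [error] 1#0: upstream timed out",
    "/index.php: User logged out for user 'admin' from: 192.168.1.151 (Local Database)",
    "sendmsg: Permission denied",
]


def classify(lines):
    """Map each raw event to the sourcetype the transform would assign."""
    return {line: derive_sourcetype(line) for line in lines}


if __name__ == "__main__":
    for line, sourcetype in classify(SAMPLES).items():
        print(f"{sourcetype:18} <- {line}")
```

Two things worth noticing from the output. "dhclient:" gets its suffix only because the optional hostname group backtracks when it hits the colon, so the program name is captured whether or not a hostname precedes it. And because the regex is unanchored, an event that lacks a leading timestamp but happens to contain a timestamp-shaped substring later in its message would still be sourcetyped from whatever word follows that substring; the events in the post fail simply because nothing in them looks like "Mon DD HH:MM:SS".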
Hello, I am trying to set up my Cordova application with AppDynamics using EUM. With the iPhone, I was able to set it up using the provided Cordova plugin (appd-plugin-eum-mobile). However, for Android, I am not able to install the application on my phone when the AppD plugin is added. I am getting the below error when trying to install the Android APK on my device or simulator. I have tried to follow your documentation on my existing Cordova project and also on a new empty Cordova project, but I get the same exception. Additionally, I also created a blank Android project and followed the steps to manually install the Android AppD agent, but I ended up with the same results. I have tried a combination of the Gradle version with the AppD version, but I was never able to install my APK on my phone or simulator and ended up with the below error. I believe `gradle plugin 'adeum'` is giving some issue when generating the APK. The project gets built successfully but fails to install on the device. I was able to instrument my iOS application.

Build fail error:
Installation did not succeed.
The application could not be installed: INSTALL_FAILED_INVALID_APK
The APKs are invalid.

Logcat console:
2020-03-27 17:57:08.202 4911-4911/? I/studio.deploy: Streaming succeeded for '/data/app/com.example.myapplication-V0VU29_rzIMVeWBTR4be6A==/base.apk'
2020-03-27 17:57:08.202 4911-4911/? I/studio.deploy: package
2020-03-27 17:57:08.202 4911-4911/? I/studio.deploy: install-commit
2020-03-27 17:57:08.202 4911-4911/? I/studio.deploy: 2047134392
2020-03-27 17:56:18.605 2360-2942/? D/PowerUI: can't show warning due to - plugged: true status unknown: false
2020-03-27 17:57:08.301 1291-1336/? I/ActivityManager: Force stopping com.example.myapplication appid=10234 user=-1: installPackageLI
2020-03-27 17:57:08.301 1291-1351/? W/PackageManager: Scanning Failed.
com.android.server.pm.PackageManagerException: Package /data/app/com.example.myapplication-MFkL8J6KrcEk8s6fIMCuvw==/base.apk code is missing
    at com.android.server.pm.PackageManagerService.assertCodePolicy(PackageManagerService.java:11561)
    at com.android.server.pm.PackageManagerService.assertPackageIsValid(PackageManagerService.java:11719)
    at com.android.server.pm.PackageManagerService.scanPackageNewLI(PackageManagerService.java:10962)
    at com.android.server.pm.PackageManagerService.scanPackageTracedLI(PackageManagerService.java:10729)
    at com.android.server.pm.PackageManagerService.installPackagesLI(PackageManagerService.java:16986)
    at com.android.server.pm.PackageManagerService.installPackagesTracedLI(PackageManagerService.java:16315)
    at com.android.server.pm.PackageManagerService.lambda$processInstallRequestsAsync$13$PackageManagerService(PackageManagerService.java:14598)
    at com.android.server.pm.-$$Lambda$PackageManagerService$S4WxZjKnT0iu1kmEXSrs7BiizN4.run(Unknown Source:6)
    at android.os.Handler.handleCallback(Handler.java:883)
    at android.os.Handler.dispatchMessage(Handler.java:100)
    at android.os.Looper.loop(Looper.java:214)
    at android.os.HandlerThread.run(HandlerThread.java:67)
    at com.android.server.ServiceThread.run(ServiceThread.java:44)
2020-03-27 17:57:08.302 1009-1630/? E/installd: Failed to delete /data/app/vmdl2047134392.tmp: No such file or directory
2020-03-27 17:57:08.307 4911-4911/? E/studio.deploy: Failure [INSTALL_FAILED_INVALID_APK: Scanning Failed.: Package /data/app/com.example.myapplication-MFkL8J6KrcEk8s6fIMCuvw==/base.apk code is missing]

Android Studio: 3.6.1
Gradle version: 5.6.4 and 6.2.2
AppD Android agent: 5.3.1558 and 5.3.1565
Cordova version: 8.0.0
Android version: 10
Hello, we have one search head and one indexer server running on separate VMs. I'm wondering where we should install the website monitoring application. Any tip or advice is much appreciated. Regards, SR
Hello, first off I hope everyone out there is staying safe and healthy. As a result of what's going on, I am being asked to do some stuff with Splunk that I am not too familiar with. I am a n00b when it comes to data models, but I have successfully built a couple now and they are working (mostly). However, I am having a fairly specific problem when trying to search one of them. I have been searching and banging my head against the wall for a couple of days and I am hoping someone can help. So here's the deal...

If I run this search it works and generates a table with the requested fields:
| datamodel Data_Mode_Name summariesonly=true search | search src_ip=* | table src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, acl, index

If I include a default field like sourcetype or source, or an internal field like _time, the search runs but the table comes back blank. Here's an example of one that fails:
| datamodel Data_Mode_Name summariesonly=true search | search src_ip=* | table _time, src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, acl, index

I'm running Splunk Enterprise v7.14. I'm really hoping this is something simple that I am just missing. Any help would be greatly appreciated! Cheers, -Mark W.
Hi. I observe a problem with requests to my controller through the application Ldapsearch. Users (with the role Power) cannot fulfill the request. An error occurs while executing the request:
External search command 'ldapsearch' returned error code 1. Script output = "error_message=password is mandatory in simple bind ".
See attachment. I, under the role of administrator (Admin), easily perform LDAP requests. The stanza is configured correctly. The connection test passes. For the account under which requests are made in LDAP and the integration with AD, the attribute UserAccountControl has the value DONT_EXPIRE_PASSWORD. Users with the Power role have been granted rights to the ldapsearch application. Please, what other suggestions could there be?
Hello experts and Splunkers, I have batch job log files being indexed into Splunk. The actual log looks like below. It's essentially telling me that JobA started at 5:35:42 and finished at 5:36:12, and JobA again started at 5:36:12 and finished at 5:36:43.
0,2020-02-09T05:36:43,Server1,End,JobA
,2020-02-09T05:36:12,Server1,Start,JobA
0,2020-02-09T05:36:12,Server1,End,JobA
,2020-02-09T05:35:42,Server1,Start,JobA

When the log file is indexed and I search the index, Splunk returns the same 4 events but in a different sequence, like below:
0,2020-02-09T05:36:43,Server1,End,JobA
0,2020-02-09T05:36:12,Server1,End,JobA
,2020-02-09T05:36:12,Server1,Start,JobA
,2020-02-09T05:35:42,Server1,Start,JobA

As you can see, the 2nd and 3rd events have the same _time and the sequence is flipped compared to the original sequence. It seems Splunk automatically sorts the events by _time when returning them. I need the result returned in the original sequence. Is there any way to instruct Splunk to return events in the original, actual sequence?
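The post's four lines make a compact illustration of why a second-resolution timestamp alone cannot order a Start and an End that share a second, and what a tie-breaker has to carry. The following is an added example, not code from the post: it parses the four lines exactly as quoted (column meanings are inferred from the post: status, timestamp, host, phase, job), tags each with its position in the file, and pairs Starts with Ends. With the file position as tie-breaker it recovers the two runs the post describes; with time alone it reproduces the flipped order the post's search results show and pairs the wrong events.

```python
import csv
from datetime import datetime
from io import StringIO

# The four events quoted in the post, in their original file order (newest
# first). Columns are inferred: status, timestamp, host, phase, job.
LOG_FILE_ORDER = """\
0,2020-02-09T05:36:43,Server1,End,JobA
,2020-02-09T05:36:12,Server1,Start,JobA
0,2020-02-09T05:36:12,Server1,End,JobA
,2020-02-09T05:35:42,Server1,Start,JobA
"""


def parse_events(text):
    """Parse the CSV lines and attach a 'seq' counter recording the position
    in the file, which is the only record of the true order once two events
    share a timestamp."""
    events = []
    for seq, row in enumerate(csv.reader(StringIO(text))):
        if not row:
            continue
        status, timestamp, host, phase, job = row
        events.append({
            "seq": seq,
            "_time": datetime.fromisoformat(timestamp),
            "host": host,
            "phase": phase,
            "job": job,
            "status": status,
        })
    return events


def run_durations(events, use_file_order=True):
    """Pair each Start with the following End for the same host/job and return
    the run durations in seconds.

    With use_file_order=True the sort key is (_time, -seq): the file is
    newest-first, so a larger seq means an earlier event, which puts the End
    of run 1 before the Start of run 2 at 05:36:12. With use_file_order=False
    the events are ordered by _time only, and a stable sort then leaves the
    two 05:36:12 events in file order (Start before End), which is the same
    relative order the post's search results show when read oldest-first."""
    if use_file_order:
        ordered = sorted(events, key=lambda e: (e["_time"], -e["seq"]))
    else:
        ordered = sorted(events, key=lambda e: e["_time"])

    open_runs = {}
    durations = []
    for event in ordered:
        key = (event["host"], event["job"])
        if event["phase"] == "Start":
            open_runs[key] = event["_time"]  # a second Start overwrites the first
        elif event["phase"] == "End" and key in open_runs:
            started = open_runs.pop(key)
            durations.append(int((event["_time"] - started).total_seconds()))
    return durations


if __name__ == "__main__":
    events = parse_events(LOG_FILE_ORDER)
    print("with file-order tie-break:", run_durations(events))        # [30, 31]
    print("time only:", run_durations(events, use_file_order=False))  # [0]
```

The practical lesson is that the tie-breaker has to be something Splunk indexes with the event: a sub-second timestamp or a sequence number emitted by the batch job itself. Nothing reconstructable after indexing knows which of two identical-second events came first.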
I have tried using username - admin and password - but am unable to log in. Message: "If you installed this instance, use the username and password you created at installation."
Please join me and the Splunk community in donating your processing power to COVID-19 research. If you know how to use Folding@home and want to donate as part of the Splunk community, please join our team below:
https://stats.foldingathome.org/team/238889
If you're new to Folding@home, please visit the link below for more details on how you can contribute your idle CPU/GPU to help researchers of COVID-19:
https://foldingathome.org
If you decide to contribute, please join our team! Thanks, be well and do good work!
Hi, I am looking for a Python example involving scripted SAML SSO authentication on a Splunk Cloud subscription. I could not get the examples given on GitHub etc. to work, as they involve sending password values, while my Splunk login attempts would not be passing any (the SAML configuration doesn't need me to). I'd appreciate it if someone can point me to one or share lines that could work. Thanks, VC
Hi, can you please point me in the right direction, or to an already answered good topic, about one Splunk search over data I have indexed. Example data:
Value, Passed
Yo, Yes
Yo, Yes
Yo, No
Bro, No
Bro, Yes

Now I first want to dedup (or get the unique values into an array -> Yo and Bro) and then get chart results in percentages, like Yo 75% Yes, 25% No; Bro 50% Yes, 50% No. And probably put it into a chart where the X axis will be Yo, Bro, ... and the Y axis the percentage in 2 colors. Thanks.
I have Python code in several apps that I need to deploy in Splunk Cloud. I'd like to log error conditions. As these apps need to be deployed/updated regularly, I want to directly upload them and NOT have them trigger delays for manual vetting by Splunk Cloud. Documentation suggests that SPLUNK_HOME/var/log//.log should be acceptable. However, even with this, AppInspect tells me "logging.FileHandler could be used to receive data from outside or log data to outside." How do I set up Python logging to avoid delays with manual checks going into Splunk Cloud?
Hello, how can I import JSON files inside the application, i.e. the Cisco app? Thanks,
Hello all, I'm trying to install Controller jobs and I get this error:
Task failed: Upload os packages prerequisite validation script on host: smartnet-virtual-machine as user: smartnet with message: Error occurred while performing the file operation: copy
java.nio.file.AccessDeniedException: /home/smartnet/appdynamics/platform/product/controller/check-prerequisite-packages.sh
Can anyone help?
There are 4 dropdowns, D1, D2, D3 and D4. All have unique searches, and I want to pass the data accordingly into a single panel. Ex: the D1 dropdown uses index=A, D2 uses index=B, D3 uses index=C as a base search. Now when the user selects any value in the D1 dropdown, the data is reflected in the single panel, and when a D2 dropdown value is selected, the D2 token data should be passed into the same panel.
DropdownA, DropdownB, DropdownC, DropdownD: I have a single panel and it should change the search based on the above 4 dropdowns, which use unique searches. Ex: when I select DropdownA, the dashboard panel should execute index=A; when I select DropdownB, the dashboard panel should execute index=B.
I am running version 8.x. I want to add the capability to run a custom Linux bash script as an alert action with the OOTB search app. I did the following:

1 - Created a file called alert_actions.conf in the /opt/splunk/etc/apps/search/default directory with the following content:
[sendsnmptrap]
is_custom = 1
label = Send SNMP Traps
description = Custom action to send search result as SNMP traps
ttl = 120
disabled = 0
---- how can I call the script?

2 - Created the script as /opt/splunk/etc/apps/search/bin/sendsnmptrap.sh with the very basic command & parameter.
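For readers wiring up the same kind of action, here is an added example of what the script on the receiving end of a custom alert action has to handle. It is not the poster's script and not Splunk's code. What it relies on from Splunk's custom alert action documentation: the script lives in the app's bin directory and is named in the stanza with alert.execute.cmd; Splunk runs it as "<script> --execute" and writes a JSON payload to stdin whose keys include results_file (a gzipped CSV of the triggering results), search_name, sid and session_key. The script name sendsnmptrap.py, the varbind naming and the sample results are made up for the example, and the actual SNMP send is left as a callback because the post does not say how the trap is formed.

```python
#!/usr/bin/env python
"""Custom alert action handler (hypothetical sendsnmptrap.py, to be placed in
$SPLUNK_HOME/etc/apps/search/bin and referenced from alert_actions.conf with
alert.execute.cmd = sendsnmptrap.py).

Splunk runs a custom alert action as '<script> --execute' and writes a JSON
payload to stdin; the keys read here (results_file, search_name, sid,
session_key) are from that payload format.
"""
import csv
import gzip
import io
import json
import os
import sys
import tempfile


def read_results(results_file):
    """The triggering results arrive as a gzipped CSV; return them as dicts."""
    with gzip.open(results_file, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def build_varbinds(payload, results):
    """Flatten payload metadata and result rows into (name, value) pairs for an
    SNMP trap. session_key is deliberately excluded: it is a live Splunk
    credential and must never end up in a trap, a log line or a command line."""
    varbinds = [
        ("search_name", payload.get("search_name", "")),
        ("sid", payload.get("sid", "")),
        ("result_count", str(len(results))),
    ]
    for i, row in enumerate(results):
        for field, value in row.items():
            varbinds.append((f"result.{i}.{field}", value))
    return varbinds


def execute(argv, stdin, send):
    """Entry point Splunk reaches: check the mode, parse the payload, read the
    results and hand the varbinds to 'send'. Returns the process exit code.
    Lines written to stderr end up in splunkd.log."""
    if len(argv) < 2 or argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute)\n")
        return 1
    payload = json.load(stdin)
    results = read_results(payload["results_file"])
    send(build_varbinds(payload, results))
    return 0


def demo():
    """Constructed stand-ins for what Splunk would supply: a tiny gzipped
    results file and a payload. Returns (exit_code, varbinds)."""
    fd, path = tempfile.mkstemp(suffix=".csv.gz")
    os.close(fd)
    try:
        with gzip.open(path, "wt", newline="") as fh:
            fh.write("host,failures\nweb01,7\n")
        payload = {"search_name": "Failed logins", "sid": "scheduler__demo",
                   "results_file": path, "session_key": "not-for-export"}
        sent = []
        rc = execute(["sendsnmptrap.py", "--execute"],
                     io.StringIO(json.dumps(payload)), sent.extend)
        return rc, sent
    finally:
        os.remove(path)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real invocation by Splunk. Replace the print with the SNMP send,
        # built as an argument list (e.g. for snmptrap), never as a shell
        # string assembled from result values.
        sys.exit(execute(sys.argv, sys.stdin, lambda vb: print(vb)))
    else:
        print(demo())
```

The same payload contract applies to a bash script: read the JSON from stdin, pull results_file out of it, and gunzip that file; the values in it are search output, so they must be passed to any external command as separate arguments rather than interpolated into a shell line.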
My security people want me to use an OpenJDK product from Azul Systems. I get an error when saving the configuration settings:
{'jre_need': 'Need Oracle Corporation JRE version 1.8 or OpenSDK 1.8',
 'jre_using': 'Using Azul Systems, Inc. JRE version 1.8, OpenJDK 64-Bit Server VM',
 'message': 'Unsupported JRE detected'}
validate java command: /opt/splunk-nexusJDK/zulu8.44.0.10-sa-jdk8.0.242-linux_x64/jre/bin/java

Azul suggested this override in the JVM options: "-XX:+OverrideVMProperties -Djava.vm.vendor="Oracle Corporation"". That didn't work either. DB Connect works fine with standard Oracle Java and Oracle's OpenJDK. Has anyone been successful using an alternative Java engine like this? Thanks in advance.
Hi Splunk, I'm getting an error after installing the Splunk SDK for Python. The error is:
Traceback (most recent call last):
  File "./shelltest.py", line 4, in <module>
    import splunk.Intersplunk
ImportError: No module named splunk.Intersplunk

I can see the splunk.Intersplunk module in dir: /apps/splunk/lib/python2.7/site-packages/splunk

The program is basic:
#!/usr/bin/env python
import sys
import subprocess
import splunk.Intersplunk

# Pass the command's argument list to the wrapped shell script as one argument
cmdargs = str(sys.argv)
program_name = "/lm_tmp/yourscript.sh"
subprocess.call([program_name, cmdargs])

The PYTHONPATH variable in .bash_profile is:
PYTHONPATH=/apps/splunk/etc/apps/splunk-sdk-python

NOTE: if I replace import splunk.Intersplunk with import splunklib, the program runs without any issue. Is there something wrong with the Python path? Anyone? I've been at it for a while and am currently stumped. Thx
We need to ingest syslog data. Rather than sending to a syslog server and then reading the data from disk with a forwarder, it seems like sending directly to a forwarder listening on port 514 would be more efficient. Are there any problems with doing this?