All Topics

Hi All, We had set up an alert that runs every day, and it had been working fine until today. Today, we see that the alert is triggered with no results, but when we run the same search for the same time range, it shows the results. Here is the entry in scheduler.log:

03-26-2020 03:20:36.406 -0400 INFO SavedSplunker - savedsearch_id="nobody;myapp;alertname", search_type="scheduled", user="test", app="myapp", savedsearch_name="alertname", priority=default, status=success, digest_mode=1, scheduled_time=1585207200, window_time=0, dispatch_time=1585207235, run_time=0.170, result_count=1, alert_actions="email", sid="scheduler__test_Qk1TX1dNX0lOVEdfTUVUUklDUw__RMD522d64366074c1a92_at_1585207200_23138", suppressed=0, thread_id="AlertNotifierWorker-0"

When I tried checking the results of the triggered alert, it shows that the alert no longer exists, and when I tried

|loadjob scheduler__test_Qk1TX1dNX0lOVEdfTUVUUklDUw__RMD522d64366074c1a92_at_1585207200_23138

it says that the sid doesn't exist. I have checked the dispatch directory and I don't see a directory with the name of that sid. Could anyone help me find out what the results of the alert were and whether there are any issues with the alert?
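The scheduler.log line quoted above is a flat key=value record, and the two things worth reading out of it are result_count (the run did return results) and the gap between scheduled_time and dispatch_time. The sid names the artifact directory under $SPLUNK_HOME/var/run/splunk/dispatch, and that directory is only kept for the search's TTL, so a sid from a run that has since expired is missing for a reason unrelated to the alert itself. The parser below is an added example, not code from the post or from Splunk; the first sample line is the one quoted in the post and the second is a constructed earlier run with zero results. The dispatch path and SPLUNK_HOME default are assumptions.

```python
"""Parse Splunk scheduler.log SavedSplunker lines and check whether each run's
search artifact still exists. Added example; not code from the post or from Splunk."""
import os
import re
from datetime import datetime

# Constructed sample lines: the first is the entry quoted in the post, the second is a
# made-up earlier run with zero results so the "fired" logic has a contrasting case.
SAMPLE_LOG = '''03-26-2020 03:20:36.406 -0400 INFO SavedSplunker - savedsearch_id="nobody;myapp;alertname", search_type="scheduled", user="test", app="myapp", savedsearch_name="alertname", priority=default, status=success, digest_mode=1, scheduled_time=1585207200, window_time=0, dispatch_time=1585207235, run_time=0.170, result_count=1, alert_actions="email", sid="scheduler__test_Qk1TX1dNX0lOVEdfTUVUUklDUw__RMD522d64366074c1a92_at_1585207200_23138", suppressed=0, thread_id="AlertNotifierWorker-0"
03-25-2020 03:20:31.120 -0400 INFO SavedSplunker - savedsearch_id="nobody;myapp;alertname", search_type="scheduled", user="test", app="myapp", savedsearch_name="alertname", priority=default, status=success, digest_mode=1, scheduled_time=1585120800, window_time=0, dispatch_time=1585120831, run_time=0.150, result_count=0, alert_actions="", sid="scheduler__test_Qk1TX1dNX0lOVEdfTUVUUklDUw__RMD522d64366074c1a92_at_1585120800_22901", suppressed=0, thread_id="AlertNotifierWorker-0"
'''

HEADER_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) \S+ SavedSplunker - (?P<body>.*)$'
)
# key=value pairs; the value is either double-quoted or bare up to the next comma/space
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')
INT_FIELDS = {"scheduled_time", "dispatch_time", "result_count", "suppressed", "digest_mode", "window_time"}


def parse_scheduler_line(line):
    """Return a dict of the fields in one SavedSplunker line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")}
    for key, quoted, bare in KV_RE.findall(m.group("body")):
        val = quoted if quoted != "" else bare
        if key in INT_FIELDS:
            rec[key] = int(val)
        elif key == "run_time":
            rec[key] = float(val)
        else:
            rec[key] = val
    return rec


def audit_runs(log_text, dispatch_dir):
    """Summarise each scheduled run: did it fire an action, how late did it dispatch,
    and is its search artifact still on disk under dispatch_dir?"""
    runs = []
    for line in log_text.splitlines():
        rec = parse_scheduler_line(line)
        if rec is None or rec.get("search_type") != "scheduled":
            continue
        runs.append({
            "sid": rec["sid"],
            "savedsearch_name": rec["savedsearch_name"],
            "result_count": rec["result_count"],
            # an action ran only if results came back, an action is configured and it was not suppressed
            "fired": rec["result_count"] > 0 and rec["alert_actions"] != "" and rec["suppressed"] == 0,
            "dispatch_lag_s": rec["dispatch_time"] - rec["scheduled_time"],
            "artifact_present": os.path.isdir(os.path.join(dispatch_dir, rec["sid"])),
        })
    return runs


if __name__ == "__main__":
    # assumed default artifact location on a search head; SPLUNK_HOME defaults to /opt/splunk here
    dispatch = os.path.join(os.environ.get("SPLUNK_HOME", "/opt/splunk"), "var", "run", "splunk", "dispatch")
    for run in audit_runs(SAMPLE_LOG, dispatch):
        print(run)
```

Run it against the real scheduler.log on the search head (feed the file's text to audit_runs) to list every run of the saved search with its result count and whether the artifact is still present; a run with fired=True and artifact_present=False means the action did trigger on results, but the job has since been cleaned up and loadjob cannot bring it back.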
Hi, I am using the Splunk Cloud trial. I want to install the Splunk Cloud Gateway add-on, but it throws an error message:

"Error downloading update from https://splunkbase.splunk.com/app/4250/release/1.10.0/download/: Not Found"

I checked the add-on on Splunkbase and the latest version of that app/add-on is 1.9, so I think that's the problem (I think the latest version was 1.10 but was deleted for some reason). As I am using a trial, I cannot request technical support. In this Splunk Cloud instance I cannot install an app from a file. How can I solve this problem? Thanks!
Hi, When I perform any search in Splunk, the left side has Interesting Fields and Selected Fields showing a list of the attributes returned. If I select pod from the Selected Fields (currently showing "35" against it), I am shown the top log-producing pods in our Kubernetes cluster. But when I click into the top pod which, according to this, has generated over 100,000 log events today, no results are shown and instead I get the message: "No results found. Try increasing the time range". We have only installed the logging Helm chart, not the metrics one, since this is a daemonset that runs on every node and we only need logging. Thanks.
I have a Java program accessing the HEC over HTTPS with a token. I have tracing on for the SSL handshake; it goes through the handshake:

*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2

When the actual event is written, I get:

Failed write of Log Event: {"text":"The requested URL was not found on this server.","code":404}
Reply: {"text":"The requested URL was not found on this server.","code":404}
ErrorCode: 404
Failed write of Log Event: {"text":"The requested URL was not found on this server.","code":404}
OkHttp ConnectionPool, called close()
OkHttp ConnectionPool, called closeInternal(true)
OkHttp ConnectionPool, SEND TLSv1.2 ALERT: warning, description = close_notify
CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
AESGCM encrypt: key= 0000: dc 8f 84 2a b6 a6 30 8d 18 d7 6c d0 e8 85 82 51 ......0...l....Q

So the HEC acknowledges both the client and itself, then fails. Does anybody know what this issue would be? Thanks, Steve.
Is there an add-on or a way to get the RSS data for Webex into Splunk to know its health status? I used https://splunkbase.splunk.com/app/2646/ Thanks in advance.
Auditing - When performing multiple operations of adding and removing a role, only the adding of the role is audited. How do I fix this?
Hi, I need to monitor a system that has around 40 components. Each one of them can be up and running or down at any point in time. I would like to create a matrix of, let's say, 5x8 where each cell represents a component and the color tells whether it is up or down. How can I achieve that? Many thanks.
So I have some data that I'm trying to extract the application name from. These are Citrix ICA syslog events. Here are the 2 snippets I'm trying to match. For one I'd like to stop at " - startTime", for the other stop at the $. Both are the same field, applicationName.

applicationName SXe Staging GCAST-2 - startTime
applicationName HDS 2016 VIRTUAL DESKTOP TEST $S88-166 - startTime

The italic text is what I'd like to get for the field value "applicationName". Here is what I have come up with that does capture up to - startTime:

rex "applicationName (?<AAAAAAA>.+)(?=(\s-\sstartTime))"

However, when I try

rex "applicationName (?<AAAAAAA>.+)(?=(\s-\sstartTime|$))"
rex "applicationName (?<AAAAAAA>.+)(?=(\s-\sstartTime|\$))"
rex "applicationName (?<AAAAAAA>.+)(?=(\s-\sstartTime|\\$))"
rex "applicationName (?<AAAAAAA>[^$].+)(?=(\s-\sstartTime))"
rex "applicationName (?<AAAAAAA>[^\$|startTime].+)"

it doesn't quite work right. Anyway, I'm just trying to limit the results to actual application names, not this extra bit of data that Citrix or someone has thrown into the field. Like these, where the two Windows 10 events should really be the same field value:

SXe Staging GCAST-2
HDS 2016 VIRTUAL DESKTOP TEST $S88-166
Canada Greatplains Windows 10 $A41-29-3D5DDA4A-0001
aSa ex Menu Windows 10 $A67-37-3D5C3C71-0001
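The reason the variants with a `$` alternative capture too much is the greedy `.+`: it runs to the end of the line first, and at that position the `$` branch of the lookahead always succeeds, so the engine never needs to back up to " - startTime". A lazy `.+?` stops at the first position where the lookahead matches, and adding a ` $` branch trims the session suffix as well. The script below is an added example, not code from the post; the four sample events are constructed from the fragments the post quotes, with made-up startTime values, and it runs the post's own greedy pattern beside the lazy one so the difference is visible. Splunk's rex uses PCRE, which supports the same lazy quantifier and lookahead, so the SPL form I would expect to work is rex "applicationName (?<applicationName>.+?)(?=\s-\sstartTime|\s\$|$)" (not run here).

```python
"""Extract applicationName from Citrix ICA syslog events. Added example, not from the
post; the sample events are constructed from the fragments the post quotes."""
import re

# Constructed sample events (the startTime values are made up).
SAMPLE_EVENTS = [
    "applicationName SXe Staging GCAST-2 - startTime 2020-03-26T10:00:00",
    "applicationName HDS 2016 VIRTUAL DESKTOP TEST $S88-166 - startTime 2020-03-26T10:01:00",
    "applicationName Canada Greatplains Windows 10 $A41-29-3D5DDA4A-0001",
    "applicationName aSa ex Menu Windows 10 $A67-37-3D5C3C71-0001",
]

# The post's pattern: greedy .+ runs to the end of the line, where the $ alternative of
# the lookahead always succeeds, so nothing is ever trimmed.
GREEDY_RE = re.compile(r"applicationName (?P<applicationName>.+)(?=(\s-\sstartTime|$))")

# Lazy .+? stops at the first place the lookahead matches: " - startTime",
# a " $..." session suffix, or end of string.
LAZY_RE = re.compile(r"applicationName (?P<applicationName>.+?)(?=\s-\sstartTime|\s\$|$)")


def extract(event, pattern=LAZY_RE):
    """Return the applicationName value for one event, or None if the field is absent."""
    m = pattern.search(event)
    return m.group("applicationName") if m else None


def extract_all(events, pattern=LAZY_RE):
    return [extract(e, pattern) for e in events]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"greedy: {extract(event, GREEDY_RE)!r}")
        print(f"lazy:   {extract(event, LAZY_RE)!r}")
```

With the lazy pattern the two Windows 10 events collapse to the same value, "Canada Greatplains Windows 10" and "aSa ex Menu Windows 10" respectively, while the greedy pattern hands back everything after "applicationName ".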
Hi, I have a dataset with each identifier having multiple events. Each event can have a TransactionType, which can have one of two values (Solution or Applied). And each event will have a Status with one of 3 values (Success/Failure/Exception). I need to generate summary statistics with one row for each identifier, and counts of Success/Failure/Exception for each of the two TransactionType values, and this has to come in the columns as shown in the image.
I want to schedule the last 24 hours of my dashboard graphs as a PDF. How can I do this using a conf file, and which conf file should I use?
Please let me know what the options are to integrate Splunk panels into SharePoint (reports and panels). Our idea is to have the same dashboard in Splunk and in a SharePoint page.
I would like to get results by identifying patterns within a string field based on the string match/pattern/occurrence. Ex: the File_name field has a collection of string values like ABCD, ABCDG, ABCGRC, ABCD21, ABCDXYZ, INDIAUS, INDIABritain, INDIAAus.... I need to get the below output based on the count of occurrences of a word in each value of the File_name field. Patterns: ABCD, INDIA, ABC and so on. Hint: ABCD has occurred 4 times (in ABCD, ABCDG, ABCD21, ABCDXYZ) and INDIA 3 times, and so on.
I've got data, say, in the following format (*there may be more than three types of exception):

Name,Exception,count
Jack,Null Pointer Exception,10
Jack,Number Format Exception,10
Jack,Other Exception,10
Tom,Null Pointer Exception,20
Tom,Number Format Exception,20
Tom,Other Exception,20
Dave,Null Pointer Exception,30
Dave,Number Format Exception,30
Dave,Other Exception,30

The required output is something like:

Name, Rank for Null Pointer Exception, Rank for Number Format Exception, ...
Jack, 3, 3, 3
Tom, 2, 2, 2
Dave, 1, 1, 1

Can you suggest any simple SPL? Thank you.
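The shape of the task is: group rows by Exception, order each group by count descending, number the rows within the group, then pivot so each Exception becomes a "Rank for ..." column keyed by Name. The code below is an added example, not from the post, that does exactly that in Python on the CSV the post quotes, handling an arbitrary number of exception types and giving equal counts the same rank (1, 2, 2, 4). The SPL I would expect to produce the same table is | sort 0 Exception -count | streamstats count AS rank BY Exception | eval column="Rank for ".Exception | xyseries Name column rank (not run here; note streamstats numbers ties consecutively rather than sharing a rank).

```python
"""Rank names by count within each exception type and pivot to one row per name.
Added example, not from the post; the CSV is the data the post quotes."""
import csv
import io
from collections import defaultdict

SAMPLE_CSV = """Name,Exception,count
Jack,Null Pointer Exception,10
Jack,Number Format Exception,10
Jack,Other Exception,10
Tom,Null Pointer Exception,20
Tom,Number Format Exception,20
Tom,Other Exception,20
Dave,Null Pointer Exception,30
Dave,Number Format Exception,30
Dave,Other Exception,30
"""


def rank_by_exception(rows):
    """rows: iterable of dicts with Name, Exception, count (count may be a string).
    Returns {name: {"Rank for <Exception>": rank, ...}} with rank 1 = highest count.
    Equal counts share a rank (competition ranking: 1, 2, 2, 4)."""
    by_exc = defaultdict(list)
    for r in rows:
        by_exc[r["Exception"]].append((r["Name"], int(r["count"])))
    table = defaultdict(dict)
    for exc, pairs in by_exc.items():
        pairs.sort(key=lambda p: p[1], reverse=True)
        rank, prev = 0, None
        for position, (name, cnt) in enumerate(pairs, start=1):
            if cnt != prev:          # new count value: rank jumps to the current position
                rank, prev = position, cnt
            table[name][f"Rank for {exc}"] = rank
    return dict(table)


def rank_from_csv(text):
    return rank_by_exception(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    for name, cols in rank_from_csv(SAMPLE_CSV).items():
        print(name, cols)
```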
Recently we upgraded from Splunk 7.0.2 to 8.0.2. Splunk is running on a Red Hat Linux server. I've installed the corresponding Universal Forwarder 8.0.2 on two Windows servers. Also, all installed apps and add-ons were updated to the most recent versions. While executing searches or additional apps I keep getting the error "Could not load lookup=LOOKUP-app4_for_windows_security". Does anyone have any idea how to solve this? I'm pretty new to Splunk, so any help is highly appreciated.
We have created a summary index in Splunk with a cron schedule to run every 15 minutes, but when using that summary index and setting the time as Today, we are not getting any data. What could be the reason?
Hello, One of the dashboards has a makeresults query like the one below, with about 250 append statements.

| makeresults| eval active="true"| makemv delim="," active| eval code="1234"| makemv delim="," code| eval portfolio="ABC"| makemv delim="," portfolio| eval applicative=null| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra=null| makemv delim="," infra| eval interfaces=null| makemv delim="," interfaces| eval id="0001"| makemv delim="," id
| append [| makeresults| eval active="true"| makemv delim="," active| eval code="2345"| makemv delim="," code| eval portfolio="ABC,PQR"| makemv delim="," portfolio| eval applicative=null| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra="Infra2"| makemv delim="," infra| eval interfaces="Infra2"| makemv delim="," interfaces| eval id="0002"| makemv delim="," id]
| append [| makeresults| eval active="true"| makemv delim="," active| eval code="3456"| makemv delim="," code| eval portfolio="ABC,PQR"| makemv delim="," portfolio| eval applicative=" list missing for the application"| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra=null| makemv delim="," infra| eval interfaces=null| makemv delim="," interfaces| eval id="0003"| makemv delim="," id]
.... and so on

The query executes fine on Splunk v7.0 but is stuck on v7.3. The job progress remains at 0% and gets stuck. I tried updating the configuration in limits.conf, but in vain:

max_mem_usage_mb = 500
[searchresults]
maxresultrows = 86400

Has anyone faced such a problem in v7.3.3? If I decrease the append statements to, say, 180, the query gets executed. So it seems the issue is related to memory/result size, but I haven't found any solution yet. Thanks in advance.
Is there a way to create a container in Phantom using results from a Splunk search?
Hi All, Is there any faster way to extract fields with this format in the props and transforms files, like key-value pairs? There are a lot more fields than that, which is why I'm looking for an easier way to extract field values.

2020/03/01-10:01:01 [firstname "JOHN"] [surename "DOE"] [age "30"] [state "NY"] [id "10001"]
2020/03/01-10:01:02 [firstname "Julie"] [age "58"] [state "AU"] [id "10002"]
2020/03/01-10:01:02 [firstname "MEGAN"][middlename "myra"] [surename "DOE"] [age "58"] [state "AU"] [id "10052"]
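Because every field in these lines has the same [key "value"] shape, one regex with two capture groups (name, value) applied repeatedly extracts all of them without listing the names, and it copes with fields that are missing from some lines (no surename for Julie) and with pairs that have no space between them ([firstname "MEGAN"][middlename "myra"]). The parser below is an added example, not from the post or from Splunk; the three sample lines are the ones the post quotes. In Splunk the same regex does the job as a dynamic extraction: a transforms.conf stanza with REGEX = \[(\w+) "([^"]*)"\] and FORMAT = $1::$2, referenced from props.conf with REPORT-<name> = <stanza> for the sourcetype (not run here). Restricting the key to \w+ keeps a crafted value from injecting an arbitrary field name.

```python
"""Parse bracketed [key "value"] pairs into a dict per event. Added example, not from
the post; the three sample lines are the ones the post quotes."""
import re
from datetime import datetime

SAMPLE_EVENTS = [
    '2020/03/01-10:01:01 [firstname "JOHN"] [surename "DOE"] [age "30"] [state "NY"] [id "10001"]',
    '2020/03/01-10:01:02 [firstname "Julie"] [age "58"] [state "AU"] [id "10002"]',
    '2020/03/01-10:01:02 [firstname "MEGAN"][middlename "myra"] [surename "DOE"] [age "58"] [state "AU"] [id "10052"]',
]

# One pair per match: a \w+ key, a space, a double-quoted value. Keys are limited to \w+
# so the data cannot smuggle in odd field names; no separator between pairs is required.
PAIR_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
TS_RE = re.compile(r'^(\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2})')
RESERVED = {"_time"}  # never let an extracted pair overwrite the event timestamp


def parse_event(line):
    """Return {'_time': datetime, key: value, ...}; keys absent from the line are simply absent."""
    fields = {}
    m = TS_RE.match(line)
    if m:
        fields["_time"] = datetime.strptime(m.group(1), "%Y/%m/%d-%H:%M:%S")
    for key, value in PAIR_RE.findall(line):
        if key in RESERVED:
            continue
        fields[key] = value  # last occurrence wins if a key repeats
    return fields


def parse_all(lines):
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_EVENTS):
        print(ev)
```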
I have created a hotel bookings dashboard with multiple dropdowns (example: Content Source, Market, Point of Sale etc.) to see results for my date selection with the Time dropdown. My main timestamp (TimeLine dropdown) is set to open the dashboard with Week to date to show the results in the reports in the dashboard, and the other multiselect dropdowns (Channels, Market, Point of Sale) are set to Year to date to load their data. [Content Source means Amadeus, Sabre, Galileo, Booking.com etc.; Market means UK, US, Canada, India, Dubai etc.; Point of Sale: ABC, DEF, XYZ companies.] When I set the main timestamp dropdown (TimeLine with Time) to Month to date, I expect all the other multiselect dropdown inputs to use the same Month to date for all reports in the dashboard.
I'm currently working to onboard logs from O365 using the Splunk Add-on for Microsoft Office 365 but am unsure what the reply/redirect URL should be set to in the Azure application. When this functionality was included in the Splunk Add-on for Microsoft Cloud Services, the value to use for the reply URL was given in the add-on, but there's no redirect/reply value in the O365 add-on. I can't find any reference to it in the documentation either, so I am unsure what it should be, or even if it's needed anymore. Can anyone advise? Thanks