Hi, I am uploading a .tgz file with a JS script, PNG and CSS inside the /appserver/static folder of my app. After uploading and installing the app in Splunk Cloud, I am unable to use the script. Any idea on this?
Hi folks, I have a use case where I have different types of events in a single sourcetype. I want to apply different timestamp extractions for both event types. I am using TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD to extract the timestamp from event #1. However, the same rules won't be useful for event #2. Is there a way to extract the timestamp values from both events in a single sourcetype?

Event #1 (timestamp should be extracted as "Oct  9 23:57:37.887"):

Oct 10 05:27:48 192.168.100.1 593155: *Oct  9 23:57:37.887: blah blah blah

Event #2 (timestamp should be extracted as "Feb 13 11:27:46"):

Feb 13 11:27:46 100.80.8.22 %abc-INFO-000: blah blah blah

Current settings:

TIME_PREFIX = \s[^\s]+\s\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\s[^\s]+:\s|\s[^\s]+\s\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\s
MAX_TIMESTAMP_LOOKAHEAD = 30
Hello, I'm using Splunk Cloud and I want to delete multiple alerts from a list. I was trying to do it with curl but got errors that I cannot figure out. Is there any other way?
Hello, I'm trying to configure the PureStorage Unified add-on and keep getting the "Something went wrong" error.

Add-on: https://splunkbase.splunk.com/app/5513

Configuration page failed to load, the server reported internal errors which may indicate you do not have access to this page. Error: Request failed with status code 500 ERR0002

On checking the logs, I'm seeing the following error every time I access the configuration page:

07-09-2024 11:40:38.666 +0100 ERROR AdminManagerExternal [438068 TcpChannelThread] - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):
 File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\splunktaucclib\rest_handler\handler.py", line 124, in wrapper
 for name, data, acl in meth(self, *args, **kwargs):
 File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\splunktaucclib\rest_handler\handler.py", line 345, in _format_all_response
 self._encrypt_raw_credentials(cont["entry"])
 File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\splunktaucclib\rest_handler\handler.py", line 375, in _encrypt_raw_credentials
 change_list = rest_credentials.decrypt_all(data)
 File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\splunktaucclib\rest_handler\credentials.py", line 293, in decrypt_all
 all_passwords = credential_manager._get_all_passwords()
 File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\solnlib\utils.py", line 153, in wrapper
 return func(*args, **kwargs)
 File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\solnlib\credentials.py", line 341, in _get_all_passwords
 return self._get_clear_passwords(passwords)
 File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\solnlib\credentials.py", line 324, in _get_clear_passwords
 clear_password += field_clear[index]
TypeError: can only concatenate str (not "NoneType") to str
". See splunkd.log/python.log for more details.

This is a distributed environment, running Splunk 9.2.2 on virtual Windows 2019 servers. To confuse matters, this app works and is configurable on my test server; the only difference being that the test server is a standalone installation.

PureStorage Unified Add-on for Splunk
Hello, I would like to know if there are best practices to migrate a single search head instance with ITSI to a search head cluster. I have a deployer, and the ITSI production search head should become part of the search head cluster, initially as the only existing member. When everything is up and running I will add 2 other servers. I have read something about Enterprise Security migration related to bundle size limits, for example, but found few things about ITSI. Thank you in advance and warm regards.
Hello, I'm trying to get full coverage of data from Azure, from metrics to risky sign-ins, so I am trying to figure out the best way to collect events. So far I work with both add-ons, Cloud Services & Microsoft Azure, for my needs, based on this graphic: https://jasonconger.com/splunk-azure-gdi/ But I'm facing the issue of subscription input settings for both add-ons. Basically I understand that we have to set each subscription ourselves, but that means we could miss some of them, especially newly created ones. So I was thinking of an API-based script which gets all the subscriptions from Azure and then pushes inputs into Splunk Cloud. I have the feeling I'm not the only one facing this problem, so I told myself maybe someone has found a better way to collect all subscriptions automatically. Thanks in advance for your help! Ben
When I add a limit to a timechart to reduce the number of visible series (to improve dashboard performance) it changes the value of Total when using addtotals. Example:

| timechart span=1s avg(host_usage) by host useother=true | addtotals

The below gives me a lower overall total than the above:

| timechart span=1s avg(host_usage) by host limit=5 useother=true | addtotals

I thought Other was supposed to be the total of all other values not explicitly displayed?
I have a scenario where events are coming from one index (index=sample) with field status having values 1, 2, 3, 4 and 5. I have to exclude all the status values which are present in the other index (index=services) as status 1 and 2. How can I achieve it? I am trying the below query in the base query to exclude them, but it is not working:

index=sample status=* ''''''base query"'''   |search NOT [search index="service"   earliest=-24h latest=now  |search status IN (1,2)| table  status]
I want to extract the below field into two fields. I want to extract the Name and version as two separate fields. Can someone help me with this?
How do I get all saved searches with their names and their respective search strings?
I have integrated the VirusTotal app with Splunk SIEM through an API key, but in the app it's not showing any results.
I have a saved search but I don't know the name of that saved search. How do I get it?
Hi experts, I am early in my experimentation journey with the Splunk App for DSDL (aka DLTK), pulling some events into a Jupyter notebook by way of Option 2, i.e.:

<SPL search> | fit MLTKContainer mode=stage algo=my_test * into app:my_test_data

where my_test is just cloned from barebone_template, and I want the input data file to be created with the name "my_test_data". I ran into the following error since the SPL returns 500+ events:

Input event count exceeds max_inputs for MLTKContainer (100000), model will be fit on a sample of events. To configure limits, use mlspl.conf or the "Settings" tab in the app navigation bar.

Upon checking mlspl.conf, fair enough, max_inputs is set to the default of 100,000. However, the resulting my_test_data.csv only contains 1153 lines and, excluding the header row, only 1152 of the events of interest. Why don't I get 100,000 events into the CSV file? It's not a disk space issue either, having verified that. More importantly, how can I get the full 100,000 events into my CSV file? Any advice is greatly appreciated. Thanks, MCW
I am using SaaS 23.11.7-1552. How can I create a Dash Studio time series for all nodes in a particular tier? Currently I've defined an app variable. When a user views the dashboard, he selects the appropriate app. However, I can't figure out how to create or use another variable where the user selects the tier within the app. When defining a tier variable, I am not allowed to enter $AppName for the app name. I see the docs talk about nested variables but do not say how to create them, nor can I find any examples. Thanks
Hi Team, I have two different fields (e.g. A and B). Value A will come for some results and B will come for others. When I use the queries below, each only pulls A or B.

index="XYZ" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200 | stats count by A StatusCode
- only A events are displayed

index="XYZ" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200 | stats count by B StatusCode
- only B events are displayed

index="XYZ" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200 | stats count by A B StatusCode
- it does not display any table

How do I display both A and B columns combined and have the status code as well in the table?
Is there a regex to convert the epoch to human-readable time upon ingestion?

[1720450799] Error: Got check result for service 'CPU Usage' on host.
[1720450799] Error: Got check result for service 'Disk Usage var' on host.
[1720450799] Error: Got check result for service 'Disk Usage opt' on host.
Is there a way to monitor disconnects on a host (with a deployed universal forwarder) that cannot reach the indexer? We have an on-prem solution. I am simply trying to use this host to monitor whether network A can reach network B, because the host is in network A and the index is in network B.
Hello All, I'm trying to use Splunk and Tableau, and in order to do so I need to use the Splunk ODBC Driver. I've followed these instructions: https://docs.splunk.com/Documentation/ODBC/3.1.1/UseODBC/InstallationmacOS and downloaded the driver; however, the driver only gives options for macOS 11.6. I've tried downloading that driver, but the download error I get is "File wasn't available on site". I'm wondering if anyone has any solutions I could try to download this driver. Thanks
Hi All, I have one set of output with 8 closed tickets for two consecutive months as the result of a Splunk query. I also need to check whether each one of them breached its SLA or not, based on its priority level. How do I traverse each and every record through a Splunk query? Please note: I also need to put in the formula to check which tickets were breached, what the breach age is, and finally the average breach age of the tickets. Please suggest how to proceed with this use case.