Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I have inherited an old on-prem Splunk 7.0.2 installation that I'm now trying to reconfigure to forward data to our SplunkCloud instance. I have installed the SplunkCloud app on the search head that is acting as deploy-server. It is now forwarding its internal logs to the cloud as expected. Now I want to remove the old forward-servers. When I execute:

./splunk list forward-server

I get this:

Active forwards:
10.yy.167.67:9997 (ssl)
inputs1.q.splunkcloud.com:9997 (ssl)
Configured but inactive forwards:
10.yy.167.68:9997
inputs10.q.splunkcloud.com:9997
inputs11.q.splunkcloud.com:9997
inputs12.q.splunkcloud.com:9997
inputs13.q.splunkcloud.com:9997
inputs14.q.splunkcloud.com:9997
inputs15.q.splunkcloud.com:9997
inputs2.q.splunkcloud.com:9997
inputs3.q.splunkcloud.com:9997
inputs4.q.splunkcloud.com:9997
inputs5.q.splunkcloud.com:9997
inputs6.q.splunkcloud.com:9997
inputs7.q.splunkcloud.com:9997
inputs8.q.splunkcloud.com:9997
inputs9.q.splunkcloud.com:9997

This looks correct. Then I execute:

./splunk remove forward-server 10.yy.167.68:9997

and get this message:

In handler 'tcpout-server': Type = outputs, Context = (user: nobody, app:, root: /opt/splunk/etc), Acting as = nobody: Invalid configuration context: Cannot read configuration if user context is set but app context is not

I get the same kind of message if I try to do this in the web GUI. I have tried to find the configuration file that contains this forward-server config but I cannot locate it. It should be /splunk/etc/system/local/outputs.conf but there is no such file. I have tried grepping for the IP address in the entire /etc directory structure but got no matches! Does anyone have any input on how to proceed?

Regards, Andreas
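A forward-server that `splunk list forward-server` reports but that is not in system/local/outputs.conf is almost always defined in some app's default/ or local/ outputs.conf, because Splunk merges every outputs.conf on the instance into one effective configuration. On a live host the check is `splunk btool outputs list --debug`, which prints each resolved stanza with the file it came from. The script below is an added example (not from the thread, and not Splunk's own code) that does the same walk over a constructed etc/ tree: it parses Splunk's INI-style conf files, reports which file and tcpout group lists a given server, and shows which files set a defaultGroup. The app names, paths and addresses in SAMPLE_TREE are invented for the example; point `load_tree()` at a real $SPLUNK_HOME/etc to scan an actual install.

```python
import os
from typing import Dict, List, Tuple

# Constructed sample of a $SPLUNK_HOME/etc tree (path -> file text).
# App names, paths and addresses are invented for this example; they are
# not the poster's configuration. The legacy group deliberately lives in an
# app rather than system/local, which is where it tends to hide in practice.
SAMPLE_TREE: Dict[str, str] = {
    "etc/system/default/outputs.conf": (
        "[tcpout]\n"
        "defaultGroup = nogroup\n"
    ),
    "etc/apps/legacy_outputs/local/outputs.conf": (
        "# left behind by a previous admin\n"
        "[tcpout]\n"
        "defaultGroup = old_indexers\n"
        "\n"
        "[tcpout:old_indexers]\n"
        "server = 10.0.167.67:9997, 10.0.167.68:9997\n"
        "sslCertPath = $SPLUNK_HOME/etc/auth/server.pem\n"
    ),
    "etc/apps/100_splunkcloud/local/outputs.conf": (
        "[tcpout:splunkcloud]\n"
        "server = inputs1.example.splunkcloud.com:9997, "
        "inputs2.example.splunkcloud.com:9997\n"
    ),
}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk INI-style .conf text into {stanza: {key: value}}.

    Handles comments, blank lines and backslash line continuations. It parses
    one file at a time and does not apply btool's cross-file precedence rules.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = "default"            # keys that appear before any [stanza]
    pending = ""                   # accumulates backslash-continued lines
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = stripped.partition("=")
        if sep:
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def load_tree(etc_dir: str) -> Dict[str, str]:
    """Read every outputs.conf below a real etc/ directory into path -> text."""
    tree: Dict[str, str] = {}
    for root, _dirs, files in os.walk(etc_dir):
        if "outputs.conf" in files:
            path = os.path.join(root, "outputs.conf")
            with open(path, encoding="utf-8", errors="replace") as fh:
                tree[path] = fh.read()
    return tree


def find_forward_server(tree: Dict[str, str], server: str) -> List[Tuple[str, str]]:
    """Return (file, stanza) pairs whose [tcpout:<group>] server list names `server`."""
    hits: List[Tuple[str, str]] = []
    for path, text in sorted(tree.items()):
        for stanza, keys in parse_conf(text).items():
            if not stanza.startswith("tcpout:"):
                continue
            servers = [s.strip() for s in keys.get("server", "").split(",")]
            if server in servers:
                hits.append((path, stanza))
    return hits


def default_groups(tree: Dict[str, str]) -> Dict[str, str]:
    """Map each file to the defaultGroup it sets in [tcpout], to see which group is live."""
    result: Dict[str, str] = {}
    for path, text in sorted(tree.items()):
        group = parse_conf(text).get("tcpout", {}).get("defaultGroup")
        if group:
            result[path] = group
    return result


if __name__ == "__main__":
    target = "10.0.167.68:9997"
    for path, stanza in find_forward_server(SAMPLE_TREE, target):
        print(f"{target} is listed in [{stanza}] of {path}")
    for path, group in default_groups(SAMPLE_TREE).items():
        print(f"{path} sets defaultGroup = {group}")
```

Once the owning file is known, the server is removed by editing that stanza (or deleting the stale app) and restarting, rather than through the CLI handler that is failing here. A plain grep for the IP is still the right first move; if it returns nothing, also check apps installed outside the default path and any deployment-server-managed app directories, since `load_tree()` only sees what is under the directory you pass it.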
Good morning you lovely lot, I have a theoretically simple regex extraction, but it is slaying me. If one of you would be so kind as to assist, it would be greatly appreciated. You'll see below the event that the extraction is required from. Essentially, we require to capture the 'role(s)' that a user may have. The opening tag is <roles> and then the role itself is contained within <item></item>. The issue is that <item> is used throughout the events and also that a user may have one, or multiple roles. As such, the regex requires to capture the first role found after <roles> and then subsequently each other role if found before terminating on </roles>. I've gotten close-ish, but cannot capture each role individually, instead either the first, last or ALL values between the tags of 'items'. Please help as it's absolutely ending me - I'm not exactly great with regex as it's all fairly new to me.

Event Sample:
/><jobtitle>Digital Content</jobtitle><emarketingoptout /><contactpref /><roles><item>INVEST_IFA</item><item>PROTECT_IFA</item><item>RS_IFA</item><item>SOLICITOR</item></roles><permissions><item>INVEST_APPS</item><item>PROTECT_APPS</item><item>RS_APPS</item><item>SOL_APPS</item><item>UPDATE_PROFILE</item>

Regex so far (awful I know):
All Items: `(<item>(?<role>[\w]*)\<\/item>+?)`
First or last depending upon greed: `[\w\W]+((<item>+(?<role>[\w]*)\<\/item>)+)<\/roles`
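The reason the posted patterns return either one value or every <item> in the event is that a single unanchored `<item>...</item>` match has no way of knowing whether it sits inside <roles> or inside <permissions>. Two patterns fix that, shown below as an added example (not from the thread, not Splunk's code) in Python's `re` module, which uses the same PCRE-style syntax as Splunk's rex: a two-pass version that first cuts out the <roles> block and then collects every <item> from it, and a single-regex version that accepts an <item> only when it is followed by zero or more further <item>s and then </roles>. The sample event is the poster's own; the function names are mine.

```python
import re
from typing import List

# The poster's sample event, used here as constructed test input.
EVENT = (
    "/><jobtitle>Digital Content</jobtitle><emarketingoptout /><contactpref />"
    "<roles><item>INVEST_IFA</item><item>PROTECT_IFA</item><item>RS_IFA</item>"
    "<item>SOLICITOR</item></roles><permissions><item>INVEST_APPS</item>"
    "<item>PROTECT_APPS</item><item>RS_APPS</item><item>SOL_APPS</item>"
    "<item>UPDATE_PROFILE</item>"
)

# Approach 1: two passes. Isolate the <roles>...</roles> block first (non-greedy,
# so a later </roles> in the event cannot stretch the match), then take every
# <item> inside that block only.
ROLES_BLOCK = re.compile(r"<roles>(?P<block>.*?)</roles>", re.DOTALL)
ITEM = re.compile(r"<item>(?P<role>[^<]*)</item>")


def roles_two_pass(event: str) -> List[str]:
    match = ROLES_BLOCK.search(event)
    if match is None:
        return []                  # no <roles> block, or it is never closed
    return ITEM.findall(match.group("block"))


# Approach 2: one regex. Each <item> is kept only if what follows it is zero or
# more further <item>s and then </roles>. Permission items fail the lookahead
# because </permissions> (or the end of the event) comes first, and the
# lookahead consumes nothing, so findall still visits every item in turn.
ROLE_ITEM = re.compile(
    r"<item>(?P<role>[^<]*)</item>(?=(?:<item>[^<]*</item>)*</roles>)"
)


def roles_single_pass(event: str) -> List[str]:
    return ROLE_ITEM.findall(event)


if __name__ == "__main__":
    print(roles_two_pass(EVENT))      # ['INVEST_IFA', 'PROTECT_IFA', 'RS_IFA', 'SOLICITOR']
    print(roles_single_pass(EVENT))   # same list
```

In SPL the two-pass form is two rex calls, `... | rex "<roles>(?<roles_block>.*?)</roles>" | rex field=roles_block max_match=0 "<item>(?<role>[^<]*)</item>"`, and the single-regex form is `... | rex max_match=0 "<item>(?<role>[^<]*)</item>(?=(?:<item>[^<]*</item>)*</roles>)"`; `max_match=0` is what makes rex return every match as a multivalue field instead of stopping at the first. I have not run these against the poster's data. The lookahead in the single-regex form rescans the remaining items for every candidate, so on events with very long item lists the two-pass form is the cheaper one.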
Hi, Our customer is looking to monitor "Dynamics 365 CRM" via AppDynamics. I am not able to find any document or extension; would you please help me to understand whether Dynamics 365 monitoring via AppDynamics is supported or not supported? As per my understanding, Dynamics has the X++ programming platform and has its own performance insight. How do we start the monitoring of Dynamics 365 via AppDynamics SaaS? Regards, Harinder Rana
Thank you for your help. I would like to put a month value into a field name. The approach I am currently considering is to set the month value (2020-03) in a separate column and then prepend that month value (2020-03) to a field called 【予定】 ("Scheduled"), giving a field name of 【2020-03予定】, but I do not know how to achieve this. Could you tell me what methods are available?
Hi @Ryan.Paredez, Thanks for helping out with receiving the SaaS instance link. I would like to extend the same, which is due to expire today. I have tried the options on the website, but nothing notifies me that my free trial is extended. Thanks and Regards, Lenin M
Most Splunk Custom Visualizations do not have drilldown enabled by default. The Outlier Chart visualization provided by the Machine Learning Toolkit app also does not have drilldown enabled by default. How do you drill down from the Outlier chart? PS: Documenting the answer to a question asked in the Splunk User Group on Slack for future reference.
Hello, I am having an issue with Splunk Web, which suddenly stopped working. This is the error:

splunk@splunk:/etc$ cd ..
splunk@splunk:/$ systemctl status splunk
splunk.service - LSB: Start splunk
Loaded: loaded (/etc/init.d/splunk; generated)
Active: failed (Result: exit-code) since Wed 2020-03-18 08:15:10 +04; 1h 37min ago
Docs: man:systemd-sysv-generator(8)
Process: 2273 ExecStart=/etc/init.d/splunk start (code=exited, status=8)
Mar 18 08:15:10 splunk systemd[1]: Starting LSB: Start splunk...
Mar 18 08:15:10 splunk splunk[2273]: Starting Splunk...
Mar 18 08:15:10 splunk splunk[2273]: Error: SPLUNK_HOME setting of "/storage/splunk/splunk-home" found in /opt/splunk/etc/spl
Mar 18 08:15:10 splunk systemd[1]: splunk.service: Control process exited, code=exited, status=8/n/a
Mar 18 08:15:10 splunk systemd[1]: splunk.service: Failed with result 'exit-code'.
Mar 18 08:15:10 splunk systemd[1]: Failed to start LSB: Start splunk.
We are trying to add a load balancer in front of our Splunk Search Head Cluster (SHC). According to the official doc, we need a layer-7/application-level load balancer which provides session stickiness. The thing I don't quite understand is: since the SHC is doing replication across all members, why does the user need to be on the same search head? We also have the following in web.conf to prevent logging the user out due to session timeout. We are using SAML SSO, so the user won't get a login screen even if it times out. So does anyone know why we would need session stickiness?

tools.sessions.timeout = 3600
ui_inactivity_timeout = 0
Hi, I'm having trouble with the Windows Defender TA. I have the package distributed to my UF, and it's pulling logs into the correct index. The TA is also installed on my single-instance search head/indexer.

sourcetype is XmlWinEventLog
source is XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational

There seems to be a stack of fields extracted. None are CIM aligned. It does not seem to be observing any of the tags.conf or props.conf. Has anyone got any ideas? Cheers!
I am using Enterprise Security and most of our searches are correlation searches. One of my searches cannot be done as a correlation search, so I have resorted to just an alert which then sends a notable event to ES (this is because I need a per-event trigger, which correlation doesn't let me do). The alert works and gives me the details I want in ES (basic info such as user details). However, I would like a drill-down search to open something like a table view with additional information. The problem is that I can't seem to find a way to add the token from the notable event to the drill-down. For example, my search is:

index=foo sourcetype=goo | bin _time span=5m | stats count by user src

The alert is configured as:
Alert Type = real-time
Trigger Alert when "per-result"
Suppression = 8 hours based on user field
Trigger action ==> when triggered - Notable

The notable trigger event can't be edited. I then went into the advanced edit options of this alert and configured a drill-down to be as follows (note $user$):

index=foo sourcetype=goo $user$ | bin _time span=5m | stats count by user src | where count > 10 | table src user count

I thought this may be because I am passing the wrong token, so I edited the code as follows (note $result.user$) but still no go:

index=foo sourcetype=goo $result.user$ | bin _time span=5m | stats count by user src | where count > 10 | table src user count

Is there a way this can be done? Do I need to maybe generate the token in code so that it can then be used (i.e. like a dashboard "set token")?
| mstats c(System.System_Up_Time) as Uptime prestats=t WHERE index="em_metrics" AND host="*" by host,metric_name span=1m | where Uptime < (now() - 2160000) | eval diff=tostring(now() - Uptime,"duration") | fields host Uptime diff | sort - Uptime

I am getting no result. I have 2 hosts: for one host the metric log (System.System_Up_Time) is coming in, for the other host it is not coming in, so I want to display it as down.
Hi All, I have a dashboard and it has:

* | table index, URL, Volume, failure, Avg_Resp, AvgResp_Status, 90thPerc, RER, Avg_ThresholdMS, 90thPerc_ThresholdMS, Thershold_TimePeriod | sort Volume desc

I have saved this search as a dashboard panel, but the URLs which are displayed on the dashboard do not have any links to "VIEW EVENT" for each URL when we click on it. Can you please help with how to enable this? Thank you
We would like to use the AVI Networks App for Splunk, which I'm aware requires use of the associated Add-on. We are using AVI Vantage platform version 18.2.5. We are using Splunk Enterprise version 7.2.6. I have used these sources to find out how to configure the add-on:

https://splunkbase.splunk.com/app/4155/#/details
https://avinetworks.com/docs/18.1/streaming-avi-logs-to-external-server/

I have created an AVI Vantage analytics profile with the following log streaming settings. I have used the defaults for all values with the following exceptions:

This is output from the command 'ss -tuw' on one of the AVI controllers:

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 172.xxx.xxx.2:35338 10.xxx.xxx.140:5054
tcp ESTAB 0 0 172.xxx.xxx.2:35336 10.xxx.xxx.140:5054
tcp ESTAB 0 0 172.xxx.xxx.2:35340 10.xxx.xxx.140:5054

Netcat output from the AVI controller (nc -z -v splunk-1.tvm.foo.bar.bay 9998):

Connection to splunk-1.tvm.foo.bar.bay 9998 port [tcp/*] succeeded!

I've created a Splunk TCP data input as follows (/opt/splunk/etc/apps/TA-avi-vantage-add-on/local/inputs.conf):

[tcp://9998]
connection_host = ip
index = avi-data
sourcetype = syslog

After creating the input, I restarted Splunk. I can see that splunkd is listening on the port (sudo lsof -i -P -n | grep LISTEN):

splunkd 23104 splunk 65u IPv4 957961696 0t0 TCP *:9998 (LISTEN)

Splunk has not received any data from AVI, and I am wondering if you are aware of some steps I may have missed or if there are some tips you can offer to get this working. Does something need to be restarted on the AVI controller or in the UI?
Hi, I have a couple of questions:
1. How can I suppress all health rules for a particular time on a daily basis?
2. Can I create a policy such that from 6 AM to 6 PM it will go to one set of people and then from 6 PM to the next 5:59 AM it will go to different people/email DLs?
3. Can I change the alert timing from UTC to some other time zone?
Similar to https://answers.splunk.com/answers/642213/nslookup-on-network-tools-app-with-specified-dns-s.html First off, fantastic app; I'm really getting a lot of use out of specifically the prebuilt workflow actions! I'm curious if there is any way I can specify a whois server with the command? I have a bunch of non-public data on my personal whois server that isn't getting read... I'm not sure I'm good enough to make a PR for this in the repo. Thanks for the help!
I have a table like this:

Type          Country
Reporting     US
reporting     CAN
Reporting     IND
COnsolidated  US
Consolidate   CAN
Consolidated  IND

How do I display it as:

Type          Country
Reporting     US CAN IND
Consolidated  US CAN IND
Hello, I am trying to convert the working search URL below for curl commands to be app specific.

Working URL: https://test.splunkcloud.com:8089/services/search/jobs

Converted to app specific: https://test.splunkcloud.com:8089/en-US/app/Sim/services/search/jobs

I am getting error 405 Method Not Allowed when running the app-specific query above for the app Sim. What is the way to change the working URL to be Sim-app specific so I can use the curl command to run the query in the Sim app?
Hi team! We would like to upgrade the Splunk platform, but we cannot upgrade the UF. Because of that, we were wondering about the following questions:

What would be the minimum universal forwarder compatible with Splunk 7.3.4?

According to the compatibility table, the 6.0.x – 6.1.x versions require a special configuration in the universal forwarder. How is this change performed? And, once it has been performed, will the dispatch still work well before the upgrade? We understand that maybe in those cases it would make sense to ask for a universal forwarder upgrade.

According to the compatibility table, the 6.2.x – 6.6.x versions do not require a special configuration, but they do not allow the dispatch of metric data. We have been looking for this functionality in the Splunk documentation (which, by the way, we have found to be very interesting), and it only appears from version 7 onwards. Could it be that there is no 6.5.x version available? We especially mention this because in this case we should not have to take anything more into account.

Could you help us with these? We would be very thankful.
Hi all, I have a .csv file with multiple columns, but only one will be used to compare results; the name of that column is exampleIP. My goal is to compare the IP address from that column with the column client.ipaddress from index=blah. If it matches, output a new column, Match, with the result Yes or No.

exampleip
--------------
1.1.1.1
2.2.2.2
3.3.3.3

index=blah | table client.ipaddress
2.2.2.2
3.3.3.3

Desired output: | table exampleip, client.ipaddress, match
---------
1.1.1.1 |         | No
2.2.2.2 | 2.2.2.2 | Yes
3.3.3.3 | 3.3.3.3 | Yes

I have already tried to apply different answers from similar subjects but no luck. Also, is there a way to add other columns from index=blah to the end table result? Thanks all in advance
Hi, I am currently trying to read a log file of size 10 GB. I have changed thruput to 0 but it still takes about 30 min to 1 hr for Splunk to finish reading the file. Is there a way to increase the reading speed further for the Splunk UF?