All Topics
Hi, splunkers: My customer wants to monitor the following 2 things: 1. The status of log collection. That means they want to ensure that all logs were indexed into Splunk. 2. The status of Splunk. Send the Splunk web messages (like the message in the image) to their centralized monitoring platform in real time if any warning or error occurs, because they almost don't care about the Splunk monitoring console. Any idea for these?
Hi! We have some searches on a dashboard that run way too long, as they include several subsearches and calculate data for the latest 30 days, which leads the daily scheduled PDF of that dashboard not to be sent by email, with a PDF-sending error. We split the heavy searches into several ones, but from day to day it may take a different amount of time to complete each of them. Is there a way to set up saved searches to run in sequence, not only by setting a sparse schedule for them?
I want to create an alert to check the event count on all indexes and alert with the list of all indexes that have no events in the last 24 hours.
My application wants to send data to Splunk via Monitor files and directories and meanwhile via HTTP Event Collector. My application will format the data as required. Can I use the same data source type to send data with different formats via different methods (Monitor files and directories and HTTP Event Collector)?
We wonder whether the WinEventLog can be applied to the Endpoint data models. It seems to us that:
- Endpoint.Process fits win event ID 4688 (A new process has been created) very well.
- Endpoint.Service could be populated with win event ID 4697 (A new service was installed).
However, "Source types for the Splunk Add-on for Windows" lists for the CIM data models only Application State, Authentication, Change Analysis, Performance, Updates and Vulnerabilities, while Application State is listed as deprecated.
I have some questions that I hope someone can help me clarify:
1) In an indexer cluster, can I install apps and add-ons on each indexer separately without pushing them all using the cluster master?
2) If I use the cluster master, should I untar the apps and add-ons that I put in /master-apps, or is there no need for the unpacking step?
3) How do I use the sendtoindexer app if I have an indexer cluster? I mean, what should be written in the text file exactly?
Thanks in advance.
Is there a way to grasp user engagement within Splunk? For example, in regards to all users under the "user" role, I would like to try to report on the following:
1) how long they stay on a specific dashboard
2) login / log off time
3) are they experiencing any errors
Help on any of the above would be greatly appreciated.
Is there an environment variable or a setting for default.yml I can set for python.version = python3 so that it is added to server.conf?

docker run -dt --restart=always --name=splunk --hostname=splunk --privileged -p 8000:8000 -p 8001:8001 \
  -v /home/user/mysplunkinstallation/default.yml:/tmp/defaults/default.yml \
  -e SPLUNK_START_ARGS=--accept-license \
  -e SPLUNK_PASSWORD=splunk \
  splunk/splunk:8.0.2
I want to display multiple fields in a single value display. How do I display multiple fields in a single value display panel (CPU, Disk Space, RAM)?
I'm new to Splunk and need further guidance to be able to accomplish my dashboard for Pi-hole. Could some expert guide me how?

Queries Blocked:
tag=dns tag=network tag=resolution query_type=blocked | stats count

Total Queries:
sourcetype="pihole:log*" tag=dns tag=network tag=resolution query | stats count

How do I create a Splunk query to get the total percentage of the two results: Queries Blocked / Total Queries x 100 = ? I just need the exact value so I can simply copy and paste the good answer here into my Splunk field. Your input is highly appreciated.
I have two queries:
1: sourcetype=A error=499
2: sourcetype=A X=*
The 2nd query is almost equal to the total transactions. I would like to make a timechart of the % of error count on X events. Basically I want to make a timechart that will tell if the increase in the error code is because of a volume increase, etc.
Would appreciate suggestions on how and what to change in our IdP environment and/or our Splunk instance's SAML configuration, to get around this "Saml response does not contain group information" error:

Screenshot of our internal SSO IdP configuration: (image not included)

Relevant bits from authentication.conf:

[authentication]
authSettings = saml
authType = SAML

[userToRoleMap_SAML]
doerj001 = admin::::joe.doer@whatever.local
smitr003 = user::::roger.smith@whatever.local
incom017 = user::::margarita.incognito@whatever.local

[roleMap_SAML]
admin = doerj001
user = smitr003;incom017

[saml]
clientCert = /opt/splunk/etc/auth/server.pem
entityId = monitor.splunk.bu.whatever.local
fqdn = https://monitor.splunk.bu.whatever.local
idpCertPath = idpCert.pem
idpSSOUrl = https://idp.myid.whatever.local/idp/SSO.saml2
inboundSignatureAlgorithm = RSA-SHA256
issuerId = https://idp.myid.whatever.local
nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
redirectAfterLogoutToUrl = https://monitor.splunk.bu.whatever.local/en-US/account/login?loginType=splunk
redirectPort = 443
replicateCertificates = false
signAuthnRequest = true
signatureAlgorithm = RSA-SHA256
signedAssertion = false
sloBinding = HTTP-POST
sslPassword = ************
ssoBinding = HTTP-POST

[authenticationResponseAttrMap_SAML]
role = sapid

Excerpt from the SAML response:

<saml:AttributeStatement>
  <saml:Attribute Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Roger</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="middlename" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"></saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="preferred_username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">smitr003</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">roger.smith@whatever.local</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Smith</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

Appreciate specific suggestions on what we need to change and how, to get this working. (Please do not send me to RTFM - been doing this for the past week and my head hurts - unless the pages you're sending me to contain those specific suggestions.) Thanks!
Search:
|source1 | stats count(source1.field1) by (source1.field2) | sort 0 source1.field2

Search Output:
source1.field2 | count
dev | 6
prod | 5
uat | 7
qa | 8

How can we add the count values of 'prod' and 'uat' and also display the field value as below? Is this doable?
source1.field2 | count
dev | 6
prod + uat | 12
qa | 8
search query 1 | stats count by source1.field1 | where blah ==blah | rename field1 as "Y-098"
Y-098 || Count
1.Instagram -- 56
2.twitter -- 78

search query 2 | stats count by source2.field2 | where blah ==blah | rename field2 as "Vr-234"
Vr-234 || Count
1.Instagram_active_user -- 34
2.twitter_active_user -- 21

How can I combine the above 2 searches to be displayed in one output as shown below, to be used in an Overlay Chart? Also, is there any way to rename the "Count" field?
Field-Name-1 | Count | Field-Name-2 | Count
Instagram | 56 | Instagram_active_user | 34
twitter | 78 | twitter_active_user | 21
I'd like to know if there's a way to get alerted if a dashboard is not performing as expected for a user. How do I query for a list of all reports that are throwing errors in a dashboard? Is that possible?
Splunk n00b here with a question. I have a query I would like to display on a bar graph dashboard visual. Here is the query:

index=wsi_tax_summary sourcetype=stash partnerId=* error_msg_service=* ein=* ein!="" tax_year=2019 capability=109*
| eval error_msg_service = case(match(error_msg_service, "OK"), "Success", 1==1, "Fail")
| stats dc(intuit_tid) as Total by partnerId error_msg_service
| chart limit=0 useother=f sum(Total) as Total by partnerId error_msg_service
| eval total_request = Fail + Success
| eval "Success Rate" = round(((Success/total_request)*100),2)
| fieldformat "Success Rate"=tostring('Success Rate')+"%"
| sort "Success Rate"
| fields partnerId "Success Rate"

Since I'm aiming for a bar graph, the values on the Y axis should be partnerId and the X axis should be a value called "Success Rate", which I created with several eval statements. When I click into "visual", nothing is produced. It looks like I can only do it with a chart or timechart function. Anyone know how I can achieve this?
Hi, I have a critical issue. When I run $SPLUNK_HOME/bin/splunk apply shcluster-bundle it runs successfully, but when I open the search head members no apps are installed!! Is there any additional command that must be run for the bundle to take effect and for the apps to appear on the search heads? Or is there something wrong that I did?
Hi splunkers, my Enterprise Security Threat Artifacts dashboard isn't working. It's stuck in "search waiting for input". I didn't change any configuration. Also, the threat_artifacts view file is 100% correct; I checked it in the Splunk free Enterprise Security service in the cloud. All of the dashboards are viewed on the same page; that's another problem. How do I fix this? Or how can I find the problem?
Data example:

<Asset href="/company/rest-1.v1/Data/Story/2530981/6709286" id="Story:2530981:6709286"><Attribute name="Status.Name">Ready</Attribute><Attribute name="Number">B-107445</Attribute><Attribute name="Name">Upgrade Splunk Windows TA</Attribute><Attribute name="ChangeDate">2020-01-29T13:49:44.337</Attribute><Attribute name="CreateDate">2019-03-12T12:49:22.703</Attribute><Attribute name="Owners.Name"><Value>owner one</Value><Value>owner two</Value></Attribute></Asset>

&

<Asset href="/company/rest-1.v1/Data/Story/3644941/6720976" id="Story:3644941:6720976"><Attribute name="Status.Name">Ready</Attribute><Attribute name="Number">B-143465</Attribute><Attribute name="Name">Review/Upgrade Splunk_TA_Nix to v7</Attribute><Attribute name="ChangeDate">2020-01-30T12:54:07.103</Attribute><Attribute name="CreateDate">2020-01-15T10:40:49.307</Attribute><Attribute name="Owners.Name"><Value>owner one</Value></Attribute></Asset>

I've finally gotten my XML to separate into events, but I'm being thrown by trying to get the fields to work. I'd like to have:
Status.Name = Ready
Number = B-143465
ChangeDate = 2020-01-30T12:54:07.103
and so on.

I created this regex using the field extractor and regex101:

^(?:[^>\n]*>){2}(?P<Status_Name>\w+\s+\w+|\w+)(?:[^>\n]*>){2}(?P<Number>\w+\-\d+)[^ \n]* \w+="\w+">(?P<Name>[^<]+)[^ \n]* \w+="\w+">(?P<ChangeDate>[^<]+)(?:[^"\n]*"){2}>(?<CreateDate>[^<]+)(?:[^"\n]*"){2}><\w+>(?P<Owners_Name>\w+\s+\w+)

which gets me most of the way there, but it won't work for the multiple owner values. Can someone suggest a fix here? Also, if you could suggest some help in implementing the regex in a transforms, I'd appreciate it. I think I can call it using PROPS ...

REPORT-V1 = v1_fields

TRANSFORMS

[v1_fields]
REGEX = ^(?:[^>\n]*>){2}(?P<Status_Name>\w+\s+\w+|\w+)(?:[^>\n]*>){2}(?P<Number>\w+\-\d+)[^ \n]* \w+="\w+">(?P<Name>[^<]+)[^ \n]* \w+="\w+">(?P<ChangeDate>[^<]+)(?:[^"\n]*"){2}>(?<CreateDate>[^<]+)(?:[^"\n]*"){2}><\w+>(?P<Owners_Name>\w+\s+\w+)

But I don't know if I need to add a FORMAT = $1::$2 line (nor do I know what that line does ...). Any help you can provide here would be great. I've also tried KV_MODE=xml on the search head, but that doesn't give me the field names I want, just values for Asset.Attribute, Asset.Attribute.Value, etc. Thanks
I'm having to search across two indexes and am looking for a particular string of text, called "sampletext". Example:

index=sso sourcetype="ping*" "my sampletext here"

Now, I would also like to search the sourcetype=ActiveDirectory for two of its fields, as I would like to include Active Directory's department and description fields in my query. Example:

index=msad sourcetype=ActiveDirectory department=* description=*

The problem is it's not pulling the Active Directory fields, because I am searching for a particular string of text "sampletext" and it's only pulling back the fields under the sso index. How do I pull the event data that contains the string text under index=sso AND pull the Active Directory fields, department and description, under those events too? Is this possible? Any help is greatly appreciated!