Last year (2019) we deployed Splunk Cloud in our environment. After that we configured the logs into Splunk Cloud, and the data seems to be searchable as per the retention policy; after the retention period the data seems to get deleted from the system, so this is how it should work. When I searched the data for a few indexes I was shocked to see that data is available from 2014 in Splunk Cloud. We deployed Splunk Cloud only last year, so how can it show the event timestamp as a 2014 date? Also, when I search with index=* for the year 2014 as a whole I can see more than 20000+ events, and was shocked. When I checked the log files of that 2014 data in a few source files I can see that the log file doesn't have the date in it and only the time is present; so if the date is not present in the log file it should take the system time, but still how does it assign the event timestamp as 2014? And for another set of logs I can see the log file with the latest timestamp, i.e. with date and time in it, but still the event time seems to be assigned a 2014 date and time. It's very confusing why it is assigning a 2014 date and time. So I ran the query adding the index time field into the query for the whole year of 2014, as mentioned below:

index=* host=* source=* | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | stats count by _time indextime host index source sourcetype

I can see the index time with the latest timestamp, whereas the event time seems to be a 2014 date and time. It's really confusing how the recently indexed data (based on index time) is being assigned a very old timestamp. So kindly let us know how it works, or what the issue behind it is. How does the bucket concept work in Splunk Cloud? Can anyone help with this request please?
Hello everyone, I have some bar chart and column chart panels in my dashboard. If there are fewer results the view is perfect, along with the names. But if we pull up a 30-day report, it combines all the results and the view is not good. So I would like to add a horizontal scrollbar, like the default scroll bar that is added to a statistical table. So is it possible to set a scrollbar in a column chart?
Recently I moved alerts/reports/dashboards from one app to another. The alert was created in the launcher app and moved to an app called cap. The problem is that when the results are sent to my email ID and I hover the mouse over "view results in splunk", it shows the URL of the cap app, but when I click on it, it takes me to the URL of the launcher app and shows the results. Can someone please help?
My dashboard has 20 panels with a depends tag in the XML. Based on the user's selection from a checkbox, a JavaScript sets and unsets the tokens that are used in the depends class. Now 3 panels are displayed one below the other as per the user's selection in the checkbox, but these panels are in the order in which they appear in the XML file. Now I want the order to be set based on the user's click. I am looking for a JS that sets the panels in such a way that the latest click from the checkbox makes that panel appear on top of the other panels, pushing the existing panels below it. To put it simply, I want the selection the user clicked in the checkbox to be the topmost panel in the order of the dashboard.
Hi, we're thinking of installing the Splunk Cloud Gateway app on a local Splunk instance that is not yet connected to the internet. Looking at the manual, it seems that we need to open a port to the Cloud Service, but we don't understand whether we also need to provide a public IP for our local Splunk instance, or whether that's not needed and it's sufficient to open communication with the Splunk Cloud Service. Any suggestion or support? Thanks and best regards, Tomaso
Hi All, hope you are all doing well. I have to check 2 tables from different sources and get a new table that says match or not match:

Column1 Column2 One
abc abc match
pqr xyz not match

I tried to use a query to get the details, but it is still not working; the reason may be that the logs come in at different times. My query:

index=main source="Replicationlogs_*.txt" AND sourcetype=replication Store.* | rex field=source Replicationlogs_(?<store_number>\d{4}).txt | search store_number=* | dedup SCD | stats count by SCD store_number | rename SCD as SCD1 | appendcols [search index=main source=*.log sourcetype=nitrogen_logs (SCD!=: AND SCD!=-) | rex field=source (?<store_number>\d{4}).log | search store_number=* | dedup SCD | stats count by SCD store_number ] | eval Match=if(match(SCD1,SCD),"Yes","No") | fillnull value=0 | fields - count

And the values I get are like this:

STORE.brand 0010 No STORE.c-lens-fit
STORE.bridge-size 0010 No STORE.c-lens-issue-history
STORE.c-lens-fit 0010 No STORE.c-lens-payment-history
STORE.c-lens-issue-history 0010 No STORE.contact-detail
STORE.c-lens-payment-history 0010 No STORE.cust-c-lens-contract
STORE.c-lens-status-history 0010 No STORE.cust-c-lens-scheme

17 matches should appear, but as they are not in the same row the match is not displayed. Please help me resolve this issue. Thanks in advance.
Hello, I have a dashboard which contains a couple of panels, and it receives events once a month for a year calendar. I have specific dates for each month. Let's say for the current month it has events on 10-02-2020, and earliest is "02/10/2020:00:00:00" and latest is "02/10/2020:24:00:00". In the next month it will be on 20-03-2020; in this way, every month it has events on a specific day. When I load the dashboard, the earliest and latest values should be set for the current month to the day when the events arrived. When the next month's (March) events arrive, the earliest and latest should be set as earliest = "03/20/2020:00:00:00" and latest = "03/20/2020:24:00:00". The earliest and latest values should not change until the next month's date is matched.
Hi, we want to use the KNN algorithm included in the PyOD library (https://pyod.readthedocs.io/en/latest/index.html). As this library is not included in the app, is there any way to add it? Or should we just copy and modify the classes/methods we are interested in into the algo? Is there any best practice guide for this? Regards.
I am trying to run the following tstats search:

| tstats summariesonly=true estdc(Malware_Attacks.dest) as "infected_hosts" where "Malware_Attacks.action=allowed" from datamodel="Malware"."Malware_Attacks" | where 'infected_hosts'>100 | eval const_dedup_id="const_dedup_id"

but I get the error:

Error in 'TsidxStats': WHERE clause is not an exact query

Any help would be appreciated. Thx
Hello team, I have some power users who can create dashboards, but under permissions they don't see any other users to share them with except:

* Everyone
* -theirOwnRole-
* power
* user

I checked the documentation: https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/DashboardPermissions

"Power user role options: If you have the power role and its default capabilities, you can do the following. Provide other users with read and write access to the dashboard. Admin role options: If you have the admin role and its default capabilities, you can do the following. Create dashboards that are private, visible in a specific app context, or visible in all apps. Provide other users and roles with read and write access to the dashboard."

It says a power user should be able to share with users, and an admin with users and roles. The question is: why can my power user not see any other users under permissions except these 4? Any ideas? Thank you
I am trying to create a search that gets the top value of a search and saves it to a variable:

| eval top=[| eval MB_in=bytes_in/1024/1024 | stats sum(MB_in) by c_ip | rename sum(MB_in) as "Total Megabytes in" | sort -"Total Megabytes in" | head 1 | eval topval=c_ip | return $topval]

I then want to use this value in the main search. This is currently returning the following error:

Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.
Hi there, how can I get my _internal logs from my Fargate instance of Splunk? Ideally, get them sent to CloudWatch, or get a copy of them off the instance to a different location? Thanks!
Hi All, I am trying to write a query where we have to check whether all the jobs are in success or not-built status before the jobs fail at the Release stage.
I can't seem to set/unset a token based on whether some search result is equal to 1 or not. Can anybody point out why this doesn't work?

<form>
  <label>TEMP Endpoint Processes Clone</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="number" searchWhenChanged="false">
      <label>Host count</label>
      <default>100</default>
      <initialValue>100</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>host_count=$host_count$</p>
        <p>host_count1 is 1=$host_count1$</p>
        <p>host_count2 catchall=$host_count2$</p>
        <p>gotuniquehost=$gotuniquehost$</p>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <done>
            <condition match="$result.host_count$ == 1">
              <set token="gotuniquehost">True</set>
              <set token="host_count">$result.host_count$</set>
              <set token="host_count1">$result.host_count$</set>
            </condition>
            <condition>
              <unset token="gotuniquehost"></unset>
              <set token="host_count">$result.host_count$</set>
              <set token="host_count2">$result.host_count$</set>
            </condition>
          </done>
          <query>|stats count as host_count | eval host_count=$number$</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

And yet this is working:

<form>
  <label>TEMP Endpoint Processes Clone</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="number" searchWhenChanged="false">
      <label>Host count</label>
      <default>100</default>
      <initialValue>100</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>host_count=$host_count$</p>
        <p>host_count1 gt 1=$host_count1$</p>
        <p>host_count2 lt 1=$host_count2$</p>
        <p>host_count3 catchall=$host_count2$</p>
        <p>gotuniquehost=$gotuniquehost$</p>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <done>
            <condition match="$result.host_count$ &gt; 1">
              <unset token="gotuniquehost"></unset>
              <set token="host_count">$result.host_count$</set>
              <set token="host_count1">$result.host_count$</set>
            </condition>
            <condition match="$result.host_count$ &lt; 1">
              <unset token="gotuniquehost"></unset>
              <set token="host_count">$result.host_count$</set>
              <set token="host_count2">$result.host_count$</set>
            </condition>
            <condition>
              <set token="gotuniquehost">True</set>
              <set token="host_count">$result.host_count$</set>
              <set token="host_count3">$result.host_count$</set>
            </condition>
          </done>
          <query>|stats count as host_count | eval host_count=$number$</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

I run Splunk Enterprise 7.3.3. This seems to be a bug.
I am trying to save the top 1 value of a field from a search to a variable. I then want to use this value as input to a separate search.
Hi, what is the most convenient way to back up the Splunk configuration files for different Splunk islands? We are migrating our customers to Splunk 8 and want to make sure that the configuration is backed up periodically. Can we use the Splunk API for it? Best,
Hi, I am unable to get dbxquery data out to an alert. When I run the search normally I can see the data, and when I put it into an alert it is also fine. But it won't send the data to an email address; I get the following error:

02-24-2020 11:24:05.142 +0100 ERROR ScriptRunner - stderr from '/hp737srv2/apps/splunk/bin/python /hp737srv2/apps/splunk/etc/apps/search/bin/sendemail.py "results_link=http://hp737srv:8000/app/Murex/@go?sid=scheduler__admin__Murex__RMD53b83008a35dc2834_at_1582539840_32896" "ssname=PAC_PLO_blockedSybProc_TO_BE_DELETED_2" "graceful=True" "trigger_time=1582539844" results_file="/hp737srv2/apps/splunk/var/run/splunk/dispatch/scheduler__admin__Murex__RMD53b83008a35dc2834_at_1582539840_32896/results.csv.gz"': _csv.Error: line contains NULL byte

Below is the query that I am using. I am running it with a cron of * * * * * for testing.

| dbxquery query="select ProcName=program_name,Status=status, LoginName=convert(char(12),suser_name(suid)),HostName=hostname,ProcessId=hostprocess, Blk=blocked,DBName=convert(char(15),db_name(dbid)), Cmd_TransName=rtrim(convert(char(15),cmd))+'/'+rtrim(convert(char(15),tran_name)), CPU=cpu,PhyIOCmd=physical_io,TimeBlk=time_blocked,NetWorkPSize=network_pktsz, m.SPID,creationTime=s.loggedindatetime,m.CPUTime,m.WaitTime,memUsageKB=m.MemUsageKB,m.LogicalReads,m.PhysicalReads,m.LocksHeld,m.TableAccesses,m.IndexAccesses from master..sysprocesses s , master.dbo.monProcessActivity m where m.SPID = s.spid order by DBName" connection="PAC-PLO-ENV" | eval tmNow=now() | convert ctime(tnow) | eval timeNow=strftime(tmNow, "%Y-%m-%d %H:%M:%S") | eval ctime=strptime(creationTime,"%Y-%m-%d %H:%M:%S") | eval ctime=strptime(creationTime,"%Y-%m-%d %H:%M:%S") | eval timeDiff=tmNow - ctime | eval cpuPerc= CPUTime / timeDiff *100 | eval UpTime= tostring(timeDiff,"duration") | sort -CPUTime | search "SPID"="*" | table ProcessId, SPID, HostName, ProcName

Below is the data I can see, but I just can't get it into an email!!
Any ideas would be great, thanks.
I have these 2 directories being monitored by a forwarder. One is indexing and the other is not. They have the same root folder:

E:\FTP\BatFolder\Logs (data is being ingested)
E:\FTP\BatFolder\CE\CSVtoSplunk (data is not being forwarded)

All are just CSV files. I am pretty sure I have the correct props, since it is parsing the files coming from these 2 directories. I am also encountering this warning in _internal:

02-24-2020 05:21:19.588 -0500 WARN AdminManager - Handler 'remote_monitor' has not performed any capability checks for this operation (requestedAction=edit, customAction="enable", item="E:\FTP\BatFolder\CE\CSVtoSplunk "). This may be a bug.

Is anyone here experiencing the same issue?
Hi Team, we are using Splunk Cloud in our environment. I just created a report and I can see the Embed Report option, and I have also tested it in the website and it works fine. But I want to know how to embed a dashboard as a whole in an external website from Splunk Cloud. Kindly let us know whether embedding a dashboard is available for Splunk Cloud or not. If it is feasible, kindly help with the same.
Hello, I got complaints that users cannot log in to Splunk (LDAP setup) with the error "Login failed", and if they wait 10 minutes, then it is successful. I checked the splunkd logs and there are Timeout messages once in a while, as well as a lot of "Operation Error", but nothing else more precise. If I go to UI -> reload authentication strategy -> no error and everything succeeds, and I can see users under the different mapped groups. I have tried some different troubleshooting methods but nothing works.

1. Tried to run from a unix terminal:

ldapsearch -x -h myLdapserver -p myLdapserverport -D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

-> ldap_result: Can't contact LDAP server (-1)

So I am not sure whether the command is correct, and whether it is correct that I run it like this rather than ./splunk ldapsearch...? It must be that the command is wrong, because if there was something wrong with the LDAP server then I guess all login attempts would fail all of the time, which is not the case. How can I troubleshoot whether the problem is coming from a long wait (there are two timeout settings in authentication.conf)? How do I check if the problem is due to some of these being too low?

2. I also tried to run | ldapsearch in the Splunk UI. Result: after 2-3 minutes of waiting, seemingly while it runs:

External search command 'ldapsearch' returned error code 1. Script output = "error_message=AttributeError at "/pack/splunk/etc/apps/SA-ldapsearch/bin/packages/app/init.py", line 325 : 'LDAPSocketOpenError' object has no attribute 'replace' ".