Hi, I have been running the following query on a DB using dbxquery and I want to push the data to an INDEX. I was thinking of setting up an alert with an additional _time (| eval time = now() ) and then pushing the data to an index every X minutes. I am unsure how to do this. Below is an example of the query.

    | dbxquery query="select ProcName=program_name, Status=status, LoginName=convert(char(12),suser_name(suid)), HostName=hostname, ProcessId=hostprocess, Blk=blocked, DBName=convert(char(15),db_name(dbid)),
        Cmd_TransName=rtrim(convert(char(15),cmd))+'/'+rtrim(convert(char(15),tran_name)), CPU=cpu, PhyIOCmd=physical_io, TimeBlk=time_blocked, NetWorkPSize=network_pktsz,
        m.SPID, creationTime=s.loggedindatetime, m.CPUTime, m.WaitTime, memUsageKB=m.MemUsageKB, m.LogicalReads, m.PhysicalReads, m.LocksHeld, m.TableAccesses, m.IndexAccesses
        from master..sysprocesses s, master.dbo.monProcessActivity m where m.SPID = s.spid order by DBName" connection="PAC-PLO-ENV"

Thanks in advance
Rob
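One way to do what the post asks, shown here as an added example rather than anything from the post or from DB Connect's own documentation: a scheduled search that runs the dbxquery, stamps every row with the time of the run, and writes the rows into a summary index with collect. The connection name is the one from the post; the index name db_process_activity and the sourcetype are assumptions, and the select list is a shortened version of the post's query.

```spl
| dbxquery connection="PAC-PLO-ENV" query="select ProcName=program_name, Status=status, LoginName=convert(char(12),suser_name(suid)), HostName=hostname, ProcessId=hostprocess, DBName=convert(char(15),db_name(dbid)), CPU=cpu, m.SPID, m.CPUTime, m.WaitTime, m.LogicalReads, m.PhysicalReads, m.LocksHeld from master..sysprocesses s, master.dbo.monProcessActivity m where m.SPID = s.spid"
| eval _time=now()
| collect index=db_process_activity sourcetype="db:sysprocesses"
```

Save this as a report and schedule it (for example with the cron schedule */5 * * * * for every five minutes); the search time range is irrelevant because dbxquery does not read from an index. The summary index must already exist on the indexers, the role that owns the report needs permission to run collect (in 8.x this is the run_collect capability) and to use the DB Connect connection, and the database identity behind PAC-PLO-ENV should be a read-only login, since the scheduled search runs with its rights unattended. Each run writes one event per row with _time set to the poll time, so a stats count by ProcName over the summary index shows how the process list changed over time.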
Hi Team, just wanted to check with you what the difference is between host and NetworkDeviceName in the Cisco ISE context? I used the SPL queries below and got different results.

    index=cisco_ise | stats count by host
    index=cisco_ise | stats count by NetworkDeviceName

A little background on the architecture: we have syslog servers (Splunk forwarders as well) where Cisco ISE traffic logs are written, then we use Splunk file monitoring to check those Cisco ISE traffic logs and ingest them into Splunk. We also have the Splunk Add-on for Cisco ISE installed on those syslog servers/Splunk forwarders. Then we have the Splunk Add-on for Cisco ISE also on our indexer tier and search tier for field extraction and other conf. On our search head, we have the Splunk App for Cisco ISE. Regards, Jaracan
I have a file in a directory, whose timestamp is changed everyday using "touch" command. The contents might change after 3 months but not daily. I need to monitor this file in splunk and read the contents even if they are same.
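The monitor input remembers, per file, a CRC of the file's head and the byte offset it has read up to; touch changes the mtime but adds no bytes, so nothing new is read. A scripted input that prints the file on a schedule is one way to index the unchanged contents every day. This is an added example, not configuration from the post; the app-relative script path, index, sourcetype and schedule are assumptions.

```ini
# inputs.conf in the app that carries the script (added example; the script,
# index, sourcetype and cron schedule are assumptions)
[script://./bin/cat_snapshot.sh]
# run once a day at 06:00 local time; a plain number of seconds works too
interval = 0 6 * * *
sourcetype = app:config_snapshot
index = app_config
disabled = 0
```

The script itself is a one-liner, #!/bin/sh followed by cat /path/to/the/file, placed in the app's bin directory and made executable. Every run is indexed as new data, so it counts against the daily license volume each day, and a timestamp-free file will be stamped with the run time unless the sourcetype sets DATETIME_CONFIG = CURRENT explicitly. Because the content is identical from day to day, a search such as stats latest(_raw) by source is the way to read the current copy rather than relying on the file's mtime.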
Hello All, I have a problem with Splunk ES. Today I've noticed that there are no new alerts in the Incident Review panel. I have checked the notable index, and there are also no new alerts. The same situation in the case of information in the threat_activity index. My humble question is where I can start investigating the issue; in my opinion it's a problem with matching data against searches. Thanks BR Dawid
I am using an app that pulls data from a provider (AWS). Our current setup is as follows:
- The app is installed on a heavy forwarder. The HF is configured with authentication to AWS, and can pull its data.
- The HF collects AWS data and forwards it to the indexer.
- The indexer has the app for required indexing (transforms, props, etc).
- The SHC has the app installed for reports / dashboards / searches and alerts.
Most of the app works fine, but one thing that isn't working is lookups. There is a search that populates the lookup that gets scheduled. Running the search on the HF doesn't work, it throws an error (but I don't think that trying to populate the lookup on the HF is right). I can run the command that populates the lookup on the SHC, but it doesn't return any results: the custom command executes AWS API calls, but the SHCs are authorized to make API calls. Is there a way to retrieve the data via the HF and then populate it into the lookup in the SHC somehow? Or would I need to authorize the SHC to AWS?
Hi, I'm new to Splunk and I would like to know the types of logs which can be indexed into Splunk, and the collector and port details. Like JSON, using the HEC collector, and which port.
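For the JSON-over-HEC case the question mentions, here is an added example of the receiving side, not configuration from the post or from Splunk's own documentation. HEC listens on 8088 by default; the token value, index and sourcetype below are placeholders.

```ini
# inputs.conf on the instance that receives HEC traffic (added example;
# the token value, index and sourcetype are placeholders)
[http]
disabled = 0
port = 8088
enableSSL = 1

# one token per sending application, so a leaked token can be revoked alone
[http://app_json_events]
token = 00000000-0000-0000-0000-000000000000
sourcetype = _json
index = app_events
# the only index this token is allowed to write to, even if the sender names another
indexes = app_events
```

A sender then POSTs to https://<host>:8088/services/collector/event with the header Authorization: Splunk <token> and a body such as {"event": {"user": "alice", "action": "login"}, "sourcetype": "_json"}. Test against a self-signed certificate with curl -k only until a proper certificate is in place; the token travels in a header, so plain HTTP (enableSSL = 0) exposes it on the wire. For the other common inputs, forwarders send to the splunktcp receiving port, 9997 by convention, and syslog is usually written to disk by a syslog daemon on 514 and picked up with a file monitor rather than sent to Splunk directly.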
Hello, the Splunk query provides incorrect responses. I have a query which filters the data on a specific day and provides the results. Here we index the CSV data every day by using CRCSALT= as we need the whole data set to be reindexed even if there is no change in the data set. In the query I have used an eval command to print a value CAP-M1, M2, M3 etc. for each query outcome as a unique identifier, but my query provides incorrect unique values while executing. For example, I have a query A with unique value CAP-M1 and query B is supposed to print the unique value CAP-M2, but query B keeps providing value M1 instead of M2. In the screenshot it is supposed to print M4 for all days but it is printing various values. Similarly for other searches also. Is this due to some cache memory issue in Splunk? Thanks
Hi, I am using Splunk version 8.0.1 with Python version 3 and now I want to use Splunk Mobile, but Splunk Cloud Gateway is not compatible with Python 3. So is there any way by which I can make Splunk (with Python 3) work with Splunk Mobile? Or any idea when a Python 3 compatible version will be released? Thanks,
I want a dashboard to be created for port scans (to detect 2000 port scan attempts from one single IP towards a single destination within 5 min). I tried creating one dashboard but the values in the dashboard keep changing every time the dashboard refreshes. I want a dashboard that will display all the port scan attempts for the last 24 hrs satisfying the condition (2000 port scan attempts in 5 min) and the values in the dashboard should stay for 24 hrs.
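The detection itself, as an added example that is not from the post: the index, sourcetype and field names (src_ip, dest_ip, dest_port) are assumptions, so map them to the firewall's real fields. The post counts "attempts"; what distinguishes a scan from a busy client is the number of distinct destination ports, so the search reports both and thresholds on distinct ports. The snapped time range (-24h@h to @h) is what keeps the panel stable: a plain "last 24 hours" slides with every refresh, so events at the edge of the window appear and disappear.

```spl
index=firewall sourcetype="fw:traffic" earliest=-24h@h latest=@h
| bin _time span=5m
| stats dc(dest_port) AS distinct_ports count AS attempts BY _time src_ip dest_ip
| where distinct_ports >= 2000
| sort - _time
| table _time src_ip dest_ip distinct_ports attempts
```

bin gives fixed five-minute windows aligned to the clock; a burst that straddles two windows can fall below the threshold in both, so a sliding window via streamstats time_window=5m dc(dest_port) AS distinct_ports BY src_ip dest_ip is the stricter variant. For a panel whose rows must survive 24 hours regardless of refreshes, schedule the search hourly with | collect into a summary index and point the panel at that index. A per-source threshold of 2000 ports in five minutes only catches fast scans from one address; slow or distributed scans need a longer window and a lower per-source threshold.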
I need to fetch data from Salesforce in Splunk using the Splunk connector. 'Order By' is mandatory in Splunk, but it does not support 'Order By desc'. I need to sort the data in Order By desc only. Is there any way to do it in the connector? Please suggest.
The submit button will not change the search if the time and condition are the same. To solve this problem, is there any way to make the search run again even if the condition or time value is the same when pressing the submit button?
Hi. I want to pin a specific panel at the top when scrolling, like the default Search & Reporting app. To do this, I read the code for the fixed option and for fixing specific panels when scrolling. Also, in order to materialize this phenomenon, the code of the whole body must be bundled once again with a div. By the way, even if I tie it with a div, it doesn't tie at all. How do we solve it? Thank you...
I built a dashboard (step 1 :)) and would like to add the ability to choose the search mode (via a drop-down menu, etc.), with the default set as fast mode. Is this possible? Thank you!
I have just upgraded Splunk Enterprise from 7.1.2 to 8.0.2. The web service fails to come up with these error messages:

    2020-02-23 10:37:55,767 ERROR [5e529c52d37fbf0415d5d0] admin:421 - Failed to fetch DMC settings to verify status
    2020-02-23 10:37:55,767 ERROR [5e529c52d37fbf0415d5d0] admin:422 - [HTTP 404] https://127.0.0.1:8089/services/dmc-conf/settings/settings; [{'code': None, 'text': 'Not Found', 'type': 'ERROR'}]

Not sure what to do with this now - would be great if someone could please point me in the right direction, short of a downgrade. Thanks!
I have a single Splunk server running on Windows Server 2019 Standard. I migrated it from another Windows Server 2019 box that was running out of capacity. Everything seems to work great except the configuration pages for the apps/TAs. They just sit at "Loading". I tried removing the apps, restarting Splunk and reinstalling them in hopes that it would let me configure, but I get the same issue. Any suggestions?
Hello everyone, I would like to know the steps to achieve the questions below. Can anyone please help me?
1. How to move data from a cold bucket to a hot bucket (I have already gone through some steps in the community like take a backup of the cold bucket and replace the hot bucket with that, something like that, but I was not clear). Can anyone please help me with the steps?
2. Second, in a log I have 2 different kinds of logs and I want to send those to different indexes. Ex: I have a and b in the log, I want to send a to index1 and b to index2.
Can anyone please provide the steps to achieve the above?
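For the second question, index routing by event content, here is an added example that is not from the post. The post's "a" and "b" are placeholders, so the example assumes the two kinds of line carry a distinguishing token, event_type=a or event_type=b; the sourcetype name app:mixed is also an assumption. Both indexes must already exist, and the stanzas belong on the first full Splunk instance that parses the data (indexer or heavy forwarder), not on a universal forwarder.

```ini
# props.conf (added example; sourcetype name and markers are assumptions)
[app:mixed]
TRANSFORMS-route = route_a_to_index1, route_b_to_index2

# transforms.conf
# Overwrite the index key for lines that match; later transforms in the
# list win, so the two patterns must not overlap.
[route_a_to_index1]
REGEX = \bevent_type=a\b
DEST_KEY = _MetaData:Index
FORMAT = index1

[route_b_to_index2]
REGEX = \bevent_type=b\b
DEST_KEY = _MetaData:Index
FORMAT = index2
```

Lines that match neither pattern stay in the index set on the input, so check that index for strays after the change with index=<input index> sourcetype=app:mixed. Routing is a common way to give the two kinds of data different access controls and retention, which is worth confirming on the two target indexes once the split is in place.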
    at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:129)
    at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:97)
    at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122)
    at com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:835)
    at com.mysql.cj.jdbc.ConnectionImpl.(ConnectionImpl.java:455)
    at com.mysql.cj.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:240)
    at com.mysql.cj.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:199)
    at java.sql.DriverManager.getConnection(DriverManager.java:664)
    at java.sql.DriverManager.getConnection(DriverManager.java:208)
    at org.apache.commons.dbcp2.DriverManagerConnectionFactory.createConnection(DriverManagerConnectionFactory.java:89)
    at org.apache.commons.dbcp2.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:260)
    at org.apache.commons.pool2.impl.GenericObjectPool.create(GenericObjectPool.java:889)
    at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:433)
    at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:362)
    at org.apache.commons.dbcp2.PoolingDataSource.getConnection(PoolingDataSource.java:134)
    at com.appdynamics.dbmon.dbagent.collector.db.relational.dbconnection.DataSourceManager.getConnection(DataSourceManager.java:67)
    at com.singularity.ee.agent.dbagent.collector.db.ADBAvailabilityCollector.getConnection(ADBAvailabilityCollector.java:158)
    at com.singularity.ee.agent.dbagent.collector.db.relational.RelationalDBAvailabilityCollector.collectDBAvailabilityMetrics(RelationalDBAvailabilityCollector.java:67)
    at com.singularity.ee.agent.dbagent.collector.db.ADBAvailabilityCollector.run(ADBAvailabilityCollector.java:109)
    at com.singularity.ee.util.javaspecific.scheduler.AgentScheduledExecutorServiceImpl$SafeRunnable.run(AgentScheduledExecutorServiceImpl.java:122)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at com.singularity.ee.util.javaspecific.scheduler.ADFutureTask$Sync.innerRunAndReset(ADFutureTask.java:335)
    at com.singularity.ee.util.javaspecific.scheduler.ADFutureTask.runAndReset(ADFutureTask.java:152)
    at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.access$101(ADScheduledThreadPoolExecutor.java:119)
    at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.runPeriodic(ADScheduledThreadPoolExecutor.java:206)
    at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.run(ADScheduledThreadPoolExecutor.java:236)
    at com.singularity.ee.util.javaspecific.scheduler.ADThreadPoolExecutor$Worker.runTask(ADThreadPoolExecutor.java:694)
    at com.singularity.ee.util.javaspecific.scheduler.ADThreadPoolExecutor$Worker.run(ADThreadPoolExecutor.java:726)
    at java.lang.Thread.run(Thread.java:745)
Hi, I am cloning a sourcetype twice (using TRANSFORMS-CLONE = CLONE_SOURCETYPE_JAVA,CLONE_SOURCETYPE_JAVA1). Then in transforms.conf I define it:

    [CLONE_SOURCETYPE_JAVA1]
    CLONE_SOURCETYPE = sun_jvm
    REGEX = .

    [CLONE_SOURCETYPE_JAVA]
    CLONE_SOURCETYPE = GC11
    REGEX = .

sun_jvm works but GC11 does not (it takes in all lines as one event). I have reduced it down to the timestamp that I think is causing the issue. It looks like a small difference in the timestamp brackets [ ] is causing Splunk not to pick up GC11 correctly.

Working one (sun_jvm):

    2020-02-17T20:06:26.345+0100: 0.567: GC 9216K->4524K(32256K), 0.0132560 secs:
    2020-02-17T20:06:26.345+0100: 0.567: GC 9216K->4524K(32256K), 0.0132560 secs:
    2020-02-17T20:06:26.345+0100: 0.567: GC 9216K->4524K(32256K), 0.0132560 secs:

    [sun_jvm]
    MAX_TIMESTAMP_LOOKAHEAD = 30
    TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
    TIME_PREFIX = ^
    SHOULD_LINEMERGE = false
    category = Custom
    disabled = false
    pulldown_type = true

Non-working (GC11):

    [2020-01-31T21:15:58.195+0100] GC(8) Pause Full (System.gc()) 82M->11M(1024M) 11.992ms
    [2020-01-31T22:15:58.204+0100] GC(9) Pause Full (System.gc()) 81M->11M(1024M) 9.231ms
    [2020-01-31T23:15:58.215+0100] GC(10) Pause Full (System.gc()) 81M->11M(1024M) 10.501ms

    [GC11]
    DATETIME_CONFIG =
    LINE_BREAKER = ([\r\n]+)
    NO_BINARY_CHECK = true
    category = Custom
    disabled = false
    pulldown_type = true
    TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N+0100]
    TIME_PREFIX = ^\[
    MAX_TIMESTAMP_LOOKAHEAD = 100

If I send the data directly into GC11 it works, but if I send it as a clone it picks up the data as one big event and does not break it down into multiple lines. Other information: I take it in and clone it with the stanza below. With sun_jvm I am able to break it down into multiple lines, but not for GC11.

Any help would be great, thanks.

    [G1]
    SHOULD_LINEMERGE = false
    LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}
    TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
    TIME_PREFIX = ^
    MAX_TIMESTAMP_LOOKAHEAD = 28
    DATETIME_CONFIG =
    NO_BINARY_CHECK = true
    category = Custom
    pulldown_type = 1
    disabled = false
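Line breaking and timestamp extraction happen in the parsing and merging pipelines under the sourcetype the data arrives as; CLONE_SOURCETYPE runs later, in the typing pipeline, so a clone inherits the event boundaries and timestamp that the original sourcetype already produced. The G1 LINE_BREAKER above only fires before a bare 2020-... timestamp, and the bracketed [2020-... lines never match it, which is consistent with the whole stream arriving in GC11 as a single event while direct ingestion (which uses GC11's own breaker) works. The following is an added example of a G1 stanza that accepts both layouts; it is not from the post, and only the LINE_BREAKER and TIME_PREFIX differ from the poster's G1.

```ini
# props.conf on the parsing tier, replacing the poster's [G1] (added example)
[G1]
SHOULD_LINEMERGE = false
# break before a timestamp with or without a leading "["
LINE_BREAKER = ([\r\n]+)\[?\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}
# skip the optional "[" before reading the timestamp
TIME_PREFIX = ^\[?
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
# "2020-01-31T21:15:58.195+0100" is 28 characters
MAX_TIMESTAMP_LOOKAHEAD = 28
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
disabled = false
```

Because the clone is already broken and timestamped, the LINE_BREAKER and TIME_* settings in [GC11] only matter for data sent to GC11 directly. For that direct path, note that the GC11 stanza hardcodes +0100] in TIME_FORMAT; %z as used in G1 also accepts +0200 once the JVM's local offset switches to summer time, and a fixed +0100 would then stop matching. Verify the change with a test file through the Add Data preview or by searching sourcetype=GC11 | stats count by _time after a restart of the parsing instance.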
Hello, I have this configuration in transforms.conf:

    [adjust_flight_fields]
    INGEST_EVAL = flight_id=Designator.Flight_no."_".strftime(strptime(Schedule_time_departure, "%Y-%m-%d %H:%M"), "%s"), registration_prefix:=if(isnull(registration_prefix), "", registration_prefix), Tail_no:=registration_prefix.Tail_no

I see the flight_id field under "selected fields" but when I try to use it in a search such as index=* flight_id=dhdhd I get no results. Also, if I search for flight_id!=fdfd then I get results without the id I selected. Can someone tell me what the problem is? Thanks
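INGEST_EVAL creates flight_id as an indexed field, stored as a flight_id::<value> term. Unless fields.conf declares the field as indexed, a search for flight_id=<value> is executed as a search for the token <value> in _raw followed by a field filter; a computed value never appears in _raw, so nothing matches, while flight_id!=<value> is an exclusion and is unaffected. This matches the symptoms in the post. The fix below is an added example, not from the post; it goes on the search head (and on the indexers if they also run searches).

```ini
# fields.conf on the search head (added example, not from the post)
[flight_id]
INDEXED = true
```

Before deploying, confirm the diagnosis with the explicit indexed-field syntax index=* flight_id::dhdhd, which bypasses the _raw token lookup without any configuration change. Both settings restart only the search layer, but the fields.conf stanza should be distributed with the same app that carries the transforms.conf so the two stay in step.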
Hi, I have events in the following format. It would either be a "Successful log in" or an "Unsuccessful login". I'm trying to do a CIM mapping under the Authentication data model and need the values to show up as either success or failure to map correctly, but I'm struggling a bit with this.

    1|Sun, 23 Feb 2020 22:31:10 +1000|INFO||||||user "ABCD" (1): Successful log in. (API Connection)

Thanks, AKN
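One way to map the sample above to the Authentication data model, as an added example that is not from the post: a search-time extraction for user and app, an eval that normalises the outcome to success or failure, and the event type and tag that pull the sourcetype into the model. The sourcetype name api:auth is an assumption. The unsuccessful branch is tested first and both patterns are case-insensitive, so "Unsuccessful login" can never be misread as a success by the substring "successful".

```ini
# props.conf on the search head (added example; sourcetype name is an assumption)
# sample: 1|Sun, 23 Feb 2020 22:31:10 +1000|INFO||||||user "ABCD" (1): Successful log in. (API Connection)
[api:auth]
# timestamp settings belong on the parsing tier; shown here for completeness
TIME_PREFIX = ^\d+\|
TIME_FORMAT = %a, %d %b %Y %H:%M:%S %z
MAX_TIMESTAMP_LOOKAHEAD = 32
EXTRACT-user = user "(?<user>[^"]+)"
EXTRACT-app = \((?<app>[^()]+)\)\s*$
EVAL-action = case(match(_raw, "(?i)unsuccessful log ?in"), "failure", match(_raw, "(?i)successful log ?in"), "success", true(), "unknown")

# eventtypes.conf
[api_auth]
search = sourcetype=api:auth action=success OR action=failure

# tags.conf
[eventtype=api_auth]
authentication = enabled
```

The Authentication model also expects src and dest; the sample carries neither, so if the logging host is the system being authenticated to, EVAL-dest = host is a reasonable assumption to add, and src stays null unless another field in the full event provides it. Check the result with | datamodel Authentication search or with tstats count from datamodel=Authentication where sourcetype=api:auth by Authentication.action.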