Hi, with the XML below I display a complex bar chart that you can see in the screenshot. I would like to modify 3 things:
1 - I need to delete "Number" under the X axis.
2 - Under each bar of the chart I would like to have the scale that is actually in the legend. Could you help me please?
3 - I need to do an average on the process_cpu_used_percent field. Something like:
| eval cpu_range=case(avg(process_cpu_used_percent>0 AND process_cpu_used_percent <=20,"0-20",

<row>
  <panel>
    <title>CPU overall usage</title>
    <chart>
      <search>
        <query>`CPU`
| fields process_cpu_used_percent host
| eval host=upper(host)
| eval cpu_range=case(process_cpu_used_percent>0 AND process_cpu_used_percent <=20,"0-20", process_cpu_used_percent>20 AND process_cpu_used_percent <=40,"20-40", process_cpu_used_percent>40 AND process_cpu_used_percent <=60,"40-60", process_cpu_used_percent>60 AND process_cpu_used_percent <=80,"60-80", process_cpu_used_percent>80 AND process_cpu_used_percent <=100,"80-100")
| chart dc(host) as "Number" by cpu_range
| append [| makeresults | fields - _time | eval cpu_range="0-20,20-40,40-60,60-80,80-100" | makemv cpu_range delim="," | mvexpand cpu_range | eval "Number"=0]
| dedup cpu_range
| sort cpu_range
| transpose header_field=cpu_range
| search column!="_*"
| rename column as cpu_range</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
      <option name="charting.axisTitleX.text">CPU Usage (%)</option>
      <option name="charting.axisTitleY.text">Number of hosts</option>
      <option name="charting.axisY.abbreviation">none</option>
      <option name="charting.axisY.maximumNumber">1000</option>
      <option name="charting.axisY.minimumNumber">0</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.chart">column</option>
      <option name="charting.chart.showDataLabels">all</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.drilldown">none</option>
      <option name="charting.fieldColors">{"0-20":0x49B849,"20-40":0x006EAA,"40-60":0xE0AC16,"60-80":0xDA742E,"80-100":0xC84535}</option>
      <option name="charting.legend.placement">right</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
</row>
<row>
I have some saved Splunk reports. I am calling these reports every hour by a Java API call. If in any hour my query failed due to some issue, I update that entry in a table. The next hour, while running this query, I want to run it for the last 2 hour time range instead of 1 hour. Is there any way I can control the time range of a saved search? I don't have any time field in my report. I am using Splunk Enterprise Security 7.2.5.1.
A particular host is frequently down in Linux. Kindly help me with the steps to find the root cause and fix the issue.
I am using Sankey to track sources and targets using both status code errors and counts. It works fine; however, I would like to know how to lift the limit of 3 items in the group along with the totals for "Others". The rollup is hiding data which I would like to see in the tooltip.
Hi Team, I have a KPI with split by entity, say "Ent1". I have made a correlation search using this KPI, and in the triggered email I want to send this entity in the subject line. Can anybody help me in this regard? Thanks
I'm trying to implement CSV-based lookups in Splunk; the sample CSV looks like below. We get the hostnames from logs, but not Zone or Department, so all I need is to enter Zone E in the search bar and get all the logs or transactions, with a sidebar where I can choose PCs from Zone E. Below is the setup.

This file is located in /opt/splunk/etc/apps/search/lookups/

zones.csv
Host, Zone, Department
MEL2ITD001, Zone E, ITM
MEL2ACD001, Zone F, FIN

This file is located in /opt/splunk/etc/apps/search/local

transforms.conf
[zones]
filename = zones.csv

But I can't get this to work; any suggestion would be really appreciated.
After deploying splunk-connect-for-k8s 1.3, I saw lots of warning messages from splunk-splunk-kubernetes-logging:

2020-02-19 02:50:09 +0000 [warn]: #0 [containers.log] /var/log/containers/splunk-splunk-kubernetes-logging-4wqnj_default_splunk-fluentd-k8s-logs-e403ac1d989b252566536f844f3817ac9334ac1dbc80bbfeda04fb063dac65a8.log unreadable. It is excluded and would be examined next time.

It seems all of the pod logs are skipped and unreadable. I can find them under /var/log/containers, but they are softlinks. Not sure if this caused any issues. The K8s cluster is deployed by kubespray.

lrwxrwxrwx 1 root root 127 Feb 18 21:47 splunk-splunk-kubernetes-logging-4wqnj_default_splunk-fluentd-k8s-logs-e403ac1d989b252566536f844f3817ac9334ac1dbc80bbfeda04fb063dac65a8.log -> /var/log/pods/default_splunk-splunk-kubernetes-logging-4wqnj_56c07fb2-d86d-411b-92a4-7c214919a33d/splunk-fluentd-k8s-logs/0.log

I wonder if anyone has seen this before, and whether I misconfigured something or there is any solution for this... Thanks in advance!
Hi, I've been working on a Splunk add-on, and inside the validate_input section I make an API call to splunkd to get an unencrypted version of the input to validate it. However, all my API calls from the add-on script to the Splunk API (i.e. calling localhost:8089/servicesNS/nobody/my-addon/my-addon) to get this data never receive a response and eventually time out, BUT ONLY when the validate_input section is called from the UI (for example after an input data change). If I hit the endpoint in Postman with the same headers/parameters it goes through fine. External calls to websites like google.com work fine and return responses when triggered from the UI. Does anyone have any idea as to why calls originating from the UI would always cause these timeouts ONLY when calling splunkd? Any tips on how I could go about debugging this issue?
Dear support team, we have some questions about GCP's GCS integration. Our data files have been saved into GCP's GCS, so we need to receive this data in Splunk. How do we get GCS data into Splunk? We already installed the GCP add-on in Splunk. If you have any questions about it, please let me know. Thanks, John.
Hello Team, we would like to set up a machine agent for the AIX servers. Please let us know which machine agent we need to install. I tried to install machineagent-bundle-64bit-linux-4.5.16.2357.zip but am getting a JRE issue (java cannot execute). Any suggestion on a package I have to use which is compatible with a 4.5.5 on-prem controller, or anything to fix the JRE issue? Thanks in advance
Hello everyone, can you get information from an information point in a service endpoint? I already tried to implement this using the same class, but it is not reflected in the service endpoint.
I would like to retrieve data from Solarwinds when events trigger via syslog. I know you can use the Solarwinds Splunk App, but I would like to use syslog instead.
Hi All, I have an issue where a device is not logging to Splunk. When I checked splunkd.log I found this error. Note: I already changed the URL and server name for security purposes.

02-18-2020 10:19:52.849 +1000 ERROR TcpOutputFd - Connection to host=172.x.x.x:9997 failed
02-18-2020 10:21:22.458 +1000 ERROR X509 - X509 certificate (CN=BXXXXX,OU=X ,O=X,L=X,ST=X C=X) alternate name (BX,BX.bxxy.net) did not match any allowed names (BZ)

Do you have any idea what this error means? It seems to me that the heavy forwarder of the device does not match the name of the one allowed on the indexer. Thanks,
I would like to create a dashboard in Splunk on my ExtraHop ML security detections. How do I do this?
I have logs with the below format:

Feb 18 23:25:49 ip-x-x-x-x customerService 2020-02-18T23:25:49.340Z level=INFO component=customerServiceresource message="Request {"customerDetails":{"customerName":"Jack","bank":"xxx","action":"decline"}}
Feb 18 23:25:49 ip-x-x-x-x customerService 2020-02-18T23:25:49.340Z level=INFO component=customerServiceresource message="Request {"customerDetails":{"customerName":"mike","bank":"xxx","action":"approve"}}
Feb 18 23:25:49 ip-x-x-x-x customerService 2020-02-18T23:25:49.340Z level=INFO component=customerServiceresource message="Request {"customerDetails":{"customerName":"holden","bank":"yyy","action":"approve"}}
Feb 18 23:25:49 ip-x-x-x-x customerService 2020-02-18T23:25:49.340Z level=INFO component=customerServiceresource message="Request {"customerDetails":{"customerName":"leslie","bank":"yyy","action":"decline"}}

1) Get the count of records where bank is xxx and action is approve
2) Get the count of records where bank is yyy and action is decline
3) Display all records that have bank yyy and action decline (displaying point 2)
I've created a dashboard with a couple of bar graphs and two tables. Both bar graphs have drilldowns that set/unset two tokens to hide/unhide the related table. Also, those tokens are used as part of the respective table search query. Using the UI option to convert the dashboard to HTML does nothing when clicking the "Convert Dashboard" button. Checking the logs, I found that web_service.log complains about something in line 63 of drilldown.py (in the python3 path):

TypeError: a bytes-like object is required, not 'str'

That line is a call to logger.warn, passing some string parameters to %s and %d placeholders. If you remove the placeholders and the parameters, and feed logger.warn a literal string, "Convert Dashboard" now works. I feel this is an issue with the migration to Python 3 (and the change from byte strings to Unicode strings, from Python 2), although I'm not sure if it lies entirely on the side of Splunk or if there's something in my server configuration that might have something to do with it. I'd file a bug report but I don't have an active support contract.
Using version 4.0. I've been able to get basic queries using ldap_filter to work after some edits to myLDAP2.py (the code was overwriting what the user specified in the ldap command). Now I'm trying to request specific attrs, such as:

| ldap server=ldap.example.com ldap_filter="(uid=username)" attrs="cn"

I get no results. Then looking in myLDAP2.py, around lines 305-318, following the comment:

# check what attributes will be returned, default all

The "default all" case is implemented, but the:

else: # no, we only get certain attributes back

...case isn't implemented at all; it just prints a debug line. I could probably implement this, but before I spend a lot of time doing so, it would be nice to know: is there a more recent dev version where this is implemented? Is there a git repo or the like where development for this project is tracked? Thanks for your time, Jim
Hi - I have a requirement to build an API that will report on the "up time" of my application. I'm looking to use Browser Synthetic Monitoring to test every 15 minutes or so, but I'm wondering if AppD can then export the results of this test to an external system to make it available in my reporting API. Any suggestions would be much appreciated.
Searching:

index=sec_windows source=wineventlog:security EventCode=4776 action=failure

should return a field called Error_Code which signifies the error encountered by the authenticating user. This field parses "-" for everything, which is incorrect. I have tried to use the field extractor, but that still hasn't worked. I don't know why. If I extract the field inline:

| rex field=Message "Error\sCode:\s+(?<Error_Code>0[^\s]+)"

it works, but there are way too many events to do this.
Hi Team, how can I find and get information about the Oracle tablespaces and datafile used and free space in a Splunk dashboard? If it is utilized more than the 90% threshold, how can I set an alert for that Oracle database in Splunk?