I have a monitoring search that we are viewing both as a graph and, when drilling in, as the events. When viewing the events, the information is correct, no issue, but when viewing the data as a chart, every once in a while we get an error. Normally the graph's bars are counting by the Client_IP and the number of events it sees, but for some it randomly switches to counting by the user name (while still saying it's the Client_IP)... For clarification, most user names are either 'unknown' or 'domain\123456' but some are just '123456' and it's those that are causing issues. I don't want to take the usernames out of the search, as they provide valuable information when the team is drilling into the events, but this error is annoying to deal with. This is the search we are running:

index="pan_logs" | search action=blocked NOT "symantec" | fillnull user value="N/A" | stats values(http_category) values(dest_name) values(user) as UserName count by client_ip | sort -count | head 100

I have a dashboard with a drill-down and want to add an external link to each row, where each row will have a customized link that goes to the same website, but to a different part of the website. For example, if I am pulling data from Jira, I have multiple items in Splunk and now I want to have a link that would open the JIRA website, but with the info for that specific item. Thank you in advance!

Please, any help will be appreciated. We have a lookup test_pci_asset.csv with a field nt_host. Values of nt_host are host1, host2. Raw log host fields in Splunk are host1.abc.com. We are trying to use an automatic lookup to match the host field so when we run a query it can pull back host1.abc.com as host. We tried the following with WILDCARD(nt_host) but no luck. Props and transforms below.

props.conf
[default]
LOOKUP-test_pci_asset.csv = test_pci_asset nt_host AS host OUTPUTNEW bunit category city ip owner

transforms.conf
[test_pci_asset]
batch_index_query = 0
case_sensitive_match = 0
filename = test_pci_asset.csv
match_type = WILDCARD(nt_host)

I am getting these errors in my internal logs:

ERROR SearchOperator:kv - Cannot compile RE \"(?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*)\s*(?[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)\s*(?[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)\" for transform 'field_extraction_for_scm_system': Regex: two named subpatterns have the same name (PCRE2_DUPNAMES not set).

Couldn't figure out how to fix it.

Hello people, I am trying to do an XML where a user sets a start time (typed in a box), then the end time, and those two time tokens are sent to a query to search in that time range. Any clue about this? Thanks!!

Hello, I've been trying to get my Splunk instance to send out email alerts using the Amazon SES SMTP server without much luck. The error in my python.log file seems to suggest that it is not collecting the correct server I have configured under Settings -> Server settings -> Email settings, or alert_actions.conf. The error being:

ERROR sendemail:142 - Sending email. ... server="localhost"
ERROR sendemail:473 - [Errno 111] Connection refused while sending mail to: email@domain.com

Oddly enough, it gathers email@domain.com just fine as defined in my alert definition. I've seen other posts on here suggesting that values in savedsearches.conf can override the action.email.mailserver configuration, but I see no such file in my local config directory, nor any other suggestion of a conflict for action.email.mailserver.

Assume you have a lookup table and you want to load the lookup table and then search it for a value or values, but you don't know which field/column the value(s) might be in in the lookup table. How can you search the lookup table for the value(s) without defining every possible field=value combination in the search? For example, the following fails:

| inputlookup uid_host_ip_mac.csv | search myuserid OR myhostname OR myip OR mymac | table _time uid host ip mac | sort - _time

But the below would work:

| inputlookup uid_host_ip_mac.csv | search uid=myuserid OR uid=myhostname OR uid=myip OR uid=mymac OR host=myuserid OR host=myhostname OR host=myip OR host=mymac OR ip=myuserid OR ip=myhostname OR ip=myip OR ip=mymac OR mac=myuserid OR mac=myhostname OR mac=myip OR mac=mymac | table _time uid host ip mac | sort - _time

Obviously in this case I know which field=value pairs go together, so in reality I wouldn't use all these possible combinations in this example, but if I didn't know which field=value pairs went together, how could I keyword search the lookup table like in the first example?

Getting this error in Heavy Forwarder logs:

02-06-2020 18:28:00.283 +0000 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0.
02-06-2020 18:28:08.696 +0000 ERROR HttpInputDataHandler - Parsing error : Server is busy
02-06-2020 18:28:08.703 +0000 ERROR HttpInputDataHandler - Parsing error : Server is busy
02-06-2020 18:28:09.881 +0000 WARN TailReader - Could not send data to output queue (parsingQueue), retrying...
02-06-2020 18:28:16.717 +0000 ERROR HttpInputDataHandler - Parsing error : Server is busy
02-06-2020 18:28:16.725 +0000 ERROR HttpInputDataHandler - Parsing error : Server is busy
02-06-2020 18:28:20.075 +0000 WARN TcpOutputProc - The TCP output processor has paused the data flow. Forwarding to output group US-EAST-1-INDEXER-CLUSTER has been blocked for 10 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
02-06-2020 18:28:21.717 +0000 ERROR HttpInputDataHandler - Parsing error : Server is busy
02-06-2020 18:28:21.726 +0000 ERROR HttpInputDataHandler - Parsing error : Server is busy
02-06-2020 18:28:24.881 +0000 INFO TailReader - ...continuing.
02-06-2020 18:28:29.847 +0000 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0.

No error spotted in indexer logs. Data is being received via HTTP Event Collector on the Heavy Forwarder.

I have an enterprise instance and a forwarder on the remote system. As of mid-Jan 2020 I am not receiving any events from the forwarder. The team who built this hasn't documented how it was configured. I referred to all the documentation on splunk>answers and have tried, with no luck, to find the cause and fix it. I am a newbie on Splunk. Both servers are on AWS. Nothing changed last month, as far as I know. Please help rectify.

Hi All, I am trying to use fillnull to populate empty values within the same field with unique values. For example, for the first empty value found in field1, insert unknown1; for the second empty value found in field1, insert unknown2, etc. Any suggestions?

Search made before:

...| stats values(user) as AllUsers, values(usr_mod) as ModifiedUsers

And it returns two lists:

AllUsers: Usr1 Usr4 Usr3 Usr2
ModifiedUsers: Usr2 Usr1 Usr4

My purpose is to get the users that weren't modified, i.e. Usr3. Thanks in advance, Rsaude

A selection of users in Bogota, Colombia are getting:

IDP failed to authenticate request. Status code="Responder" Check splunkd.log for more information about the failure.

Multiple users here in Raleigh, NC can access the logs fine. I have read several articles indicating this is an SSO issue, but we are not doing SSO with Splunk. I do not know how to look at this splunkd.log either.

Hi! I am trying to leverage Splunk for NERC compliance, but for more than just logging. I want to get a baseline configuration which captures OS, patches, software, and ports and services. My idea was to have the system generate the information and write it to a file, and have the Splunk universal forwarder monitor the file daily. There would be a cronjob that would run daily to execute commands like:

1) netstat -ano
2) uname -r
3) rpm -qa

This would then get ingested into Splunk. How has the community been using Splunk for NERC baseline compliance? Are there any add-ons that could help? It would need to be able to track changes to the baseline of allowable ports and services, change records of the change, and run reports on a baseline of a particular day. For this last part I was thinking of using a dashboard or creating a table. Thoughts or suggestions?

I'm trying to determine which of my company's application logs aren't being split correctly, but I'm having a hard time getting a regex search that only returns results that fit the scenario. The problem part of the raw log is:

[SKY_LOG_END]\n[SKY_LOG_START]

Any help would be appreciated.

I'm trying to make a search that allows me to see users resetting and changing their password. I have this SPL:

index=wineventlog EventCode=4723 OR EventCode=4724 | eval Modifier = mvindex(Account_Name, 0) | eval Member_Modified = mvindex(Account_Name, 1) | eval Modifier_Domain = mvindex(Account_Domain, 0) | eval Modified_Domain = mvindex(Account_Domain, 1) | table _time, Modifier, Member_Modified, EventCode

This shows me all the changes of the event codes in my environment. I was wondering if there was a way to take away the users that have both a 4724 (reset) and then a 4723 (changed), so that I can see which users still have to change their password after the reset.

Is it possible to refer to a specific post-process search in your dashboard by use of a token (input dropdown)? For instance, when having two post-process searches from a base search, I want to refer to either one of the post-process searches by using a token in a panel. This however doesn't seem to work; see the example below.

<form>
  <search id="BaseSearchQ">
    <query>SOME Base Search QUERY</query>
  </search>
  <search base="BaseSearchQ" id="PostProcessQ1">
    <query>SOME Post Process QUERY1</query>
  </search>
  <search base="BaseSearchQ" id="PostProcessQ2">
    <query>SOME Post Process QUERY2</query>
  </search>
  <row>
    <panel>
      <input type="dropdown" token="selectedtok" searchWhenChanged="true">
        <label>Service Provider</label>
        <choice value="PostProcessQ1">Windows</choice>
        <choice value="PostProcessQ2">Linux</choice>
      </input>
      <single>
        <title>TEST_FOO</title>
        <!-- base is given the dropdown token; the token set above is "selectedtok" -->
        <search base="$selectedtok$">
          <query>VISUALIZATION</query>
        </search>
      </single>
    </panel>
  </row>
  ...

I am not getting any results back using this dedup search query:

index=prdidx sourcetype="OUTPUT" source="http-access.log" NOT "ELB-HealthChecker/2" | rex "(?((\d+)\.(\d+)\.(\d+)\.(\d+))) (?P[^ ]+) (?P[^ ]+) \[(?P[^\]]+)\] \"(?P[^\"]+)\" (?\d+) (?\d+) (?\d+) \"(?P[^\"]+)\" \"(?P[^\"]+)\" \"(?P[^\"]+)\"" | search NOT user_name=- | search NOT user_name=test | dedup session_id

Search data:

x.x.x.x estsdfasf dsfads [06/Feb/2020:08:13:23 -0800] "GET https://google.com HTTP/1.1" 200 5925 0.0200 "https://google.com/6492" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" "gbhaxl"
x.x.x.x sadfkanfadskf lsds [06/Feb/2020:08:13:23 -0800] "GET https://tests.com/generate HTTP/1.1" - - - "https://tests.com/34490" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0" "el1z6d"
x.x.x.x estsdfasf dsfads [06/Feb/2020:08:13:23 -0800] "GET https://google.com HTTP/1.1" 200 5925 0.0200 "https://google.com/6492" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" "gbhaxl"

Hi, I installed Machine Agent v4.5.8.2073 GA on one of my servers. In the home view of AppDynamics under "Servers" I see the server agent, 2 agents, twice grayed:

server01-java
server01

When I click it a window opens saying "Advanced features will be available with Server Visibility license". I do have available licenses. Why is it still grayed?

Hi all, we are currently using Splunk v7.2. I am integrating Splunk with OMI and seeing issues in configuring the state changes for Splunk alerts. I am looking at whether Splunk could send an All Clear / Resolved notification every time an alert triggers. This would be highly helpful to determine the state change and to track the tickets down. Please let me know if this feature is already available in Splunk or can be expected at least in future releases.