Below is my scenario, as described by an Oracle DBA. I have two indexes:

INDEXA: fieldA, fieldB, fieldC
INDEXB: fieldA, fieldX, fieldY, fieldZ

First I need to join them both; it will be kind of a LEFT JOIN, as you probably noticed, by fieldA. Then group it by fieldA+fieldZ and count each group.

In DBA language, something like:

select a.fieldA, b.fieldZ, count(*) from indexA A left join indexB B on a.fieldA=b.fieldA group by a.fieldA, b.fieldZ

Any hints?

K.
Hi All,

TagData [ { Key: Application Value: Test_App } { Key: Email Value: test@abc.com } ]

I have nested JSON data as above. I want to extract the Email field value and map it to a new field, owner_email. This needs to be done at index time. With a normal Splunk search, I am getting it this way:

index=*_test sourcetype="test:sourcetype" source="*:test" | array2object path="TagData" key="Key" value="Value" | rename "TagData.Email" as owner_email

Please help me with how to achieve this at index time. How do I update the props.conf file?

Regards,
PNV
Hi everyone, I am writing a Python script to move a knowledge object to another app. For example, with a lookup file I can do it with the REST API endpoint servicesNS/<user>/<app_name>/data/lookup-table-files/<lookup_file_name>/move

But I can't find a function to do that with the Splunk Python SDK: https://docs.splunk.com/DocumentationStatic/PythonSDK/1.7.4/client.html#splunklib.client.Configurations

If you have experience with the Splunk SDK, please share it with me. Thanks!
I assume the answer is to check Forwarder Management under Settings, or to check Forwarder Deployment in the Monitoring Console. Is there any other way?
Assume for the moment that these work individually:

Outputs1

[tcpout]
defaultGroup = primary_indexers
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true

[indexer_discovery:company]
pass4SymmKey = passhere
manager_uri = https://clustermanager:8089

[tcpout:primary_indexers]
indexerDiscovery = company
sslCertPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cacert.pem

Outputs2

[tcpout]
defaultGroup = heavy_forwarders
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true

[tcpout:primary_heavy_forwarders]
server = y.y.y.y:9997
sslCertPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercacert.pem

If I understand the documentation correctly, all we would need to do is this:

[tcpout]
defaultGroup = primary_indexers, primary_heavy_forwarders
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true

[indexer_discovery:company]
pass4SymmKey = passhere
manager_uri = https://clustermanager:8089

[tcpout:primary_indexers]
indexerDiscovery = company
sslCertPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cacert.pem

[tcpout:primary_heavy_forwarders]
server = y.y.y.y:9997
sslCertPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercacert.pem

Is this correct? In this configuration the exact same data would be flowing to both destinations? There would be no issues binding the certificates to different stanzas? I appreciate the responses.
Hello, my current search is

index=winsec source=WinEventLog:Security EventCode=6272 | eval date_hour = strftime(_time, "%H") | where date_hour >= 19 OR date_hour <=06 | timechart count(src_user)

This provides me with a graph of logins made after hours. I want to expand the acceptable items to include the entire days of Saturday/Sunday as well. When I attempt to add this, I get "no results". What would be the best way to include that?
I am using Splunk Enterprise Version 9.2.1 and installed IT Essentials Learn, but I am getting an error fetching use case families. Is ITSI a prerequisite for ITE? I installed the app using the GUI.
Hi there, I am trying to get some data from MS Defender into a Splunk query. My original KQL query in Azure contains | JOIN KIND INNER to concat the DeviceProcess and DeviceRegistry tables. The Splunk app I am using: https://splunkbase.splunk.com/app/5518

So basically I'd like to do a concatenation between DeviceProcess and DeviceRegistry events in an advanced hunting query (| advhunt) in Splunk SPL. Is there a suitable Splunk query for this kind of purpose?
Hello, I have been using the Splunk SIEM tool for some time. I have integrated security data to be reused by IBMi servers. The information included in Splunk is generated by the IBMi, so I wonder whether Splunk understands the data it receives. An example: when IBMi sends a zone called Remote_IP, can Splunk know that it is an IP address? Do I have to change the format of its data? I also wonder how to do data correlation in Splunk. Thanks in advance for reading.
Hi All, I want to extract an email from a JSON event in Splunk. The query I am using is:

index=*sec sourcetype=test | eval tags_json=spath(_raw, "Tag{}"), final_tag_json=json_object() | foreach mode=multivalue tags_json [ | eval final_tag_json=json_set(final_tag_json, spath('<<ITEM>>', "Key"), spath('<<ITEM>>', "Value"))] | spath input=final_tag_json | rex field=Email "(?<email>^\w+@abc.com$)"

Raw data:

"Tag": [{"Key": "app", "Value": "test"_value}, {"Key": "key1", "Value": "value1"}, {"Key": "key2", "Value": "value2"}, {"Key": "email", "Value": "test@abc.com"}],

I want email to be mapped to contact when indexed. How can I achieve this? Please help me.

Regards,
pnv
How can we configure a disk space alert using Splunk? Is it possible?
How do I update test_MID_IP.csv with the output IP, so that next time it runs with the updated list?

index=abc IP!="10.*" [| inputlookup ip_tracking.csv | rename test_DATA AS MID | format ] | lookup test_MID_IP.csv test_IP as IP OUTPUT test_IP | eval match=if('IP'== test_IP, "yes", "no") | search match=no | stats count by IP
I had defined the complete path in inputs.conf and restarted the Splunk forwarder, but got an error in the splunkd logs. Kindly refer to the attachment.
I am creating a dashboard view using HTML/CSS code, but after saving, the dashboard is showing in text format only. Below is the code and how the dashboard is looking.

<dashboard>
  <label>Manual-supression</label>
  <description>Please enter the values for your One-Time-Blackout.</description>
  <row>
    <panel>
      <html>
        <![CDATA[
        <style>
          .container { width: 100%; max-width: 600px; margin: 0 auto; padding: 20px; background: white; border-radius: 10px; box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); }
          .container h1 { color: #4CAF50; text-align: center; }
          .form-group { margin-bottom: 15px; }
          .form-group label { display: block; font-weight: bold; }
          .form-group input, .form-group select, .form-group textarea { width: 100%; padding: 10px; border: 1px solid #ccc; border-radius: 5px; }
          .form-group input[type="datetime-local"] { padding: 8px; }
          .save-button { display: block; width: 100%; padding: 10px; background-color: #4CAF50; color: white; border: none; border-radius: 5px; cursor: pointer; text-align: center; font-size: 16px; }
        </style>
        <div class="container">
          <h1>One-Time-Blackout</h1>
          <div class="form-group">
            <label for="blackoutFilter">Blackout Filter</label>
            <input type="text" id="blackoutFilter" placeholder="Please enter a blackout filter or a blackout filter list separated by commas.">
          </div>
          <div class="form-group">
            <label for="startDate">Start Date and Time</label>
            <input type="datetime-local" id="startDate">
          </div>
          <div class="form-group">
            <label for="endDate">End Date and Time</label>
            <input type="datetime-local" id="endDate">
          </div>
          <div class="form-group">
            <label for="timeZone">Time Zone</label>
            <select id="timeZone">
              <option value="UTC+0">UTC +0h</option>
              <!-- Add other time zones as needed -->
            </select>
          </div>
          <div class="form-group">
            <label for="blackoutActive">Blackout Active</label>
            <select id="blackoutActive">
              <option value="true">True</option>
              <option value="false">False</option>
            </select>
          </div>
          <div class="form-group">
            <label for="description">Description</label>
            <textarea id="description" placeholder="Additional information about this entry."></textarea>
          </div>
          <button class="save-button">Save</button>
        </div>
        ]]>
      </html>
    </panel>
  </row>
</dashboard>

The output looks like this, in text format:

Manual-supression Please enter the values for your One-Time-Blackout. <style> .container { width: 100%; max-width: 600px; margin: 0 auto; padding: 20px; background: white; border-radius: 10px; box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); } .container h1 { color: #4CAF50; text-align: center; } .form-group { margin-bottom: 15px; } .form-group label { display: block; font-weight: bold; } .form-group input, .form-group select, .form-group textarea { width: 100%; padding: 10px; border: 1px solid #ccc; border-radius: 5px; } .form-group input[type="datetime-local"] { padding: 8px; } .save-button { display: block; width: 100%; padding: 10px; background-color: #4CAF50; color: white; border: none; border-radius: 5px; cursor: pointer; text-align: center; font-size: 16px; } </style> <div class="container"> <h1>One-Time-Blackout</h1> <div class="form-group"> <label for="blackoutFilter">Blackout Filter</label> <input type="text" id="blackoutFilter" placeholder="Please enter a blackout filter or a blackout filter list separated by commas."> </div> <div class="form-group"> <label for="startDate">Start Date and Time</label> <input type="datetime-local" id="startDate"> </div> <div class="form-group"> <label for="endDate">End Date and Time</label> <input type="datetime-local" id="endDate"> </div> <div class="form-group"> <label for="timeZone">Time Zone</label> <select id="timeZone"> <option value="UTC+0">UTC +0h</option> <!-- Add other time zones as needed --> </select> </div> <div class="form-group"> <label for="blackoutActive">Blackout Active</label> <select id="blackoutActive"> <option value="true">True</option> <option value="false">False</option> </select> </div> <div class="form-group"> <label for="description">Description</label> <textarea id="description" placeholder="Additional information about this entry."></textarea> </div> <button class="save-button">Save</button> </div>
If this is my current query... <I am currently sending metric data to O11y and receiving data through the Splunk sim command. What I'm curious about is that I want to optimize my current query using a base search. Is this possible?>

| sim flow query="A = data('sap.hana.connection.count', rollup='latest').sum(by=['CONNECTION_STATUS']).publish(label='A')" resolution=10 | tail 20 | stats avg(_value) as avg_val by _time, CONNECTION_STATUS

<row>
  <panel id="connections">
    <html depends="$hiddenForCSS$">
      <style>
        #connections{ width: 15% !important; }
      </style>
    </html>
    <single>
      <title>Connections</title>
      <search>
        <query>| sim flow query="A = data('sap.hana.connection.count', rollup='latest').sum().publish(label='A')" | stats sum(_value) as host_sum by _time</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>$time_set$</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="colorBy">value</option>
      <option name="colorMode">none</option>
      <option name="drilldown">none</option>
      <option name="height">151</option>
      <option name="numberPrecision">0</option>
      <option name="rangeColors">["0x555","0x118832","0x1182f3","0xf1813f","0xdc4e41"]</option>
      <option name="rangeValues">[0,30,50,70]</option>
      <option name="refresh.display">progressbar</option>
      <option name="showSparkline">0</option>
      <option name="showTrendIndicator">0</option>
      <option name="trellis.enabled">0</option>
      <option name="trellis.scales.shared">1</option>
      <option name="trellis.size">medium</option>
      <option name="trendColorInterpretation">standard</option>
      <option name="trendDisplayMode">absolute</option>
      <option name="unitPosition">after</option>
      <option name="useColors">1</option>
      <option name="useThousandSeparators">1</option>
    </single>
  </panel>
  <panel id="Con_state">
    <html depends="$hiddenForCSS$">
      <style>
        #Con_state{ width: 34% !important; }
      </style>
    </html>
    <single>
      <title>Connections by state</title>
      <search>
        <query>| sim flow query="A = data('sap.hana.connection.count', rollup='latest').sum(by=['CONNECTION_STATUS']).publish(label='A')" resolution=10 | tail 20 | stats avg(_value) as avg_val by _time, CONNECTION_STATUS</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>$time_set$</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="colorMode">none</option>
      <option name="drilldown">none</option>
      <option name="height">174</option>
      <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
      <option name="refresh.display">progressbar</option>
      <option name="trellis.enabled">1</option>
      <option name="trellis.scales.shared">0</option>
      <option name="trellis.size">medium</option>
      <option name="useColors">1</option>
    </single>
  </panel>
</row>
Hi guys, I tried to add a new Splunk license on the WebUI and the CLI; both failed.

On the CLI, I see the error:

/opt/splunk/etc/licenses/enterprise/24.7.License: failed to parse license because: The license payload seems to be empty

On the WebUI, when I add it I get a 500 error. Running the search recommended on the error page,

index=_internal host="monitor*" source=*web_service.log log_level=ERROR requestid=666fdcbe397fd164249e90

I get this:

2024-06-17 13:50:38,231 ERROR [666fdcbe397fd164249e90] error:338 - Traceback (most recent call last):
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 628, in respond
    self._do_respond(path_info)
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 680, in _do_respond
    self.body.process()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 982, in process
    super(RequestBody, self).process()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 559, in process
    proc(self)
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 225, in process_multipart_form_data
    process_multipart(entity)
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 217, in process_multipart
    part.process()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 557, in process
    self.default_proc()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 717, in default_proc
    self.file = self.read_into_file()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 731, in read_into_file
    fp_out = self.make_file()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 513, in make_file
    return tempfile.TemporaryFile()
  File "/test1/opt/splunk/lib/python3.7/tempfile.py", line 586, in TemporaryFile
    prefix, suffix, dir, output_type = _sanitize_params(prefix, suffix, dir)
  File "/test1/opt/splunk/lib/python3.7/tempfile.py", line 126, in _sanitize_params
    dir = gettempdir()
  File "/test1/opt/splunk/lib/python3.7/tempfile.py", line 294, in gettempdir
    tempdir = _get_default_tempdir()
  File "/test1/opt/splunk/lib/python3.7/tempfile.py", line 229, in _get_default_tempdir
    dirlist)
FileNotFoundError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/']

Anyone know why? Thank you for your time.
I want to get a list of scheduled saved searches with the name and the searches themselves. Can anybody help?
Hi Splunk, we are setting up a Splunk Heavy Forwarder with version 9 for development testing and configuring it to forward data to a Splunk Indexer with version 7, and we are collecting data through the DB Connect App. We would like to know if there will be any issues with the Heavy Forwarder sending data to the Indexer running version 7. Of course, it is best to upgrade to the same version, but we would like to first check if there are any issues in this process. If you need more information about this configuration, ask me anytime.
I cannot renew my developer license according to https://dev.splunk.com/enterprise/dev_license/. I get the same error code 400 every time. I also cannot get a response when I send an email to devinfo@splunk.com. What should I do?
Hi, I want to ask where I can find the indexed data stored, as per the below. I found the bucket consists of the RAW data, index file and some metadata: