Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Stopping splunkd is taking up to 6 minutes to complete. We have a process that snapshots the instance, and we are stopping splunkd prior to taking that snapshot. Previously, with v9.0.1, we did not experience this; now we are on v9.2.1. While shutting down I am monitoring splunkd.log, and the only errors I am seeing have to do with the HFs:

TcpInputProc [65700 tcp] - Waiting for all connections to close before shutting down TcpInputProcessor

Has anyone else experienced something similar post-upgrade?
Hi All, this is the query I am using to try to get the status, but in the table it shows both error and success. PFA screenshot.

| eval Status=case(priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*","ERROR", priority="WARN","WARN", priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*","SUCCESS")
| stats values(Status) as Status by transactionId
How can I resolve this error: "Couldn't complete HTTP request: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"? I keep getting it on the Splunk forwarder when I run these commands:

SPLUNK_HOME/splunk list monitor
SPLUNK_HOME/splunk list inputstatus
I am trying to compute the R-squared value of a set of measured values, to verify the performance or accuracy of a predictive model. But I can't figure out how to go about this, or whether Splunk has a function or command for it. Thanks
I have a dashboard that I use when checking whether a server is compliant. It looks normal in the dashboard, but when I export it as a PDF the last column gets moved to a new page. I found this in ./etc/system/bin/pdfgen_endpoint.py:

DEFAULT_PAPER_ORIENTATION = 'portrait'

What I can't find is a way of overriding the default to change it to landscape. Does such a file exist? If not, beyond changing the code, any ideas on how to get a landscape report so the final column will be on the same page? TIA, Joe
Hello, I am currently working on building out a GUI for the software I work on and am looking for a way to query data from our Splunk instance to use in our front-end. I have looked at the documentation here (Splunk Design System) as well as some code examples here (GitHub - splunk/react_search_example), but I cannot find a straightforward answer for how to hook into our Splunk instance and query data from it. From the documentation and examples it seems like what I am trying to do is definitely possible, I just can't figure out how. Any help is greatly appreciated. Kevin
Hello, I need to determine the app name based on a lookup table for the SPL search below. The SPL search results have a field called SQL, which contains the SQL syntax, which in turn contains one of the keywords in a field of the lookup table. I am not sure if join, union, inputlookup, lookup and/or a combination with the where command will solve this puzzle. Any help is appreciated.

The lookup file name is: lookup_weblogic_app.csv

Lookup file sample values:
lk_wlc_app_short    lk_wlc_app_name
ART                 Attendance Roster Tool
Building_Mailer     Building Mailer
SCBT                Service Center Billing Tool

SPL search results (field SQL):
''' as "FIELD",''Missing Value'' AS "ERROR" from scbt_owner.SCBT_LOAD_CLOB_DATA_WORK
''' as "something ",''Missing Value'' AS "ERROR" from ART_owner.ART_LOAD_CLOB_DATA_WORK
from Building_Mailer_owner.Building_Mailer_

Desired final outcome:
lk_wlc_app_short    SQL
scbt                ''' as "FIELD",''Missing Value'' AS "ERROR" from scbt_owner.SCBT_LOAD_CLOB_DATA_WORK
ATR                 ''' as "something ",''Missing Value'' AS "ERROR" from ART_owner.ART_LOAD_CLOB_DATA_WORK
Building_Mailer     from Building_Mailer_owner.Building_Mailer_
Hello, I have just started to ingest some log files that are split up by lines, e.g. --------, however for some reason Splunk is splitting the one log file into multiple events. Can someone help me figure this out? Example log attached. My input is currently set as:

[monitor://C:\ProgramData\XXX\XXX\CaseManagement*.log]
disabled = 0
interval = 60
index = XXXXlogs
sourcetype = jlogs

Do I need a props file, and if so, what do I put in it?
Hello All, I have an LDAPsearch app installed on one of the on-prem Heavy Forwarders and I need to index the search output into an index we have created. Our IDX and SH are on Splunk Cloud. Would appreciate all suggestions. Thanks in advance. Murali
I have a status field with two string values, Dropped and Notdropped. If the value comes as Dropped, I want to show the background color as green, and if the value comes as Notdropped the color should be green. How can I achieve this in a single-value card in Splunk Studio?
Hello, if possible, I need help getting a percentage of uptime for a transaction over time. I have a search that creates a transaction based on:

startswith=Create endswith=Close keepevicted=true

The events are coming from OpsGenie for when an alert is created and closed. Is there any way to take the time between either Create/Close or Close/Create for a one-week timeframe to obtain the percentage? Thanks for all of the help; let me know if any more details are needed. Tom
Afternoon All, I'd like some help please with some SPL logic that I just can't crack. I have data on some users in our Active Directory system and I am trying to create a new column with actions: identify those who have not logged in for more than 61 days, and if so the action should return "reset password". Here's the part that I am having an issue with. The first two lines are working as expected, returning last_logon_total as day, month, year. I have a new field I created called 'action' that I want to return a value in for those users who have not logged in for more than 61 days, but I can't get the SPL right.

| eval epoch_lastLogonTimestamp_date = strptime(lastLogonTimestamp, "%Y-%m-%dT%H:%M:%S")
| eval last_logon_total = strftime(epoch_lastLogonTimestamp_date, "%d/%m/%Y")
| eval action = if(last_logon_total = relative_time(), "-61d@d", "reset password")

Any ideas? Thanks, Paula
Hi All, I have a field in my data called 'message' which contains information about the status of a file. I'd like to categorize files as either success or failure files based on the content of the field. For example, if the message contains values like (success, processed, completed) then I want to label the corresponding file as a success; if it contains values like (failed, failure) I want to label it as a failure file. How do I implement this using an SPL query? I tried the query below but am not getting it right.

index=mulesoft environment=DEV applicationName="Test"
| stats values(content.FileName) as Filename1 values(content.ErrorMsg) as errormsg values(content.Error) as error values(message) as message values(priority) as priority min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY correlationId
| eval SuccessFileName=case(match(message, "File put Succesfully*|Successfully created file data*|Archive file processed successfully*|Summary of all Batch*|processed successfully for file name*|SUCCESS") AND not match(priority,"ERROR|WARN"),FileName1,1=1,null())
| eval FailureFileName=case(match(message,"Failed to process file:"),FileName1,1=1,null())
| table SuccessFileName FailureFileName Response correlationId
Can anyone help me by providing the URL to download Splunk AI, or the steps for how to use it?
Hello Splunkers!! I want to configure an SSL certificate in Splunk so that my Splunk Web URL communicates over https. To obtain "privKeyPath" in web.conf I have used the two commands below:

splunk cmd openssl genrsa -aes256 -out SplunkPrivateKey.key 2048
splunk cmd openssl rsa -in SplunkPrivateKey.key -out splunk_key.key

To obtain "serverCert" in web.conf I have used the command below:

splunk cmd openssl x509 -in splunk.cer -out splunk.pem

Note: splunk.cer is with me (provided by the organization, so I am obtaining a self-signed certificate).

[settings]
enableSplunkWebSSL = 1
privKeyPath = D:\Splunk\etc\auth\mycert\splunk_key.key
serverCert = D:\Splunk\etc\auth\mycert\splunk.pem

I have used all the above commands and configured the certificate under those paths, but Splunk Web is still not working securely. Please suggest any other modification or alteration I need to make. Thanks in advance!!
Can I monitor a file on a search head?
Hi team, I upgraded from version 9.0.5 to 9.1.2 and the upgrade completed successfully, but the Splunk web page shows a "can't reach this page" window. I verified from the bin directory:

E:\splunk\bin>openssl s_client -connect simdoowwww:443
WARNING: can't open config file: ::::::/openssl.cnf
connect: No such file or directory
connect:errno=0

web.conf:

[settings]
enableSplunkWebSSL = 1
privKeyPath =a $SPLUNK_HOME\etc\auth\custom\myServerPrivateKey.key
serverCert = $SPLUNK_HOME\etc\auth\custom\gddjkowww.ap.kinely.com.pem
httpport = 443

The above configuration is in the back-end system, but the page "can't reach this page" is displayed. Please help me with that.
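The three TLS posts above (the forwarder CLI failing with an SSL23_GET_SERVER_HELLO handshake alert, the Splunk Web certificate setup, and the post-upgrade "can't reach this page") come down to the same handful of checks on the private key, the certificate and the handshake itself. The script below is an added example written for this page, not code from Splunk or from any of the posters. It assumes a POSIX shell with the system openssl on PATH (on Windows the same openssl sub-commands run via splunk cmd openssl), reuses the file names from the web.conf posts, and the hostnames, ports and PEM fragments it mentions are constructed. Note that the "can't open config file" line in the s_client output above is only an OpenSSL warning about a missing openssl.cnf; the connection failure is the "connect:" line that follows it.

```shell
#!/bin/sh
# Added example for the Splunk Web / forwarder TLS posts; not from the original page.
# Assumes: POSIX sh, `openssl` on PATH. File names and hostnames are illustrative.

# Splunk Web cannot open a passphrase-protected key unless web.conf also carries
# sslPassword, so the first check is the PEM header of the file in privKeyPath.
# Returns 0 when the key is encrypted, 1 when it is a plain key.
key_is_encrypted() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# A .cer handed out by an internal CA is often DER; `openssl x509 -in` defaults
# to PEM and fails on it. Prints PEM or DER, or returns 1 if neither parses.
cert_inform() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        echo PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        echo DER
    else
        return 1
    fi
}

# Returns 0 when the key in $1 belongs to the PEM certificate in $2, i.e. both
# carry the same SubjectPublicKeyInfo. Works for RSA and EC keys alike.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Offline checks for a web.conf privKeyPath / serverCert pair.
# Usage: check_splunk_web_tls <privKeyPath> <serverCert>; returns 0 if all pass.
check_splunk_web_tls() {
    key=$1; cert=$2; rc=0
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is passphrase-protected; run 'openssl pkey -in $key -out plain.key' or set sslPassword"
        rc=1
    else
        echo "ok:   $key is an unencrypted private key"
    fi
    form=$(cert_inform "$cert") || { echo "FAIL: $cert is neither PEM nor DER"; return 1; }
    if [ "$form" = DER ]; then
        echo "FAIL: $cert is DER; convert with 'openssl x509 -inform DER -in $cert -out ${cert%.*}.pem'"
        rc=1
    fi
    if key_matches_cert "$key" "$cert"; then
        echo "ok:   public key in $cert matches $key"
    else
        echo "FAIL: $cert was not issued for the key in $key"
        rc=1
    fi
    return $rc
}

# Drives a handshake against host:port the way a browser (Splunk Web, 443/8000)
# or the splunk CLI (management port, 8089) would. $3 is an optional s_client
# protocol flag such as -tls1_2; forcing one version is how you confirm the
# version/cipher mismatch behind an "sslv3 alert handshake failure".
# Prints protocol, cipher and verify result; returns 0 if a server cert came back.
tls_handshake() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" ${3:-} 2>&1) || return 1
    printf '%s\n' "$out" | grep -E 'Protocol|Cipher is|Verify return code'
    printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'
}

# Only act when invoked with arguments, e.g.
#   sh check_tls.sh check splunk_key.key splunk.pem
#   sh check_tls.sh handshake splunk.example.internal 8089 -tls1_2
if [ "${1:-}" = check ] && [ $# -eq 3 ]; then
    check_splunk_web_tls "$2" "$3"
elif [ "${1:-}" = handshake ] && [ $# -ge 3 ]; then
    tls_handshake "$2" "$3" "${4:-}"
fi
```

Run the check mode against the exact files named in web.conf; a key that still carries its -aes256 passphrase, a DER .cer renamed to .pem, or a key/cert pair that do not share a public key each produce a FAIL line that points at the fix. Run the handshake mode against the Splunk Web port (the second and third posts) and against port 8089 (the forwarder CLI in the first post): if the handshake completes with one forced version and fails with another, the server's sslVersions or cipher list does not overlap with what the client offers, which is the mismatch behind the SSL23_GET_SERVER_HELLO alert.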
Hi all, I am new to Splunk, and I have got the following error: "Field '_time' should have numerical values" when I try to run a timechart command. I have a csv file 'try.csv', from which I read in some fields to display, but when I run a timechart command I get the above error. The csv file 'try.csv' has a column named _time, which holds an ISO8601 time. I would appreciate any guidance or help I can get, as I am relatively new to Splunk. Thanks
Hello everyone, I'm currently working on a dashboard to visualize database latency across various machines, and I'm encountering an issue with the line chart's SPL (Search Processing Language). The SPL requirement is to retrieve all values of the field ms_per_block grouped by ds_file_path and machine. Here's my SPL:

index=development sourcetype=custom_function user_action=database_test ds_file=*
| eval ds_file_path=ds_path."\\".ds_file
| search ds_file_path="\\\\swmfs\\orca_db_january_2024\\type\\rwo.ds"
| chart values(ms_per_block) by ds_file_path machine

My result:

My goal is to have output where each ds_file_path value is listed in an individual row along with the corresponding machine and ms_per_block values in separate rows. I've tried using the table command:

| table ds_file_path, machine, ms_per_block

But this doesn't give me the desired output. The machine name is a value under a field, whereas I need each machine name to be a separate field, each containing its respective ms_per_block value. I feel like I'm missing something here. Any guidance on how to achieve this would be greatly appreciated. Thanks in advance!
Hello Splunk Community, I am trying to extract "timestamp":"1715235824441" with the proper details. Could anyone help me with this? Thanks in advance. Regards, Sahitya