I'm working on a Splunk data feed outage alert: "The following data feed has been detected down: Index=a sourcetype=splunkd host=b". Can someone point me in the right direction for troubleshooting this issue? Thanks a lot.
Please give me examples of agentless and agent-based onboarding in Splunk.
While sending a REST API request to change the owner of a knowledge object, I am getting the following error: "You do not have permission to share objects at the system level", even though the user has the "sc_admin" role. Is there any specific capability that is missing that is needed for this?
Hi, we have stopped getting O365 logs. When I looked for errors, I see the error below. Does it mean the client secret has expired?

level=ERROR pid=22156 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=utils.py:wrapper:72 | datainput=b'xoar_Management_Exchange' start_time=1715152233 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/utils.py", line 70, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 135, in run
    executor.run(adapter)
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/batch.py", line 54, in run
    for jobs in delegate.discover():
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 225, in discover
    self._clear_expired_markers()
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 294, in _clear_expired_markers
    checkpoint.sweep()
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/checkpoint.py", line 86, in sweep
    return self._store.sweep()
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/checkpoint.py", line 258, in sweep
    indexes = self.build_indexes(fp)
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/checkpoint.py", line 189, in build_indexes
    indexes[key] = pos
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/sortedcontainers/sorteddict.py", line 300, in __setitem__
    dict.__setitem__(self, key, value)
MemoryError
Hello, I am trying to deploy WordPress + the PHP agent in Docker using a Dockerfile, following this article: https://docs.appdynamics.com/appd/24.x/latest/en/application-monitoring/install-app-server-agents/php-agent/php-agent-configuration-settings/node-reuse-for-php-agent. I have already configured the AppDynamics agent following the configuration referred to in that link. This is my Dockerfile:

FROM wordpress:php7.4

# Install required dependencies
RUN apt-get update && apt-get install -y wget tar && \
    apt-get clean && rm -rf /var/lib/apt/lists/*

# Copy phpinfo
COPY phpinfo.php /var/www/html

# Download and extract AppDynamics PHP Agent - use this to download agent from AppDynamics Download Portal
WORKDIR /var/www/html

# Copy downloaded AppDynamics PHP Agent - use this if the agent is already downloaded in the docker working dir
RUN mkdir -p /opt/appdynamics
COPY appdynamics-php-agent-linux_x64 /opt/appdynamics/
RUN chmod -R a+w /opt/appdynamics/

# Install AppDynamics PHP Agent
RUN cd /opt/appdynamics/appdynamics-php-agent-linux_x64/ && ./install.sh -s -a=abcde@abcde -e /usr/local/lib/php/extensions/no-debug-non-zts-20190902 -i /usr/local/etc/php/conf.d -p /usr/bin -v 7.4 abcde.saas.appdynamics.com 443 WordPress-Docker Bakcend-Tier Backend-Node

# Expose port 80
EXPOSE 80

My goal is for my agent to automatically use the container name, hostname, host ID, prefix or whatever via the reuseNode feature, instead of manually filling in the node name in every PHP agent installation. Can we do that? Because with the Node.js agent we can do that even when my application is running in Docker.
Hi, I'm new to Splunk, so I apologize if this question seems naive. While experimenting with calculated fields, I found some inconsistent results. Consequently, I removed these fields and tested directly in the search. I'm aware that the syntax I'm using here with eval is not the one specified in the documentation, but I'm using it to simulate the calculated field (and it yields the same results). I've seen this use of eval elsewhere, but only for very simple things. When I run:

stats sum(eval((bytes/(1024*1024)))) as MB

it works. However, when I run

stats sum(eval(round(bytes/(1024*1024),2))) as MB

I get results, but they are totally inconsistent. What could be happening? Where is my mistake? (Note that I'm not looking for the correct solution - I already have it - but I want to understand why this syntax doesn't work.) Thanks.
Hi, I am trying to achieve an automation where I will be running a query and then passing the IPs that I need to send to Akamai via a POST API. I know the edgegridauth library can be used to achieve this, but I got stuck on how the action would be configured. Can someone help?
I am getting duplicate events in Splunk from AWS CloudWatch, and I am sending data from only one source to Splunk. How do I resolve this?
Hello, I was playing with the Network Explorer feature and it looks like only the bandwidth metric is available on a Network Map. In a video I found on YouTube, there is a panel where the metric can be changed (color by...). How do I enable that? Is it still available in this feature? I'd like to see either latency or packet loss instead of bandwidth. https://www.splunk.com/en_us/resources/videos/network-explorer-overview.html?locale=en_us Thanks!
Hello, I have a lookup file whose content looks like this:

name    count    time
abc     3        04-24
cdf     2        04-24

but I want the content of the lookup file to be like this:

name    count    time
abc     1        04-24
abc     1        04-24
abc     1        04-24
cdf     1        04-24
cdf     1        04-24

How will I be able to do this?
Note: this query is not about billing ingestion using Splunk add-ons and ingestion. Splunk Observability Cloud counts the number of metric time series (MTS) sent during each hour in the month. How can I access any of the billing data through the API, both hourly and monthly? https://docs.splunk.com/observability/en/admin/subscription-usage/imm-billing.html
How to get Splunk billing usage data hourly and monthly through APIs
I am trying to plot a line graph where the x-axis is an index and the y-axis is a random value. I am also trying to add an annotation where annotationX is an index. Below is the code for the visualization.

"visualizations": {
    "viz_kHEXe45c": {
        "type": "splunk.area",
        "dataSources": {
            "primary": "ds_Search_1",
            "annotation": "ds_annotation_markers"
        },
        "options": {
            "x": "> primary | seriesByIndex(0)",
            "annotationX": "> annotation | seriesByIndex(0)",
            "annotationLabel": "> annotation | seriesByIndex(1)",
            "annotationColor": "> annotation | seriesByIndex(2)",
            "nullValueDisplay": "zero"
        },
        "title": "Test Event Annotation",
        "showProgressBar": false,
        "showLastUpdated": false
    }
},
"dataSources": {
    "ds_Search_1": {
        "type": "ds.search",
        "options": {
            "query": "| makeresults count=15\n| streamstats count\n| eval index=count\n| eval value=random()%100\n| fields index value"
        },
        "name": "ds_Search_1"
    },
    "ds_annotation_markers": {
        "type": "ds.search",
        "options": {
            "query": "| makeresults count=3\n| streamstats count\n| eval index=count\n| eval score = random()%3 +1\n| eval status = case(score=1,\"server error detected\", score=2, \"unknown user access\", score=3, \"status cleared\")\n| eval color = case(score=1,\"#f44271\", score=2, \"#f4a941\", score=3, \"#41f49a\")\n| table index status color"
        },
        "name": "ds_annotation_markers"
    }
},

Below is the line graph output shown based on the code above. Could anyone please help with how to add the annotation on the line graph when the x-axis is a non-time-based number type?
Hello, we're on a trial of Splunk Observability Cloud. We tried to deploy the guided integration example (the Hipster Shop app). Data graphs can be seen in APM and Infrastructure, but we got an error in all RUM dashboards:

request to http://rum-api-service.o11y-rum/api/rum/v3/node-metrics failed, reason: getaddrinfo ENOTFOUND rum-api-service.o11y-rum

I'm afraid I defined those RUM-related environment variables incorrectly during the deployment:

RUM_REALM=jp0
RUM_AUTH=<RUM token>
RUM_APP_NAME=Hipster_Shop (arbitrary)
RUM_ENVIRONMENT=Hipster_Shop_Jump_Start (arbitrary)

As we haven't bought the service yet, we can't submit a support ticket to Splunk support... Would anyone please help? Thanks and regards.
Hello, how do I set a flag based on a field value across multiple rows? For example, in the following table, network-1 is set to yes because server-1, which is on network-1, is also on fw-network-1, which is behind a firewall. Please suggest. Thank you!!

server      network         firewall
server-1    network-1       yes
server-1    fw-network-1    yes
server-2    network-2       no
server-3    network-1       yes
server-3    fw-network-1    yes
server-4    network-2       no
server-5    network-3       yes
server-5    fw-network-3    yes
We would like to ask for help regarding DB Connect for DB2. We are currently trying to connect to the DB2 of an IBM i server, but to no avail. Is there any method that needs to be done first for a DB2 on IBM i to be able to successfully connect to Splunk?
Splunk search: EventCode="4688" AND earliest="5/8/2024:10:07:20" latest="5/8/2024:10:17:20" Could you please confirm whether the time search is correct?
I have a wineventlog index to alert on locked accounts (EventCode=4740), but I want to limit this based on certain users. The data for the wineventlog index is pretty limited, so it looks like I would have to reference another index, like activedirectory, that contains similar data. I was thinking I could reference the "OU" field in the activedirectory index so that this is possible, but I'm struggling with what I need to combine in order to make this search work. I've looked at using coalesce, and can get results from both indexes/sourcetypes, but can't seem to just limit my search using EventCode=4740 and OU=Test Users Group.

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR (index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=*)
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"

Some of the key fields that I'm trying to reference from the indexes are as follows:

index = wineventlog
sourcetype = wineventlog
EventCode=4740
Security_ID = domain\test-user
Account_Name = test-user
Account_Name = dc

index = activedirectory
sourcetype = ActiveDirectory
Account_Name = test-user
sAMAccountName = test-user
OU = Test Users Group
Hi, how can I rewrite the following search using tstats and the Network_Traffic datamodel?

index=*pan* sourcetype="pan:threat" severity IN ("high", "critical")

So far I have tested the following:

| tstats count from datamodel=Network_Traffic by All_Traffic.src_ip

but given the fact that "severity" is not a field included in the datamodel, just in the index, how can I add the condition severity IN ("high", "critical")? Thank you!
Hello, I'm new to Dashboard Studio. I'm looking for a way to show/hide certain visualizations based on user selection in a dropdown, e.g. based on a token value. As I understand it, this is pretty easy to achieve in the older (XML-based) version of dashboards using the "depends" attribute. Is there an equivalent of this in Dashboard Studio? I wasn't able to find any good info on this.