All Topics

The other day a few alerts surfaced showing I had 6 large windows data buckets stuck "Fixup Task - In Progress". I ran a query

```
| dbinspect index=windows corruptonly=true | search bucketId IN (windows~nnnn~guid,...) | fields bucketId, path, splunk_server, corruptReason, state
```

and found all the primary db_<buckets> from the alerts were corrupt. You can also see it on the IDXCM bucket status. I tried a few fsck repair commands on the indexers where the primary buckets resided, but it failed due to this error:

```
failReason=No bloomfilter
```

Then I tried:

```
./splunk fsck repair --one-bucket --bucket-path=/<path> --index-name=<indexName> --debug --v --backfill-never
```

After that it cleared and splunkd.log showed "Successfully released lock for bucket with path...". I hope this information helps.
I am trying to create a table with

| # | pyUserIdentifier | pyStatusMessage | Count of occurrences |
|---|---|---|---|
| 1 | user1234 | Couldn't connect to server | 1 |

Our logs have the following JSON pattern. Any help is highly appreciated. Please see the sample log below.

JSON log:

```
"pyOptions":"{\"HasTelephonyPriv\":\"true\",\"isSnapshotOnly\":\"\",\"pyAutoLogin\":\"\",\"pyClientHandle\":\"HEWR40W8VLO39ZP5OVIBJKMZKEF8YETH5A\",\"pyDeviceState\":\"\",\"pyNumberOfLines\":\"3\",\"pyPegaCTIError\":\"\",\"pyTelephonyMode\":\"1\",\"pyThisPageAsJSON\":\"\",\"pyUserIdentifier\":\"user1234\",\"pyUserName\":\"\",\"pyUserPassword\":\"\",\"pyWorkMode\":\"Busy\",\"queue\":[ \"\"] }" ,"pyPageExists":"false" ,"pyPort":"7017" ,"pyPresenceAgent":"H-GET" ,"pySelectedLinkName":"CHANNELSERVICES-ADMIN-CTILINK-LOCAL-JTAPI AVAYAPBX1" ,\"pySSLProtocolVersion\":\"TLSv1.2\",\"pyStatusMessage\":\"Couldn't connect to server\",\"pyStatusValue\":\"Fail\",\"pySwitchType\":\"Avaya EAS CM\",\"pyVendor\":\"Avaya\",\"pyWorkgroupPhoneBook\":\"true\",\"pzInsKey\":\"CHANNELSERVICES-ADMIN-CTILINK-LOCAL-JTAPI AVAYAPBX1\",\"pzLoadTime\":\"May 3, 2024 9:00:35 AM CDT\",\"pzOriginalInstanceKey\":\"CHANNELSERVICES-ADMIN-CTILINK-LOCAL-JTAPI AVAYA-1\",\"pzPageNameBase\":\"D_CTILinkInfo\",\"LogoutReasonCodes\":[ ],\"NotReadyReasonCodes\":[ ], ,"pyThisDN":"24181" ,"pyWorkMode":"Busy"
```
I am able to pull my AD users' account information successfully except for their email addresses. What am I doing wrong? Apologies, since I am still learning.

```
| inputlookup AD_Obj_User WHERE domain="mydomain"
| fields domain, sAMAccountName, userAccountControl, uac_details,domain, distinguishedName, mail, whenChanged,whenCreated
| table domain, sAMAccountName, userAccountControl, uac_details,domain, distinguishedName, mail, whenChanged,whenCreated
| eval uac_details=replace(mvjoin(uac_details,":"),"([\r\n]+)",":")
| makemv delim=":" uac_details
| search [| makeresults | eval uac_details=replace("#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#","#empty#","") | makemv delim="," uac_details | eval mfilt_uac=mvfilter(match(uac_details,"^\w+")) | eval search=if(isnull(mfilt_uac),"","uac_details=\"".mvjoin(mfilt_uac,"\" AND uac_details=\"")."\"") | table search]
| sort 0 sAMAccountName
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
```
I would like to display the Name of a drop down option in the label of a panel.  The token for the drop down filter is $value$.  How would I display the Name, such as MY VALUE 1, MY VALUE 2, etc. as a token?  I tried label.$value$ and that did not work for me.    
```
REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},"equipment":{"serialNumber":"351643935649535","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","user":"BMashiana","storeNumber":"WCCA0105","dealerNumber":"GW_STORE"}},"headers":{"content-type":"application/json;charset=UTF-8","Accept":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US","TransactionID":"E86B7D59-B3CC-401D-977F-65218248367E","ApplicationID":"00000411","Authorization":"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg=="}}",
```

Below is my Splunk query:

```
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST
| spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber
| mvexpand accountNumber
| spath input=REQUEST output=serialNumber path=body.equipment{}.serialNumber
| mvexpand serialNumber
| spath input=REQUEST output=Channel path=body{}{}.headers{}{}.Channel
| mvexpand Channel
| spath input=RESPONSE
| spath input=RESPONSE output=redemptionEquipmentMemory path=body.model{}.redemptionEquipmentMemory
| mvexpand redemptionEquipmentMemory
| spath input=RESPONSE output=transactionReferenceNumber path=body.model{}.transactionReferenceNumber
| mvexpand transactionReferenceNumber
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber
```

Can someone suggest how to retrieve the channel from this request? It's empty for me. Also, it's inside body -> headers -> channel. How do I retrieve the second element from the request input? Please, someone reply, as it is very urgent to complete my work.
Hello, I set up a dashboard with ABSOLUTE mode but want to change it to GRID mode. Is that possible?  I am asking because I created a bunch of tables (6) and only 3 of them are showing at the top. The ones at the bottom aren't. I think it has to do with a GRID line around the top 3 and the bottom 3 aren't in that grid line. I need to be able to show all 6 tables. Any help?
Hi, all, I am looking for a way to chart the average cpu and memory per process for all the hosts in two indexes. The scenario that I have been working on is that I have a bunch of machines running roughly 4 or 5 java applications per host, and I am looking for a way to make a time series chart with the average cpu and memory used by each java process in a dashboard, like:

host 1
- site 1: average cpu chart and average memory chart
- site 2: average cpu chart and average memory chart
- site 3: average cpu chart and average memory chart
- site 4: average cpu chart and average memory chart

host 2
- site 1: average cpu chart and average memory chart
- site 2: average cpu chart and average memory chart
- site 3: average cpu chart and average memory chart
- site 4: average cpu chart and average memory chart
- site 5: average cpu chart and average memory chart
- site 6: average cpu chart and average memory chart

I tried to get the top processes per host via this code

```
| mstats max("NIX.ps_metric.pctCPU") AS CPU,max("NIX.ps_metric.pctMEM") AS MEM WHERE ("index"="first_index" OR "index"="second_index") AND "host"="test_host" span=5m BY host ARGS COMMAND
| top limit=20 COMMAND BY CPU MEM host
| chart values(CPU) as CPU, values(MEM) as MEM over COMMAND BY host
```

but all I get is the top processes by run command and not the actual processes; they seem to be grouped under the java process:

```
java   CPU, MEMORY
crond  cpu, memory
bash   cpu, memory
```

Is there a way to split the monitoring to get something usable? Ideally, I would like to alert when a particular site is being overworked, like CPU > 85%. Ta, Lane
Hi Splunk Developers, we are currently investigating whether we can improve the UI and UX of our Splunk classic dashboards. Therefore we are looking for UI/UX frameworks or tools that we could integrate in Splunk. Unfortunately we are struggling to include anything other than simple JavaScript, HTML and CSS. What we are trying to include: lit (https://lit.dev), but Splunk completely ignores custom created HTML tags. They simply don't appear in the dashboard, even though Splunk doesn't mark them as "red"/wrong. Question: Do any of you use any other UI/UX frameworks or tools for your Splunk dashboards to make them more "state of the art", "responsive" and "appealing" to improve the user experience? If yes, what are you using? Were you able to make use of lit.dev?
Hello there, I have a problem with one of our Splunk installations on Windows. The server certificate is expired and I'm unable to renew it. I've tried renaming C:\Program Files\Splunk\etc\auth\server.pem and restarting Splunk, which ends with this:

```
The certificate generation script did not generate the expected certificate file:C:\Program Files\Splunk\etc\auth\server.pem. Splunkd port communication will not work.
SSL certificate generation failed.
```

And I also tried this command:

```
C:\Program Files\Splunk\bin>splunk createssl server-cert -d "C:\Program Files\Splunk\etc\auth" -n server -c *servername*
```

Which also fails with this:

```
CreateProcess: error 193
Command failed (ret=-1), exiting.
```

Does anyone know how to fix this? Thanks in advance. Best regards, Alex
Hi All, I have the below JSON format.

```
REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},"equipment":{"serialNumber":"351643935649535","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","user":"BMashiana","storeNumber":"WCCA0105","dealerNumber":"GW_STORE"}},"headers":{"content-type":"application/json;charset=UTF-8","Accept":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US","TransactionID":"E86B7D59-B3CC-401D-977F-65218248367E","ApplicationID":"00000411","Authorization":"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg=="}}", RESPONSE="{"body":{"model":{"isRedeemed":true,"transactionReferenceNumber":"6200754043","redeemType":"Original","redemptionFailureReasonType":null,"redemptionEquipmentMake":"Apple","redemptionEquipmentModel":"iPhone 14 Pro Max 128GB Deep Purple","redemptionEquipmentMemory":"128 GB","committedPrice":1,"additionalFees":0},"code":200,"messages":null,"isSuccess":true},"headers":{"connection":"close","content-type":"application/json;charset=utf-8","set-cookie":["AWSELB=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899F8C6DFC23D16712EBB4CB423C132BEE67F4F3CB94A24AC7D3196B970C175CF4E9;PATH=/","AWSELBCORS=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899F8C6DFC23D16712EBB4CB423C132BEE67F4F3CB94A24AC7D3196B970C175CF4E9;PATH=/;SECURE;SAMESITE=None","visid_incap_968152=mMXe9betSnmAGjb6EkS6d8pCNGYAAAAAQUIPAAAAAACzpzJ8pi0eFle6ni7emEj9; expires=Fri, 02 May 2025 07:32:03 GMT; HttpOnly; path=/; Domain=.likewize.com","nlbi_968152=pTYgM3uDpkZMpK2uILjsZwAAAABT3d67R/8WtJ556QqTUFQd; path=/; Domain=.likewize.com","incap_ses_677_968152=NKgET8f8eCtwLRsU8y9lCcpCNGYAAAAAghYI7GnE7TXEfi+SGl0EKw==; path=/; Domain=.likewize.com"],"content-length":"354","server":"Jetty(9.4.45.v20220203)"}}", RETRYNO="0", ENDPOINT="https://apptium.freedommobile.ca/Activation.TradeUp", OPERATION="/FPC/Redemption/Redeem", METHOD="POST", CONNECTORID="0748a993-4566-48ae-9885-2a4dce9de585", CONNECTORNAME="Likewize", CONNECTORTYPE="Application", CONNECTORSUBTYPE="REST", STARTTIME="1714700999019", ENDTIME="1714701003106", RESPONSETIME="4087", SUCCESS="1", CLIENT="eportal-services", CREATEDDATE="2024-05-03 01:50:03", USERNAME="BMashiana@FreedomMobile.ca", SESSIONID="_dd9ad114-bb2b-4c7f-a7aa-cfc3b929f674", ACTIONID="6e9c5f97-27bc-42fb-b1d3-61a701e4a708", TRACKID="3618c3e3-9bd1-4acc-af6a-f71f31b9092c"
```

How do I retrieve the account number, channel code and serialNumber from REQUEST and transactionReferenceNumber from RESPONSE using a Splunk query? I have tried using spath and it's not working out for me; it displays a blank result. Please help asap.

```
index="wireless_retail" source="create_freedom.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber
| mvexpand accountNumber
| table accountNumber
```
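Both this post and the earlier one on the same REQUEST/RESPONSE transaction log line ask for accountNumber, serialNumber, Channel and transactionReferenceNumber. As an added example that is not part of either post, here is a Python parser for a line of that shape, run on a constructed sample in which every value is a placeholder. Two things the visible log shows: the embedded JSON is not escaped, so the REQUEST and RESPONSE values have to be cut out by their fixed delimiters (the same idea as the rex in the earlier post) before they are parsed; and customer, equipment, headers and model are plain objects, not arrays, so the paths are body.customer.accountNumber, body.equipment.serialNumber, headers.Channel (a sibling of body, not inside it) and body.model.transactionReferenceNumber. The line also carries a Basic Authorization header and session cookies, so the example masks those before the extracted record leaves the parser.

```python
import json
import re
from typing import Any

# Constructed sample line in the same shape as the transaction log in the post.
# Every value is a placeholder; the Authorization header is base64 of
# "PLACEHOLDER:PLACEHOLDER". Nothing here is taken from the original data.
SAMPLE_LINE = (
    'REQUEST="{"body":{"customer":{"accountNumber":"ACCT-EXAMPLE-1","lineNumber":"5550001111"},'
    '"equipment":{"serialNumber":"SERIAL-EXAMPLE-1","grade":"A"}},'
    '"headers":{"content-type":"application/json","Channel":"6",'
    '"Authorization":"Basic UExBQ0VIT0xERVI6UExBQ0VIT0xERVI="}}", '
    'RESPONSE="{"body":{"model":{"isRedeemed":true,"transactionReferenceNumber":"TRN-EXAMPLE-1"},'
    '"code":200},"headers":{"set-cookie":["session=PLACEHOLDER; path=/"]}}", '
    'RETRYNO="0", OPERATION="/FPC/Redemption/Redeem", METHOD="POST"'
)

# The inner JSON uses unescaped double quotes, so a generic KEY="VALUE" parser
# would stop at the first inner quote. Anchor on the fixed delimiters instead.
BODY_RE = re.compile(
    r'REQUEST="(?P<request>\{.*\})", RESPONSE="(?P<response>\{.*\})", RETRYNO='
)

# Header names whose values must never be copied into extracted records.
SENSITIVE_HEADERS = ("authorization", "set-cookie", "cookie")


def split_request_response(line: str) -> tuple[dict, dict]:
    """Return the REQUEST and RESPONSE JSON documents embedded in one log line."""
    m = BODY_RE.search(line)
    if m is None:
        raise ValueError("line does not contain a REQUEST/RESPONSE pair")
    return json.loads(m.group("request")), json.loads(m.group("response"))


def get_path(doc: Any, path: str) -> Any:
    """Walk a dotted path such as body.customer.accountNumber; None if absent."""
    cur = doc
    for key in path.split("."):
        if isinstance(cur, dict) and key in cur:
            cur = cur[key]
        else:
            return None
    return cur


def redact_headers(doc: dict) -> dict:
    """Mask credential-bearing headers in place so extracted output cannot leak them."""
    headers = doc.get("headers")
    if isinstance(headers, dict):
        for name in list(headers):
            if name.lower() in SENSITIVE_HEADERS:
                headers[name] = "[REDACTED]"
    return doc


def extract_fields(line: str) -> dict:
    """Pull the values asked about in the post out of one log line."""
    request, response = split_request_response(line)
    redact_headers(request)
    redact_headers(response)
    return {
        "accountNumber": get_path(request, "body.customer.accountNumber"),
        "serialNumber": get_path(request, "body.equipment.serialNumber"),
        # Channel sits in the top-level headers object, beside body, not inside it.
        "Channel": get_path(request, "headers.Channel"),
        "transactionReferenceNumber": get_path(response, "body.model.transactionReferenceNumber"),
        # Kept only to show that the credential has been masked before output.
        "authorization": get_path(request, "headers.Authorization"),
    }


if __name__ == "__main__":
    print(extract_fields(SAMPLE_LINE))
```

The regex mirrors the rex from the earlier post but insists that each captured value starts with `{` and ends with `}`, so a line with a missing or reordered RESPONSE fails loudly instead of yielding an empty field. Redaction happens on the parsed document rather than on the raw string, which is why it also catches the set-cookie list in the response headers.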
Hi all, I need to use Splunk DB Connect to connect to a MongoDB on-prem instance. I've installed the Splunk DBX Add-on for MongoDB, but I understand that it works only with Atlas MongoDB and not with a Mongo on-prem installation. I tried to follow this suggestion https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-use-Splunk-DB-Connect-to-search-MongoDB/m-p/210569 but the format of the stanza is quite different. When I try to create a connection using the MongoDB Atlas Connection Type, I receive this error:

```
Command failed with error 40324 (Location40324): 'Unrecognized pipeline stage name: '$sql'
```

Any suggestions? Fabrizio
Hi Team, could you please help me with the below issue. I am using the Splunk App for SOAR Export to push notables to Splunk Phantom, but it was creating 2 identical artifacts in one container. Can you guide me on how I can avoid creating multiple artifacts in one container? Thanks in advance.
Hello, I need to monitor two different types of events for some servers: the authentication events (4624,4634,4625) for the admin users and some Event IDs related to change events (5145,4663,4659) for a specific path. Basically I created a server class for the inputs.conf deployment, adding this:

```
###### OS Logs ######
[WinEventLog://Security]
disabled = 0
index = windows_tmp
followTail=true
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = (EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*))
renderXml=false
```

I already tested the regex in regex101 https://regex101.com/r/LIaMnU/1 and it seems to work fine, but in Splunk I'm receiving all the events, as if the whitelist is not applied. Am I missing something?
Hi All, the JAVA App Agent is not showing in Tier and Node; also, in the app agent logs I can see the following messages.

```
[AD Thread Pool-Global1] 02 May 2024 21:21:31,149 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global0] 02 May 2024 21:21:55,817 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global1] 02 May 2024 21:21:55,832 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global1] 02 May 2024 21:22:55,833 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global0] 02 May 2024 21:22:55,848 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global1] 02 May 2024 21:23:55,849 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global0] 02 May 2024 21:23:55,866 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global1] 02 May 2024 21:25:53,942 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global1] 02 May 2024 21:25:58,948 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global1] 02 May 2024 21:30:53,887 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global0] 02 May 2024 21:35:53,895 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global0] 02 May 2024 21:40:53,906 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global1] 02 May 2024 21:45:53,910 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global0] 02 May 2024 21:49:56,265 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global1] 02 May 2024 21:49:56,279 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global0] 02 May 2024 21:50:53,910 INFO DynamicRulesManager - The config directory /apps/dynamics/ver23.2.0.34668/conf/outbound--2 is not initialized, not writing /apps/dynamics/ver23.2.0.34668/conf/outbound--2/bcirules.xml
[AD Thread Pool-Global1] 02 May 2024 21:50:56,280 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global0] 02 May 2024 21:50:56,295 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global0] 02 May 2024 21:51:56,296 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
[AD Thread Pool-Global1] 02 May 2024 21:51:56,309 WARN NetVizConfigurationChannel - NetViz: Number of communication failures with netviz agent exceeded maximum allowed [3]. Disabling config requests.
[AD Thread Pool-Global0] 02 May 2024 21:52:56,310 ERROR NetVizAgentRequest - Fatal transport error while connecting to URL [http://127.0.0.1:3892/api/agentinfo?timestamp=0&agentType=APP_AGENT&agentVersion=3.2.0]: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:3892 [/127.0.0.1] failed: Connection refused (Connection refused)
```

Regards, Mandar Kadam
Hi All, I am trying to get the count of enabled and disabled from a field. Then I want to show the field values based on the latest correlation ID. The currStatus field is populated every 10 min.

```
"content.currStatus"="*"
| stats values(content.currStatus) as currStatus by latest(correlationId)
| where currStatus!="Interface has no entry found in object Store"
| stats count by currStatus
```
Hi All, I am trying to extract a value from an indexed field, i.e. from the source field. I have added the regex in props.conf. Example:

```
source = 234234324234:us-west-2:firehose_list_tags_for_resource
```

I want everything after the second : (colon) as service, i.e. firehose_list_tags_for_resource. I have added it in props.conf as below:

```
EXTRACT-service = source([^:]+:[^:]+:(?<service>.+)$)
```

This has created the field service, but it is fetching the wrong value. It is fetching the last part of the raw data. Can anyone please help me understand how I can extract a field value from indexed data? Should I add it in transforms.conf as well? Please can anyone guide me; it would help me a lot. Regards, PNV
I have an input created in the DB Connect app to fetch the necessary rows from a DB2 table. The job is scheduled to run on a daily basis and to fetch only the previous day's data. I have left "Max rows to retrieve" and "Fetch size" at the default settings. Whenever my job runs, by default it is logging the same records twice. I am not sure what is causing this issue. I have attached a screenshot of the entries belonging to a primary key field where two events are indexed for each record. Could anyone help me in troubleshooting the issue?
Hey Folks, we are trying to deploy the machine agent on EKS 1.27. The version of the machine agent is v22.3.0. The pod gets stuck with the below error:

```
Error in custom provider, javax.xml.ws.WebServiceException: Failed to get a response from /info using a GET request.
The error encountered is: java.net.SocketException: Connection refused
[machineagent.jar:Machine Agent v22.3.0-3296 GA compatible with 4.4.1.0 Build Date 2022-03-18 19:50:59]
Could not start up the machine agent due to: Failed to get a response from /info using a GET request. The error encountered is: java.net.SocketException: Connection refused
Please see startup.log in the current working directory for details
```
Hello Splunkers! Imagine a scenario: There is a test environment with Splunk being deployed in ubuntu-server 20.04 virtual machine as All-in-One deployment scenario.  There is a Windows Server 2019, that is sending WindowsEvent Logs from Application and Security using Splunk Universal forwarder along with Splunk add-on for Microsoft Windows. In the normal situation where there is a stable network connection between Windows Server 2019 and ubuntu machine with Splunk, the logs are delivered to Splunk with no problems. However, imagine there is an adversary who executed a script to disable the network connection on the Windows Server 2019 and performed some malicious actions on that machine and then, went to event viewer application and cleared the security logs so that they never reach Splunk. My question is, how can we make the Security Logs that were deleted by adversary on Windows Server 2019 through Event Viewer, still reach the Splunk? To clarify, let's say after adversary disabled the network access to Splunk, and then deleted some users in the domain controller, then cleared the Security logs in the event viewer. What can we do, so that we still get these logs of adversary's activity on Windows Server in Splunk for further investigation? Feel free to ask any additional questions in case this scenario is unclear at some parts.  Thanks in advance for taking your time reading and replying to this post! 
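Events that were cleared from the Security log before the forwarder could read them cannot be read back from the host, so what can still reach the indexer once connectivity returns is the silence while the forwarder was cut off and the "audit log was cleared" record that Windows writes into the freshly emptied Security log as Event ID 1102. As an added example that is not part of the post, the following Python detection logic runs over a constructed batch of forwarded Security events (host names, times and event mix are made up) and flags hosts whose reporting gap ends with a 1102 event, which is the pattern the scenario above would leave behind.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events in the shape the Windows add-on forwards for
# WinEventLog:Security (host, timestamp, EventCode). Hosts and times are made up.
EVENTS = [
    {"host": "WIN2019-DC01", "_time": "2024-05-03T09:00:00Z", "EventCode": 4624},
    {"host": "WIN2019-DC01", "_time": "2024-05-03T09:05:00Z", "EventCode": 4624},
    # forwarder cut off here; whatever happened on the host in between never arrives
    {"host": "WIN2019-DC01", "_time": "2024-05-03T10:40:00Z", "EventCode": 1102},
    {"host": "WIN2019-DC01", "_time": "2024-05-03T10:41:00Z", "EventCode": 4624},
    {"host": "WIN2019-FS01", "_time": "2024-05-03T09:02:00Z", "EventCode": 4634},
    {"host": "WIN2019-FS01", "_time": "2024-05-03T09:04:00Z", "EventCode": 4624},
]

AUDIT_LOG_CLEARED = 1102  # Security log: "The audit log was cleared"


def parse_time(value: str) -> datetime:
    """ISO-8601 UTC timestamp as used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def events_by_host(events: list[dict]) -> dict[str, list[dict]]:
    """Group events per host, each group sorted by time."""
    grouped: dict[str, list[dict]] = {}
    for ev in events:
        grouped.setdefault(ev["host"], []).append(ev)
    for host in grouped:
        grouped[host].sort(key=lambda e: parse_time(e["_time"]))
    return grouped


def log_cleared_events(events: list[dict]) -> list[dict]:
    """Every forwarded 1102 event: the log was cleared, whoever did it."""
    return [ev for ev in events if ev["EventCode"] == AUDIT_LOG_CLEARED]


def reporting_gaps(events: list[dict], max_gap: timedelta) -> list[dict]:
    """Consecutive events from one host that are further apart than max_gap."""
    gaps = []
    for host, evs in events_by_host(events).items():
        for prev, cur in zip(evs, evs[1:]):
            delta = parse_time(cur["_time"]) - parse_time(prev["_time"])
            if delta > max_gap:
                gaps.append({
                    "host": host,
                    "gap_start": prev["_time"],
                    "gap_end": cur["_time"],
                    "seconds": int(delta.total_seconds()),
                    "first_event_after_gap": cur["EventCode"],
                })
    return gaps


def suspicious_hosts(events: list[dict], max_gap: timedelta) -> list[str]:
    """Hosts whose silence ends with an audit-log-cleared event."""
    return sorted({
        g["host"]
        for g in reporting_gaps(events, max_gap)
        if g["first_event_after_gap"] == AUDIT_LOG_CLEARED
    })


if __name__ == "__main__":
    window = timedelta(minutes=30)
    for gap in reporting_gaps(EVENTS, window):
        print("gap:", gap)
    print("cleared:", [(e["host"], e["_time"]) for e in log_cleared_events(EVENTS)])
    print("suspicious:", suspicious_hosts(EVENTS, window))
```

The two signals are scored separately on purpose: a 1102 on its own is worth an alert (a routine clear by an administrator should be rare and explainable), and a gap on its own is often just a reboot or network blip, but a gap whose very first event is 1102 is the combination that matches the scenario in the post. The gap threshold should be tuned to how chatty the Security log normally is on each host class; a domain controller rarely goes 30 minutes without a 4624.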
I have written a Splunk query and used the streamstats command to make my output look like this:

Query used:

```
... | streamstats current=f last(History) as Status by Ticket Id | ...
```

Current output:

| Ticket ID | Priority | Status |
|---|---|---|
| 1234, 4321, 5678 | P1 | Closed, In Progress |
| 8765 | P2 | Closed |

However, I want to remove the record 4321 and look at all the closed tickets for priority P1 and P2, but since it is also of P1 priority, the entire record is getting removed for P1 when I use this query:

```
... | streamstats current=f last(History) as Status by Ticket Id | where NOT Status IN ("In Progress") | ...
```

Output:

| Ticket ID | Priority | Status |
|---|---|---|
| 8765 | P2 | Closed |

How do I remove only 4321, as it is in "In Progress" status? Please help.

Expected output:

| Ticket ID | Priority | Status |
|---|---|---|
| 1234, 5678 | P1 | Closed |
| 8765 | P2 | Closed |