Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

We set up two cluster managers with a load balancer, according to this document. According to the document, the active manager should respond with 200 to the health check probe while the standby managers respond with 503. However, in our case, both respond with 200. In addition, when running the following command on each cluster manager, instead of listing all cluster managers, only the current node is output. What could be the problem in the setup?

    splunk cluster-manager-redundancy -show-status
Hi, the size of my Splunk database is around 1 TB+. I would like to know about all available indexes and especially all of the associated sourcetypes and the amount of each. The search in the Web UI works with no problem for the last 24 hrs, but searching all of the data takes forever and times out. I'm aware that saved searches would be an option, but I'm curious to know if a script would work which recursively scans the database and processes all SourceTypes.data files like

    /opt/splunk/var/lib/splunk/sampledb/db/db_1680195600_1672423200_0/SourceTypes.data
    /opt/splunk/var/lib/splunk/sampledb/db/db_1698782400_1680199200_1/SourceTypes.data
    ...

Would this be a feasible option? Many thanks
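An added example, not from the post above: the same inventory pulled from bucket metadata with tstats, metadata and dbinspect instead of by scanning raw events, which is what lets it finish on a multi-terabyte deployment. The index name sampledb is the one visible in the post's bucket paths; everything else is standard SPL.

```spl
| tstats count WHERE index=* earliest=1 latest=now BY index sourcetype
| sort 0 index -count

| metadata type=sourcetypes index=sampledb
| eval first=strftime(firstTime, "%F %T"), last=strftime(lastTime, "%F %T")
| table sourcetype totalCount first last

| dbinspect index=*
| stats dc(bucketId) AS buckets sum(eventCount) AS events sum(sizeOnDiskMB) AS size_mb min(startEpoch) AS oldest max(endEpoch) AS newest BY index
| eval size_gb=round(size_mb/1024, 2), oldest=strftime(oldest, "%F"), newest=strftime(newest, "%F")
| table index buckets events size_gb oldest newest
```

Run the three queries separately. The first gives the event count per index and sourcetype for all time without touching the events; the second reads the same SourceTypes.data metadata the post wants to scan (totalCount, firstTime, lastTime) for one index; the third gives on-disk size and bucket time span per index. On an indexer cluster run them from a search head so that every peer is covered.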
Can you dynamically change the chart type (i.e. from bar to line) using a dropdown menu? At the moment I've created multiple charts and I'm utilizing show and hide (depending on the option selected) to serve this purpose. I was wondering if there's an easier/cleaner/simpler way of achieving this.
Hi All, I have a field called content.payload and the value is like:

    {fileName=ExchangeRates.csv, periodName=202403, status=SUCCESS, subject=, businessEventMessage=RequestID: 101524, GL Monthly Rates - Validate and upload program}

How do I extract these values?
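An added example, not from the post above: two rex extractions for that payload format, using the post's own sample value loaded with makeresults so it can be tried without the real data. The first names the five keys explicitly; the second is generic for any number of key=value pairs. Both split only on a comma that is followed by another key=, so the comma inside the businessEventMessage value stays part of that value.

```spl
| makeresults
| eval payload="{fileName=ExchangeRates.csv, periodName=202403, status=SUCCESS, subject=, businessEventMessage=RequestID: 101524, GL Monthly Rates - Validate and upload program}"
| rename payload AS "content.payload"
| rex field=content.payload "fileName=(?<fileName>[^,}]*),\s*periodName=(?<periodName>[^,}]*),\s*status=(?<status>[^,}]*),\s*subject=(?<subject>[^,}]*),\s*businessEventMessage=(?<businessEventMessage>[^}]*)\}"
| fillnull value="" subject
| table fileName periodName status subject businessEventMessage

| makeresults
| eval payload="{fileName=ExchangeRates.csv, periodName=202403, status=SUCCESS, subject=, businessEventMessage=RequestID: 101524, GL Monthly Rates - Validate and upload program}"
| rename payload AS "content.payload"
| rex field=content.payload max_match=0 "(?<pair>\w+=.*?)(?=,\s*\w+=|\})"
| streamstats count AS row
| mvexpand pair
| rex field=pair "^(?<k>\w+)=(?<v>.*)$"
| eval {k}=v
| fields - pair k v
| stats values(*) AS * BY row
```

On real events drop the first three lines and keep the rex against content.payload. The explicit form is cheaper and keeps an empty subject as an empty string; the generic form makes every key in the payload a field without knowing the keys in advance, at the cost of an mvexpand per event.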
Hi, I am trying to do a chart overlay using a normal distribution graphic based upon the mean and standard deviation acquired from the fieldsummary command. I can generate the values in Perl (below) for a bell curve. Can you tell me how to do this in the Splunk Dashboard XML? Thanks.

    #!/usr/bin/perl
    # min, max, count, mean, stdev all come from the fieldsummary command.
    $min = 0.442;
    $max = 0.507;
    $mean = 0.4835625;
    $stdev = 0.014440074377630105;
    $count = 128;
    $pi = 3.141592653589793238462;
    # The numbers above do not indicate a Gaussian distribution.
    # Create an artificial normal distribution (for the plot overlay)
    # based on 6-sigma.
    $min = sprintf("%.3f", $mean - 3.0*$stdev);   # use sprintf as a rounding function
    $max = sprintf("%.3f", $mean + 3.0*$stdev);
    $interval = ($max - $min)/($count - 1);
    $x = $min;
    for ($i=0; $i<$count; $i++) {
        # normal probability density at $x
        $y = (1.0/($stdev*sqrt(2.0*$pi))) * exp(-0.5*((($x-$mean)/$stdev)**2));
        $myFIELD[$i] = sprintf("%.3f", $y);   # opening quote was missing in the original
        printf("%s\n", $myFIELD[$i]);         # print the value, not the literal text myFIELD[$i]
        $x = $x + $interval;
    }
    exit;
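An added example, not from the post above: the same artificial bell curve computed in SPL, so the dashboard search itself produces the overlay series instead of a Perl script. The first query reproduces the post's constants with makeresults so the numbers can be checked against the script; the second takes mean, stdev and count from the events with stats (the post gets them from fieldsummary) and generates the curve from those. index=myindex and the field name value are placeholders for the poster's own data.

```spl
| makeresults count=128
| streamstats count AS i
| eval mean=0.4835625, stdev=0.014440074377630105, n=128
| eval lo=round(mean - 3*stdev, 3), hi=round(mean + 3*stdev, 3)
| eval x=round(lo + (i - 1)*(hi - lo)/(n - 1), 4)
| eval y=round((1/(stdev*sqrt(2*pi()))) * exp(-0.5*pow((x - mean)/stdev, 2)), 3)
| table x y

index=myindex sourcetype=mydata
| stats avg(value) AS mean stdev(value) AS stdev count AS n
| eval lo=round(mean - 3*stdev, 3), hi=round(mean + 3*stdev, 3)
| eval i=mvrange(0, n)
| mvexpand i
| eval x=round(lo + i*(hi - lo)/(n - 1), 4)
| eval y=round((1/(stdev*sqrt(2*pi()))) * exp(-0.5*pow((x - mean)/stdev, 2)), 3)
| table x y
```

In Simple XML put the second query in a chart with x as the first column and charting.chart set to line; to draw it over a histogram of the real values, bin the values into the same x grid, append the two result sets by x, and name the curve column in charting.chart.overlayFields. Note that y is a probability density, so it has to be scaled by count times bin width before it lines up with raw counts.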
Hello, can anyone help me with a query that lists all the saved searches in my Splunk system along with the time they take to run completely?
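An added example, not from the post above: two searches over Splunk's own internal logs that report run time per saved search. The first uses the scheduler log (scheduled runs only, run_time in seconds); the second uses the audit index, which records every completed search with a savedsearch_name and its total_run_time, so it also catches saved searches run by hand. Both need read access to _internal and _audit.

```spl
index=_internal sourcetype=scheduler status=success
| stats count AS runs avg(run_time) AS avg_sec perc95(run_time) AS p95_sec max(run_time) AS max_sec BY app savedsearch_name
| eval avg_sec=round(avg_sec, 1), p95_sec=round(p95_sec, 1)
| sort 0 -p95_sec

index=_audit sourcetype=audittrail action=search info=completed savedsearch_name!=""
| stats count AS runs avg(total_run_time) AS avg_sec max(total_run_time) AS max_sec BY user app savedsearch_name
| eval avg_sec=round(avg_sec, 1)
| sort 0 -max_sec
```

Widen the time picker to cover at least one full schedule cycle of the slowest searches, otherwise the percentiles are computed from too few runs. Saved searches that have never run do not appear in either log; `| rest /services/saved/searches` lists those.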
Just moved to AlmaLinux 9.3 (from RHEL 7, yikes!). systemd-managed boot start works fine. My problem is that when I tried to deploy an app with a restart, Splunk was not able to start up, complaining it was managed by systemd. Has anyone else come across this? Splunk 9.0.5
I'm investigating why Splunk is keeping data beyond the retention period stated in frozenTimePeriodInSecs. How can I fix this?
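An added example, not from the post above: a check that reads the configured retention for an index and then lists the buckets that still hold events older than it. myindex is a placeholder, and 2592000 (30 days) stands in for the frozenTimePeriodInSecs value the first query returns. Freezing is per bucket and a bucket is only frozen once its newest event (endEpoch) is older than frozenTimePeriodInSecs, so a bucket that spans a wide time range keeps its old events searchable; the last column makes that case visible.

```spl
| rest /services/data/indexes splunk_server=*
| search title=myindex
| table splunk_server title frozenTimePeriodInSecs maxTotalDataSizeMB coldToFrozenDir

| dbinspect index=myindex
| eval cutoff=now() - 2592000
| where startEpoch < cutoff
| eval oldest_event=strftime(startEpoch, "%F"), newest_event=strftime(endEpoch, "%F")
| eval why_still_here=if(endEpoch >= cutoff, "newest event inside retention, bucket cannot freeze yet", "whole bucket past retention, should have been frozen")
| table splunk_server bucketId state oldest_event newest_event sizeOnDiskMB why_still_here
```

If every bucket reports "should have been frozen", look at the indexer for failures of the freeze itself (for example a coldToFrozenDir or coldToFrozenScript that is failing) rather than at the retention setting. Events with timestamps in the future push endEpoch forward and hold a bucket open in the same way.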
I have logs being monitored from Windows as below:

    [monitor://D:\Logs\*]
    sourcetype = abc
    index = def

I also currently have info logs being null-routed, which applies to all of //D:\Logs\jkl.txt, and therefore we don't see any logs from //D:\Logs\jkl.txt in Splunk. Now, without modifying the null route in props and transforms, I want to ingest logs from //D:\Logs\jkl.txt. How can I prevent the null route from applying to these specific logs?
Hello Team, Deployment with:
- HF with ACK when sending to the indexer
- HEC on HF with ACK
- application sending events via HEC on HF with ACK

Still, in this model there is a chance that some of the events will be missed. The application might get an ACK from HEC, but the event could still be in the HF output queue (not yet sent to the indexer) when we have a non-graceful reboot of the HF (so that it could not flush its output queue). Can you confirm? What would be the best way to address it, so that once the application receives an ACK we have an end-to-end guarantee that the event is indexed? Thanks, Michal
Question in the title. Thanks in advance!
Hello everyone, I turn to you because I have a little problem. I have an MFT server that generates logs in a directory. In this directory the log files are stored in directories that have the name of the day, and the log files have names like 1000005847456.log. For example, today's logs (23 April 2024) are stored in the 2024-04-23/ directory. For now, I have this input.conf file:

    [monitor:///data/logs/.../100000*.log]
    disabled=false
    sourcetype=log4j
    host=PC
    followTail=0
    index=test_wild

When I launch the Universal Forwarder, it starts listing all files in /data/logs/.../, and it also starts to send the data in the log directory from 4 days ago. I am not looking to retrieve the old log data but the log data of today. I don't understand this behavior of the Universal Forwarder. Could someone help me?
Hey everyone, I currently have a use case for which I set up a Splunk Enterprise environment in an Ubuntu VM (VMware) and want to build an app with the Add-on Builder, which uses a Python script as input method to make an API call to get my data into Splunk. That's the goal at least. The VM communicates with the Internet just fine (even if via proxy) and my Python script gets the data from the API endpoint. However, if I try to enter the proxy credentials from my VM into the configuration of the Add-on Builder, I get the following error: "There was a problem connecting to the App Certification service. The service might not be available at this time, or you might need to verify your proxy settings and try again." Now, assuming that I did not mess up the proxy credentials, my next best bet would be that I need to give my Splunk environment a certificate to adequately communicate with the proxy. So we finally reach my question: where would I need to place such a certificate file in the directory structure, so that the Splunk add-on app can find it?
Hi, I'd like to use a text box input field to add a string value into a multiselect in order to use the multiselect token to filter out values currently in the multiselect (with true) for each search query I use.

    <input type="text" token="filter_out_text_input" id="filter_out_text_input">
      <label>Enter a log event you want to filter out</label>
      <prefix>"*</prefix>
      <suffix>*"</suffix>
    </input>
    <input type="multiselect" token="filter_out_option" id="filter_out_option">
      <label>List to filter out log events</label>
      <valuePrefix>NOT "*</valuePrefix>
      <valueSuffix>*"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    . . .
    <title>$app$ Error Frequency</title>
    <chart>
      <search>
        <query>index="$app$-$env$" logLevel="ERROR" $filter_out_option$ $filter_out_text_input$
    | eval filter_out_option="$filter_out_option$"
    | where isnotnull(filter_out_option) AND filter_out_option!=""
    | eval filter_out_text_input="$filter_out_text_input$"
    | where isnotnull(filter_out_text_input) AND filter_out_text_input!=""
    | multikv
    | eval ReportKey="error rate"
    | timechart span=30m count by ReportKey</query>
        <earliest>$time_range.earliest$</earliest>
        <latest>$time_range.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>1m</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="charting.chart">area</option>
      <option name="charting.chart.nullValueMode">connect</option>
      <option name="charting.chart.showDataLabels">all</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.drilldown">none</option>
      <option name="charting.layout.splitSeries">1</option>
      <option name="refresh.display">progressbar</option>
    </chart>

I would like to filter out error strings for the above search. Thanks in advance
I'm trying to use an outer join but I am not getting the desired output. It looks like the query on the left has fewer events than the subsearch query. Could that be the reason for the outer join not working? I can't use stats because both queries have multiple indexes and sourcetypes.
How can I create a custom table in a Splunk view that stores some user credentials, and how can I create a button that opens a new-record form which users can use to submit the information in Splunk? I have attached an image for reference.
I want to add a download/export button, which I am able to do, but the issue is that the result of the CSV is also visible in the panel, like below. I want to show only the download button while hiding the results panel, which I am not able to do.

    <row>
      <panel>
        <table>
          <search>
            <done>
              <eval token="date">strftime(now(), "%d-%m-%Y")</eval>
              <set token="sid">$job.sid$</set>
            </done>
            <query>index=test</query>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
            <sampleRatio>1</sampleRatio>
          </search>
          <option name="count">20</option>
          <option name="dataOverlayMode">none</option>
          <option name="drilldown">none</option>
          <option name="percentagesRow">false</option>
          <option name="refresh.display">progressbar</option>
          <option name="rowNumbers">false</option>
          <option name="totalsRow">false</option>
          <option name="wrap">true</option>
        </table>
        <html>
          <a href="/api/search/jobs/$sid$/results?isDownload=true&amp;timeFormat=%25FT%25T.%25Q%25%3Az&amp;maxLines=0&amp;count=0&amp;filename=test_$date$.csv&amp;outputMode=csv" class="button js-button">Download</a>
          <style>
            .button { background-color: steelblue; border-radius: 5px; color: white; padding: .5em; text-decoration: none; }
            .button:focus, .button:hover { background-color: #2A4E6C; color: White; }
          </style>
        </html>
      </panel>
    </row>
Hello. We are deploying a new search head in our Splunk environment. We are using Windows 2019 servers as the platform. The search head is not working. We can see these errors on the indexer:

    WARN BundleDataProcessor [12404 TcpChannelThread] - Failed to create file E:\Splunk\var\run\searchpeers\[search_head_hostname]-1713866571.e035b54cfcafb33b.tmp\apps\TA-microsoft-graph-security-add-on-for-splunk\bin\ta_microsoft_graph_security_add_on_for_splunk\aob_py2\cloudconnectlib\splunktacollectorlib\data_collection\ta_checkpoint_mng.py while untarring E:\Splunk\var\run\searchpeers\[search_head_hostname]-1713866571.bundle: The system cannot find the path specified.

The file name (including the path) exceeds the limit of 260 characters on Windows OS. How can we use this add-on?
Hi All, We have a strange problem here. On a Linux syslog server, the logs from different systems are each saved as a file. These files are monitored by a Splunk UF and forwarded to two heavy forwarders to be saved on the indexer. We have now noticed that the number of events in the Splunk index sometimes differs from the syslog data delivered; sometimes events are missing in the middle. Since reports and alerts are configured on the Splunk data, it is of course essential that ALL events arrive in Splunk. Is such a behavior known? Where can I find how many events have been processed on the HFs, for example? Regards, Klaus
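An added example, not from the post above: searches over the forwarders' own metrics.log that show how many events each heavy forwarder processed per sourcetype and whether any of its pipeline queues filled up or blocked in the same period, which is the usual point at which events go missing. hf1 and hf2 are placeholders for the heavy forwarders' host names.

```spl
index=_internal sourcetype=splunkd source=*metrics.log group=per_sourcetype_thruput host IN (hf1, hf2)
| timechart span=5m limit=0 sum(ev) AS events BY host

index=_internal sourcetype=splunkd source=*metrics.log group=per_source_thruput host IN (hf1, hf2)
| stats sum(ev) AS events BY host series
| sort 0 host -events

index=_internal sourcetype=splunkd source=*metrics.log group=queue host IN (hf1, hf2)
| eval fill_pct=round(100*current_size/max_size, 1)
| stats max(fill_pct) AS max_fill_pct count(eval(blocked="true")) AS blocked_samples BY host name
| sort 0 -blocked_samples
```

The second query breaks the count down by source, that is per syslog file, so it can be compared with a line count of the file for the same window. One caveat: metrics.log only reports the busiest series in each interval (limits.conf [metrics] maxseries, default 10), so a quiet file will be under-counted there; the per-host total in the first query is not affected. Any row with blocked_samples above zero in the third query points at a queue that stalled, and the same three searches run against the UF's host name show whether the loss is upstream of the HFs.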
Hi All, I have a field called filename, so I want to populate the result from the filename field, and I created two joins to separate them. Is there any other way without using join?

Success File and Failure File

    | join CorrelationId type=left
        [ | search index=mulesoft applicationName IN (TEST) AND message IN ("*File put Succesfully*", "*successful Call*", "*file processed successfully*", "*Archive file processed successfully*", "*processed successfully for file name*")
          | rename content.Filename as SuccessFileName correlationId as CorrelationId
          | table CorrelationId SuccessFileName
          | stats values(*) as * by CorrelationId ]
    | table CorrelationId InterfaceName ApplicationName FileList SuccessFileName Timestamp
    | join CorrelationId type=left
        [ | search index=mulesoft applicationName IN (p-oracle-fin-processor, p-oracle-fin-processor-2, p-wd-finance-api) AND priority IN (ERROR, WARN)
          | rename content.Filename as FailureFileName correlationId as CorrelationId timestamp as ErrorTimestamp content.ErrorType as ErrorType content.ErrorMsg as ErrorMsg
          | table FailureFileName CorrelationId ErrorType ErrorMsg ErrorTimestamp