All Topics


Hello there, we're in the process of deploying Splunk Cloud. We have installed the Microsoft Office 365 App for Splunk along with all the required add-ons. The app is working as intended except that we're not getting any Message Trace data. We followed the instructions to properly set up the Add-on Input and assigned the API permissions on the Azure side. For whatever reason we're still not getting any Trace data. It looks like the problem is on the Azure side; we have assigned the appropriate API permissions as stated in the documentation. Is there anything else that needs to be set up on the Azure or Splunk side to get Exchange Trace data? We followed these instructions for the Splunk Add-on for Microsoft Office 365 integration: https://docs.splunk.com/Documentation/AddOns/released/MSO365/ConfigureappinAzureAD Any help would be highly appreciated.
How to detect CVE-2024-3094 with Splunk?
Hi all, I'm trying to understand how rotating the certificates used for SSO works in a search head cluster. We have a search head cluster where we have SSO working already. For the initial setup, I understand we can download the SPmetadata.xml file from the Splunk SAML settings page. However, during rotation, how do we create this when we are using a cert that already exists and we want to rotate the server-side certificate? If we just download SPmetadata.xml to create the request for the IdP, it will have the same cert as we are using. If we rotate the cert first on our side so we can download SPmetadata.xml to create the request for the IdP, then this will end up in an error, as the IdP won't detect the server-side certificate during this, obviously.
I am trying to set up Azure Event Hub to Splunk using the tutorial here. I followed the tutorial as is. I gave the right permissions (Azure Event Hubs Data Owner as well) to the application, but it always gives "authentication failed". What am I doing wrong?
Hi everyone. I'm currently trying to install the Universal Forwarder on a Windows client. I haven't installed any previous version of the Universal Forwarder on this client before. After reaching the final stages of the installation, unfortunately, it rolls back and displays a message indicating that the installation wizard did not complete. I'm also attaching the AppCrash report for your reference. Could you please provide some guidance on this? Edit 1: I would like to add that the client is part of a domain, and it makes no difference whether I perform the installation with the domain admin user or the local admin user, as I still encounter errors.
Hello, is editing ES roles on the Permissions page the same as editing ES roles on Splunk's native edit role page? I guess they both point to the ES authorize.conf, but the native one can work with custom roles? Thanks.
The query produces multiple pages of results. How do I move the total to the top (first) row for convenience?

search query | eval dayOfWeek=strftime(_time, "%A"), date=strftime(_time, "%Y-%m-%d") | eval dayNum=case(dayOfWeek=="Sunday", 1, dayOfWeek=="Monday", 2, dayOfWeek=="Tuesday", 3, dayOfWeek=="Wednesday", 4, dayOfWeek=="Thursday", 5, dayOfWeek=="Friday", 6, dayOfWeek=="Saturday", 7) | stats count as "Session count" by dayOfWeek, date | addtotals col=t row=f label="Month total" | sort date desc
As per the below screenshot, my server is not giving any health status for HEC port 8088. Due to this I am not able to publish anything using a HEC token in Splunk, for example:

curl -k "Authorization: Splunk ee6d8a90-4863-4789-9ff1-fda810bee6f2" http://walvau-vidi-1:8000/services/collector/event -d '{"event": "hello world"}'

Please guide me on what the issue might be and how I can investigate this further.

default inputs.conf:
[http]
disabled=1
port=8088
enableSSL=1
dedicatedIoThreads=2
maxThreads = 0
maxSockets = 0
useDeploymentServer=0
# ssl settings are similar to mgmt server
sslVersions=*,-ssl2
allowSslCompression=true
allowSslRenegotiation=true
ackIdleCleanup=true

local inputs.conf:
[http]
disabled = 0
enableSSL = 0
Hello Bitdefender team,  Could you kindly assist with updating the Bitdefender GravityZone Add-on for Splunk? Currently, we are experiencing difficulties uploading the add-on per the integrations instructions provided in: https://www.bitdefender.com/business/support/en/77211-171475-splunk.html  and we're receiving the following error message: “The Add-on Builder version used to create this app (4.1.0) is below the minimum required version of 4.1.3. Please re-generate your add-on using Add-on Builder 4.1.3 or later. File: default/addon_builder.conf Line Number: 4” Your prompt attention to this matter would be greatly appreciated.    
Hello Team, as per https://docs.splunk.com/Documentation/Splunk/9.2.0/DistSearch/Knowledgebundlereplication: "The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf" or "The knowledge bundle consists of a set of files that the search peers ordinarily need in order to perform their searches". Could you please give me one example of why we really need it? I had the impression that to return search results to the SH, the indexer just needs the SPL query and its locally indexed data + metadata. One of my guesses for a good example was lookup files, but I guess the indexer should not need any lookup files since that job is done by the search head, not the indexer. The same with other KO objects like tags, event types, macros etc. -> those objects should not be needed on the indexer to perform the search; those are used by the search head to enrich data returned by the indexer. Another theory: we distribute those files not to help with searching, but with parsing and indexing (for example using props.conf and transforms.conf). Maybe that is the case? Extra question: the conf files delivered in the bundle: if I understand correctly, those settings are in memory only, not modifying any existing conf files on the indexer? But at the same time modifying the in-memory settings for (for example) index.conf? If so, I should be able to run "splunk btool indexes list" to see something different than "splunk show" -> to compare the diff between the current configuration files versus those sent from the bundle and applied in memory? What are the best practices here? What am I missing? Thanks, Michal
I would like to create a scheduled search sending a multi-line Slack notification via the Splunk API. I can create the search, there's no problem. The Slack notification also works, but it is limited to a single-line notification. I would like to split the notification into multiple lines. I am using the "Slack Notification Alert" app and I have tried a few characters like "\n", "\r", "<br />", "\" and none of them worked. It seems that all of these are escaped and the Slack message is still a one-liner like "test\ntest" instead of "test test". Of course I can use a browser to go to the Splunk web UI and change it there, but we need to do this at scale and changing it manually instead of via the API is not efficient at all. Please help, thanks a lot!
After attending a Splunk 9.2 webinar yesterday (3/28/24), I pulled a fresh Docker container down using the "latest" tag and found that I had v9.0.9 rather than v9.2.1. Is it possible that this is a recurrence of the build issue mentioned in this old post: https://community.splunk.com/t5/Deployment-Architecture/Why-is-Docker-latest-not-on-most-recent-version/td-p/600958 ?
On my Splunk instance, while using CyberChef for Splunk, I encounter a message that the last build was 2 years ago. I checked Splunkbase and apps.splunk.com, which only have the latest version from over two years ago. Any suggestions on how I can get this app upgraded, or am I just kinda stuck where I am for now until they come up with an upgrade on Splunkbase?
Hi Experts, I have a list of dates in the field called my_date like below:
45123
45127
45130
How can I convert this? Thank you!
Hi All, we have DB agents and the SQL servers are still using TLS 1.1 and 1.0. Can this affect the DB metrics reporting to AppD? Regards, Fadil
Hi, we are looking for a way to integrate Checkmarx with Splunk. What will be the best way?
I want to compare the previous hour's data with the present hour's data and get the percentage using the query below.

|mstats sum(transaction) as Trans where index=host-metrics service=login application IN(app1, app2, app3, app4) span=1h by application
From the subject title, what I mean is that it will increase the row count and decrease the column count - that is my intention. After a series of mathematical computations, I ended up with the following table:

Unixtime_A        Total_A  Unixtime_B        Total_B
imaginary_unix_1  1        imaginary_unix_3  4
imaginary_unix_2  2        imaginary_unix_1  5
imaginary_unix_3  3        imaginary_unix_4  6

Notes:
Unixtime_A may not equal Unixtime_B, but they are formatted the same, that is, snapped to the month with @mon (unixtime).
Total_A and Total_B were the result of various conditional counts, so they need to be separate fields.

The desired table is:

Unixtime_AB       Total_A  Total_B
imaginary_unix_1  1
imaginary_unix_2  2
imaginary_unix_3  3
imaginary_unix_3           4
imaginary_unix_1           5
imaginary_unix_4           6

Which I can then use | fillnull on, and use a simple stats to sum both totals by Unixtime_AB. Like so:

| stats sum(Total_A), sum(Total_B) by Unixtime_AB

I'm not 100% sure if transpose, untable, or xyseries could do this - or if I was misusing them somehow.
Hi, what are the options to integrate AppDynamics with Zabbix, or the other way around, to send data from Zabbix to AppDynamics? Thanks, Akhila
I've been struggling to decide the best method to instrument a Java web app running on Azure App Service. There's plenty of documentation for AKS services, ECS services and so on. There's even documentation for .NET services running as an Azure App Service but nothing for my use case.  Is there any documentation available for this specific scenario? I've read and re-read the Java APM documentation but I still feel a bit lost.  Thank you for any help and suggestions!