All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Unable to import splunk-sdk and splunklib python. Here are the errors I'm getting while importing. Any suggestions? splunklib: error: command 'C:\\Program Files (x86)\\Microsoft Visual Studio\\2022\\BuildTools\\VC\\Tools\\MSVC\\14.39.33519\\bin\\HostX86\\x64\\cl.exe' failed with exit code 2 [end of output] note: This error originates from a subprocess, and is likely not a problem with pip. ERROR: Failed building wheel for pycrypto Running setup.py clean for pycrypto Failed to build pycrypto ERROR: Could not build wheels for pycrypto, which is required to install pyproject.toml-based projects splunk-sdk : line 18, in <module> from splunklib.six.moves import map ModuleNotFoundError: No module named 'splunklib.six.moves' [end of output] note: This error originates from a subprocess, and is likely not a problem with pip. error: metadata-generation-failed × Encountered error while generating package metadata. ╰─> See above for output.
walmart_2.xml walmart_3.xml walmart_4.xml Scenario I: When using the below configuration in Inputs.conf, we are able to monitor in Splunk. [monitor://D:\scada_server\walmart_2.xml] disabled = false host = WALVAU-VIDI-1 index = 2313917_2797418_scada sourcetype = Scada_walmart_alarm crcSalt = <SOURCE> CHECK_METHOD = entire_md5 Scenario 2: Hello Splunkers!! I need your help to fix this issue. When using the below configuration in Inputs.conf, we are not able to monitor in Splunk. [monitor://D:\scada_server\walmart_*.xml] disabled = false host = WALVAU-VIDI-1 index = 2313917_2797418_scada sourcetype = Scada_walmart_alarm crcSalt = <SOURCE> CHECK_METHOD = entire_md5 Please suggest some workaround.
Hi Team, We have a search head cluster and indexer cluster in our current Splunk environment. The data to the indexer earlier was provided by multiple forwarders which had the endpoint for the Indexer. Now, since it is a multi-indexer architecture, we need a common point for the forwarder to point the data. Please provide suggestions on how to set up the forwarders -> Deployment Server -> Cluster master architecture. I came across this one, but I am confused about the meaning of deployment client: https://community.splunk.com/t5/Deployment-Architecture/How-to-set-up-new-deployment-server-in-a-clustered-environment/m-p/514847 Thanks in advance!
When I try to create a manual notable, I get the following error.
Hi All, I have prepared a dropdown using this solution - https://community.splunk.com/t5/Dashboards-Visualizations/Custom-Time-dropdown/m-p/677806#M55517 From this solution I used this query to create the dropdown. | makeresults | addinfo | eval date=mvrange(info_min_time,info_max_time,"1mon") | mvexpand date | sort - date | eval Month=strftime(date,"%b-%y") | table Month date How to use this in the query so that the search will take only the selected month? Also, for some other charts the query should take the date till the selected month. For example, if Jan 24 is selected, the chart should show data till Dec 23. How can I achieve these 2 requirements? Can anyone help me?
Hello, May I please know how to display a popup as soon as the dashboard opens? If there is any HTML code or a JS file for it, please do let me know. Your valuable suggestions are required.
Can anyone help me with where I can find the above dashboard in Splunk, in the Monitoring Console?
Hi Team, I am unable to extract the Timestamp value from the below message in splunk events using rex command and add that value to new field. I request you to kindly look into this and help me out in extracting that value to the new field by name TIME. Below is the event message. The Timestamp value is 20240301. We have to extract the similar values and add those value to the field TIME Dataframe row : {"_c0":{"0":"{","1":" \"0\": {","2":" \"jobname\": \"A001_GVE_ADHOC_AUDIT\"","3":" \"status\": \"ENDED NOTOK\"","4":" \"Timestamp\": \"20240301\"","5":" }","6":" \"1\": {","7":" \"jobname\": \"BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_TSYS\"","8":" \"status\": \"ENDED NOTOK\"","9":" \"Timestamp\": \"20240301\"","10":" }","11":" \"2\": {","12":" \"jobname\": \"BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_TSYS_WEEKLY\"","13":" \"status\": \"ENDED NOTOK\"","14":" \"Timestamp\": \"20240301\"","15":" }","16":" \"3\": {","17":" \"jobname\": \"D001_GVE_SOFT_MATCHING_GDH_CA\"","18":" \"status\": \"ENDED NOTOK\"","19":" \"Timestamp\": \"20240301\"","20":" }","21":" \"4\": {","22":" \"jobname\": \"D100_AKS_CDWH_SQOOP_TRX_ORG\"","23":" \"status\": \"ENDED NOTOK\"","24":" \"Timestamp\": \"20240301\"","25":" }","26":" \"5\": {","27":" \"jobname\": \"D100_AKS_CDWH_SQOOP_TYP_123\"","28":" \"status\": \"ENDED NOTOK\"","29":" \"Timestamp\": \"20240301\"","30":" }","31":" \"6\": {","32":" \"jobname\": \"D100_AKS_CDWH_SQOOP_TYP_45\"","33":" \"status\": \"ENDED OK\"","34":" \"Timestamp\": \"20240301\"","35":" }","36":" \"7\": {","37":" \"jobname\": \"D100_AKS_CDWH_SQOOP_TYP_ENPW\"","38":" \"status\": \"ENDED NOTOK\"","39":" \"Timestamp\": \"20240301\"","40":" }","41":" \"8\": {","42":" \"jobname\": \"D100_AKS_CDWH_SQOOP_TYP_T\"","43":" \"status\": \"ENDED NOTOK\"","44":" \"Timestamp\": \"20240301\"","45":" }","46":" \"9\": {","47":" \"jobname\": \"DREAMPC_CALC_ML_NAMESAPCE\"","48":" \"status\": \"ENDED NOTOK\"","49":" \"Timestamp\": \"20240301\"","50":" }","51":" \"10\": {","52":" 
\"jobname\": \"DREAMPC_MEMORY_AlERT_SIT\"","53":" \"status\": \"ENDED NOTOK\"","54":" \"Timestamp\": \"20240301\"","55":" }","56":" \"11\": {","57":" \"jobname\": \"DREAM_BDV_NBR_PRE_REQUISITE_TLX_LSP_3RD_PARTY_TRNS\"","58":" \"status\": \"ENDED NOTOK\"","59":" \"Timestamp\": \"20240301\"","60":" }","61":" \"12\": {","62":" \"jobname\": \"DREAM_BDV_NBR_PRE_REQUISITE_TLX_LSP_3RD_PARTY_TRNS_WEEKLY\"","63":" \"status\": \"ENDED NOTOK\"","64":" \"Timestamp\": \"20240301\"","65":" }","66":" \"13\": {","67":" \"jobname\": \"DREAM_BDV_NBR_STG_TLX_LSP_3RD_PARTY_TRNS\"","68":" \"status\": \"ENDED OK\"","69":" \"Timestamp\": \"20240301\"","70":" }","71":" \"14\": {","72":" \"jobname\": \"DREAM_BDV_NBR_STG_TLX_LSP_3RD_PARTY_TRNS_WEEKLY\"","73":" \"status\": \"ENDED OK\"","74":" \"Timestamp\": \"20240301\"","75":" }","76":" \"15\": {","77":" \"jobname\": \"DREAM_BDV_NBR_TLX_LSP_3RD_PARTY_TRNS\"","78":" \"status\": \"ENDED OK\"","79":" \"Timestamp\": \"20240301\"","80":" }","81":" \"16\": {","82":" \"jobname\": \"DREAM_BDV_NBR_TLX_LSP_3RD_PARTY_TRNS_WEEKLY\"","83":" \"status\": \"ENDED OK\"","84":" \"Timestamp\": \"20240301\"","85":" }","86":" \"17\": {","87":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_GDH\"","88":" \"status\": \"ENDED OK\"","89":" \"Timestamp\": \"20240301\"","90":" }","91":" \"18\": {","92":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_GDH_WEEKLY\"","93":" \"status\": \"ENDED OK\"","94":" \"Timestamp\": \"20240301\"","95":" }","96":" \"19\": {","97":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_SAMCONTDEPOT\"","98":" \"status\": \"ENDED NOTOK\"","99":" \"Timestamp\": \"20240301\"","100":" }","101":" \"20\": {","102":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_TLXLSP_TRXN\"","103":" \"status\": \"ENDED NOTOK\"","104":" \"Timestamp\": \"20240301\"","105":" }","106":" \"21\": {","107":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_TRADEABR\"","108":" \"status\": \"ENDED 
OK\"","109":" \"Timestamp\": \"20240301\"","110":" }","111":" \"22\": {","112":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_TRADEABR_WEEKLY\"","113":" \"status\": \"ENDED OK\"","114":" \"Timestamp\": \"20240301\"","115":" }","116":" \"23\": {","117":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_TRADESON\"","118":" \"status\": \"ENDED NOTOK\"","119":" \"Timestamp\": \"20240301\"","120":" }","121":" \"24\": {","122":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_TRADESON_WEEKLY\"","123":" \"status\": \"ENDED OK\"","124":" \"Timestamp\": \"20240301\"","125":" }","126":" \"25\": {","127":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_ZCI\"","128":" \"status\": \"ENDED NOTOK\"","129":" \"Timestamp\": \"20240301\"","130":" }","131":" \"26\": {","132":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_ZCI_WEEKLY\"","133":" \"status\": \"ENDED NOTOK\"","134":" \"Timestamp\": \"20240301\"","135":" }","136":" \"27\": {","137":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_ZPI\"","138":" \"status\": \"ENDED NOTOK\"","139":" \"Timestamp\": \"20240301\"","140":" }","141":" \"28\": {","142":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQUISITE_ZPI_WEEKLY\"","143":" \"status\": \"ENDED NOTOK\"","144":" \"Timestamp\": \"20240301\"","145":" }","146":" \"29\": {","147":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQ_SAMCONTDEPOT_WEEKLY\"","148":" \"status\": \"ENDED NOTOK\"","149":" \"Timestamp\": \"20240301\"","150":" }","151":" \"30\": {","152":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQ_TALANX_TRAN\"","153":" \"status\": \"ENDED NOTOK\"","154":" \"Timestamp\": \"20240301\"","155":" }","156":" \"31\": {","157":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQ_TALANX_TRAN_WEEKLY\"","158":" \"status\": \"ENDED NOTOK\"","159":" \"Timestamp\": \"20240301\"","160":" }","161":" \"32\": {","162":" \"jobname\": 
\"DREAM_BDV_NEW_BUSINESS_REPORTING_PRE_REQ_TLXLSP_TRXN_WEEKLY\"","163":" \"status\": \"ENDED NOTOK\"","164":" \"Timestamp\": \"20240301\"","165":" }","166":" \"33\": {","167":" \"jobname\": \"DREAM_BDV_NEW_BUSINESS_REPORTING_STG_TRADEABR\"","168":" \"status\": \"ENDED NOTOK\"","169":" \"Timestamp\": \"20240301\"","170":" }","171":" \"34\": {","172":" \"jobname\": \"DREAM_BUILD_GDH_MIS_BDV_01\"","173":" \"status\": \"ENDED OK\"","174":" \"Timestamp\": \"20240301\"","175":" }","176":" \"35\": {","177":" \"jobname\": \"DREAM_BUILD_GDH_MIS_BDV_02\"","178":" \"status\": \"ENDED OK\"","179":" \"Timestamp\": \"20240301\"","180":" }","181":" \"36\": {","182":" \"jobname\": \"DREAM_BUILD_GDH_MIS_BDV_03\"","183":" \"status\": \"ENDED OK\"","184":" \"Timestamp\": \"20240301\"","185":" }","186":" \"37\": {","187":" \"jobname\": \"DREAM_BUILD_GDH_MIS_BDV_04\"","188":" \"status\": \"ENDED OK\"","189":" \"Timestamp\": \"20240301\"","190":" }","191":" \"38\": {","192":" \"jobname\": \"DREAM_BUILD_GDH_MIS_BDV_LINK\"","193":" \"status\": \"ENDED OK\"","194":" \"Timestamp\": \"20240301\"","195":" }","196":" \"39\": {","197":" \"jobname\": \"DREAM_BUILD_GDH_MIS_BDV_UNION\"","198":" \"status\": \"ENDED OK\"","199":" \"Timestamp\": \"20240301\"","200":" }","201":" \"40\": {","202":" \"jobname\": \"DREAM_CALC_BDV_CONTROL_COPY\"","203":" \"status\": \"ENDED NOTOK\"","204":" \"Timestamp\": \"20240301\"","205":" }","206":" \"41\": {","207":" \"jobname\": \"DREAM_CDWH_TLX_LSP_3RD_PARTY_TRNS_FACT_OUTBOUND_WEEKLY\"","208":" \"status\": \"ENDED OK\"","209":" \"Timestamp\": \"20240301\"","210":" }","211":" \"42\": {","212":" \"jobname\": \"DREAM_FILE_DELETION_OUTBOUND\"","213":" \"status\": \"ENDED NOTOK\"","214":" \"Timestamp\": \"20240301\"","215":" }","216":" \"43\": {","217":" \"jobname\": \"DREAM_FVDB_TLX_LSP_3RD_PARTY_TRNS_FACT_OUTBOUND_WEEKLY\"","218":" \"status\": \"ENDED OK\"","219":" \"Timestamp\": \"20240301\"","220":" }","221":" \"44\": {","222":" \"jobname\": 
\"DREAM_FVDB_TOCSV_TLX_LSP_3RD_PARTY_TRNS_FACT_OUTBOUND_WEEKLY\"","223":" \"status\": \"ENDED OK\"","224":" \"Timestamp\": \"20240301\"","225":" }","226":" \"45\": {","227":" \"jobname\": \"DREAM_GVE_GDH_NEW_BUSINESS_FACT_OUTBOUND\"","228":" \"status\": \"ENDED OK\"","229":" \"Timestamp\": \"20240301\"","230":" }","231":" \"46\": {","232":" \"jobname\": \"DREAM_GVE_TLX_LSP_3RD_PARTY_TRNS_FACT_OUTBOUND_WEEKLY\"","233":" \"status\": \"ENDED OK\"","234":" \"Timestamp\": \"20240301\"","235":" }","236":" \"47\": {","237":" \"jobname\": \"DREAM_MEMORY_ALERT_SIT\"","238":" \"status\": \"ENDED OK\"","239":" \"Timestamp\": \"20240301\"","240":" }","241":" \"48\": {","242":" \"jobname\": \"DREAM_MIS_BDV_GMOMIS46_GDH_CORRECTION\"","243":" \"status\": \"ENDED OK\"","244":" \"Timestamp\": \"20240301\"","245":" }","246":" \"49\": {","247":" \"jobname\": \"DREAM_MIS_BDV_TALANXLSP_INVENTORY_THIRD_PARTY_PRE_REQUISITE\"","248":" \"status\": \"ENDED NOTOK\"","249":" \"Timestamp\": \"20240301\"","250":" }","251":" \"50\": {","252":" \"jobname\": \"DREAM_MIS_BDV_TALANX_INSURANCE_PRE_REQUISITE\"","253":" \"status\": \"ENDED OK\"","254":" \"Timestamp\": \"20240301\"","255":" }","256":" \"51\": {","257":" \"jobname\": \"DREAM_MIS_BDV_TALANX_INSURANCE_WEEKLY_PRE_REQUISITE\"","258":" \"status\": \"ENDED OK\"","259":" \"Timestamp\": \"20240301\"","260":" }","261":" \"52\": {","262":" \"jobname\": \"DREAM_MIS_BDV_TALANX_LSP3P_INV\"","263":" \"status\": \"ENDED NOTOK\"","264":" \"Timestamp\": \"20240301\"","265":" }","266":" \"53\": {","267":" \"jobname\": \"DREAM_MIS_BDV_TALANX_LSP3P_TRANSACTION\"","268":" \"status\": \"ENDED NOTOK\"","269":" \"Timestamp\": \"20240301\"","270":" }","271":" \"54\": {","272":" \"jobname\": \"DREAM_MIS_BDV_TSYS_STOCK_PRE_REQUISITE\"","273":" \"status\": \"ENDED NOTOK\"","274":" \"Timestamp\": \"20240301\"","275":" }","276":" \"55\": {","277":" \"jobname\": \"DREAM_MIS_BDV_TSYS_STOCK_PRE_REQUISITE_WEEKLY\"","278":" \"status\": \"ENDED OK\"","279":" \"Timestamp\": 
\"20240301\"","280":" }","281":" \"56\": {","282":" \"jobname\": \"DREAM_MIS_PRECHECK_TALANXLSPDB_INVENTORY\"","283":" \"status\": \"ENDED NOTOK\"","284":" \"Timestamp\": \"20240301\"","285":" }","286":" \"57\": {","287":" \"jobname\": \"DREAM_MIS_PRECHECK_ZCI_INVENTORY_MONTHLY\"","288":" \"status\": \"ENDED OK\"","289":" \"Timestamp\": \"20240301\"","290":" }","291":" \"58\": {","292":" \"jobname\": \"DREAM_MIS_PRECHECK_ZCI_TRANSACTION_MONTHLY\"","293":" \"status\": \"ENDED OK\"","294":" \"Timestamp\": \"20240301\"","295":" }","296":" \"59\": {","297":" \"jobname\": \"DREAM_MIS_PRECHECK_ZPI_INVENTORY_MONTHLY\"","298":" \"status\": \"ENDED NOTOK\"","299":" \"Timestamp\": \"20240301\"","300":" }","301":" \"60\": {","302":" \"jobname\": \"DREAM_MIS_PRECHECK_ZPI_TRANSACTION_MONTHLY\"","303":" \"status\": \"ENDED OK\"","304":" \"Timestamp\": \"20240301\"","305":" }","306":" \"61\": {","307":" \"jobname\": \"DREAM_MIS_VP_FACTOR_PRE_PROCESSING\"","308":" \"status\": \"ENDED OK\"","309":" \"Timestamp\": \"20240301\"","310":" }","311":" \"62\": {","312":" \"jobname\": \"DREAM_NEW_BUSINESS_DETECTION_TLX_LSP3P_TRANSACTION\"","313":" \"status\": \"ENDED NOTOK\"","314":" \"Timestamp\": \"20240301\"","315":" }","316":" \"63\": {","317":" \"jobname\": \"DREAM_PRECHECK_GDH_DAILY_DATA\"","318":" \"status\": \"ENDED NOTOK\"","319":" \"Timestamp\": \"20240301\"","320":" }","321":" \"64\": {","322":" \"jobname\": \"DREAM_PRECHECK_TLX_DAILY_DATA_LSP3P_INV\"","323":" \"status\": \"ENDED OK\"","324":" \"Timestamp\": \"20240301\"","325":" }","326":" \"65\": {","327":" \"jobname\": \"DREAM_PRECHECK_TLX_DAILY_DATA_LSP3P_TRANSACTION\"","328":" \"status\": \"ENDED NOTOK\"","329":" \"Timestamp\": \"20240301\"","330":" }","331":" \"66\": {","332":" \"jobname\": \"DREAM_PRECHECK_TLX_LSP3P_TRANSACTION_DAILY\"","333":" \"status\": \"ENDED NOTOK\"","334":" \"Timestamp\": \"20240301\"","335":" }","336":" \"67\": {","337":" \"jobname\": \"DREAM_RDL_GDH_NEW_BUSINESS_FACT\"","338":" \"status\": 
\"ENDED NOTOK\"","339":" \"Timestamp\": \"20240301\"","340":" }","341":" \"68\": {","342":" \"jobname\": \"DREAM_RDL_STG_GDH_NEW_BUSINESS_FACT\"","343":" \"status\": \"ENDED NOTOK\"","344":" \"Timestamp\": \"20240301\"","345":" }","346":" \"69\": {","347":" \"jobname\": \"DREAM_RDL_STG_TLX_LSP_3RD_PARTY_TRNS_FACT\"","348":" \"status\": \"ENDED OK\"","349":" \"Timestamp\": \"20240301\"","350":" }","351":" \"70\": {","352":" \"jobname\": \"DREAM_RDL_STG_TLX_LSP_3RD_PARTY_TRNS_FACT_WEEKLY\"","353":" \"status\": \"ENDED OK\"","354":" \"Timestamp\": \"20240301\"","355":" }","356":" \"71\": {","357":" \"jobname\": \"DREAM_RDL_TLX_LSP_3RD_PARTY_TRNS_FACT\"","358":" \"status\": \"ENDED NOTOK\"","359":" \"Timestamp\": \"20240301\"","360":" }","361":" \"72\": {","362":" \"jobname\": \"DREAM_RDL_TLX_LSP_3RD_PARTY_TRNS_FACT_WEEKLY\"","363":" \"status\": \"ENDED OK\"","364":" \"Timestamp\": \"20240301\"","365":" }","366":" \"73\": {","367":" \"jobname\": \"DREAM_REDUCE_FILE_SIZE\"","368":" \"status\": \"ENDED NOTOK\"","369":" \"Timestamp\": \"20240301\"","370":" }","371":" \"74\": {","372":" \"jobname\": \"DREAM_SDM_STG_GMARS_FDWRISK_FACT\"","373":" \"status\": \"ENDED NOTOK\"","374":" \"Timestamp\": \"20240301\"","375":" }","376":" \"75\": {","377":" \"jobname\": \"DREAM_SDM_STG_TLX_LSP_3RD_PARTY_TRNS_FACT_WEEKLY\"","378":" \"status\": \"ENDED OK\"","379":" \"Timestamp\": \"20240301\"","380":" }","381":" \"76\": {","382":" \"jobname\": \"DREAM_TDM_STG_TALANXLSP_TRANSACTION_THIRD_PARTY_NB_FACT_WEEKLY\"","383":" \"status\": \"ENDED OK\"","384":" \"Timestamp\": \"20240301\"","385":" }","386":" \"77\": {","387":" \"jobname\": \"M002_GVE_SALES_KEY_MATCH_MAP_GVE_TO_DC\"","388":" \"status\": \"ENDED OK\"","389":" \"Timestamp\": \"20240301\"","390":" }","391":" \"78\": {","392":" \"jobname\": \"M003_GVE_AKS_PAYMNET_TRANSACTION_LOAD\"","393":" \"status\": \"ENDED NOTOK\"","394":" \"Timestamp\": \"20240301\"","395":" }","396":"}"}}   
  "I want to deploy my settings to another search head while using a virtual machine. However, whenever I attempt to authorize, the following error occurs:"     Bad Request — editTracker failed, ... See more...
  "I want to deploy my settings to another search head while using a virtual machine. However, whenever I attempt to authorize, the following error occurs:"     Bad Request — editTracker failed, reason='WARN: path=/masterlm/usage: This license does not support being a remote master. from ip=172.18.0.3'      
Please add proxy support for this application.
For years I have kept a standalone Splunk Enterprise running on Macbooks.  Typically I keep MacOS in sleep or running mode overnight.  Splunk will run until I reboot (or forced restart).  Never had a problem. But in the past two weeks, I had two nights during which splunkd on one Macbook entered a "frozen" state in that it will respond to some HTTP queries (e.g., listing dashboards) but all search jobs stopped responding.  I had to either run the Splunk launcher to stop it then relaunch, or reboot. Meanwhile, another Macbook continues to run Splunk fine (in sleep mode). Anyone experience the same?  What could be possible causes?  Neither instance has any recurring jobs or ingestion.  Current version is 9.1.2.  The problematic one runs MacOS 12.7.3/M1. (Last updated some weeks ago.)  The other one runs the same MacOS on Intel.
Hi, Has anyone faced this issue where you received an Unauthorized 401 error response from ServiceNow? The scenario is as below. We are using an AD service account userA to interact with ServiceNow for incident creation. On the Splunk side, we are using Basic Auth. On AD, the user account is set to never expire. So far we have checked the service account status. No changes were made, but the issue was sudden. Ran the query >index=_internal sourcetype="ta_snow_ticket host IN ( search head) The above query was the one where we saw that the return code is 401 (Unauthorized). What else can be checked? As of now, we are planning to reset the service account password and try again. But if it works, the issue is finding what caused the password to be changed when it has been set to never expire.
Hi All,   I've been using the Addon Builder to create some modular inputs and associated AddOn configuration pages including account names. I've also shoehorned in some custom search commands which use the automatically generated configuration settings from the Web GUI. One thing I noticed was when you deploy the app to a search head cluster Addon Configuration changes do not migrate across the cluster. I thought it used REST endpoints to make these changes so they should replicate across the cluster? Might be worth putting something in the documentation so users are aware that the apps Addonbuilder makes will not be fully functional in a search head cluster environment.   The only solution we've found is to manually log into each Search Head in the cluster and make the changes on each one individually.
Hello, I have a set of Grade (Math, English, Science) data for Student1 and Student2 from 2/8/2024  to 3/1/2024 How to display timechart multivalues without colon? The complete search is down below.   Thank you so much for your help. This is the result with colon Is it possible to display the data like the following?  Should I parse the data to get the display like below or is there a better way to do this? Student Grades 2/8/2024 2/15/2024 2/22/2024 2/29/2024 Student1 EnglishGrade 10 7 7 10 Student1 MathGrade 10 7 7 10 Student1 ScienceGrade 10 7 7 10 Student2 EnglishGrade 9 6 7 9 Student2 MathGrade 9 6 7 9 Student2 ScienceGrade 9 6 7 9 Here's the search   | makeresults format=csv data="_time,Student,MathGrade,EnglishGrade,ScienceGrade 1707368400,Student1,10,10,10 1707454800,Student1,9,9,9 1707541200,Student1,8,8,8 1707627600,Student1,7,7,7 1707714000,Student1,6,6,6 1707800400,Student1,5,5,5 1707886800,Student1,6,6,6 1707973200,Student1,7,7,7 1708059600,Student1,8,8,8 1708146000,Student1,9,9,9 1708232400,Student1,10,10,10 1708318800,Student1,10,10,10 1708405200,Student1,9,9,9 1708491600,Student1,8,8,8 1708578000,Student1,7,7,7 1708664400,Student1,6,6,6 1708750800,Student1,5,5,5 1708837200,Student1,6,6,6 1708923600,Student1,7,7,7 1709010000,Student1,8,8,8 1709096400,Student1,9,9,9 1709182800,Student1,10,10,10 1709269200,Student1,10,10,10 1707368400,Student2,9,9,9 1707454800,Student2,5,5,5 1707541200,Student2,6,6,6 1707627600,Student2,7,7,7 1707714000,Student2,8,8,8 1707800400,Student2,9,9,9 1707886800,Student2,5,5,5 1707973200,Student2,6,6,6 1708059600,Student2,7,7,7 1708146000,Student2,8,8,8 1708232400,Student2,9,9,9 1708318800,Student2,9,9,9 1708405200,Student2,5,5,5 1708491600,Student2,6,6,6 1708578000,Student2,7,7,7 1708664400,Student2,8,8,8 1708750800,Student2,9,9,9 1708837200,Student2,5,5,5 1708923600,Student2,6,6,6 1709010000,Student2,7,7,7 1709096400,Student2,8,8,8 1709182800,Student2,9,9,9 1709269200,Student2,9,9,9" | table _time, Student, MathGrade, 
EnglishGrade, ScienceGrade | timechart span=1w first(MathGrade) as MathGrade, first(EnglishGrade) as EnglishGrade, first(ScienceGrade) as ScienceGrade by Student useother=f limit=0 | eval _time = strftime(_time,"%m/%d/%Y") | fields - _span _spandays | transpose 0 header_field=_time column_name=Grades    
Hello everyone, I am trying to use Splunk to create an ongoing patching countdown that will be Single Value (Days Until Patch) on my Dashboard. How can I go about accomplishing this? I was able to calculate 1 patch cycle, but I am not sure how to get it to recalculate for every month. Right now for example, it is telling me the next patch date is 2/29/2024. Hoping someone already has a solution built out. Thank you for any assistance!    This is what I have so far: | makeresults | eval start= strptime("02-01-2024", "%m-%d-%Y") | eval startStr=strftime(start, "%D") | eval PatchDate = relative_time(start ,"+28d") | eval PatchDateString= strftime(PatchDate, "%D") | eval PriorPatchDate = relative_time(start ,"-28d") | eval PriorPatchDateString = strftime(PriorPatchDate, "%D") | eval daysCountD= strftime(PatchDate - now(), "%d") | table daysCountD PriorPatchDateString PatchDateString
I am trying to run the following search: index=tripwire LogCategory="Audit Event" AND "/etc/pki/rpm-gpg/RPM-GPG-KEY-shibboleth-7" AND "myserver.mydomain.com" | rex max_match=0 field=_raw "(?<lineData>[^\n]+)" | rex field=Msg "'(?<FilePath>.*)' accessed by" | rex field=_raw "accessed\sby\s'(?<Audit_UserName>.*)'.\sType" | table _time, FilePath, Audit_UserName However, the way I am splitting the multiline data doesn't appear to be working with this data. Here is a sample of the data as viewed in Notepad++ with symbols; Every line ends in CR LF  However, in Splunk it isn't splitting up the events.  What am I missing here?  I have had this work with similar data but unsure what is different in this situation. TIA!
How to retrieve NPA and NXX from CNAC.ca using a Splunk query?
When a lookup is updated via | outputlookup, does that change the modified time? For example - search for a lookup or kvstore name and see the SPL that gives overall usage, then have the option to filter to only those SPL searches that have an outputlookup that modifies the file. index=abc sourcetype=xyz | stats count | outputlookup append=true newlookup.csv How can I track whether the outputlookup file is updated or not using the _internal or _audit index? Please suggest the Splunk query to get the status.
Using the DECRYPT2 app, I have a search that uses the decrypt command to decode an encoded string. It returns results as a table just fine. I created an email alert using this search, but the email alert fails to trigger unless I remove the decrypted field from the table. I would like the email alert to be sent which includes the decoded value from the decrypted field. Anyone might know what the issue is?
Hello, How to use specific start date in weekly timechart? For example: I have a set of Grade (Math, English, Science) data for Student1 and Student2 from 2/8/2024  to 3/1/2024 When I use timechart weekly, it always starts with 02/08/2024. | timechart span=1w first(MathGrade) by Student useother=f limit=0 How do I start from other date, such as 02/09/2024 or 02/10/2024? Thank you for your help Here's the search   | makeresults format=csv data="_time,Student,MathGrade,EnglishGrade,ScienceGrade 1707368400,Student1,10,10,10 1707454800,Student1,9,9,9 1707541200,Student1,8,8,8 1707627600,Student1,7,7,7 1707714000,Student1,6,6,6 1707800400,Student1,5,5,5 1707886800,Student1,6,6,6 1707973200,Student1,7,7,7 1708059600,Student1,8,8,8 1708146000,Student1,9,9,9 1708232400,Student1,10,10,10 1708318800,Student1,10,10,10 1708405200,Student1,9,9,9 1708491600,Student1,8,8,8 1708578000,Student1,7,7,7 1708664400,Student1,6,6,6 1708750800,Student1,5,5,5 1708837200,Student1,6,6,6 1708923600,Student1,7,7,7 1709010000,Student1,8,8,8 1709096400,Student1,9,9,9 1709182800,Student1,10,10,10 1709269200,Student1,10,10,10 1707368400,Student2,9,9,9 1707454800,Student2,5,5,5 1707541200,Student2,6,6,6 1707627600,Student2,7,7,7 1707714000,Student2,8,8,8 1707800400,Student2,9,9,9 1707886800,Student2,5,5,5 1707973200,Student2,6,6,6 1708059600,Student2,7,7,7 1708146000,Student2,8,8,8 1708232400,Student2,9,9,9 1708318800,Student2,9,9,9 1708405200,Student2,5,5,5 1708491600,Student2,6,6,6 1708578000,Student2,7,7,7 1708664400,Student2,8,8,8 1708750800,Student2,9,9,9 1708837200,Student2,5,5,5 1708923600,Student2,6,6,6 1709010000,Student2,7,7,7 1709096400,Student2,8,8,8 1709182800,Student2,9,9,9 1709269200,Student2,9,9,9" | table _time, Student, MathGrade, EnglishGrade, ScienceGrade | timechart span=1w first(MathGrade) by Student useother=f limit=0