All Topics

I have log entries that have the following format: [<connectorName>|<scope>]<sp> The following are examples of the connector context for a connector named "my-connector":

[my-connector|worker]
[other-connector|task-0]
[my-connector|task-0|offsets]

I would like to extract the names of the connectors and build stats. The tasks or other metadata are not needed. For example:

Connector        Count
my-connector     2
other-connector  2

As the entries have different formats, how can I do this?

Dears, after upgrading Splunk from version 9.1.2 to version 9.2.0, the deployment server is not showing the clients, but Splunk is receiving logs from the clients, and the client agents also show on all Splunk servers under Settings --> Forwarder Management, except on the deployment server. I don't know how that occurred; I didn't change anything. Kindly support me with that. Best Regards,

I believe this app or associated links to the app have been compromised. Consider removing it from Splunkbase. See the VirusTotal links below:

http[:]//emergingthreats[.]net
https://www.virustotal.com/gui/url/5232edc39848e69279fee041a84db6fb5bd0f9fff35f448392bbb56e242b0662
https://www.virustotal.com/graph/embed/gc54e4c8b7f474be6832766fdef4f5643aa60c68a16ee410fa54f99e4f6ca1b5b?theme=dark

Hi everyone. Is there any way to resolve a GPO GUID or SID within Windows Security Logs? For instance, when we change any GPO in the domain it is logged under EventCode 5136. There is a CN name inside the log that can be used for getting the display name of the GPO. Thanks

Hello Community, any assistance given will be appreciated. Trying to figure out why my table is not populating.

<form version="1.1" theme="dark">
  <label>ATM Analyzer</label>
  <fieldset submitButton="false" autoRun="true">
    <!-- Status dropdown: distinct eventstatus values from the ATM log -->
    <input type="dropdown" token="status_token">
      <label>Status</label>
      <fieldForLabel>eventstatus</fieldForLabel>
      <fieldForValue>eventstatus</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>index=atm source="D:\\Program Files\\file.dat" | dedup eventstatus | table eventstatus</query>
      </search>
      <default>INFO</default>
      <initialValue>INFO</initialValue>
    </input>
    <!-- ATM dropdown: ATM numbers seen with the selected status -->
    <input type="dropdown" token="atm_token" searchWhenChanged="false">
      <label>ATM</label>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>index=atm source="D:\\Program Files\\file.dat" | search eventstatus=$status_token$ | dedup atmnumber | table atmnumber</query>
      </search>
      <fieldForLabel>atmnumber</fieldForLabel>
      <fieldForValue>atmnumber</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <!-- Event dropdown: event types seen with the selected status and ATM -->
    <input type="dropdown" token="event_token">
      <label>Event</label>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>index=atm source="D:\\Program Files\\file.dat" | search (eventstatus=$status_token$ AND atmnumber=$atm_token$) | dedup eventtype | table eventtype</query>
      </search>
      <fieldForLabel>eventtype</fieldForLabel>
      <fieldForValue>eventtype</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="time" token="timerange">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Main table: filter on the three dropdown tokens (the ATM filter uses the $atm_token$ token, not a literal string), then rename the fields for display -->
          <query>index=atm source="D:\\Program Files\\file.dat" | search (eventstatus=$status_token$ AND atmnumber=$atm_token$ AND eventtype=$event_token$) | rename eventtime as Time, eventstatus as Status, atmnumber as ATM, eventtype as Fault, eventdescription as Description | table Time Status ATM Fault Description</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

I am trying to achieve the requirement below.

1. Calculate the error rate label for multiple applications: if the error rate is greater than 50%, mark "DOWN" in red; if the error rate is > 5% and < 50%, mark "ISSUE" in orange; else "UP" in green.
2. After the label column is done, create a new single-value widget that checks all the labels (DOWN, ISSUE, UP): if any (at least one) API's error rate is "DOWN", show "DOWN" in red; if any API's error rate is "ISSUE", show "ISSUE" in orange; else "UP" in green.

Note: I need a single text value as the result. This is the code I have written so far, but it still does not fulfil my requirement:

<panel>
  <single>
    <title>Error Rate</title>
    <search>
      <query>app_name=abc OR app_name=xyz
| rex field=msg "\"[^\"]*\"\s(?&lt;status&gt;\d+)"
| stats count(eval(status&gt;=200 AND status&lt;300)) as pass_count, count(eval(status&gt;=400)) as fail_count by cf_app_name
| eval error_rate=(fail_count/(pass_count+fail_count))*100
| eval label=if(error_rate &gt; 50, "DOWN", if(error_rate &gt; 5, "ISSUE", "UP"))
| eval error_rate=round(error_rate, 2)."%"
| rename error_rate AS "Error_rate(percent)"
| stats count(eval(label="DOWN")) as down_count, count(eval(label="ISSUE")) as issue_count, count(eval(label="UP")) as up_count
| rangemap field=issue_count low=0-0 high=2-99 default=low
| eval Status=case(down_count&gt;=1, "DOWN", down_count=0 AND issue_count&gt;=1, "ISSUE", 1=1, "UP")</query>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="drilldown">none</option>
    <option name="field">Status</option>
    <option name="rangeValues">ISSUE, UP</option>
    <option name="rangeColors">orange, green</option>
  </single>
</panel>

Hi Everyone, I am looking for a little advice. I am currently searching Splunk against multiple sets of variables to see if there are any events in the past 90 days; however, I am running into an issue with there being too many events that my search is parsing through. I don't need to see the total number of events that matched, I only need to see if there were at least 10 events that matched. Since there are 100+ sets of variables to check, doing it by hand one at a time seems tedious and lengthy. Would you be able to help me limit the events parsed so that it stops checking a set once it reaches a predetermined amount? Here is an example of my search:

index=blah sourcetype=blah (name=Name1 ip=IP1 id=id1) OR (name=Name2 ip=IP2 id=id2) OR (name=Name3 ip=IP3 id=id3) OR .... (name=Name105 ip=IP105 id=id105) | stats count by name, ip, id

Any and all help would be appreciated.

Hi, I want to connect live data of various applications from AppDynamics to Splunk ITSI in CSV format. How do I achieve this? Can anyone help me? It would be great if I get some guidance from this community. Thanks and Regards, Abhigyan.

I have a table and a couple of panels on my dashboard. I would like to click a table row and display/hide certain panels depending on the value of a specific column.

name   gender  age
Alice  female  18
Bob    male    22

For instance, I have the above table. I would like to display panel A and hide panel B when I click a row with gender=female, and display panel B and hide panel A when I click a row with gender=male. Let's say panel A depends on token panelA and panel B depends on token panelB. How should I do that? I am thinking about doing that in the drilldown setting, but I do not know how to set or unset a token with a condition.

Splunk sirs, I am trying to add a boolean column to my data called 'new_IP_detected' which will tell me whether an answer IP is new compared to answer IPs from a previous time range. Both searches are from the same index and sourcetype, and I only want to compare whether or not an answer IP from -24h to now is in the list of answer IPs from -30d to -24h. My search so far:

index=[sample index] sourcetype=[sample sourcetype] earliest=-24h latest=now NOT [ search index=[sample index] sourcetype=[sample sourcetype] earliest=-30d latest=-24h | stats count by answer | table answer] | stats count by answer | table answer

As of right now I am getting no results, which I believe is expected (meaning there are no new IPs in the last 24 hrs). How would I add the 'new_IP_detected' column over the last 30 days?

Hi, so I’m working on creating an alert in Splunk, but I’m having some issues with setting up the query. The goal of the alert is to trigger when a shared drive or folder in Google Drive has been shared externally for longer than a set period of time. I’ve seen some mentions of using the poolPeriod and fschange functions, but those seem to be better suited for system directories rather than Google Drive. Any advice on how to start setting up this query?

Hello, I am trying to count how many days out of the last 12 months our users logged into two of our servers, and in the end I want it to display the days out of the 12 months the users logged in. So if a user logged in 4 times in one day it should count as 1 day. I have tried "timechart span=1d count by Account_Name"; this looked promising, but timechart groups Account_Names into an OTHER field, which is misleading because there are other accounts in that field.

index=windows source="WinEventLog:Security" EventCode=4624 host IN (Server1, Server2) Logon_Type IN (10, 7) | eval Account_Name = mvindex(Account_Name,1) | timechart span=1d count by Account_Name | untable _time Account_Name count

Hi team, I am working with the Splunk Cloud "Classic" experience, and I installed one official app with different configurations. In my case, my focus is on props.conf in the "sourcetype" stanza, where this props.conf creates a field called "action". I need to change this field "action" without modifying the official app, so I created a new custom app with a new props.conf and a sourcetype stanza with the field "action" adding other characteristics. After that, Splunk Cloud continues applying the old configuration from the official app and does not take the new attributes. Note: I am using the default folder in each app to locate the props file because Splunk Cloud doesn't allow using the local folder. Does someone know how I can do that?

We just installed the forwarder on one of our VIOS systems to ensure we could get this working; however, each time we try to start it up we see the below in our splunkd.log:

02-09-2024 13:28:54.797 -0600 WARN ulimit [80544161 MainThread] - A system resource limit on this machine is below the minimum recommended value: system_resource = Data segment size (ulimit -d); current_limit = 134217728; recommended_minimum_value = 536870912. Change the operating system resource limits to meet the minimum recommended values for Splunk Enterprise.
02-09-2024 13:28:54.797 -0600 INFO ulimit [80544161 MainThread] - Limit: data file size: unlimited
02-09-2024 13:28:55.258 -0600 WARN Thread [86376799 HTTPDispatch] - HTTPDispatch: about to throw a ThreadException: pthread_create: Not enough space; 43 threads active. Trying to create batchreader0

We issued the ulimit -d command to update this to unlimited; however, we are still seeing the issue.

Hi, I am planning to migrate Splunk Cloud to an on-premises platform. Looking for a road map and potential challenges. Anyone?

Hi community, I'm using rex to get some strings. The log is like:

\"submission_id\":337901

The regex I'm using is:

\"submission_id\\\":(?<subID>\d+)

It works well on regex101: https://regex101.com/r/Usr7Ki/1 However, in Splunk, it doesn't find anything. The command is (I just added double quotes to wrap the regex):

rex "\"submission_id\\\":(?<subID>\d+)"

Any ideas and suggestions are appreciated!

Hello! I am trying to send syslogs to Splunk from network devices using UDP. I have one heavy forwarder and two indexers; does it matter which indexer I set up to listen for the data?

What is the most elegant way of searching for events where a field is not in a list of values? For example:

index=foo | iplocation foo_src_ip | search Country IN ("France", "United States")

works great. But what if I want all events where the IP was not from those countries (the inverse answer), like "Canada", "Mexico"? Thanks for any assistance. Bob

How can we integrate Atlassian tools like Jira with Splunk? What are the technical details that we need to have in order to connect Jira with Splunk?

Hi, I am very new to this environment and I was having trouble logging in, as I have forgotten the password and admin details. Is there any way I can reset it? Thanks