All Topics

Hi all, I am new to Splunk. When I start Splunk, it does not show information regarding the web interface being available to access. Normally at the end there is a message saying that the web interface is available at 127.0.0.0:8000. It just disappeared, because I was able to see it earlier. I don't know if I misconfigured something. Appreciate the help.
The nature of Splunk is for data aggregation and standardization from digests. Could it be possible to utilize it to preprocess data for a large language model?
Hi there, I have configured the Dynatrace add-on with proxy setup enabled (because of a firewall issue). If I run the Dynatrace URL using the API token through Postman, I am getting data for all the endpoints. But in Splunk we are getting connectionpool.py and modinput.py errors for the Dynatrace API Version 2 input.

DEBUG pid=xxxxx tid=MainThread file=connectionpool.py:_new_conn:1018
DEBUG pid=xxxxx tid=MainThread file=base_modinput.py:log_debug:298

Please guide me to fix this issue, thank you.
We need to extract the value behind "<Computer>". I have underlined it to make it easier. It would also be beneficial to have these broken out into single lines. Any help is greatly appreciated!

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData><RenderingInfo Culture='en-US'><Message>Creating RunspacePool object 
Here is my sample data:

start=Dec 30 2023 06:07:47 duser=NT AUTHORITY\SYSTEM dvc=10.163.142.37

I need to extract the full duser information. Splunk only grabs NT and not the remainder of the string. I have the following regex via regex101 that works. I am grabbing whatever is between 'duser=' and ' dvc':

(?<=duser=)(.*?)(?= dvc)

I just don't quite understand how the field extraction part is supposed to work. I have tried:

| rex field=_raw "'(?<User>(?<=duser=)(.*?)(?= dvc))'"

and

| rex field=_raw "duser=\s+(?<User>[^\\]*)"

No errors, just not getting any data in a User field. Thanks in advance.
We are in the midst of a virtualization project, and we are looking for a way to sanity check all the different components. I know that the MC does some of it, but I’m not sure if it covers all aspects. I’m thinking about scripted input, and a dedicated dashboard to monitor and verify all the settings. Do you have any other suggestions, by any chance?
My current search is:

| tstats count AS event_count WHERE index=* BY host, _time span=1h | append [ | inputlookup Domain_Computers | fields cn, operatingSystem, operatingSystemVersion | eval host = coalesce(host, cn)] | fillnull value="0" total_events | stats sparkline(sum(event_count)) AS event_count_sparkline sum(event_count) AS total_events BY host

How do I get operatingSystem to display in my table? When I add it to the end of my search (BY host, operatingSystem) my stats break in the table.
I get "Error: CLIENT_PLUGIN_AUTH is required" when trying to set up a collector to connect to 3 older MySQL db systems.

AppDynamics Controller build 23.9.2-1074
mysql Ver 14.14 Distrib 5.1.73
RHEL 6.1

Is there a way in the collector to change the MySQL JDBC driver to a lower version?
Hello, how do I pass data/token from a report to another report? Thank you for your help.

I am trying to run a weekly report that produces the top 4 students (out of 100). Then, once I find out the top 4 students, I will run another report that provides detailed information about grades for those 4 students. For example:

Report 1
StudentID  Name      GPA  Percentile  Email
101        Student1  4    100%        Student1@email.com
102        Student2  3    90%         Student2@email.com
103        Student3  2    70%         Student3@email.com
104        Student4  1    40%         Student4@email.com

Report 2
StudentID  Course   Grade
101        Math     100
101        English  95
102        Math     90
102        English  90
Hi all, Very new to Splunk so apologies if this is a very basic question. I've looked around and haven't found a conclusive answer so far. I'm building an app that will require an API token from a 3rd party system during the setup step. What I don't understand is how I can store that API token via a call to storage/passwords without also requiring the user to enter their Splunk credentials or a Splunk API token. Would really appreciate if someone could point out how I can do this! Ideally, I'm looking to use the JS SDK, so I'd need some way to create an instance of the Service object without needing admin user credentials being manually entered.  Thanks in advance!
Hello, we've encountered a problem with the TA-crowdstrike-falcon-event-streams TA, which was functional in the past.

Splunk Enterprise on-prem: VERSION=9.1.2 BUILD=b6b9c8185839 PRODUCT=splunk PLATFORM=Linux-x86_64

When opening the UI to configure the CrowdStrike auth we'll end up with Err 500. Same for the other views. I've tried to reinstall it, but it didn't change anything. Splunkd logs the following:

01-26-2024 16:13:29.817 +0100 ERROR AdminManagerExternal [3102377 TcpChannelThread] - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File "/opt/splunk/lib/python3.7/site-packages/urllib3/connectionpool.py", line 706, in urlopen\n chunked=chunked,\n File "/opt/splunk/lib/python3.7/site-packages/urllib3/connectionpool.py", line 382, in _make_request\n self._validate_conn(conn)\n File "/opt/splunk/lib/python3.7/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn\n conn.connect()\n File "/opt/splunk/lib/python3.7/site-packages/urllib3/connection.py", line 421, in connect\n tls_in_tls=tls_in_tls,\n File "/opt/splunk/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 453, in ssl_wrap_socket\n ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)\n File "/opt/splunk/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 495, in _ssl_wrap_socket_impl\n return ssl_context.wrap_socket(sock)\n File "/opt/splunk/lib/python3.7/ssl.py", line 428, in wrap_socket\n session=session\n File "/opt/splunk/lib/python3.7/ssl.py", line 878, in _create\n self.do_handshake()\n File "/opt/splunk/lib/python3.7/ssl.py", line 1147, in do_handshake\n self._sslobj.do_handshake()\nssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1106)\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File 
"/opt/splunk/lib/python3.7/site-packages/requests/adapters.py", line 449, in send\n timeout=timeout\n File "/opt/splunk/lib/python3.7/site-packages/urllib3/connectionpool.py", line 756, in urlopen\n method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]\n File "/opt/splunk/lib/python3.7/site-packages/urllib3/util/retry.py", line 574, in increment\n raise MaxRetryError(_pool, url, error or ResponseError(cause))\nurllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=8089): Max retries exceeded with url: /servicesNS/nobody/TA-crowdstrike-falcon-event-streams/configs/conf-ta_crowdstrike_falcon_event_streams_settings/_reload (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1106)')))\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunktaucclib/rest_handler/handler.py", line 124, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunktaucclib/rest_handler/handler.py", line 162, in get\n self.reload()\n File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunktaucclib/rest_handler/handler.py", line 259, in reload\n action="_reload",\n File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 320, in wrapper\n return request_fun(self, *args, **kwargs)\n File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 79, in new_f\n val = f(*args, **kwargs)\n File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 727, in get\n response = self.http.get(path, all_headers, **query)\n File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 1254, in get\n return self.request(url, { 'method': "GET", 'headers': headers 
})\n File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 1316, in request\n response = self.handler(url, message, **kwargs)\n File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/solnlib/splunk_rest_client.py", line 147, in request\n **kwargs,\n File "/opt/splunk/lib/python3.7/site-packages/requests/api.py", line 61, in request\n return session.request(method=method, url=url, **kwargs)\n File "/opt/splunk/lib/python3.7/site-packages/requests/sessions.py", line 542, in request\n resp = self.send(prep, **send_kwargs)\n File "/opt/splunk/lib/python3.7/site-packages/requests/sessions.py", line 655, in send\n r = adapter.send(request, **kwargs)\n File "/opt/splunk/lib/python3.7/site-packages/requests/adapters.py", line 514, in send\n raise SSLError(e, request=request)\nrequests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=8089): Max retries exceeded with url: /servicesNS/nobody/TA-crowdstrike-falcon-event-streams/configs/conf-ta_crowdstrike_falcon_event_streams_settings/_reload (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1106)')))\n". See splunkd.log/python.log for more details.

inputs.conf

[splunktcp-ssl:8089]
disabled = 0
requireClientCert = false
sslVersions = *
[...]
[SSL]
serverCert = <path>
requireClientCert = true
allowSslRenegotiation = true
sslCommonNameToCheck = <others> 127.0.0.1,SplunkServerDefaultCert

server.conf

[sslConfig]
enableSplunkdSSL = true
sslVersions = tls1.2
serverCert = /opt/splunk/etc/auth/<path>.pem
sslRootCAPath = /opt/splunk/etc/auth/<path>.pem
requireClientCert = true
sslVerifyServerName = true
sslVerifyServerCert = true
sslCommonNameToCheck = <FQDNs>
cliVerifyServerName = false
sslPassword = <pw>

We're looking forward to your help! Thank you!
I have a couple of scheduled reports that I SCP off of our Splunk Enterprise. Both reports are in /opt/splunk/etc/apps/search/lookups. One of the reports I set up a while ago, its permissions look right and I can SCP it (file1.csv). The new report gives me a permission denied when I try to copy it (file2.csv).

-rw-r-----. 1 splunk splunk 306519 Jan 26 05:00 file1.csv
-rw-------. 1 splunk splunk 1177070 Jan 26 03:00 file2.csv

Not sure how to get file2.csv group readable so I can copy it off.
Hello everyone, I'm currently trying to optimize Splunk with disk space and indexes. I read about:

- Changing the parameter "Pause indexing if free disk space (in MB) falls below"
- Never modify the indexes.conf parameters
- And some other posts of the community

But I'm not quite sure about the solution for my problems: the coldToFrozenDir/Script parameters are empty.

Kind regards, Tybe
Hello everybody. I'm starting this question because I'm trying to generate detections for Google Workspace invaders like that post about 365: https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-blue-team-s-guide-to-initial-access-vectors.html. But I cannot find Google Workspace login logs in the actual ingest. We installed the add-on and the newest apps available in Splunkbase and could not find it. Surfing Splunk Web, we couldn't find equivalent searches to those in the attached link. Has somebody had the same problem? How can I solve it?
Hi Splunkers, I have a problem with timestamps on our platform. Here are some assumptions and acquired knowledge.

Knowledge:
_time = the event time (the time which is present in the event; in other words, the time when the event was generated).
_indextime = the index time or, if you prefer, the time when the events have been indexed.
Issues with the timezone shown can be related to user settings, which can be changed under username -> Preferences -> Timezone.

Environment: a Splunk Cloud SaaS platform with logs ingested in different ways:
- Forwarder (both UF and HF)
- API
- Syslog
- File monitoring

Issue: if I expand the event and examine the _time field, why, in my case, are the event time and the time shown different?

Important additional info:
Our user settings timezone is set to GMT+1 (because we are in Italy) for all users.
You see a Windows event as a sample, but the problem is present on all logs: it doesn't matter what log source I consider and how it is sending events to Splunk. Every log shows a time difference.
The difference between _time and the time shown is always 1 hour, for every event on every log source.

I searched here on the community and I found other topics about this issue, some of them have been very useful to gain basic knowledge, like Difference Between Event Time and _time, but, because we are on cloud (with limited chance to set some files and parameters that are involved) and the issue is for all events, I'm still stuck on this problem.
Hi Team, we are trying to onboard AWS CloudWatch metrics and events data to Splunk, and we decided to go with the Splunk Add-on for AWS pull mechanism. I am trying to configure a custom namespace and metrics created in AWS to Splunk, but I am unable to see the metrics there. I edited the default AWS namespaces and added my custom namespace. Is this the right method to add my custom metrics? Can someone guide here?
Hi, I have a dashboard with 91 panels in different rows. The first panel is a panel created for the sole purpose of doing a base search. The search is simple: index=myIndex. The other 90 panels all do subsearches on this main search. This is to prevent CPU spikes. The problem that I'm facing right now is that the first panel is showing in the dashboard but it serves no purpose being shown. My question: how do I hide (not remove) this panel visually?
Hi, so my task is to extract a field from a query and search for that field. That query will give an object value as a string and I want to extract data from there. In summary, I need 3 things:

1. A plain query to get the data and extract a particular field.
2. Use that field as an input for the second query.
3. Get object data as a string as a result, extract fields from there, and generate a report from it in tabular format.

I was able to get through the first step and extract the field from it, but I am unable to search for it. Below is the query I tried:

sourcetype="mykube.source" "failed request"  | rex "failed request:(?<request_id>[\w-]+)" | table request_id | head 1 | eval req_query = request_id | search req_query

If I try up to `head 1` I get the first request_id, but after that the result is empty for me.
I'm trying to install a few apps in Splunk.    The dialogue says, "Enter your Splunk.com username and password to download the app."   I use the username/password combination I'm using for splunk.com and I continually get back an error message "Incorrect username or password".