All Topics

Hi, I have HTML tags like <p> <br> <a href="www.google/com target=_blank"> & so on in my raw data. I want to capture everything except these HTML tags. Please help me with a regex. Sample raw data:

A flaw in the way Internet Explorer handles a specific HTTP request could allow arbitrary code to execute in the context of the logged-on user, should the <UL> <LI> The first vulnerability occurs because Internet Explorer does not correctly determine an obr in a pop-up window.</LI> <LI> The t type that is returned from a Web server during XML data binding.</LI> </UL> <P> &quot;Location: URL:ms-its:C:WINDOWSHelpiexplore.::/itsrt.htm&quot; <P> :<P><A HREF='http://blogs.msdn.com/embres/archive/20/81.aspx' TARGET='_blank'>October Security Updates are (finally) available!</A><BR>
Hello, I'm installing the .NET Agent in a Windows 10 VM. When I run the \dotNetAgentSetup64-23.12.0.10912\Installer.bat file, I get the following error: I can't find the missing key. I execute the install batch with the option "Run as Administrator". Any ideas? Help? Thank you. Here are the install logs:

Action ended 11:15:47: SetCoordinatorServiceUserNTAuthoritySystem. Return value 1.
Action start 11:15:47: AppSearch.
MSI (s) (3C:6C) [11:15:47:838]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (s) (3C:6C) [11:15:47:839]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (s) (3C:6C) [11:15:47:839]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\AppDynamics\dotNet Agent 3: 2
MSI (s) (3C:6C) [11:15:47:839]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (s) (3C:6C) [11:15:47:839]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\AppDynamics\dotNet Agent 3: 2
MSI (s) (3C:6C) [11:15:47:839]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (s) (3C:6C) [11:15:47:840]: PROPERTY CHANGE: Adding WIXNETFX4RELEASEINSTALLED property. Its value is '#528372'.
MSI (s) (3C:6C) [11:15:47:840]: Doing action: SetWIX_IS_NETFRAMEWORK_462_OR_LATER_INSTALLED
Action ended 11:15:47: AppSearch. Return value 1.
MSI (s) (3C:6C) [11:15:47:840]: PROPERTY CHANGE: Adding WIX_IS_NETFRAMEWORK_462_OR_LATER_INSTALLED property. Its value is '1'.
Action start 11:15:47: SetWIX_IS_NETFRAMEWORK_462_OR_LATER_INSTALLED.
MSI (s) (3C:6C) [11:15:47:841]: Doing action: LaunchConditions
Action ended 11:15:47: SetWIX_IS_NETFRAMEWORK_462_OR_LATER_INSTALLED. Return value 1.
Action start 11:15:47: LaunchConditions.
MSI (s) (3C:6C) [11:15:47:842]: Product: AppDynamics .NET Agent -- AppDynamics .NET Agent installer requires administrative privileges.
Action ended 11:15:47: LaunchConditions. Return value 3.
Action ended 11:15:47: INSTALL. Return value 3.
MSI (s) (3C:6C) [11:15:47:844]: Note: 1: 1708
MSI (s) (3C:6C) [11:15:47:844]: Product: AppDynamics .NET Agent -- Installation failed.
MSI (s) (3C:6C) [11:15:47:845]: Windows Installer installed the product. Product Name: AppDynamics .NET Agent. Product Version: 23.12.0. Product Language: 1033. Manufacturer: AppDynamics. Installation success or error status: 1603.
MSI (s) (3C:6C) [11:15:47:848]: Deferring clean up of packages/files, if any exist
MSI (s) (3C:6C) [11:15:47:848]: MainEngineThread is returning 1603
MSI (s) (3C:A8) [11:15:47:848]: No System Restore sequence number for this installation.
=== Logging stopped: 1/24/2024 11:15:47 ===
MSI (s) (3C:A8) [11:15:47:849]: User policy value 'DisableRollback' is 0
MSI (s) (3C:A8) [11:15:47:849]: Machine policy value 'DisableRollback' is 0
MSI (s) (3C:A8) [11:15:47:849]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (3C:A8) [11:15:47:849]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (3C:A8) [11:15:47:850]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (3C:A8) [11:15:47:850]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (D4:24) [11:15:47:851]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (D4:24) [11:15:47:852]: MainEngineThread is returning 1603
=== Verbose logging stopped: 1/24/2024 11:15:47 ===
Is Cisco FMC compatible with Splunk Enterprise 8.2.7? Do you have a compatibility matri
Hi, I have a situation where I need to install the management tier on 2 sites (DC and DR) on a VPC server. The problem is, I don't have the permission to capture the vMotion from 1 site to another. The reason I need to install the management tier on both sites is that I want to upgrade the OS, currently RHEL 7.9 (EOS soon), to RHEL 8.9, and the compan And, if I just install both sites, how do I sync the data from 1 management tier to the other? Do I need to copy the data every day or just once? Need help, would be appreciated.
Hi all, today I successfully updated Splunk Enterprise to 9.1.3 (from 9.1.2) on a Windows 10 22H2 Pro machine with the newest Windows updates (January 2024). Then I wanted to update the Universal Forwarder on this machine, too. Currently, 9.1.2 is running and everything is working fine. But updating to 9.1.3 doesn't work. Near the end of the installation process, the installation is rolled back to 9.1.2. Before the rollback, some more windows come up for a very short time. And then there is more than one message window saying that the installation failed. You then have to click OK in every message window to finish the rollback successfully. I don't see why the update is failing. Does anyone have the same issue? And how did you solve it? Thank you.
Hi All, just wanted to get your feedback on the below issue we have right now with our new Splunk Cloud instance. Unlike in the Enterprise version, where you can assign the index to an app, we don't see the same option available in the Splunk Cloud version. Does anyone know how apps know which index to search without defining it? When you create new indexes, the app column shows as 000-self-service and not the app we want. Thank you
I have a file that's updated every 5 minutes; it's populated by capturing a value from a URL using Python code (the value is "OK" or "bad"). I want to use the new file (created every 5 minutes) in a Splunk classic dashboard. I'm using Splunk Cloud Enterprise, and I'm not sure how to go about automating this process. Is there a way to update/replace a file in the lookup table files? Or some other way I can go about adding the new file after every refresh of the dashboard?
I terminated an AWS instance that also happens to be my cluster manager, so now when I create another cluster manager I get an error message saying that my license is already in use when I add the same license to my nodes. Please, how can I solve this issue? Thank you.

Error [00020000] Instance name "indexer02" License key 5C52DA5145AD67B8188604C49962D12F2C3B2CF1B82A6878E46F68CA2812807B used by peer is already in use by another peer in the deployment. Last Connect Time:2024-01-23T19:23:35.000+00:00; Failed 6 out of 6 times.
My search is as follows:

sourcetype = linux_audits (type=system_shutdown) OR (type=system_reboot) | table ...

I would like to have a table display the following:
1. host
2. time (of when system_shutdown happened)
3. time (of when system_reboot happened)
4. duration (how long the system has been down for)

How do I do that?
Hoping this is something simple with lookahead/lookback that I'm missing... trying to extract multi-line fields from ANSI 835 files indexed in chunks by line count, so 10K-line events (unfortunately, I have no control over the sourcetype / event breaking for these). My rex is matching the pattern, but after the first match it skips the second and matches the third. Then it skips the fourth and matches the fifth, etc. The capture groups start and end with the same pattern (CLP*), and there can be all kinds of variations in the number of lines, type of lines (starting characters), number of * delimited fields (with or without values) in each line, and multiple types of special characters. The constants are the tilde ~ line breaks, and that I need everything between each CLP* occurrence. In the example 835 below, I would need to have three multi-line fields extracted starting with (1) 77777777*, then (2) 77777778*, and (3) 77777779*, but my rex is only getting (1) and (3). Also, I know there are some redundancies (m and n+, etc.); it doesn't appear they're impacting the results... though happy to eat that sandwich if I'm wrong. Any help with this would be much appreciated! Cheers!

| rex max_match=0 "(?msi)CLP\*(?P<clmevent>.*?)\n+\CLP\*"

Example 835:

N4*Carson*NV*89701~
PER*BL*Nevada Medicaid*TE*8776383472*EM*nvmmis.edisupport@dxc.com~
N1*PE*SUMMER*XX*6666666666~
REF*TJ*111111111~
CLP*77777777*4*72232*0**MC*6666666666666~
CAS*OA*147*50016*0~
CAS*CO*26*22216*0~
NM1*QC*1*TOM*SMITH****MR*77777777777~
NM1*74*1*ALAN*PARKER****C*88888888888~
NM1*PR*2*PACIFI*****PI* 9999~
NM1*GB*1*BARRY*CARRY****MI*666666666~
REF*EA*8888888~
DTM*232*20180314~
DTM*233*20180317~
SE*22*0001~
ST*835*0002~
BPR*H*0*C*NON************20180615~
TRN*1*100004765*5555555555~
DTM*405*20180613~
N1*PR*DIVISON OF HEALTH CARE FINANCING AND POLICY~
N3*1100 East William Street Suite 101~
N4*Carson*NV*89701~
PER*BL*Nevada Medicaid*TE*8776383472*EM*nvmmis.edisupport@dxc.com~
N1*PE*VALLEY*XX*6666666666~
REF*TJ*530824679~
LX*1~
CLP*77777778*2*3002*0**MC*6666666666667~
CAS*OA*176*3002*0~
NM1*QC*1*BOB*THOMAS****MR*55555555555~
NM1*74*1*ALAN*JACKSON****C*66666666666~
REF*EA*8888888~
DTM*232*20171001~
DTM*233*20171002~
CLP*77777779*4*41231.04*0**MC*6666666666668~
CAS*OA*147*9365.04*0~
CAS*CO*26*31866*0~
NM1*QC*1*HELD*ALLEN****MR*77777777778~
NM1*74*1*RYAN*LARRY****C*88888888889~
NM1*PR*2*SENIOR*****PI* 8888~
I have a field "Labels" with multiple values in the single field. I need to see only the OS value, red hat(linux) or windows 2019. I tried eval in SPL but as a result I got either the first value or an empty cell. Thank you. Please see the eval statement and sample data below.

| eval Labels= split (Labels, " ")

Sample data before eval:

development red hat(linux) main_ucmdb or contingency production red hat(linux) main_ucmdb or  production windows 2019 wintel server microsoft windows server 2019 standard main_ucmdb
We are using 'Splunk App for Lookup File Editing' version 4.0.1. There are two issues that bother me. First is the continuous popup about 'Save Backup'. I need a way of turning this off, since most of the time my edits are of ad hoc lookups and I don't want a backup. Second is the "can't save" error message I get in Firefox. I have to quit Firefox, restart, and then I can save. After a number of ad hoc lookups I get the error message again. Any workarounds beyond restarting the browser?
Hi, could anyone please help me with adding a navigation menu to the dashboard like in the pic shown below, e.g. Event Search. Thanks in advance
Hi Everyone, I want to create a new use case to detect suspicious activity on insecure ports from remote to local and local to remote. I didn't understand how to write the query with the source IP/destination IP as remote. Is there any way to define a "context" like Remote and Local? I want to define that for the L2R rule the destination IP should be remote and for R2L the source IP should be remote. I have tried the reverse condition but it didn't work properly. Example: for L2R I have specified all the local IP network segments as excluded (Source IP != 10.0.0.0/8) and for R2L vice versa (Destination IP != 10.0.0.0/8). Can anyone help me with this please?
I am using the Sideview App, trying to monitor usage by users. There is a Pain field in the User Activity report. Does anyone know what this Pain field is trying to show?
Hi, on the UF I placed the inputs, outputs, props and transforms configuration files in etc/apps/remo/local, and when I search the data on the indexer+SearchHead servers, events are received successfully.

[monitor://E:\KS Application GBR (GR)\sbxLogs\]
index = ks_dev
sourcetype = ks_logs
crcSalt = <SOURCE>

[tcpout:bprserver]
server = 1.2.3.4:9997
useACK = true

[ks_logs]
TRANSFORMS--null = EXCLUDE_INFO_WARN_events

[EXCLUDE_INFO_WARN_events]
REGEX = ^[\d|-]*\s[\d|:|,]*\s(INFO|WARN).*$
DEST_KEY = queue
FORMAT = nullQueue

The same configuration was put on the deployment server in etc\deploymentapps\ksapp\local:

[monitor://E:\KS Application GBR (GR)\sbxLogs\]
index = ks_dev
sourcetype = ks_logs
crcSalt = <SOURCE>

[tcpout:bprserver]
server = 1.2 3.4:9997
useACK = true

[ks_logs]
TRANSFORMS--null = EXCLUDE_INFO_WARN_events

[EXCLUDE_INFO_WARN_events]
REGEX = ^[\d|-]*\s[\d|:|,]*\s(INFO|WARN).*$
DEST_KEY = queue
FORMAT = nullQueue

Events are being received on the SH+indexer server. Note: in my account there is no Heavy Forwarder instance. Please help with how to do the configuration on the deployment server.
Hi, can someone please let me know how to convert the time from the format hh:mm:ss.6Q to hh:mm:ss?
Hello, I have a simple requirement but I'm new to Splunk, so I'm facing some challenges and hoping for some luck! My application writes HEARTBEAT messages every 2 min to log files at multiple sources. I'm just trying to create an alert and send an email if heartbeat messages haven't been written in the last 5 min. It may look simple, but I also need to know which sources don't have heartbeat messages. I've tried the below query, which works but sometimes gives me incorrect results. So, looking for a better and simpler solution.

index = index1 earliest=-5m latest=now source IN (dev-*api.log) ("testapi" AND "HEARTBEAT")
| fields source
| append [ search index = index1 earliest=-2w@w0 latest=now source IN (dev-*api.log) ("testapi" AND "HEARTBEAT") | stats dc(source) as source_list by source | fields source ]
| rex field=_raw "HEARTBEAT for (?<APIName>.*).jar (?<Version>.*)"
| stats count as #heartbeats, latest(Version) as Versions by APIName, JVM
| eval Status=case(('#heartbeats' <= 1 OR isnull('#heartbeats')), "NOT RUNNING", '#heartbeats' > 1, "RUNNING")
| table APIName, Versions, Status

Appreciate the help! Thanks.
Hi, can someone please let me know how I can find the difference between the 2 fields Start-Time and End-Time in the below search. The format of the time extracted by the query is:

Start-Time = 2024-01-23T11:38:59.0000000Z
End-Time = 2024-01-23T11:39:03.0000000Z

Query:

`macro_events_prod_srt_shareholders_esa` eocEnv = PRO * "MICROSOFT.DATAFACTORY" activityName = Merge_Disclosure_Request 741b5db8-da47-468b-b883-a06ef137519a
| eval Dreqid=case('category'="PipelineRuns",'properties.Parameters.DisclosureRequestId','category'="ActivityRuns",'properties.Input.storedProcedureParameters.DisclosureRequestId.value',1=1,"")
| eval end_time=case('end'="1601-01-01T00:00:00.0000000Z", "Still-Running",1=1,'end')
| table eocEnv , start , end_time , pipelineName , activityName, pipelineRunId,level , status , category , Type , Dreqid, properties.Error.errorCode , properties.Error.message
| rename Dreqid as "Disclosure request id" , eocEnv as "Environment" , EOC_ResourceGroup as " Resource_Group" , activityName as "Activity Name" , pipelineName as "Pipeline Name" , operationName as "Operation Name" , pipelineRunId as "Run_Id" , level as "Level" , status as "STATUS" , category as "Category" , start as "Start-Time" , end_time as "End-Time" , properties.Error.errorCode as "Error-Code" , properties.Error.message as "Error-Message"
| sort -"Start-Time"
Hello everyone. Is it possible to configure a BT to capture snapshots from just a single tier? For example: I want my BT called instance/instance{id} to capture transaction snapshots from a single tier called portal-api. Can I exclude the other ones? Or can I select specific tiers for the BT? Thank you!