Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
I have the JSON below and I want a table of url and the corresponding duration.

{
  "details": {
    "sub-trans": [
      {
        "app-trans-id": "123",
        "sub-trans-id": "234",
        "startTime": "2024-01-18T12:37:12.482Z",
        "endTime": "2024-01-18T12:37:12.502Z",
        "duration": 20,
        "req": { "url": "http://abc123" }
      },
      {
        "app-trans-id": "123",
        "sub-trans-id": "567",
        "startTime": "2024-01-18T12:37:12.506Z",
        "endTime": "2024-01-18T12:37:12.550Z",
        "duration": 44,
        "req": { "url": "https://xyz567" }
      }
    ]
  }
}

I am using the Splunk query below, but the duration field is not populating in the table. Kindly help.

index=hello
| spath output=url details.sub-trans{}.req.url
| mvexpand url
| spath output=duration details.sub-trans{}.duration
| mvexpand duration
| table url,duration
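As an added illustration (not part of the post above), the following Python shows why two independent multivalue expansions cannot pair each url with its own duration: once url and duration are pulled out as separate lists, the link to the array element they came from is gone, and expanding both can only give every url with every duration. DOC is the poster's JSON, reconstructed here as valid JSON (the post had stray commas and a missing brace).

```python
"""Added example, not part of the original post: independent expansion of
url and duration versus expansion of the array elements themselves.

DOC is the poster's JSON, reconstructed as valid JSON.
"""
import itertools
import json

DOC = json.loads("""
{"details": {"sub-trans": [
  {"app-trans-id": "123", "sub-trans-id": "234",
   "startTime": "2024-01-18T12:37:12.482Z", "endTime": "2024-01-18T12:37:12.502Z",
   "duration": 20, "req": {"url": "http://abc123"}},
  {"app-trans-id": "123", "sub-trans-id": "567",
   "startTime": "2024-01-18T12:37:12.506Z", "endTime": "2024-01-18T12:37:12.550Z",
   "duration": 44, "req": {"url": "https://xyz567"}}
]}}
""")


def expand_independently(doc):
    """Mirror of the posted query's shape: pull every url and expand, then
    pull every duration and expand. The two lists no longer know which
    element they came from, so the only result left is the cross product:
    every url paired with every duration, N*N rows instead of N."""
    subs = doc["details"]["sub-trans"]
    urls = [s["req"]["url"] for s in subs]
    durations = [s["duration"] for s in subs]
    return list(itertools.product(urls, durations))


def expand_objects(doc):
    """Expand the array of objects first, then read url and duration from
    each element, so each row keeps the pairing the source had."""
    return [(s["req"]["url"], s["duration"]) for s in doc["details"]["sub-trans"]]


if __name__ == "__main__":
    print(expand_independently(DOC))   # 4 rows: every url with every duration
    print(expand_objects(DOC))         # 2 rows, one per sub-trans element
```

The per-element shape is what an SPL search needs too: extract the array element (details.sub-trans{}) into one field, mvexpand that field, and then run spath with input= on the expanded element for url and duration; that keeps both values on the same row.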
I have 2 fields from the same Splunk index: field1 has rows 1,2,3,4,5 and field2 has rows 10,12. I want a new field3 with the data from both field1 and field2. Please suggest.

field1  field2
1       10
2       12
3
4
5

field3
1
2
3
4
5
10
12
Hello, good day community, I have a problem and I hope you can help me. I need to configure an asset for the HTTP app so that it makes a GET request. When configuring it in the asset settings tab there is a field called base_url that is mandatory to fill in. The issue is that this base URL is dynamic: I will take it from the artifacts through a flow, and each URL is different. So far I have not been able to solve it; I hope for your help, thanks.
I want the base URL of the HTTP app asset to be dynamic and filled with the information that I take from the sources (artifact) through a flow. How would I replace the one that is inserted in the asset? By default, this is in the HTTP app with the get data method.
Hi All, I'm trying to calculate failureRate as a percentage between the NumberOfAuthErrors column and the TotalRequest column, but I do not get any values. I do have two columns of values. I would like to calculate the failureRate for each ROW.

[SEARCH]
| bin _time span=15m
| stats count as NumberOfAuthErrors by _time
| append [ SEARCH | bin _time span=15m | stats count as TotalRequest by _time ]
| stats values(NumberOfAuthErrors) AS NumberOfAuthErrors, values(TotalRequest) AS TotalRequest
| eval failureRate = round((NumberOfAuthErrors / TotalRequest) * 100,3)
| table TotalRequest NumberOfAuthErrors failureRate

Thanks
Hi, I am looking for a search to list all of the indexes in Splunk. I know how to get the full list, but I'm looking for a clear way to get a list of the ones being used and actively receiving data within the last 30 days. Thanks in advance!
Good Morning, I am running into an issue where my two newest Server 2022 endpoints have events that are showing up as non-XML, whereas all my other endpoints are outputting XML. I have renderXml=true in inputs.conf, and the inputs.conf files in Splunk_TA_windows are the same for each endpoint. I can't find the difference causing this. One thing I have learned through this is that I may prefer non-XML, so if these two endpoints are not respecting renderXml=true, how do I know all the others will respect the false value so I can match them all up? Is there something overriding this? I have not edited any \etc\system\default\inputs.conf files. They're all in local or an app. Thank you in advance! Edit: I am on Splunk Cloud. Scott
I have a chart formed like below, and its dynamic columns are created based on process dates. By default the column headers sort from lower to higher value, but I am looking for a format where the processDate headers go from higher to lower.

Query:
| chart latest(Count) as Count by Name, ProcessDate

Current output:
Name  20240101  20240102  20240103
xyz   NA        NA        NA
123   NA        NA        NA

Expected output:
Name  20240103  20240102  20240101
xyz   NA        NA        NA
123   NA        NA        NA
Is there a way to disable all email capabilities for a particular role in Splunk? The data in our deployment has to be strictly contained for compliance reasons, so email capability should be strictly limited to users with admin access. Is there a way to do this? I'm having a hard time finding this in the docs. 
I'm trying to set up the HTTP app to access the Cisco Secure Endpoint API (v3). I've generated the access token following the instructions found here. I can send a curl request in Postman, using the access token, to get organisation details, so I know the access token is ok:

curl -s 'https://api.amp.cisco.com/v3/organizations?size=10' \
  --header "Authorization: Bearer eyJhbGciOiJ....."

When I enter the same value in the access_token field in the HTTP app and test connectivity, I always receive the following error:

status code: error 401 Data from server: {"errors":["Missing token"]}

I'm not sure what to enter for the Type of Authentication Token, so maybe that's where I'm messing it up. I think it should be Bearer, because that's the only thing in the Postman header other than the token itself. Note that I haven't entered anything in any of the other authentication fields (username, password, url, Client ID, Client Secret). And also, I get the same error if I don't enter anything in the access token field. Basically, it's just ignored.
Hi all, I get the following error under index=_internal and the Jira ticket is not created.

WARN sendmodalert [28064 AlertNotifierWorker-0] - action=jira_service_desk_replay - Alert action script returned error code=4

Do you have any idea what the problem might be?
Hi Guys,

We are getting logs through syslog with the priority/facility data "<14>1" prepended to every event, as below:

<14>1 2024-01-18T13:45:06.621+0000 756565656565701b-cd27-475e-bab4-3e0e0893d273
<14>1 2024-01-18T13:39:47.014+0000 565gt5t54t-cd27-475e-bab4-565656565gh

We are trying to remove this prefix text "<14>1" using SEDCMD in props.conf, as below:

[source::tcp:7514]
SEDCMD-strip-tcp-priority=s/^<\d+>//

This comes very close by removing "<14>", but "1" is still coming up in the events. Can someone please help us remove this prefix "<14>1" on every event using SEDCMD?

Regards.
Hello, I've been researching this online for over a day and nothing seems to be working for me. I have 2 EVAL IF statements that simply look at the network.connectType field.

| eval MOBILE=if(network.connectType="MOBILE","1","0")
| eval WIFI=if(network.connectType="WIFI","1","0")

I need to create a table that would show the count of MOBILE, WIFI, TOTAL, by Branch, i.e.

Branch | Total | WIFI | MOBILE

I'm able to create the table, but the two evals always show the same counts as the Total count. I can't figure out what I am doing wrong. The search I am using is the following:

index=main "details.package"="com.siteone.mobilepro", "details.tag"="Connectivity Service", event=NoConnectivityEvent, "details.message.additionalInfo.NetworkAccessStatus"="None"
| fields network.connectType, event, userSettings.site
| eval MOBILE=if(network.connectType="MOBILE","1","0")
| eval WIFI=if(network.connectType="WIFI","1","0")
| stats values("userSettings.site") as Branch, count(event) as "Total Disconnects", count(MOBILE) as "Cellular Disconnects", count(WIFI) as "Wifi Disconnects" by "userSettings.site"
| table Branch, "Total Disconnects", "Wifi Disconnects", "Cellular Disconnects"

Any help on this would be awesome and much appreciated. Thanks
Hi Splunkers, I have a doubt about a setting for Splunk Enterprise Security. As usual when I put a question here, let me share a minimum of context and assumptions.

Environment:
- A completely on-prem Splunk Enterprise (no Splunk Cloud SaaS).
- Currently, only one SH.
- Clustered indexers.

Task: Install and configure a SH with Splunk Enterprise Security.

Assumptions:
- I know the full installation procedure (doc + Splunk Enterprise Admin course).
- I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as a SH I can use, from the CLI:
  splunk edit cluster-config -mode searchhead -manager_uri https://<manager node address> -secret <cluster secret>

Questions:
1. Is this syntax still valid to add a SH with ES installed on it? The doubt is whether the presence of ES should lead me to use a different approach to tell "Hey, SH with ES: the indexers to query are these".
2. Should the SH with the ES component be added as a single SH (so, decoupled from the already existing SH), or should I create a SH Cluster with the normal SH + the ES SH?
The <14> prefix is displayed in Splunk logs. What does it mean, and why is it displayed? Can anyone answer this question please?
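The "<14>" and "<14>1" prefixes asked about in the SEDCMD post and in the question just above are the same thing: the header that RFC 5424 syslog puts in front of every message. PRI = facility * 8 + severity, so "<14>" is facility 1 (user-level messages) at severity 6 (informational), and the "1" after it is the protocol VERSION field, which is why a regex that stops at ">" leaves it behind. The Python below is an added example (not code from either post) that decodes the PRI and strips the whole header; the sample lines are constructed from the values in the SEDCMD post, and the SEDCMD pattern quoted in the docstring is an assumption derived from the same regex, not a line taken from the post.

```python
"""Added example, not code from either post: decode and strip the
"<PRI>VERSION " header that RFC 5424 syslog prepends to each message.
Sample lines are constructed from the SEDCMD post.
"""
import re

# Facility codes 0..23 as numbered in RFC 5424 section 6.2.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0..7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: "<" PRIVAL ">" VERSION SP ...   (PRIVAL 0..191, VERSION 1..3 digits)
# RFC 3164 (BSD syslog) has no VERSION: "<" PRI ">" runs straight into the timestamp,
# so the version group is optional and is only taken when digits + space follow.
_HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?:(?P<version>\d{1,3}) )?")


def decode_pri(pri: int):
    """Return (facility_name, severity_name) for a PRI value."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def strip_header(line: str):
    """Split one syslog line into (facility, severity, version, body).

    version is None for RFC 3164 lines; returns None if there is no PRI at all.
    The SEDCMD equivalent of this regex, which also drops the version digit(s)
    and the space after them, would be   s/^<\\d+>\\d+\\s//   (assumed from
    the regex here, not a line taken from the post).
    """
    m = _HEADER_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    version = int(m.group("version")) if m.group("version") else None
    return facility, severity, version, line[m.end():]


SAMPLE_LINES = [  # constructed from the post; host IDs are the poster's placeholders
    "<14>1 2024-01-18T13:45:06.621+0000 756565656565701b-cd27-475e-bab4-3e0e0893d273",
    "<14>1 2024-01-18T13:39:47.014+0000 565gt5t54t-cd27-475e-bab4-565656565gh",
    "<34>Jan 18 13:45:06 host su: 'su root' failed",  # RFC 3164 style: auth.crit
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(strip_header(line))
```

Stripping the header before indexing throws the facility and severity away; if those are wanted for detection (an auth.crit line is worth more than user.info), extract them into fields first and strip afterwards.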
Hi team,  I've completed all the configurations according to the steps provided in the following link for integrating Jamf Protect and Splunk: https://learn.jamf.com/bundle/jamf-protect-documentation/page/Splunk_Integration.html Under the "Testing the Event Collector Token" section, when I execute the command as instructed in "Using the values obtained in step 1," I can see the log I sent from my local machine on the Splunk search head. However, logs from other clients, especially JamfPro logs, are not visible. I can confirm that the logs are being captured by using tcpdump on the heavy forwarder, but they are not appearing in search results. What could be the reason for this? Additionally, where can I check error logs from the CLI to investigate this further? Thanks
Hello, we have PROD and DEV instances that are both running Mission Control with the following versions:

PROD - ES v7.1.1, Mission Control v3.0.2
DEV - ES v7.3.0, Mission Control v3.0.2

PROD works fine and incidents tally between ES and MC. Unfortunately for DEV, some of the notables from ES are not flowing into MC. Is this an issue with the latest version of ES? I've looked into the latest release notes of both ES and MC, and it's not listed on the "Known Issues" page. I can't find anything helpful in the internal logs either. Any insights will be highly appreciated. Thank you!
Hello, is it possible to analyse the utilisation of Enterprise Security? I assume it is currently not used in our company, but I would like to be able to prove this with statistics. Thanks, Pad
We are due to go live on the following Monday and we want to erase all of our test Mission Control incidents so we have a clean slate. How is this possible?
"CEF:0|Bitdefender|GravityZone|6.35.1-1|35|Product Modules Status|5|BitdefenderGZModule=modules dvchost=xxx      BitdefenderGZComputerFQDN=xxxxx dvc=x.x.x.x deviceExternalId=xxxxx BitdefenderGZIsCont... See more...
"CEF:0|Bitdefender|GravityZone|6.35.1-1|35|Product Modules Status|5|BitdefenderGZModule=modules dvchost=xxx      BitdefenderGZComputerFQDN=xxxxx dvc=x.x.x.x deviceExternalId=xxxxx BitdefenderGZIsContainerHost=0 BitdefenderGZMalwareModuleStatus=enabled BitdefenderGZBehavioralScanAVCModuleStatus=enabled BitdefenderGZDataLossPreventionModuleStatus=disabled"   The logs are from Bitdefender and they show a time diff of +15 hrs. and there is no timestamp in logs no other source types from same HF show the behavior only bit-defender logs. All the help is appreciated to correct the time.