I am wondering why the two following requests, when applied to exactly the same time range, return a different value:

index=<my_index> logid=0000000013 | stats count

index=<my_index> logid=13 | stats count

The first one returns many more results than the second. (The type indicated by Splunk for this field is "number", not "string".)
I have been struggling to create a dynamic dropdown in Splunk Dashboard Studio. I have watched several videos, but I think they mostly talk about Classic Dashboards. I have also read the documentation, but it has been of no help.

My sample problem is:

A: B, C, D
W: X, Y, Z

I want to create two dropdowns.

Dropdown 1: A, W
Dropdown 2: If "A", then "B", "C", "D" options. If "B", then "X", "Y", "Z" options.

I am unable to figure out how to do this. Any help will be much appreciated. Thank you all.
Hi, could anyone please figure out from the below logs how to achieve the use case: when we launch the RDP proxy from Secret Server, we are seeing some drops in the connection, e.g. look for error and handshake in the logs.

Sample event for client:

2024-01-12 05:03:37,391 [CID:] [C:] [TID:197] ERROR Thycotic.RDPProxy.CLI.Session.ProxyConnection - Error encountered in RDP handshake for client 192.168.1.1 - (null) System.Exception: Assertion violated: stream.ReadByteInto(bufferStream) == 0x03 at Thycotic.RDPProxy.ContractSlim.Assert(Boolean condition, String conditionStr, String actualStr) at Thycotic.RDPProxy.Readers.ConnectionRequestProvider.ReadConnectionRequest(Stream stream, AuthenticationState clientState) at Thycotic.RDPProxy.CLI.Session.ProxyConnection.<DoHandshakeAndForward>d__20.MoveNext()

Sample event for user:

2024-01-12 05:02:11,920 [CID:] [C:] [TID:266] ERROR Thycotic.DE.Feature.SS.RdpProxy.EngineRdpProxySessionService - An error was encountered while attempt to fetch proxy credentials for user 'chrisbronet' - (null)

Another use case is the discovery process from AD to Secret Server, e.g. scan AD, find the local ID, and create the ID and password in Secret Server. Sample events:

1) 2024-01-11 23:39:36,183 [CID:] [C:] [TID:83] ERROR Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner - WMI (IIS) Unable to connect to xyzwin.abc.com with Exception System.Threading.ThreadAbortException: Thread was being aborted. 
at System.Management.IEnumWbemClassObject.Next_(Int32 lTimeout, UInt32 uCount, IWbemClassObject_DoNotMarshal[] apObjects, UInt32& puReturned) at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext() at Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner.<>c__DisplayClass10_0.<IsIisRunningWmi>b__0(Object x) - (null)

2) 2024-01-11 23:29:47,675 [CID:] [C:] [TID:PriorityScheduler Thread @ Normal] ERROR Thycotic.Discovery.Sources.Scanners.MachinePreDiscoveryTester - Could not connect to xyx.win.abc.com with port pre-check. Please open port(s) [135, 445] - (null)

3) 2024-01-11 23:32:32,163 [CID:] [C:] [TID:PriorityScheduler Elastic Thread @ Normal] ERROR Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner - Service Controller (IIS) Unable to connect to xyz.win.abc.com with Exception System.InvalidOperationException: Cannot open W3SVC service on computer 'xyz.win.abc.com'. ---> System.ComponentModel.Win32Exception: Access is denied --- End of inner exception stack trace --- at System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess) ... 1 line omitted ... at System.ServiceProcess.ServiceController.get_Status() at Thycotic.Discovery.Sources.Scanners.Dependency.ApplicationPoolScanner.IsIisRunningServiceController() - (null)

Thank you
Dears, I need assistance with a Splunk query to retrieve data from two sources: source X and source Y. I want to match records where child_file_id in source Y matches file_id in source X and retrieve the combined data. How can I achieve this?

So, in my source X, specifically Stealer_*, there are records, each of which includes a file_id, which is illustrated as 3382 in my example.

So, when I search for file_id, I find 6 events, all structured similarly but with different values, all sharing the same file_id. In another source, I have data related to source X. To establish connections between them, I use child_file_id as a relational identifier, similar to a database key. As depicted in the screenshot below, you can see that the child_file_id corresponds to the same file_id in the first source.

How can I construct a Splunk query to achieve this? Specifically, I want to retrieve the entire result set in a single query and table. In this query, the data from source 2 (child_file_id) should be duplicated in each event from the first source, creating a unified result.

Final output, something like this:

source_field1, source_field1, source_field1, source_field1, source_field1, source_field2, source_field2

BR.
Hello, I need your help. I started a 14-day free trial of Splunk about an hour ago. When I want to access the instance, it isn't even accessible, like gray mode. Should I just wait, or did I do something wrong? Thanks for your help.
How to find endpoints of our Splunk instance 
How to send an alert if one event doesn't occur in 10 min with the below format of data. The data will be sent every 1 hour with a 30-min interval. Example: the alert has to trigger for the below data at 2:40.

_time                          ID    Bill_ID
2024-01-12T03:10:53.000-06:00  TTF5  80124
2024-01-12T03:08:07.000-06:00  TFB6  84958
2024-01-12T02:34:54.000-06:00  TFB6  84958
2024-01-12T02:09:48.000-06:00  TTF5  80124
2024-01-12T02:07:02.000-06:00  TFB6  84958
2024-01-12T01:36:59.000-06:00  TTF5  80124
2024-01-12T01:33:37.000-06:00  TFB6  84958
2024-01-12T01:11:13.000-06:00  TTF5  80124
2024-01-12T01:07:22.000-06:00  TFB6  84958
2024-01-12T00:37:08.000-06:00  TTF5  80124
2024-01-12T00:35:08.000-06:00  TFB6  84958
2024-01-12T00:11:16.000-06:00  TTF5  80124
2024-01-12T00:10:20.000-06:00  TFB6  84958
2024-01-11T23:36:19.000-06:00  TTF5  80124
2024-01-11T23:34:17.000-06:00  TFB6  84958
Hello, I am using a Filler Gauge in one of my dashboards and I would like to use values with 2 decimal places, but I do not see any precision option for the Gauge viz. For example, I would like to display this as 99.60 and not 100. Is it not possible to do at the moment in Dashboard Studio, or is there any workaround available to achieve this? Thank you.
"reqUser":"mhundi","evtTime":"2023-06-08 14:04:06.504","access":"SELECT","resource":"dsc60180_ici_sde_tz_db/vehicle_master/light_truck_lob_flag,lincoln_lob_flag,model_e_lob_flag,vehicle_make_desc,vehicle_type_desc,warranty_start_date,vehicle_type_desc,warranty_start_date","resType":"@column","action":"select","result":1,"agent":"hiveServer2","policy":101343,"enforcer":"ranger-acl","sess":"00ef27f9-75a4-4821-9e8a-60f16af6b962","cliType":"HIVESERVER2","cliIP":"19.51.78.185","reqData":"SELECT * FROM (SELECT `Left`.`advisor_name`, `Left`.`appointment_created_by`, `Left`.`appointment_datetime

Fields to be extracted: reqUser, evtTime, resource
Hi all, I have a list of 3k+ servers for which I want to check data flow from a specific index. How can I do this with an optimized search?
This page states: "You can't delete default indexes and third-party indexes from the Indexes page." Can I still delete default indexes through the CLI?
Is it possible to run a playbook on demand, meaning a manual trigger by an analyst such as clicking a playbook during a workbook step? I have a use case where I want to run a playbook, but only from user initiation. I could implement some logic for user interaction at the container, but I'd prefer not to have something waiting for input until a user can get to it.
When a container is created that contains multiple artifacts from a forwarded Splunk event, I noticed playbooks are running against every artifact that has been added, causing duplicate actions. Reading through the boards here a bit, a possible solution was adding logic to check for a container tag on run: use a decision block to see if a tag exists; if so, simply end, otherwise continue and add a tag when complete. My problem is this appears to work when testing against existing containers (debug against an existing container ID and all artifacts), but when a new container is created it seems to ignore this and run multiple times. My guess is the playbook is being run concurrently for each of the artifacts instead of one at a time.

1. What is causing the problem?
2. What is best practice to prevent this from occurring?
I see the Splunk query

index="sample" "log_processed.env"=prod "log_processed.app"=sample "log_processed.traceId"=90cf115a05ebb87b2 | table _time, log_processed.message

is displaying empty messages in a table cell. I could see the event in the raw format. Do I have any limit on seeing the whole message in the table box?
Hello community members, Has anyone successfully integrated the Backbase fintech product with Splunk for logging and monitoring purposes? If so, could you share your insights, experiences, and any tips on how to effectively set up and maintain this integration? Thank you in advance for your help!
We need to set up an alert if a server has no java process for 15 mins, with only one alert sent until the issue is solved. Do we need to create 2 windows for this?

| mstats count(os.cpu.pct.used) as c where index=cpet-os-metrics host_ip IN (10.0.0.1,10.0.0.2) by host_ip
| join host type=left
    [| mstats avg(ps_metric.pctMEM) as avg_mem_java avg(ps_metric.pctCPU) as avg_cpu_java count(ps_metric.pctMEM) as ct_java_proc where index=cpet-os-metrics host_ip IN (10.0.0.1,10.0.0.2) sourcetype=ps_metric COMMAND=java by host host_ip COMMAND USER ]
| fields - c
| eval is_java_running = if(ct_java_proc>0, 1, 0)
Hello all, I send some logs from multiple endpoints to a standalone Splunk HTTP Event Collector. Many logs are sent successfully, but some of them (same index, same endpoint, ...) get a 403 when sending and are not sent. I think maybe it's due to threads or sockets. Any ideas are appreciated.
I want to calculate the percentage of status code 200 out of the total count of status codes by time. I have written the query below using appendcols. The query is working, but it is not giving the percentage every minute or by _time. I want this percentage of status code 200 by _time as well. So can anybody help me out on how to write this query?

index=* sourcetype=* host=*
| stats count(sc_status) as Totalcount
| appendcols [ search index=* sourcetype=* host=* sc_status=200 | stats count(sc_status) as Count200 ]
| eval Percent200=Round((Count200/Totalcount)*100,2)
| fields _time Count200 Totalcount Percent200
Hi all, I am trying to authenticate a user against the REST API, but when testing via curl, it is failing when using the LB URL (F5). The user has replicated across all SHC members and can log in via the UI.

# curl -k https://Splunk-LB-URL:8089/services/auth/login -d username=user -d password='password'
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="WARN" code="incorrect_username_or_password">Login failed</msg>
</messages>
</response>

But when I try the same against the SH member directly, it works.

# curl -k https://Splunk-SearchHead:8089/services/auth/login -d username=user -d password='password'
<response>
<sessionKey>gULiq_E7abGyEchXyw7rxzwi83Fhdh8gIGjPGBouFUd37GuXF</sessionKey>
<messages>
<msg code=""></msg>
</messages>
</response>

Initially I thought it could be something on the LB side, but then for the "admin" user, the LB URL works just fine.

# curl -k https://Splunk-LB-URL:8089/services/auth/login -d username=admin -d password='password'
<response>
<sessionKey>gULiq_E7abGyEchXyw7rxzwi83Fhdh8gIGjPGBouFUd37GuXF</sessionKey>
<messages>
<msg code=""></msg>
</messages>
</response>

Has anyone come across an issue like this? Why would admin work fine on the LB, but a new local user works only against the SH directly and not via the load balancer?
Hello guys, hope you are doing great! I want to configure a query. Some guys are disabled in AD, and also in Splunk ES, when I open the Identity Investigator, it is showing them as disabled (cn=*,ou=disabled,ou=united,ou=accounts,dc=global,dc=ual,dc=com). But in users it is showing his role under the roles, but it should show as no_access. Now I want to build a query and create an alert. Can you please help me on this?

Ani