I am aware of forwarder -> indexer -> search head. However, when reading about streaming commands, Splunk states "A distributable streaming command runs on the indexer or the search head, depending on where in the search the command is invoked." I am very confused, as I read this as saying that there are searches on the indexer and then there are searches on the search head. But my understanding is that the search head is used to search events on the indexer, and that there is no searching the indexer without the search head. What is the difference between a search on the indexer and a search on the search head? https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Commandsbytype
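An added illustration of where each stage of one search actually executes (this is an editorial example, not from the original post; the index name web and the access_combined sourcetype are assumed):

```spl
index=web sourcetype=access_combined
| eval is_error=if(status>=500, 1, 0)
| stats sum(is_error) AS errors, count AS total BY host
| eval error_pct=round(100 * errors / total, 2)
| where error_pct > 1
```

The search head parses the whole pipeline and ships everything up to and including the first transforming command (stats) to every indexer. The first eval is distributable streaming: each indexer applies it to its own events as they stream off disk, in parallel. stats is transforming: each indexer computes partial sums and counts per host, and the search head merges those partials into the final rows. The second eval and the where run only on the search head, because they sit after the transforming command. That is what "depending on where in the search the command is invoked" means: the same eval command runs on the indexers when it appears before stats and on the search head when it appears after. You can confirm the split in the Job Inspector, where the job properties remoteSearch (the part sent to the indexers) and reportSearch (the part kept on the search head) show the two halves of the pipeline.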
I have written and tested some rules using "Ingest Actions". I used the "Sample" indexed data and everything seems fine, so I saved my rules.  There is a button "Deploy" with one option, Export for Manual Deployment. Do I have to do that?
I have a dashboard built with Dashboard Studio with several Single Value visualizations. When I enable showLastUpdated, the "Open in Search", "Layers", "Clone" and "Delete" options are lost for the visualizations on the left side of the browser window, because the hover-over option menu is cut off by the edge of the window. I have attempted to adjust the zoom level, but that does not change the issue. This is happening in both Safari and Chrome. For now, the work-around of disabling showLastUpdated is the only way of resolving this, but I would like to have it enabled and to see the full options bar. Thanks! -SR
Why can't I see data in Splunk ES Non-corporate Web Uploads? When I click on the user, I get "mariangelie.rodriguez+castellano is not a known identity".
Hello. Is there a way to show a Splunk dashboard on a digital signage display? I know you can use software like magic info, but the Splunk web page requires login and I cannot see a supported login page in magic info. Is there other software that can be used to broadcast Splunk dashboards? I am aware that there is a Splunk app named SLIDESHOW, but that also requires Splunk login. Thank you
Hello, I am trying to use a subsearch in order to create a dashboard, but because subsearches have limitations it is timing out and not producing results. I know the code works when I shorten the duration of time and the logs it's ingesting, but that is not an acceptable solution for this dashboard. Is there a better way to write this code, or another way for me to produce the results?

index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" [search index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe" | where NOT cidrmatch("192.168.0.0/16",Source_Network_Address) | top limit=1 Source_Network_Address | dedup Source_Network_Address | rename Source_Network_Address as c_ip | table c_ip]

My goal is to take information from the first panel in my dashboard and then use that information to do a different search in another panel.
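An added alternative (an editorial example, not the poster's search) that sidesteps the subsearch result and time limits by reading both sources in one search and correlating on the IP with stats. It keeps the field names from the question and assumes the Windows field Source_Network_Address and the IIS field c_ip hold the same client address; ip, src, lockout_events and iis_401s are names chosen for this example:

```spl
(index="windows_logs" LogName="Security" (EventCode="4625" OR EventCode="4740")
    (Account_Domain="EXCH" OR Account_Domain="-") (user="john@doe.com" OR user="johndoe"))
OR (index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD")
| eval ip=coalesce(Source_Network_Address, c_ip)
| where isnotnull(ip) AND NOT cidrmatch("192.168.0.0/16", ip)
| eval src=if(index="windows_logs", "win", "iis")
| stats count(eval(src="win")) AS lockout_events,
        count(eval(src="iis")) AS iis_401s,
        min(_time) AS first_seen, max(_time) AS last_seen
    BY ip
| where lockout_events > 0 AND iis_401s > 0
| sort - lockout_events
```

Only addresses seen on both sides survive the final where, which is the same correlation the subsearch performed, but there is no 10,000-result or 60-second subsearch ceiling, and the parentheses make the AND/OR grouping explicit instead of relying on OR binding tighter than the implicit AND. If the real requirement is "drive panel two from what the user clicks in panel one", a subsearch is not needed at all: give the first panel a drilldown that sets a token (for example from $row.ip$) and reference that token in the second panel's search, for instance c_ip="$ip_token$".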
Hi, I have the following setup:

Splunk HF running on 9.1.2
Splunk DB Connect latest version - 3.15
Splunk DBX Add-on for Oracle DB JDBC - 2.2.0 (has ojdbc8-21.7.0.0.jar)
Configured to use the JRE from Oracle's OpenJDK 18.0.2
Our Oracle database is running on 19c.

I have re-loaded the driver. I have verified the connectivity from the Splunk HF server to the DB server via telnet/curl and the connection exists (had to open the firewall). However, when I try to create a connection I get errors like "IO Error: The Network Adapter could not establish the connection" in the internal logs. Suspecting it could be an issue with the JDBC driver, I downloaded "ojdbc8-21.1.0.0.jar" from Oracle and placed it under the drivers folder within splunk_app_db_connect as well as in the lib folder within the DBX add-on. I re-loaded the driver and I can see the internal logs loading the new jar, but it is still the same issue. Any pointers/thoughts to troubleshoot?

java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection (CONNECTION_ID=5gNEcEZfSnyI6PN7r2LGog==)
    at oracle.jdbc.driver.T4CConnection.handleLogonNetException(T4CConnection.java:892)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:697)
    at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:1041)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:89)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:732)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:648)
    at com.splunk.dbx.service.driver.DelegatingDriver.connect(DelegatingDriver.java:25)

Thanks in advance.
Hi there, I'm new to Splunk and will be grateful for advice. I have the following events:

{ PROJECT_NAME = project1 JOB_NAME = jobA JOB_RESULT = success }
{ PROJECT_NAME = project2 JOB_NAME = job2 JOB_RESULT = fail }

I need to build the following table:

JOB_NAME | TOTAL_SUCCESS | TOTAL_FAILS
"for each JOB_NAME in PROJECT_NAME" | "sum of JOB_RESULT success for JOB_RESULT" | "sum of JOB_RESULT fail for JOB_RESULT"

Could you please help with queries for the table? Many thanks in advance!
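An added example (editorial, not from the original post) of the per-job success/failure table. The index and sourcetype names are assumed; the rex line is only needed if PROJECT_NAME, JOB_NAME and JOB_RESULT are not already extracted from the key = value text:

```spl
index=ci_jobs sourcetype=job_results
| rex field=_raw "PROJECT_NAME\s*=\s*(?<PROJECT_NAME>\w+).*?JOB_NAME\s*=\s*(?<JOB_NAME>\w+).*?JOB_RESULT\s*=\s*(?<JOB_RESULT>\w+)"
| stats count(eval(JOB_RESULT="success")) AS TOTAL_SUCCESS,
        count(eval(JOB_RESULT="fail")) AS TOTAL_FAILS
    BY PROJECT_NAME JOB_NAME
| sort PROJECT_NAME JOB_NAME
```

count(eval(...)) counts only the events for which the condition is true, so one stats pass produces both columns without a second search or a join. Grouping BY PROJECT_NAME JOB_NAME gives one row per job within each project, which matches "for each JOB_NAME in PROJECT_NAME"; drop PROJECT_NAME from the BY clause if job names are globally unique. If JOB_RESULT is not consistently lowercase, wrap it as lower(JOB_RESULT) inside the eval.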
Hello, I have a very long XML record that I am trying to spath some data from, but I can't seem to get it to work. Can someone possibly give me some assistance? Here's what the record looks like (sorry, it's SUPER long):

2024-01-08 12:09:43.000, LOAD_DATE="2024-01-08 12:09:43.0", EVENT_LENGTH="14912", ID="3f29f958-af6e-4050-919e-fb23fc27e2bc", MSG_src="PXXXX", MSG_DOMAIN="APP", MSG_TYPE="INBOUND", MSG_DATA="<?xml version='1.0' encoding='UTF-8'?>
<Message>
  <header>
    <domain>APP</domain>
    <source>PXXXX</source>
    <messageType>INBOUND</messageType>
    <eventId>f8y6jk45-af6e-4050-919e-fb23fc27e2bc</eventId>
  </header>
  <parsing>
    <parsingStatus>SUCCESS</parsingStatus>
    <parsingStatusDesc>Success</parsingStatusDesc>
    <formType>1234</formType>
  </parsing>
  <ABC>
    <Code>ABC</Code>
    <Number>209819</Number>
    <sequence>0236</sequence>
    <ReceiptDate>2024-01-08T00:00:00.000-05:00</ReceiptDate>
    <FirstDate>2024-01-08T00:00:00.000-05:00</FirstDate>
    <Status>SUCCESS</Status>
    <location>xxxxxxxx</location>
    <id>ci1704729189245.431902@fdsahl86ceb40c</id>
    <format>ABCD</format>
  </ABC>
  <applicationDetails>
    <applicationGlobalId>500168938</applicationGlobalId>
    <applicationType>ABC</applicationType>
    <applicationSubtype>UNKNOWN</applicationSubtype>
    <applicationNumber>123456</applicationNumber>
    <applicationRelationships>
      <applicationRelationship>
        <ReasonCode>XYZ</ReasonCode>
        <Desc>BLAH BLAH BLAH</Desc>
        <applicationGlobalId>123456789</applicationGlobalId>
        <applicationNumber>123456</applicationNumber>
        <applicationSubtype>UNKNOWN</applicationSubtype>
        <applicationType>RED</applicationType>
      </applicationRelationship>
    </applicationRelationships>
    <applicationPatents/>
    <applicationStatuses>
      <applicationStatus>
        <statusCode>APPROVED</statusCode>
        <statusDescription>APPROVED</statusDescription>
        <statusStartDate>2017-11-30T00:00:00.000-05:00</statusStartDate>
      </applicationStatus>
    </applicationStatuses>
    <applicationProperties/>
  </applicationDetails>
  <InboundDetails>
    <InboundType>Reply</InboundType>
    <InboundSubtype>Reply2</InboundSubtype>
    <InboundSequenceNumber>0236</InboundSequenceNumber>
  </InboundDetails>
  <form>
    <attributes>123-4560910-0001"/>
      <attribute description="EXPIRATION DATE" name="Expiration Date" value="03/31/2024"/>
      <attribute description="name" name="name_holder" value="Place Inc."/>
      <attribute description="NUMBER" name="number" value="209819"/>
      <attribute description="Bunch of strings" name="Desc"/>
    </attributes>
    <List>
      <items/>
    </List>
    <infoList>
      <info>
        <Type>Information goes here</Type>
        <name>Me Formal</name>
        <phoneNumber>+1 (111) 222-333</phoneNumber>
        <addressLine1>1234 Road Drive</addressLine1>
        <city>Place, MO</city>
        <zipCode>12345</zipCode>
        <emailAddress>me.formal@domain.com</emailAddress>
        <partyContacts>
          <partyContact>
            <Date>2024-01-04T00:00:00.000-05:00</Date>
            <state>MO</state>
            <emailAddress>me.formal@domain.com</emailAddress>
            <addressLine1>1234 Road Drive</addressLine1>
            <city>Place</city>
            <country>UNITED STATES</country>
            <phoneNumber>+1 (111) 222-333</phoneNumber>
            <zipCode>12345</zipCode>
            <name>Me Formal</name>
            <contactType>United States</contactType>
          </partyContact>
        </partyContacts>
      </info>
    </infoList>
  </form>
  <Information>
    <Number>11,222,333</Number>
    <IssueDate>2023-12-12</IssueDate>
    <ApprovalDate>2017-11-30</ApprovalDate>
    <ExpirationDate>2035-11-06</ExpirationDate>
    <SubType>Y</SubType>
    <Status>SUCCESS</Status>
  </Information>
  <index/>
  <additionalInfo>
    <attributes>
      <attribute description="title" name="title" value="Letter"/>
    </attributes>
    <fileDetails>
      <fileDetail>
        <Toc>application||form</Toc>
        <title>FABDC REDS</title>
        <fileName>file.pdf</fileName>
        <fileType>pdf</fileType>
        <formType>Long sting of data</formType>
        <filePath>\\filepath\file.pdf</filePath>
      </fileDetail>
      <fileDetail>
        <abcdToc>v1-place||v1-2-file-name</abcdToc>
        <title>Letter</title>
        <fileName>letter.pdf</fileName>
        <fileType>pdf</fileType>
        <filePath>\\us\letter.pdf</filePath>
      </fileDetail>
      <fileDetail>
        <abcdToc>information</abcdToc>
        <title>11-222-333</title>
        <fileName>11-222-333.pdf</fileName>
        <fileType>pdf</fileType>
        <filePath>\\ab\11-222-333.pdf</filePath>
      </fileDetail>
    </fileDetails>
    <tags/>
  </additionalInfo>
</Message>"

At the end, I am trying to get the data from the "<fileDetails>" section, specifically the "<title>" for each file. It would have to be multi-value, since there may, for a single record, be a single OR multiple titles. I've tried a few variations of spath, as well as xmlkv, but as of yet haven't found anything that has given me the results I am expecting. For the example above I would expect to have 3 "Titles":

FABDC REDS
Letter
11-222-333

Any ideas how to get this data out? Thanks for the help!
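An added example (editorial, not from the original post) that returns the three titles as one multivalue field for a record shaped like the one above. The index and sourcetype are assumed, and msg_xml and file_title are names chosen here:

```spl
index=app_events sourcetype=msg_events
| rex field=_raw "(?s)MSG_DATA=\"(?<msg_xml>.*)\"\s*$"
| spath input=msg_xml path=Message.additionalInfo.fileDetails.fileDetail.title output=file_title
| table ID file_title
```

The rex step is the important one. The MSG_DATA value contains its own double quotes (the description="..." attributes under form and additionalInfo), so automatic key=value extraction stops at the first of them and the auto-extracted MSG_DATA field holds a truncated, unparseable XML fragment; spath on that field finds nothing. Automatic extraction is also subject to the limits.conf [kv] maxchars setting (10240 bytes by default), and this event is 14912 bytes long. Capturing the value with rex against _raw, greedy to the closing quote at the end of the event, avoids both problems. spath with an explicit path then returns every matching title as a multivalue field, regardless of whether a given fileDetail uses Toc or abcdToc. The same extraction works with xpath instead of spath: | xpath outfield=file_title "//fileDetails/fileDetail/title" field=msg_xml.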
Most of the time this applies to using "Counts" in a certain dashboard. Is it possible to show an expected value? For example, I have a dashboard that counts a certain log each day. There should be 30 each day, but sometimes there are only 29 due to errors. Is it possible to visualize that info against the expected number of 30, or even just visualize it on the dashboard report as 29/30?
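An added example (editorial, not from the original post) of a daily count shown against a fixed expectation. The index and sourcetype are assumed, as is the expected value of 30 per day from the question:

```spl
index=app sourcetype=daily_job
| timechart span=1d count AS actual
| eval expected=30
| eval missing=expected - actual,
       display=actual."/".expected,
       status=if(actual < expected, "short", "ok")
```

timechart emits a row for every day in the time range, so a day on which nothing arrived shows as 0/30 instead of silently disappearing, which a plain stats count by date would do. The display field is what a single-value panel shows as "29/30"; missing drives a column chart or a colour threshold on status. For a single-value panel of today's count alone, replace the timechart line with stats count AS actual and keep the rest.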
Hello, I'd like to know the process of compiling a Splunk app in a Windows environment, specifically using the default folder containing the props file to create a customized app. Thanks
We have a scheduled alert configured in Splunk which is working fine as per the events from the user logs, but it is delayed in sending the email as the alert notification.
We are using the Splunk metrics-toolkit app to check the logs. We created two indexes, 1. metrics and 2. platform_benefits, and one token for the index metrics. In the metrics-toolkit app.dev file we are using one token. As a result it is logging only metrics index data in Splunk; we have both metrics and platform_benefits dashboards. Is there any way to configure two tokens inside the app.dev YAML file to get the logs of both indexes? https://github.com/mulesoft-catalyst/metrics-toolkit/blob/main/src/main/resources/properties/secure/_template.yaml
Hi, I have two queries that have a common field someField. One helps me find inconsistencies:

sourcetype="my_source" someLog inconsistencies

The other helps me find consistencies:

sourcetype="my_source" someLog consistencies

This gives me both consistencies and inconsistencies:

sourcetype="my_source" someLog

Note that someLog is just a text used as an identifier that's common to both queries. If someField was logged as inconsistent, it can be logged as consistent in the future. How can I find those values of someField that are truly inconsistent in a given time frame, retrospectively? I.e., if currently values are inconsistent, I want to be able to search (in the past or future relative to the current search) for those values that are truly inconsistent - not part of the consistent results in that time frame.
What is the latest version of Splunk Enterprise supported on RHEL 7.x?
Hi, instead of passing the username and password in plain text, I was trying the basicauth extension for authentication and monitoring the Oracle DB, and I require some assistance: after adding the details below to agent_config.yml, the Splunk OTel collector is not starting up and I am seeing an error. Kindly help. In agent_config.yml:

extensions:
  basicauth:
    htpasswd:
      file: /etc/otel/collector/.htpasswd
receivers:
  oracledb/demo:
    protocols:
      http:
        auth:
          authenticator: basicauth
    endpoint: <hostname:port>
    service: <DBname>
service:
  metrics:
    receivers: [oracledb/demo]
I am working on building a query to search retrospectively and potentially run a report. Let's say the first search is

index=some_index "inconsistencies" | dedup someField

and the second is

index=some_index "consistent" someField IN (fieldValuesFromPrevMsg) | dedup someField

I want to check whether a field seen in the first search is part of the second search (which has a slightly different query but has the same field) in a custom time frame (which could be in the future relative to the first search, or in the past). I'm new to Splunk; can someone please help me with this?
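An added example (editorial, not from either post) that answers both this question and the earlier one about someField and someLog with a single pass over the data rather than a subsearch: classify each event as inconsistent or consistent, aggregate per someField, and keep the values whose most recent state in the chosen time range is still inconsistent. The index name and the literal keywords are assumed from the two posts; state, inconsistent_count, consistent_count, last_inconsistent and last_consistent are names chosen here:

```spl
index=some_index (inconsistencies OR inconsistent OR consistencies OR consistent)
| eval state=if(match(_raw, "(?i)inconsisten"), "inconsistent", "consistent")
| stats count(eval(state="inconsistent")) AS inconsistent_count,
        count(eval(state="consistent")) AS consistent_count,
        max(eval(if(state="inconsistent", _time, null()))) AS last_inconsistent,
        max(eval(if(state="consistent", _time, null()))) AS last_consistent
    BY someField
| where inconsistent_count > 0
    AND (isnull(last_consistent) OR last_inconsistent > last_consistent)
| convert ctime(last_inconsistent) ctime(last_consistent)
| sort - last_inconsistent
```

The time picker defines the window, so "retrospectively" is just a matter of running the same search over the past or future range of interest; nothing is bounded by the 10,000-event subsearch limit, and the IN (fieldValuesFromPrevMsg) hand-off disappears because both populations are in the same search. The where clause keeps values that were never logged consistent in the window (isnull(last_consistent)) or that went inconsistent again after their last consistent entry. To keep only values never logged consistent at all, replace the second condition with consistent_count = 0. The match() on _raw is what distinguishes the two states; if the log line carries a proper field for it, test that field instead of the raw text.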
Hi, I am fetching data from the ServiceNow add-on into Splunk for one of the ServiceNow CMDB tables. While fetching, the field name is splitting as below. How do I fix this?
Hi, it's unclear from the app description what this app allows for. Is it for helping with RADIUS configuration for Splunk authentication? Or is it for monitoring any RADIUS server's logs, even if you don't use RADIUS within Splunk?
Hello, I have seen a few of the spath topics around, but wasn't able to understand enough to make it work for my data. I would like to create a line chart using pointlist values - it contains a timestamp in epoch and CPU %. The search I tried, which is not working as expected to extract this data:

index="splunk_test" source="test.json" | spath output=pointlist path=series{}.pointlist{}{} | mvexpand pointlist | table pointlist

Please see the sample JSON below.

{"status": "ok", "res_type": "time_series", "resp_version": 1, "query": "system.cpu.idle{*}", "from_date": 1698796800000, "to_date": 1701388799000, "series": [{"unit": [{"family": "percentage", "id": 17, "name": "percent", "short_name": "%", "plural": "percent", "scale_factor": 1.0}, null], "query_index": 0, "aggr": null, "metric": "system.cpu.idle", "tag_set": [], "expression": "system.cpu.idle{*}", "scope": "*", "interval": 14400, "length": 180, "start": 1698796800000, "end": 1701388799000, "pointlist": [[1698796800000.0, 67.48220718526889], [1698811200000.0, 67.15981521730248], [1698825600000.0, 67.07217666403122], [1698840000000.0, 64.72434584884627], [1698854400000.0, 64.0411289094932], [1698868800000.0, 64.17585938553243], [1698883200000.0, 64.044969119166], [1698897600000.0, 63.448143595246194], [1698912000000.0, 63.80226399404451], [1698926400000.0, 63.93216493520908], [1698940800000.0, 63.983679174088145], [1701331200000.0, 63.3783379315815], [1701345600000.0, 63.45321248782884], [1701360000000.0, 63.452383398041064], [1701374400000.0, 63.46314971048991]], "display_name": "system.cpu.idle", "attributes": {}}], "values": [], "times": [], "message": "", "group_by": []}

Can you please help with how I can achieve this? Thank you. Regards, Madhav
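An added example (editorial, not from the original post) that turns the pointlist pairs above into a chartable time series. It uses the index and source from the question; point, epoch_ms and cpu_idle are names chosen here:

```spl
index="splunk_test" source="test.json"
| spath output=point path=series{}.pointlist{}
| mvexpand point
| rex field=point "^\[\s*(?<epoch_ms>[\d.]+)\s*,\s*(?<cpu_idle>[\d.]+)\s*\]$"
| eval _time=epoch_ms/1000, cpu_idle=round(tonumber(cpu_idle), 2)
| timechart span=4h max(cpu_idle) AS cpu_idle
```

The path in the question, series{}.pointlist{}{}, descends into the inner arrays and flattens every number into one multivalue list, so after mvexpand the timestamps and the CPU values alternate as separate rows and the pairing is lost. Stopping one level up, at series{}.pointlist{}, makes spath return each inner pair as a single JSON string such as [1698796800000.0, 67.48220718526889]; mvexpand then yields one row per point and the rex splits it into the two numbers. The timestamps are milliseconds, hence the division by 1000 before assigning _time. A span of 4h matches the 14400-second interval in the payload; for the raw points instead of a chart, replace the timechart line with | table _time cpu_idle | sort _time. For very long series, mvexpand is bounded by the limits.conf [mvexpand] max_mem_usage_mb setting, so expect a warning rather than silent truncation if a series exceeds it.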