Let's talk thresholding. Have you set up static thresholds? Tired of static thresholds triggering false alarms? Interested in dynamic, adaptive thresholds but don't know where to start, or spend too much time setting them up? Dive into the world of adaptive thresholds and discover how they help drive accurate alerting so you can reduce false positives, cut alert noise, and better understand when something's gone wrong. The best part? Find out how ML-Assisted Thresholding takes it a step further by configuring adaptive thresholds for you at the click of a button. It's time to embrace the new era of alerting and efficiency!

Topics covered include:
- The importance of adaptive thresholding in ITSI
- How to use machine learning to help automatically create adaptive thresholds in Splunk ITSI
- Behind the scenes of the recommendation algorithm powered by Splunk AI

Who will benefit: Splunk Administrator, VP of IT Operations, IT Operations Manager, IT Operations Engineer, IT Operations Analyst, IT Systems Engineer, IT Systems Analyst, Systems Administrator, IT Support Analyst, Incident Responders, Platform Engineers, Frontend Engineers, Site Reliability Engineers, DevOps Engineers, Directors of Web and eCommerce, Director of UI / UX and Mobile App Developers and more!
Hey Experts, I'm new to Splunk and I'm trying to extract APP, WEB and MNOPQ from a field called result. Can someone please guide me on how to achieve this? Any help or example queries would be greatly appreciated. Thank you!

Fi a:\abc\def\MNOPQ.txt content is expected to include "A H Dis Query,0,0"
Fi a:\abc\def\APP.txt content is expected to include "A H Dis Query,0,0"
Fi a:\abc\def\WEB.txt content is expected to include "A H Dis Query,0,0"
Hi to everyone, I have recently installed Splunk Enterprise (9.1.2) on an Ubuntu 20.04 with the add-on "Splunk App for Stream" (8.1.1). On another VM (also Ubuntu 20.04, IP: 192.168.182.134) I put my UF (9.1.2). In the UF, I put the add-on "Splunk Add-on for Stream Forwarders" (8.1.1) to capture stream/packets.

My streamfwd.conf file is:

[streamfwd]
logConfig = streamfwdlog.conf
port = 8889
ipAddr = 192.168.182.134
netflowReceiver.0.decodingThreads = 4
indexer.0.uri = http://192.168.182.132:8088

[streamfwdcapture]
netflowReceiver.0.ip = 192.168.182.134
netflowReceiver.0.interface = ens33
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow

And in my streamfwd.log I have this:

2024-02-12 01:28:47 INFO [140717870847936] (CaptureServer.cpp:817) stream.CaptureServer - Found DataDirectory: /opt/splunkforwarder/etc/apps/Splunk_TA_stream/data
2024-02-12 01:28:47 INFO [140717870847936] (CaptureServer.cpp:823) stream.CaptureServer - Found UIDirectory: /opt/splunkforwarder/etc/apps/Splunk_TA_stream/ui
2024-02-12 01:28:47 INFO [140717870847936] (CaptureServer.cpp:896) stream.CaptureServer - Default configuration directory: /opt/splunkforwarder/etc/apps/Splunk_TA_stream/default
2024-02-12 01:28:53 INFO [140717870847936] (CaptureServer.cpp:1918) stream.CaptureServer - Netflow receiver configuration defined; disabling default automatic promiscuous mode packet capture on all available interfaces. Configure one or more streamfwdcapture parameters in streamfwd.conf to enable network packet capture.
2024-02-12 01:28:53 INFO [140717870847936] (SnifferReactor/SnifferReactor.cpp:327) stream.SnifferReactor - No packet processors configured
2024-02-12 01:28:54 INFO [140717870847936] (CaptureServer.cpp:2001) stream.CaptureServer - Starting data capture
2024-02-12 01:28:54 INFO [140717870847936] (SnifferReactor/SnifferReactor.cpp:161) stream.SnifferReactor - Starting network capture: sniffer
2024-02-12 01:28:54 INFO [140717870847936] (CaptureServer.cpp:2362) stream.CaptureServer - Done pinging stream senders (config was updated)
2024-02-12 01:28:54 INFO [140717870847936] (main.cpp:1109) stream.main - streamfwd has started successfully (version 8.1.1 build afdcef4b)
2024-02-12 01:28:54 INFO [140717870847936] (main.cpp:1111) stream.main - web interface listening on port 8889

But in my splunk_stream_app I have this:

If anyone can help me to fix this issue, I will be glad to read it.
Hi, I have a statistics table panel created in the dashboard. Could you please help me to reduce the panel width? Thanks.
Why does the URA not update itself after a scan? I've had several apps installed for more than 2 weeks, and still I get the same message:

----------------------------------------
Details
This newly installed App has not completed the necessary scan.
Version 1.1.6
Application Path /opt/splunk/etc/apps/it_essentials_learn
Required Action Please check again in 24 hours when the necessary scan is complete.
---------------------------------------

Even if I force a scan, nothing changes.
I have a filter of Entity which has the token t_entity, and in the drilldown it has All, C2V, C2C and Cases. I have different panels of this which are showing counts. I have a separate panel of C2V counts which I only want to show when it is selected from the filter.

Filter name: Entity
Token name: t_entity

How is it possible to show a panel only when we select it from the filter?
Hello, I have the following data. I want to use this data to set up a dashboard. In this dashboard I want to show the current duration of equipment where the Status is not "null" (null is a string in this case and not a null value).

- Each JobID only has one EquipmentID
- The same status can occur and disappear multiple times per JobID
- There are around 10 different statuses
- I want the results to show only durations above 60 seconds

If the current time is 12:21, I would like the result to look like this:

EquipmentID  Duration  Most_recent_status
2            120       Z

The data:

Time   EquipmentID  Status  JobID
12:00  1            "null"  10
12:01  2            "null"  20
12:02  2            X       20
12:03  2            X       20
12:04  1            X       10
12:05  1            Y       10
12:06  1            Y       20
12:07  2            Y       20
12:08  1            X       10
12:09  2            Y       20
12:10  1            "null"  11
12:11  2            "null"  21
12:12  2            "null"  21
12:13  1            "null"  11
12:14  1            "null"  11
12:15  2            X       21
12:16  1            X       11
12:17  2            X       21
12:18  1            "null"  11
12:19  2            Z       21
12:20  2            Z       21

This is the query I use now; the only problem is that duration_now resets every time a new event occurs:

index=X sourcetype=Y JobID!="null"
| sort _time 0
| stats last(_time) as first_time last(Status) as "First_Status" latest(status) as Last_status latest(_time) as latest_times values(EquipmentID) as Equipment by JobID
| eval final_duration = case(Last_status ="null", round(latest_times - first_time,2))
| eval duration_now = case(isnull(final_duration), round(now() - first_time,2))
| eval first_time=strftime(first_time, "%Y-%m-%d %H:%M:%S")
| eval latest_times=strftime(latest_times, "%Y-%m-%d %H:%M:%S")
| sort - first_time

Any help would be greatly appreciated.
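An added example, not part of the post above and not Splunk code: the calculation the dashboard needs, written in Python so the run-boundary handling is explicit. The duration of the current status has to be measured from the first event of the current run (the point where the status last changed), not from the latest event, which is why a per-event calculation resets. The sample data is the post's table embedded as a string; the clock value 12:21 and the date are assumptions for the example.

```python
from datetime import datetime

# Sample data copied from the post's table (Time, EquipmentID, Status, JobID).
# "null" is a literal string, as the post says, not a missing value.
RAW = """\
12:00 1 null 10
12:01 2 null 20
12:02 2 X 20
12:03 2 X 20
12:04 1 X 10
12:05 1 Y 10
12:06 1 Y 20
12:07 2 Y 20
12:08 1 X 10
12:09 2 Y 20
12:10 1 null 11
12:11 2 null 21
12:12 2 null 21
12:13 1 null 11
12:14 1 null 11
12:15 2 X 21
12:16 1 X 11
12:17 2 X 21
12:18 1 null 11
12:19 2 Z 21
12:20 2 Z 21
"""

# Assumed clock for the example; the post's expected output is for 12:21.
NOW = datetime(2024, 1, 1, 12, 21)


def parse_events(raw, day=datetime(2024, 1, 1)):
    """Turn the whitespace table into (timestamp, equipment, status, job) tuples."""
    events = []
    for line in raw.strip().splitlines():
        t, eq, status, job = line.split()
        hh, mm = (int(x) for x in t.split(":"))
        events.append((day.replace(hour=hh, minute=mm), int(eq), status, int(job)))
    return events


def current_runs(events, now, min_seconds=60):
    """Per equipment: how many seconds its most recent non-"null" status has
    been continuously in effect, measured from the FIRST event of that run
    to `now`. Equipment whose latest status is "null" has nothing open and is
    skipped; runs of min_seconds or shorter are dropped.
    Returns {equipment: (duration_seconds, status)}."""
    by_equipment = {}
    for ts, eq, status, _job in sorted(events):          # oldest first
        by_equipment.setdefault(eq, []).append((ts, status))

    result = {}
    for eq, seq in by_equipment.items():
        latest_ts, latest_status = seq[-1]
        if latest_status == "null":
            continue
        run_start = latest_ts
        for ts, status in reversed(seq):                 # walk back over the run
            if status != latest_status:
                break                                    # any change, "null" included, ends it
            run_start = ts
        duration = int((now - run_start).total_seconds())
        if duration > min_seconds:
            result[eq] = (duration, latest_status)
    return result


if __name__ == "__main__":
    for eq, (secs, status) in sorted(current_runs(parse_events(RAW), NOW).items()):
        print(f"EquipmentID={eq} Duration={secs} Most_recent_status={status}")
```

Equipment 1's last event (12:18) is "null", so it produces no row; equipment 2 has been in Z since 12:19, giving 120 seconds at 12:21, which is the row the post expects.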
Hi Team, I want to implement HF in HA in a container setup. Can you help here?
We have two different sites/regions in Splunk Cloud, one in North America and the other in Europe. There is an ES migration planned in such a way that all the alerts or data reporting to the Europe region will be migrated to the North America region, and there will be only one ES in the North America region.

This is a unique scenario and I have never done any such migration. Can the community please help me on how to plan this type of migration? I need to prepare a comprehensive plan for this ES migration, highlight all possible changes/modifications/risks that need to be addressed, and also figure out the dependencies.

Please help here if you have any insights.
Hello, my DB Connect displays this error when I try to access it: "Can not communicate with task server, check your settings". I had configured the app before and everything was working, but then I started to receive this error in the web app. The DB Connect app is not showing any configured DBs, just errors. Can you suggest anything? BR
Hi guys, I've tried to set up an alert with two alert actions (email and Slack) from a custom app. When the alert triggered:

02-09-2024 21:40:04.155 +0000 INFO SavedSplunker - savedsearch_id="nobody;abc example alert (NONPRD)", search_type="scheduled", search_streaming=0, user="myself@myself.com", app="abc", savedsearch_name="example (NONPRD)", priority=default, status=success, digest_mode=1, durable_cursor=0, scheduled_time=1707514800, window_time=-1, dispatch_time=xxxxxxxx, run_time=0.884, result_count=2, alert_actions="email", sid="scheduler_xxxxxxxxxx", suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool="standard_perf"

However, I received the email alert but not the Slack alert. Is there any way to debug why the Slack alert was not sent when there are two alert actions? How do I know whether the webhook URL is correct and working? Can someone please provide the complete steps to troubleshoot issues like this? Thank you! T
Hi All, I am using mstats for a metric and I am evaluating my hour and minute fields something like below:

| mstats rate_avg(abc*) prestats=false WHERE "index"="def" span=3m
| rename rate_avg(* as *, *) as *
| eval Date=strftime(_time,"%m/%d/%Y")
| eval hour=strftime(_time,"%H")
| eval minute=strftime(_time,"%M")
| transpose column_name=instance
| rename "row 1" as MessagesRead
| eval MessagesRead=ROUND(MessagesRead,0)
| where MessagesRead < 1

Now I am unable to use the filter condition below:

| search NOT (instance="*xyz*" AND hour=09 AND (minute>=00 AND minute<=15))

as I don't want to alert for a particular instance only from 9:00 to 9:15, but it should alert for the other instances for this time period.

Before the transpose the instance field does not exist and I can't use the filter, and after the transpose I am unable to filter on hour and minute.

Can you please help with filtering after transpose?
I have log entries that have the following format: [<connectorName>|<scope>]<sp>

The following are examples of the connector context for a connector named "my-connector":

[my-connector|worker]
[other-connector|task-0]
[my-connector|task-0|offsets]

I would like to extract the names of the connectors and build stats. The tasks or other metadata are not needed. For example:

Connector        Count
my-connector     2
other-connector  2

As the entries have different formats, how can I do this?
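An added example serving both this post and the earlier one about extracting APP, WEB and MNOPQ from the result field; it is not code from either poster and not Splunk code. Both questions are the same task, a regex capture group followed by a count, so both patterns are shown in Python where they can be tested offline before being pasted into rex. The event lines below are constructed to match the shapes described in the two posts.

```python
import re
from collections import Counter

# Constructed sample events, not taken from either post's real data:
# file-check lines shaped like the first post's, and "[connector|scope]"
# prefixes shaped like the second post's.
FILE_CHECK_EVENTS = [
    r'Fi a:\abc\def\MNOPQ.txt content is expected to include "A H Dis Query,0,0"',
    r'Fi a:\abc\def\APP.txt content is expected to include "A H Dis Query,0,0"',
    r'Fi a:\abc\def\WEB.txt content is expected to include "A H Dis Query,0,0"',
    r'Fi a:\abc\def\readme.md content is expected to include "x"',   # not .txt: ignored
]
CONNECTOR_EVENTS = [
    "[my-connector|worker] starting worker",
    "[other-connector|task-0] polling",
    "[my-connector|task-0|offsets] committing offsets",
    "[other-connector|task-1] polling",
    "plain line without a prefix",
]

# File name: whatever sits between the last backslash and ".txt".
# A literal backslash must be escaped in the pattern, hence "\\".
FILE_RE = re.compile(r"\\(?P<name>[^\\\s]+)\.txt\b")

# Connector: text after "[" up to the first "|". The scope after that first
# "|" may itself contain more "|"-separated parts (task-0|offsets); they are
# consumed by [^\]]* and never captured, which is what makes the three
# differing formats in the post collapse to one pattern.
CONNECTOR_RE = re.compile(r"^\[(?P<connector>[^|\]]+)\|[^\]]*\]")


def extract_file_names(events):
    """Return the .txt base names found in the events, in order (first post)."""
    names = []
    for event in events:
        m = FILE_RE.search(event)
        if m:
            names.append(m.group("name"))
    return names


def count_connectors(events):
    """Return {connector: event count}, ignoring task/offset scope (second post)."""
    counts = Counter()
    for event in events:
        m = CONNECTOR_RE.match(event)          # anchored: prefix must start the line
        if m:
            counts[m.group("connector")] += 1
    return dict(counts)


if __name__ == "__main__":
    print(extract_file_names(FILE_CHECK_EVENTS))   # ['MNOPQ', 'APP', 'WEB']
    print(count_connectors(CONNECTOR_EVENTS))       # {'my-connector': 2, 'other-connector': 2}
```

The connector pattern carries over to SPL as `| rex "^\[(?<connector>[^|\]]+)\|" | stats count by connector`. The file pattern needs the same idea with `rex field=result`, but backslash escaping inside SPL string literals differs from Python raw strings, so check it against a single event before relying on it; lines that do not match simply get no field and drop out of the stats, rather than producing a wrong value.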
Dears,

After upgrading Splunk from version 9.1.2 to version 9.2.0, the deployment server is not showing the clients, but Splunk is receiving logs from the clients, and the client agents show up on all Splunk servers under Settings --> Forwarder Management except on the deployment server. I don't know how that occurred; I didn't change anything. Kindly support me with that.

Best Regards,
I believe this app or associated links to the app have been compromised. Consider removing it from Splunkbase. See the VirusTotal links below:

http[:]//emergingthreats[.]net
https://www.virustotal.com/gui/url/5232edc39848e69279fee041a84db6fb5bd0f9fff35f448392bbb56e242b0662
https://www.virustotal.com/graph/embed/gc54e4c8b7f474be6832766fdef4f5643aa60c68a16ee410fa54f99e4f6ca1b5b?theme=dark
Hi everyone. Is there any way to resolve GPO GUID or SID within Windows Security Logs? For instance, when we change any GPO in the domain it is logged under EventCode 5136. There is a CN name inside the log that can be used for getting the Display name of GPO.  Thanks 
Hello Community, any assistance given will be appreciated. I am trying to figure out why my table is not populating.

<form version="1.1" theme="dark">
  <label>ATM Analyzer</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="status_token">
      <label>Status</label>
      <fieldForLabel>eventstatus</fieldForLabel>
      <fieldForValue>eventstatus</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>index=atm source="D:\\Program Files\\file.dat" | dedup eventstatus | table eventstatus</query>
      </search>
      <default>INFO</default>
      <initialValue>INFO</initialValue>
    </input>
    <input type="dropdown" token="atm_token" searchWhenChanged="false">
      <label>ATM</label>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>index=atm source="D:\\Program Files\\file.dat" | search eventstatus=$status_token$ | dedup atmnumber | table atmnumber</query>
      </search>
      <fieldForLabel>atmnumber</fieldForLabel>
      <fieldForValue>atmnumber</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="dropdown" token="event_token">
      <label>Event</label>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>index=atm source="D:\\Program Files\\file.dat" | search (eventstatus=$status_token$ AND atmnumber=$atm_token$) | dedup eventtype | table eventtype</query>
      </search>
      <fieldForLabel>eventtype</fieldForLabel>
      <fieldForValue>eventtype</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="time" token="timerange">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=atm source="D:\\Program Files\\file.dat" where (eventstatus=$status_token$ AND atmnumber="atm_token" AND eventtype=$event_token$) | rename eventtime as Time, eventstatus as Status, atmnumner as ATM, eventtype as Fault, eventdescription as Description | table Time Status ATM Fault Description</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
I am trying to achieve the requirement below.

1. Calculate the error rate label for multiple applications: if Error Rate is greater than 50%, mark "DOWN" in red; if Error Rate > 5% and < 50%, mark "ISSUE" in orange; else "UP" in green.
2. After the label column is done, create a new single-value widget and check all the labels (DOWN, ISSUE, UP): if any (at least one) API in Error Rate is "DOWN", show "DOWN" in red; if any API in Error Rate is "ISSUE", show "ISSUE" in orange; else "UP" in green.

Note: I need a single text value as the result.

This is the code I wrote till now, but it still does not fulfill my requirement:

<panel>
  <single>
    <title>Error Rate</title>
    <search>
      <query>
app_name=abc OR app_name=xyz
| rex field=msg "\"[^\"]*\"\s(?&lt;status&gt;\d+)"
| stats count(eval(status&gt;=200 AND status&lt;=300)) as pass_count, count(eval(status&gt;=400)) as fail_count by cf_app_name
| eval error_rate=(fail_count/(pass_count + fail_count))*100
| eval label=if(error_rate &gt; 50, "DOWN", if(error_rate &gt; 5, "ISSUE", "UP"))
| eval error_rate=round(error_rate, 2)."%"
| rename error_rate AS "Error_rate(percent)"
| stats count(eval(label="DOWN")) as down_count, count(eval(label="ISSUE")) as issue_count, count(eval(label="UP")) as up_count
| rangemap field=issue_count low=0-0 high=2-99 default=low
| eval Status=case(down_count &gt;= 1, "DOWN", down_count=0 AND issue_count &gt;= 1, "ISSUE", 1==1, "UP")
      </query>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="drilldown">none</option>
    <option name="field">Status</option>
    <option name="rangeValues">ISSUE, UP</option>
    <option name="rangeColors">orange, green</option>
  </single>
</panel>
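An added example, not the poster's code and not Splunk code: the same two-stage computation in Python, so the per-app labelling and the single-value rollup can be checked against known input before being wired into SPL. The app names and request lines are constructed; the status capture mirrors the post's rex (a quoted string, whitespace, then digits). One assumption differs from the post's counters: only 2xx is counted as a pass here, with 3xx counted as neither pass nor fail.

```python
import re
from collections import defaultdict

# Constructed (app, message) pairs, not real traffic: the quoted request is
# followed by the HTTP status, which is what the post's rex extracts.
SAMPLE = [
    ("abc", 'GET "/api/users" 200'),
    ("abc", 'GET "/api/users" 200'),
    ("abc", 'POST "/api/orders" 503'),
    ("xyz", 'GET "/health" 200'),
    ("xyz", 'GET "/health" 200'),
    ("xyz", 'GET "/login" 500'),
    ("xyz", 'GET "/login" 502'),
    ("xyz", 'GET "/login" 504'),
    ("def", 'GET "/" 200'),
    ("def", 'GET "/" 304'),      # 3xx: neither pass nor fail (assumption noted above)
]

# Same shape as the post's rex: quoted string, whitespace, digits.
STATUS_RE = re.compile(r'"[^"]*"\s(?P<status>\d+)')


def label_for(error_rate):
    """Stage 1 label with the post's thresholds: >50 DOWN, >5 ISSUE, else UP."""
    if error_rate > 50:
        return "DOWN"
    if error_rate > 5:
        return "ISSUE"
    return "UP"


def per_app_error_rates(lines):
    """Return {app: (error_rate_percent, label)} from (app, message) pairs."""
    counts = defaultdict(lambda: [0, 0])           # app -> [pass_count, fail_count]
    for app, msg in lines:
        m = STATUS_RE.search(msg)
        if not m:
            continue                                # no status field: not counted
        code = int(m.group("status"))
        if 200 <= code < 300:
            counts[app][0] += 1
        elif code >= 400:
            counts[app][1] += 1
    result = {}
    for app, (ok, bad) in counts.items():
        total = ok + bad
        rate = round(100.0 * bad / total, 2) if total else 0.0   # avoid divide-by-zero
        result[app] = (rate, label_for(rate))
    return result


def overall_status(per_app):
    """Stage 2 rollup for the single-value panel: the worst label present wins."""
    labels = {label for _rate, label in per_app.values()}
    if "DOWN" in labels:
        return "DOWN"
    if "ISSUE" in labels:
        return "ISSUE"
    return "UP"


if __name__ == "__main__":
    rates = per_app_error_rates(SAMPLE)
    for app, (rate, label) in sorted(rates.items()):
        print(f"{app}: {rate}% -> {label}")
    print("Status:", overall_status(rates))
```

With the constructed input, abc is at 33.33% (ISSUE), xyz at 60% (DOWN) and def at 0% (UP), so the rollup is DOWN. Keeping the numeric rate separate from its label, rather than turning the rate into a string early, is what lets the second stage compare labels cleanly.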
Hi Everyone, I am looking for a little advice. I am currently searching Splunk against multiple sets of variables to see if there are any events in the past 90 days; however, I am running into an issue with there being too many events that my search is parsing through. I don't need to see the total number of events that matched, only whether there were at least 10 events that matched. Since there are 100+ sets of variables to check, doing it by hand one at a time seems tedious and lengthy. Would you be able to help me limit the events parsed so that it stops checking a set once it reaches a predetermined amount? Here is an example of my search:

index=blah sourcetype=blah (name=Name1 ip=IP1 id=id1) OR (name=Name2 ip=IP2 id=id2) OR (name=Name3 ip=IP3 id=id3) OR .... (name=Name105 ip=IP105 id=id105)
| stats count by name, ip, id

Any and all help would be appreciated.
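An added example, not the poster's search and not Splunk code: the early-stop logic the post describes, in Python, over a constructed event stream. A `stats count by ...` has no per-group "stop after N", so it reads every matching event; this shows the behaviour the post wants if the matching events are pulled out of the search (for example by exporting the job's results) and checked client-side. The target triples and the event counts are made up.

```python
from collections import Counter

THRESHOLD = 10

# Constructed (name, ip, id) sets standing in for the post's 100+ combinations.
TARGETS = [
    ("Name1", "IP1", "id1"),
    ("Name2", "IP2", "id2"),
    ("Name3", "IP3", "id3"),
]


def make_events():
    """Constructed event stream, 49 events: Name1 appears 35 times, Name2 3 times,
    Name3 10 times, plus one event that matches no target."""
    ev = [{"name": "Name1", "ip": "IP1", "id": "id1"}] * 25
    ev += [{"name": "Name2", "ip": "IP2", "id": "id2"}] * 3
    ev += [{"name": "Name3", "ip": "IP3", "id": "id3"}] * 10
    ev += [{"name": "Other", "ip": "IP9", "id": "id9"}]
    ev += [{"name": "Name1", "ip": "IP1", "id": "id1"}] * 10
    return ev


def find_reached(events, targets, threshold=THRESHOLD):
    """Single pass over events. A target stops being counted the moment it
    reaches `threshold`, and the scan ends early once every target has.
    Returns ({target: reached_bool}, number_of_events_scanned)."""
    pending = set(targets)          # targets still below the threshold
    counts = Counter()
    scanned = 0
    for ev in events:
        if not pending:
            break                   # every set answered: no need to read further
        scanned += 1
        key = (ev["name"], ev["ip"], ev["id"])
        if key in pending:          # all three fields must match, as in the search
            counts[key] += 1
            if counts[key] >= threshold:
                pending.discard(key)
    return {t: t not in pending for t in targets}, scanned


if __name__ == "__main__":
    reached, scanned = find_reached(make_events(), TARGETS)
    for target, ok in reached.items():
        print(target, "reached" if ok else "below threshold")
    print("events scanned:", scanned)
```

The early exit only pays off when every set reaches the threshold; a set with too few events forces the scan to the end of the stream, which is why the 90-day window itself is the larger cost to trim. The events still have to be retrieved from Splunk before this loop sees them, so this trades search time for transfer time rather than removing the work.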
Hi, I want to connect live data of various applications from AppDynamics to Splunk ITSI in CSV format. How can I achieve this? Can anyone help me? I would be grateful for some guidance from this community.

Thanks and Regards,
Abhigyan.