Dear All, to create the below table for the Notable dashboard in ES, can you please advise. Thanks

         User1               User2
         Pending   Closed    Pending   Closed
Rule 1
Rule 2
How should I merge these 2 queries into 1?

query 1)
index="XXXX" source="XXXX"|search "SupplierRTI_AlphaAesar" |stats count AS "Total",count(eval(STATUS=="fail")) AS Failure|eval Faliurerate=(Failure/Total)*100|eval SuccessRate=100-Faliurerate|table Total,SuccessRate

query 2)
index="webmethods_prd" source="/apps/WebMethods/IntegrationServer/instances/default/logs/SupplierRTI.log"|search "SupplierRTI_AlphaAesar" | timechart span=1w count

I want a report like this; how should I form the query?
I am subscribed to a 3rd party threat intelligence called Group-IB. I have the Group-IB app for Splunk installed on my search head. My question is in regards to tuning, as I have done very little to none. Should I expect that the threat intelligence that is streaming in is being run against the events in my environment automatically? Assuming the threat intelligence is CIM compliant, should I expect that my Enterprise Security will make a notable event if there is a match?
Hi, when trying to download the Enterprise Security app, I'm getting the following message: "This app restricts downloads to a defined list of users. Your user profile was not found in the list of authorized users..." What can I do to download it?
After modifying the Controller's certificate and creating a new one, I tried to start the Controller again, but it did not start, nor did the event service.

ERROR [2024-01-06 14:15:56,850] com.appdynamics.orcha.extensions.es.health.StoreNodeHealth: Failed to connect to welcomeb/2001:0:2851:782c:1451:2eab:3b33:ff4d:9080
ERROR [2024-01-06 14:16:00,870] com.appdynamics.orcha.extensions.es.health.StoreNodeHealth: Connection failure while checking for number of data nodes on the host: welcomeB
ERROR [2024-01-06 14:16:02,866] com.appdynamics.platformadmin.core.job.JobProcessor: Platform/Job [1/a6631ee1-e56a-4689-8d9a-4da5127b1e01]: Stage [es_cluster_health_stage] failed due to [Unable to check health of Events Service hosts [welcomeB] through port 9080.]
INFO [2024-01-06 14:16:12,208] com.appdynamics.platformadmin.resources.VersionResource: Found Enterprise Console version 23.9.0-10017,
14:17:24,850] com.appdynamics.platformadmin.es.job.stages.ESClusterHealthCheckStage: Failed to reach URL [http://welcomeB:9080/v1/store/report] ! java.net.ConnectException: Connection refused: connect ! at
14:17:38,858] com.appdynamics.platformadmin.es.job.stages.ESClusterHealthCheckStage: Failed to reach URL [http://welcomeB:9080/v1/store/report] ! java.net.ConnectException: Connection refused: connect ! at
4da5127b1e01]: Stage [es_cluster_health_stage] failed due to [Unable to check health of Events Service hosts [welcomeB] through port 9080.]
INFO [2024-01-06 14:18:12,207] com.appdynamics.platformadmin.resources.VersionResource: Found Enterprise Console version 23.9.0-10017, build
INFO [2024-01-06 14:18:43,400] com.appdynamics.orcha.modules.modules.UriExec: Sending request to: http://localhost:8090/controller/rest/serverstatus
INFO [2024-01-06 14:18:56,827] com.appdynamics.orcha.extensions.es.health.StoreNodeHealth: Connection failure while checking node health status on the host: welcomeB
ERROR [2024-01-06 14:18:56,827] com.appdynamics.orcha.extensions.es.health.StoreNodeHealth: Failed to connect to welcomeb/2001:0:2851:782c:1451:2eab:3b33:ff4d:9080
ERROR [2024-01-06 14:18:56,839] com.appdynamics.platformadmin.es.job.stages.ESClusterHealthCheckStage: Failed to reach URL [http://welcomeB:9080/v1/store/report] ! java.net.ConnectException: Connection refused: connect ! at
Hello, after upgrading from 8.2 to 9.1 I noticed a change in the nav bar affecting most of the custom apps. On the right end of the nav bar, where the app logo (file appIcon*.png from the <appname>/static folder) is displayed, the app label (which is configured in app.conf as "label" in the [ui] section) is simply not showing. Strangely enough, for some applications, like "Search & Reporting", the text label is still appearing. But for the majority of the 3rd party apps from Splunkbase, and also for my own custom apps, the label is not showing at all. (For the record: the logo icon is showing, but the text label is not.) This is very annoying. After some investigation, it seems that it is NOT an issue of some CSS styling, because according to the Web Inspector in a browser, the HTML "span" element that should hold the app label is NOT populated with the value configured in app.conf/[ui]/label. The "span" element is just empty. Why is that? Regards, mr
Hi All, the Bloodhound TA creates a KV store lookup. I've been asked to take the entries in the KV store and turn them into events. I've set up an alert, but I'm not seeing the alert fire. The SPL looks like this:

| inputlookup path_principals_lookup | eval domain_id=if(isnull(domain_id), "NULL_domain_id", domain_id) | eval domain_name=if(isnull(domain_name), "NULL_domain_name", domain_name) | eval group=if(isnull(group), "NULL_Group", group) | eval non_tier_zero_principal=if(isnull(non_tier_zero_principal), "NULL_non_tier_zero_principal", non_tier_zero_principal) | eval path_id=if(isnull(path_id), "NULL_path_id", path_id) | eval path_title=if(isnull(path_title), "NULL_path_title", path_title) | eval principal=if(isnull(principal), "NULL_principal", principal) | eval tier_zero_principal=if(isnull(tier_zero_principal), "NULL_tier_zero_principal", tier_zero_principal) | eval user=if(isnull(user), "NULL_user", user) | dedup domain_id, domain_name, group, non_tier_zero_principal, path_id, path_title, principal, tier_zero_principal, user

I see statistics, but that doesn't fire the alert. Is there something I'm missing to turn the values in the KV store into events to be alerted on? TIA, Joe
I know there are similar posts about this, but I am not sure what to do or tweak here. Messages I am getting are similar to this:

01-05-2024 09:35:07.049 -0800 INFO Metrics - group=queue, ingest_pipe=1, name=indexqueue, blocked=true, max_size_kb=500, current_size_kb=499, current_size=815, largest_size=1764, smallest_size=0

I already set parallelIngestionPipelines = 2. Also, there is no indication of resource exhaustion on these Heavy Forwarders. CPU is constantly below 25% and RAM is low as well. What else can I check/do/configure to avoid this? Also, what happens to the data when this happens? Thank you!
Hello Splunkers, I wanted to set up an alert for changes to password parameters. For example, we have a policy of 15 characters minimum, which includes at least 1 lowercase, 1 uppercase and 1 special character. I want an alert to trigger if someone modifies this password rule. Thanks!
Hi all, I am trying to use the Single Value Visualization in a dashboard to keep an all-time running count of my field "id". The issue I'm running into is I have duplicate logs for "id" that are giving me an incorrect number. When I run a search with the SPL below and dedup, I get the correct number of events. But when I try to convert that into the Visualization I am having issues. Any help is appreciated, thanks!

Index="xx" label="xx" id=* | dedup id
Hello Splunkers, I need some help in understanding the difference between Auditd logging on Linux and the traditional way of capturing the log files under /var/log/*. What is it that Auditd provides which we cannot get from /var/log/*? Secondly, I'm already collecting the basic audit files that are under /var/log/ using the standard TA_Nix. If I want to go with Auditd, is there a different add-on for this? What are the available options? I would appreciate some insight on this from experienced techies. Thank you, Moh...!
I have a CSV export from Splunk, and two of the columns are timestamps. Both were converted to human-readable using convert ctime(fieldname) in the Splunk query, and show as decimal numbers in the CSV file. For example, 01/03/2024 12:49:48.192 is represented as 45294.5345855556 in the CSV file. How do I convert that decimal to a human-readable timestamp in Excel? Thanks!
Hey,  Is there a way in which I can export my dashboard pdf using python and splunk-sdk so as to get the same result you would if you clicked on the export button? 
Hi Splunk Team, I am having issues while fetching data from 2 stats count fields together. Below is the query:

index=test_index | rex "\.(?<TestMQ>.*)\@" | eval Priority_Level=case(Priority="Low", "Low", Priority="Medium", "Medium", Priority="High", "High") | stats count as TotalCount, count(eval(Priority_Level="Low")) as Low, count(eval(Priority_Level="Medium")) as Medium, count(eval(Priority_Level="High")) as High by TestMQ

This gives me a result like the example below:

TestMQ  | TotalCount | Low | Medium | High
MQNam1  | 120        | 0   | 0      | 0
MQNam2  | 152        | 0   | 0      | 0
..

The problem is that I am getting a "0" value for the Low, Medium & High columns, which is not correct. I want to combine both the stats and show the group-by results of both the fields. If I run the same query with separate stats, it gives the individual data correctly.

Case 1: stats count as TotalCount by TestMQ

index=test_index | rex "\.(?<TestMQ>.*)\@" | eval Priority_Level=case(Priority="Low", "Low", Priority="Medium", "Medium", Priority="High", "High") | stats count as TotalCount by TestMQ

Example Output:

TestMQ  | TotalCount
MQName  | 201

Case 2: stats count as PriorityCount by Priority_Level

index=test_index | rex "\.(?<TestMQ>.*)\@" | eval Priority_Level=case(Priority="Low", "Low", Priority="Medium", "Medium", Priority="High", "High") | stats count as PriorityCount by Priority_Level

Example Output:

Priority_Level | PriorityCount
High           | 20
Medium         | 53
Low            | 78

Please help and suggest. @ITWhisperer - kindly assist.
How to upgrade existing Add-on apps to newer add-on version on different computers.
Hi experts, we are getting this error consistently while querying data from Splunk Enterprise hosted in the company's internal network.

Exception in receiving splunk data 145java.lang.RuntimeException: HTTPS hostname wrong: should be <splunk_enterprise_url - splunk.org.company.com>

The line of code that causes this is:

String query = "<splunk valid query>";
Job job = service.getJobs().create(query);

Splunk SDK version used: 1.9.5

Connection to Splunk is established as follows:

String token = System.getenv("SPLUNK_TOKEN");
ServiceArgs loginArgs = new ServiceArgs();
loginArgs.setPort(8089);
loginArgs.setHost("splunk.org.company.com");
loginArgs.setScheme("https");
loginArgs.setToken(String.format("Bearer %s", token));
service = new Service(loginArgs);
log.info("service val is {}", service.toString());
Service.setValidateCertificates(false);

This was working a few days ago and suddenly it has stopped. We checked the server certificate and it is valid till March 2024. The program querying Splunk is called from a runner hosted on AWS and it has no network restrictions. Not sure what the issue is, but this issue is getting reproduced consistently. Note: surprisingly, the same program runs fine on a local machine. I cannot find out what the issue would be. Any help will be appreciated.
I want to have a query that can show me the percentage error rate in the "AccountDetailsController" service of my application. We have the metrics data coming in from Splunk, so if that has to be used, or however we can do this. Please help.
Hi, I have a requirement to add the lookup data into dashboard panels. Please could you review and help on this? How do I add the lookup data into the SPL query to display the region full name?

SPL:

index=abc sourcetype=a.1 source=a.2 | search region IN (a,b,c,d,e,f,g,h,i,j,l,m) | chart count by region

Lookup data (lookup file name regiondetails.csv):

Alias  Name
a      america
b      brazil
c      canada
d      dubai
I would want to know how to view deleted messages from the Splunk bar. For example, if I accidentally deleted a message from the Splunk bar, how can I view those messages again, either from the web UI or the CLI?
Hi, How can we install the Splunk Enterprise Compatibility app on Splunk Cloud? Are there any modifications needed to ensure it's compatible with Splunk Cloud?