Panel_1:
<set token="V20">$result.value_20$</set>
<set token="V40">$result.value_40$</set>
<set token="V0">$result.value_0$</set>
<set token="V100">$result.value_100$</set>

Panel_2:
<format type="color" field="&gt;6hrs-&lt;8hrs">
  <colorPalette type="expression">case(value&lt;="$V20$", "#006400", value&gt;"$V20$" AND value&lt;="$V40$", "#ffb200", value&gt;"$V40$", "#800000")</colorPalette>
</format>
<format type="color" field="&gt;8hrs-&lt;10hrs">
  <colorPalette type="expression">case(value&lt;="$V20$", "#006400", value&gt;"$V20$" AND value&lt;="$V40$", "#ffb200", value&gt;"$V40$", "#800000")</colorPalette>
</format>
<format type="color" field="&gt;10hrs-&lt;12hrs">
  <colorPalette type="expression">case(value&lt;="$V20$", "#006400", value&gt;"$V20$" AND value&lt;="$V40$", "#ffb200", value&gt;"$V40$", "#800000")</colorPalette>
</format>
<format type="color" field="&gt;12hrs-&lt;14hrs">
  <colorPalette type="expression">case(value&lt;="$V20$", "#006400", value&gt;"$V20$" AND value&lt;="$V40$", "#ffb200", value&gt;"$V40$", "#800000")</colorPalette>
</format>
<format type="color" field="&gt;14hrs-&lt;16hrs">
  <colorPalette type="expression">case(value&lt;="$V20$", "#006400", value&gt;"$V20$" AND value&lt;="$V40$", "#ffb200", value&gt;"$V40$", "#800000")</colorPalette>
</format>

The above is the scenario: I have created the tokens from the Panel_1 result and am passing those tokens into the colorPalette expression to highlight the cells dynamically, but I am not able to reach the desired output. How can I reach the desired output?
I want to download the trial version of Splunk Enterprise. I managed to register. Whenever I try to log in to Splunk.com, it keeps showing a 403 error. I tried with both Chrome and Firefox, same error. Both browsers are the latest version.
When I click on Login, it redirects to the following URL and shows a 403 error:
https://www.splunk.com/saml/login?module=nav&redirecturl=https://www.splunk.com/
Windows 11 (updated with the latest MS patches) and home network.
I already tried the following:
- rebooted the laptop and router
- cleared the browser caches
- added www.splunk.com to the trusted zone
- disabled Windows Firewall
- disabled AV
Anything else I should be checking?
Hello, I have events in this format:
<servername> <metricname> <epochtime> <metricvalue>
These events come from HEC to a heavy forwarder and are then forwarded to indexers. I would like to set Splunk to recognize <epochtime> as the event timestamp. <servername> and <metricname> are alphanumeric words with no whitespace inside, while <metricvalue> is numerical. <epochtime> is a 10-digit integer epoch time.
I've set up the props.conf file on the heavy forwarder as follows:
[sourcetypename]
TIME_FORMAT = %s
But events are not indexed with the correct timestamp. I also tried to add this property:
TIME_PREFIX = \S+\s\S+\s
But no luck.
Can you help me understand what I am doing wrong?
EDIT: Log example:
mywebserver123 SOME_METRIC 1706569460 5
myotherwebserver456.domain.com ANY_OTHER_NAME 1706569582 3
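A props.conf stanza for the format described in the post, added here as an example and not the poster's own configuration. It assumes the sourcetype bound to the HEC token is literally sourcetypename, as in the post, and that the heavy forwarder is the first full Splunk instance the events reach.

```ini
# props.conf on the heavy forwarder, e.g. $SPLUNK_HOME/etc/system/local/props.conf
# (or the local/ directory of an app deployed there). The heavy forwarder parses
# the HEC data, so this is the tier where timestamp settings take effect; the
# indexers do not re-parse what a heavy forwarder has already cooked.
# The stanza name must equal the sourcetype set on the HEC token (assumed here).
[sourcetypename]
# One event per line.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Skip "<servername> <metricname> " so that timestamp extraction starts at the
# epoch field. The ^ anchor stops digits inside the server name (mywebserver123)
# from being tried as a timestamp first.
TIME_PREFIX = ^\S+\s+\S+\s+
# Ten-digit Unix epoch in seconds.
TIME_FORMAT = %s
# Stop reading after the epoch digits so <metricvalue> is never consulted.
MAX_TIMESTAMP_LOOKAHEAD = 10
```

After saving, restart splunkd on the heavy forwarder (props.conf is read at startup) and confirm the stanza that is actually in effect with `splunk btool props list sourcetypename --debug`. Two things commonly explain the symptom even when the stanza is right: the HEC client sends a `time` key in the event envelope, which takes precedence over anything props.conf extracts, or the sourcetype on the HEC token is not the one the stanza names. Extraction failures are logged on the heavy forwarder and can be found with `index=_internal component=DateParserVerbose`.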
I am trying to install the credential package on the Splunk universal forwarder and need help with a few queries. When I download the package from the Splunk Cloud Platform (Apps --> Universal Forwarder --> Download UF credentials), the package is downloaded to my local machine, but I am unable to locate the downloaded package on my machine. Please assist me: where can I find the downloaded credential package?
Hi, would you mind helping with this? I have been working for days to figure out how I can pass a lookup file subsearch as a "like" condition in the main search, something like these two examples:
1)
. . main search | where like(onerowevent, "%".[search [| inputlookup blabla.csv | <whatever_condition_to_make_onecompare_field> | table onecompare }]."%"]])
2)
. . main search | eval onerowevent=if(like(onerowevent,, "%".[search [| inputlookup blabla.csv | <whatever_condition_to_make_onecompare_field> | table onecompare }]."%"]])),onerowevent,"")
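The subsearch pattern that does what the two attempts above reach for, added as an example and not part of the original post. It keeps the post's names (blabla.csv, onecompare, onerowevent); `index=web sourcetype=access_combined` stands in for the main search and the `where`/`dedup` lines stand in for the post's own condition that produces onecompare, both assumptions.

```spl
index=web sourcetype=access_combined
| search [ | inputlookup blabla.csv
           | where isnotnull(onecompare)
           | dedup onecompare
           | eval onerowevent="*" . onecompare . "*"
           | fields onerowevent ]
| table _time onerowevent
```

Splunk rewrites the subsearch's rows into `(onerowevent="*v1*") OR (onerowevent="*v2*") ...`, so the `*` wildcard plays the role of `%` in like(); you can see the generated expression by running the subsearch on its own with `| format` appended. Two differences from like(): search matching is case-insensitive while like() is case-sensitive, and a subsearch returns at most 10,000 rows by default (subsearch_maxout in limits.conf), above which the list is silently truncated. For the second form, keeping every row but blanking the field when nothing matches, the subsearch cannot be placed inside eval; define the lookup with `match_type = WILDCARD(onecompare)` in transforms.conf, store the values as `*value*`, and use `| lookup` to output a match field that eval can test with isnotnull().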
Hi Splunkers, I don't need the value in the first line and need that value later in the search to filter, so I tried this way to skip the value:
dmz type IN (if($machine$=="DMZ",true,$machine$)
Will that work? Thanks in advance!
My current search is:
| from datamodel:Remote_Access_Authentication.local | append [| inputlookup Domain | rename name as company_domain] | dest_nt_domain
How do I get the search to only list items in my table where | search dest_nt_domain=company_domain? Is there another command other than append that I can use with inputlookup? I do not need to add it to the list. I'm just trying to get the data in to compare against the data model.
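An added example, not from the post, of doing the comparison with `lookup` instead of `append`. It assumes Domain is a lookup definition (or CSV file) with a column named name, as the post's `inputlookup Domain | rename name ...` implies.

```spl
| from datamodel:Remote_Access_Authentication.local
| lookup Domain name AS dest_nt_domain OUTPUT name AS company_domain
| where isnotnull(company_domain)
| table _time dest_nt_domain company_domain
```

append adds the lookup rows as extra results beneath the data model events, so no single row ever holds both dest_nt_domain and company_domain, and `search dest_nt_domain=company_domain` compares against the literal string company_domain in any case. lookup joins each event to the lookup row whose name equals its dest_nt_domain, so company_domain is populated only for domains that are in the list and the where clause keeps those; `where isnull(company_domain)` lists the domains that are not in the list instead. Lookup matching is exact and, for CSV lookups, case-sensitive unless the lookup definition sets case_sensitive_match to false; NetBIOS domain names in authentication logs are often upper-case, so either normalise both sides or change that setting.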
Hi, I have a JSON object of the following type:
{
  "time": "14040404.550055",
  "Food_24ww": {
    "Grains": {
      "status": "OK",
      "report": {
        "2014": { "type": "rice", "prod": "50", "rate": "30" },
        "2015": { "type": "pulses", "prod": "50", "rate": "30" }
      }
    },
    "Beverages": {
      "status": "Good",
      "2014": { "type": "pepsi", "prod": "50", "rate": "60" },
      "2015": { "type": "coke", "prod": "55", "rate": "30" }
    }
  }
}
I want to extract all the key values inside the "report" key for "Grains" and "Beverages". That is, for Grains I want 2014 (and the key values inside it) and 2015 (and the key values inside it), and similarly for Beverages.
Now the challenge is that none of the JSON keys up to "report" are constant. The first key "Food_24ww" and the next-level keys "Grains" and "Beverages" are not constant.
Thanks
Hello. I am a Splunk newbie. I have a question about the replication factor in search head clustering. Looking at the docs, it says that search artifacts are only replicated for scheduled saved searches.
https://docs.splunk.com/Documentation/Splunk/9.1.2/DistSearch/ChooseSHCreplicationfactor
I'm curious as to the reason for and advantage of replicating search artifacts only in this case. And then, in the case of a real-time search, is it correct that search artifacts are not replicated and only remain on the local server? In that case, in a clustering environment, member 2 should not be able to see the search results of member 1. But I can view them by using the loadjob command on member 2. Then, wouldn't it be possible to view real-time search artifacts as well? Thank you
Hello Team, we have deployed the machine agent as a sidecar (a different container within the pod) for Apache in OSE. It's working for most of the pods, but for one pod we are getting the error below.
code-external-site-ui-sit-50-gm9np==> [system-thread-0] 23 Jan 2024 08:22:14,654 DEBUG RegistrationTask - Encountered error during registration.
com.appdynamics.voltron.rest.client.NonRestException: Method: SimMachinesAgentService#registerMachine(SimMachineMinimalDto) - Result: 401 Unauthorized - content:
    at com.appdynamics.voltron.rest.client.VoltronErrorDecoder.decode(VoltronErrorDecoder.java:62) ~[rest-client-1.1.0.245.jar:?]
    at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:156) ~[feign-core-10.7.4.jar:?]
    at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:80) ~[feign-core-10.7.4.jar:?]
    at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:100) ~[feign-core-10.7.4.jar:?]
    at com.sun.proxy.$Proxy114.registerMachine(Unknown Source) ~[?:?]
    at com.appdynamics.agent.sim.registration.RegistrationTask.run(RegistrationTask.java:147) [machineagent.jar:Machine Agent v23.9.1.3731 GA compatible with 4.4.1.0 Build Date 2023-09-20 05:14:38]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) [?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
    at java.lang.Thread.run(Thread.java:834) [?:?]
code-external-site-ui-sit-50-gm9np==> [system-thread-0] 23 Jan 2024 08:22:17,189 DEBUG GlobalTagsConfigsDecider - Global tags enabled: false
code-external-site-ui-sit-50-gm9np==> [system-thread-0] 23 Jan 2024 08:22:17,189 DEBUG RegistrationTask - Running registration task
code-external-site-ui-sit-50-gm9np==> [system-thread-0] 23 Jan 2024 08:22:17,256  WARN RegistrationTask - Encountered error during registration. Will retry in 60 seconds.
code-external-site-ui-sit-50-gm9np==> [system-thread-0] 23 Jan 2024 08:22:17,256 DEBUG RegistrationTask - Encountered error during registration.
We have cross-verified and everything looks good from the configuration end. Kindly help us with your suggestions.
Hi Team, we have opted for 250 GB of licensing on a daily basis. So if license usage reaches more than 70% (i.e. 175 GB) I need to get an alert; similarly, if it reaches 80% or more (i.e. 200 GB) I need to get another alert, and finally if it crosses 90% (i.e. 225 GB) I need to get another alert. Can you help me with the search query?
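A search for the three thresholds, added as an example and not taken from the post. It reads the license manager's license_usage.log, so it has to run on the license manager or on a search head that can search the license manager's _internal index; the 250 GB quota is hard-coded from the post rather than read from the licenser.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=@d latest=now
| stats sum(b) AS used_bytes
| eval used_GB=round(used_bytes/1024/1024/1024, 2)
| eval quota_GB=250
| eval pct=round(used_GB/quota_GB*100, 1)
| eval tier=case(pct>=90, 90, pct>=80, 80, pct>=70, 70, true(), null())
| where isnotnull(tier)
| table used_GB quota_GB pct tier
```

type=Usage rows are the per-slice records the license manager writes; summing their b field since midnight gives today's consumption in the same midnight-to-midnight window the license is measured in (the license manager's local time, so run it there or on a search head in the same timezone). Schedule the search every 5 to 15 minutes with the trigger condition "number of results > 0". For three separate notifications either save three copies whose last line is `where pct>=70 AND pct<80`, `where pct>=80 AND pct<90` and `where pct>=90`, or keep one alert and throttle on the tier field so each tier fires once per day. If _internal is not available from the search head, `| rest /services/licenser/pools` exposes the pool's used bytes and quota directly from the licenser.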
Hi, I have database1 and database2. I have query1 to get the data from database1 and query2 to get the data from database2, and query3 to get the unique values from database2 which don't exist in database1. Now my requirement is to combine the common values in both databases using query1 & query2, together with the unique values from query2 (database2) which don't exist in database1. Please provide me the Splunk query.
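An added example, not from the post, that pulls both result sets into one search and classifies each key. The connection, table and column names are assumptions; the one requirement is that both SELECTs return the join key under the same name (id here).

```spl
| dbxquery connection="database1_conn" query="SELECT id, value FROM table1"
| eval source_db="database1"
| append [ | dbxquery connection="database2_conn" query="SELECT id, value FROM table2"
           | eval source_db="database2" ]
| stats values(value) AS value values(source_db) AS source_db dc(source_db) AS db_count BY id
| eval category=case(db_count=2, "common",
                     source_db="database2", "only_in_database2",
                     true(), "only_in_database1")
| where category!="only_in_database1"
| table id category source_db value
```

db_count=2 is the intersection of query1 and query2; keys seen only from database2 are query3's result; keys seen only from database1 are dropped by the final where. append is bounded by the subsearch limits (50,000 rows and 60 seconds by default), so for large tables either do the set logic in SQL on one of the databases or load the smaller result into a lookup and use lookup as the join.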
Dear Team, is it possible to join a Splunk license server through proxies? I found this, but I don't know if it applies to this context:
https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/ConfigureSplunkforproxy
Regards,
I have installed Splunk and added Windows systems to Splunk through the universal forwarder, but I have a problem with the default system names: these names confuse me when I check their status. I want to use an alias name or rename the hostname so that I can identify a system by its name in search. For example, I want to change the hostname "WIN-KLV1NNUJO8P" to "mydashboard". Please help me; I can't find an answer for this problem and the solutions that I found on the internet are not working.
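Setting the host value on the forwarder itself, added here as an example and not the poster's configuration. The path follows a default Windows install of the universal forwarder; the WinEventLog stanza is illustrative.

```ini
# C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
# "host" in the [default] stanza is inherited by every input on this
# forwarder that does not set its own, so all data from WIN-KLV1NNUJO8P
# is indexed with host=mydashboard.
[default]
host = mydashboard

# Alternatively set it per input, if only some data should carry the alias.
[WinEventLog://Security]
host = mydashboard
```

Restart the forwarder afterwards and verify the effective value with `splunk btool inputs list default --debug`, which also shows whether an app pushed by a deployment server sets host as well. The change applies only to events indexed from then on; data already indexed keeps the old host, and searches over that period still need host=WIN-KLV1NNUJO8P. If you would rather keep the real machine name in the host field (useful in forensics, where the name in the event should match the machine it came from), a CSV lookup mapping host to a friendly alias, applied as an automatic lookup, gives the same readability at search time without rewriting data.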
Can someone help me with a query for getting logs in descending order based on the API execution time printed in the logs?
Hi everyone, I would like to ask if I can create a field alias for _indextime and _time and then set this alias as a default field for all sourcetypes?
Hello. I am a security researcher analysing the CVE-2023-46214 vulnerability. I think this vulnerability is a problem with using exsl:document. So I want to block packets containing exsl:document, but is exsl:document used in real life? Is this a feature that is officially supported by Splunk?
Hello, I have a Windows machine with a UF installed on it. How can I configure my universal forwarder to ingest Windows performance monitoring logs into Splunk? Our Windows source server, which Splunk should be getting the performance data from, is located in a different location. Any help would be greatly appreciated. Thank you!
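An example inputs.conf for Windows performance counters, added here and not taken from the post. The counter objects, intervals and the perfmon index are assumptions; the index must already exist on the indexers.

```ini
# inputs.conf in $SPLUNK_HOME\etc\apps\<your_app>\local on the Windows server.
# perfmon:// inputs read counters on the machine the forwarder runs on, so the
# UF must be installed on the source server itself; its location relative to
# the indexers only matters for the forwarding connection (outputs.conf).
[perfmon://CPU]
object = Processor
counters = % Processor Time; % User Time
instances = _Total
interval = 10
index = perfmon
disabled = 0

[perfmon://Memory]
object = Memory
counters = Available MBytes; Pages/sec
interval = 10
index = perfmon
disabled = 0

[perfmon://LogicalDisk]
object = LogicalDisk
counters = % Free Space; Avg. Disk Queue Length
instances = *
interval = 60
index = perfmon
disabled = 0
```

Counters within one stanza are separated by semicolons, and `instances = *` collects every instance of the object; events arrive with sourcetype Perfmon:<stanza name>. The Splunk Add-on for Microsoft Windows ships these stanzas (disabled) together with the field extractions, so deploying that add-on to the forwarder and enabling the stanzas you need is the usual route. Confirm delivery with `index=perfmon | stats count by host, sourcetype`; if nothing arrives, check that the forwarder can reach the indexers' receiving port (9997 by default) from its location.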
January 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We're back with another edition of indexEducation, the newsletter that takes an untraditional twist on what's new with Splunk Education. We hope the updates about our courses, certification, and technical training will feed your obsession to learn, grow, and advance your careers. Let's get started with an index for maximum performance readability: Training You Gotta Take | Things You Needa Know | Places You'll Wanna Go

Training You Gotta Take
New Stuff for the New Year | Ring it In
If self-improvement is on your list of new year's resolutions, then ring in the new year with fresh Splunk Education courses published regularly in the Splunk learning catalog. Learning is a valuable way to improve your outlook and your opportunities, so get started by exploring the Splunk Training and Enablement Platform (STEP) to find courses tailored to your interests in security, cloud, and Observability. Also, make sure to take a peek at our most recent Release Announcements. If you're considering signing up for paid training, remember to touch base with your Org Manager to access your company's Training Units. New year, new you!
Gotta Get Current | Tune into New Releases
Say Hola | Embracing Diversity in Education
In our vast world of 8 billion individuals and more than 7,000 languages, Splunk Education is committed to ensuring that we all feel a bit more connected by offering educational and certification materials in a broader range of languages. We're excited to announce the availability of free, self-paced eLearning courses featuring Spanish subtitles. Stay tuned for an expanding selection of content and subtitles in various languages. Muchas gracias for joining us on this journey!
Gotta Be Clear | Spanish Captions are Here

Things You Needa Know
The Proof | Learning Splunk is a Career-Booster
A picture paints a thousand words, but an infographic validates it with facts and figures. Last month we shared our Splunk 2023 Career Impact Report showing that proficiency in using Splunk offers a competitive edge for users and customers. Prefer a snapshot of the report? Then check out the stats and metrics behind the survey in the new Career Impact Survey Infographic. [Sneak peek: More proficient Splunk users earn 131% more than less proficient users.]
Needa Know the Numbers | Quantify your Career Resilience
Rewards are In the Cards | Get Schooled, Get Swag!
With Splunk's Learning Rewards Program you may be well on your way to earning that classic, old school Splunk T-shirt you've had your eye on or one of the top-selling Splunk items we sold at .conf23. Learners earn points for each paid Splunk Education course completed, which can then be redeemed for super-fun Splunk swag. Blankets, and batteries, and backpacks, oh my!
Needa Know How to Earn | Rewards for Paid Course Completion

Places You'll Wanna Go
Our New Learn Splunk Site | All the Ways to Learn Splunk
Discover Splunk mastery on the new Learn Splunk site, offering flexible learning tailored to your pace. Dive into self-paced courses, ranging from free basics to advanced eLearning with labs, available anytime, anywhere. Enhance your skills with expert-led, interactive training, both virtually and in-person, through our Authorized Learning Partners in multiple languages. Elevate your career with our wide range of industry-recognized certifications, validating your Splunk expertise and enhancing your professional value. Find us at Learn Splunk and get started on your own comprehensive, adaptable learning journey.
Wanna Learn on Your Terms | Check Out the New Learn Splunk Site
Splunk University | The Ultimate .conf® Learning Experience
Splunk University offers an immersive pre-conference training program designed to enhance your understanding and mastery of Splunk products. Engage in a dynamic, interactive, and hands-on environment to gain new insights and deepen your Splunk expertise. Tailored to your learning objectives, we offer one-, two-, and three-day boot camps. Stay tuned for detailed information about Splunk University at .conf24, coming soon. Meanwhile, if you wanna go places, explore everything that Splunk Training and Certification offers to get you moving in the right direction.
Wanna Go Get Schooled | Take it to Vegas

Find Your Way | Learning Bits and Breadcrumbs
Go Global | Learn in Your Own Language, In Your Own Region
Go to STEP | Get Upskilled
Go Discuss Stuff | Join the Community
Go Social | LinkedIn for News
Go Share | Subscribe to the Newsletter

Thanks for sharing a few minutes of your day with us. Whether you're looking to grow your mind, career, or spirit, you can bet your sweet SaaS, we got you. If you think of anything else we may have missed, please reach out to us at indexEducation@splunk.com.
Answer to Index This: When it's military time
Hello all, I have created an alert with the following query. The issue I'm having is that I'm not receiving the email alert even if the condition is met and events are returned.
| dbxquery query="SELECT eventTriggeredDate, APPLICATION_NAME, APPLICATION_NAMEENV, APPLICATION_GROUP, eventChain, eventType, eventMessage, eventMod, eventRule, eventSeverity FROM Admin.console.v_ES_RelevantEvents55 WHERE eventTriggeredDays <= 7 AND (APPLICATION_NAME='ABC_PRD' OR APPLICATION_NAME='XYZ-PRD') AND APPLICATION_NAMEENV='PRD'" connection="TESTING_DEV"
| lookup users_email.csv "Application Name" as APPLICATION_NAME OUTPUT "Admin email" as Admin_email "QA email" as QA_email "Developers email" as Developers_email
| lookup policy_details.csv policy_name as eventRule OUTPUT policy_description
| eval users_mail = Admin_email.",".Developers_email.",".QA_email
| stats count as Total_Events values(eventChain) as "Event Policy/Rule" values(eventType) as "Event Type" values(eventMod) as "Event Mod/Policy" values(eventRule) as "Event Rule" values(users_mail) as users_mail values(eventMessage) as eventMessage values(policy_description) as policy_description by APPLICATION_NAME, eventSeverity
| eval eventMessage=mvindex(eventMessage, 0, 20)
| where Total_Events > 10
| table APPLICATION_NAME, Total_Events, eventSeverity, "Event Type", "Event Rule", users_mail, eventMessage, policy_description
| rename APPLICATION_NAME as application_name, Total_Events as number_of_events, eventSeverity as event_severity, "Event Type" as event_type, "Event Rule" as event_rule, eventMessage as event_message
I have given the email list as $result.users_mail$, the values from the field users_mail. I see the alert being triggered but I don't receive an email. Also, is there a way we can add external links to Splunk alerts?
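The post's search with the recipient field rebuilt and a link field added, as an example and not the poster's own query. The dbxquery and lookup lines are the post's; the runbook URL is an assumption.

```spl
| dbxquery connection="TESTING_DEV" query="SELECT eventTriggeredDate, APPLICATION_NAME, APPLICATION_NAMEENV, APPLICATION_GROUP, eventChain, eventType, eventMessage, eventMod, eventRule, eventSeverity FROM Admin.console.v_ES_RelevantEvents55 WHERE eventTriggeredDays <= 7 AND (APPLICATION_NAME='ABC_PRD' OR APPLICATION_NAME='XYZ-PRD') AND APPLICATION_NAMEENV='PRD'"
| lookup users_email.csv "Application Name" AS APPLICATION_NAME OUTPUT "Admin email" AS Admin_email "QA email" AS QA_email "Developers email" AS Developers_email
| lookup policy_details.csv policy_name AS eventRule OUTPUT policy_description
| eval users_mail=mvappend(Admin_email, Developers_email, QA_email)
| stats count AS Total_Events values(eventType) AS event_type values(eventRule) AS event_rule values(users_mail) AS users_mail values(eventMessage) AS eventMessage values(policy_description) AS policy_description BY APPLICATION_NAME, eventSeverity
| eval eventMessage=mvindex(eventMessage, 0, 20)
| where Total_Events > 10
| eval users_mail=mvjoin(mvdedup(users_mail), ",")
| eval runbook_link="https://wiki.example.com/runbooks/" . APPLICATION_NAME
| table APPLICATION_NAME Total_Events eventSeverity event_type event_rule users_mail eventMessage policy_description runbook_link
```

mvappend skips null values, whereas the original concatenation `Admin_email.",".Developers_email.",".QA_email` evaluates to null as soon as one of the three lookup columns is empty for an application, which leaves $result.users_mail$ blank and sendemail with no recipient at all. After stats, values(users_mail) is a multivalue field of individual addresses; mvjoin turns it back into the comma-separated string the To: field expects. $result.<field>$ is taken from the first result row only, so with a BY clause that yields several rows either set the alert to trigger "for each result" or collapse to one row before the alert action runs. For the link, reference the new field as $result.runbook_link$ in the email message and choose the HTML message type so it renders as a hyperlink. Whether the action ran and why it failed is recorded in `index=_internal sourcetype=splunk_python` (sendemail errors) and `index=_internal sourcetype=scheduler savedsearch_name="<alert name>"`.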