Hi, we are currently trying to test an HTTP Event Collector token by directly sending events to the cloud before we use the HEC for an OpenTelemetry Connector, but we are getting stuck at a 403 Forbidden error. Is there something wrong with this curl command? Not sure if it affects anything, but we are still on Splunk Cloud Classic. Screenshots attached; appreciate any help we can get!
When trying to schedule a PDF delivery for a dashboard, the error message Parameter "name" must be 100 characters or less is displayed. The dashboard runs fine, export PDF has no issues. Where do I find this "name" parameter?
Hi, the AppD Ansible collection for the machine agent has an issue: if you want to change the values of tier, application, or node_name but they already have values in the conf file, you cannot change them without first uninstalling and then re-installing the agent. I can't give a link to the git repo, because the Ansible collection does not expose which git repo the collection was synced from. The collection page is https://galaxy.ansible.com/ui/repo/published/appdynamics/agents/, which also contains a tarball of the code. The specific code is in both: roles/java/tasks/merging-controller-info.yml (starting line 98) and roles/machine/tasks/merging-controller-info.yml (starting line 108). I can submit a PR for this if you point me to the git repo for it, or I would request that it either. Any suggestions or a way through?
Hi, In our environment, we utilize Windows security logs for our security purposes. To reduce licensing costs, I'm considering switching the render XML setting to false. I'm wondering if this is advisable, especially given our focus on security use cases. Could you highlight the major distinctions between using XML and non-XML formats for these logs? Thanks.
Hi team, I have the following search, and I want to trigger an alert when the condition is 'OFFLINE'. Note that we receive logs every 2 minutes, and the alert should be triggered only once; subsequent alerts should be suppressed. Similarly, when the condition becomes 'ONLINE', I want to trigger an alert only once, with subsequent alerts being suppressed. I hope my requirement is clear.

index="XXXX" invoked_component="YYYYY" "Genesys system is available"
| spath input=_raw output=new_field path=response_details.response_payload.entities{}
| mvexpand new_field
| fields new_field
| spath input=new_field output=serialNumber path=serialNumber
| spath input=new_field output=onlineStatus path=onlineStatus
| where serialNumber!=""
| lookup Genesys_Monitoring.csv serialNumber
| where Country="Egypt"
| stats count(eval(onlineStatus="OFFLINE")) AS offline_count count(eval(onlineStatus="ONLINE")) AS online_count
| fillnull value=0 offline_count
| fillnull value=0 online_count
| eval condition=case(
    offline_count=0 AND online_count>0, "ONLINE",
    offline_count>0 AND online_count=0, "OFFLINE",
    offline_count>0 AND online_count>0 AND online_count>offline_count, "OFFLINE",
    offline_count>0 AND online_count>0 AND offline_count>online_count, "OFFLINE",
    offline_count=0 AND online_count=0, "No data")
| search condition="OFFLINE" OR condition="ONLINE"
| table condition
Hello, is it possible to get the serial numbers of Windows/Linux machines being ingested into Splunk using the Splunk Add-on for Windows or Linux? Thanks
Our custom app had changes to the views, and these changes are not getting updated. I have zipped the custom app and followed the install-from-file process. The custom app passed AppInspect version 3.0.3 after I figured out how to run the slim generate-manifest command. It took a few tries to get it correct, but I have uploaded this custom app to Splunk Cloud. When I use the app, I expect the latest XML code for our custom views to be used, but the data is not displaying correctly in the chart. When I click on the "Open in search" icon, I get an old version of the view's search query, so that explains why the chart looks funny. Has anyone dealt with this before? Are there tricks to clearing out the obsolete views when uploading a new version? I have incremented the minor and release versions, based on other reasons. I do know the cloud expects the versions to increment. Our last working version was 1.0.115 and my current version is 1.1.7.
My Linux webserver is running Apache and I'd like Splunk to analyze the logs. I'm using the "Splunk App for Web Analytics". I followed the documentation, imported my Apache log files and installed the "Splunk Add-on for Apache Web Server". My Apache logs are getting properly parsed in Splunk, and I updated the eventtype web-traffic to point to the logs by sourcetype. I'm running into a problem configuring the Web Analytics app. It found two log files (access_log and ssl_access_log) and I pointed them to the site's domain. access_log appears to be configured correctly, but ssl_access_log gives the error "Site not configured". Lastly, running "Generate user sessions" and "Generate pages" shows zero events. There are no results in any of the app's dashboard menus, but I do see plenty of logs in the raw search. Any idea what's going on? Here are two screenshots of my configs:
Hi everybody, maybe a noob question: when I configure the JavaScript agent, I noticed that you just have to copy and paste a script into the main page of your web app. The AppKey value is included in that script, but this AppKey is visible if you open the dev tools of any browser. Is there any problem or risk if I leave the AppKey visible in my web app? Any suggestion on how to hide it? I'm working with SvelteKit, but I guess it will be the same for most JavaScript frameworks.
I wish I were more well-versed in the various deployment architectures for Splunk and what they mean as far as app/add-on deployment, but I'm not and am stuck at the moment. A customer has asked whether an app we have published to Splunkbase supports Search Head Clustering. Having read through some documentation on what it is and how it works, I'm still uncertain as to what that means with respect to my app. Does anyone know (or can point me to a resource that I've yet to unearth) what "support Search Head Clustering" means, how I would know whether my app supports it, and what must be done by an app developer to support it? I can say with certainty that we did not do anything special during the development process to support this, but that doesn't mean it isn't supported inherently... so I'm at a loss.
We are in the process of implementing SAML configuration in Splunk, utilizing an external .pem certificate. However, Splunk does not accept this certificate. How can we obtain an external certificate in Splunk to successfully configure SAML? Additionally, for SAML integration, we are utilizing NetIQ Access Manager.
I have a Splunk result like below.

VM   col1   col2
vm1  car    sedan
vm2  car    sedan
vm3  plane  Priv
vm4  bike   Fazer
vm5  bike   thunder

I would like to make them in the format below; would you please suggest how. I want to merge the same value into one (merge columns).
Hello, I am working on creating a search that evals results and adds boolean strings. The results will then be passed as a token to later searches. The result of the search could be a single ID or multiple IDs. The idea is that the first panel lists IDs. The next panel in the dashboard will search an index, but only for IDs from the first panel. For example, Panel 1:

index=db source=MSGTBL MSG_src="XXXX" MSG_DOMAIN="CCCCCCCC" "<messageType>AAA</messageType>"
| eval MSGID1="MSGID="+MSGID+" OR"
| table MSGID

might give you a table of MSGIDs:

MSGID=56454GF-5RT1KL-566IOS-FT5GFAS OR
MSGID=56454GF-65WE-566IOS-5845UIK OR
MSGID=SD8734-DFH745-DFHJ7867-GKJH8 OR

I can then set that as a token like:

<done>
  <set token="tokMSGID1">$result.MSGID1$</set>
</done>

The issue I'm having is that if there is only a single MSGID it will have an 'OR' at the end, and likewise the last result in a set of IDs will have the 'OR' at the end. Can anyone tell me, search-wise, how to handle this? Thanks!
Hi, when I execute this search, index=foo | stats count by _raw, sourcetype, source, host | where count>1 , I'm able to observe events with counts higher than 1. However, I'm uncertain if these events are being duplicated. Is there an alternative search method I can use to verify whether these events are being double-ingested? Thanks.
Hello, at the moment we are indexing JSON files in Splunk and then renaming the fields with a Field Alias function. This leads to the problem that we cannot use tStats on these renamed fields anymore. Now to the question: is there a way to rename the fields with Splunk before indexing the data? The goal is that we can use tStats on all fields with the new renamed names.
index=jedi domain="jedi.lightside.com" (master!="yoda" AND master!="mace" AND master="Jinn")
| table saber_color, Jname, strengths, mentor, skill, domain, mission

index=sith broker sithlord!=darth_maul
| table saber_color, Sname, strength, teacher, actions

I need to list where Jname=Sname, but I need to list all columns. The third one is where Jname!=Sname. The caveat is I cannot use join for this query. This helped, however I am unable to utilize the index drilldown for each in the search; otherwise the query is 75% white noise.

index=jedi OR index=sith
| eval name=coalesce(Jname, Sname)
| stats values(name) as names by saber_color strengths
| where mvcount(names)=1

Please help.
Hi, I want to import the entities via csv to entity management in Splunk ITSI, so please help me with this. Thanks
Hello experts, I currently have a CSV file that contains fields such as ID, IP, OS, status, tracking_method, Last_boot, First_found_date, last_activity, hostname, domain, etc. I want to ingest it as metrics data. Is it possible? I'd appreciate any guidance or examples on how to achieve this. Thanks in advance
Getting "Unexpected error downloading update: Connection reset by peer" while trying to install an add-on from Splunkbase (via 'Find more apps'). Internet is connected, and I'm able to access the Splunk application as well. Only the installation is failing. Prior to this, I was getting an SSL error when I tried to open this page. Then I set sslVerifyServerCert to false, after which the page started loading. I'm not sure if some SSL-related blocking still exists. Any suggestions around getting through this?
Does Splunk share a common user base amongst all Splunk products? Which API request fetches audit logs or events for Splunk users?