Hi, I am trying to configure a UF installed on Windows machines to send logs to a HF, and then have the HF forward these logs to the indexer. I found some questions, but mostly they were very high level. If someone can explain how it will work, that would be great.
Hi, I'm using the Splunk Cloud platform for a school project. When I import my CSV files into Splunk, it doesn't seem to recognise the headers of my CSV as fields. Does anyone know how to get Splunk to recognise my headers? Thanks for any help.
I am joining two Splunk queries to capture the values which are not present in the subquery. I am trying to find the accounts which opened today but were not posted, but the query is not returning any values. Let me know if we have another way to get the values.

Query 1: Returns accounts opened today.

    index=a "digital account opened" | rename msg.requestID AccountID | table AccountID

Query 2: Accounts posted today.

    index=b "/api/posted" 200 | rex "GET /api/posted (?<accountID>\d+) HTTP 1.1" | table AccountID

Final query:

    index=a "digital account opened"
    | rename msg.requestID AccountID
    | table AccountID
    | join type=left AccountIDOpened [ search index=b "/api/posted" 200 | rex "GET /api/posted (?<accountID>\d+) HTTP 1.1" | table AccountID ]
    | search AccountIDOpened=null
    | table _time, AccountIDOpened
Hello, I currently upload data into a lookup table and also have to separately send this data manually to another team on a daily basis. Unfortunately, they do not/cannot have access to the lookup table in Splunk. Is there a way to automate this a little more by sending the data in the lookup table to a report and having that report emailed to a group of users daily?
Hi, we have onboarded Salesforce in our environment. However, when we run queries, we notice the errors below appearing continuously across the instance whenever any query is run, and also on all the dashboards.

    [idx-i- xxxx.splunkcloud.com,idx-i-04xxxx.xxxx.splunkcloud.com,idx-i-075xxx.xxx.splunkcloud.com.idx-i- Oaxxx.xxxx.splunkcloud.com,idx-i-0be.xxxx splunkcloud.com,sh-i-026xxx.xxxx.splunkcloud.com] Could not load lookup=LOOKUP-SFDC-USER_NAME
Hi everyone, I'm using Splunk for a school project and I need to upload a CSV to Splunk to make data visualisations. When I upload the file and get to the preview, it seems to recognise the table headers, but when I actually upload the file, the fields don't recognise the file headers as a field. I tried manually selecting the fields, but it didn't seem to work well when I tried to visualise it. The CSV data and what happens after I import it are below. Appreciate any help I can get!
Unable to exactly locate and install SOAR on Linux. If possible, can you please send the installation process?
Let's say I would like to query for messages that have a URL field with values other than X, Y, Z added as query parameters. How do I go about this? TIA
Hi all, I am new to Splunk. When I start Splunk, it does not show information regarding the web interface being available to access. Normally at the end there is a message saying that the web interface is available at 127.0.0.0:8000. It just disappeared; I was able to see it earlier. I don't know if I misconfigured something. Appreciate the help.
The nature of Splunk is data aggregation and standardization from digests. Could it be possible to utilize it to preprocess data for a large language model?
Hi there, I have configured the Dynatrace add-on with the proxy setup enabled (because of a firewall issue). If I run the Dynatrace URL using the API token through Postman, I get data for all the endpoints. But in Splunk we are getting connectionpool.py and modinput.py errors for the Dynatrace API Version 2 input:

    DEBUG pid=xxxxx tid=MainThread file=connectionpool.py:_new_conn:1018
    DEBUG pid=xxxxx tid=MainThread file=base_modinput.py:log_debug:298

Please guide me to fix this issue, thank you.
We need to extract the value behind "<Computer>". I have underlined it to make it easier. It would also be beneficial to have these broken out into single lines. Any help is greatly appreciated!

    <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData><RenderingInfo Culture='en-US'><Message>Creating RunspacePool object
Here is my sample data:

    start=Dec 30 2023 06:07:47 duser=NT AUTHORITY\SYSTEM dvc=10.163.142.37

I need to extract the full duser information. Splunk only grabs NT and not the remainder of the string. I have the following regex via regex101 that works; I am grabbing whatever is between 'duser=' and ' dvc':

    (?<=duser=)(.*?)(?= dvc)

I just don't quite understand how the field extraction part is supposed to work. I have tried:

    | rex field=_raw "'(?<User>(?<=duser=)(.*?)(?= dvc))'"

and

    | rex field=_raw "duser=\s+(?<User>[^\\]*)"

No errors, just not getting any data in a User field. Thanks in advance.
We are in the midst of a virtualization project, and we are looking for a way to sanity check all the different components. I know that the MC does some of it, but I'm not sure if it covers all aspects. I'm thinking about a scripted input and a dedicated dashboard to monitor and verify all the settings. Do you have any other suggestions, by any chance?
My current search is:

    | tstats count AS event_count WHERE index=* BY host, _time span=1h
    | append [ | inputlookup Domain_Computers | fields cn, operatingSystem, operatingSystemVersion | eval host = coalesce(host, cn) ]
    | fillnull value="0" total_events
    | stats sparkline(sum(event_count)) AS event_count_sparkline sum(event_count) AS total_events BY host

How do I get operatingSystem to display in my table? When I add it to the end of my search (BY host, operatingSystem), my stats break in the table.
I get "Error: CLIENT_PLUGIN_AUTH is required" when trying to set up a collector to connect to 3 older MySQL DB systems. AppDynamics Controller build 23.9.2-1074; mysql Ver 14.14 Distrib 5.1.73, RHEL 6.1. Is there a way in the collector to change the MySQL JDBC driver to a lower version?
Hello, how do I pass data/a token from a report to another report? Thank you for your help. I am trying to run a weekly report that produces the top 4 students (out of 100); then, once I find out the top 4 students, I will run another report that provides detailed information about grades for those 4 students. For example:

Report 1

    StudentID  Name      GPA  Percentile  Email
    101        Student1  4    100%        Student1@email.com
    102        Student2  3    90%         Student2@email.com
    103        Student3  2    70%         Student3@email.com
    104        Student4  1    40%         Student4@email.com

Report 2

    StudentID  Course   Grade
    101        Math     100
    101        English  95
    102        Math     90
    102        English  90
Hi all, very new to Splunk, so apologies if this is a very basic question. I've looked around and haven't found a conclusive answer so far. I'm building an app that will require an API token from a 3rd-party system during the setup step. What I don't understand is how I can store that API token via a call to storage/passwords without also requiring the user to enter their Splunk credentials or a Splunk API token. Would really appreciate it if someone could point out how I can do this! Ideally, I'm looking to use the JS SDK, so I'd need some way to create an instance of the Service object without needing admin user credentials to be manually entered. Thanks in advance!
Hello, we've encountered a problem with the TA-crowdstrike-falcon-event-streams TA, which was functional in the past.

    Splunk Enterprise onPrem
    VERSION=9.1.2
    BUILD=b6b9c8185839
    PRODUCT=splunk
    PLATFORM=Linux-x86_64

When opening the UI to configure the CrowdStrike auth, we end up with Err 500. Same for the other views. I've tried to reinstall it, but it didn't change anything. Splunkd logs the following:

    01-26-2024 16:13:29.817 +0100 ERROR AdminManagerExternal [3102377 TcpChannelThread] - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):
      File "/opt/splunk/lib/python3.7/site-packages/urllib3/connectionpool.py", line 706, in urlopen
        chunked=chunked,
      File "/opt/splunk/lib/python3.7/site-packages/urllib3/connectionpool.py", line 382, in _make_request
        self._validate_conn(conn)
      File "/opt/splunk/lib/python3.7/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
        conn.connect()
      File "/opt/splunk/lib/python3.7/site-packages/urllib3/connection.py", line 421, in connect
        tls_in_tls=tls_in_tls,
      File "/opt/splunk/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 453, in ssl_wrap_socket
        ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
      File "/opt/splunk/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 495, in _ssl_wrap_socket_impl
        return ssl_context.wrap_socket(sock)
      File "/opt/splunk/lib/python3.7/ssl.py", line 428, in wrap_socket
        session=session
      File "/opt/splunk/lib/python3.7/ssl.py", line 878, in _create
        self.do_handshake()
      File "/opt/splunk/lib/python3.7/ssl.py", line 1147, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1106)

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/opt/splunk/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
        timeout=timeout
      File "/opt/splunk/lib/python3.7/site-packages/urllib3/connectionpool.py", line 756, in urlopen
        method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
      File "/opt/splunk/lib/python3.7/site-packages/urllib3/util/retry.py", line 574, in increment
        raise MaxRetryError(_pool, url, error or ResponseError(cause))
    urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=8089): Max retries exceeded with url: /servicesNS/nobody/TA-crowdstrike-falcon-event-streams/configs/conf-ta_crowdstrike_falcon_event_streams_settings/_reload (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1106)')))

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunktaucclib/rest_handler/handler.py", line 124, in wrapper
        for name, data, acl in meth(self, *args, **kwargs):
      File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunktaucclib/rest_handler/handler.py", line 162, in get
        self.reload()
      File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunktaucclib/rest_handler/handler.py", line 259, in reload
        action="_reload",
      File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 320, in wrapper
        return request_fun(self, *args, **kwargs)
      File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 79, in new_f
        val = f(*args, **kwargs)
      File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 727, in get
        response = self.http.get(path, all_headers, **query)
      File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 1254, in get
        return self.request(url, { 'method': "GET", 'headers': headers })
      File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 1316, in request
        response = self.handler(url, message, **kwargs)
      File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/solnlib/splunk_rest_client.py", line 147, in request
        **kwargs,
      File "/opt/splunk/lib/python3.7/site-packages/requests/api.py", line 61, in request
        return session.request(method=method, url=url, **kwargs)
      File "/opt/splunk/lib/python3.7/site-packages/requests/sessions.py", line 542, in request
        resp = self.send(prep, **send_kwargs)
      File "/opt/splunk/lib/python3.7/site-packages/requests/sessions.py", line 655, in send
        r = adapter.send(request, **kwargs)
      File "/opt/splunk/lib/python3.7/site-packages/requests/adapters.py", line 514, in send
        raise SSLError(e, request=request)
    requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=8089): Max retries exceeded with url: /servicesNS/nobody/TA-crowdstrike-falcon-event-streams/configs/conf-ta_crowdstrike_falcon_event_streams_settings/_reload (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1106)')))
    ". See splunkd.log/python.log for more details.

inputs.conf

    [splunktcp-ssl:8089]
    disabled = 0
    requireClientCert = false
    sslVersions = *
    [...]
    [SSL]
    serverCert = <path>
    requireClientCert = true
    allowSslRenegotiation = true
    sslCommonNameToCheck = <others> 127.0.0.1,SplunkServerDefaultCert

server.conf

    [sslConfig]
    enableSplunkdSSL = true
    sslVersions = tls1.2
    serverCert = /opt/splunk/etc/auth/<path>.pem
    sslRootCAPath = /opt/splunk/etc/auth/<path>.pem
    requireClientCert = true
    sslVerifyServerName = true
    sslVerifyServerCert = true
    sslCommonNameToCheck = <FQDNs>
    cliVerifyServerName = false
    sslPassword = <pw>

We're looking forward to your help! Thank you!