All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi guys, I started today with Splunk and have one question. I want to use an OR function so that if the second or the third row is active, I get the trigger. Any ideas how to do it?

    | eval last_backup_t=strptime(last_backup, "%Y-%m-%d %H:%M:%S.%N%z")
    | where last_backup_t < relative_time(now(), "-2d@d")
    | search is_offline=true

Thanks
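Added example, not from the original post: the OR has to sit inside a single where clause, because a following | search is ANDed with whatever rows survived the where. Field names are the poster's; that is_offline holds the string true/false and that the table includes a host field are assumptions, and treating a missing or unparseable last_backup as stale is a design choice.

```spl
| eval last_backup_t=strptime(last_backup, "%Y-%m-%d %H:%M:%S.%N%z")
| eval stale_backup=if(isnull(last_backup_t) OR last_backup_t < relative_time(now(), "-2d@d"), 1, 0)
| eval offline=if(lower(is_offline)="true", 1, 0)
| where stale_backup=1 OR offline=1
| table host last_backup is_offline stale_backup offline
```

strptime returns null when last_backup is absent or does not match the format, so the isnull() branch makes a host that never reported a backup trigger as well; drop it if only hosts with a known, old backup should alert.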
Hi, we are ingesting Couchbase JSON documents into Splunk Cloud using Kafka. When I open the same document (the first is the one ingested into Splunk, _raw, and the second is the Couchbase JSON) and compare them in Visual Studio Code, I can see differences as shown below. The syntax-highlighted data Splunk shows for this record is identical to the original Couchbase JSON. Can you please help me understand why _raw is showing this data differently, and also whether there is any way to get the _raw data in the same format as the original JSON? Thank you.
Hello,
https://docs.appdynamics.com/appd/21.x/latest/en/infrastructure-visibility/monitor-kubernetes-with-the-cluster-agent/install-the-cluster-agent/validate-the-cluster-agent-installation

1. Validate the Cluster Agent installation.
2. We have deployed AppDynamics using EKS on AWS.
3. We have successfully deployed it using the Helm chart.
4. But in the dashboard it says "no data available".
5. We have installed the Cluster Agent and infrastructure visibility using the above documentation, and we are not able to get the visual data in the console; in the metrics browser it just says "no data available". We are using an EKS cluster, version 1.25, with 2 nodes, and we have deployed the bank-of-anothos application in our cluster.
6. Our values:

    # To install InfraViz
    installInfraViz: true
    # AppDynamics controller info
    controllerInfo:
      url: https://cat202312051119163.saas.appdynamics.com:443
      account: My account name
      username: My username
      password: My password
      accessKey: my access key
      globalAccount: my account name
    # Infra Viz config
    infraViz:
      nodeOS: "linux"
      enableMasters: true
      stdoutLogging: true
      enableContainerHostId: true
      enableServerViz: true
      enableDockerViz: false
    # Net viz config
    netViz:
      enabled: true
      netVizPort: 3892

Screenshot: Screenshot 2023-12-13 at 3.07.16 PM.png

Please tell us a workaround for the above issues. Thanks
Hi Team, we received a requirement to monitor the Web Services Utilities: Message Monitor in SAP systems. PFA screenshot for reference. Please confirm whether we have an option in the SAP ABAP agent to monitor the below error/log messages. Thanks, Selvan
I want to extract only the process name value from the logs and store it in a table.

Input log:

    <30>1 2023-12-13T06:22:20.197Z 10.205.101.94 4 CGA3001I [sev="INFO" msg="Event" event="Data is getting from process name: C:\\ProgramFiles\\notepad.exe. Now we can try to write the logs. Mode: Operational"]

Output:

    C:\\ProgramFiles\\notepad.exe

I have tried with the command:

    regex "(?<=Process name:).*?(?=\.\s+)" | table Process

but didn't get any data.
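Added example, not from the original post. Two things explain the empty table: regex is a filter command (it keeps or drops events and extracts nothing, so there is no Process field for table to show), and the sample line reads "process name:" in lowercase while the pattern looks for "Process name:", so every event is dropped. rex does the extraction; the field name Process is kept from the post and the (?i) flag covers the case difference:

```spl
| rex field=_raw "(?i)process name:\s*(?<Process>\S+)\.\s"
| table Process
```

\S+ followed by \.\s stops at the period-and-space after the path, so C:\\ProgramFiles\\notepad.exe is captured whole. If the path can contain spaces, use (?<Process>.+?)\.\s instead; the lazy quantifier still ends at the first period-and-space.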
I set up the Microsoft Teams Add-On For Splunk yesterday and am successfully ingesting data from our tenant. My query is regarding the relationship between the volume of incoming webhooks from Azure and the callRecord events.

As I understand it (and this is likely the root cause), Azure pushes a change notification to the Splunk webhook each time a call ends, containing the unique call ID. The Teams Call Record app/input runs on a schedule (in my case every five minutes) and retrieves all the call records it has received change notifications for since it last ran. I would, therefore, expect there to be an equal number of m365:webhook and m365:teams:callRecord events, but there aren't. I'm typically seeing a 3:2 ratio of webhook to callRecord events.

I believe the 'id' field in the webhook event and the callRecords matches (this is the identifier Splunk uses to retrieve the callRecord using the Graph API), and I would have expected the id in each event type to be unique, but there appear to be many duplicates in both event types. If I look at my data for yesterday I can see:

    4163 webhook events
    3867 callRecord events

But if I dedup on 'id', I see:

    2614 webhook events
    2586 callRecord events

...which still doesn't match (although it's much closer) and is a lot of duplicates. Any bright ideas, folks?
I have 2 multivalue fields (old and new) containing group lists for 1 or more users. The new value is the list of groups that replace the old groups. For example:

    user 1 has an old value of group1, group2, group3
    user 1 has a new value of group1, group2, group3, group4, and group5
    user 2 has an old value of group3, group4, group5
    user 2 has a new value of group4, group5, group6, group7, and group8

I'm trying to return group4 and group5 for user 1 and group7 and group8 for user 2.
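Added example, not from the original post. It builds the two users with makeresults (constructed data standing in for the real search), splits the comma lists into multivalue fields, and uses mvmap with an anchored mvfind to keep each value of new that has no exact match in old; the reverse expression gives the groups that were dropped:

```spl
| makeresults
| eval user="user1", old="group1,group2,group3", new="group1,group2,group3,group4,group5"
| append [ makeresults | eval user="user2", old="group3,group4,group5", new="group4,group5,group6,group7,group8" ]
| eval old=split(old, ","), new=split(new, ",")
| eval added=mvmap(new, if(isnull(mvfind(old, "^".new."$")), new, null()))
| eval removed=mvmap(old, if(isnull(mvfind(new, "^".old."$")), old, null()))
| table user old new added removed
```

The ^ and $ anchors stop group1 from matching group10. mvfind takes a regular expression, so group names containing metacharacters (dots, parentheses, brackets) must be escaped before being concatenated into the pattern; mvmap needs Splunk 8.0 or later.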
Hi, I have a requirement to show a line chart comparing today's count with the previous day's. I have the SPL below, but we see the data from yesterday and today with each graph line separate. I want to see the lines together, one superimposed on the other. Could you please suggest how to compare them?

Current SPL:

    basesearch earliest=-1d@d latest=now
    | eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
    | timechart span=15m count by Day

Current visualization: (screenshot)
Expected visualization: (screenshot)
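Added example, not from the original post: run timechart once over the whole window, then timewrap folds each day onto the same 15-minute x-axis so yesterday and today become two series on one chart instead of two side-by-side segments. basesearch is the poster's placeholder:

```spl
basesearch earliest=-1d@d latest=now
| timechart span=15m count
| timewrap 1d
```

Today's series stops at the current bucket because latest=now; yesterday's runs the full day.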
Hi all, for this sort of JSON string, how can I extract KeyA, KeyB, KeyC?

    {
      "KeyA": [
        { "path": "/attibuteA", "op": "replace", "value": "hello" },
        { "path": "/attibuteB", "op": "replace", "value": "hi" }
      ],
      "KeyB": [
        { "path": "/attibuteA", "op": "replace", "value": "" },
        { "path": "/attibuteC", "op": "replace", "value": "hey" },
        { "path": "/attibuteD", "op": "replace", "value": "hello" }
      ],
      "KeyC": [
        { "path": "/attibuteE", "op": "replace", "value": "" }
      ]
    }

My ideal output would look like:

    Key   path       op       value
    KeyA  attibuteA  replace  hello
    KeyA  attibuteB  replace  hi
    KeyB  attibuteA  replace
    KeyB  attibuteC  replace  hey
    KeyB  attibuteD  replace  hello
    KeyC  attibuteE  replace

Many thanks
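Added example, not from the original post. It assumes the JSON is the whole _raw event (otherwise add input=<field> to the first three spath calls). spath with path=KeyA{} returns each array element as a JSON string in a multivalue field; tagging each element with its key, expanding, and parsing the element again gives one row per operation:

```spl
| spath path=KeyA{} output=KeyA
| spath path=KeyB{} output=KeyB
| spath path=KeyC{} output=KeyC
| eval rows=mvappend(mvmap(KeyA, "KeyA|".KeyA), mvmap(KeyB, "KeyB|".KeyB), mvmap(KeyC, "KeyC|".KeyC))
| mvexpand rows
| rex field=rows "^(?<Key>[^|]+)\|(?<obj>.*)$"
| spath input=obj path=path output=path
| spath input=obj path=op output=op
| spath input=obj path=value output=value
| eval path=ltrim(path, "/")
| table Key path op value
```

The | separator is only safe because it does not occur inside this JSON; choose another character if it can. A key that is absent from an event produces a null from mvmap, which mvappend skips, so events with only some of the keys still expand correctly.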
    | table Status, timeval, CompanyCode, CN
    | appendpipe [stats count | eval error="thats not cool" | where count==0 | table error | fields - Status, timeval, CompanyCode, CN]

These are the last two lines of a search. In this search, if the fields (Status, timeval, CompanyCode, CN) have no values, or all the fields are empty, then I have to display a message, which in this case is "thats not cool". It is working, but in the result, as you can see, all the empty fields are also displayed. I want only the error field if the other fields are empty. Can anyone help?
Hello, I am trying to create some dashboards in ES and some other apps. For convenience I would like to be able to access them from the app drop-down menu, but I can't find a way to do so. Can someone tell me if this is even possible? If yes, how? P.S. We are using a Splunk Cloud deployment.
Hello Experts, I currently have a CSV file that contains fields such as ID, IP, OS, _time, status, etc. I need to create a metric index. Do I need to change the field names in the CSV file to align with what Splunk expects, or can I import the data as it is? I'd appreciate any guidance or examples on how to achieve this. Thanks in advance
Hi, I have a request to restore 40 weeks of logs from Dynamic Data Archive storage for one of the indexes on Splunk Cloud. May I know the process and best practices, if any?
SSL is enabled and cannot be changed when using the Splunk Cloud free trial. Where can I find/download the certificate?
How can Splunk query which IPs have been making requests continuously for more than 3 days? And since there are multiple values in the firewallSource field, how can we know which IPs have both WAF and ATE in their requests during a certain time period?
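Added example, not from the original post; index=fw and src_ip are assumed names. It reduces the data to one row per source IP per day, numbers runs of consecutive days with streamstats so that a day without requests resets the run, filters on run length, and answers the second question with anchored mvfind calls over the firewallSource values collected for the run:

```spl
index=fw earliest=-14d@d latest=@d
| bin _time span=1d
| stats values(firewallSource) AS sources BY src_ip _time
| sort 0 src_ip _time
| streamstats current=f last(_time) AS prev_day BY src_ip
| eval gap_days=if(isnull(prev_day), 0, round((_time - prev_day) / 86400))
| eval new_run=if(gap_days=0 OR gap_days>1, 1, 0)
| streamstats sum(new_run) AS run_id BY src_ip
| stats min(_time) AS run_start max(_time) AS run_end dc(_time) AS days values(sources) AS sources BY src_ip run_id
| where days > 3
| eval waf_and_ate=if(isnotnull(mvfind(sources, "^WAF$")) AND isnotnull(mvfind(sources, "^ATE$")), "yes", "no")
| convert ctime(run_start) ctime(run_end)
| sort - days
```

"Continuously" is read here as consecutive calendar days with at least one request each; the round() on the gap keeps a DST change from breaking a run. Use days >= 3 if three days inclusive is the requirement, and narrow earliest/latest to the period of interest for the WAF/ATE question.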
I'm currently working on crafting a Splunk Query to identify systems that have been inactive for a specified duration (which can vary based on user requirements). My intention is to utilize "Windows event logs" as the data source, focusing on EventCode=4624. Primarily, I'll be manipulating the default field "_time" as there isn't another relevant field available. I'd appreciate any guidance or suggestions you might have in this regard.
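Added example, not from the original post. A stats over 4624 events can only list hosts that logged at least once in the search window, so a host that went quiet before the window began never appears; starting from an asset list fixes that. The known_hosts.csv lookup with a ComputerName column, the index and sourcetype, the 90-day window and the 14-day threshold are all assumptions:

```spl
| inputlookup known_hosts.csv
| join type=left ComputerName
    [ search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 earliest=-90d@d
      | stats max(_time) AS last_logon BY ComputerName ]
| eval days_inactive=if(isnull(last_logon), 90, round((now() - last_logon) / 86400, 1))
| where days_inactive >= 14
| eval last_logon=if(isnull(last_logon), "none in 90 days", strftime(last_logon, "%Y-%m-%d %H:%M:%S"))
| sort - days_inactive
| table ComputerName last_logon days_inactive
```

Hosts with no logon at all in the window are reported as at least 90 days inactive rather than dropped. join subsearches are subject to the subsearch row and time limits, so for a large estate run the stats first and left-join the lookup onto it, or use append plus stats instead.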
Hello, I am trying to determine why my table in Dashboard Studio is showing "No Data" but it shows in Dashboard Classic. I referenced the report in the code and I am using a token for data input. Whenever I open it in search, it pulls up all the data I need, but it just does not show in the dashboard.

    {
        "type": "ds.savedSearch",
        "options": {
            "ref": "E.1_Malicious_Emails_Inbound"
        }
    }

I also checked the app permissions, and they are in the same app and readable between the report and dashboard. Just "No Data". Has anyone run into an issue like this?
Hello, I'm trying to install Splunk ITSI 4.17.1 in a Search Head Cluster with Splunk Enterprise 9.1.2. I already extracted the .spl in the directory $SPLUNK_HOME$/etc/shcluster/apps, but when I execute the command splunk apply shcluster-bundle it shows that it has deployed everything correctly; when I go to the Search Heads, though, none of the ITSI apps are deployed. I just made a test deploying another simple app for testing purposes and it worked. Do you have any idea?
Here is a snippet of the URL I am sending and the time format in which it needs to be: startTime=2023-12-01T16%3A27%3A45.000Z&endTime=2023-12-01T16%3A32%3A45.000Z However, when I try to send "latesttime" or "earliesttime", splunk is sending it in epoch. How do I get the proper format of time for the URL within the workflow action? Thanks!
Hello, I'm trying to find information on how to use Splunk with Visual Studio Code. I have an authentication token on my development instance. I've installed the Visual Studio Code Extension for Splunk from GitHub. I'm lost from here on. What do I enter in the url and webRoot fields in the launch.json file?

    "configurations": [
        {
            "type": "chrome",
            "request": "launch",
            "name": "Launch Chrome against localhost",
            "url": "https://<host name>:8080",
            "webRoot": "${workspaceFolder}"
        }
    ]

This opens Splunk in my Chrome browser, but it is an empty search field. I created a .splnb file in VS Code, but when I run it, I receive ERROR: Unauthorized. Thanks in advance for any direction provided.

God bless,
Genesius