I am looking to make a "pulse" dashboard for a host on my network; it will pulse green when the host is up and red when it is down. So far I have:

index=index sourcetype=sourcetype log_type=type hostname=host | eval logs=case(count>0, "1", count=0, "2") | eval Status=case(Logs=1, "Green", Logs=2, "Red")

I believe there is an error in the case line with the count. I have to be missing something. Any insight would be helpful!
Hi all, which capability do I assign to a Splunk user to upload an image in Dashboard Studio?
Hi, I'm trying to run a search via the CLI from a federated Splunk instance > Splunk Cloud. Everything is configured correctly and I have access to all indexes on Splunk Cloud from the federated instance via the web interface. But when I try to check the connection via the CLI on the federated search instance:

splunk display app -uri https://<splunk cloud uri>:8089

I get this error:

argument uri is not supported by this handler splunk

Also, while trying to execute a search from federated search:

splunk search "index="some remote index on splunk cloud" | head 10"

I'm getting the following error:

ERROR: Unknown error for indexer: <splunk cloud>. Search results may be incomplete. If this occurs frequently , check on the peer.

Please assist.
I want to forward the logs to a third-party server from a heavy forwarder over HTTP. Here is my outputs.conf:

[httpout]
defaultGroup = otel_hec_group

[httpout:otel_hec_group]
#server = thirdparty_server:8443
uri = http://thirdparty_server:8443
useSSL = false
sourcetype = hf_to_otel
disabled = false
sslVerifyServerCert = false
headers = {"Host": "hf_server", "Content-Type": "application/json"}
timeout = 30

But I don't receive logs on the third-party server, and I don't find any error in the splunkd logs either. @SplunkSE
Users with an Admin or Power role are able to view the Seclytics dashboard provided by the "Seclytics for Splunk App". However, when users with the "User" role attempt to access the same dashboard, the content does not display. Additionally, we discovered that the lookup file "event_by_days.csv" is missing from the expected directory: /opt/splunk/etc/apps/seclytics-splunk-app/lookups/. We would like to understand the following: Why is the dashboard visible to Admin/Power roles but not to the User role? Are there specific role-based permissions required to access this dashboard? Or is there a configuration change needed on our end to ensure all roles can access the content correctly?
Hi all, as the old eStreamer add-on is replaced by the new app Cisco Security Cloud ( https://splunkbase.splunk.com/app/7404 ), we have installed the new app and are testing it in a distributed environment. We are facing one issue with intrusion event packet logs which are streaming from FMC into Splunk. Whenever the "packet data" field in intrusion event packets is greater than 4k bytes, it is missing in the Splunk logs. Only the packetdata field is missing; the remaining complete log is visible in Splunk. And there are no errors related to parsing or truncation issues in the Splunk _internal index. Has anyone faced the same issue, or is there any fix for this?
Hey all - I have a need to search for events in Splunk that contain two specific values in one field. I want the results to return only those events that have both values in them. I'm trying to use this:

(my_field_name="value1" AND my_field_name="value2")

This still returns results that have either value1 or value2, not events that contain both. How would I query for results that contain both values, not individual values?
Hi, I have a dataset in the following format:

Name,Status,Timestamp
ABC,F, 04/24/2025 15:30:03
ABC, R, 04/24/2025 15:15:01

I need to be able to only display / render the latest status for a given name. My output should look like the following, since the status as of 04/24/2025 15:30:03 is the most recent status:

ABC,F, 04/24/2025 15:30:03

Appreciate your help.
Please help me optimize this Splunk query:

index:: rasp_ NOT [inputlookup Scanners_Ext.csv | fields forwarded_for] NOT [inputlookup Scanners_Int.csv | rename ip_addr AS forwarded_for | fields forwarded_for] NOT [inputlookup vz_nets.csv | rename netblock AS forwarded_for | fields forwarded_for] NOT (forwarded_for="140.108.26.152" OR forwarded_for="" OR forwarded_for="10.*" OR forwarded_for=null) app!="" app!="\"*\"" app!="VASTID*" host!="10.215*" host!="ip-10-*" host!="carogngsa*" host!="carogngta*" host!="carofuzedd** host!="*ebiz*" host!="echo*" host!="not logged" host!="onm*" host!="tfnm*" host!="voip*" host!="wfm*" category!="Config*" category!="Depend*" category!="Stat*" category!="Large*" category!="Uncaught*" category!="Unvalidated Redirect" category!="License" category!="*Parse*" action=* | stats count
I created a dashboard with an input that allows the user to select a user field from a dropdown that's populated by a lookup table. I need to use a multiselect input type to allow users to filter for one user or all users. I created a change form to prefix the selected user with "production\" and run a query in the panel that retrieves firewall events where the user = the new token value (prefixed with "production\"), since the user in the firewall index is prefixed with "production". The issue is that the set token runs whenever I change the value in the multiselect and appends "production\" to the token value multiple times. Is there a way to set the token AFTER the user has set the filter? Also, how do I filter for ALL events when the user selects ALL in the multiselect input? Below is my XML code. Thanks in advance.

<dashboard version="1.1" theme="light">
  <label>new firewall</label>
  <row>
    <panel>
      <title> Request Information</title>
      <input type="multiselect" token="webuser" searchWhenChanged="true">
        <label>User</label>
        <choice value="*">All</choice>
        <default>*</default>
        <initialValue>*</initialValue>
        <delimiter> </delimiter>
        <fieldForLabel>UserName</fieldForLabel>
        <fieldForValue>UserName</fieldForValue>
        <search>
          <query>| inputlookup my_users.csv | dedup UserName | table UserName</query>
        </search>
        <change>
          <set token="webuser">prod\\$webuser$</set>
        </change>
      </input>
      <input type="time" token="webtime" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table>
        <search>
          <query>( index = main sourcetype = firewall ) action=blocked | search [ inputlookup my_users.csv | eval userName = "prod\\".UserName | rename userName as user | table user ] |table _time, $webuser$ index, action |search user=$webuser$</query>
          <earliest>$webtime.earliest$</earliest>
          <latest>$webtime.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
</dashboard>
I'd like to include this in an email alert. I've got various emails to alert when going over, but I'd like to show the number of warnings in that 60-day rolling window.
Hi team, I am using the following curl command:

curl -k -u admin:password -X POST https://<host>:<port>/servicesNS/akanksha_goel1/search/saved/searches/Clickstream-Microsurvey-Failure-Alert-Rule-Dev -d "disabled=1" --max-time 60 -H "Content-Type: application/x-www-form-urlencoded"

But I am getting the error: Error: read ECONNRESET. Kindly help us resolve the issue!
I just upgraded to 9.4 and I got the new 9.3+ warning in SplunkWeb about the alert_actions.conf allowedDomainList setting not being set and that I should fix it. I have now set the list correctly in an app and deployed the app to the machine:

/opt/splunk/etc/apps/my_app/local/alert_action.conf
[email]
allowedDomainList = mydomain.com,myotherdomain.com

I then restart Splunk and I get no warnings. I then run the command:

/opt/splunk/bin/splunk cmd btool alert_actions list email

I see the following:

[email]
allowedDomainList = mydomain.com,myotherdomain.com

I then go into SplunkWeb and I do not see the allowedDomainList warning in the messages list - the issue is fixed. I then go into Settings->Server Settings->Email Domains->Allowed Domains and this setting is empty. I would expect to see "mydomain.com,myotherdomain.com" in the setting control. Even when I have set everything correctly, Splunk btool shows the right setting and I have restarted Splunk, why is the setting not showing up?
I am trying to create a new finding-based detection to group findings together when the risk score exceeds a threshold, similar to the RBA concept. However, I am encountering an issue: when the finding (notable) is created, no Entity appears in the Incident Review dashboard, even though the fields risk_object, normalized_risk_object, and risk_object_type have values. Has anyone experienced the same issue?
As the title suggests, I have a scenario where I have two fields for a single value panel: the first is a number I want to display, but the second field I want to use to color the visualization. The color field is a threshold, so if I am under the threshold it is green and over the threshold it is red, and it is returned as a simple boolean 0-1. My basic stats output looks like this, two values, the first is my number displayed, the second my threshold I want to color off of:

| stats values(PercentChange) as PercentChange latest(threshold) as threshold

The question is: how do I tell Dashboard Studio to color off of the secondary field instead of the field defined as my display value?
I think Splunk doesn't have a built-in/defined sourcetype for ExtremeCloud XIQ logs. Can we define a custom sourcetype, like `extremecloud:xiq`, in the syslog server (splunk_metadata.csv)? If so, how do we make sure the logs coming from the ExtremeCloud XIQ platform land in the "extreme" index and use the "extremecloud:xiq" sourcetype?
Dears, the KV Store initialization on our search head cluster was previously working fine. However, unexpectedly, we are now encountering the error: "KV Store initialization has not been completed yet", and the KV Store status shows as "starting." I attempted a rolling restart across the search heads, but the issue persists. Kindly provide your support to resolve this issue. @gcusello @woodcock Thank you in advance.
The following query returns the expected result in Postman but returns a different result in a JavaScript fetch:

search host="hydra-notifications-engine-prod*" index="federated:rh_jboss" "notifications-engine ReportProcessor :" | eval chartingField=case(match(_raw,"Channel\s*EMAIL \|"),"Email",match(_raw,"Channel\s*GOOGLECHAT \|"),"Google Chat",match(_raw,"Channel\s*IRC \|"),"IRC",match(_raw,"Channel\s*SLACK \|"),"Slack",match(_raw,"Channel\s*SMS \|"),"SMS") |timechart span="1d" count by chartingField

What is the issue?
I created a dashboard with an input that allows the user to select a user field from a dropdown that's populated by a lookup table. I want to prefix the selected user with "production\" and run a query in a panel that retrieves firewall events where the user = the new token value (prefixed with "production\"), since the user in the firewall index is prefixed with "production". The first time I select the user from the lookup, the query retrieves events. The next time I select another user, the set token does not prefix the token with "production"; instead it searches with the selected user value and returns no events. The done block apparently only executes the first time through. Below is the XML. Thanks in advance.

<label>firewall blocks</label>
<fieldset submitButton="false" autoRun="true">
  <input type="dropdown" token="username" searchWhenChanged="true">
    <label>username</label>
    <fieldForLabel>username</fieldForLabel>
    <fieldForValue>username</fieldForValue>
    <search>
      <query>| inputlookup test_users.csv | table username</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
      <done>
        <set token="username">prod\\$username$</set>
      </done>
    </search>
  </input>
</fieldset>
<row>
  <panel>
    <table>
      <search>
        <query> index=firewall sourcetype=firewall user = "$username$" | table $username$ user action </query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
      <option name="drilldown">none</option>
    </table>
  </panel>
I am trying to remove everything before the { character to preserve the JSON format. I am using SEDCMD-keepjson = s/^[^{]{/{/ in the sourcetype configuration, but it fails to apply correctly. However, when I use the search command | rex mode=sed "s/^[^{]{/{/", it successfully removes the unwanted text. I am wondering what could be causing this issue. The sourcetype settings are configured on both the Search Head (SH) and the Heavy Forwarder (HF). A sample event:

Mar 28 13:11:57 abcdeabcdev01w.abcdabcd.local {<json_log>}