I have a panel in a dashboard that plots a trend line for the last 24 hrs. Now I want to create a new alert query that should follow the trend line of the panel. If the output of the alert query doesn't match (not exactly, but to an extent) the pattern of the panel query, then it should trigger an alert.
I've recently been advised that our organization is intending to do away with the production domain where our current Splunk cluster resides, and move everything over to the other domain in use. This implementation does currently have nodes in two different domains, and the domain to go away happens to house both our Cluster Manager and four indexers in a two-site configuration running Splunk Enterprise 9.1.1. I don't yet have all the details (i.e., is the IP/hostname changing or not), but in an effort to do some pre-emptive housecleaning and change the 'serverName' on one of the indexers in advance to go from FQDN to just the hostname, I got CM complaints that it couldn't rejoin the cluster due to the GUID belonging to another indexer.

01-16-2024 13:43:03.307 +0000 ERROR ClusterMasterPeerHandler [25028 TcpChannelThread] - Cannot add peer=X.X.X.X mgmtport=8089 (reason: Peer with guid=<GUID> is already registered and UP).

This error feels a little bit like a chicken/egg situation. Essentially I just put the CM into maintenance mode, stopped the peer, updated serverName in server.conf and started it back up. Perhaps I should have used 'splunk offline' vs 'splunk stop' here? This has me thinking the operation we're about to undertake is a fairly complex one. I haven't been able to find any relatively recent posts about doing something similar aside from a 2016 blog post that makes no mention of GUID, and I presume it was referring to stand-alone indexers vs clustered. Changing the GUID is presumably a non-starter due to the existing buckets all referencing it in their names... Long story short, I'm looking for an order of operations and some dos/don'ts for an undertaking like this.
I have to trim the ITSI KV store collection size. I have created a local itsi_notable_event_retention.conf file in $SPLUNK_HOME/etc/apps/SA-ITOA/local/. I overrode the default value of retentionTimeInSec to 3 months. However, the number of objects in the collection is still growing, and hence the collection size. How do I trim the collection size? I followed this document: Modify notable event KV store collections in ITSI - Splunk Documentation. Please assist.
Hello, I am adding an Alert Action with Splunk Add-on Builder, but when I click "save" it basically times out.

01-16-2024 17:01:31.340 +0100 ERROR HttpClientRequest [24831 TcpChannelThread] - HTTP client error=Read Timeout while accessing server=http://127.0.0.1:8065 for request=http://127.0.0.1:8065/en-US/custom/splunk_app_addon-builder/app_edit_modularalert/add_modular_alert.

In the meantime, if I open a new tab in the browser, whichever page I request times out as well.

01-16-2024 17:02:18.114 +0100 ERROR HttpClientRequest [7954 TcpChannelThread] - HTTP client error=Read Timeout while accessing server=http://127.0.0.1:8065 for request=http://127.0.0.1:8065/en-US.

Looking into the /opt/splunk/etc/apps folder, it seems my app is stuck in the TA-splunk-myapp_temp_output folder while it is saving.

splunk@SearchHead:~/etc/apps > ls -latr
drwxrwxrwx 10 splunk splunk 4096 Jan 15 16:02 TA-splunk-myapp
…
drwxrwxrwx 3 splunk splunk 4096 Jan 16 16:53 TA-splunk-myapp_temp_output

I also tried to:
- cancel the TA-splunk-myapp_temp_output folder, restart Splunk and try saving again;
- increase performance from 16CPU/32GB to 32CPU/64GB;
but I have the same issue.

It seems that the timeout comes from the "appserver" that runs on port 8065. https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf

appServerPorts = <positive integer>[, <positive integer>, <positive integer> ...]
* Port number(s) for the python-based application server to listen on. This port is bound only on the loopback interface -- it is not exposed to the network at large.
* Generally, you should only set one port number here. For most deployments a single application server won't be a performance bottleneck. However you can provide a comma-separated list of port numbers here and splunkd will start a load-balanced application server on each one.
* At one time, setting this to zero indicated that the web service should be run in a legacy mode as a separate service, but as of Splunk 8.0 this is no longer supported.
* Default: 8065

I am thinking about:
- putting the logs in DEBUG;
- adding other ports to start a load-balanced application server.

Any suggestion is really appreciated.

Thanks a lot, Edoardo
Hello everyone, I'm working on Splunk Enterprise and on the Search & Reporting app. I made many drop-down menus to filter my data. I have a special field which can be "void" or have a value. How can I include the void value in the drop-down menus? Because when I select "*" in the drop-down menu, Splunk returns all the values of the field, but I want to select the "void" value too. Thanks in advance!
I was looking for quite a long time, but I'm still wondering whether or not the SaaS portfolio is covered by the Spanish ENS. I found that the cloud is ISO 27001 because the hyperscalers supporting it (GCP/AWS) are, but SignalFx doesn't seem to be compliant regarding the use of customer certificates and the lack of native 2FA.
We are using perfmon, and I have built some dashboards to show memory/CPU usage and alerts that trigger if each goes above a certain %. Is there a way you can obtain the total memory assigned to a server? What I want to do is to be able to create a table from the total assigned memory and place it in the above dashboards so our testers know how much memory a server has without me manually creating a table with each stat in.
I need to change an indexer for data sent by a universal forwarder. I have this data: source_type="pippo" with sourcetype:"paperino" and index="pluto", so I need to send all of this data to another index like index="nino". I tried with a props.conf and transforms.conf, but it doesn't work.
Hi team, I'm trying to send a curl request from my local machine to a Splunk server, but I'm encountering the following error. Have you come across this error before? I've found similar issues on Stack Overflow, but none of the solutions seem to work for me. I thought reaching out here might provide quick support in case anyone has experienced a specific issue related to this. Thank you in advance for your assistance.

aaa.bbb@MyComputer-xxx ~ % curl https://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXXX-XXXX-XXXX-XXXX-XXXX" -d '{"event": "cheesecake"}' --insecure

Output:
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

Thanks
Hello, I have two saved searches saved in the same app on a SH with Enterprise Security: in the Splunk ES Content Management section, one has type "Saved Search", the other has type "Correlation Search". Do you know what the specific parameter is (I guess in the savedsearches.conf file) that is used in Splunk to distinguish between the two search types? Specifically, I would like to turn Search1 into type "Correlation Search" as reported for Search2. Thank you in advance, have a nice day!
Can I download the free trial on my Chromebook?
Hi, I am trying to blacklist Windows Event ID 4769 from a particular User ID. Is it possible to implement this? I already added the following blacklist, but it didn't seem to work.

blacklist = EventCode="4769" User="Account Name"
Hello All, I have a dashboard with a trellis layout in the panel. I need to drill down based on the dynamic values for which the trellis is generated. The challenge is that out of the three charts that the trellis gives, the drilldown works on two of them. On the third one, no action happens when I click on the chart.

<row>
  <panel>
    <title></title>
    <chart>
      <search>
        <query>index=... </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
      <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
      <option name="charting.axisTitleX.visibility">collapsed</option>
      <option name="charting.axisTitleY.visibility">collapsed</option>
      <option name="charting.axisTitleY2.visibility">collapsed</option>
      <option name="charting.axisX.abbreviation">none</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.abbreviation">none</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.axisY.abbreviation">none</option>
      <option name="charting.axisY2.enabled">0</option>
      <option name="charting.axisY2.scale">inherit</option>
      <option name="charting.chart">column</option>
      <option name="charting.chart.bubbleMaximumSize">50</option>
      <option name="charting.chart.bubbleMinimumSize">10</option>
      <option name="charting.chart.bubbleSizeBy">area</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.overlayFields">median_count</option>
      <option name="charting.chart.showDataLabels">none</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.mode">standard</option>
      <option name="charting.legend.placement">none</option>
      <option name="charting.lineWidth">2</option>
      <option name="refresh.display">progressbar</option>
      <option name="trellis.enabled">1</option>
      <option name="trellis.scales.shared">0</option>
      <option name="trellis.size">small</option>
      <drilldown>
        <link target="_blank">/xxx/yyy/zzz?test_Tok=$trellis.value$</link>
      </drilldown>
    </chart>
  </panel>
</row>

The trellis gives vertical column charts arranged one after the other horizontally. Thus, your inputs to resolve the issue will be very helpful. Thank you, Taruchit
Hi, I have been using Splunk Enterprise 9.0.5.1 for about a month and have been experimenting with a dashboard (Studio) for application insights. I am now trying to get NFS info into my dashboard; because the NFS shares don't have logical names, I have created a simple, small lookup CSV with 2 fields, app-name and nfs-name. This is working fine:

index=summary type=isilon_nfs-quota-alert (path="*appsdata*")
| lookup apps-nfs.csv nfs-name as path output nfs-name as found, app-name as application
| where isnotnull(found)
| table path, found, application, quota

It fetches all the NFS info from all the NFS'es in my apps-nfs.csv. But... I don't want the entire list... I want to use a filter on my apps-nfs.csv first, on app-name, and can't get that to work. Eventually I want to use the app-name token of my dashboard to filter, but I can't even get a simple search working. How do I filter app-name in the CSV before fetching the NFS info, for instance with an IN list... app1, app2, app5, etc.
Hello, I am just getting started in the Cyber industry. I have no background in IT or Cyber and wanted to learn Splunk. Where should I start at and what elearning videos should I start with?
Hello. When I try to save an experiment in Splunk Machine Learning Toolkit Smart Forecasting, I get an error "Cannot validate experiment". Does anyone have a clue what this could be referring to? Maybe I need permissions to be able to do that?
Hi there, I have noticed that the Cloud Monitoring Console is reporting a critical bucket. I only have one and have attached a screenshot. The small % is 100. Unfortunately, I am not certain as to what this really means and whether it is something to worry about or not. Any help would be appreciated, Jamie
I have this lookup. I want the total count when the timeval is latest (in this case 2023). Any solution?
I am tasked to do the application upgrades on Splunk and also to find out the applications which are not being used much so we can uninstall them and save some cost around it. Can someone help me with the desired steps to upgrade the applications in Splunk across regions, and also how I can list the apps which are not being used?
I have a use case where I want to set up Splunk Alerts for certain Exception events. I have already defined standard Error messages for these individual Exceptions. Below is a sample use case:

Exception Event 1:
  Standard Error Message 1
  Common Message

Exception Event 2:
  Common Message

In the above use case, when Exception Event 1 happens, it outputs 2 messages to the log (Standard Error Message 1 and Common Message). When Exception Event 2 happens, it only outputs the Common Message to the log. For defining a Splunk Alert for Event 1, I want to ensure that I am checking the 2 counts of search results matching both Message 1 and Common Message, to ensure that both these searches return the same results count for a given time period. Is it possible to achieve this type of Splunk query using eval and an if statement? My objective is to ensure that I am able to accurately identify the scenario for Exception Event 1 occurring, where both messages would be output to the logs in the same count.