Hello, can you please tell me what happens to email alerts if the SMTP server used for email delivery is temporarily offline? Is there a buffer where alerts are saved and then sent once the SMTP server becomes available again? Is there a link to Splunk documentation about that? Thank you, Andrea
Hi, I am trying to find out how many data sources and endpoints we have integrated into Splunk. How can we get this information? Can anyone please provide me a query to find this?
I don't know if this is the right place to ask, but I'm currently looking for three members for BotS v7, coming 7th December in Tokyo. If anyone is interested, give me a reply to this post, or if anyone knows the right place for me to look for members, I'd greatly appreciate it if you'd let me know!
CrowdStrike Falcon FileVantage Technical Add-On https://splunkbase.splunk.com/app/7090

When the API returns more than one event, the result in Splunk is one event with all the JSON objects merged together, which makes Splunk's JSON parsing fail. In the Python code this seems to be what was intended, with the join here:

~/etc/apps/TA_crowdstrike_falcon_filevantage/bin/TA_crowdstrike_falcon_filevantage_rh_crowdstrike_filevantage_json.py

    try:
        helper.log_info(f"{log_label}: Preparing to send: {len(event_data)} FileVantage events to Splunk index: {data_index}")
        # --> every event is serialised and newline-joined into ONE string ...
        events = '\n'.join(json.dumps(line) for line in event_data)
        # ... which is then written as a single Splunk event
        filevantage_data = helper.new_event(source=helper.get_input_type(), index=helper.get_output_index(), sourcetype=helper.get_sourcetype(), data=events)
        ew.write_event(filevantage_data)
        helper.log_info(f"{log_label}: Data for {len(event_data)} events from FileVantage successfully pushed to Splunk index: {data_index}")

So it is important to write a proper Splunk props.conf to split the events again with a LINE_BREAKER:

    splunk@ncesplkpoc01:~/etc/apps/TA_crowdstrike_falcon_filevantage$ cat local/props.conf
    [crowdstrike:filevantage:json]
    SHOULD_LINEMERGE = false
    LINE_BREAKER = \n
    NO_BINARY_CHECK = true
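The failure mode above, reproduced as an added example that is not code from the FileVantage add-on: several JSON objects newline-joined into one string are not a single JSON document, so field extraction on the merged event gives up, and breaking the stream on newlines recovers one object per event. The sample events and their field names are constructed for illustration, not the real FileVantage schema. One caveat on the props.conf shown in the post: props.conf.spec requires LINE_BREAKER to contain a capturing group, so the documented form is `LINE_BREAKER = ([\r\n]+)`, and the splitter below mirrors that form.

```python
"""Added example (not code from the FileVantage TA): reproduce the newline-joined
blob the add-on writes and show two ways to end up with one event per JSON object.
Sample events below are constructed; the field names are assumptions."""
import json
import re

# Constructed sample API payload: three independent FileVantage-style events.
SAMPLE_EVENTS = [
    {"id": "evt-1", "action": "modified", "path": "/etc/passwd", "host": "web01"},
    {"id": "evt-2", "action": "created", "path": "/tmp/x.sh", "host": "web01"},
    {"id": "evt-3", "action": "deleted", "path": "/etc/cron.d/job", "host": "db02"},
]

# Mirrors props.conf "LINE_BREAKER = ([\r\n]+)": the regex must contain a capturing
# group, and Splunk ends the previous event at the start of each match.
LINE_BREAKER = re.compile(r"([\r\n]+)")


def join_as_ta_does(event_data):
    """Reproduce the add-on's behaviour: every event serialised and joined with
    newlines into a single string that is then written as ONE Splunk event."""
    return "\n".join(json.dumps(line) for line in event_data)


def parses_as_single_json(blob):
    """True only if the whole string is one JSON document. A newline-joined blob
    of several objects fails with 'Extra data', which is why JSON field
    extraction on the merged event fails."""
    try:
        json.loads(blob)
        return True
    except json.JSONDecodeError:
        return False


def split_like_line_breaker(blob):
    """Apply the same break rule as the LINE_BREAKER above and parse each piece.
    re.split keeps the captured separators, so empty/whitespace pieces are
    dropped. Returns one dict per original event."""
    pieces = [p for p in LINE_BREAKER.split(blob) if p.strip()]
    return [json.loads(p) for p in pieces]


def events_for_write_event(event_data):
    """The fix at the source: one serialised payload per event, so the caller
    can issue one ew.write_event() per item instead of one for the whole batch."""
    return [json.dumps(line) for line in event_data]


if __name__ == "__main__":
    blob = join_as_ta_does(SAMPLE_EVENTS)
    print("single JSON document?", parses_as_single_json(blob))
    print("events recovered by line breaking:", len(split_like_line_breaker(blob)))
```

Either fix works on its own: the props.conf rule splits the merged event at index time, while `events_for_write_event` shows the shape the add-on would need to emit for the line breaker to become unnecessary.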
Hello, I wonder if there are plans to extend the MITRE ATT&CK Framework coverage for ICS? How could someone build upon the features this SSE brings to add additional Framework elements? Is there any step-by-step guide that could be shared? Thanks, Mihaly
I have a saved search with 'n' number of results and I need to set up an alert mail for the results by creating an alert. If I use |map "savedsearch", the result is "no events found". But there are events in the result of the saved search. Please help me with this.
Hi, once a month we receive a file via email that we manually upload to Splunk as a lookup CSV file. The current process is to delete the old file and upload the new one, keeping the same file name. The existing reports use this file without any issues. There is now a requirement to compare the current file with the previous version and highlight whether any values have been added or removed (the columns stay the same). Initially I wanted to use the inputlookup and collect commands to output the data into an index and then build a search to compare the data based on the ingest time, effectively comparing the two files. However, I'm getting the following error: "The lookup table 'test.csv' requires a .csv or KV store lookup definition." The file actually exists and is located in /opt/splunk/etc/apps/test_app/lookups/test.csv. The lookup definition also exists: test_LD. I suspect this is caused by the size of the lookup file (approx. 36 MB) and wanted to ask for suggestions or workarounds? Many thanks.
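The comparison described in the post (same columns, find values added or removed between last month's file and this month's), done offline on the two CSV files themselves, as an added example that is not part of the original post and does not address the lookup-definition error. The column names and rows are constructed; the function names are the example's own.

```python
"""Added example (not part of the original post): compare two versions of a
lookup CSV and report, per column, which distinct values were added or removed,
plus whole rows that appeared or disappeared. Column names and rows are constructed."""
import csv
import io

# Constructed: last month's file and this month's file, identical column layout.
OLD_CSV = """host,owner,environment
web01,alice,prod
web02,alice,prod
db01,bob,prod
"""
NEW_CSV = """host,owner,environment
web01,alice,prod
db01,carol,prod
app01,bob,staging
"""


def load_rows(text):
    """Parse lookup CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def diff_columns(old_rows, new_rows):
    """Per column: distinct values present only in the new file ('added') and
    only in the old file ('removed'). Refuses to compare if the header changed,
    since the post states the columns stay the same."""
    if not old_rows or not new_rows:
        raise ValueError("both files must contain at least one data row")
    columns = list(old_rows[0].keys())
    if columns != list(new_rows[0].keys()):
        raise ValueError("column layout changed between versions")
    result = {}
    for col in columns:
        old_vals = {r[col] for r in old_rows}
        new_vals = {r[col] for r in new_rows}
        result[col] = {
            "added": sorted(new_vals - old_vals),
            "removed": sorted(old_vals - new_vals),
        }
    return result


def diff_rows(old_rows, new_rows):
    """Whole-row comparison: each row becomes an ordered tuple of its values,
    so a changed owner shows up as one row removed and one row added."""
    old_set = {tuple(r.values()) for r in old_rows}
    new_set = {tuple(r.values()) for r in new_rows}
    return {
        "added": sorted(new_set - old_set),
        "removed": sorted(old_set - new_set),
    }


if __name__ == "__main__":
    old, new = load_rows(OLD_CSV), load_rows(NEW_CSV)
    for col, changes in diff_columns(old, new).items():
        print(f"{col}: +{changes['added']} -{changes['removed']}")
    print("rows:", diff_rows(old, new))
```

`diff_columns` answers the question as asked (which values came or went in each column), while `diff_rows` is the stricter check that also catches a value moving from one row to another.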
Hi, I'm trying to configure SC4S using the following documentation: Quickstart Guide - Splunk Connect for Syslog. But when I run the sudo systemctl start sc4s command, I get errors during initialization: Please, do you have any idea what's going on? Note also that I've configured the podman http-proxy.conf file to add my proxy.
How to store logs in MinIO (on-premises) from Splunk. I created a bucket named splunk. I can successfully run mc cp test.txt s3/splunk-bucket, but Splunk can't load files into the bucket.

My indexes.conf file:

    [smartstore]
    homePath = $SPLUNK_DB/smartstoredb/db
    coldPath = $SPLUNK_DB/smartstoredb/colddb
    thawedPath = $SPLUNK_DB/smartstoredb/thaweddb
    remotePath = volume:s3

    [volume:s3]
    storageType = remote
    path = s3://splunk
    remote.s3.access_key = minioadmin
    remote.s3.secret_key = minioadmin
    remote.s3.supports_versioning = false
    remote.s3.endpoint = http://10.10.10.1:9000

MinIO config.json:

    {
      "version": "10",
      "aliases": {
        "gcs": {
          "url": "https://storage.googleapis.com",
          "accessKey": "YOUR-ACCESS-KEY-HERE",
          "secretKey": "YOUR-SECRET-KEY-HERE",
          "api": "S3v2",
          "path": "dns"
        },
        "local": {
          "url": "http://10.10.10.1:9000",
          "accessKey": "minioadmin",
          "secretKey": "minioadmin",
          "api": "s3v4",
          "path": "auto"
        },
        "play": {
          "url": "http://10.10.10.1:9000",
          "accessKey": "minioadmin",
          "secretKey": "minioadmin",
          "api": "S3v4",
          "path": "auto"
        },
        "s3": {
          "url": "http://10.10.10.1:9000",
          "accessKey": "minioadmin",
          "secretKey": "minioadmin",
          "api": "s3v4",
          "path": "auto"
        }
      }
    }

PS: I have 3 indexers and a cluster master.
Cry for help! I installed an add-on in Splunk, but it can't be opened normally; only a white screen appears. My Splunk version is 9.0.4. How should I solve this problem? Thanks all! Here is the relevant section of error logs in web_services.log:

    2023-12-01 10:16:41,411 ERROR [65694209637fbde458fdd0] startup:112 - Unable to read in product version information; [HTTP 401] Client is not authenticated
    2023-12-01 10:16:41,412 INFO [65694209637fbde458fdd0] startup:139 - Splunk appserver version=UNKNOWN_VERSION build=000 isFree=False isTrial=True
    2023-12-01 10:16:41,413 INFO [65694209637fbde458fdd0] i18n_catalog:46 - i18ncatalog: translations_retrieved=0.0004456043243408203 etag_calculated=4.3392181396484375e-05 overall=0.0004889965057373047
    2023-12-01 10:16:41,413 ERROR [65694209647fbde459b3d0] startup:112 - Unable to read in product version information; [HTTP 401] Client is not authenticated
    2023-12-01 10:16:41,415 INFO [65694209647fbde459b3d0] startup:139 - Splunk appserver version=UNKNOWN_VERSION build=000 isFree=False isTrial=True
    2023-12-01 10:16:41,416 INFO [65694209647fbde459b3d0] _cplogging:216 - [01/Dec/2023:10:16:41] ENGINE Started monitor thread 'Monitor'.
    2023-12-01 10:16:41,416 INFO [65694209647fbde459b3d0] root:168 - ENGINE: Started monitor thread 'Monitor'.
    2023-12-01 10:16:41,427 ERROR [65694209647fbde459b3d0] config:149 - [HTTP 401] Client is not authenticated
    Traceback (most recent call last):
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/config.py", line 147, in getServerZoneInfoNoMem
        return times.getServerZoneinfo()
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/times.py", line 163, in getServerZoneinfo
        serverStatus, serverResp = splunk.rest.simpleRequest('/search/timeparser/tz', sessionKey=sessionKey)
      File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 625, in simpleRequest
        raise splunk.AuthenticationFailed
    splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated
    2023-12-01 10:16:45,150 ERROR [6569420d237fbde4dc8290] startup:112 - Unable to read in product version information; [HTTP 401] Client is not authenticated
    2023-12-01 10:16:45,151 INFO [6569420d237fbde4dc8290] startup:139 - Splunk appserver version=UNKNOWN_VERSION build=000 isFree=False isTrial=True
    2023-12-01 10:16:45,159 ERROR [6569420d237fbde4dc8290] config:149 - [HTTP 401] Client is not authenticated
    Traceback (most recent call last):
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/config.py", line 147, in getServerZoneInfoNoMem
        return times.getServerZoneinfo()
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/times.py", line 163, in getServerZoneinfo
        serverStatus, serverResp = splunk.rest.simpleRequest('/search/timeparser/tz', sessionKey=sessionKey)
      File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 625, in simpleRequest
        raise splunk.AuthenticationFailed
    splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated

    2023-12-01 10:36:53,327 INFO [656946c5357fdfe823efd0] error:321 - Masking the original 404 message: 'Nothing matches the given URI' with 'Page not found!' for security reasons
    2023-12-01 10:36:53,329 INFO [656946c5347fdfe82389d0] error:321 - Masking the original 404 message: 'Nothing matches the given URI' with 'Page not found!' for security reasons
    2023-12-01 10:36:53,342 INFO [656946c5357fdfe8216b90] startup:139 - Splunk appserver version=9.0.4 build=de405f4a7979 isFree=False isTrial=False
    2023-12-01 10:36:53,430 INFO [656946c56c7fdfe818afd0] error:321 - Masking the original 404 message: 'Nothing matches the given URI' with 'Page not found!' for security reasons
    2023-12-01 10:36:54,307 INFO [656946c64b7fdfe00b3e50] startup:139 - Splunk appserver version=9.0.4 build=de405f4a7979 isFree=False isTrial=False
    2023-12-01 10:36:54,307 ERROR [656946c64b7fdfe00b3e50] utility:58 - name=javascript, class=Splunk.Error, lineNumber=3845, message=Uncaught TypeError: Cannot set properties of undefined (setting 'loadParams'), fileName=https://10.85.182.69:8000/zh-CN/manager/search/apps/local?msgid=5419270.9466664794685945
    2023-12-01 10:36:54,307 ERROR [656946c64b7fdfe00b3e50] utility:58 - name=javascript, class=Splunk.Error, lineNumber=5, message=Uncaught TypeError: Cannot read properties of undefined (reading 'regional'), fileName=https://10.85.182.69:8000/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2/js/common.min.js

    2023-12-01 10:37:37,961 INFO [656946f1f27fdfe8cddb50] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/0.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:37,963 INFO [656946f1f37fdfe80cb390] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/3.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:37,964 INFO [656946f1f37fdfe80b8c90] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/1.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:37,968 INFO [656946f1f57fdfe8c9a1d0] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/4.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:38,388 INFO [656946f2607fdfbc5dbad0] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/5.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:39,706 INFO [656946f3b27fdfe05e77d0] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/1.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:39,707 INFO [656946f3b27fdfbc533750] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/5.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:39,709 INFO [656946f3b17fdfe008eed0] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/0.js' was not found.' with 'Page not found!' for security reasons

    2023-12-01 10:59:07,462 INFO [65694bfb747fdfbc38f550] error:321 - Masking the original 404 message: 'The path '/en-US/static/app/search/$token_image_url$' was not found.' with 'Page not found!' for security reasons
    2023-12-01 11:00:14,001 INFO [65694c3df97fdfbc5ccc50] startup:139 - Splunk appserver version=9.0.4 build=de405f4a7979 isFree=False isTrial=False
    2023-12-01 11:00:14,072 INFO [65694c3df97fdfbc5ccc50] startup:139 - Splunk appserver version=9.0.4 build=de405f4a7979 isFree=False isTrial=False
    2023-12-01 11:00:14,175 INFO [65694c3df97fdfbc5ccc50] cached:163 - /opt/splunk/etc/apps/search/appserver/static/setup.json
    2023-12-01 11:00:14,437 INFO [65694c3df97fdfbc5ccc50] view:1137 - PERF - viewType=fastpath viewTime=0.2445s templateTime=0.0666s
    2023-12-01 11:00:14,535 INFO [65694c3e807fdfe071d9d0] startup:139 - Splunk appserver version=9.0.4 build=de405f4a7979 isFree=False isTrial=False
    2023-12-01 11:00:14,610 INFO [65694c3e957fdfe039f090] startup:139 - Splunk appserver version=9.0.4 build=de405f4a7979 isFree=False isTrial=False
    2023-12-01 11:00:16,799 INFO [65694c40ca7fdfbc56c4d0] error:321 - Masking the original 404 message: 'The path '/en-US/static/app/search/$token_image_url$' was not found.' with 'Page not found!' for security reasons

such as this:

What problem caused the white screen to occur? If you could help me, I would be extremely grateful!
Need an AppDynamics lab for practicing End User Monitoring (EUM and Synthetic Monitoring) and Business Analytics.
I want to repeat the same alert 3 times, 5 minutes apart, like a morning call. Please let me know how I can do it. Can I organize the logic into queries, or is there an alert option for it? This is my query for the alert event:

    index="main" sourcetype="orcl_sourcetype"
    | sort by _time
    | tail 1
    | where CNT < 10
We have added a custom snippet to track additional information like user and SAP Fiori application details. Whenever there is a script error or AJAX error while loading an application, the data captured by the custom snippet is not reflected on the EUM dashboard. Sometimes the data is not collected even if there are no errors. We are not able to identify any particular reason for this inconsistency. Below is the code we have added in the custom snippet.

    <script charset="UTF-8" type="text/javascript">
    window["adrum-start-time"] = new Date().getTime();

    // Collects user and Fiori application details from the shell; called on every beacon
    function getCustInfo() {
        if (!!sap) {
            var userId = sap.ushell.Container.getService("UserInfo").getUser().getId();
            var userName = sap.ushell.Container.getService("UserInfo").getUser().getFullName();
            if (sap.ushell.services.AppConfiguration.getCurrentApplication() != undefined) {
                var AppTitle = sap.ushell.services.AppConfiguration.getCurrentApplication().text;
                var CompID = sap.ushell.services.AppConfiguration.getCurrentApplication().applicationDependencies.name;
                if (sap.ushell.services.AppConfiguration.getCurrentApplication().reservedParameters['sap-fiori-id'] == undefined) {
                    var AppDevType = 'Custom';
                } else {
                    var AppDevType = 'SAP';
                    var AppID = sap.ushell.services.AppConfiguration.getCurrentApplication().reservedParameters['sap-fiori-id'][0];
                }
            }
        }
        return {
            "userId": userId,
            "userName": userName,
            "AppTitle": AppTitle,
            "CompID": CompID,
            "AppDevType": AppDevType,
            "SIB_APPID": AppID
        };
    }

    // Attach the collected details as userData to page views, AJAX calls and virtual page views
    window['adrum-config'] = {
        userEventInfo: {
            "PageView": function (context) { return { userData: getCustInfo() }; },
            "Ajax": function (context) { return { userData: getCustInfo() }; },
            "VPageView": function (context) { return { userData: getCustInfo() }; }
        }
    };

    (function (config) {
        config.appKey = "AD-AAB-ACE-TNP";
        config.adrumExtUrlHttp = "http://cdn.appdynamics.com";
        config.adrumExtUrlHttps = "https://cdn.appdynamics.com";
        config.beaconUrlHttp = "http://pdx-col.eum-appdynamics.com";
        config.beaconUrlHttps = "https://pdx-col.eum-appdynamics.com";
        config.useHTTPSAlways = true;
        config.resTiming = {"bufSize": 200, "clearResTimingOnBeaconSend": true};
        config.maxUrlLength = 512;
        config.Isabapapp = true;
        config.page = {
            "title": function title() { return document.title; }
        };
    })(window["adrum-config"] || (window["adrum-config"] = {}));
    </script>
    <script src="//cdn.appdynamics.com/adrum/adrum-23.3.0.4265.js"></script>

Any help would be appreciated. Thanks!
Hello all, I need to convert the timeline with different times into one. For example: 12:05AM, 12:10AM, 12:15AM should be taken as 12AM; 1:05AM, 1:10AM, 1:15AM should be taken as 1AM; and so on. Can you please help me write a query for this?

    Timeline (Top 10 Values)    Count    %
    01:10:02 AM                 2        0.368%
    01:20:02 PM                 2        0.368%
    01:30:02 AM                 2        0.368%
    01:35:02 PM                 2        0.368%
    01:45:02 PM                 2        0.368%
    01:50:02 AM                 2        0.368%
    02:05:02 PM                 2        0.368%
    02:10:02 PM                 2        0.368%
    02:40:02 PM                 2        0.368%
    03:05:02 PM

Thank you.
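The bucketing the post asks for, as an added example that is not part of the original post: 12-hour timestamps with or without seconds and with or without a space before AM/PM are parsed, reduced to their hour label ("12AM", "1PM"), and counted per hour. The sample values are taken from the post's table plus the short forms in the question; the function names are the example's own.

```python
"""Added example (not part of the original post): collapse 12-hour timestamps
such as "12:05AM" or "01:20:02 PM" to an hour label ("12AM", "1PM") and count
occurrences per hour. Sample values are constructed from the post's table."""
from collections import Counter
from datetime import datetime

# Constructed sample: the Timeline values shown in the post plus the short
# forms used in the question itself.
SAMPLE_TIMES = [
    "01:10:02 AM", "01:20:02 PM", "01:30:02 AM", "01:35:02 PM", "01:45:02 PM",
    "01:50:02 AM", "02:05:02 PM", "02:10:02 PM", "02:40:02 PM", "03:05:02 PM",
    "12:05AM", "12:10AM", "12:15AM", "1:05AM", "1:10AM", "1:15AM",
]

# Accepted input shapes, tried in order: with/without seconds, with/without a
# space before the AM/PM marker.
FORMATS = ("%I:%M:%S %p", "%I:%M %p", "%I:%M:%S%p", "%I:%M%p")


def parse_time(value):
    """Parse one 12-hour time string; raises ValueError if no format matches,
    so bad rows fail loudly instead of landing in a wrong bucket."""
    text = value.strip().upper()
    for fmt in FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised time: {value!r}")


def hour_label(value):
    """'12:05AM' -> '12AM', '01:20:02 PM' -> '1PM'. %I gives the 12-hour hour
    with a leading zero, which int() strips; %p gives AM/PM."""
    t = parse_time(value)
    return f"{int(t.strftime('%I'))}{t.strftime('%p')}"


def count_by_hour(values):
    """Counter of hour labels, e.g. {'1AM': 6, '1PM': 3, ...}."""
    return Counter(hour_label(v) for v in values)


if __name__ == "__main__":
    for label, n in sorted(count_by_hour(SAMPLE_TIMES).items()):
        print(f"{label:>4}  {n}")
```

Because the label is derived from the parsed hour rather than by string slicing, "1:05AM" and "01:05:02 AM" land in the same "1AM" bucket, which is the behaviour the question describes.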
Hi all, how do you customize the table width of the results of a custom search from a drilldown? I am not able to find any documentation on this.
I'm not a programmer, but I am trying to get the display of my graph to show "No Results" or "N/A" when the where command can't find the specific name within the CSV. Instead, what I get is all of the servers listed in the spreadsheet. Here is a quick example. This works for me:

    index=House sourcetype=LivingRoom
        [ | inputlookup HouseInventory.csv
          | where Room="Bathroom"
          | return host=$X_Furniture ]
    | timechart span=5m count by host

But if a user types where Room="Bathr00mZ" (see below), I get a list of all the servers listed in my CSV, which is what I don't want. I would rather have it say "No Results" or "N/A":

    index=House sourcetype=LivingRoom
        [ | inputlookup HouseInventory.csv
          | where Room="Bathr00mZ"
          | return host=$X_Furniture ]
    | timechart span=5m count by host

I've tried this:

    index=House sourcetype=LivingRoom
        [ | inputlookup HouseInventory.csv
          | where Room="Bathr00mZ"
          | eval res=if(Room=="Bathroom",X_Furniture,"Null") ]
    | timechart span=5m count by host

But this still comes back with the list of all the servers.
I customized a dashboard page and put a submit button on it. How can I use JavaScript to monitor the button's click, send a request to Splunk and have Splunk execute an SPL search? This is my JS code:

    require([
        "jquery",
    ], function ($) {
        // Delegated click handler for the button rendered in the dashboard's HTML panel
        $(document).on('click', '#btn_submit', function () {
            setTimeout(function time() {
                var temp_a = document.getElementById('temp_a').value;
                var temp_b = document.getElementById('temp_b').value;
            }, 100);
        });
    });

and the dashboard source code is:

    <dashboard script="test.js">
      <label>test_js_action</label>
      <row>
        <panel>
          <html>
            <div>
              <button id="btn_submit">submit</button>
            </div>
          </html>
        </panel>
      </row>
    </dashboard>

By the way, I saw a sample using splunkjs/mvc to send a request, but I can't get the whole code; I only know the JS header is:

    require([
        "jquery",
        "splunkjs/mvc",
        "splunkjs/mvc/simplexml/ready!"
    ], function ($, mvc) {

Thank you very much if you could provide a solution.
Hi, how can we reset the password for the admin user from the CLI? Currently I have an indexer running Splunk 9.1.1 in a testing environment and I forgot the username and password. There were some bin commands that prompt for the Splunk username and password, so I need to reset the username and password. Please help. Thank you.
I am very new to Splunk, but I am enjoying it a lot so far. I am being tasked with writing a document on how to verify that all Domain Controllers' logs are going into Splunk, for the SecOps team to action on a daily basis. Can someone please point me to a good document on this process? Thank you in advance!
Hello, regarding filtering Splunk roles, we would like to only allow transforming commands (stats, timechart...) for users on a specific search head. This search head is not part of the cluster; it only queries clustered indexers. The aim is to prevent specific users from accessing raw index data and only show them statistics. At the moment we use summary indexing in a local index by scheduling reports with sistats or sitimechart, but it's long and heavy to convert the searches. Thanks for your help.