Hi, I have the following setup:

Splunk HF running on 9.1.2
Splunk DB Connect latest version - 3.15
Splunk DBX Add-on for Oracle DB JDBC - 2.2.0 (has ojdbc8-21.7.0.0.jar)
Configured to use JRE from Oracle's OpenJDK 18.0.2
Our Oracle database is running on 19c.

I have re-loaded the driver. I have verified the connectivity from the Splunk HF server to the DB server via telnet/curl and the connection exists (had to open the firewall). However, when I try to create a connection I get errors like "IO Error: The Network Adapter could not establish the connection" in the internal logs. I suspected it could be an issue with the JDBC driver, so I downloaded "ojdbc8-21.1.0.0.jar" from Oracle and placed it under the drivers folder within splunk_app_db_connect as well as in the lib folder within the DBX add-on. I re-loaded the driver and I can see the internal logs loading the new jar, but still the same issue. Any pointers/thoughts to troubleshoot?

java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection (CONNECTION_ID=5gNEcEZfSnyI6PN7r2LGog==)
at oracle.jdbc.driver.T4CConnection.handleLogonNetException(T4CConnection.java:892)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:697)
at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:1041)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:89)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:732)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:648)
at com.splunk.dbx.service.driver.DelegatingDriver.connect(DelegatingDriver.java:25)

Thanks in advance.
Hi there, I'm new to Splunk and would be grateful for advice. I have the following events:

{ PROJECT_NAME = project1 JOB_NAME = jobA JOB_RESULT = success }
{ PROJECT_NAME = project2 JOB_NAME = job2 JOB_RESULT = fail }

I need to build the following table:

JOB_NAME                              | TOTAL_SUCCESS                        | TOTAL_FAILS
"for each JOB_NAME in PROJECT_NAME"   | "sum of JOB_RESULT success for JOB_RESULT" | "sum of JOB_RESULT fail for JOB_RESULT"

Could you please help with queries for the table? Many thanks in advance!
Hello, I have a very long XML record that I am trying to spath some data from, but I can't seem to get it to work. Can someone possibly give me some assistance? Here's what the record looks like (sorry, it's SUPER long):

2024-01-08 12:09:43.000, LOAD_DATE="2024-01-08 12:09:43.0", EVENT_LENGTH="14912", ID="3f29f958-af6e-4050-919e-fb23fc27e2bc", MSG_src="PXXXX", MSG_DOMAIN="APP", MSG_TYPE="INBOUND", MSG_DATA="<?xml version='1.0' encoding='UTF-8'?> <Message> <header> <domain>APP</domain> <source>PXXXX</source> <messageType>INBOUND</messageType> <eventId>f8y6jk45-af6e-4050-919e-fb23fc27e2bc</eventId> </header> <parsing> <parsingStatus>SUCCESS</parsingStatus> <parsingStatusDesc>Success</parsingStatusDesc> <formType>1234</formType> </parsing> <ABC> <Code>ABC</Code> <Number>209819</Number> <sequence>0236</sequence> <ReceiptDate>2024-01-08T00:00:00.000-05:00</ReceiptDate> <FirstDate>2024-01-08T00:00:00.000-05:00</FirstDate> <Status>SUCCESS</Status> <location>xxxxxxxx</location> <id>ci1704729189245.431902@fdsahl86ceb40c</id> <format>ABCD</format> </ABC> <applicationDetails> <applicationGlobalId>500168938</applicationGlobalId> <applicationType>ABC</applicationType> <applicationSubtype>UNKNOWN</applicationSubtype> <applicationNumber>123456</applicationNumber> <applicationRelationships> <applicationRelationship> <ReasonCode>XYZ</ReasonCode> <Desc>BLAH BLAH BLAH</Desc> <applicationGlobalId>123456789</applicationGlobalId> <applicationNumber>123456</applicationNumber> <applicationSubtype>UNKNOWN</applicationSubtype> <applicationType>RED</applicationType> </applicationRelationship> </applicationRelationships> <applicationPatents/> <applicationStatuses> <applicationStatus> <statusCode>APPROVED</statusCode> <statusDescription>APPROVED</statusDescription> <statusStartDate>2017-11-30T00:00:00.000-05:00</statusStartDate> </applicationStatus> </applicationStatuses> <applicationProperties/> </applicationDetails> <InboundDetails> <InboundType>Reply</InboundType> 
<InboundSubtype>Reply2</InboundSubtype> <InboundSequenceNumber>0236</InboundSequenceNumber> </InboundDetails> <form> <attributes>123-4560910-0001"/> <attribute description="EXPIRATION DATE" name="Expiration Date" value="03/31/2024"/> <attribute description="name" name="name_holder" value="Place Inc."/> <attribute description="NUMBER" name="number" value="209819"/> <attribute description="Bunch of strings" name="Desc"/> </attributes> <List> <items/> </List> <infoList> <info> <Type>Information goes here</Type> <name>Me Formal</name> <phoneNumber>+1 (111) 222-333</phoneNumber> <addressLine1>1234 Road Drive</addressLine1> <city>Place, MO</city> <zipCode>12345</zipCode> <emailAddress>me.formal@domain.com</emailAddress> <partyContacts> <partyContact> <Date>2024-01-04T00:00:00.000-05:00</Date> <state>MO</state> <emailAddress>me.formal@domain.com</emailAddress> <addressLine1>1234 Road Drive</addressLine1> <city>Place</city> <country>UNITED STATES</country> <phoneNumber>+1 (111) 222-333</phoneNumber> <zipCode>12345</zipCode> <name>Me Formal</name> <contactType>United States</contactType> </partyContact> </partyContacts> </info> </infoList> </form> <Information> <Number>11,222,333</Number> <IssueDate>2023-12-12</IssueDate> <ApprovalDate>2017-11-30</ApprovalDate> <ExpirationDate>2035-11-06</ExpirationDate> <SubType>Y</SubType> <Status>SUCCESS</Status> </Information> <index/> <additionalInfo> <attributes> <attribute description="title" name="title" value="Letter"/> </attributes> <fileDetails> <fileDetail> <Toc>application||form</Toc> <title>FABDC REDS</title> <fileName>file.pdf</fileName> <fileType>pdf</fileType> <formType>Long sting of data</formType> <filePath>\\filepath\file.pdf</filePath> </fileDetail> <fileDetail> <abcdToc>v1-place||v1-2-file-name</abcdToc> <title>Letter</title> <fileName>letter.pdf</fileName> <fileType>pdf</fileType> <filePath>\\us\letter.pdf</filePath> </fileDetail> <fileDetail> <abcdToc>information</abcdToc> <title>11-222-333</title> 
<fileName>11-222-333.pdf</fileName> <fileType>pdf</fileType> <filePath>\\ab\11-222-333.pdf</filePath> </fileDetail> </fileDetails> <tags/> </additionalInfo> </Message>"

At the end, I am trying to get the data from the "<fileDetails>" section, specifically the "<title>" for each file. It would have to be multi-value since there may, for a single record, be a single OR multiple Titles. I've tried a few variations of spath, as well as xmlkv, but as of yet haven't found anything that has given me the results I am expecting. For the example above I would expect to have 3 "Titles":

FABDC REDS
Letter
11-222-333

Any ideas how to get this data out? Thanks for the help!
Most of the time this applies to using "Counts" in a certain Dashboard. Is it possible to show an Expected value? For example, I have a dashboard that counts a certain log each day. There should be 30 each day, but sometimes there are only 29 due to errors. Is it possible to visualize that info against the expected number of 30? Or even just visualize it on the dashboard report as 29/30?
Hello, I'd like to know the process of compiling a Splunk app in a Windows environment, specifically using the default folder containing the props file to create a customized app. Thanks
We have a scheduled alert configured in Splunk which is working fine as per the events from the user logs, but it is delayed in sending the email alert notification.
We are using the Splunk metrics-toolkit app to check the logs. We created two indexes, 1. metrics and 2. platform_benefits, and one token for the index metrics. In the metrics-toolkit app.dev file we are using one token. As a result it is logging only metrics index data in Splunk; we have both metrics and platform_benefits dashboards. Is there any way to configure two tokens inside the app.dev yaml file to get both indexes' logs? https://github.com/mulesoft-catalyst/metrics-toolkit/blob/main/src/main/resources/properties/secure/_template.yaml
Hi, I have two queries that have a common field someField. One helps me find inconsistencies:

sourcetype="my_source" someLog inconsistencies

The other helps me find consistencies:

sourcetype="my_source" someLog consistencies

This gives me both consistencies and inconsistencies:

sourcetype="my_source" someLog

Note that someLog is just a text used as an identifier that's common to both queries. If someField was logged as inconsistent, it can be logged as consistent in the future. How can I find those values of someField that are truly inconsistent in a given time frame, retrospectively? I.e., if values are currently inconsistent, I want to be able to search (in the past or future relative to the current search) for those values that are truly inconsistent, that is, not part of the consistent results in that time frame.
What is the latest version of Splunk Enterprise supported on RHEL 7.x?
Hi, instead of passing the username and password in plain text format, I was trying the basicauth extension for authentication and monitoring the oracledb and require some assistance, as after adding the below details in agent_config.yml the Splunk OTel collector is not starting up and I am seeing an error. Kindly help.

In agent_config.yml:

extensions:
  basicauth:
    htpasswd:
      file: /etc/otel/collector/.htpasswd
receivers:
  oracledb/demo:
    protocols:
      http:
        auth:
          authenticator: basicauth
    endpoint: <hostname:port>
    service: <DBname>
service:
  metrics:
    receivers: [oracledb/demo]
I am working on building a query to search retrospectively and potentially run a report. Let's say the first search is

index=some_index "inconsistencies" | dedup someField

and the second is

index=some_index "consistent" someField IN (fieldValuesFromPrevMsg) | dedup someField

I want to check whether a field seen in the first search is part of the second search (which has a slightly different query but the same field) in a custom time frame (it could be in the future relative to the first search or in the past). I'm new to Splunk; can someone please help me with this?
Hi, I am fetching data from the ServiceNow add-on into Splunk for one of the ServiceNow CMDB tables. While fetching, the field name is splitting as below. How do I fix this?
Hi, it's unclear from the app description what this app allows for. Is it helping with RADIUS configuration for Splunk authentication? Or is it for monitoring any RADIUS server logs, even if you don't use it within Splunk?
Hello, I have seen a few of the spath topics around, but wasn't able to understand enough to make it work for my data. I would like to create a line chart using pointlist values; it contains a timestamp in epoch and CPU%. The search I tried, which is not working as expected to extract this data:

index="splunk_test" source="test.json" | spath output=pointlist path=series{}.pointlist{}{} | mvexpand pointlist | table pointlist

Please see the sample JSON below.

{"status": "ok", "res_type": "time_series", "resp_version": 1, "query": "system.cpu.idle{*}", "from_date": 1698796800000, "to_date": 1701388799000, "series": [{"unit": [{"family": "percentage", "id": 17, "name": "percent", "short_name": "%", "plural": "percent", "scale_factor": 1.0}, null], "query_index": 0, "aggr": null, "metric": "system.cpu.idle", "tag_set": [], "expression": "system.cpu.idle{*}", "scope": "*", "interval": 14400, "length": 180, "start": 1698796800000, "end": 1701388799000, "pointlist": [[1698796800000.0, 67.48220718526889], [1698811200000.0, 67.15981521730248], [1698825600000.0, 67.07217666403122], [1698840000000.0, 64.72434584884627], [1698854400000.0, 64.0411289094932], [1698868800000.0, 64.17585938553243], [1698883200000.0, 64.044969119166], [1698897600000.0, 63.448143595246194], [1698912000000.0, 63.80226399404451], [1698926400000.0, 63.93216493520908], [1698940800000.0, 63.983679174088145], [1701331200000.0, 63.3783379315815], [1701345600000.0, 63.45321248782884], [1701360000000.0, 63.452383398041064], [1701374400000.0, 63.46314971048991]], "display_name": "system.cpu.idle", "attributes": {}}], "values": [], "times": [], "message": "", "group_by": []}

Can you please help with how I can achieve this? Thank you. Regards, Madhav
Hi, I need to find a way to present all alerts in a dashboard (Classic/Studio). Users don't want to get mail for each alert; they prefer to see (maybe in a table) all the alerts on one page plus each alert's last result, and maybe to click on the alert and get the last search. Is it possible to create an alerts dashboard? Thanks, Maayan
Hi, I need to find all time_interval values for each machine where there is no data (no row for Name). (The goal is to create an alert if there was no data in a time interval for a machine.) For example, if we look at one day and machine X, and there was data in time intervals 8:00-10:00 and 10:00-12:00, I need to return X and the rest of the intervals (12:00-1:00, 1:00-2:00, ...). I wrote the following command:

| chart count(Name) over machine by time_interval

I get a table with all intervals and machines; cell=0 if there is no data. I want to return all cells = 0 (I need the interval and machine where cell=0), but I didn't succeed. I also tried to save the query and do a left join, but it doesn't work. It's a very simple mission; can someone help me with that? Thanks, Maayan
Query should return last/latest available data when there is no data for the selected time range
I am trying to set up custom user data to capture the user id of the user using the Ajax request payload via the HTTP method and the URL method, but I am unable to execute it with either method and it is not showing up in the Network tab under developer tools. Could someone help me understand what the issue could be?
Hi, I have to create correlation searches in Splunk ES. My cron schedule will be */60 * * * *. Is it better to use a real-time schedule or a continuous schedule? Is it necessary to fill in the time range (start time and end time)? Last question: if an alert event exists, does it mean that this event will be created many times in the Incident Review dashboard? I need to create just one incident for the same alert. How do I do this? Thanks in advance.
Hi all, I have created a detector that monitors the Splunk environment. I am trying to customize the alert message and trying to pass {{dimensions.AWSUniqueId}}. When the alert notification is sent, this variable is empty. Can anyone please let me know why this is happening? Regards, PNV