Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Trying to get our CrowdStrike FDR set up with the Splunk TA. Tried resetting the CrowdStrike FDR API twice with the same error:

error response received from server: unexpected error <class splunklib.reset_handler.error.resterror> from python handler: rest error [400]: bad request -- an error occurred (accessdenied) when calling the listbuckets operation: access denied. see splunkd.log/python.log for more details.

Any thoughts?
Hi, I need to add a filter to the error query inside the total transaction query so that I can get the filtered error counts as well as the total transactions in two columns with the service name.

This is the query I am using to get total transactions and total errors:

index="iss" Environment=PROD | where Appid IN ("APP-61", "APP-85", "APP-69", "APP-41", "APP-57", "APP-71", "APP-50", "APP-87") | rex field=_raw " (?<service_name>\w+)-prod" | eval err_flag = if(level="ERROR", 1,0) | eval success_flag = if(level!="ERROR", 1,0) | stats sum(err_flag) as Total_Errors, sum(success_flag) as Total_Successes by service_name | eval Total_Transaction = (Total_Successes+Total_Errors) | fields service_name, Total_Transaction, Total_Errors, Total_Successes

I need to add a search filter to the errors so that it only counts those filtered errors, not all errors, and merge the query below into the err_flag line of the query above:

index="iss" Environment=PROD "Invalid JS format" OR ":[down and unable to retrieve response" OR "[Unexpected error occurred" OR ": [An unknown error has occurred" OR "exception" OR OR IN THE SERVICE" OR "emplateErrorHandler : handleError :" OR "j.SocketException: Connection reset]" OR "Power Error Code" OR "[Couldn't kickstart handshaking]" OR "[Remote host terminated the handshake]" OR "Caused by:[JNObject" OR "processor during S call" OR javx OR "Error while calling" OR level="ERROR" NOT "NOT MATCH THE CTRACT" NOT "prea_too_large" NOT g-500 NOT G-400 NOT "re-submit the request" NOT "yuu is null" NOT "igests data" NOT "characters" NOT "Asset type" NOT "Inputs U" NOT "[null" NOT "Invalid gii"

Please help me, it would be wonderful. Thank you.
Can you please suggest a query to pull all the index and sourcetype lag/delay for the last 30 days?
Hi. I am a new Splunk user with a question: when Splunk is ingesting data we get a monitoring system warning about 10% FS availability. Then the FS space returns to a value > 10% availability. Is there a file/location where temporary data is written while ingestion is happening? Thanks.
I have admin rights, and when I click on any tag permission (Settings --> Tags), I get the following error: The requested URL was rejected. Please consult with your administrator. Any idea why this is happening?
Hi, after installing the Splunk OTel collector, I see the instance name of my VM appearing in the format below:

subscription_id/resource_group_name/resource_provider_namespace/resource_name

I was looking for an option to change the name to only "resource_name" (which is the server name). Please advise where and how I can do this, so it will be easy for identification.
Hello all, I have a lookup file with multiple columns: fieldA, fieldB, fieldC. I need to publish a timechart for each value under fieldA based on search conditions of fieldB and fieldC. Thus, I want your guidance to understand how to build multiple timecharts from the same field by reading the required field values from the lookup file. Any inputs and information would be very helpful. Thank you, Taruchit
The CSV file below is getting generated and ingested into Splunk. These are the file counts, created date-wise, in different folders. My rex command does not pick up the date, filepath and count. Please help with how we can extract these fields from the raw CSV data below.

"Date","Folder","FileCount"
"11-07-2023","E:\Intra\I\IE\Processed\Error","381"
"11-08-2023","E:\Intra\I\IE\Processed\Error","263"
"11-09-2023","E:\Intra\I\IE\Processed\Error","223"
"11-10-2023","E:\Intra\I\IE\Processed\Error","133"
"11-11-2023","E:\Intra\I\IE\Processed\Error","3"
"11-12-2023","E:\Intra\I\IE\Processed\Success","4"
"11-13-2023","E:\Intra\I\IE\Processed\Success","4"","218"
"11-14-2023","E:\Intra\I\IE\Processed\Success","4"","200"
"11-15-2023","E:\Intra\I\IE\Processed\Error","284"
Hi, I am looking for a solution to remove UTF-8 character encoding from the logs. I have a regular expression that works in the search field, but I would like to find an automated solution for Splunk Cloud.

| rex mode=sed "s/\x1B\[[0-9;]*[mK]//g"

Sample log line:

2023-11-15 11:47:21,605 backend_2023.2.8: INFO  [-dispatcher-7] vip.service.northbound.MrpServiceakkaAddress=akka://backend, akkaUid=2193530468036521242 MRP Service is alive and active.

Any idea? Thanks for the help.
Hi, I am trying to configure OpenTelemetry (OTel) to send metrics and our custom metrics to our SaaS controller, but I get a lot of "Forbidden" errors:

Exporting failed. The error is not retryable. Dropping data. {"kind": "exporter", "data_type": "metrics", "name": "otlphttp", "error": "Permanent error: error exporting items, request to https://pdx-sls-agent-api.saas.appdynamics.com/v1/metrics responded with HTTP Status Code 403", "dropped_items": 35}

I double-checked the endpoint and the API key. Also, I carefully checked the configuration. Does anyone have an idea? Please note: our account is a new trial account (I got it after discussing it with the account manager and explaining our needs). Thanks, Diab
For my dashboard, I am using the following regex. Although the current date is displayed at the end of the dashboard and the oldest date is displayed at the top, I require the date format to be mm-dd-yy only. My dashboard should show the most recent date at the top. Give me your finest recommendations, please.

| eval date=strftime(_time, "%m-%d-%y") | stats count by date
Hello all, I use the Splunk API in order to export an SPL search. All queries are working well on my local dev environment and most work on the production server. All queries that include or read from a certain query (let's call it "SessionEntities") seem to return empty. For instance the query " | inputlookup SessionEntities" returns empty. The same query works both locally and, even stranger, works on the Splunk search page on the same server, while the same query with a different lookup returns results. That lookup is no different from the others (no bigger content size), but still. Does anyone have an idea of why this could be happening?
Error thrown: Internal configuration file error. Something wrong within the package or installation step. Contact your administrator for support. Detail: Error: duplicate l keys is not allowed at appendError.

I'm trying to create a new app in Splunk Add-on Builder. This error is thrown whenever I load the app's inputs or configuration page.
Hi all, I am new to Splunk and would appreciate some community wisdom. We are trying to get data from an external AWS S3 bucket (hosted and managed by a 3rd-party supplier) onto our internal enterprise Splunk instance. We do not have any AWS accounts. We have considered whitelisting but it is not secure enough. The supplier does not use AWS Firehose. Any ideas?
@LukeMurphey I'm trying to run the File/Directory Information Input app (v1.4.5) on a universal forwarder. It's a Windows server and I've installed the latest version of Python 3 (and set the app to use 3). I keep getting the same 3 errors in splunkd (copied from another post as my system is isolated):

"09-18-2019 10:47:10.099 +0200 ERROR ModularInputs - Introspecting scheme=file_meta_data: Unable to run "python "C:\Program Files\SplunkUniversalForwarder\etc\apps\file_meta_data\bin\file_meta_data.py" --scheme": child failed to start: The system cannot find the file specified.
09-18-2019 10:47:10.356 +0200 WARN UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts
09-18-2019 10:47:10.356 +0200 ERROR ModularInputs - Unable to initialize modular input "file_meta_data" defined in the app "file_meta_data": Introspecting scheme=file_meta_data: Unable to run "python "C:\Program Files\SplunkUniversalForwarder\etc\apps\file_meta_data\bin\file_meta_data.py" --scheme": child failed to start: The system cannot find the file specified.."

(Except it says Python3.exe instead of python.) Other posts with these errors did not have Python installed, or one said their path environment variable was incorrect but didn't elaborate. My path is set with the 2 default values from the installer, if that matters.
Hi, I am trying to use the hyperlink markdown you shared with someone else, but when I add [Markdown Guide](https://www.markdownguide.org) inside the email body of a send email action (SMTP), I get exactly the above with no link added, just text, no hyperlink. Could anybody help me figure out how I can get a hyperlink to show in the body of the send email action? I am on version 5.3.2.88192. I also tried the <a> tag with the href and that doesn't work either.
Hi Splunk Gurus... As you can see, the length function is not working as expected for non-English words. I checked the old posts and documentation, but no luck. Any suggestions please? Thanks.

| makeresults | eval _raw="இடும்பைக்கு" | eval length=len(_raw) | table _raw length

This produces:

_raw length
இடும்பைக்கு 11

(That word இடும்பைக்கு is actually 6 characters, not 11.)
Hi, I wanted to remove unwanted events from my data, to ingest it as cleanly as possible and for better line breaking etc. These events are not like regular logs, since they are generated by a script which runs every day at 12 am, and the log file rotates and gets renamed as logfile.log.<date>. Here is the pattern that I wanted to remove using SEDCMD and apply in props.conf:

[09/13/2023 00:00:00]       <Event was scheduled based on job definition.>
[10/12/2023 23:58:01]       <Executing at CA_AGENT>
[11/12/2023 23:58:01]        ----------------------------------------
How to display a one-row table in a pie chart? Thank you for your help.

index=test ---- Score calculation ----- | table Score1, Score2, Score3, Score4

Score1 Score2 Score3 Score4
70 50 60 90

My expected pie chart:
Hi folks, I've a KVstore containing the following values: hostname, IP address. This KVstore is updated every hour to ensure that the hostname and IP address always match. The KVstore is updated using a saved search. The reason is that the environment (IP … hostname relationship) changes very often (DHCP). I was thinking about using an automatic lookup when logs containing an IP address are ingested, to enrich them with the hostname corresponding at the time of ingestion and not the one corresponding during the next search. Unfortunately ingest-time lookup is not available in Splunk Cloud Platform, and this functionality is also only for CSV file lookups. And also the solution with an intermediate forwarder is not suitable for me. Any advice?