We are in the process of implementing SAML configuration in Splunk, utilizing an external .pem certificate. However, Splunk does not accept this certificate. How can we obtain an external certificate in Splunk to successfully configure SAML? Additionally, for SAML integration, we are utilizing NetIQ Access Manager.
I have a Splunk result like below.

VM   col1   col2
vm1  car    sedan
vm2  car    sedan
vm3  plane  Priv
vm4  bike   Fazer
vm5  bike   thunder

I would like to present them in the format below; could you please suggest how? I want to merge the same values into one (merge columns).
Hello, I am working on creating a search that evals results and adds boolean strings. The results will then be passed as a token to later searches. The result of the search could be a single ID or multiple IDs. The idea is that the first panel lists IDs. The next panel in the dashboard will search an index but only for IDs from the first panel. For example:

Panel 1

index=db source=MSGTBL MSG_src="XXXX" MSG_DOMAIN="CCCCCCCC" "<messageType>AAA</messageType>"
| eval MSGID1="MSGID="+MSGID+" OR"
| table MSGID1

might give you a table of MSGIDs:

MSGID=56454GF-5RT1KL-566IOS-FT5GFAS OR
MSGID=56454GF-65WE-566IOS-5845UIK OR
MSGID=SD8734-DFH745-DFHJ7867-GKJH8 OR

I can then set that as a token like

<done>
  <set token="tokMSGID1">$result.MSGID1$</set>
</done>

The issue I'm having is that if there is only a single MSGID it will have an 'OR' at the end, and the last result in a set of IDs will also have the 'OR' at the end. Can anyone tell me, search-wise, how to handle this? Thanks!
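One way to build that token without the dangling OR, as an added example that is not part of the post above: collect the IDs into a single multivalue field with stats, then join them with mvjoin so the separator only ever lands between values. The makeresults block at the top is constructed sample data standing in for the index=db base search; replace it with the real search.

```spl
| makeresults count=3
| streamstats count AS n
| eval MSGID=case(n=1, "56454GF-5RT1KL-566IOS-FT5GFAS",
                  n=2, "56454GF-65WE-566IOS-5845UIK",
                  n=3, "SD8734-DFH745-DFHJ7867-GKJH8")
| stats values(MSGID) AS MSGID
| eval MSGID1="(MSGID=\"" . mvjoin(MSGID, "\" OR MSGID=\"") . "\")"
| table MSGID MSGID1
```

With three IDs MSGID1 comes out as (MSGID="56454GF-5RT1KL-566IOS-FT5GFAS" OR MSGID="56454GF-65WE-566IOS-5845UIK" OR MSGID="SD8734-DFH745-DFHJ7867-GKJH8"); with one ID the same expression yields (MSGID="...") and no OR at all, because mvjoin never emits a separator after the last value. The done handler stays <set token="tokMSGID1">$result.MSGID1$</set>, and the second panel uses index=... $tokMSGID1$. Quoting each value and wrapping the whole list in parentheses also keeps an ID containing spaces or search operators from changing the meaning of the second panel's search.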
Hi, when I execute this search

index=foo | stats count by _raw, sourcetype, source, host | where count>1

I'm able to observe events with counts higher than 1. However, I'm uncertain if these events are being duplicated. Is there an alternative search method I can use to verify whether these events are being double-ingested? Thanks.
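An added example (not from the post above) that sharpens the duplicate check: grouping by _time as well as _raw separates genuine re-ingestion (same text, same event time) from a log line that legitimately repeats at different times, and pulling in _indextime shows whether the copies arrived in separate ingestion passes. The index name is the one from the post; nothing else is assumed.

```spl
index=foo
| eval indextime=_indextime
| stats count AS copies
        dc(indextime) AS distinct_index_times
        min(indextime) AS first_indexed
        max(indextime) AS last_indexed
        values(source) AS sources
    BY _raw, _time, sourcetype, host
| where copies > 1
| eval first_indexed=strftime(first_indexed, "%Y-%m-%d %H:%M:%S"),
       last_indexed=strftime(last_indexed, "%Y-%m-%d %H:%M:%S")
| sort 0 -copies
```

Read the output as a heuristic: copies > 1 with distinct_index_times > 1 (or a gap between first_indexed and last_indexed) means the same event was indexed again later, which is the signature of a forwarder re-reading a file or of two inputs monitoring the same path; copies > 1 with a single index time suggests the duplicate was already present in the batch that was sent, so look at the source system rather than the ingestion pipeline.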
Hello, at the moment we are indexing JSON files in Splunk and then renaming the fields with a Field Alias. This leads to the problem that we cannot use tstats on these renamed fields anymore.

Now to the question: is there a way to rename the fields with Splunk before indexing the data? The goal is that we can use tstats on all fields with the new renamed names.
index=jedi domain="jedi.lightside.com" (master!="yoda" AND master!="mace" AND master="Jinn")
| table saber_color, Jname, strengths, mentor, skill, domain, mission

index=sith broker sithlord!=darth_maul
| table saber_color, Sname, strength, teacher, actions

I need to list where Jname=Sname, but I need to list all columns. The third one is where Jname!=Sname. The caveat is I cannot use join for this query. This helped, however I am unable to utilize the index drill-down for each in the search, otherwise the query is 75% white noise.

index=jedi OR index=sith
| eval name=coalesce(Jname, Sname)
| stats values(name) as names by saber_color strengths
| where mvcount(names)=1

Please help.
Hi, I want to import entities via CSV into Entity Management in Splunk ITSI, so please help me with this. Thanks.
Hello Experts, I currently have a CSV file that contains fields such as ID, IP, OS, status, tracking_method, Last_boot, First_found_date, last_activity, hostname, domain, etc. I want to ingest it as metrics data. Is it possible? I'd appreciate any guidance or examples of how to achieve this. Thanks in advance.
Getting "Unexpected error downloading update: Connection reset by peer" while trying to install an add-on from Splunkbase (via 'Find more apps'). The internet is connected, and I'm able to access the Splunk application as well. Only the installation is failing. Before this, I was getting an SSL error when I tried to open this page. Then I set sslVerifyServerCert to false, after which the page started loading. I'm not sure if some SSL-related blocking still exists. Any suggestions around getting through this?
Does Splunk share a common user base among all Splunk products? Which API request fetches audit logs or events for Splunk users?
When I try to use the code below to test the API search:

var context = new Context(Scheme.Https, "www.splunk.com", 443);
using (var service = new Service(context, new Namespace(user: "nobody", app: "search")))
{
    Run(service).Wait();
}

/// <summary>
/// Called when [search].
/// </summary>
/// <param name="service">The service.</param>
/// <returns></returns>
static async Task Run(Service service)
{
    await service.LogOnAsync("aaa", "bbb");

    //// Simple oneshot search
    using (SearchResultStream stream = await service.SearchOneShotAsync("search index=test_index | head 5"))
    {
        foreach (SearchResult result in stream)
        {
            Console.WriteLine(result);
        }
    }
}

it fails with the error message:

XmlException: Unexpected DTD declaration. Line 1, position 3.

Question: in this line

new Namespace(user: "nobody", app: "search")

how do I define the "user" and "app" parameter values? I tried this way:

var service = new Service(new Uri("https://www.splunk.com"));

but it still failed with the same error message.
Hi, below are the log details.

index=ABC sourcetype=logging_0

Below are the values of the "ErrorMessages" field:

invalid - 5 count
unprocessable - 7 count (5 invalid pair + 2 others)
no user found - 3 count
invalid message process - 3 count
process failed - 3 count

Now I have to eliminate ErrorMessage=invalid and ErrorMessage=unprocessable, then show all other ErrorMessages. But the problem here is that the "unprocessable" ErrorMessage will show for other messages as well, so we cannot fully eliminate the "unprocessable" ErrorMessage. Whenever the "Invalid" ErrorMessage is logged, the "unprocessable" ErrorMessage is also logged. So we need to eliminate this pair only, not every "unprocessable" ErrorMessage.

Expected result:

unprocessable - 2 count
no user found - 3 count
invalid message process - 3 count
process failed - 3 count

I tried with join using requestId, but it's not returning anything, because I am using | search ErrorMessage="Invalid" and eliminated this in the next query, so it's not searching for other ErrorMessages.

Can someone please help.
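An added example (not from the post above) of dropping the pair without a join: group the messages per requestId, and only inside a request that carries "invalid" remove both "invalid" and "unprocessable"; every other "unprocessable" survives. It assumes the field is named ErrorMessage and that requestId is extracted on every event, as the post implies.

```spl
index=ABC sourcetype=logging_0
| stats list(ErrorMessage) AS msgs BY requestId
| eval msgs=if(isnotnull(mvfind(msgs, "(?i)^invalid$")),
               mvfilter(NOT match(msgs, "(?i)^(invalid|unprocessable)$")),
               msgs)
| mvexpand msgs
| stats count BY msgs
| rename msgs AS ErrorMessage
```

The regexes are anchored, so "invalid message process" is not mistaken for "invalid". list() rather than values() is used on purpose: values() would collapse two identical messages within one request into one and skew the counts (list() itself stops at 100 values per group, which is fine for a request that logs a handful of messages). One consequence to be aware of: if a request logs "invalid" plus more than one "unprocessable", all of that request's "unprocessable" messages are dropped, not just one.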
Hello, could anyone assist me in creating a correlation search to detect triggered alerts across all searches? This will enable us to monitor counts and automatically notify us if any situation escalates beyond control. Thanks.
Hi All, I need help writing a query based on the field "Timestamp", which is different from the "_time" value.

Sample event in XML format:

Email: xyz@gmail.com
RoleName: User
RowKey: 123456
Timestamp: 2023-12-13T23:56:18.200016+00:00
UserId: mno
UserName: acho

This is one of the sample events in XML format. There is a specific field "Timestamp" in the event, and this "Timestamp" field is completely different from the _time value. Hence I want to pull only the "Timestamp" values for a particular day, for example yesterday, 2023-12-13, i.e. from 2023-12-13 00:00:00 to 2023-12-13 23:59:59. How can I write the query for this?

index=abc host=xyz sourcetype=xxx
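An added example (not from the post above) that filters on the event's own Timestamp field instead of _time: parse it with strptime into epoch seconds and compare against the day boundaries. The format string assumes every Timestamp looks like the sample (microseconds and a +hh:mm offset); the field names are the ones in the sample event.

```spl
index=abc host=xyz sourcetype=xxx
| eval ts=strptime(Timestamp, "%Y-%m-%dT%H:%M:%S.%6N%:z")
| where ts >= strptime("2023-12-13 +0000", "%Y-%m-%d %z")
    AND ts <  strptime("2023-12-14 +0000", "%Y-%m-%d %z")
| table Timestamp Email RoleName RowKey UserId UserName
| sort 0 Timestamp
```

Two caveats a practitioner should keep in mind. First, the time picker still filters on _time, so the search's time range has to be wide enough to include events whose _time differs from their Timestamp, otherwise the where clause never sees them. Second, an exclusive upper bound (ts < midnight of the next day) is safer than comparing against 23:59:59, which would silently drop events in the last second of the day. For a rolling "yesterday" rather than a fixed date, replace the two literals with relative_time(now(), "-1d@d") and relative_time(now(), "@d").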
Hi Team, I am using a query which has the same index and source but fetches two results based on the search and combines them into a single table. Now I want to display the result along with the timestamp it appears at, in ascending order.

index=index1 source=source1 CASE("latest") AND "id" AND "dynamoDB data retrieved for ids" AND "material"
| eval PST=_time-28800
| eval PST_TIME3=strftime(PST, "%Y-%d-%m %H:%M:%S")
| spath output=dataNotFoundIdsCount path=dataNotFoundIdsCount
| stats values(*) as * by _raw
| table dataNotFoundIdsCount, PST_TIME3
| sort -PST_TIME3
| appendcols
    [ search index=index1 source=source1 CASE("latest") AND "id" AND "sns published count" AND "material"
      | eval PST=_time-28800
      | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S")
      | spath snsPublishedCount output=snsPublishedCount
      | spath output=republishType path=republishType
      | spath output=version path=republishInput.version
      | spath output=publish path=republishInput.publish
      | spath output=nspConsumerList path=republishInput.nspConsumerList{}
      | spath output=objectType path=republishInput.objectType
      | stats values(*) as * by _raw
      | table snsPublishedCount, republishType, version, publish, nspConsumerList, objectType, PST_TIME4
      | sort -PST_TIME4 ]
| table PST_TIME4 objectType version republishType publish nspConsumerList snsPublishedCount dataNotFoundIdsCount
Hi All, I am facing an error using a wildcard in a multivalue field. I am using mvfind to find a string.

eval test_loc=case(isnotnull(Region,%bangalore%), Bangalore)

I am just giving part of the eval statement here. Example: Region = "sh bangalore Test". The above eval statement should work on this Region and set test_loc = Bangalore. I tried passing * and % (*bangalore*, %bangalore%), but I am getting an error. Please help me.

Thanks,
poojitha NV
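An added example (not from the post above) showing the substring match done with mvfind, which takes a regular expression rather than a % or * wildcard: mvfind returns the index of the first matching value, or null when nothing matches, so isnotnull(mvfind(...)) is the condition case() needs. The makeresults block is constructed sample data; the Region values and the extra city are assumptions for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval Region=case(n=1, "sh bangalore Test",
                   n=2, "Chennai HQ|Bangalore North",
                   n=3, "Mumbai")
| eval Region=split(Region, "|")
| eval test_loc=case(isnotnull(mvfind(Region, "(?i)bangalore")), "Bangalore",
                     isnotnull(mvfind(Region, "(?i)chennai")),   "Chennai",
                     true(), "Other")
| table Region test_loc
```

The (?i) prefix makes the regex case-insensitive, which is what makes "sh bangalore Test" match. Because case() returns the first condition that is true, the second row (a multivalue Region holding both a Chennai and a Bangalore entry) is labelled Bangalore; reorder the branches if the other precedence is wanted. The original expression failed for two reasons: isnotnull() accepts a single argument, and %...% wildcards belong to like(), which works on single-value strings, not to mvfind.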
Hello! I'm new to Splunk, so any help is much appreciated. I have two queries on different indexes.

Query1:
index=rdc sourcetype=sellers-marketplace-api-prod custom_data
| search "custom_data.result.id"="*"
| dedup custom_data.result.id
| timechart span=1h count

Query2:
index=leads host="pa*" seller_summary
| spath input="Data"
| search "0.lead.form.page_name"="seller_summary"
| dedup 0.id
| timechart span=1h count

I would like to write a query that computes Query1 - Query2 for the counts in each hour. It should be in the same format. Thank you!!
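An added example (not from the post above) that folds both searches into one pass so the subtraction can be done per bucket: tag each event with which query it belongs to, dedup within that tag, count both tags in the same timechart, and take the difference. Index names, sourcetype, host pattern and field paths are taken from the two queries; the tag names q1 and q2 are assumptions.

```spl
(index=rdc sourcetype=sellers-marketplace-api-prod custom_data "custom_data.result.id"=*)
    OR (index=leads host="pa*" seller_summary)
| spath input=Data
| eval src=if(index="rdc", "q1", "q2")
| eval id=if(src="q1", 'custom_data.result.id', '0.id')
| where src="q1" OR '0.lead.form.page_name'="seller_summary"
| dedup src id
| timechart span=1h count(eval(src="q1")) AS q1 count(eval(src="q2")) AS q2
| eval diff=q1-q2
| fields _time q1 q2 diff
```

dedup src id reproduces the original behaviour of each query deduplicating over the whole time range rather than per hour; if an ID that recurs in several hours should be counted in each, move the dedup into the hourly grouping instead. Drop q1 and q2 from the final fields line if only the difference should be charted.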
Hi, I need help with a Splunk search. My requirement is to get the stats for failed and successful counts along with the percentage of Failed and Successful, and at the end I need to fetch the stats only when the failed % is > 10%. My query works fine until the below:

index=abcd
| eval status=case(statuscode < 400, "Success", statuscode > 399, "Failed")
| stats count(status) as TOTAL count(eval(status="Success")) as Success_count count(eval(status="Failed")) as Failed_count by Name, URL
| eval Success%=((Success_count/TOTAL)*100)
| eval Failed%=((Failed_count/TOTAL)*100)

The above works and I get a table with Name, URL, TOTAL, Success_count, Failed_count, Success%, Failed%. Now, when I add the below to the above query, it fails:

| where Failed% > 10

How do I get Failed% > 10 with the above table? Please assist.
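An added example (not from the post above): in where, and on the right-hand side of eval, a field name that contains characters outside letters, digits and underscore has to be wrapped in single quotes, otherwise the parser reads Failed% as the field Failed followed by the modulo operator. The makeresults block is constructed sample data (one failure in five requests) standing in for index=abcd; the rest mirrors the post's pipeline.

```spl
| makeresults count=5
| streamstats count AS n
| eval Name="svc", URL="/api/x", statuscode=case(n<=4, 200, true(), 500)
| eval status=case(statuscode < 400, "Success", statuscode > 399, "Failed")
| stats count(status) AS TOTAL
        count(eval(status="Success")) AS Success_count
        count(eval(status="Failed"))  AS Failed_count
    BY Name, URL
| eval Success%=round((Success_count/TOTAL)*100, 2)
| eval Failed%=round((Failed_count/TOTAL)*100, 2)
| where 'Failed%' > 10
```

The sample yields one row with TOTAL=5, Failed_count=1 and Failed%=20, which passes the filter; change the threshold in case() to n<=5 and the row disappears. If the quoting rule is easy to forget, the alternative is to compute into plain names (Failed_pct), filter on those, and only rename to Failed% in a final rename for display.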
I have data like this.

{
    env: prod
    host: prod01
    name: appName
    info: {
        data: [ ... ]
        indicators: [
            {
                details: {
                    A.runTime: 434
                    A.Count: 0
                    B.runTime: 0
                    B.Count: 0
                    ....
                }
                name: timeCountIndicator
                status: UP
            }
            {
                details: {
                    A.downCount: 2
                    A.nullCount: 0
                    B.downCount: 0
                    B.nullCount: 0
                    ....
                }
                name: downCountIndicator
                status: UP
            }
        ]
        status: DOWN
    }
    metrics: { ... }
    ping: 1
}

I only want to extract the fields in info.indicators{}.details ONLY when the info.indicators{}.name of that element is "timeCountIndicator". I tried to use spath combined with table, mvexpand and where:

... | spath path=info.indicators{} output=indicators
| table indicators
| mvexpand indicators
| where match(indicators, "timeCountIndicator")

However, it returns the record as a string, and it's really hard to convert the string back into fields, which makes it hard to process. (Technically extract/rex can deal with it, but it takes a REALLY long time to extract every field in details when I need only some of them.) Is there a way to deal with this in an easier way?
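An added example (not from the post above) that picks the mvexpand approach up where it stalled: spath accepts input=<field>, so the JSON string left in each expanded element can be parsed again instead of being regexed. The first two lines build a constructed, abbreviated copy of the event in _raw so the search runs on its own; replace them with the real index search.

```spl
| makeresults
| eval _raw="{\"env\":\"prod\",\"host\":\"prod01\",\"name\":\"appName\",\"info\":{\"indicators\":[{\"details\":{\"A.runTime\":434,\"A.Count\":0,\"B.runTime\":0,\"B.Count\":0},\"name\":\"timeCountIndicator\",\"status\":\"UP\"},{\"details\":{\"A.downCount\":2,\"A.nullCount\":0},\"name\":\"downCountIndicator\",\"status\":\"UP\"}],\"status\":\"DOWN\"},\"ping\":1}"
| spath path=info.indicators{} output=indicator
| mvexpand indicator
| spath input=indicator path=name output=indicator_name
| where indicator_name="timeCountIndicator"
| rename name AS app_name, status AS app_status
| spath input=indicator
| rename details.* AS *
| table app_name indicator_name status A.* B.*
```

After the where, only the timeCountIndicator element is left, so the second spath input=indicator (with no path) extracts just that element's details.* fields plus its name and status; nothing from downCountIndicator is ever parsed. The rename before it matters on real events, where automatic JSON extraction has already populated top-level name and status: without it, the indicator's name and status would overwrite the application's. The final table uses wildcards so only the details fields need to be known, not listed one by one.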
Hello, I have several dashboards that are presenting the user with a pop-up box.

Reviewing the browser console, I see the following:

The culprit seems to be common.js. The dashboard is already using version="1.1", which I have seen in other posts. The dashboard doesn't reference any .js scripts, nor does it use any lookups to generate results.

<form version="1.1" hideEdit="false">

However, this issue persists. Any suggestions are appreciated. Thank you.