Hi Team, I want to have a query which displays all types of exceptions that occurred in the last 30 days, in a table or else in a graphical way. We just wanted to see the count of the exceptions every 30 days. I have been using this query but it didn't work. I am new to Splunk, so please help me to find out:
index=dev | rex field=_raw "\b(?<exception_type>(java|javax)\.[\w.]+Exception)" | chart count by exception_type
Hi all, I have a large number of events that have been ingested into SOAR from a ServiceNow queue. A large number of these events have been closed on the ServiceNow end; however, the events are still open in SOAR. I have written a playbook to check the status of these tickets in ServiceNow and then close the event in SOAR if certain conditions are met. I am having trouble finding out how I can run this playbook on all of the events in the source, as I can only select 50 at a time. If someone could point me in the right direction to run this playbook on all of the events in the source, that would be very helpful. Thank you for reading.
I have built such a customized search page with Advanced XML before. The example is like this: it will add more input fields on the search page, but still keep the UI features of the search results. Our users love this!! And this is why we couldn't upgrade our Splunk to the latest version (which does not support Advanced XML). Is there any way that I could customize the search page with a Simple XML dashboard?
Hi all! Hoping you can help me out. We are setting up an alert in Splunk that will feed into ServiceNow, so that when triggered it will allow us to reach out to our users whenever they lock themselves out, instead of them calling through to the IT desk. We don't want a SNow alert to trigger every time they show up in the Splunk search, however; instead, if they have had an alert created in the last 4 hours, for example, they are not included, and it only checks for new people in that time frame. After the time period has elapsed they can then be included in the alert again. I have the search to a point where it is finding the users with issues and creating a transaction, so we are getting them at the point they would be calling us; I'm just stuck on that last bit.
index=prd_example sourcetype=LogSource host=Host* | transaction UserID EventDescription maxspan=4h | table UserID EventDescription LockoutTime FirstName LastName EventCode eventcount | where eventcount >= 3 | sort -_time
Any help would be greatly appreciated. I'm not even sure if this can be done at the Splunk level or needs to be done at the SNow end.
Please let me know which metric to use to create detectors:
1. EC2 Status Check: the possible values for state change events for instances are: pending, running, stopping, stopped, shutting-down, terminated
2. ACM Cert events: ACM Certificate Approaching Expiration event, ACM Certificate Expired event, ACM Certificate Available event, ACM Certificate Renewal Action Required event
Hello and thank you for your time. I would like to run a search in Splunk, using the results against inputlookup lists to return the stats or multiple stats. Example: My search is:
index="MyIndex" AND host="MyHost" AND (*string1* OR "*string2*" OR "*string3*") | dedup user | table user user_results user.name1 user.name2 user.name3
Using those results:
| inputlookup ACBounceList_a-c.csv | inputlookup append=t ACBounceList_d-g.csv | inputlookup append=t ACBounceList_h-l.csv | inputlookup append=t ACBounceList_m-q.csv | inputlookup append=t ACBounceList_r-s.csv | inputlookup append=t ACBounceList_t-v.csv | inputlookup append=t ACBounceList_w-z.csv | stats count by field_stats_wanted | where inputlookup_user = user_results
Resulting in:
field_stats_wanted    count
value1                30
value2                35
etc                   etc
Any assistance with this would be greatly appreciated.
Hello everyone, here is the story: we have a search head cluster with three members, let's call them sh1, sh2, sh3. These 3 search heads are not in the same domain/VLAN, so each one used to have its own config of the SMTP server. Now we are having issues sending reports from Splunk, and I noticed that all 3 search heads are using just one SMTP server, so the emails will not be delivered. I tried to put the correct config for each search head in .../system/local/alert_actions.conf, but it is still not working. For now I will try to allow the search heads to communicate with all SMTP servers, but I am not sure it is the best solution. Is there a config I am missing about the email setting in a search head cluster? Thank you.
I have been investigating a particular search an api user runs which has become markedly slower past a specific date.  When looking in the audittrail internal logs, what I noticed is that there is no significant increase in event count, however the "total_slices" number significantly increases from before the date through after the date. I couldn't find much information in the documentation on what this value represents.  Does this mean the data within each event increased around that time?
I have created the below query to get the hourly report of certain tasks. I got the final timechart values for four different "connectiontype" values below. But I would like to rename the column name to something else.
Hey guys, hope y'all are doing well! I wanted to experiment with Splunk's Deep Learning module to perform some tasks. As mentioned in the "barebone_template", there are two methods to pull data from Splunk in. Because I want the data to be live, I want to be able to run a search inside the Jupyter notebook itself, hence proceeding with method 1. Method 1 is done using Splunk's "dsdlsupport" Python library. But when I used the same commands they have in their template, it throws the following error for their default settings: I wanted to check if someone has faced/solved this issue already before diving into their source code myself. Thank you and have a nice day. Best,
Can someone help me with these regexes in inputs.conf on a universal forwarder? For some reason, it isn't working. Much appreciated!
blacklist7 = EventCode=4673 Process_Name="C:\Program Files\WindowsApps\AD2F1837.myHP_25.52341.876.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe"
blacklist8 = EventCode=4673 Process_Name="C:\Program Files\WindowsApps\AD2F1837.myHP_26.52343.948.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe"
Hi All, I have a search query that allows me to pull results from an index summary. One of the fields is a time/date field. The data is pulled from a database and is a schedule, so the time in this field is not the indexed field. I would like to search on the time field, and I have the below query which allows me to do this. However, I would like to move this into a dashboard and have a timepicker. Is it possible to do this? I need to have a time picker to grab the correct index summary data, then again for the field.
index=summary sourcetype=prod source=service DESCR="Central Extra" | dedup SI_START,NAME,DESCR | eval sTime=strptime(SI_START,"%Y-%m-%d %H:%M:%S") | sort 0 -sTime | eval eventday=strptime(SI_START,"%Y-%m-%d %H:%M:%S") | bucket eventday span=1d | eval eventday=strftime(eventday,"%Y-%m-%d") | eval eventday1=strptime(eventday,"%Y-%m-%d") | eval min_Date=strptime("2023-10-11","%Y-%m-%d") | eval max_Date=strptime("2023-10-14","%Y-%m-%d") | where (eventday1 >= min_Date AND eventday1 < max_Date) | eval record=substr(CODE, -14, 1) | eval record=case(record==1,"YES", record==0,"NO") | stats count(eval(record="YES")) as events_record count(record) as events by NAME | eval percentage_record=(events/events_record)*100 | fillnull value=0 percentage_record | search percentage_record<100 | sort +percentage_record -events
Hello, we are trying to work out how much data our Splunk instances search through on average. So we've written a search that tells us our platform is running 75-80,000 searches a day; this would be only a few manual searches and the rest coming from saved / correlation searches. Is there anywhere in the system, or a search we can write, that would say for instance that these 75,000 searches searched through a total of 750 GB of data? We are researching the possibility of moving to a platform that costs per search, so if we can get these figures we can see how much a like-for-like replacement would actually cost.
Hi, I'm trying to utilize the new feature of adding a custom field in the Asset & Identity Framework, but I'm getting an error after adding the new field. Thanks for your help!!
Hello everyone, I have a problem with the Splunk add-on "IBM QRadar SOAR Add-on for Splunk". We were able to install the add-on successfully. When creating a new alert you can also select the alert action. However, the form for the individual QRadar fields is not displayed for me. However, it works for the Splunk team members. According to the Splunk team, the only difference between me and them is that they have administrator rights. Is it correct that the alert action can only be used with administrator rights? Thank you
I can get total disconnects but can't seem to find a way to get the total of how many users disconnected 10 or more times. Here is my search:
index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=host2 OR host=Host1) earliest=$time_tok.earliest$ latest=$time_tok.latest$ | rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds | rename IONS as "User ID" Device as "User Device" | convert timeformat="%m-%d-%Y" ctime(_time) AS date | timechart span=1d limit=0 count
I'm trying to create my own Splunk (dashboard) queries for Okta data analysis. I'm having issues because a specific field has a space in the value, and it's causing the dashboard to not be able to retrieve data (when I know there is data). 3 other drop-down menus work fine (there are no spaces in the values there). My main suspicion is that the reason for the failure is those spaces. I'm trying to transform the values and remove spaces, in the hope that would help. I found some recommendations online and examples of functions, but I'm not very experienced with Splunk; can anyone explain step by step how I could solve that issue? The name of my field with issues is "actor.displayName" (it has multiple spaces in the values). Examples found online:
1) | rex mode=sed field=A "s/ //g"
2) | eval nospace=trim(A)
3) | rex field=field1 "(?<newfield>\S+)"
4) | eval NewField=trim(OldField)
Has anyone encountered this issue before? Thanks for the help!
Hello Team, I'm using the Docker image of Tomcat to deploy a Spring Boot app and configured the Java agent as per the instructions. Although I see the following message:
[AD Agent init] 02 Nov 2023 13:30:10,183 INFO JavaAgent - Started AppDynamics Java Agent Successfully.
right after that I see the following error. I replaced the first part of the SaaS controller name with "test" to sanitise the original URL. There's no proxy in my case. Not sure what is happening.
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 ERROR ConfigurationChannel - Fatal transport error while connecting to URL [/controller/instance/0/applicationConfiguration]: java.net.UnknownHostException: https://test.saas.appdynamics.com : Name or service not known
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 WARN ConfigurationChannel - Could not connect to the controller/invalid response from controller, cannot get initialization information, controller host [https://test.saas.appdynamics.com ], port[443], exception [Fatal transport error while connecting to URL [/controller/instance/0/applicationConfiguration]]
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 WARN AgentErrorProcessor - Agent error occurred, [name,transformId]=[com.singularity.CONFIG.ConfigurationChannel - java.net.UnknownHostException,2147483647]
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 WARN AgentErrorProcessor - 3 instance(s) remaining before error log is silenced
[AD Thread Pool-Global0] 02 Nov 2023 13:19:18,496 ERROR ConfigurationChannel - Exception: https://test.saas.appdynamics.com : Name or service not known
java.net.UnknownHostException: https://test.saas.appdynamics.com : Name or service not known
Hi Team, I have a basic search where I need to alert when a particular process name is not available in the raw data or in the last 15 minutes of data. Please suggest how to get the trigger. Thanks, Vijay K.