Does Splunk integrate with WebEx Calling (not WebEx Meetings or WebEx Contact Center) for CDR reporting, similar to how it integrates with CUCM?
Hi all, I'm trying to dynamically replace single backslashes with double backslashes in a search string and use the result to search across a field (e.g., FileSource). Here's what I've tried:

| eval text_search="*\\Test\abc\test\abc\xxx\OUT\*"
| eval text_search_escaped=replace(text_search, "\\\\", "\\\\\\\\")
| search FileSource=text_search_escaped

The output of text_search_escaped looks correct (with double backslashes), and if I run a manual search like the one below, I do get results:

index=... FileSource="*\\Test\\abc\\test\\abc\\xxx\\OUT\\*"

However, when I try to use the text_search_escaped variable inside search, I get no results. Am I missing something in how Splunk treats dynamic fields inside search? Is there a better way to pass an escaped Windows-style path to a search clause?
Hello, how do I create sample JSON data and display it in a tree structure? I used makeresults to create the sample JSON data below:

| makeresults
| eval data = "{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"

The search result is below. My expected output is below. I have the option to select "list" from the drop-down, but this option is only available if I import the data to an index. Please help. Thanks.

JSON data:
{
  "name": "John Doe",
  "age": 30,
  "address": {
    "street": "123 Main St",
    "city": "Anytown",
    "state": "CA",
    "zip": "12345"
  },
  "interests": [ "reading", "hiking", "coding" ]
}
I've been writing new pipelines to my Edge Processors when I discovered that no destination values are showing up for me to select. We only have two, our default destination of our cloud instance and an additional cloud instance. When I go to create a new pipeline or modify an old one that already is configured to go to the default destination, it doesn't show up. The ones already created are still working and sending data in. Any idea what could be causing this to happen? This occurred very recently. Prior to this I was able to create Pipelines and add a destination. Even a work-around would be appreciated. Thanks!
Hello, I would like some help to convert the TAI64N format to "%m/%d/%Y %H:%M:%S". I tried to use the following query:

| makeresults
| eval identifier="@4000000068022d4b072a211c"
| eval tai64n_hex = substr(identifier, 2)
| eval tai64_seconds = tonumber(substr(tai64n_hex, 1, 16), 16) - tonumber("4000000000000000", 16)
| eval tai64_nanoseconds = tonumber(substr(tai64n_hex, 17, 8), 16)
| eval tai64_milliseconds = round(tai64_nanoseconds / 1000000, 3)
| eval formatted_time = strftime(tai64_seconds, "%m-%d-%Y %H:%M:%S") . "." . printf("%03d", round(tai64_milliseconds, 0))
| table formatted_time

But the value that's returned is incorrect: sometimes the time is ~5 seconds beyond the _time and sometimes it's ~5 seconds behind the _time. I don't see the precise value being shown. The formatted_time should give me an output of "2025-04-18 10:45:21.120", but I get "04-18-2025 10:40:00.120". Can someone assist me with this?
Need to provide user upload lookup only on one particular app permission. Hi, I need to assign permission to a particular role/user so that they can upload their CSV lookup files to only that particular app, not to any other apps. Can anyone help me with it?
For multiple sourcetypes, linecount is 2, while clearly, it should be 1. Has anybody encountered this case?
I installed Splunk Forwarder 9.4.1 on macOS 15.4 and on first run I get a bunch of permission errors:

Warning: cannot create "/Applications/SplunkForwarder/var/log/splunk
Warning: cannot create "/Applications/SplunkForwarder/var/log/introspection"
Warning: cannot create "/Applications/SplunkForwarder/var/log/watchdog"
Warning: cannot create "/Applications/SplunkForwarder/var/log/client_events"
This appears to be your first time running this version of Splunk.
Could not open log file "/Applications/SplunkForwarder/var/log/splunk/first_install.log" for writing (2).

However, these folders have the right permissions. A bit lost as to what to do here.
I am trying to locate some data between two indexes. The common items are the src_interface and the network device name, but the data gets jumbled up when searching over longer periods of time. This is what I am using now:

index=network "arp-inspection" OR "packets received"
| rename mnemonic AS Port_Status
| rename Network_Device AS "NetworkDeviceName"
| rename src_interface AS "src_int"
| join type=inner "NetworkDeviceName", "src_int" [ search index=cisco_ise sourcetype=cisco:ise:syslog User_Name="host/*" ]
| table device_time, NetworkDeviceName, User_Name, src_int, src_ip, src_mac, message_text, Location, Port_Status
Hi Splunk community, I have a question on log cloning/redirection.

Purpose: extract logs containing "network-guest", and don't redirect these logs to a distant HF, but only to local indexers.

LOGS ENTRY CONFIG

In an app Splunk_TA_FIREWALL, inputs.conf:

[tcp://22000]
sourcetype = fw:firewall
index = fw_index
_TCP_ROUTING = local_indexers

These logs are perfectly working and are stored on my local indexers. Now these logs must be cloned and redirected to a distant HF, but not the logs containing "network-guest". That's my props and transforms config:

props.conf

[fw:firewall]
TRANSFORMS-clone = fwfirewall-route-network-guest, fwfirewall-clone

transforms.conf

[fwfirewall-route-network-guest]
REGEX = \bNETWORK-GUEST\b
DEST_KEY = _SYSLOG_ROUTING
FORMAT = local_indexers

[fwfirewall-clone]
DEST_KEY = _SYSLOG_ROUTING
FORMAT = distant_HF
REGEX = .

When I check the logs on the distant Splunk, I don't see NETWORK-GUEST logs anymore, and I can see those logs on the local Splunk. The question is, I'm not sure I'm doing that the right way, and not sure if it works 100%. Does someone have good knowledge of this kind of configuration? Thanks a lot for the help. Nico
Hi there, after investigating my Search Head instance I found this in my task bar. Can somebody say whether this is expected behaviour?
We have 40 DC servers sending logs to on-prem indexers, but on the Deployment server I can see only one app which has outputs.co
Hi, we upgraded our ES7 to ES8 on-prem and are testing it. We currently have the issue that the created investigations are not shown in Mission Control. If we open a finding that is assigned to an investigation, we can open it from there. If I read the documentation, the investigations should appear beside the findings inside Mission Control. Did anyone have the same issue and have a solution for it? Thanks for your help/hints.
I want to transpose the below rows to columns.

Host  drive_Name  utilization
aaa   D           20
bbb   D           30
aaa   E           60

I want to convert the above table result to the one below.

Host  D   E
aaa   20  60
bbb   30
I'm looking for a way to split a JSON array into multiple events, but it keeps getting indexed as a single event. I've tried using various parameters in props.conf, but none of them seem to work. Does anyone know how to split the array into separate events based on my condition? I want it to appear as two sets of events.

JSON string:

Splunk Search Head:
Hello Folks, I'm encountering an issue with Splunk Cloud where it indicates that the winrm module is not found. I'm attempting to install and run a custom alert action packaged Python application that uses winrm to establish a remote connection to a target server for cleanup processes. However, after installation and testing, I discovered that winrm is not installed in the Splunk Cloud environment used by our organization. Is there any workaround to achieve this and proceed further?

Issue: ModuleNotFoundError:No module named 'winrm

Script block that uses winrm:

import winrm
import sys
import argparse
import os

def clean_old_files(TargetServer, FolderPath, FileThresholdInMinutes, UserName, Password):
    # Initialize return values
    deleted_files = []
    deleted_count = 0
    #print(f"Connecting to server: {TargetServer}...")
    #remove above print statement in next deployment.
    try:
        # Establish a WinRM session
        session = winrm.Session(TargetServer, auth=(UserName, Password), transport='ntlm')
Hi all, we got this requirement to print the timestamp in the mail subject for a scheduled report. The timestamp should indicate the time it got sent. For example, the report runs twice a day, so if it runs at 6 am and 6 pm, the mail subject should indicate dd-mm-yyyy 06:00:00 or 18:00:00. Please help.
We have an alert showing users that are authenticating after working hours for security reasons; I'm sure y'all are familiar with it. At the same time, we know who leaves their workstations on during the night. However, we have recently received alerts with "unknown" users reported in the alert, but after checking the host's event viewer (Security Log) and comparing with the timestamps in the alert, the event logs show the users. Any idea how we can edit our search string, or what may have caused the string to return the unknown value?
I've read through some of the Splunk documentation, and previously one of my colleagues already configured the "Windows server health" content pack, but when I check "OS:Performance.WIN.Memory" I only see 4 metrics and cannot get the overall % memory utilization because I do not have the total amount to begin with. These are the only metrics I have:

Available_MBytes
Cache_Bytes
Page_Reads/sec

Install and configure the Content Pack for Monitoring Microsoft Windows - Splunk Documentation
Hello all, I am fairly new to the Splunk community and I'm attempting to reset my Splunk admin password, and for whatever reason it does not work. I go and delete "etc/passwd", restart my Splunk instance, and attempt to log in to the web interface, but it never prompts me for a reset. I have even tried commands to do it manually, but nothing works. Has anyone else had a problem like this?