Find Answers
I have a field called DNS whose field values contain the hostname in the lookup. There is also another field called Identified_Host that has similar values. I will show the difference below:

DNS                     Identified_Host
host1.domain.com        host1.domain.com
host1-admin.domain.com  host1.domain.com
host1-mgt.domain.com    host1.domain.com
host2.domain.com        host2.domain.com
host2-admin.com         host2.domain.com
host2-mgt.admin.com     host2.domain.com
host3.domain.com        host3.domain.com
host3-admin.com         host3.domain.com

From this example, it's shown that Identified_Host is the main name of the host. I need to find out which hosts in Identified_Host have values in DNS with the same name but also end with -admin and/or -mgt.
Hi, for some reason we cannot receive data into _internal or other indexes (all of them). Old indexes are still available through the database. It looks like a generic problem, not related to any specific index. All I can see is _audit. Maybe it's OK to back up $SPLUNK_HOME/etc and then reinstall the Splunk software? Or, if possible, restart some processes or modify a config file (inputs.conf, outputs.conf)?

Rgds, Geir
Hello all, I have created and applied the following configuration in props.conf:

SEDCMD-XXXXX = s/XXXXXX//g

The field I wanted deleted is deleted from the logs... or it appears that way. Looking at the raw logs, the field/values are not there, but once I expand the event (with the tab in the upper-left corner of the log entry), the field is there...? As if that field/value pair was not deleted but hidden?? The field shows in the left-side column of "All Fields" too. Hope someone can guide/explain it - I have not been able to find an answer (if it even has one)... Thanks!
Hello, I am working on creating a dashboard to monitor some data flow info. This dashboard will have many panels, so I was thinking I could hide them all when loaded and then only display the ones that the user selects in a multiselect input (maybe there is a better way?). I am unsure how to accomplish this, though, or if it can even be done. Does anyone have any ideas on how I could accomplish this task? Thanks for the help!
Hello, we currently have the following chart created. I would like to show each district split by week over a 4-week time period, as shown in the Administration bar below. However, I'm struggling to get the results we want. Any assistance would be greatly appreciated!

Base search:

```Grab badging data for the previous week```
index=* sourcetype="ms:sql" CARDNUM=* earliest=-4w@w latest=-0@w
| bin span=1d _time
| eval week_number=strftime(_time,"%U")
| dedup _time CARDNUM
| rename CARDNUM as badgeid
```lookup Ceridian and Active Directory and return fields associated with employeeID and badgeid```
| join type=left badgeid
    ```Use HR records to filter on only Active and LOA employees```
    [search index=identities sourcetype="hr:ceridian" ("Employee Status"="Active" OR "Employee Status"="LOA*") earliest=-1d@d latest=@d
    | eval "Employee ID"=ltrim(tostring('Employee ID'),"0")
    | stats count by "Employee ID"
    | rename "Employee ID" as employeeID
    | fields - count
    ```Filter on Hybrid Remote users in Active Directory that are not Board Members and are in the Non-Branch region```
    | lookup Employee_Data_AD_Extract.csv employeeID OUTPUT badgeid badgeid_1 RemoteStatus District employeeID Region]
| where like(RemoteStatus,"%Hybrid%") AND NOT like(District,"Board Members") AND Region="Non-Branches"
```Calculate the number of badge check-ins in a given week by badgeid```
| stats latest(Region) as Region latest(employeeID) as employeeID latest(District) as District latest(RemoteStatus) as status count as "weekly_badge_in" by badgeid week_number
```Compensate for temporary badge check-in (primary badge = badgeid, temporary badge = badgeid_1)```
| append [| stats latest(Region) as Region latest(employeeID) as employeeID latest(District) as District latest(RemoteStatus) as status count as "weekly_badge_in" by badgeid_1 week_number | rename badgeid_1 as badgeid ]
| eval interval=case('weekly_badge_in'>=3,">=3", 'weekly_badge_in'<3,"<3")
```Calculation to determine the number of employees within District that are Hybrid Remote but have not badged in```
| join District [| inputlookup Employee_Data_AD_Extract.csv | fields badgeid badgeid_1 RemoteStatus District employeeID Region | where like(RemoteStatus,"%Hybrid%") AND NOT like(District,"Board Members") AND Region="Non-Branches" | stats count as total by District]
Hello, our customer has decided to end use of Splunk in favor of Sumo Logic, but we are looking to keep up internal use of Splunk due to 110GB worth of perpetual licensing we have left over. We are currently filtering out non-essentials, and for us one of the big players is Linux syslog. I am attempting to use transforms and props to filter out everything that isn't an authentication failure. The regular expression is looking for the string of text "authentication failure". I tested my regex in regex101 and everything checks out, but when I turn on the syslog sourcetype, the proverbial floodgates are still opening up. Can someone take a look at these and let me know what looks wrong here? The transforms are meant to bring in only events with "authentication failure" and toss out everything else.

Props.conf

[syslog]
TRANSFORMS-set=set_parsing,set_null

Transforms.conf

[set_parse]
REGEX = \bauthentication\b\s\bfailure\b
DEST_KEY = queue
FORMAT = indexQueue

[set_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
Hello! We would like to extend our alarm for our users' monthly failed logons. I have created the following search. There is a problem with the table: it is not showing me "Workstation" and "Source_Network_Address", while Affected and Count are working fine. I did some troubleshooting and found out that the line with "stats count as" is the reason, as it works without that and shows everything except Count, of course. Does anyone have an idea how I can create a table and a counter?

index=*..... (Account_Name="*" OR Group_Name="*") EventCode="4625" NOT EventCode IN ("4735", "4737", "4755") NOT Account_Name="*$*" Name
| eval time=_time
| eval Operator=mvindex(Account_Name, 0)
| eval Affected=mvindex(Account_Name, 1)
| eval Group=mvindex(Account_Name, 2)
| eval Workstation=mvindex(Workstation_Name, 0)
| eval Group=if(isnull(Group),Group_Name,Group)
| eval Workstation=if(isnull(Workstation),"",Workstation)
| eval Workstation=nullif(Workstation,"")
| eval Affected=if(isnull(Affected),Account_Name,Affected)
| eval ExpirationTime=if(isnull(Expiration_time),"",Expiration_time)
| rex field=Message "(?<Message>[^\n]+)"
| stats count as Count by Affected
| table Affected, Workstation, Source_Network_Address, Count
| sort -Count
Hi all,

rex "WifiCountryDetails\W+(?<WifiCountryDetails>[\w*\s*]+)"

We are using the above rex for getting the Wi-Fi country details. But the problem is that, while fetching the data, if the Wi-Fi country name is empty it automatically gathers the next field's value into it. If WifiCountryDetails is empty, it has to show empty in the data. Please let me know how to achieve this.
Hi, how do I limit the results per host? I have any (random) search query. I have 10 hosts. For each host, hundreds of events are shown. In a statistics table, I want to show only 1 event per host. This way, I can check if each host has the log file. It doesn't matter what the contents of the log file are. How do I perform this search? This statistics table, or Splunk dashboard, will have the following function: check if the log exists on every server.
Hi, I would like to implement the following behavior in Dashboard Studio: when a user clicks on a line chart showing the trend of a flow in terms of error count, I would like to show in a drilldown graph the trend of all the errors for that specific flow. I tried with the following token: flow= click.value2, but it does not work. Any hint? Thank you. Best regards
Hi team, I have currently configured my OTel Collector to send trace data from the adservice (OTel demo service) to AppDynamics over a proxy. My problem is that AppDynamics doesn't show any ingested data in the OTel section (No Data available). The collector logs show no errors. This is my collector config:

config: |
  receivers:
    otlp:
      protocols:
        grpc:
        http:
  processors:
    resource:
      attributes:
        - key: appdynamics.controller.account
          action: upsert
          value: "company"
        - key: appdynamics.controller.host
          action: upsert
          value: "company.saas.appdynamics.com"
        - key: appdynamics.controller.port
          action: upsert
          value: 443
    batch:
      send_batch_size: 90
      timeout: 30s
  exporters:
    otlphttp:
      endpoint: "https://some-agent-api.saas.appdynamics.com"
      headers: {"x-api-key": "<some-api-key>"}
    logging:
      verbosity: detailed
      sampling_initial: 10
      sampling_thereafter: 5
  extensions:
    zpages:
  service:
    telemetry:
      logs:
        level: debug
    extensions: [zpages]
    pipelines:
      traces:
        receivers: [otlp]
        processors: [resource, batch]
        exporters: [logging, otlphttp]
env:
  - name: HTTPS_PROXY
    value: proxy.company.com:8080
Good day, what screen do users get when they attempt to reply to a poll after clicking on the link to the poll, if the maximum number of replies allowed is 100 and the poll has already reached its maximum number of responses? Will they still have the opportunity to see the replies chart that illustrates how everyone else answered the questions? This is the outcome that I am hoping for. Many thanks
Hi, how are you? Thank you for the community! I have tried to search logs using the API as per "Creating searches using the REST API - Splunk Documentation". This seems complex but should be possible; in my experience, however, it has been impossible for me until now. How do I search in Splunk using the API? Here is what I found: https://community.splunk.com/t5/Building-for-the-Splunk-Platform/How-to-collect-debug-logs-for-apps-on-Splunk-Cloud/m-p/586144 . Kind regards, Tiago
How do I make the Splunk REST API SID remain unchanged?
Hello comrades! I just wonder, does Splunk detect log similarity by pattern? Many thanks.
I've tried to enable boot-start on *nix and Windows, but after the machine reboots, Splunk Forwarder still cannot start automatically. Does anyone have a solution for this case?
Hello, how do I add a dropdown or a text input at any location in Dashboard Studio? I tried to put it inside the rectangle in the middle of my dashboard, but it stayed at the top of the dashboard below the title. I tried to move the "inputs" section in the JSON source code, but it didn't seem to work. Also, whenever I made changes in the source code, I wasn't able to revert them easily as I could in the classic dashboard. Please suggest. Thank you.
Hi, I am new to Splunk and am looking for a search that is able to identify duplicate field values. We have an issue in Tenable where assets have duplicate asset IDs. My initial search is:

index=tenable sourcetype=tenable:io:assets | stats count by hostnames, agent_uuid

This lists hostnames with their unique ID in a table. I need to show just the hostnames with the same agent_uuid. I don't know if I need to export this and put it in a lookup table, then compare the agent_uuid values from there and show just the duplicates, but I was hoping for a more straightforward search to do this. Thank you.
Hi all, I am trying to get Azure AD B2C to work as a SAML provider for Splunk. Has anyone managed to get this to work? Please advise. I followed all the available online resources but nothing is working.
The Splunk DLTK 5.1.0 documentation states the following:

"No indexer distribution. Data is processed on the search head and sent to the container environment. Data cannot be processed in a distributed manner, such as streaming data in parallel from indexers to one or many containers. However, all advantages of search in a distributed Splunk platform deployment still exist."

Does the above imply that data from Splunk is not distributed (such as data parallelism) among multiple containers in the Kubernetes execution environment during the training or inference phase? Further, is the distribution only vertical in nature (multi-CPU or multi-GPU in a single container), or can the jobs scale horizontally as well (multiple containers), with each container working on a partition of the data? Further, for executing TensorFlow, PyTorch, Spark or Dask jobs, do we need to have the required operators/services pre-installed (the Spark K8s operator, for example) prior to submitting the jobs from the Splunk Jupyter notebook? Or are these services set up during DLTK app installation and configuration in Splunk? Appreciate any input on the above query. Thanks in advance!