When can customers with existing SOAR instances expect to get migrated from the trial MC instance?
Hi, I simply want to know the bandwidth usage by URL (I span on 10s to avoid flooding), then I divide by 10. I wrote this; it seems OK (but I'm not sure). Is it correct?
uri="/myappli/*" | timechart sum(eval(round(bytes/1024/1024))) AS MB span=10s
Thanks
I want to see 100% when the "No results found." message comes.
Hi Splunk community, I have an issue when installing Splunk Enterprise Security on the Deployer. I have a Splunk environment; it has 3 Search Head Cluster, 2 Indexer Cluster and 1 Master Node (the Master Node has the roles of Deployer and License Master), and the Splunk Enterprise version on each component is 9.1.0.2. I want to install the Splunk ES 7.2 app on the Search Head Cluster following the Splunk guide (https://docs.splunk.com/Documentation/ES/7.2.0/Install/InstallEnterpriseSecuritySHC). When I install the Splunk ES app on the Deployer, an error occurs as shown in this image: Please help me with the solution to this issue. Thanks for all the contributions!
Hi, I have 2 lookup tables, lookup A and lookup B. Both lookups contain the fields Hostname and IP. There is a scenario like the one below:

Lookup A
Hostname    IP
Host A      10.10.10.1
            10.10.10.2
Host B      172.1.1.1

Lookup B
Hostname    IP
Host A      10.10.10.1
Host B      172.1.1.1
            172.1.1.2

Based on the scenario above, I need a result of the IPs where lookup A and lookup B do not match based on Host. But as long as 1 IP in lookup A matches lookup B, it is fine, and lookup B should not have multiple IPs; so it should not match even if it has a matching IP. For your info, both lookups have multiple IPs for a host. Based on the lookup sample above, Host A should match and Host B should not match based on my condition. Please assist on this. Thank you
Hi All, we are a Splunk Cloud customer with ES. Is there a way to fetch the ISP and domain info for an IP address directly in the Splunk results? I have looked at this post: https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-query-whois-by-ip/m-p/316975 but the Domain Tools add-on requires a paid subscription. Alternatively, I know that we can set up a workflow to perform a whois lookup via a right-click implementation, but that is again a manual task and it ends up redirecting us to the whois website. I am looking for something open source that can fetch the ISP and domain for an IP address easily. Any thoughts or suggestions? Any ES users, how do you accomplish this?
Folks, I'm new to the SPL world. Please advise the right direction to learn Splunk search.
Environment: proxy log search
Situation: Some clients sent massive numbers of HTTP requests in a small period of time to various destinations. (I suspect these clients are infected by malware.) How can I find these clients with a Splunk search over proxy or firewall logs? The transaction command will help to find how many sessions were generated by a single IP, but I don't know the next steps.
Hi, I am new to Observability. I am looking for the steps to integrate Splunk Observability Cloud with an SMTP server for email notifications. I have looked in the documentation but could not find any specific topic like the ones we have in the Splunk docs for Splunk Enterprise/Cloud. Please help. Regards, Uday
My question is very simple. This returns nothing:
sourcetype=my_sourcetype
This returns X events (the same amount as index=my_index):
index=my_index AND sourcetype=my_sourcetype
The search is in Verbose Mode. What am I missing?! How come adding another filter returns more events?
Hello Splunk lovers! I got stuck when I was setting up Kafka Connect from Splunk to a Kafka broker, with the error "LZ4 compression not implemented". Maybe someone has already had and solved this problem. So, how can I solve this problem? Please help.
I want to alert if a result changes. There are probably dozens of ways to do this, but I think I'm missing the really simple, obvious solution. I've been looking at diff, and I can get this to work in search results, providing a single "event" result containing either "Results are the same" or some stats if a difference is found. The expression looks like this:
index=testapp ErrorlogTotalCount | diff
I could add an attribute, but it's not really needed because the result is static except for the log count. The default position values of 1 and 2, comparing the newest result to the prior one, are also perfect because we want to catch when the number changes. My difficulty is setting up an alert to catch this. Since I always get 1 event back, I can't alert on a count of events. Maybe I can use a custom trigger condition, but I'm not finding a document that explains how to use that field. This is probably possible with other search commands such as delta or streamstats, but to me those appear to be overkill. Please let me know what I am missing. Thanks for the help.
I'd like to know what the maximum data volume a single Splunk server can ingest is. Can you give
Hello, I have the values below in a lookup and am trying to achieve the bar chart view below.

Country    old_limit    old_spend_limit    new_limit    new_spend_limit
USA        84000        37000              121000       43000
Canada     149000       103000             214000       128000

old_limit = PRE
new_limit = POST
How do I display other fields on the same row when aggregating using stats max(field)? Thank you for your help.

For example, I am trying to display the same row that has the highest TotalScore=240:

Class    Name     Subject    TotalScore    Score1    Score2    Score3
ClassA   Name2    English    240           80        90        70

My Splunk search:
index=scoreindex | stats values(Name) as Name, values(Subject) as Subject, max(TotalScore) as TotalScore, max(Score1) as Score1, max(Score2) as Score2, max(Score3) as Score3 by Class | table Class, Name, Subject, TotalScore, Score1, Score2, Score3

I think my search above is going to display the following:

Class    Name                  Subject          TotalScore    Score1    Score2    Score3
ClassA   Name1 Name2 Name3     Math English     240           85        95        80

This is the whole data in table format from scoreindex:

Class    Name     Subject    TotalScore    Score1    Score2    Score3
ClassA   Name1    Math       170           60        40        70
ClassA   Name1    English    195           85        60        50
ClassA   Name2    Math       175           50        60        65
ClassA   Name2    English    240           80        90        70
ClassA   Name3    Math       170           40        60        70
ClassA   Name3    English    230           55        95        80
We are using the Splunk Universal Forwarder on Windows servers to capture event viewer logs into Splunk.  We have a known issue with a product causing a large number of events to be recorded in the event viewer which are then sent into Splunk.  How can we filter out a specific event from the Universal Forwarder so that it is not sent into Splunk?
In a modified search_mrsparkle/templates/pages/base.html, we have a <script> tag inserted just before the </body> tag, as follows:
<script src="${make_url('/static/js/abcxyz.js')}"></script></body>
with abcxyz.js placed in the search_mrsparkle/exposed/js directory. The abcxyz.js file has the following code:
require(['splunkjs/mvc'], function(mvc) { ... }
which performs some magical stuff on the web page. But when the page loads, the debugging console reports "require is not defined". This used to work under SE 9.0.0.1 (and earlier) but now fails under SE 9.1.1. Yes, we realize we are modifying Splunk-delivered code, but we have requirements that required us to take these drastic actions. Does anyone have any ideas on how to remedy this issue?
@mhoustonludlam_ @C_Mooney
How do I assign the value of the field named original to the source in the | collect statement?
index=123 | eval original=abcd | collect index=qaz source=original
Hi Forum, I have written a script that pulls the receive power from optical transceivers every hour. All is well with this except that, as the values are a measurement of loss, they are negative values in bels. I would really like to represent this with the single value radial. I can get it to work perfectly with a marker gauge, but having that "rev counter" type of representation would not only be so cool but so useful for getting power readings at a glance on our long-range transmission kit; it's such a perfect representation, I think, for this kind of measurement, and would really appeal to that more "scientific" engineering type of audience. When I use the single value radial I cannot for the life of me work out where I can adjust the scale (ideally -40dBm to 0dBm). I just expected this to be like managing any other sort of float (I am working with a decimal number, not a string or anything); it just happens to be a negative value. Am I just missing something really silly? Any help would be gratefully received. I'm using Dashboard Studio if that makes a difference. Thank you
index=sample(Consumer="prod") ServiceName="product.services.prd.*" | stats count(eval(HTTPStatus >= 400 AND HTTPStatus < 500)) AS 'fourxxErrors', count(eval(HTTPStatus >= 500 AND HTTPStatus < 600)) AS 'fivexxErrors', count AS 'TotalRequests' | eval 'fourxxPercentage' = if('TotalRequests' > 0, ('fourxxErrors' / 'TotalRequests') * 100, 0), 'fivexxPercentage' = if('TotalRequests' > 0, ('fivexxErrors' / 'TotalRequests') * 100, 0) | table "fourxxPercentage", "fivexxPercentage"
The result is showing 0 for both fields in the table "fourxxPercentage", "fivexxPercentage". Actually, the fourxxErrors and fivexxErrors counts are greater than 0. Is that because it's not showing the decimal values?
I'm working with data from this search:
index=my_index sourcetype=my_sourcetype (rule=policy_1 OR rule=policy_2 OR rule=policy_3) [ | inputlookup my_list_of_urls.csv ] | rename url AS my_url | stats count by my_url | table my_url

The events look like this:
02ef65dc96524dabba54a950da7cb0d8.fp.measure.office.com/
0434c399ca884247875a286a10c969f4.fp.measure.office.com/
14f8c4d0e9b7be86933be5d3c9fb91d7.fp.measure.office.com/
3d8e055913534ff7b3c23101fd1f3ca6.fp.measure.office.com/
4334ede7832f44c5badcfd5a6459a1a2.fp.measure.office.com/
5d44dec60c9b4788fb26426c1e151f46.fp.measure.office.com/
5f021e1b8d3646398fab8ce59f8a6bbd.fp.measure.office.com/
6f6c23c1671f72c36d6179fdeabd1f56.fp.measure.office.com/
7106ea87c1e2ed0aebc9baca86f9af34.fp.measure.office.com/
88c88084fe454cbc8629332c6422e8a4.fp.measure.office.com/
982db5012df7494a88c242d426e07be6.fp.measure.office.com/
a478076af2deaf28abcbe5ceb8bdb648.fp.measure.office.com/
aad.cs.dds.microsoft.com/

In my_list_of_urls.csv there are these entries:
*.microsoft.com/
microsoft.com/
*.office.com/
office.com/

What I'm trying to do is get microsoft.com and office.com from the results instead of the full URL. I'm stumped on how to do it. Any help is appreciated. TIA, Joe