App: https://splunkbase.splunk.com/app/833

It looks like the nfsiostat.sh script is not compatible with RHEL9. I'm testing with Rocky9.2 and the nfsiostat command output is already different from 7.9.

EDIT: It seems to support RHEL9 explicitly (without the new columns), but NOT Rocky9.

Example from 7.9:

# nfsiostat
server:/mnt/yumrepo mounted on /repos/pkg.repo.d:

           op/s       rpc bklog
          33.88            0.00
read:     ops/s       kB/s     kB/op      retrans   avg RTT (ms)   avg exe (ms)
          1.382     43.682    31.613  3357 (0.0%)          0.612          1.551
write:    ops/s       kB/s     kB/op      retrans   avg RTT (ms)   avg exe (ms)
          4.595    138.038    30.041  1041 (0.0%)          1.659         11.039

Example from Rocky9.2:
- First op/s => ops/s
- 2 new metrics: "avg queue (ms)" and "errors"

server:/mnt/yumrepo mounted on /repos/pkg.repo.d:

          ops/s      rpc bklog
          0.453          0.000
read:     ops/s       kB/s     kB/op   retrans   avg RTT (ms)   avg exe (ms)   avg queue (ms)    errors
          0.000      0.001     1.356  0 (0.0%)          0.096          0.108            0.006  0 (0.0%)
write:    ops/s       kB/s     kB/op   retrans   avg RTT (ms)   avg exe (ms)   avg queue (ms)    errors
          0.001      0.035    25.519  0 (0.0%)          0.562          0.600            0.027  0 (0.0%)

The nfsiostat.sh script cannot parse the new format, and currently I get something like this:

# /usr/ipbx/splunkforwarder/etc/apps/Splunk_TA_nix/bin/nfsiostat.sh
Mount  Path  r_op/s  w_op/s  r_KB/s  w_KB/s  rpc_backlog  r_avg_RTT  w_avg_RTT  r_avg_exe  w_avg_exe
server:/mnt/yumrepo  /repos/pkg.repo.d  read: write: ops/s ops/s 0.000 avg avg RTT RTT 0.000 0.001 rpc 0.096 0.108 0.001 0.453 read: 0.000 ops/s avg RTT write: kB/o ops/s rpc mounted
Two of my indexers are not working; they are not receiving data from the Universal Forwarder. When I run the command ./splunk display listen it shows 9998 is listening, and ./splunk list forward-server gives the result below.

Active forwards:
    10.246.250.154:9998 (ssl)
Configured but inactive forwards:
    10.246.250.155:9998
    10.246.250.156:9998

Let me know what I can do to activate the other two indexers.
Hi, looking for some assistance with a regex to blacklist events in inputs.conf on Windows systems. We modified inputs.conf located at /opt/apps/splunk/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf

Applied regex:

blacklist1 = EventCode="4688" $XmlRegex="<Data Name='NewProcessName'> (C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe)|(C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumCX.exe) </Data>"

I attempted all available methods to blacklist the events above, but they did not take effect. Do we need to make modifications in order to successfully blacklist them? Thanks
Hi All, we are trying to get the incidents which are in open state (i.e. AlertStatus only equal to CREATE). Table output is below. Here IncidentID 1414821 has both AlertStatus = CLEAR and CREATE; this IncidentID should not get displayed. We need IncidentIDs only with AlertStatus = CREATE. We ran:

| eval IncidentID=case(AlertStatus="CREATE" AND AlertStatus!="CLEAR",IncidentID)
| table IncidentID AlertStatus

When we run the query it should only display IncidentID value 1437718.

Thanks and Regards
Hi All, I created a test user, assigned the viewer role and provided read-only access. In the above screen, the test user is not able to see what is under the knowledge objects. How do I remove the knowledge objects? Please help me with the process. I need to remove tags, eventtypes, lookups, user interface...
I am trying to pass the dropdown value from one dashboard to another dashboard. On the first dashboard I set up the interactions to set the token value. Do I need to set up anything on the second dashboard?
Hello! I'm working on setting up the integration between Splunk SOAR and Splunk using the Splunk App for SOAR Export. I was able to configure my SOAR server in the app and verify connectivity, but I'm running into errors when trying to use the alert action associated with the app. When using the "Send to SOAR" alert action, I receive "Alert script returned error code 5" in the logs. I wasn't able to find any information regarding this error code, so I'm not sure what could be causing it. Any help would be appreciated, thank you!
Hey Community, we have 2 BIG-IP load balancer VMs and need to have the OS logs (like auditd) forwarded to Splunk. So this is not about the F5 application logs themselves, but the OS logs from the underlying system. Is there a way to do this? Much appreciate your support.
I have time series data like this:

_time
digital_value: can be either 0.1 or 1 (see Note)
analog_value: can be 0, 100, 500, 1000, 5000, 10000

Note) It's actually 0 or 1, but 0 doesn't show in a bar graph.

I want to plot this data in a diagram like this:

X axis = _time
digital_value=0.1 as a red bar
digital_value=1 as a green bar
analog_value as an overlaid line graph, with log scale Y axis

To colorize digital_value, I understand I must split it into two series, like this:

| eval digital_value_red = if(digital_value=0.1, 0.1, null())
| eval digital_value_green = if(digital_value=1, 1, null())
| fields - digital_value

However, this creates two bars per data point, where only the non-null one is shown and the other one leaves a gap. That way, I don't have equally spaced bars along the X axis any more. See this example:

So, stacked bars? Yes, but that doesn't work with a log scale Y axis for the overlaid line graph. So, calculate log(analog_value) and plot that on a linear Y axis? While that produces a proper visual, you can't read the value of analog_value any more (only its log).

Any ideas how I can achieve a colorized bar graph + log scale overlay?
Hi Splunkers, I'm having a dropdown for index_value with console, standard and aws as options, and also separate pie charts for standard, console and aws. When we click the pie chart in any one of these 3, it takes us to another dashboard. Over there I need to mark the value of index_value of the drilldown as standard if we select the standard pie chart in the drilldown of the new dashboard; the same goes for the other two selections. Thanks in Advance, Manoj Kumar S
Trying to get error failures from a live integration and create a Splunk alert for every 5 continuous alerts.
Hi Team, is it possible to automate the entity creation in Splunk ITSI from a CMDB? Currently, we are creating entities manually and adding the required fields and values in order to map the service.

Regards, Dayananda
Hi, I have a query like:

index=federated:ccs_rmail sourcetype="rmail:KIC:reports"
| dedup _time
| timechart span=1mon sum(cisco_*) as cisco_*
| addtotals
| eval rep_perc = round(cisco_stoppedbyreputation/Total*100,2), spam_perc = round(cisco_spam/Total*100,2), virus_perc = round(cisco_virus/Total*100,6)
| table cisco_stoppedbyreputation, rep_perc, cisco_spam, spam_perc, cisco_virus, virus_perc
| rename cisco_spam as spam, cisco_virus as virus, cisco_stoppedbyreputation as reputation
| transpose

The result looks like:

column      row 1
reputation  740284221
rep_perc    82.46
spam        9695175
spam_perc   1.08
virus       700
virus_perc  0.000078

Is it possible to have something like this?

Name        #          %
reputation  740284221  82.46
spam        9695175    1.08
virus       700        0.000078

Thanks,
Emile
Hi, I'm seeing an error message in my ES search head. How can we sort out this issue?

Search peer idx-xxx.com has the following message: The metric event is not properly structured, source=nmon_perfdata_metrics, sourcetype=nmon_metrics_csv, host=xyz, index=unix-metrics. Metric event data without a metric name and properly formated numerical values are invalid and cannot be indexed. Ensure the input metric data is not malformed, have one or more keys of the form "metric_name:<metric>" (e.g..."metric_name:cpu.idle") with corresponding floating point values.

Thanks
Can anyone help me regarding the creation of alerts for continuous errors?
To access Splunk Cloud after logging in, it's asking for the Splunk Tenant Name. Could you specify what I need to enter to get access? Thank you
Hi, from the context menu of a "username" field value I chose "new search"; then the SPL below was automatically added into the search bar and returned 0 events.

* user="aaa"

However, if I changed the SPL to

index=* user="aaa"

then it showed events related to that user. Why did * user="aaa" not work?
Hi, I recently installed UF v9.0.5 on our Windows hosts to send logs to a heavy forwarder, and am getting the messages below in the splunkd logs on the Windows host. Can I know what this info is about?

ERROR TcpOutputFd [2404 TcpOutEloop] - Read error. An existing connection was forcibly closed by remote host
INFO AutoLoadBalancedConnectionStrategy [2404 TcpOutEloop] - Connection to 10.xx.xx.xx:9997 closed. Read error. An existing connection was forcibly closed by remote host
WARN AutoLoadBalancedConnectionStrategy [2404 TcpOutEloop] - Possibe duplication of events with channel=source::C:\Programs Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::xxxxx011|splunkd|2606, streamId=0, offset=0 on host=10.xx.xx.xx:9997

Thanks
Hi Team, I created a test user, assigned the viewer role, logged in with the test credentials and selected the manage app settings operation; it displayed the Splunk 404 Forbidden Error window. Clicking the "click here" option displayed in the window, logging in with the credentials again and clicking manage settings then works.

How to overcome the 404 Forbidden Error? Please help me.

Regards, Vijay .K
Hi, I'm trying to integrate Splunk into our Spring Boot Java application. I believe that I have made all the required integration steps, but the logs are not showing up in our Splunk account.

Thanks,
Jerome