All Topics

I want to allow a user to change/switch the nav bar by clicking a button on the setup page. What is the easiest way to create a setup page (HTML + JS) that changes the app's navigation menu bar (nav/default.xml)? From:

    <nav>
      <view name="summary"/>
      <collection label="NEW">
        <view name="summary_new"/>
      </collection>
    </nav>

to:

    <nav>
      <view name="summary_new"/>
      <collection label="OLD">
        <view name="summary"/>
      </collection>
    </nav>

Currently the user must use the UI to create a custom navigation setting (by creating local/data/ui/nav/default.xml).
How do I migrate Dashboards and alerts from older standalone search head to new standalone search 
Hi all, I am trying to develop a custom Python script and I want to pass a parameter from Search to my script. Can I do that? For example, my script is named compare (already registered on the search head) and it needs 2 parameters to work, like:

    | makeresults a=1 | compare file1.csv file2.csv

(file1.csv and file2.csv are the parameters). Thanks so much.
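Added example (editor's code, not from the poster or from Splunk): a script shaped for the legacy, non-chunked custom search command protocol, in which the words after the command name on the search bar reach the script as sys.argv, the incoming results arrive as CSV on stdin, and the command's output goes back as CSV on stdout. The commands.conf stanza, the lookups directory, the "host" join key and the sample CSV contents are all assumptions made for the demonstration; the newer splunklib.searchcommands SDK is the other route and is not used here so the script runs without extra packages. Note the argument validation: anything typed on the search bar is untrusted input, so the file name is restricted before it is joined to a path.

```python
import csv
import io
import os
import re
import sys

# Constructed sample lookups, standing in for CSV files that would live under
# $SPLUNK_HOME/etc/apps/<app>/lookups/ on the search head (assumed location).
SAMPLE_LOOKUPS = {
    "file1.csv": "host,owner\nweb01,alice\ndb01,bob\n",
    "file2.csv": "host,owner\nweb01,alice\ndb01,carol\nweb02,dave\n",
}

SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.csv$")


def validate_name(name):
    """Accept only a bare CSV file name: the argument comes straight from the
    search bar, so refuse anything that could escape the lookups directory."""
    if not SAFE_NAME.match(name) or ".." in name:
        raise ValueError(f"invalid lookup name: {name!r}")
    return name


def load_lookup(name, lookups_dir=None):
    """Read a lookup CSV into a list of dict rows.

    Uses the real file when it exists under lookups_dir (default: the assumed
    app lookups directory) and otherwise falls back to the constructed samples
    so the script can be exercised outside Splunk."""
    name = validate_name(name)
    if lookups_dir is None:
        lookups_dir = os.path.join(
            os.environ.get("SPLUNK_HOME", ""), "etc", "apps", "myapp", "lookups")
    path = os.path.join(lookups_dir, name)
    if os.path.isfile(path):
        with open(path, newline="") as fh:
            return list(csv.DictReader(fh))
    if name not in SAMPLE_LOOKUPS:
        raise FileNotFoundError(path)
    return list(csv.DictReader(io.StringIO(SAMPLE_LOOKUPS[name])))


def compare(rows1, rows2, key):
    """Diff two row lists on `key`: one output row per added/removed/changed key."""
    a = {r[key]: r for r in rows1}
    b = {r[key]: r for r in rows2}
    out = []
    for k in sorted(set(a) | set(b)):
        if k not in b:
            status = "removed"
        elif k not in a:
            status = "added"
        elif a[k] != b[k]:
            status = "changed"
        else:
            continue
        out.append({key: k, "status": status})
    return out


def main(argv):
    # Legacy protocol (assumed): Splunk runs  python compare.py file1.csv file2.csv [key]
    # The makeresults row on stdin is read and discarded; results go out as CSV.
    if len(argv) not in (3, 4):
        sys.stderr.write("usage: compare <file1.csv> <file2.csv> [key]\n")
        return 1
    key = argv[3] if len(argv) == 4 else "host"
    list(csv.DictReader(sys.stdin))
    rows = compare(load_lookup(argv[1]), load_lookup(argv[2]), key)
    writer = csv.DictWriter(sys.stdout, fieldnames=[key, "status"])
    writer.writeheader()
    writer.writerows(rows)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The matching commands.conf stanza (assumed) would be `[compare]` with `filename = compare.py` and `enableheader = false`, so that stdin carries plain CSV without the protocol header block; with the default header enabled, the header lines would have to be consumed before the CSV.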
I'm in General Settings. I enabled SSL (HTTPS) in Splunk Web. I restarted Splunk. It reads "Unable to connect". There was a "Warning: Potential Security Risk Ahead" because it is a self-signed certificate. I pressed the "Go Back (Recommended)" button when I should have pressed "Advanced" and "Continue". Now all I get is a window that reads "Unable to Connect". The "Warning: Potential Security Risk Ahead" window is no longer available, so I can't press "Advanced" and "Continue". What do I do? I can't access Splunk. It says the connection was reset.
Hi Team, in my Splunk environment (Universal Forwarder), after updating the SSL certificate I'm getting these errors in the Splunk UI. How can I overcome this error? I'm attaching screenshots here; could you please help with this?
We ran into this known issue with the AD servers having indexing delays of a couple of days when enabling evt_resolve_ad_obj. What confuses us is the fact that a UF restart backfills days of missing security data, and since the restart we can have a week with no delays. Why does the restart manage to do this backfill?
Hi, and sorry if this question was already answered in another thread. Thanks in advance for the help. I had an index whose current size was over 10 GB; to delete the data I tried to reduce its max size and searchable retention. My question is: what is going to happen with the data? Will it be deleted from the servers or archived? I am confused because I am seeing the event count stuck at the same value as before changing the retention config.

Previous index config:

    Current Size: 10 GB
    Max Size: 0
    Event Count: 10M
    Earliest Event: 5 months
    Latest Event: 1 day
    Searchable Retention: 365 days
    Archive Retention: blank
    Self Storage: blank
    Status: enabled

Then I changed "Max Size" to "200 MB" and "Searchable Retention" to "1 Day". Besides, when running the following query, I see the warm storage size pretty much the same (bouncing a few MBs):

    | dbinspect index=_internal *<index-name>* | stats sum(sizeOnDiskMB) by state

Any help greatly appreciated.
Hello, my name is Richie Martinez. I'm in my last year of undergrad school studying computer science. I currently work as a CSOC cyber analyst intern at Pacific Northwest National Labs and I'm working on a project to create discrete alerts for EC2 VMs, IAM identity findings and S3 storage buckets. AWS organizes Findings into three categories:

    EC2 - VMs
    IAM - identity findings
    S3 - storage buckets

Eventually, the PNNL CSOC may create additional discrete alerts for each of those categories, but for now a single "catch-all" alert is utilized to fold the Findings into the CSOC's workflow. Any help with this project would be greatly appreciated. Thank you, Richie Martinez richie.martinez@pnnl.gov
Query to output missing data in lookup file. I have a lookup file with the data below:

    country_name
    --------------------
    Brazil
    Norway

My index search returns the data below for the field country_name:

    Brazil
    Norway
    Spain

How do I write a query (using join or append) to output only "Spain" in the results? Thanks!
I have error logs like the ones below. How can I write a rex query to match both logs and extract only the message after the first colon (:)? Thanks.

Sample log lines:

    Script exception for job id 'ABc12345' : Too many rows: 500.
    Script exception for job id 'XyZ78943' : Too many DMLs: 20.

Results should be:

    Too many rows: 500.
    Too many DMLs: 20.
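Added example (editor's code, not from the poster): the extraction worked through in Python's re module, which uses the same PCRE-style syntax as rex apart from spelling named groups (?P<name>...) instead of (?<name>...). The sample lines are constructed to match the two in the post plus one whose message itself contains several colons, to show why anchoring on the quoted job id is safer than splitting on "the first colon". The SPL form given in the comment is the same regex transcribed for rex and is an assumption, not something run here.

```python
import re

# Constructed sample lines: the two from the post plus one whose message
# contains further colons that must survive intact.
SAMPLE_LINES = [
    "Script exception for job id 'ABc12345' : Too many rows: 500.",
    "Script exception for job id 'XyZ78943' : Too many DMLs: 20.",
    "Script exception for job id 'Q7' : Callout failed: status: 503.",
]

# Anchor on the quoted job id: that delimiter is the structural part of the
# line, so colons inside the message are never mistaken for the separator.
# Equivalent rex (assumed):  | rex "job id '(?<job_id>[^']+)'\s*:\s*(?<message>.+)$"
PATTERN = re.compile(r"job id '(?P<job_id>[^']+)'\s*:\s*(?P<message>.+?)\s*$")


def extract(line):
    """Return {'job_id': ..., 'message': ...}, or None when the line does not match."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None


def messages(lines):
    """Only the message text of every matching line, in input order;
    non-matching lines are dropped rather than producing empty fields."""
    return [d["message"] for d in map(extract, lines) if d]


if __name__ == "__main__":
    for line in SAMPLE_LINES + ["Completed job id 'Z9' with no exception"]:
        print(extract(line))
```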
I need to create a dashboard which will update the data or field values in a CSV or lookup file, as we have many field names with dynamic values and also empty values. So what we need is: if we make any changes in the dashboard, they should be reflected in the lookup table; the fields will be dynamic here, and in the dashboard we could have a text box to update the fields.
Hi all, I have two jobs in different applications. Both jobs get results in Splunk search, but one of the jobs always shows the field resultCount=0.

    | rest /services/search/jobs/xx__xx_c3BsdW5rLWRhc2hib2FyZC1hcHAtMg__getter_1695998843.535512 splunk_server=local | fields resultCount

Do I need to do something in my app in order to see the resultCount field? The jobs are generated by JavaScript, with a very similar script between apps; just the search changes. I'm running version 9.0.6; in the previous version, 8.2.8, I always saw the resultCount.
Hello, I'm trying to count events by a field called "UserAgent". If I'm searching for the events without any calculated field I get results from different UserAgents, but once I'm using eval I don't get the expected results. For example, I've tried this eval and I'm getting only "android", while I'm searching for "ios" only, with

    "ContextData.UserAgent"=*ios*

as part of my query:

    | eval UserAgent = if("ContextData.UserAgent"="*ios*","ios","android")

What am I doing wrong?
Hello All! Trying to set up CAC-based auth for Splunk 9.1.1 on Windows Server 2022 for the first time. I have successfully set up LDAP and am able to sign into Splunk using an AD username/password without any issues. When I add in the requiredClientCert, enableCertBasedAuth and certBasedUserAuthMethod stanzas and attempt to access the Splunk GUI, all users are immediately greeted with an "Unauthorized" message. I've been fighting this for about a week now, and Splunk support hasn't been able to help me pin this down yet. Any assistance would be greatly appreciated. I've ensured TLS 1.2 registry keys exist in SCHANNEL to enable TLS 1.2. Corresponding logs from splunkd.log for the logon attempt are:

    09-29-2023 09:02:43.191 -0400 INFO AuthenticationProviderLDAP [12404 TcpChannelThread] - Could not find user=" \x84\x07\xd8\xb6\x05" with strategy="123_LDAP"
    09-29-2023 09:02:43.192 -0400 ERROR HTTPAuthManager [12404 TcpChannelThread] - SSO failed - User does not exist: \x84\x07\xd8\xb6\x05
    09-29-2023 09:02:43.192 -0400 ERROR UiAuth [12404 TcpChannelThread] - user= \x84\x07\xd8\xb6\x05 action=login status=failure reason=sso-failed useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36" clientip=<ip>
    09-29-2023 09:03:10.247 -0400 ERROR UiAuth [12404 TcpChannelThread] - SAN OtherName not found for configured OIDs in client certificate
    09-29-2023 09:03:10.247 -0400 ERROR UiAuth [12404 TcpChannelThread] - CertBasedUserAuth: error fetching username from client certificate

authentication.conf:

    [splunk_auth]
    minPasswordLength = 8
    minPasswordUppercase = 0
    minPasswordLowercase = 0
    minPasswordSpecial = 0
    minPasswordDigit = 0

    [authentication]
    authSettings = 123_LDAP
    authType = LDAP

    [123_LDAP]
    SSLEnabled = 1
    anonymous_referrals = 0
    bindDN = CN=<Account>,OU=Service Accounts,OU=<Command Accounts>,DC=<Command>,DC=NAVY,DC=MIL
    bindDNpassword = <removed>
    charset = utf8
    emailAttribute = mail
    enableRangeRetrieval = 0
    groupBaseDN = OU=SPLUNK Groups,OU=Groups,DC=<command>,DC=NAVY,DC=MIL
    groupMappingAttribute = dn
    groupMemberAttribute = member
    groupNameAttribute = cn
    host = DC.<Command>.NAVY.MIL
    nestedGroups = 1
    network_timeout = 20
    pagelimit = -1
    port = 636
    realNameAttribute = displayName
    sizelimit = 1000
    timelimit = 15
    userBaseDN = OU=Users,OU=<Command Accounts>,DC=<Command>,DC=NAVY,DC=MIL
    userNameAttribute = userprincipalname

    [roleMap_LDAP]
    admin = SPLUNK AUDITOR
    can_delete = SPLUNK AUDITOR
    network = SPLUNK NETWORK
    user = SPLUNK AUDITOR;SPLUNK USERS

web.conf:

    [settings]
    enableSplunkWebSSL = true
    privKeyPath = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_key.pem
    serverCert = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_server.pem
    sslPassword = <removed>
    requireClientCert = true
    sslRootCAPath = $SPLUNK_HOME\etc\auth\dodCerts\DoDRootCA3.pem
    enableCertBasedUserAuth=true
    SSOMode=permissive
    trustedIP = 127.0.0.1
    certBasedUserAuthMethod=PIV

server.conf:

    [sslConfig]
    enableSplunkdSSL = true
    sslRootCAPath = $SPLUNK_HOME\etc\auth\dodCerts\DoDRootCA3.pem
    serverCert = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_server.pem
    sslPassword = <removed>
    cliVerifyServerName = true
    sslVersions = tls1.2
    sslVerifyServerCert = true

    [general]
    serverName = SPKVSPLUNK2
    pass4SymmKey = <removed>
    trustedIP = 127.0.0.1
Hi, I've been hunting through the REST API documentation, as well as searching online, for the correct endpoint/curl request for maintaining sourcetypes, but haven't found anything. It is a trivial task using the UI, but my use case is that I want to spin up a Splunk instance using a script, as part of an automated test process, so UI input won't meet the requirement. Can anyone point me in the right direction?
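Added example (editor's code, not from either poster or from Splunk) serving both this question and the nav-bar question further up: a small urllib client for splunkd's management port that creates a source type by POSTing a new stanza to the configs/conf-props endpoint, and replaces an app's navigation by POSTing XML to the data/ui/nav endpoint, which is where the UI writes local/data/ui/nav/default.xml. The host, port 8089, credentials, app name "myapp", the source-type attributes and the offline "record" sender are all assumptions for the demonstration; the endpoint paths are the documented configs/conf-{file} and data/ui/nav entities, but verify them against the REST reference for your version (if the nav entity does not yet exist in the app, the create form is a POST to data/ui/nav with name=default). The client takes a cafile so a self-signed splunkd certificate can be trusted explicitly instead of turning verification off.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request


class SplunkRest:
    """Minimal client for splunkd's management port (assumed https://host:8089).

    `sender` is injectable so the exact request can be inspected offline;
    by default the request is sent over HTTPS with urllib."""

    def __init__(self, base_url, username, password, cafile=None, sender=None):
        self.base_url = base_url.rstrip("/")
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.auth_header = "Basic " + creds
        # Pin the instance's own (possibly self-signed) CA via cafile rather
        # than disabling certificate verification.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.sender = sender or self._send

    def _send(self, req):
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.load(resp)

    def post(self, owner, app, endpoint, fields):
        url = "{}/servicesNS/{}/{}/{}?output_mode=json".format(
            self.base_url, urllib.parse.quote(owner, safe=""),
            urllib.parse.quote(app, safe=""), endpoint)
        req = urllib.request.Request(
            url, data=urllib.parse.urlencode(fields).encode(), method="POST")
        req.add_header("Authorization", self.auth_header)
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        return self.sender(req)


def create_sourcetype(api, app, name, **attrs):
    """Create the [name] stanza in <app>/local/props.conf (what the UI does when
    you add a source type). Keyword arguments become stanza attributes."""
    return api.post("nobody", app, "configs/conf-props", {"name": name, **attrs})


def set_nav(api, app, nav_xml):
    """Replace the app's navigation XML; it lands in local/data/ui/nav/default.xml."""
    return api.post("nobody", app, "data/ui/nav/default", {"eai:data": nav_xml})


# The "to" navigation from the nav-bar question above.
NEW_NAV = """<nav>
  <view name="summary_new"/>
  <collection label="OLD">
    <view name="summary"/>
  </collection>
</nav>"""


def record(req):
    """Offline sender: report what would be sent instead of sending it."""
    return {"url": req.full_url, "method": req.get_method(),
            "body": urllib.parse.parse_qs(req.data.decode())}


if __name__ == "__main__":
    # Dry run against the recording sender; drop sender=record (and pass
    # cafile=...) to talk to a real instance.
    api = SplunkRest("https://localhost:8089", "admin", "changeme", sender=record)
    print(json.dumps(create_sourcetype(api, "myapp", "acme:app:json",
                                       KV_MODE="json", TIME_PREFIX='"ts":'), indent=2))
    print(json.dumps(set_nav(api, "myapp", NEW_NAV), indent=2))
```

For the setup-page use case, the same two POSTs can be issued from the page's JavaScript through the splunkjs service object; the button handler would send the alternate XML to the nav endpoint in the same way.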
Hi, we upgraded the Splunk DB Connect app to version 3.14.1, and the drivers as well: ojdbc11.jar v21.11 (Innovation Release) along with orai18n.jar. While trying to add a new input we noticed that for some connections we got the error "cannot get schemas". However, we are able to add inputs and the connections are working. The database versions are Oracle 19.19 and 12.1.0.2. We downgraded the driver to ojdbc11.jar v19.20 (Long Term Release) along with the respective orai18n.jar, but we still "cannot get schemas". All the permissions are granted to the user. In the _internal index we encounter this error message:

    Unable to get schemas metadata java.sql.SQLException: Non supported character set (add orai18n.jar in your classpath): EE8ISO8859P2

but orai18n.jar is already there. Any kind of help or idea would be appreciated. Thank you in advance!
Hi there, I want to send an email to users who have over 20 login failures (4625). I have a search, and there is no problem with the search, but I couldn't figure out how to send emails to the specific users who have 4625 login fail events. I know the trigger action "send email", but I couldn't figure out how to send to specific users. I don't want to send the email to a group; I need to send the email to the specific users who have 4625 events. Any help would be appreciated!
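Added example (editor's code, not from the poster): the per-user routing worked through over constructed 4625 events, including the case the Splunk-native version must also handle, a user who is over the threshold but has no address on file. The field names (EventCode, user, src), the user-to-email lookup, the addresses and the threshold are assumptions. Inside Splunk the same shape is `... | stats count by user | where count > 20 | lookup user_email user OUTPUT email`, with the email alert action set to trigger once for each result and its To field set to the token $result.email$; the code below shows what that pipeline has to produce and why a fallback address for users missing from the lookup matters.

```python
from collections import Counter
from email.message import EmailMessage


def _events(user, src, n):
    return [{"EventCode": "4625", "user": user, "src": src} for _ in range(n)]


# Constructed events shaped like the fields Splunk extracts from WinEventLog
# (field names are an assumption about the Windows add-on).
SAMPLE_EVENTS = (
    _events("jdoe", "10.0.0.5", 25)       # over the threshold, address on file
    + _events("asmith", "10.0.0.9", 3)    # under the threshold
    + _events("bwong", "10.0.0.7", 22)    # over the threshold, no address on file
    + [{"EventCode": "4624", "user": "jdoe", "src": "10.0.0.5"}]  # success, ignored
)

# Constructed stand-in for a user -> email lookup (e.g. an LDAP export CSV).
USER_EMAIL = {"jdoe": "jdoe@example.com", "asmith": "asmith@example.com"}


def users_over_threshold(events, threshold=20):
    """Count 4625 events per user; return {user: count} for counts above threshold.
    Mirrors: | stats count by user | where count > <threshold>"""
    counts = Counter(e["user"] for e in events if e.get("EventCode") == "4625")
    return {u: c for u, c in counts.items() if c > threshold}


def build_messages(events, directory, threshold=20,
                   fallback="soc@example.com", sender="splunk@example.com"):
    """One email per offending user, addressed to that user's own mailbox.
    A user with no address in the directory is routed to the fallback mailbox
    rather than silently dropped, so the alert is never lost."""
    msgs = []
    for user, count in sorted(users_over_threshold(events, threshold).items()):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = directory.get(user, fallback)
        msg["Subject"] = f"{count} failed logons (4625) for {user}"
        msg.set_content(
            f"Account {user} had {count} failed logon attempts (EventCode 4625), "
            f"above the threshold of {threshold}.\n")
        msgs.append(msg)
    return msgs


if __name__ == "__main__":
    for m in build_messages(SAMPLE_EVENTS, USER_EMAIL):
        print(m["To"], "<-", m["Subject"])
    # Real delivery would be smtplib.SMTP("mailhost").send_message(m) per message.
```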
Hi Splunk Experts, the timewrap command is using the d (24 hr) format, but I'm wondering whether it is possible to make it a "today" format. Example: if the current time is 10 AM, then it's displaying a timechart of 12 AM to 10 AM (12, 14, 16, 18, 20, 22, 00, 02, 04, 06, 08, 10), but I'm looking for 00 AM to 22 (00, 02, 04, 06, 08, 10, 12, 14, 16, 18, 20, 22). Any advice would be much appreciated.

    index="_internal" error | timechart span=10m count as Counts | timewrap d series=exact time_format="%Y-%m-%d"
Some of the event logs in Splunk are getting truncated at the beginning. I tried some props to break before the date and line-break at a new line, but nothing seems to be working.

Truncated events:

    9/29/23 5:40:46.000 AM  entFacing:1x.1xx.1xx.2xx/4565 to inside:1x.9x.x4x.x4x/43 duration 0:00:00 bytes 0
    9/29/23 5:40:36.000 AM  53 (1x.x8.2xx.2xx/34)
    9/29/23 5:37:21.000 AM  bytes 1275

Well-parsed events:

    2023-09-29T05:57:57-04:00 1x.xx.2.1xx %ASA-6-302014: Teardown TCP connection 758830654 for ARCC:1xx.x7.9x.1x/xx to inside:1x.2xx.6x.x1/xx17 duration 0:00:00 bytes 0 Failover primary closed
    2023-09-29T05:57:57-04:00 1x.xx.2.1xx %ASA-6-302021: Teardown ICMP connection for faddr 1x0.x5.0.1x/0 gaddr 1x.2x6.1xx6.x6/0 laddr 1x.xx6.1xx.x6/0 type 3 code 1

My props:

    TZ = UTC
    SHOULD_LINEMERGE=false
    NO_BINARY_CHECK=true
    CHARSET=UTF-8
    disabled=false
    TIME_FORMAT=%Y-%m-%dT%H:%M:%S
    MAX_TIMESTAMP_LOOKAHEAD=32
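Added example (editor's code, not from the poster): a way to test a LINE_BREAKER regex offline before touching props.conf on the indexer. The post does not establish whether the fragments come from newlines inside an event or from the transport splitting messages, so this only checks the breaker, not the cause. The buffer is constructed from the two well-parsed lines in the post with a newline inserted mid-event, which is the shape the truncated events have. It contrasts Splunk's default LINE_BREAKER, ([\r\n]+), with a breaker that only cuts where the next line starts with the ISO timestamp every real ASA event here carries; the emulation of the breaker semantics (first capture group is the discarded boundary) is the editor's, and the lookahead timestamp pattern is an assumption to adapt to your actual timestamp format.

```python
import re

# Constructed buffer: two ASA syslog events, the first of which arrived with a
# newline in the middle, so the tail "bytes 0 Failover primary closed" would
# look like a separate, timestamp-less event under the default breaker.
BUFFER = (
    "2023-09-29T05:57:57-04:00 1x.xx.2.1xx %ASA-6-302014: Teardown TCP connection "
    "758830654 for ARCC:1xx.x7.9x.1x/xx to inside:1x.2xx.6x.x1/xx17 duration 0:00:00\n"
    "bytes 0 Failover primary closed\n"
    "2023-09-29T05:57:57-04:00 1x.xx.2.1xx %ASA-6-302021: Teardown ICMP connection "
    "for faddr 1x0.x5.0.1x/0 gaddr 1x.2x6.1xx6.x6/0 laddr 1x.xx6.1xx.x6/0 type 3 code 1\n"
)

# Splunk's default LINE_BREAKER, and a candidate that breaks only when the
# following text starts with the ISO-8601 timestamp at the head of each event.
DEFAULT_BREAKER = r"([\r\n]+)"
TIMESTAMP_BREAKER = r"([\r\n]+)(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"


def split_events(buf, breaker):
    """Emulate LINE_BREAKER: the text matched by the regex's first capture
    group is the event boundary and is discarded; everything else is event
    text. Empty events (e.g. from a trailing newline) are dropped."""
    events, pos = [], 0
    for m in re.finditer(breaker, buf):
        events.append(buf[pos:m.start(1)])
        pos = m.end(1)
    events.append(buf[pos:])
    return [e.strip("\r\n") for e in events if e.strip("\r\n")]


if __name__ == "__main__":
    for name, breaker in (("default", DEFAULT_BREAKER), ("timestamp", TIMESTAMP_BREAKER)):
        evs = split_events(BUFFER, breaker)
        print(f"{name}: {len(evs)} events")
        for e in evs:
            print("  ", repr(e[:60]))
```

If the timestamp breaker gives the right event count on a sample of the raw data, the props.conf setting to try (assumed) is `LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})` alongside the existing SHOULD_LINEMERGE=false; if the count is already right under the default breaker, the splitting is happening before the data reaches the indexer.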
Hello comrades, I'm just curious: is there any way to shorten frequent words? For example, in <Data Name='IpAddress'>::ffff:10.95.81.99</Data>, IpAddress to ipaddr or something like IPa. Many thanks,