My query returns multiple rows, one for each environment that meets a certain condition. I would like to trigger an alert for each row (environment) that meets the condition. Is there a way to do this in Splunk?
Hello there. I have IIS logs being ingested into Splunk. The sourcetype is currently set to "iis:test".

props.conf:

[iis:test]
TZ = UTC
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TRANSFORMS-8_AssignToIndex = setindex_dev, setindex_qa, setindex_stage, setindex_prod

transforms.conf:

[setindex_dev]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::web-dev-2\d{1}.*$
DEST_KEY = _MetaData:Index
FORMAT = wf_dev_i

[setindex_qa]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::web-qa-2\d{1}.*$
DEST_KEY = _MetaData:Index
FORMAT = wf_qa_i

[setindex_stage]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::web-stg-2\d{1}.*$
DEST_KEY = _MetaData:Index
FORMAT = wf_stage_i

[setindex_prod]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::web-2\d{1}.*$
DEST_KEY = _MetaData:Index
FORMAT = wf_prod_i

This should send the events coming from the host web-dev-20 to the wf_dev_i index. Instead, they go to the main index. I have the same configuration set for other sources and it works fine. What am I missing here?

Thank you,
Claudio
I have a generic catchall for syslog traffic that is breaking when I try to use an acceptFrom for a subnet.

--- Generic Catchall ----

[udp://514]
connection_host = ip
index = syslog
sourcetype = syslog

The catchall functions correctly when using a single specific IP going to a specified index:

[udp://192.168.1.1:514]
host = srv-lb-2
connection_host = none
index = a10
sourcetype = syslog

But if I try to add a new UDP input to capture a full /24 and shove it in a separate index, that overrides/disables the generic input from the first one. I do see messages in the checkpoint index; however, the [udp://514] from the first block stops.

[udp://514]
acceptFrom = 192.168.2.0/24
connection_host = ip
index = checkpoint
sourcetype = syslog

Anyone know how to do this in a way that works, please?? Thanks!
I need to change the value of the "Trigger" parameter from "Once" to "For each result" for multiple alerts. But I can't find the parameter where it's stored to change it via the API.
I have the following query:

index=obh_prod sourcetype=obh:edge:api proxy!="ow*"
| lookup blink_six_providers ProviderId as pxrq_h_x-corapi-target-id OUTPUT ProviderId ProviderName
| fillnull value=target_id ProviderId ProviderName
| dedup ProviderName ProviderId
| table ProviderId ProviderName

If no values are found, ProviderId and ProviderName should both get the value of pxrq_h_x-corapi-target-id. It actually now produces:

ProviderId                  ProviderName
pxrq_h_x-corapi-target-id   pxrq_h_x-corapi-target-id
IIDP06300                   Valiant Bank AG
IIDP00761                   Aargauische Kantonalbank

It should produce the following if pxrq_h_x-corapi-target-id e.g. contains IIDP099999 and this value is not found in the lookup. How do I get the contents of the variable and not the name of the variable itself?

ProviderId   ProviderName
IIDP099999   IIDP099999
IIDP06300    Valiant Bank AG
IIDP00761    Aargauische Kantonalbank
I have a dashboard that shows/hides a panel whenever an option in a checkbox is ticked, which is already working. My problem is that whenever I select the option as the default value, the panel is still hidden whenever I open the dashboard. Any idea on this, or am I missing something?

Here's some part of my XML.

<input type="checkbox" token="check">
  <label>Category Type</label>
  <choice value="db_gc_wait">DB GC Waits</choice>
  <choice value="concurrent_manager">Concurrent Managers</choice>
  <choice value="blocking_session">Blocking Session</choice>
  <choice value="longrunning_job">Long Running Jobs</choice>
  <choice value="crm_top_request">CRM Top Requests</choice>
  <choice value="workflow_mailer">Workflow Mailer</choice>
  <change>
    <condition match="$check$ = &quot;db_gc_wait&quot;">
      <set token="show_db_gc_wait">1</set>
      <unset token="show_concurrent_manager"></unset>
      <unset token="show_blocking_session"></unset>
      <unset token="show_longrunning_job"></unset>
      <unset token="show_crm_top_request"></unset>
      <unset token="show_workflow_mailer"></unset>
    </condition>
    ...
    <condition match="$check$ = &quot;db_gc_wait concurrent_manager blocking_session longrunning_job crm_top_request workflow_mailer&quot;">
      <set token="show_db_gc_wait">1</set>
      <set token="show_concurrent_manager">1</set>
      <set token="show_blocking_session">1</set>
      <set token="show_longrunning_job">1</set>
      <set token="show_crm_top_request">1</set>
      <set token="show_workflow_mailer">1</set>
    </condition>
    <!-- Unset all tokens -->
    <condition>
      <unset token="show_db_gc_wait"></unset>
      <unset token="show_concurrent_manager"></unset>
      <unset token="show_blocking_session"></unset>
      <unset token="show_longrunning_job"></unset>
      <unset token="show_crm_top_request"></unset>
      <unset token="show_workflow_mailer"></unset>
    </condition>
  </change>
...

<row>
  <panel depends="$show_db_gc_wait$">
    <table>
      <title>Database GC Waits</title>
      <search>
        <query> MY QUERY</query>
        <earliest>$time_tok.earliest$</earliest>
        <latest>$time_tok.latest$</latest>
      </search>
      <option name="drilldown">cell</option>
    </table>
  </panel>
</row>
Hi, I have a lot of alerts in my Splunk apps. Is there a way to count the number of alerts returning results by day, by month...? Is it possible? Thanks
Hello folks, I have a question about multiple checkboxes. I'm using them to fill an "IN" command in my search, and I have an "All option". I was wondering whether it is possible, when I check this "All option", for the others to be unchecked, like in the example below:

1:

2:

and if possible only using XML (without JavaScript).
I have a Windows server and its OS crashed, but I have the Splunk database on another drive, which is fine. The steps I have performed in the new Splunk installation are:

1. Copied the configurations of the previous Splunk application from the backup I have into the new application.
2. Changed the database location and created the database structure on another drive apart from the C: drive.
3. Then, from the earlier database, I copied the indexed data into the new database, where I overwrote the already-present indexes that were created as per the indexer configuration.
4. Now when I restart Splunk I get a "DIRTY_DATABASE File (.dirty_database)" file generated.
5. But I can see the data in the indexes when I run a search.

So, the question is whether the procedure I followed is correct, or is there any other way to do this?

Thanks,
Your well wisher
I'm struggling to find documents on AppDynamics SaaS for ingestion capability in an agentless approach. Basically, I know I have to find a way of monitoring SAP CPI (in the cloud), and no agent can be installed there. I need a way of calling data from an external source and then gathering it in AppD, or directly shipping the data to AppD. Does a feature like this exist, and where is it documented? Best regards
Hello All, Please let me know how to install the AppDynamics platform UI, because I can see no product in the downloads folder. I am not able to install the AppDynamics console, i.e. the platform file; also, the file is not available in the download portal. Thanks, Sujal

^ Post edited by @Ryan.Paredez for minor edits to the title and body for clarity.
Hi, I have a lookup which lists out all Red Hat Linux. For example, in my lookup I have Red Hat 7, Red Hat 8 and so on. I need to correlate OS logs with the lookup, but my OS log is not standardized, as below: Red Hat Linux Enterprise 7.1, Red Hat Linux Enterprise Server 8.6 and so on. How do I make it a standardized OS like the lookup above using regex? Please assist on this. Thank you
I have some logs coming into Splunk and they are parsing correctly without any issues: index=xxx sourcetype=splunk-logs. But now the logs' time zone has changed, so now I have to update the time zone in props.conf. So where can I find this existing sourcetype=splunk-logs in Splunk?
My inputs.conf on the Raspberry Pi looks like this:

[monitor:///var/log/pihole.log]
disabled = 0
sourcetype = pihole
index = main

[monitor:///var/log/pihole-FTL.log]
disabled = 0
sourcetype = pihole:ftl
index = main

Both log files exist in /var/log, but only one sourcetype gets sent to my indexer, and that's "pihole:ftl". Any assistance would be greatly appreciated.
I can't understand this; all other stuff works great, I receive all the information I enabled, I have installed these apps both on forwarders and search heads, and all that is missing is the "savedsearches.conf". I would appreciate suggestions, because for the moment it is very important for me to obtain these searches.
I have events with the following keys: key1, key2 & key3. I would like to get the change events, i.e. events whose key1, key2 & key3 values are not in the events of the previous day. What should the query look like?
I have a dropdown with two values, PROD and TEST. Based on my selection, in my panels in the dashboard I have to choose a different index for my search. How can I do this? Example of two searches (these also include other tokens, which can be ignored; both searches work if I directly put in the right index):

1/ index=<IF PROD then AAA_prod_index else AAA_test_index> sourcetype IN (abc:edge:api, abc:edge:api) proxy!="ow*" $client_token$ $target_token$ | rex mode=sed field=proxy "s#^(.*?)_(.*)$#*_\2#" | stats count by proxy

2/ index=<IF PROD then BBB_prod_index else BBB_test_index> sourcetype=accesslog tenant=$tenant_token$ | stats count by HTTPStatusCode
I recently upgraded, or rather installed, a Splunk UF version 9.1.1 which communicates back to Splunk Cloud, but I seem to get an Unsupported error on the console. Is using version 9.1.1 of a forwarder not supported with the below Splunk Cloud?

Version: 9.0.2209.3
Build: ec7eaea0bba6
Experience: Victoria
Hi Friends, I am trying to create a bar chart with trends (as a line) for the number of tickets received every month. I need to show the data label for only one month in the chart. Please let me know how we can achieve this. Currently, it shows the data label for all months, but I need to show it for the first month alone. Thanks.
All the timestamps in the JSON we receive are UTC, but the TA ignores the time zone in the ISO 8601 string, so it defaults to local time. Thus, all our events are timestamped several hours into the future. I noticed that the timestamps Google provides vary from millisecond to nanosecond precision, but trailing zeros are truncated before the "Z" is tacked on. This makes it difficult to specify a time format with a trailing time zone that will work for every event. But instead, shouldn't all the source types have TZ = UTC in props? Am I the only one with this problem?