All Topics
Good Morning! I rarely get to dabble in SPL, and as such, some (probably simple) things stump me.  That is what brought me here today. I have a scenario in which I need to pull SYSLOG events from a series of machines that all report the field names.  One of those machines is the authoritative source of values, which all of the other systems should have.  As an example, I have 3 machines... M1, M2, M3, and each machine reports three field/value pairs... sync-timestamp, version-number, machine-name. I need to compare the sync-timestamp of M1 with the sync-timestamp of the other two machines.  My idea is to assign the "sync-timestamp value WHERE computer-name=M1" to a variable by which to compare the other two machines' values.  I intend to use this report to ultimately create an alert, so we know if machines are not syncing properly. I just cannot figure out the syntax to make this happen.  Can anyone provide some guidance on this? Thank you in advance!
I have the following script, but it keeps erroring out.

    import splunklib.client as client   # assumed: the Splunk SDK for Python, which provides client.connect()

    def connect_to_splunk(username, password, host='xxxxxxxx.splunkcloud.com', scheme='https',
                          port='8089', owner='admin', app='search', sharing='user'):
        # host must be the bare hostname; the scheme ("http"/"https") is a separate argument,
        # so the original 'http://xxxxxxxx.splunkcloud.com' host value is split into host + scheme
        try:
            service = client.connect(username=username, password=password, host=host, scheme=scheme,
                                     port=port, owner=owner, app=app, sharing=sharing)
            if service:                       # the original tested 'splunk_service', which is undefined here
                print("Splunk login successful")
                print("......................")
            return service                    # hand the connected service back to the caller
        except Exception as e:
            print(e)

    def main():
        try:
            splunk_service = connect_to_splunk(username='xxxxxx', password='xxxxxxx')
        except Exception as e:
            print(e)

    if __name__ == '__main__':
        main()                                # the original never called main(), so nothing ran

There is no error from the debugger (using Visual Studio). Would appreciate any assistance.
Greetings. I'm trying to count all calls in this:

    index="my_data" resourceId="sip*" "CONNECTED"

where not in this:

    index="my_data" resourceId="sip*" "ENDED"

This works when the latter is <10k (subsearch):

    index="my_data" resourceId="sip*" "CONNECTED" NOT [ search index="my_data" resourceId="sip*" "ENDED" | table guid ]

And I can use a join for more than 10k, because the TOTAL is not 10k (join limits):

    index="my_data" resourceId="sip*" "CONNECTED"
    | table guid meta
    | join type=left guid [ search index="my_data" resourceId="sip*" "ENDED" | table guid timestamp ]
    | search NOT timestamp="*"

But neither 'feels' great. I'm making my way through the PDF found here but have not figured out 'the best' way to do this (if such a thing exists). https://community.splunk.com/t5/Splunk-Search/how-to-exclude-the-subsearch-result-from-main-search/m-p/572567 So while there are several questions related to 'excluding subsearch' results, I have not found many that help with this 10k issue (subsearch results more than 10k, and a join works as long as my total values are less than 10k). PLUS - joins are kinda sucky, amirite? I mean, that's like one of the first things that Nick Mealy says in that PDF. So just looking for more options to try and learn! Thank you!
Windows domain controller server not reporting Windows security events in Splunk Cloud

We have a Windows Server acting as a Domain Controller; the Splunk forwarder is installed on this server and it forwards to our local on-premise Heavy Forwarder, which then uploads to Splunk Cloud. The Windows domain controller server in question is displaying Windows event logs for application and system, but not for security. So it is partially working, but somehow the security events are not making it to the cloud. However, it was working 100% fine before and later stopped working. Around the time it stopped working, we added it to msad (for domain controller specific inputs) but did not make any other changes.
We have set up cluster monitoring for a K8s cluster to monitor when pods get killed, failed, etc. The alert we get looks like the following: We have hundreds of pods and namespaces in the cluster, and I would like the alert summary to contain the namespace and pod name; otherwise I don't know if it's something I can ignore or not. For example, if someone is in a dev namespace testing a new app, the pod alerts might go off a lot, and there is no way to know if this is a production namespace/pod without going into the app. And when I wake up in the morning with 100 email alerts for pods failing, I don't know if prod is falling over or someone set up a new namespace to test... It doesn't seem to be possible to get the pod name, even though it's available in the dashboard view of the event: All I want is the Email/HTML template to include the namespace and pod name, but that doesn't seem to be possible today.
I have an alert that fires and while generating the alert, uses appendpipe to collect fields and generate an event in another index for collection by a third party tool. Is there a way to add the View Results link to the event that's generated so that it can map it in our third party tool to link the analysts back to the original alert?
I understand that there are 2 approved architectures for multi site search head clustering. One, where each site has their own independent search head clustering that has search affinity with index clusters, and a second option where there is a search head cluster stretched across the two sites. For the first option where the search head clusters are independent to each site, I have read that search head clusters are not site-aware. Does this mean that things saved through the search head cluster on site 1 would not replicate to site 2? For example, if I were to create a new dashboard at site 1 on the web UI through the search head cluster, that would not replicate to site 2?
Hello fellow Splunkthiasts! I need some insights to understand how comparison functions in mstats could be used. Consider the following query:

    | mstats latest(cpu_metric.*) as * WHERE index="osnix_metrics" sourcetype=cpu_metric CPU=all BY host
    | where pctUser > 50

As expected, it returns a list of hosts whose latest CPU usage value is higher than 50%. However, according to the mstats command reference, I can have a comparison expression within the WHERE clause, and I'd expect it would be more efficient to rewrite the above query like this:

    | mstats latest(cpu_metric.*) as * WHERE index="osnix_metrics" sourcetype=cpu_metric CPU=all pctUser > 50 BY host

Unfortunately, this doesn't return any results. I tried to refer to the metric before aggregation, with no luck:

    | mstats latest(cpu_metric.*) as * WHERE index="osnix_metrics" sourcetype=cpu_metric CPU=all cpu_metric.pctUser > 50 BY host

What am I missing here?
Hello guys, I have a weird problem with JavaScript after the latest upgrade (8.2.8 to 9.0.6).

JavaScript code:

    var queryResults = smAlerteGetter.data("results");
    console.log("Search done", queryResults);
    console.log("pimba - ---- " + JSON.stringify(queryResults));
    // when we have the result
    queryResults.on("data", function() {
        console.log("Data received");
    });

We should receive the events and should see the log "Data received". The query goes well, and we can see in the Activity Jobs that we received our events. However, we have other Splunk apps with similar scripts that have the correct behavior. Are we missing something in our app or configurations related to JavaScript? Please help!
Hi Team, we have 4 search heads in a cluster. One search head is getting the KV store PORT issue, asking to change the port; the remaining 3 SHs are working fine. We are unable to restart Splunk on that particular SH. If I check the SH cluster status, only 3 servers are showing now. Splunk installed version: 9.0.4.1. For error visibility please find the attached. Regards, Siva.
How do we capture multiple URLs in a single event?

Log1:

    type=EXECVE msg=audit(1695798790.101:25214323): argc=17 a1="http://127.0.0.1:8080" a2="http://10.0.2.20" a3="https://google.com/data/involvement/" a4=cat

Log2:

    type=EXECVE msg=audit(1695798790.100:25214323):  a2="https://facebook.com" a3="-o" a4="http://127.0.0.1/index.html" a5="-kis" a6="-x" a7="http://10.0.0.10:8080"

Currently I'm using the below regex, which captures only one URL:

    | rex field=_raw ".*\"(?<URL>((http|https):\/\/(\S+|\d+\.\d+\.\d+\.\d+\S+)))\""

I need all the URLs in the output.
Hi, we have just upgraded to 9.1.1 and our HEC seems to have stopped working. Calling it from a simple PowerShell script worked the day before, and running it now throws this error:

    Unable to connect to the remote server
    No connection could be made because the target machine actively refused it xxx.xxx.xxx.xxx:8088

So, I headed over to the forwarder where it should be listening, and the tokens do still exist in the Inputs.conf in "/opt/splunkforwarder/etc/apps/splunk_httpinput/local". However, issuing the list command gives us the following:

    $SPLUNK_HOME/bin/splunk http-event-collector list -uri https://localhost:8089
    Token Not Found

The HEC is enabled in the Global Settings, but we are also not seeing anything listening on port 8088. Splunk Enterprise on a Linux build.
Hello, it looks like when we enable or disable an app from the deployment server (GUI, for instance), then app.conf in deployment-apps is edited, pushed to forwarders, then edited again? Thanks.
Hi, I am trying to write a query which compares all values of a particular field and fetches the results, with their details, if they are not the same. Below is my input:

    FieldA    FieldB
    host1     26
    host2     29
    host3     29

I want to compare all field values from fieldB, and if they are not the same then I want to fetch that count with its fieldA value. E.g.: here 26 is not equal to the other 2 field values, so that fieldB value with its fieldA value has to be displayed. I tried with an if condition:

    | eventstats list(fieldB) as counts
    | eval value1=mvindex(counts,-2)
    | eval value2=mvindex(counts,-1)
    | eval value3=mvindex(counts,0)
    | eval value=if(('value1'=='value2') AND ('value2'=='value3'),"0","1")

Also with the below query:

    | stats dc(metric_value) as count
    | eval value=if(count>1,"0","1")

But with the above 2, I'm not able to pull the host name where that value is not the same. Note: fieldB is dynamic. Help me with this!!
Hi, there is a bug in the Splunk Enterprise Installer for 9.1.1 on Windows. During the upgrade (coming from 8.2.8) it processes the dashboard XML files, obviously looking for statements to change during the upgrade. There seems to be an erroneous conversion of UTF-8 files when the upgrade process saves them again on Windows, and all special characters like äÄöÖüÜ got eliminated and replaced by special characters across all dashboards by the upgrade. We had to manually check all dashboards after the upgrade. Be warned. Regards
I had an interview question: what is the search sequence of knowledge objects in Splunk? Please help me regarding this.
Hi there, I have a dashboard and I want to subtract the total number of events of 2 queries, but I'm not sure how to do it. Can you help?

Query 1:

    index=mssql sourcetype=SQL_Query source=Sales_Contracts_Activations* OR source=Sales_Contracts_Activations_BOM

Query 2:

    index=mssql sourcetype=SQL_Query source=Esigns CALLBACK_STATUS="SUCCESS" STATUS=Complete
Hello all, we have a Splunk alert that searches for high temperature events on Juniper routers; it's a very straightforward search:

    index=main CHASSISD_FRU_HIGH_TEMP_CONDITION OR CHASSISD_OVER_TEMP_SHUTDOWN_TIME OR CHASSISD_OVER_TEMP_CONDITION OR CHASSISD_TEMP_HOT_NOTICE OR CHASSISD_FPC_OPTICS_HOT_NOTICE OR CHASSISD_HIGH_TEMP_CONDITION OR (CHASSISD "Temperature back to normal") NOT UI_CMDLINE_READ_LINE

I'd like this Splunk alert to ignore temperature alarm events on the host router4-utah when FPC 11 (FPC: MPC5E 3D 24XGE+6XLGE @ 11/*/*) is running hot. The events always come in the following order, within 25 seconds of each other.

The alarm trigger events:

    Sep 27 05:26:00 re0.router4-utah chassisd[7726]: CHASSISD_BLOWERS_SPEED_FULL: Fans and impellers being set to full speed [system warm]
    Sep 27 05:26:00 re0.router4-utah alarmd[7895]: Alarm set: Temp sensor color=YELLOW, class=CHASSIS, reason=Temperature Warm
    Sep 27 05:26:00 re0.router4-utah craftd[7730]: Minor alarm set, Temperature Warm
    Sep 27 05:26:00 re0.router4-utah chassisd[7726]: CHASSISD_HIGH_TEMP_CONDITION: Chassis temperature over 60 degrees C (but no fan/impeller failure detected)
    Sep 27 05:26:02 re0.router4-utah chassisd[7726]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Over Temperature! (jnxContentsContainerIndex 7, jnxContentsL1Index 12, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr FPC: MPC5E 3D 24XGE+6XLGE @ 11/*/*, jnxOperatingTemp 91)

The alarm clear events:

    Sep 27 05:26:21 re0.router4-utah alarmd[7895]: Alarm cleared: Temp sensor color=YELLOW, class=CHASSIS, reason=Temperature Warm
    Sep 27 05:26:21 re0.router4-utah craftd[7730]: Minor alarm cleared, Temperature Warm

The goal is to keep the normal temperature alert running as it always has, but somehow ignore the host router4-utah when it triggers and clears temperature alarms on FPC11.

I think the easiest way to say this is: any temp alarm that triggers and clears on router4-utah and is surrounded within 25 seconds by this line:

    Sep 27 05:26:02 re0.router4-utah chassisd[7726]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Over Temperature! (jnxContentsContainerIndex 7, jnxContentsL1Index 12, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr FPC: MPC5E 3D 24XGE+6XLGE @ 11/*/*, jnxOperatingTemp 91)

Any assistance one can provide is much appreciated! Thanks.
index=botsv1 sourcetype="stream:http" | timechart max(date_year)
Hi everyone, after I select the source type I am getting the below error while using ingest actions. I had to update the pass4symmkey, as ingest actions require setting up a custom pass4symmkey.

    Connection testing failed in all remote clients: [https://*.*.*.*:8089]. This can be caused by misconfiguration of secret key or event capture is not supported in those remote splunk instances.

Any idea what is happening?