All Topics

Hello, I'm facing an issue when trying to create a user or access the saved search list. For example, when I use the Splunk web interface to create a user, the page remains blank and doesn't display as expected, as shown in the screenshot. Additionally, I attempted to create a user through the CLI using the "splunk add" command, but I received no response, as indicated in the screenshot. Have you encountered this problem before? How can I debug it? I'd like to mention that even when I attempt to view saved searches, the page remains blank and doesn't display them. Thank you
My DN field value is "cn=jsuwus, jkhzdhkjc,ou=sdsfefv accounts,ou=ffdsrew users,dc=hgsywy,dc=tre,dc=hyt,dc=kuhytr". I need rex to extract anything after "=" and ending at ",ou="; if it sees "=", it needs to stop two letters and a "," before it. So in this instance:

cn field as "first_field", value="jsuwus, jkhzdhkjc"
ou field as "2_field", value="sdsfefv accounts"
ou field as "3_field", value="ffdsrew users"
dc field as "4_field", value="hgsywy"
dc field as "5_field", value="tre"
dc field as "6_field", value="hyt"
dc field as "7_field", value="kuhytr"

Thanks in advance
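Added example, not part of the post above and not a reply from the thread: the rule the question describes (a comma ends a value only when "attribute=" follows it) is a regex lookahead, and the value "jsuwus, jkhzdhkjc" is exactly the case that breaks a naive split on commas. The Python below implements that rule so it can be checked against the posted DN; in SPL the same lookahead goes inside rex, for instance `| rex field=DN "^cn=(?<first_field>.+?)(?=,ou=)"` (the field name DN is an assumption). The code also keeps a backslash-escaped comma, LDAP's own escape for "," inside a value, which the posted sample does not contain. Function and constant names are this example's own.

```python
from __future__ import annotations
import re

# Constructed sample: the DN value quoted in the post above.
SAMPLE_DN = ("cn=jsuwus, jkhzdhkjc,ou=sdsfefv accounts,ou=ffdsrew users,"
             "dc=hgsywy,dc=tre,dc=hyt,dc=kuhytr")

# A comma separates two RDNs only when the text after it is "<attribute>=".
# That lookahead is the whole trick: the comma inside "jsuwus, jkhzdhkjc" is
# not followed by "xx=" so it stays part of the value. The lookbehind keeps a
# backslash-escaped comma (LDAP's escape for "," in a value) intact as well.
RDN_SEPARATOR = re.compile(r"(?<!\\),(?=\s*[A-Za-z][A-Za-z0-9-]*=)")
RDN = re.compile(r"^\s*(?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>.*)$")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, left to right."""
    pairs = []
    for rdn in RDN_SEPARATOR.split(dn):
        m = RDN.match(rdn)
        if not m:
            raise ValueError(f"not an attribute=value pair: {rdn!r}")
        pairs.append((m.group("attr").lower(), m.group("value").strip()))
    return pairs


def numbered_fields(dn: str) -> dict[str, str]:
    """Name the components the way the post asks: first_field, 2_field, ..."""
    out = {}
    for i, (_attr, value) in enumerate(parse_dn(dn), start=1):
        out["first_field" if i == 1 else f"{i}_field"] = value
    return out


def typed_fields(dn: str) -> dict[str, list[str]]:
    """Group values by attribute type (cn/ou/dc); this is the shape you want
    when matching an OU against an allow-list rather than by position."""
    out: dict[str, list[str]] = {}
    for attr, value in parse_dn(dn):
        out.setdefault(attr, []).append(value)
    return out


if __name__ == "__main__":
    for name, value in numbered_fields(SAMPLE_DN).items():
        print(f"{name}={value}")
```

Positional names like 2_field are fragile: the same account in a differently nested OU shifts every number. typed_fields() is the safer shape for any allow-list or detection logic.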
We recently had short metric gaps in the controller UI (SaaS Controller) for several apps and different agents (DB, App and Machine). The log files of all the different agents have a common theme: "Connection back off limitation in effect". "Fatal transport error while connecting to URL" also comes up sometimes as a similar error logged by agents. I did a quick search online and this seems to be an AppD agent-specific log file entry. The AppD community also had about 12 entries going back to 2017, all with no clear solution to this error message (summary below). Docs site search returns nothing. I opened an AppD support case and will see what they say, but it is frustrating to see that this is a common thing reported by different agents without a clear cause for it documented anywhere. I wonder why something like this is logged the way it is, which makes me think it's something to do with a limitation on the Controller side of things, when all other community posts and agent logs make it look like it is not Controller related.

Examples of our recent issue (I tried to redact the important bits):

DB Agent v23.2.2
[Entity-Registration-Scheduler-19] 31 Oct 2023 10:50:25,932 WARN EntityRegistrar - Fail to register [DBSession] entities: java.lang.RuntimeException: Connection back off limitation in effect: /controller/instance/***/registerServerSatelliteEntity
at com.singularity.ee.agent.dbagent.task.reporter.EntityRegistrar.registerEntities(EntityRegistrar.java:276) ~[db-agent.jar:Database Agent v23.2.0.0 GA compatible with 4.5.2.0 Build Date 2023-02-22]

Other DB Agent v23.2.2
[<**DB Collector Name***>-Transient-Event-Scheduler-2] 31 Oct 2023 10:51:22,737 WARN SystemAgentTransientEventChannel - Error sending event data to controller: Connection back off limitation in effect: /controller/instance/***/transient-channel

Different DB agent v23.8.8
[<**DB Collector Name***>-Scheduler-3] 31 Oct 2023 10:51:52,288 INFO ADBCollector - Collected one-minute data for ***
[Entity-Registration-Scheduler-2] 31 Oct 2023 10:51:52,850 WARN EntityRegistrar - Fail to register [Query] entities: java.lang.RuntimeException: Connection back off limitation in effect: /controller/instance/3945944/registerSQLQuery

SIM (Machine) Agent
**ServerName**==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:56,554 ERROR ManagedMonitorDelegate - Error sending metrics - will requeue for later transmission com.singularity.ee.agent.commonservices.metricgeneration.metrics.MetricSendException: Connection back off limitation in effect: /controller/instance/***/metrics

SIM Agent v22x
***Hostname***==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:48,204 ERROR ManagedMonitorDelegate - Fatal transport error while connecting to URL [/controller/instance/***/metrics]: org.apache.http.conn.ConnectTimeoutException: Connect to ***:443 [***/***, ***, ***] failed: connect timed out
***Hostname***==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:48,204 WARN ManagedMonitorDelegate - Error sending metric data to controller:Fatal transport error while connecting to URL [/controller/instance/***/metrics]
***Hostname***==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:48,204 ERROR ManagedMonitorDelegate - Error sending metrics - will requeue for later transmission com.singularity.ee.agent.commonservices.metricgeneration.metrics.MetricSendException: Fatal transport error while connecting to URL [/controller/instance/***/metrics]

Summary of other AppD community posts with a similar error from agent log files:

- 2017 Community post: https://community.appdynamics.com/t5/NET-Agent-Installation/Azure-Cloud-Service-No-load-detected-App-agent-status-0/td-p/26538 (no solutions in ticket/unresolved)
- 2017 Community post no. 2: https://community.appdynamics.com/t5/Dynamic-Languages-Node-JS-Python/Could-not-connect-to-the-controller-invalid-response-from/td-p/28680 (Python agent issues; mentions proxy setup for outbound requests from the agent server, but no clear answer other than bringing the node online on the controller, whatever that means)
- 2017 Community post no. 3: https://community.appdynamics.com/t5/NET-Agent-Installation/Failed-to-add-web-app-to-AppDynamics/td-p/23699 (no confirmed solution, but the last post suggests using non-SSL settings, which is not a great solution if that is the fix)
- 2017 Community post no. 4: https://community.appdynamics.com/t5/NET-Agent-Installation/net-Agent-registering-issue/td-p/29595 (proxy setting highlighted but no ultimate solution)
- 2018 Community post: https://community.appdynamics.com/t5/NET-Agent-Installation/BT-requests-and-survival/td-p/29629 (answers do not address the "Connection back off limitation in effect" issue)
- 2018 Community post no. 2: https://community.appdynamics.com/t5/NET-Agent-Installation/After-NET-Agent-upgrade-to-4-3-7-1-we-are-not-seeing-load-for/td-p/34528 (issue shown in one log file extract but not addressed)
- 2018 Community post no. 3: https://community.appdynamics.com/t5/Controller-SaaS-On-Premises/Unable-to-connect-to-the-controller/td-p/30857 (no final solution)
- 2018 Community post no. 4: https://community.appdynamics.com/t5/NET-Agent-Installation/Need-help-on-installation-of-agent/td-p/34673 (post never had a resolution)
- 2019 Community post: https://community.appdynamics.com/t5/NET-Agent-Installation/no-metrics-in-controller-after-net-agent-installation-in-linux/td-p/37848 (possible issue with AppDynamicsConfig.json; no clear answer/solution)
- 2019 Community post no. 2: https://community.appdynamics.com/t5/NET-Agent-Installation/Net-core-agent-Linux-is-not-connecting-to-the-saas-controller/td-p/37867 (no solution)
- 2021 Community post: https://community.appdynamics.com/t5/Knowledge-Base/How-do-I-install-the-NET-Core-Microservices-Agent-for-Windows/ta-p/33191 (answers do not address the "Connection back off limitation in effect" issue)
- 2023 Community post: https://community.appdynamics.com/t5/Controller-SaaS-On-Premises/Could-not-connect-to-the-controller-invalid-response-from/m-p/50571#M3319 (suggests ignoring or disabling the errors)

Here is to hoping there is a solution or better answer to this issue.
Hi Splunkers! I would like to know how to define a .evtx file input. I had defined it this way, but it didn't work:

[monitor://C:\Windows\System32\Winevt\Logs\Data Security.evtx]

Thanks!
Hi all, I have a forwarder in my cluster and it sends events to the indexers. The events are JSON formatted and I want to drop some events if a specific key has a specific value. For example, consider the following event:

{"process_exec":{"process":{"exec_id":"xXXXXXXXXXx==","pid":1111111,"cwd":"/tmp","binary":"/bin/sleep","arguments":"10"}}}

I want, for example, if the binary is equal to X, the forwarder to drop the event and not send it to the indexers or any index. I created props.conf and transforms.conf. The content of these files is:

[json_no_timestamp]
TRANSFORMS-filter = filterLinux

and

[filterLinux]
REGEX = process.process_exec.binary = '/usr/bin/timeout'
DEST_KEY=queue
FORMAT=nullQueue

But the events are not dropped. Any help is appreciated.
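Added example, not part of the post above and not a reply from the thread. Two things decide whether a nullQueue filter like this fires. First, the REGEX in a transforms.conf stanza is applied to the raw event text (_raw), so it has to match what is literally there, such as `"binary":"/usr/bin/timeout"`; the posted pattern is a JSON path and never matches. Second, TRANSFORMS-* routing runs in the parsing pipeline, which a universal forwarder does not have, so the props.conf/transforms.conf pair has to live on the indexers (or on a heavy forwarder in front of them), under a stanza named for the sourcetype (assumed here to be json_no_timestamp, as in the post). The Python below builds the REGEX the way Splunk would see it and checks it against two constructed events; the printed value is what goes after `REGEX =`, with DEST_KEY and FORMAT unchanged from the post.

```python
import json
import re

# Constructed raw events in the shape given in the post; the first one carries
# the binary the filter is meant to drop, the second one must be kept.
RAW_DROP = ('{"process_exec":{"process":{"exec_id":"xXXXXXXXXXx==","pid":1111111,'
            '"cwd":"/tmp","binary":"/usr/bin/timeout","arguments":"10"}}}')
RAW_KEEP = ('{"process_exec":{"process":{"exec_id":"yYYYYYYYYYy==","pid":2222222,'
            '"cwd":"/tmp","binary":"/bin/sleep","arguments":"10"}}}')

# The REGEX exactly as it appears in the post's transforms.conf. It reads like
# a JSON path, but Splunk applies it as a regex to the raw text, where no such
# substring exists, so it never matches and nothing is routed to nullQueue.
POSTED_REGEX = r"process.process_exec.binary = '/usr/bin/timeout'"


def null_queue_regex(binaries):
    """Build a REGEX value that matches the raw JSON text for any of the given
    binaries. Each path is regex-escaped; the JSON punctuation is literal."""
    alternation = "|".join(re.escape(b) for b in binaries)
    return r'"binary":\s*"(?:' + alternation + r')"'


def would_be_dropped(raw, regex):
    """Emulate the index-time decision: a TRANSFORMS REGEX is an unanchored
    search over _raw, and a hit sends the event to nullQueue."""
    return re.search(regex, raw) is not None


def structural_check(raw, binaries):
    """Parse the JSON and test the intended condition directly, to confirm the
    regex and the meaning of the rule agree on every sample event."""
    doc = json.loads(raw)
    return doc["process_exec"]["process"]["binary"] in binaries


if __name__ == "__main__":
    drop = ["/usr/bin/timeout"]
    print("REGEX =", null_queue_regex(drop))
    for raw in (RAW_DROP, RAW_KEEP):
        print(would_be_dropped(raw, POSTED_REGEX),
              would_be_dropped(raw, null_queue_regex(drop)),
              structural_check(raw, drop))
```

Keep the list of dropped binaries short and exact: every event that hits nullQueue is gone before it is indexed, so an over-broad pattern silently removes the execution records a later investigation would need.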
Hello Community, I am trying to identify the following. What would be the best data source(s) on Windows systems to gain visibility over the Services (which should be different from Processes) and their DLLs, executables, hashes, and paths? The Endpoint Data Model requires fields related to the above: https://docs.splunk.com/Documentation/CIM/5.2.0/User/Endpoint Any help will be much appreciated! Thank you.
I have a current search used in dashboards and alerts. It extracts fields from an existing field. I'm trying to edit this to only return results if the extracted fields are null/empty, but I get no results. Essentially this is used to extract ticket numbers and descriptions entered into a freeform text box, and I'm trying to pick up when this isn't entered or is entered incorrectly. My search:

index=<MyIndex> sourcetype=<MySourceType> log_subtype=general description=CommitAll*
| rex field=description "JobId=(?<JobId>.*?)\."
| rename JobId as "Job ID"
| rex field=description "User:\s(?<user>.*?)\."
| rename user as User
| rex field=description "Commit Description:\s(?<CommitDescription>.*)"
| rename CommitDescription as "Commit Description"
| rex field=description "(?<JobDescription>.*).*JobId"
| rename JobDescription as "Job Description"
| rex field=description "device-group\s(?<DeviceGroup>.*?)\s"
| rename DeviceGroup as "Device Group"
| rex field=description "template\s(?<Template>.*?)\s"
| rename template as Template
| rex field="Commit Description" "\b(?<TicketNumber>\d{5})\b"
| rename TicketNumber as "Ticket Number"
| transaction "Job ID"
| table _time,host,"Job ID",User,"Ticket Number","Commit Description","Template","Device Group","Job Description"

I have tried adding:

| where isnull("Ticket Number") OR "Ticket Number"=""

I'm assuming that if the search is unable to extract the fields because a ticket number or description has not been entered, then the field won't exist to search? I'm going round in circles here, as I don't really understand what happens if the field extraction rex doesn't find a match.
Hi Experts, I am trying to convert a Splunk classic XML dashboard to Splunk Dashboard Studio. Below is my classic XML dashboard code.

<fieldset autoRun="True" submitButton="false">
  <input type="text" token="SelectedDay" searchWhenChanged="true">
    <label>Enter Date (MM/DD/YYYY)</label>
    <default>$CurDate$</default>
  </input>
</fieldset>

The above code got converted to Splunk Dashboard Studio code as shown below. But when the dashboard is displayed, token SelectedDay is set to "$CurDate$" instead of the current date. Could you please help me with this?

"inputs": {
  "input_9ejCAUHM": {
    "type": "input.text",
    "options": {
      "token": "SelectedDay",
      "selectFirstSearchResult": true,
      "defaultValue": "$CurDate$"
    },
    "title": "Enter Date (MM/DD/YYYY)"
  }
},

Thanks, Ravikumar
Splunk UBA users not able to Login with Splunk when splunk is on SSO
Good morning All, I have several logs with fields which have subfields. I would like to be able to extract the subfield and append it to the parent. The example should clarify my query. I have a log of user modifications. The log would look something like this:

Changed Attributes:
  SAM Account Name: -
  Display Name: -
  User Principal Name: -
  Home Directory: -
  Home Drive: -
  Script Path: -
  Profile Path: -
  User Workstations: -
  Password Last Set: 9/12/2023 7:30:15 AM
  Account Expires: -
  Primary Group ID: -
  AllowedToDelegateTo: -
  Old UAC Value: -
  New UAC Value: -
  User Account Control: -
  User Parameters: -
  SID History: -
  Logon Hours: -

I would like to be able to create a table which will have a column which will include the "parent" field, Changed Attributes, as well as the child field, for example: Changed Attributes: Password Last Set.

Alternatively, I would also settle for a table with a statically assigned column, let's call it "changed data", and as a value have: Password Last Set: 9/12/2023 7:30:15 AM

Another challenge I have (probably a candidate for another question on the forum) is to add the value to a table column only if it has a value other than "-" to the right of it. The reason is that only one changed attribute (of all those in the list above) will have any value. I would like to report on what attribute for a user was changed.

Thank you very much in advance for any direction.

Kind Regards,

Mike.
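Added example, not part of the post above and not a reply from the thread: the block in that event has a simple shape, a "parent" line that ends in a colon followed by indented "Name: value" lines, with "-" standing for an attribute that did not change. The Python below parses that shape into parent -> child -> value and then keeps only the attributes with a real value, which is the "what was changed for this user" report the post is after. The sample text is copied from the post; the function and regex names are this example's own, and the logic is the same whether the text arrives as one raw event or as a field.

```python
from __future__ import annotations
import re

# Constructed sample: the "Changed Attributes" block copied from the post above.
SAMPLE = """Changed Attributes:
  SAM Account Name: -
  Display Name: -
  User Principal Name: -
  Home Directory: -
  Home Drive: -
  Script Path: -
  Profile Path: -
  User Workstations: -
  Password Last Set: 9/12/2023 7:30:15 AM
  Account Expires: -
  Primary Group ID: -
  AllowedToDelegateTo: -
  Old UAC Value: -
  New UAC Value: -
  User Account Control: -
  User Parameters: -
  SID History: -
  Logon Hours: -
"""

# A parent is an unindented line ending in ":" with nothing after it; a child
# is an indented "Name: value" line. The value may itself contain colons
# (timestamps), so the child name is matched lazily up to the first colon.
PARENT = re.compile(r"^(?P<parent>[^\s][^:]*):\s*$")
CHILD = re.compile(r"^\s+(?P<name>[^:]+?):\s*(?P<value>.*?)\s*$")

UNCHANGED = "-"  # Windows writes "-" for attributes that kept their value


def parse_sections(text: str) -> dict[str, dict[str, str]]:
    """Return {parent: {child: value}} for every section in the block."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PARENT.match(line)
        if m:
            current = m.group("parent")
            sections[current] = {}
            continue
        m = CHILD.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("value")
    return sections


def changed_only(text: str) -> dict[str, str]:
    """Flatten to 'Parent: Child' -> value, keeping only attributes that
    actually changed, i.e. whose value is something other than '-'."""
    return {
        f"{parent}: {child}": value
        for parent, children in parse_sections(text).items()
        for child, value in children.items()
        if value != UNCHANGED
    }


if __name__ == "__main__":
    for column, value in changed_only(SAMPLE).items():
        print(f"{column} = {value}")
```

Dropping "-" entries before tabulating is the part worth doing carefully: a change to Old/New UAC Value, AllowedToDelegateTo or SID History is far more interesting than a routine Password Last Set, and the filter makes those stand out instead of being one of eighteen columns.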
My trial has finished and is almost expired. I don't want to keep my account; could you guide me on how to fully delete the account and all related info? Even the controller GUI keeps showing a 500 Internal Server Error, and it hasn't been resolved till now.
Hi All, our scenario is as follows: in our AWS environment, we want to collect our logs using the universal forwarder from our Linux, EKS and Windows servers. But the thing here is we don't have internet in our environment. Can anyone please suggest a solution on how we can install this forwarder and use it to forward our logs to a centralized server for monitoring? Basically, it's a non-routable environment. There are 3 resources from which we want to collect logs:

Linux server
Windows server
EKS cluster
Is there any prebuilt search (like a rest command) to find the number of triggered alerts for a particular dashboard? If not, can we create a search which helps in identifying which triggered alert is associated with which dashboard for a specific time period?
Hi SMEs, I would like to create an alert on Splunk ES which should trigger if any of the heavy forwarders is rebooted or shut down by someone. Thanks in advance
I was building a new search and started getting this error with various functions. I simplified my search down to something straight out of the documentation to make sure I wasn't missing something silly, but I still get the error even with this:

index=* | eval c=avg(1, 2, 3)

What's going on?
Getting a ton of these Telemetry errors in the Event Log of a Windows server with a UF installed. They started a few days ago. What could be causing them? No changes have been made to the UF or Splunk infrastructure recently.

1.6987038408387303e+09 error exporterhelper/queued_retry.go:183 Exporting failed. The error is not retryable. Dropping data. {"kind": "exporter", "name": "signalfx", "error": "Permanent error: \"HTTP/2.0 401 Unauthorized\\r\\nContent-Length: 0\\r\\nDate: Mon, 30 Oct 2023 22:10:40 GMT\\r\\nServer: istio-envoy\\r\\nWww-Authenticate: Basic realm=\\\"Splunk\\\"\\r\\nX-Envoy-Upstream-Service-Time: 5\\r\\n\\r\\n\"", "dropped_items": 50}
go.opentelemetry.io/collector/exporter/exporterhelper.(*retrySender).send
    /builds/o11y-gdi/splunk-otel-collector-releaser/.go/pkg/mod/go.opentelemetry.io/collector@v0.53.0/exporter/exporterhelper/queued_retry.go:183
go.opentelemetry.io/collector/exporter/exporterhelper.(*metricsSenderWithObservability).send
    /builds/o11y-gdi/splunk-otel-collector-releaser/.go/pkg/mod/go.opentelemetry.io/collector@v0.53.0/exporter/exporterhelper/metrics.go:132
go.opentelemetry.io/collector/exporter/exporterhelper.(*queuedRetrySender).start.func1
    /builds/o11y-gdi/splunk-otel-collector-releaser/.go/pkg/mod/go.opentelemetry.io/collector@v0.53.0/exporter/exporterhelper/queued_retry_inmemory.go:119
go.opentelemetry.io/collector/exporter/exporterhelper/internal.consumerFunc.consume
    /builds/o11y-gdi/splunk-otel-collector-releaser/.go/pkg/mod/go.opentelemetry.io/collector@v0.53.0/exporter/exporterhelper/internal/bounded_memory_queue.go:82
go.opentelemetry.io/collector/exporter/exporterhelper/internal.(*boundedMemoryQueue).StartConsumers.func2
    /builds/o11y-gdi/splunk-otel-collector-releaser/.go/pkg/mod/go.opentelemetry.io/collector@v0.53.0/exporter/exporterhelper/internal/bounded_memory_queue.go:69
Hi, we need to forward XML documents from a UF to indexers that have key fields both in a one-time header section and in a repeated section that can be repeated up to 100,000 times. So, for example, the file could look like:

<PUBS>
<HEADER><Identifier>93234</Identifier>
<REPEATSECTION><Balance>8751.23</Balance></REPEATSECTION>
<REPEATSECTION><Balance>943.43</Balance></REPEATSECTION>
... note: repeats up to 100,000 times with many, many more fields than shown here. Total file size >= 300 MB ...
<REPEATSECTION><Balance>123.233</Balance></REPEATSECTION>
</PUBS>

If the UF breaks events before <REPEATSECTION>, then we could have one Splunk event per REPEATSECTION, but the fields in the HEADER would not be available. If the UF sends the whole 300 MB file to an indexer, is there a configuration of props/transforms on the indexer that can create one Splunk event per REPEATSECTION but also get the fields from the HEADER section? I'm trying to ask a good question here as best I can. Does my question make sense to anyone? Thanks!
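Added example, not part of the post above and not a reply from the thread. Index-time props/transforms act on one event at a time and carry no state from one event to the next, so once the file has been broken at REPEATSECTION there is nothing in LINE_BREAKER or a TRANSFORMS stanza that can pull the HEADER fields into each repeat event. The usual way around it is to flatten the file before the UF sees it: stream through the XML once, copy the header's fields into every repeat record, and write one JSON object per line to a file the UF monitors as ordinary line-oriented events. The Python below does that with xml.etree's iterparse, which keeps memory bounded at 300 MB and 100,000 repeats; the sample XML is constructed (three repeats, with the HEADER element closed, which the post's abbreviated snippet does not show), and the output file and scheduling are left to the reader.

```python
import json
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed sample in the shape the post describes: one HEADER, then a run of
# REPEATSECTION elements (three here instead of 100,000).
SAMPLE_XML = b"""<PUBS>
<HEADER><Identifier>93234</Identifier></HEADER>
<REPEATSECTION><Balance>8751.23</Balance></REPEATSECTION>
<REPEATSECTION><Balance>943.43</Balance></REPEATSECTION>
<REPEATSECTION><Balance>123.233</Balance></REPEATSECTION>
</PUBS>
"""


def _leaf_fields(elem):
    """Child tag -> text for one element; enough for the flat leaves shown."""
    return {child.tag: (child.text or "").strip() for child in elem}


def iter_records(stream, header_tag="HEADER", repeat_tag="REPEATSECTION"):
    """Stream the document once and yield one flat dict per repeat section,
    with the header's fields copied into each. Finished elements are cleared
    so memory does not grow with the number of repeats (only an empty stub
    per element stays attached to the root)."""
    header = {}
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag == header_tag:
            header = _leaf_fields(elem)
            elem.clear()
        elif elem.tag == repeat_tag:
            record = dict(header)           # header fields first ...
            record.update(_leaf_fields(elem))  # ... then this repeat's own
            elem.clear()
            yield record


def to_json_lines(stream):
    """One compact JSON object per line: the form to write to a file the UF
    monitors, so every line becomes one event with all fields present."""
    return [json.dumps(r, separators=(",", ":")) for r in iter_records(stream)]


def sample_records():
    return list(iter_records(BytesIO(SAMPLE_XML)))


def sample_json_lines():
    return to_json_lines(BytesIO(SAMPLE_XML))


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; for a real file pass
    # open(path, "rb") and write the lines to the monitored output file.
    for line in sample_json_lines():
        print(line)
```

Because the UF then ships one-line JSON events, the indexer side needs nothing more than a sourcetype with KV_MODE=json (or INDEXED_EXTRACTIONS=json on the forwarder), and a 300 MB XML document never has to be held as a single event anywhere in the pipeline.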
Hi, my table for VPN connections by a user puts the MAC address of the user's laptop in place of the external IP. CITY, COUNTRY, REGION, LAT, LON, everything related to the location of the user, comes back blank. Does this show any unusual activity by the user?
Hi. Currently, I receive my Linux logs in an index called linux_logs with a syslog sourcetype. I would like to change the syslog sourcetype to the linux_secure sourcetype. How can I make that change so that new logs already arrive with the new sourcetype?

My configuration:

Sourcetype syslog
Sourcetype linux_secure

Thanks!
I am looking to create an acronym from a dynamic string by capturing the first letter of each broken substring. How do I write the script so I can capture whatever number of substrings gets generated from the original string?

i.e. "Hello_World_Look_At_Me" => "HWLAM"
"Hello_World" => "HW"

I'm thinking of doing the following, but this seems to be pretty lengthy. Would like to know if there's a more efficient way of getting this done.

| eval txt1 = "Hello_World_Look_At_Me"
| eval tmp = split(txt1, "_")
| eval new_word = substr(mvindex(tmp,1), 1) + ...