Hi, my logs do not appear in the index and in splunkd.log I get the following error:

09-21-2023 16:36:40.693 +0200 INFO AutoLoadBalancedConnectionStrategy [7698 TcpOutEloop] - Connected to idx=xx.xx.xx.xx:16313, pset=0, reuse=0. using ACK.
09-21-2023 16:36:48.003 +0200 INFO TailReader [7705 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log'
09-21-2023 16:37:10.613 +0200 INFO AutoLoadBalancedConnectionStrategy [7698 TcpOutEloop] - Connected to idx=xx.xx.xx.xx:16313, pset=0, reuse=0. using ACK.
09-21-2023 16:37:18.002 +0200 INFO TailReader [7705 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log'

My inputs.conf has only the following:

[default]
host = myhostname
index = vcenter-index-name

[monitor:///var/log/remotelogs/vcenter-rep/analytics.log]
sourcetype = "vcenter"
queueSize = 50MB
crcSalt = <SOURCE>
disabled = false

I would mention that I have the same configuration on a different server and logs end up in Splunk without a problem, and this error does not appear on the other servers:

09-21-2023 16:37:18.002 +0200 INFO TailReader [7705 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log'
I am fighting with what I think is a knowledge object permission at the moment, but not 100% sure of this.

Context: I have 2 apps
1) mainapp with savedsearches, macros, dashboards, etc.
2) mainapp_TA, containing most of the *.config files (props, transforms, etc.)

Based on the GUI Settings > pages, all ...
* savedsearches are all set to owner=nobody
* macros are set to owner= No Owner
* Sharing is set to App for everything

Issue: One of my 7 savedsearches will NOT run using a CRON schedule when the owner=nobody. The other savedsearches run just fine. However, once I set owner=greg in /metadata/local.meta, the CRON schedule runs just fine. Note: I tried setting owner to another user in our environment, and the CRON would NOT run. So, somehow this savedsearch is tied to me and I am not sure how to "untie" it. When the owner=nobody on this savedsearch, I can manually hit "run" from the Settings > Searches, Reports, and Alerts page and it works every time.

I cannot figure out WHY this savedsearch is special and requires me to be the owner.

I have to be missing something but not sure where to look now.

Any help is greatly appreciated.
Regards, Greg
Hello, I am trying to get the filename (name.exe) from a full path (dir + filename) from Windows folders, ex: C:\dir1\dir2\filename.ext, using code as below:

index = os_sysmon NOT Image="*Sysmon*" EventCode=1
| rex field=Image "Executable=(?P<Executable>[^\\\]+)$"
| table Image Executable

Problem: Executable is always empty. Can you please advise?
Best regards, Altin
Hello, I am trying to test the functionality of sending an email that will be sent because of an alert. For that, first I tried to send an email using the sendemail command. I used the free subscription of Brevo to get an accessible SMTP server to send an email. Then I tried configuring the email settings in my Splunk Enterprise. Below are the screenshots of my email settings. For the password, I am using the MasterKey provided in Brevo for my SMTP.

For the rest of the settings, I kept them as the default.

I am trying to send the data to a dummy email in Mailinator. Below is my searched SPL with the error. It is giving me an error for the email set as "Send Email as user (Splunk)", which I kept as default. I tried using my personal Gmail ID as well but got the same error for that ID. Can anyone please help me on how to debug or resolve this issue?
Hello! I am trying to get the streamfwd app to capture traffic on an interface located on my virtual machine. Does this app not recognize link layer virtualization? This is the error I am receiving and currently can't find a workaround:

"(SnifferReactor/PcapNetworkCapture.cpp:238) stream.NetworkCapture - SnifferReactor unrecognized link layer for device <lo0>: 253"

I was also receiving the same error when I changed my streamfwd.conf to capture on a different network interface. I even tried putting the interface into promiscuous mode. Any help/troubleshooting on this would be appreciated! FYSA, I am using 64-bit CentOS 8.
My app contains the index.conf which declares the index that is installed on the heavy forwarder and it is not installed on the indexer. The problem is that data does not land on the indexer.
Hi, I have this query:

| makeresults
| eval _raw="{\"name\": \"my name\", \"values\": [{\"rank\": 1, \"value\": \"\"}, {\"rank\": 2, \"value\": \"a\"}, {\"rank\": 3, \"value\": \"b\"}, {\"rank\": 4, \"value\": \"c\"}]}"
| spath
| rename values{}.rank as rank
| rename values{}.value as value
| table name, rank, value

Producing result. Because in the first item of values, value is empty, the values in the table are shifted up one and are not aligned with the rank. How could I conditionally update the value to, say, [empty] if it is an empty string in the data?
Hello Splunker, I'm trying to join two field values in a stats command using eval; it looks like I'm doing it wrong. Please help me with the correct syntax.

| stats count (eval(action="Not Found",action="Forbidden")) as failures by src
| where failures>100
| table src

Basically I'm trying to call "Not Found" and "Forbidden" as Failures that happened from a single source and then make a count of both these fields.

Any help here is appreciated.
Thanks, Moh
Hello, I have a table with 3 columns:

Domain   Environment   %of deployments
hello    qa            12
hello1   dr            13
hello2   prod          13
hello3   dev           15

And I would like to achieve this:

Domain   qa   dr   dev   prod
hello    12   13   14    15
hello1   1    2    3     4
hello2   3    2    4     6
hello3   1    3    5     7

where the numbers in the cells are the % of deployments for each environment and domain. I've tried this but it is not working as expected:

| eventstats count by SERVERS
| eventstats dc(SERVERS) as Total_Servers by Domain Environment
| eventstats dc(SERVERS) as Total_Servers
| eval "% Of deployments by domain&env" = (Deployed_Servers/Total_Servers)*100
| search Sprint!=*required AND Sprint!=*deleted* AND Sprint!="?"
| eval SH_{Environment}=count
| eventstats values(SH_*) as * by Domain
| dedup Environment Domain
| table Domain SH* "% Of deployments by domain&env"
| rename SH_dr as DR SH_production as Production SH_qa as QA SH_staging as Staging
Hi All, I have a CSV file in Splunk that I am searching on. I am looking to get the total monthly figure spent on each account number and then the total spend per month (of all account numbers). Here is the query I've created:

..... main search
| rename Order_Date as Month
| stats count by Account_Number, Total_Sum, Month
| eventstats sum(Total_Sum) as Monthly_Total by Month
| sort - Total_Sum
| sort Account_Number
| stats list(Account_Number) as Account_Number, list(Total_Sum) as Total_Sum, values(Monthly_Total) as Monthly_Total by Month

It looks good, but then I noticed that I haven't added each Account_Number up per month (see table below, as 6210 appears 3 times). Can anyone help?

Month   Account_Number   Total_Sum   Monthly_Total
April   5751             1986        51130.66
        5756             23423.42
        6201             139
        6203             17003.09
        6205             7107.98
        6210             1395.12
        6210             50
        6210             18
        6340             8.05

Also I'd like to make the figures in Euros. I've tried the below but it won't work - any ideas?

| fieldformat Total="€".tostring(Total, "commas")

Finally, Splunk has put the month April at the top. I've tried to use the eval command to move January to the top using the code below but this hasn't helped - any ideas?

| eval M=case(Month=="April","04", Month=="January","01", Month=="February", "02", Month=="March","03", Month=="May", "05", Month=="June", "06", Month=="July","07", Month=="August","08", Month=="September", "09")
| sort M
| fields - M

Many thanks, P
This is an informational post rather than a question.

If you use WEF to gather logs from your infrastructure to a single point from which you pick them up with [WinEventLog://ForwardedEvents], you might notice that this input can stop working after you upgrade to 9.1.0 (or above). The forwarder will log to splunkd.log errors about wrong event format:

Invalid WEC content-format:'Events', for splunk-format = rendered_event
See the description for the 'wec_event_format' setting at $SPLUNK_HOME/etc/system/README/inputs.conf.spec for more details

If you go to the inputs.conf spec file (either in the README directory or on the Splunk website) you'll find the wec_event_format parameter (which was not present in versions up to 9.0.6), which must correspond with the setting in the WEF subscription settings. If the wec_event_format is "wrong" (the most typical situation will be when the WEF subscription is created as Events and the UF uses the default rendered_event value), you need to set wec_event_format = raw_event in your input definition.
Hi, after some days the Splunk server stopped receiving input. The forwarders have not changed, but I did some changes on the Splunk server (can't remember what I did). I also know that the firewall is not the cause of the problem. On the Splunk server we have also configured Splunk Universal Forwarder, so the same server includes both Splunk Enterprise + Splunk Universal Forwarder.

Not sure, but I think it's some trouble with the indexer since it cannot receive inputs. I have also verified that the environment variables are OK. I also changed file permissions on all files/directories below SPLUNK_HOME, so it should be fine.

On Splunk Universal clients (on clients), splunkd.log says that TcpOutProc is connected to the Splunk server. It also says that the Splunk server LISTENs on *:9997.

> ss -tnlup
tcp LISTEN 0 128 *:9997 *:* users(("splunkd",pid=170257,fd=41))

I assume telemetry data is sent to the Splunk server, but it is not indexed.

One more piece of information: on the Splunk server, under Settings - Data - Indexes, I can see that

_audit          SplunkLighForwarder   $SPLUNK_DB/audit/db           status says disabled
_internal       SplunkLighForwarder   $SPLUNK_DB/_internal/db       status says disabled
_introspection  SplunkLighForwarder   $SPLUNK_DB/_introspection/db  status says disabled
_telemetry      SplunkLighForwarder   SPLUNK_DB/_telemetry/db       status says disabled
history         SplunkLighForwarder   SPLUNK_DB/history/db          status says disabled
main            SplunkLighForwarder   PLUNK_DB/history /default/db  status says disabled

I assume it has something to do with wrong settings on the Splunk server. Hope someone out there can give me some useful tips/hints so we can use Splunk again as normal.

Rgds, Geir J. H
Hello everyone, I have a need to increase the compute capacity of an HF running in AWS (it is only forwarding, not indexing).

Splunk PS recommended putting a 16-CPU machine into service. I'm not sure if the vCPU count shown by the AWS instance-type page reflects the number of cores that will be exploited by Splunk, or the number of threads that are available. Basically, I don't know if I want a 16 vCPU machine (c6i.4xl) or a 16 physical core machine (c6i.16xlarge) to get Splunk using the recommended 16 CPUs. Does anyone have a quick answer? Google wasn't my friend here!
Mike
I've received this warning: "If you do nothing, the app will fail in future Splunk upgrades that use jQuery 3.5". Does anyone use this add-on on Splunk Enterprise 9.X?
Hi Folks, has anyone upgraded 7.2.x UF on Windows 2012 R2 to 9.0.x? Documentation says to upgrade 7.2 to 8.0 or 8.1, then 9.x. However, Windows 2012 R2 is not supported on 8.0.x or 8.1.x. Can't find any documentation or posts related to this so asking here: is it OK to upgrade 7.2.x to 8.2.x then onto 9.0.x for Windows 2012 R2?
I have this date string example: Mon, 01 May 2023 00:00:00 GMT. How can I convert it to epoch? Thanks!
Hello, I sat for the Splunk Certified Cybersecurity Defense Analyst (CDA) exam on the 14th of September, 2023 and this is a week after and there is no result yet. How can I access my result?
I have a number of lookups that I create with a similar naming convention (and plan to create more in the future). I want to be able to have a saved search that searches across all these lookups. The following does not work, as the subsearch returned provides a litsearch of (title="chosen_lookups_abcd" OR title="chosen_lookups_bcda"):

| inputlookup append=t [| rest /servicesNS/-/-/data/lookup-table-files | search title=chosen_lookups* | table title ]

Ideally, something like the following would work:

| inputlookup append=t chosen_lookups*

Thanks in advance
Hello Team, we are trying to develop a function to validate if a user id and pwd are valid (in an artifact). Thought of using an LDAP BIND; unfortunately we are getting an error that we cannot import LDAP3. Has anyone developed an app or function to test this?
Hi Splunkers, I have a huge report with 15 to 20 pages worth of information which I need to show in a dashboard panel. Is there any way that I can add "expand"/"collapse" options to showcase my data in a better way, especially for the non-Splunk users to understand it better? Thanks