I have a query and I need to show the logs as shown in the image below.

Total Messages: index=app-logs " Request received from all applications" | stats count
Error count: sum of count (App logs + Exception logs + Canceled logs + 401 mess logs)
App logs: index=app-logs "Application logs received"
Exception logs: index=app-logs "Exception logs received"
Canceled logs: index=app-logs "unpassed logs received"
401 mess logs: index=app-logs "401 error message"
Stand by count: subtract (url - cleared log)
url: index=app-logs "url info staged"
cleared log: index=app-logs "Filtered logs arranged"
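One search that produces every number in that list in a single pass, added here as an example rather than taken from the poster's query. It assumes the seven quoted phrases are the distinguishing text in _raw for each category (the stray leading space in the first phrase is dropped) and that the field names on the output are free to choose:

```spl
index=app-logs
    ("Request received from all applications" OR "Application logs received"
     OR "Exception logs received" OR "unpassed logs received" OR "401 error message"
     OR "url info staged" OR "Filtered logs arranged")
| stats count(eval(match(_raw, "Request received from all applications"))) AS total_messages
        count(eval(match(_raw, "Application logs received")))              AS app_logs
        count(eval(match(_raw, "Exception logs received")))                AS exception_logs
        count(eval(match(_raw, "unpassed logs received")))                 AS canceled_logs
        count(eval(match(_raw, "401 error message")))                      AS err401_logs
        count(eval(match(_raw, "url info staged")))                        AS url_count
        count(eval(match(_raw, "Filtered logs arranged")))                 AS cleared_count
| eval error_count   = app_logs + exception_logs + canceled_logs + err401_logs
| eval standby_count = url_count - cleared_count
| table total_messages error_count standby_count app_logs exception_logs canceled_logs err401_logs url_count cleared_count
```

The OR list in the base search keeps the indexer from reading every event in the index, and count(eval(...)) does the per-category tally without seven separate searches or a join. match() takes a regular expression, so if a phrase ever contains characters such as ( or ., escape them or switch to like(_raw, "%phrase%").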
I just updated the Splunk App for Lookup File Editing to the latest version and now I can no longer download lookup files via the CLI. This had been working flawlessly in Splunk Cloud when I was running v3.6.0, but I just updated to 4.0.1 (v4.0.2 is not available in Cloud yet) and now I am getting 403 errors. Through testing, I verified that the lookup endpoint is still valid, that the lookup is shared at the global level, and I even changed the permissions of the account to sc_admin, but I am still experiencing the same issue. Has anyone else come across this and found a solution? I get the same error no matter which lookup file I attempt to download.

My test command:

python3 lut.py -app search -l geo_attr_countries.csv -app search
INFO:root:list of lookups to download: ['geo_attr_countries.csv']
ERROR:root:[failed] Error: Downloading file: 'geo_attr_countries.csv', status:403, reason:Forbidden, url:https://[REDACTED].splunkcloud.com:8089/services/data/lookup_edit/lookup_contents?lookup_type=csv&namespace=search&lookup_file=geo_attr_countries.csv

Python script from here
Hi, I'm not great at Splunk and am struggling with this one. I have this search result in table form:

Name     Status
Server1  OK
Server2  OK
Server1  Deleted
Server2  OK
Server3  Discovered

I'd like to filter out any servers that have the status Deleted, so for the example I'd like:

Name     Status
Server2  OK
Server3  Discovered

Thanks for any help.
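An added example (not the poster's search) of excluding a server as soon as any of its rows carries Deleted, while still collapsing the remaining servers to one row each. `<your base search>` stands in for whatever produces the Name and Status columns:

```spl
<your base search>
| stats values(Status) AS all_statuses latest(Status) AS Status BY Name
| where isnull(mvfind(all_statuses, "^Deleted$"))
| table Name Status
```

A plain `| search Status!=Deleted` would only drop the one Deleted row and leave Server1's OK row behind. Collecting every status per Name first and then testing the multivalue field with mvfind() removes the whole server; latest(Status) keeps the most recent status for the survivors, so Server2 appears once.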
Hi all, I have been working on a new rule and I just can't get it to work fully. I know that there are many similar questions/answers on the forum related to this, but none of them work for me. The events contain the field "TargetUserOrGroupName" containing an email address, e.g.

TargetUserOrGroupName = testmail@gmail.com

I use split and mvindex to get only the email domain out of TargetUserOrGroupName:

| eval email_domain = mvindex(split(TargetUserOrGroupName, "@"), 1)

Then I want to check if "email_domain" is in the lookup "free_email_domains.csv". I was able to get this working easily (partially) with a subsearch and inputlookup:

| search email_domain=* [| inputlookup free_email_domains.csv | fields email_domain]

But there is an issue with getting all the data, as the subsearch returns only 10,000 entries, so free email domains that are not in the first 10k rows are not matched. The local CSV file contains only the column email_domains (I did add an "is_free_domain" column with value "Yes" in the lookup while testing, but it can be removed if not needed). Any help is welcome, as I can't get the lookup command to work (maybe due to the additional extraction of the field value).
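The lookup command has no 10,000-row subsearch cap, so it is the right tool for a large domain list. The search below is an added example, not the poster's rule; it assumes the CSV key column is named email_domain (if it is really email_domains, write `lookup free_email_domains.csv email_domains AS email_domain ...`), that the is_free_domain column is present, and that the domains in the file are lowercase. `<your base search>` stands in for the index and sourcetype that carry TargetUserOrGroupName:

```spl
<your base search> TargetUserOrGroupName="*@*"
| eval email_domain = lower(mvindex(split(TargetUserOrGroupName, "@"), 1))
| lookup free_email_domains.csv email_domain OUTPUT is_free_domain
| where is_free_domain="Yes"
| stats count dc(TargetUserOrGroupName) AS distinct_recipients values(TargetUserOrGroupName) AS recipients BY email_domain
| sort - count
```

Lowercasing the extracted domain before the lookup avoids silent misses when the audit log records Gmail.com and the CSV holds gmail.com, because a CSV lookup matches case-sensitively by default. If the file has no is_free_domain column, use `OUTPUTNEW email_domain AS matched_domain` and filter with `where isnotnull(matched_domain)` instead. The stats at the end turns the match into something a reviewer can act on (which free-mail domains are receiving sharing invitations, and to how many addresses), which is the question this kind of rule is usually written to answer.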
The latest Splunk Add-on for Windows is version 8.8.0 (https://splunkbase.splunk.com/app/742). For customers who are still on version 4.8.2 and need to upgrade to version 8.8.0, the Splunk documentation says to upgrade to version 5.0.1 first, then upgrade to 6, then go from 6 to anything greater. Since the download of Splunk Add-on for Windows version 6.0 is not available from Splunkbase:
1. Where can the customer get Splunk Add-on for Windows version 6.0 (https://splunkbase.splunk.com/app/742)?
2. Can the customer upgrade directly from version 5.0.1 to 8.8.0 without breaking anything?
Note: Assuming that they already follow the steps outlined in "Upgrade the Splunk Add-on for Windows" when upgrading from a version of the Splunk Add-on for Windows that is earlier than 5.0.0.
Hi there, I have noticed that since the most recent update (the one that changed the UI), the Manage Bookmarks dashboard is displayed incorrectly when set as my home page. Has anyone else experienced this / know of a fix? I have also attached an image that shows what the page is meant to look like (normal behaviour, bottom half of the image) and what it looks like when set as the home page (strange behaviour on the home page, top half of the image). Any help/info would be appreciated, Jamie
For my mail logs in JSON format, with my Splunk query I created the table below:

mail from   mail sub                 mail to
ABC         account created for A    abc@a.com
ABC         account created for B    bcd@a.com
ABC         account created for C    efg@a.com

In my Splunk query I apply dedup on "mail sub". As you can see, unique but very similar subjects remain in the table, which I want to be joined further or considered as one row. My ask: what are the possible ways that I can partially match table column values so that they are combined into one? In the matching logic, if possible, we could use two columns for matching (mail from and mail sub).

mail from   mail sub                 mail to     count
ABC         account created for A    abc@a.com   3

Count 3 is coming on the basis of a partial match on the unique subject and mail from combined.
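An added example (not the poster's query) of the usual way to do this: derive a normalised key from the subject, then group on mail from plus that key instead of dedup'ing on the raw subject. It assumes the variable part is always a trailing "for <something>", which is what the sample rows show; `<your base search>` stands in for the search that yields the three columns:

```spl
<your base search>
| rex field="mail sub" "^(?<subject_key>.+?)\s+for\s+\S+$"
| eval subject_key = coalesce(subject_key, 'mail sub')
| stats count first("mail sub") AS "mail sub" values("mail to") AS "mail to" BY "mail from" subject_key
| table "mail from" "mail sub" "mail to" count
```

coalesce() keeps subjects that do not match the pattern as their own group rather than dropping them. If the subjects vary in other ways (ticket numbers, dates), extend the rex so the key is the stable prefix only; grouping on mail from and subject_key together is what the poster asked for, so two senders with the same subject text stay separate rows.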
Good morning, I need to know what the exact search command is in order to see this parameter: Enter a search that returns all web application events that contain a prohibited status (403)
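A search that answers the exercise and also shows how a practitioner would triage the result, added here as an example rather than quoted from the course. It assumes web logs in index=web with Splunk's built-in access_combined sourcetype (which extracts clientip, status and uri_path) and an arbitrary threshold of 20 forbidden responses per client:

```spl
index=web sourcetype=access_combined status=403
| stats count AS forbidden_hits dc(uri_path) AS distinct_paths values(uri_path) AS paths
        earliest(_time) AS first_seen latest(_time) AS last_seen
        BY clientip
| where forbidden_hits >= 20
| fieldformat first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| fieldformat last_seen  = strftime(last_seen,  "%Y-%m-%d %H:%M:%S")
| sort - forbidden_hits
```

The first line on its own is the literal answer ("all web application events with status 403"). The rest is why you would run it: one client collecting many 403s across many distinct paths in a short window is the signature of forced browsing or a directory scan, whereas a handful of 403s on one path is usually a broken link or a misconfigured ACL.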
Hello everyone, we use LDAPS in Splunk to allow our employees to log in to the system (Search Heads). Is there a way for users to change their passwords when needed or after they have expired? Some users only access Splunk and do not have any other means to update their passwords.
Hi all, I have to configure a multisite indexer cluster and I have a doubt: in the Splunk Architect course, the indicated indexer cluster replication port was 9100. Then, reading the Multisite Indexer Cluster documentation, the indicated port is 9887. Which is the correct one? Can I use 9100 instead of 9887, or is 9100 dedicated to other purposes? Thank you for your support. Ciao. Giuseppe
ID: rb.splunk-es.abc.com:/dev/mapper/vg_data-lv_data_opt:os_high_disk_utilization - rb.splunk-es.abc.com - High Priority - Low disk space on /data/opt at 2.00% free
I came across running a custom Python script in Splunk on triggered events by adding the "run a script" action, but I don't know how to do it. As the alerts are visible in Splunk, I want to run a script and extract those triggered alerts by running a script.
Hi all, I am using the search below to monitor the status of a process based on PID and usage. We tried stopping the service and the PID changed. How can we determine when it stopped? When using the search below I am not getting the OLD PID in the table, which was showing the latest one. How can I modify it?

index=Test1 host="testserver" (source=ps COMMAND=*cybAgent*)
| stats latest(cpu_load_percent) as "CPU %", latest(PercentMemory) as "MEM %", latest(RSZ_KB) as "Resident Memory (KB)", latest(VSZ_KB) as "Virtual Memory (KB)", latest(PID) as "PID", latest(host) as "host" by COMMAND
| eval Process_Status = case(isnotnull('CPU %') AND isnotnull('MEM %'), "Running", isnull('CPU %') AND isnull('MEM %'), "Not Running", 1=1, "Unknown")
| table host, "CPU %", "MEM %", "Resident Memory (KB)", "Virtual Memory (KB)", Process_Status, COMMAND, PID
| eval Process_Status = coalesce(Process_Status, "Unknown")
| rename "CPU %" as "CPU %", "MEM %" as "MEM %"
| fillnull value="N/A"
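Grouping by COMMAND alone can only ever show one PID, and latest(cpu_load_percent) is never null as long as a single old sample exists, so the case() branch for "Not Running" cannot fire. The added example below (not the poster's search) groups by PID instead, so each process lifetime becomes its own row: the old PID's last_seen is the stop time, the new PID's first_seen is the restart. It assumes the ps sourcetype is polled on a fixed schedule and treats a PID not seen for 600 seconds as stopped; tune that to the real polling interval:

```spl
index=Test1 host="testserver" source=ps COMMAND=*cybAgent*
| stats earliest(_time) AS first_seen latest(_time) AS last_seen
        latest(cpu_load_percent) AS "CPU %" latest(PercentMemory) AS "MEM %"
        latest(RSZ_KB) AS "Resident Memory (KB)" latest(VSZ_KB) AS "Virtual Memory (KB)"
        BY host COMMAND PID
| eval Process_Status = if(now() - last_seen > 600, "Stopped", "Running")
| eval lifetime_min   = round((last_seen - first_seen) / 60, 1)
| sort host COMMAND first_seen
| fieldformat first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| fieldformat last_seen  = strftime(last_seen,  "%Y-%m-%d %H:%M:%S")
| table host COMMAND PID first_seen last_seen lifetime_min Process_Status "CPU %" "MEM %" "Resident Memory (KB)" "Virtual Memory (KB)"
```

A gap between one PID's last_seen and the next PID's first_seen is the window in which the agent was down; for a security agent such as cybAgent that window is exactly what an alert should be built on, rather than on whether a CPU figure happens to be null.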
When I made a log for HEC with a JSON array, I'm not sure which way is better for using SPL. Can someone advise me, please?

Way 1:

{"host": "test",
 "lists": [
   {"id": "list1", "ip": "192.168.0.1", "device": "laptop",  "value": 123},
   {"id": "list2", "ip": "192.168.0.2", "device": "phone",   "value": 1223},
   {"id": "list3", "ip": "192.168.0.3", "device": "desktop", "value": 99}
 ]}

Way 2:

{"host": "test",
 "list1": {"id": "list1", "ip": "192.168.0.1", "device": "laptop",  "value": 123},
 "list2": {"id": "list2", "ip": "192.168.0.2", "device": "phone",   "value": 1223},
 "list3": {"id": "list3", "ip": "192.168.0.3", "device": "desktop", "value": 99}}
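The array form (way 1) is the one SPL handles cleanly, because one spath path addresses every element regardless of how many there are. The search below is an added example, not the poster's; `<your base search>` stands in for the index and sourcetype the HEC input writes to, and it assumes the object above is the body of the HEC `event` key (if it is posted to /services/collector/event as-is, the top-level `host` is HEC metadata and the document must be wrapped in `"event": {...}`):

```spl
<your base search>
| spath path=host output=payload_host
| spath path=lists{} output=entry
| mvexpand entry
| spath input=entry
| table payload_host id ip device value
```

Each array element becomes one row with id, ip, device and value as ordinary fields, so `| stats sum(value) BY device` or `| search ip=192.168.0.2` just work. With way 2 the element names are part of the path (list1.ip, list2.ip, ...), so every search needs a wildcard plus foreach and the row count has to be known or guessed in advance.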
The _raw JSON format is below:

{ "test-03": { "field1": 97869,  "field2": 179771, "field3": "test-03", "traffics": 1070140210 },
  "test-08": { "field1": 53094,  "field2": 103840, "field3": "test-08", "traffics": 998807234 },
  "test-09": { "field1": 145655, "field2": 250518, "field3": "test-09", "traffics": 2212423288 },
  "test-10": { "field1": 83663,  "field2": 151029, "field3": "test-10", "traffics": 762554139 },
  "k": 63314 }

When I use timechart avg(test*.traffics), it works, but the numbers were so huge that I tried to change them with | eval test*.traffics=round(test*.traffics/1024,2), but it didn't work. Can anybody help, please?
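eval does not accept a wildcard on either side, which is why that line did nothing. foreach expands the wildcard into one eval per matching field; the double and single quotes around <<FIELD>> are needed because the names contain a dash and a dot. This is an added example, not the poster's search; `<your base search>` and the one-hour span are assumptions:

```spl
<your base search>
| foreach test*.traffics
    [ eval "<<FIELD>>" = round('<<FIELD>>' / 1024, 2) ]
| timechart span=1h avg(test*.traffics)
| rename "avg(*)" AS *
```

Dividing by 1024 gives KiB; use 1048576 for MiB. The rename at the end strips the avg(...) wrapper from the column names so the chart legend reads test-03.traffics rather than avg(test-03.traffics).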
Hi all, I have a panel with 4 columns and I configure the panel settings in "htmlPanel1A".

<panel id="htmlPanel1A">

Due to different values in each column, I sometimes find that 3 columns look left-aligned while the remaining column looks right-aligned. I think the problem comes from the center alignment in the default setting. I would like to change to right alignment for all columns while keeping the title of the panel center-aligned. Is there any suggestion on my CSS configuration to fulfill this purpose?

<panel depends="$alwaysHideCSS$">
  <html>
    <div>
      <style>
        /* define some default colors */
        .dashboard-row .dashboard-panel {
          background-color: lightcyan !important;
        }
        .dashboard-panel h2 {
          background: cyan !important;
          color: #FFFFFF !important;
          text-align: center !important;
          font-weight: bold !important;
          border-top-right-radius: 12px;
          border-top-left-radius: 12px;
        }
        /* override default colors by panel id */
        #htmlPanel1 h2, #htmlPanel1A h2 {
          color: #3C444D !important;
          background-color: #FFFFFF !important;
        }
        .....
      </style>
    </div>
  </html>
</panel>

Thank you so much.
I am trying to get individual values and add a summary row with the minimum value. In this case I have 3 times and want the output to have all three times and create a minimum time row (labelname=min).

event   _time
a       10:00
b       11:00
c       10:30
min     10:00
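appendpipe is the command for this: it runs a subpipeline over the rows already produced and appends the result, so the summary row is computed from the same data without a second search. An added example, not the poster's query; `<your base search>` stands in for whatever yields event and _time, and it assumes _time is an epoch value (which is what min() should compare, rather than a formatted string):

```spl
<your base search>
| stats min(_time) AS _time BY event
| appendpipe
    [ stats min(_time) AS _time
      | eval event = "min" ]
| fieldformat _time = strftime(_time, "%H:%M")
| table event _time
```

The same shape gives a max or avg row by swapping the function inside the subpipeline, and fieldformat keeps the underlying epoch intact for sorting while displaying it as HH:MM.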
I have a very long SQL query executing every 900 seconds, and the number of events is in the millions. There are ~10 "left joins" in the SQL query, which seems to filter events by fields to get the output, creating load on the server and on the DB Connect server. I wanted to use the "Catalog", "Schema" and "Table" options in the DB input, where I want to choose or add multiple left joins. Do we have any documentation? I didn't find any in Splunk Docs, nor in the community. Any explanation or documentation on "How to use left join using schema in DB Connect input" would be much appreciated. Thanks in advance!
Hello, I'm working in Splunk Enterprise 8.2.4. I have the search below:

index=Red msg="*COMPLETED Task*"
| spath output=logMessage path=msg
| rex field=logMessage "Message\|[^\t\{]*(?<json>{[^\t]+})"
| eval PP_elapsedTime=spath(json, "PPInfo.PP.elapsedTime")
| eval CC_elapsedTime=spath(json, "CCInfo.CC.elapsedTime")
| eval System = "Member"
| table System, PP_elapsedTime, CC_elapsedTime

Current output:

System   _time        PP_elapsed_Time   CC_elapsed_Time
Member   2023-09-10   1.52              4
Member   2023-09-11   2                 2.6

I want the output to read:

System   _time        Reason            Value
Member   2023-09-10   PP_elapsed_Time   1.52
Member   2023-09-10   CC_elapsed_Time   4
Member   2023-09-11   PP_elapsed_Time   2
Member   2023-09-11   CC_elapsed_Time   2.6

I'm not sure where to go from here; any feedback would be appreciated.
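Turning two columns into two rows per event (wide to long) is done by packing the name/value pairs into a multivalue field, expanding it, and splitting it back apart. The search below is an added example that reuses the poster's own extraction stages unchanged and appends the reshaping; the Reason labels PP_elapsedTime and CC_elapsedTime follow the field names in the search rather than the PP_elapsed_Time spelling in the table:

```spl
index=Red msg="*COMPLETED Task*"
| spath output=logMessage path=msg
| rex field=logMessage "Message\|[^\t\{]*(?<json>{[^\t]+})"
| eval PP_elapsedTime = spath(json, "PPInfo.PP.elapsedTime")
| eval CC_elapsedTime = spath(json, "CCInfo.CC.elapsedTime")
| eval System = "Member"
| eval pair = mvappend("PP_elapsedTime=" . PP_elapsedTime, "CC_elapsedTime=" . CC_elapsedTime)
| mvexpand pair
| rex field=pair "^(?<Reason>[^=]+)=(?<Value>.*)$"
| table System _time Reason Value
```

mvexpand copies every other field (System, _time) onto each new row, which is what keeps the date next to both values. Because concatenating with a null yields null and mvappend() skips nulls, an event missing one of the two timings produces a single row rather than an empty Value; wrap the fields in coalesce(..., "N/A") if you would rather see the gap explicitly.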
Today, we're unveiling a revamped integration between Splunk Answers and Splunkbase, designed to elevate your experience with Splunkbase apps. Now, each Splunkbase app will feature its own dedicated 'product page' on Splunk Answers. This new layout simplifies app-specific conversations, making it easier than ever for customers, developers, partners, and Splunkers to collaborate and solve challenges.

About Splunkbase: Splunkbase is a marketplace where Splunk customers can download apps for the Splunk Cloud Platform, Splunk Enterprise, or Splunk SOAR. Developers can also upload their own Splunk Enterprise and Splunk Cloud Platform apps to share them with the Splunk community.

About Splunk Answers: Splunk Answers is a discussion forum for the Splunk community to engage in dialogue regarding Splunk. It serves as a knowledge base to help customers engage with each other, Splunk employees, and app developers.

This integration improves the experience between two key tools used by the community and offers three key benefits. First, customers will be able to easily find a knowledge base of previously asked and answered questions regarding specific apps, allowing faster self-service issue resolution. Second, developers will be able to communicate directly with users of their apps, enabling better asynchronous troubleshooting of issues. Third, developers will be able to source feedback from the discussions to inform future enhancements to their apps.

The best part? In order to take advantage of this integration, developers do not need to do anything! App listings will automatically be updated to point to the new Splunk Answers app discussions. (Note: when creating a new listing, it may take up to 24 hours to create the corresponding Splunk Answers app discussion. Upon initial creation, the app listing will temporarily point to the generic All Apps and Add-Ons page.) We hope this new functionality makes it easier to use and extend Splunk.
For questions and comments, reach out to splunkbase-admin@splunk.com or community@splunk.com.