Does it leverage an API call directly to the data sources, or does it use data already indexed in Splunk?
Hi There! I have the case where, if the present day is "Monday" and the user selects the option "Exclude weekend", the time range picker should look for the data on Friday. If the user selects the option "Include weekend", the time range picker should be yesterday.

<input type="radio" token="weekends" searchWhenChanged="true">
  <label>Weekends</label>
  <choice value="exclude">Exclude Weekends</choice>
  <choice value="include">Include Weekends</choice>
  <default>exclude</default>
  <initialValue>exclude</initialValue>
</input>

thanks!
Hello, upon attempting to execute the command $SPLUNK_HOME/bin/splunk reload deploy-server following the update of app inputs, a warning message is generated, which states:

"Could not look up HOME variable. Auth tokens cannot be cached. WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details. Reloading serverclass(es)."

Could you please suggest a solution to address this problem, as the changes do not appear to be taking effect. Thanks
Hello All, I have a lookup file, table1.csv, with two columns: index, sourcetype. I have a custom index which has the fields orig_index and orig_sourcetype. I need to build and execute an SPL search for each row of the lookup file, so I need your inputs to build it. Thank you, Taruchit
Hi All, I am having an issue using the Splunk Add-on Builder app in a clustered SH environment. I am getting the following warning: "The Add-on Builder could not be loaded because the current server is in a search head cluster." Has anyone come across such a warning? How can this be fixed? I tried it on a separate SH, but no luck so far. It is a dev instance. Are there any configs I can adjust on the back end of that SH?
Hello! Can Azure AD and Microsoft Entra ID be configured simultaneously on a Splunk Enterprise instance? Is this a stupid question? Thanks! Andrew
Failed to contact the cluster manager. ERROR: Cluster manager is not enabled on this node
Failed to contact the peers endpoint. ERROR: Cluster manager is not enabled on this node

I encountered the above error message when executing $SPLUNK_HOME/bin/splunk validate cluster-bundle --check-restart -auth admin:password. Has anyone had a similar problem? In addition, I put all the management functions onto one node; is this what caused the above error?
Hello Friends, my search returns the following:

serverName  errorNumber  responsiblePerson  responsblePersonEmail
server_a    4586         Bob M.             bobm@tmail.com
server_a    1236         Bob M.             bobm@tmail.com
server_a    788          Bob M.             bobm@tmail.com
server_b    468          Bob M.             bobm@tmail.com
server_b    8798         Bob M.             bobm@tmail.com
server_c    5647         Amelia S.          amelias@tmail.com
server_c    556          Amelia S.          amelias@tmail.com
server_c    789          Amelia S.          amelias@tmail.com
server_c    8799         Amelia S.          amelias@tmail.com

I want to send alerts by email to the appropriate responsible person. Each responsible person should receive ONLY ONE email that contains ALL errors on the servers for which he is responsible. In this example Bob should receive one email that contains 5 lines (3 for server_a and 2 for server_b), and Amelia should receive one email that contains 4 lines (for server_c). Any help would be appreciated!
Path : /opt/app/splunk/bin/jars/vendors/spark/3.0.1/lib/log4j-core-2.13.3.jar   Installed version : 2.13.3
Hello, I get in Splunk every 7 days a vulnerability scan log from all hosts in our infrastructure; in the future the scan should be every day. Now I want to filter which of the vulnerability findings are really new and which ones are equal to the last scan, because they are not new anymore, have a reason why they are still in the filter, and should be excluded from the search output. If the scan output is the same, the CVE number and the message are identical and only the date is different. My output should look like this: I see only event scan messages that are only one time in the logs. When a scan log is the same (CVE number) two times in the log, it should not be shown in the output. The best thing would be if I could see in the statistics field which of the extracted_Host values are new in the logs. Right now my filter is like this:

index=nessus Risk=Critical | stats count as event_count by CVE, extracted_Host | where event_count=1 | rename extracted_Host as Host | table CVE, Host

I can see in the statistics which of the extracted hosts are new with the CVE number, but in the main event logs I still see equal logs which are not new anymore. I tried with dedup, but that only deletes the old event log's field value; I can exclude the old event log, but the newest is still there. Thanks for the help
These are the sample parameters for index, host, source:

index="production" host="abc.com-i-1234" source="Log-*-3333-abc4j.log"

Suppose there are three Splunk queries as shown below:

----------------------------------------
Query 1:

index="production" host="abc.com-*" source="Log-*" | eval ID=substr(host,9,7) | dedup ID | table ID

Suppose it gives output as:

ID
i-1234
i-5678
i-9123
i-4567

------------------------------
Query 2:

index="production" host="abc.com-$field2$" source="Log-*-*-abc4j.log" | eval Sub_ID = mvindex(split(source,"-"),2) | dedup Sub_ID | table Sub_ID

Suppose it gives output as:

Sub_ID
111
222
3333
4444
555
666
7777
8888

where $field2$ denotes the "ID" generated from Query 1, and each "ID" from Query 1 is mapped to two values of "Sub_ID" generated from Query 2. E.g. if the query was

index="production" host="abc.com-i-1234" source="Log-*-*-abc4j.log" | eval Sub_ID = mvindex(split(source,"-"),2) | dedup Sub_ID | table Sub_ID

it will give output as:

Sub_ID
111
222

-------------------------------------------
Query 3:

index="production" host="abc.com-$field2$" source="Log-*-$field3$-log4j.log" | dedup RP_Remote_User | table RP_Remote_User | stats count as events

Suppose it gives output as:

events: 52

where $field2$ denotes the "ID" generated from Query 1 and $field3$ denotes the "Sub_ID" generated from Query 2. E.g. if the query was

index="production" host="abc.com-i-1234" source="Log-*-3333-log4j.log" | dedup RP_Remote_User | table RP_Remote_User | stats count as events

it will give output as (on the basis of "ID": i-1234 and "Sub_ID": 3333):

events: 52

---------------------------------------
Could you please help me with the Splunk query to generate the output in tabular format as below (count of events corresponding to each ID and its Sub_ID) with the help of the above three queries:

ID      Sub_ID  Events
i-1234  111     38
        222     48
i-5678  3333    52
        4444    45
i-9123  555     23
        666     34
i-4567  7777    12
        8888    29
Is Splunk 9.1 completely compatible with RHEL 9? I need to know which version of Splunk is completely compatible with which version of RHEL and supports all features. As I know, RHEL 9 uses kernel 5.14.0. Is Splunk completely compatible with this version?
Hi. I have been given a search that I need some help deciphering.

index=atp-aes-prod sourcetype=atp_aes_json SourceContext=RevisionLogger Properties.Url="/api/Document/get-merged-pdf" Properties.IsImpersonated=false
| join type=inner CorrelationId [search index=atp-aes-prod SourceContext=ANS.Platform.Application.Commands.Queries.Selfservice.GenerateMergedPdf.GenerateMergedPdfHandler MessageTemplate="User tries to merge*"]
| join type=inner CorrelationId [search index=atp-aes-prod SourceContext=ANS.Platform.Integrations.GetOrganized.GoDocumentsService MessageTemplate="Start CombineToPdf method*"]
| join type=inner CorrelationId [search index=atp-aes-prod SourceContext=ANS.Platform.Domain.Services.Selfservice.Authorization.SelfServiceAuthorizationService MessageTemplate="SelfServiceAuthorizationService took {@elapsedMilliseconds} ms to be constructed for part {@partId}."]
| table Properties.Url, Timestamp, Properties.CompanyName, Properties.partId, Properties.documents

It does not run on our system and never will; I think it was developed by somebody versed in relational databases. I'm trying to rewrite this search, but I'm slightly baffled by the {@elapsedMilliseconds} and {@partId}. Does anybody know what they are doing? Kind regards, las
Hi, I am from the Cisco Internal Eng team. I want to try AppDynamics for my Cisco product. Can you please guide me on how to get a trial license? Thanks, udaya
Hello Community, I have a sample data as below: 2023-10-17T17:14:24,436Z client-id=1159222917, transaction-id=522f4012-9737-483c-a3bb-8f23f146da0f [INFO ] [http-nio-9010-exec-3] c.c.a.s.AService AddressMetrics: {"fieldsToCompare":["addressLine1","city","stateProvince","postalCode","latitude","longitude","taxGeoCode","matchCode","locationCode"],"addressResponseV1":{"addresses":[{"taxGeoCode":"442150950","apartmentLabel":"","matchCode":"S80","city":"EDINBURG","postalCode":"785413355","latitude":"26.307701","houseNumber":"121","stateProvince":"TX","leadingDirectional":"W","streetName":"VAN WEEK","lastLine":"EDINBURG, TX 78541-3355","addressLine1":"121 W VAN WEEK ST","addressLine2":"","streetSuffix":"ST","locationCode":"AP05","trailingDirectional":"","longitude":"-98.162231","apartmentNumber":""}]},"addressRequest":{"clientId":"1159222917","city":"EDINBURG","postalCode":"78541","multiMatch":false,"addressLine1":"121 W VAN WEEK ST","addressLine2":"","state":"TX","sessionId":"1159222917","userId":"1366654994","transactionId":"522f4012-9737-483c-a3bb-8f23f146da0f"},"addressResponseV2":{"addresses":[{"geoResultCode":"S8HPNTSCZA","zipCode":"78541","taxGeoCode":"442150950","matchCode":"S80","city":"EDINBURG","latitude":26.307701,"addressLine1":"121 W VAN WEEK ST","zip4":"3355","addressLine2":"","state":"TX","locationCode":"AP05","longitude":-98.162231}]},"decisionMatrix":{"taxGeoCode":true,"matchCode":true,"city":true,"postalCode":true,"latitude":true,"addressLine1":true,"stateProvince":true,"locationCode":true,"longitude":false}} 2023-10-17T17:14:24,432Z client-id=0122346633, transaction-id=1fde5a12-ee65-4523-bed4-c8dd76cc666b [INFO ] [http-nio-9010-exec-6] c.c.a.s.AService AddressMetrics: 
{"fieldsToCompare":["addressLine1","city","stateProvince","postalCode","latitude","longitude","taxGeoCode","matchCode","locationCode"],"addressResponseV1":{"addresses":[{"taxGeoCode":"442152020","apartmentLabel":"","matchCode":"S80","city":"MISSION","postalCode":"785741749","latitude":"26.240278","houseNumber":"1004","stateProvince":"TX","leadingDirectional":"E","streetName":"DAWSON","lastLine":"MISSION, TX 78574-1749","addressLine1":"1004 E DAWSON LN","addressLine2":"","streetSuffix":"LN","locationCode":"AP05","trailingDirectional":"","longitude":"-98.310512","apartmentNumber":""}]},"addressRequest":{"clientId":"0122346633","city":"MISSION","postalCode":"78574","multiMatch":false,"addressLine1":"1004 E DAWSON LN","addressLine2":"","state":"TX","sessionId":"0122346633","userId":"0867774533","transactionId":"1fde5a12-ee65-4523-bed4-c8dd76cc666b"},"addressResponseV2":{"addresses":[{"geoResultCode":"S8HPNTSCZA","zipCode":"78574","taxGeoCode":"442152020","matchCode":"S80","city":"MISSION","latitude":26.240278,"addressLine1":"1004 E DAWSON LN","zip4":"1749","addressLine2":"","state":"TX","locationCode":"AP05","longitude":-98.310512}]},"decisionMatrix":{"taxGeoCode":false,"matchCode":true,"city":false,"postalCode":true,"latitude":true,"addressLine1":true,"stateProvince":true,"locationCode":true,"longitude":true}}

What I am trying to achieve here is to get the stats of each field within the decisionMatrix object, as below:

Field       TRUE  FALSE
taxGeoCode  1     1
matchCode   2     0
city        1     1

Any suggestions?
According to the UBA documentation, it looks like UBA's machine learning is based on on-prem Microsoft Active Directory and the corresponding event codes. I'm wondering if UBA is capable of dealing with AAD events, now that many organizations have shifted to Azure AD/Entra.
I have a drilldown in a Dashboard Studio panel that returns the start time of some events ($startTime$). I want to use the token as the earliest, and at the same time I want to use $dd_span$+$startTime$ as the latest ($dd_span$ is created from a pulldown menu; it has options of 1d, 1h, 2h, etc.). I want to use the start time and end time to narrow down a search in another panel.

index=main (earliest=$startTime$ latest=$startTime$+$dd_span$) | spath ...

does not resolve. Is there a way to add the times together?
Is there any optimal way to get context both before and after for a search result? As in, if I search for a term like "Error", I want to be able to see 10 lines before and after this message.
I want to enable/disable Splunk alerts in Splunk Cloud. How do I disable/enable alerts using the REST API or SPL commands in Splunk Cloud?
I'm struggling to effectively use a minor amount of JavaScript which is intended to facilitate some in-dashboard help pages, and hoping that someone might be able to help me out.

Given this JavaScript (in <app>/appserver/static/js/help.js):

require([
    'jquery',
    'splunkjs/mvc/simplexml/ready!'
], function($) {
    $('#help-btn').on('click', function() {
        $('#help').toggle();
    });
    $('#help-close').on('click', function() {
        $('#help').toggle();
    });
});

And this dashboard which adds a "Dashboard Help" button (next to Edit), the idea would be that simply clicking the button will toggle() the #help id, which is the panel. In "Edit" mode, I can see my overview.html panel as well as the "Dashboard Help" button, and clicking it will perform the correct action. I've used this on live dashboards as well, successfully on some and not so much on others. I imagine there's some sort of timing condition with dynamic loading and whatnot that I'm running into. Can anyone advise?

<form version="1.1" script="common_ui_util:/js/help.js">
  <label>TEST</label>
  <row>
    <panel>
      <html>
        <div>
          <input id="help-btn" type="button" value="Dashboard Help" style="top: -40px;" class="btn default"></input>
        </div>
      </html>
    </panel>
  </row>
  <row depends="$HIDEME$">
    <panel id="help">
      <html>
        <button id="help-close" class="help-close close close_btn"/>
      </html>
      <html src="html_docs/overview.html"></html>
    </panel>
  </row>
</form>