index=xxxx sourcetype="Script:InstalledApps" DisplayName="Carbon Black Cloud Sensor 64-bit"

I am trying to get the list/names of hosts that don't have Carbon Black installed. Can someone help me with a simple query for this? If I do DisplayName!= and then table the host, it's not giving me the correct result.
Hi All, I am using the Splunk Add-on for GCP to pull logs from a log sink via Pub/Sub. I configured a Pub/Sub input inside the add-on and it is successfully pulling the logs from Pub/Sub. But I want to confirm whether "the GCP add-on, after receiving the messages from Pub/Sub, sends back an ACK (acknowledgement) message to Pub/Sub so that the same message is not sent twice or duplicated". There is nothing mentioned about ACK messages in the GCP add-on documentation, so I am asking here. Please help me out.
Hello, I tried to input a DB with a query as below:

SELECT ..., txn_stamp as TXTIME, .... FROM mybd WHERE txn_stamp > ? ORDER BY TXTIME ASC

When I hit Execute query, the result produces the error: ORA-01861: literal does not match format string. My txn_stamp is a timestamp column with the format YYYY-mm-dd HH:MM:SS (ex: 2023-08-31 00:00:25). The curious thing is that sometimes it works, Execute query shows data, but it stops at some point; I suspect it's because of the above error. My thinking is that I want to format either my DB timestamp or the rising column timestamp to the same format so there won't be a mismatch, but I don't know how.
Good afternoon everyone, I'm trying to change the sender when I configure a new SMTP asset; better said, I want to change the sender domain when I configure the asset, however I have not been able to get it. The only domains I can use are splunkcloud.com and splunk.com. Does anyone know how I can use another domain, without using a user and password to authenticate?
Hello Everyone,

First off, thanks in advance to everyone who takes the time to contribute to this post!

I've got custom HTML code in Simple XML and was able to grab data from a text area and parse it into a JavaScript variable captured using the code below. I'm trying to use the captured variable in the search query in the SearchManager function. So far I've only been able to set static values such as eval test = "Working" but have had no luck passing in a JavaScript variable.

require([
    "underscore",
    "jquery",
    "splunkjs/mvc/searchmanager",
    "splunkjs/mvc/simplexml/ready!"
], function(_, $, SearchManager) {
    // The search is created without a query; the query is built at click time
    // so the captured JavaScript value can be spliced into the SPL string.
    var mysearch = new SearchManager({
        id: "mysearch",
        autostart: false
    });

    $("#btn-submit").on("click", function () {
        // Capture value of the text area
        var captured = $("textarea#outcome").val();
        // Quote the value as an SPL string literal (escape embedded double quotes)
        var spl = '| makeresults | eval test="' + captured.replace(/"/g, '\\"') +
                  '" | collect index="test_index"';
        mysearch.settings.set("search", spl);
        mysearch.startSearch();
    });
});
Hello, how do I perform a lookup on an inconsistent IPv6 format in a CSV file from an index? For example:

Index has the collapsed format of IPv6: 2001:db8:3333:4444:5555:6666::2101
CSV has the expanded format of IPv6: 2001:db8:3333:4444:5555:6666:0:2101

The following lookup can NOT find the IPv6 address that has the inconsistent pattern; it only finds the exact match:

index=vulnerability_index | lookup company.csv ip_address as ip OUTPUTNEW ip_address, company, location

In IPv6, "::" (double colon) represents consecutive zeroes (:0: or :0:0: or :0:0:0:), and ":0:" represents 0000. I think this is what I am looking for, but I am not sure how to implement it: https://splunkbase.splunk.com/app/4912

Thank you for your help
Hello, we are working on setting up some health rules in AppDynamics to monitor slow-running queries in the database. After going through the documentation on the website, we configured a health rule as seen below. Our problem with this is that there is a 'Group Replication module' (screenshot below) always running on the DB side that is needed but is causing constant violations. Is there a way of adding an exception for queries so that similar items in the database do not trigger the violations? Is there another way you can suggest we move forward with this that will give us a more accurate result?
Hello All, I am using maps+ with some success. I have one question: is there a way to zoom back to a set zoom point (like 3 or 4) after a default zoom in on a cluster? I am using maps+ to show up or down network devices. The cluster shows, say, 2 devices at a given lat/long and zooms in quite a lot. I am using a map of the US, more or less centered in the window, but after the zoom-in, I have to back out using the "-" icon. It would be nice if maps+ had the zoom back feature of the legacy map using geostats, etc.

Thanks eholz1
With SOAR 6.1's addition of the "Run automatically when" field, it would be great to be able to run a playbook on container resolution that can read the closure comment. Bonus points if you can explain why Comment data is separate from Event data in the export while notes aren't.
Good day. I am trying to use the sendalert command in Splunk to send a set of results to Splunk SOAR (Phantom). Each result appears in Phantom as a new event; would there be a way to receive only one event with all the results? I'll appreciate your answer.
Is it possible to add some parameters to a Splunk URL so that after clicking the URL, the viewer will see a well-formatted SPL search and does not need to format it manually?
Hello, I set up several hosts in the Forwarding and Receiving section (different servers and ports) to forward logs. I can see the Automatic Load Balancing option is ENABLED. I want to have it DISABLED but do not know how to disable it. Can anybody help me please? Thanks, Pawel
I have an idea and am looking for some input on how to approach it and where to start. As mentioned in the subject, I do not want an alert to be triggered if, let's say, it's Sunday between 1-2 AM. I cannot do this via CRON, so I am looking for an alternative solution.

Questions/Thoughts:
(1) What is the best/simplest way to get the day and hour from Splunk?
(2) Once I get the day and hour, how should I incorporate that into my existing alert query? Should I create a variable to indicate outage or not (0/1)?
(3) Once I determine that I am in an outage (1), is there an easy way to force the alert's results to = 0?

I know there are going to be many questions, so fire away and I will try to explain or answer the best I can, as there are many alerts I'm trying to make this work for and they are all slightly different in their implementation...
Are there pre-configured or default dashboards associated with this add-on? Is the add-on supposed to show up under Apps when it's installed?
Goal: Being able to alert off the latest event if the event is more than 300 seconds and is not blank or "non-productive". Here is my current search and the results:

Every incident is an opening or a closing of an event. If the incident is blank, that signifies a closing of the previous event. If the incident has a string, that is the current open event. In my ideal scenario, I would alert based on any incident where I have a string value within the incident field, the current duration has surpassed 300 seconds, and I don't have a value in the total duration field. However, when I try to add a filter for | where total duration = "", no results are returned at all, which I am confused about since the latest totalduration event is blank since streamstats is false... Any help or tips greatly appreciated!
Hello Experts, we have migrated to new hardware after the old data was backed up; the new environment has the last 2 months of data. Now we want to restore the old data onto a standalone server to perform some searches.

Highlights:
--> the old backup has primary and replication buckets, as it was a cluster backup.
--> we are planning to set up a test machine (indexer/search head) for the above and ask the storage team to mount ~450TB (primary and secondary) of buckets.

Do you think this is the right approach? Is there anything that we need to consider before we ask for a test machine (8GB RAM, 4 CPU) and have the storage team mount 450TB (backup) to this test machine?
Example:

ERROR HttpInputDataHandler [7000 HttpDedicatedIoThread-1] - Failed processing http input, token name=hec-token, channel=n/a, source_IP=xxx.xxx.xxx.xxx, reply=9, events_processed=nnn, http_input_body_size=yyyyyyy, parsing_err="Server is busy"
Greetings. I am quite new to Splunk and have read a lot of sources. However, I have a hard time finding my answer about the join and eval functions. I have a first search on an index. I want to filter this search with the values of one field in a CSV I import as a lookup. Example:

index="data" sourcetype="entities" | table EMAIL EXTERNAL_EMAIL CATEGORY

And I have the inputlookup:

| inputlookup 20230904_NeverLoggedIn.csv

How do I compare the field EXTERNAL_EMAIL from the index to the E_MAIL field in the CSV file as a filter? Many thanks for the help.
Hi Friends, my client is using Splunk ITSI and XYZ (an internal application). Now they want to access the Splunk ITSI Glass Table UI from the internal (XYZ) application GUI. Kindly advise how to achieve this.
Hello again! I'm working with two different sources of data, both tracking the same thing but coming from different sources. I need to consolidate them into one single Splunk search, so I decided to turn one of the two sources of data into a lookup table for the other. Right now the lookup table I'm using has 3 fields in it: HostName, Domain, and Tanium. What I'd like to do is load the 3 fields from this lookup into my Splunk search so that:

1) the HostName field from the lookup is merged with the HostName field in the search, with unique HostName values from both the search and the lookup available in the final output, but also so that if there are duplicate values for HostName, they're merged together.
2) The Domain and Tanium values from the lookup are loaded into their corresponding entries in the final output.

Is this possible? I believe it should be if I use the command:

| lookup WinrarTaniumLookup.csv HostName OUTPUT Tanium Domain

But when I put in that command it doesn't appear to be adding any unique HostName values from the lookup, just merging the HostName values that both the lookup and the search share. What am I doing wrong here?