Hi All, We want to run a modular input cleanup. What happens to the checkpoints? Will ingest start from the beginning again? Thanks, Nick
How to create empty.csv lookup in web
Hi, Very first question. I have created an inbuilt panel and I didn't want to hardcode the name in the ref parameter. Splunk doesn't like the following; any ideas or advice?

  <init>
    <set token="PageName">help_for_toy</set>
  </init>

  <row>
    <panel id="help" ref="$PageName$"></panel>
  </row>
What is the equivalent of <html /> in Dashboard Studio? I wanted to have some static links.
Hi all, Can we list out alerts based on the host IPs used in alert queries?
Hello All, I am using Splunk to store the logs in one of my projects. While I am using the developer org for my POC, everything is working fine as expected. After the POC, when I try to use the client Splunk environment, I am facing some issues: the logs are not captured in a consistent way. For example, when calling my service 5 times, sometimes all the calls and the logs are captured, but sometimes some logs are missing. Can someone help with this? Is it an environment issue or a Splunk issue? Thanks, Dinesh
Hello, I am in need of finding an add-on that would allow me to email a Dashboard on a schedule. The out-of-the-box PDF creation doesn't meet our requirements, sad to say. I have been trying several different add-ons that may work out for us, but every one seems to be either no longer usable due to Splunk Enterprise not using Advanced XML, or we receive an error. So far the best add-on I have found is "Smart PDF Exporter for Splunk". But when I try to schedule it, I get a JavaScript error due to a 404 error. Does anyone know how to resolve this, or have any ideas on how else I can create a scheduled email with the contents of the Dashboard in the body? It doesn't matter what format, as long as we can see the Dashboard in the body of the email. Thanks for any help on this one. Tom
I have a question about filtering in data. We have a customer who is requesting a set of fields to be sent in from O365. The issue is, we can't modify what we pull in because we are using an API, not the universal forwarder. Currently I am trying to test out the search query to confirm that I am only pulling in the correct events with those fields. The O365 data pulls in about 400+ fields. We want about 40 of those for a specific use case. My question is, what is the correct syntax for Splunk to only search for those fields?

Original query that brings in about 400+ fields:

  index=o365

New query for about 35 fields:

  index=o365 "Operation"="*" OR "LabelAction"="*" OR "LabelAppliedDateTime"="*" OR "LabelIid"="*" OR "abelName"="*" OR "DlpAuditEventMetadata.DlpPolicyMatchId"="*" OR "DlpAuditEventMetadata.EvaluationTime"="*" OR "DlpOriginalFilePath"="*" OR "IrmContentId"="*" OR "PolicyMatchInfo.PolicyId"="*" OR "PolicyMatchInfo.PolicyName"="*" OR "PolicyMatchInfo.RuleId"="*" OR "PolicyMatchInfo.RuleName"="*" OR "ProtectionEventData.IsProtected"="*" OR "ProtectionEventData.IsProtectedBefore"="*" OR "ProtectionEventData.ProtectionEventType"="*" OR "ProtectionEventData.ProtectionOwner"="*" OR "ProtectionEventData.ProtectionType"="*" OR "ProtectionEventData.TemplateId"="*" OR "ProtectionEventType"="*" OR "RMSEncrypted"="*" OR "SensitiveInfoTypeData{}.Confidence"="*" OR "SensitiveInfoTypeData{}.Count"="*" OR "SensitiveInfoTypeData{}.SensitiveInfoTypeId"="*" OR "SensitiveInfoTypeData{}.SensitiveInfoTypeName"="*" OR "SensitiveInfoTypeData{}.SensitiveInformationDetailedClassificationAttributes{}.Confidence"="*" OR "SensitiveInfoTypeData{}.SensitiveInformationDetailedClassificationAttributes{}.Count"="*" OR "SensitivityLabelEventData.ActionSource"="*" OR "SensitivityLabelEventData.ActionSourceDetail"="*" OR "SensitivityLabelEventData.ContentType"="*" OR "SensitivityLabelEventData.JustificationText"="*" OR "SensitivityLabelEventData.LabelEventType"="*" OR "SensitivityLabelEventData.OldSensitivityLabelId"="*" OR "SensitivityLabelEventData.SensitivityLabelId"="*" OR "SensitivityLabelEventData.SensitivityLabelPolicyId"="*" OR "LabelName"="*"
  | fields Operation,LabelAction,LabelAppliedDateTime,LabelIid,abelName,DlpAuditEventMetadata.DlpPolicyMatchId,DlpAuditEventMetadata.EvaluationTime,DlpOriginalFilePath,IrmContentId,PolicyMatchInfo.PolicyId,PolicyMatchInfo.PolicyName,PolicyMatchInfo.RuleId,PolicyMatchInfo.RuleName,ProtectionEventData.IsProtected,ProtectionEventData.IsProtectedBefore,ProtectionEventData.ProtectionEventType,ProtectionEventData.ProtectionOwner,ProtectionEventData.ProtectionType,ProtectionEventData.TemplateId,ProtectionEventType,RMSEncrypted,SensitiveInfoTypeData{}.Confidence,SensitiveInfoTypeData{}.Count,SensitiveInfoTypeData{}.SensitiveInfoTypeId,SensitiveInfoTypeData{}.SensitiveInfoTypeName,SensitiveInfoTypeData{}.SensitiveInformationDetailedClassificationAttributes{}.Confidence,SensitiveInfoTypeData{}.SensitiveInformationDetailedClassificationAttributes{}.Count,SensitivityLabelEventData.ActionSource,SensitivityLabelEventData.ActionSourceDetail,SensitivityLabelEventData.ContentType,SensitivityLabelEventData.JustificationText,SensitivityLabelEventData.LabelEventType,SensitivityLabelEventData.OldSensitivityLabelId,SensitivityLabelEventData.SensitivityLabelId,SensitivityLabelEventData.SensitivityLabelPolicyId,LabelName

Basically, from my understanding and my research, if you just append a specific string in quotes, or outside of quotes, Splunk searches all events for that string and pulls it in. Such as:

  index=Test field1 field2 field3

That would bring in only events with field1 or field2 or field3 within it. Adding quotes to it, such as

  index=Test "field1"="*" "field2"="*" "field3"="*"

should filter the same way. I have tested it both ways, with double quotes surrounding the field, as well as no quotes.

I'm also using | fields, which should only bring those fields in, but I don't know if it's only showing those fields while bringing in ALL of the events.

My question is, is this correct? With the base searches I've been testing with, searching all of the events in o365 for one day, a full 24 hours, brings in 23,410,064 events. Filtering with the query I pasted above, for the same day, same 24 hours, brings in 23,409,887 events. I've tested this a couple of ways, and each time, searching over the same time period, the filtering query brings in about 1k fewer events. But I can still only view the first 1k events, 20 pages' worth. But that may be another question.

My long-winded question boils down to: am I searching this data correctly? I know it's a heavy index with millions of events, but filtering down to only 40 or so fields, some of which only appear 0.6% of the time, still brings in millions of events. Is there a way to fully validate it?
How do I use a search to generate values to use inside of an IN search? For example:

  index=syslog src_ip IN ( | tstats count from datamodel=Random by ips | stats values(ips) as IP | eval IP = mvjoin(IP, ",")

I tried the method above but it's not working. Thank you!
Hello All, I am hoping for some guidance here. I am using Maps+. It seems to be a decent application. There are two things I want to do, and so far no joy. 1. I want to be able to change the color of the cluster circle. 2. I want to be able to "un-zoom" back to the initial state after clicking on a cluster circle. My map shows routers and switches, by lat/long, that are UP or DOWN. I have no issues with markerType or color or icon style. I would like to change the cluster circle color for devices that are "down". Can I do this? Or do I have to use a legacy map type? Thanks so much, eholz
Hi all, today I updated Splunk Enterprise from 9.0.5 to 9.1.1. Since the update I see the following messages on the start page: "Laden der App-Liste nicht möglich. Aktualisieren Sie die Seite, um den Vorgang zu wiederholen." and "Laden von gemeinsamen Aufgaben nicht möglich. Aktualisieren Sie die Seite, um den Vorgang zu wiederholen." Reloading the page doesn't solve the issue. A reboot of the Windows host where Splunk is installed doesn't help either. Splunk seems to work fine. But do you have any ideas how to solve the issue? Thank you.
I want to get the volume of occurrences of a specific word, "ERROR", on a specific server in the last 7 days. How do I do that? Please help.
Splunk shows duplicate events in search results when there are no duplicates in the source file.
I have a saved search for the vpcflow logs sourcetype which searches for a particular CIDR (src_ip & dest_ip), but it takes almost 3-4 hours to run when it searches the last 6 months. I want the output for external reporting; what is the best method forward to save time & resources? We don't have data models on our search head.
We are using the Splunk OPC Add-On to bring in some tags. We have two specific tags that we are currently looking at. Tag 1's value will always be "Productive" or "Non-productive". Tag 2's value will be a current string value or blank. We are hoping that we can alert if Tag1 = Productive & Tag2 != "", then we can return a result and alert off of this result. I have tried: "Tag1"="Productive" AND NOT isnull("Tag2") but that doesn't return any results when there should be a few. I'm not sure if I need to combine these somehow?
Hi Team, I have the below raw logs:

  2023-08-30 07:43:28.671 [INFO ] [Thread-18] ReadFileImpl - ebnc event balanced successfully

My current query:

  index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
  | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
  | eval EBNCMessage="ebnc event balanced successfully"
  | table EBNCMessage True

This occurs as many times as files got processed. I want to show only 1 event:

  ebnc event balanced successfully    true

But it's coming 8 times, as 8 files go through.
Hi Team, I have the below raw logs:

  2023-08-30 07:43:29.000 [INFO ] [Thread-18] StatisticBalancer - statisticData: StatisticData [selectedDataSet=13283520, rejectedDataSet=0, totalOutputRecords=20670402, totalInputRecords=0, fileSequenceNum=9226, fileHeaderBusDt=08/29/2023, busDt=08/29/2023, fileName=TRIM.UNB.D082923.T045920]

  2023-08-30 05:36:30.678 [INFO ] [Thread-19] StatisticBalancer - statisticData: StatisticData [selectedDataSet=27, rejectedDataSet=0, totalOutputRecords=27, totalInputRecords=0, fileSequenceNum=6395, fileHeaderBusDt=08/29/2023, busDt=08/29/2023, fileName=TRIM.CNX.D082923.T052656]

I want to fetch records only for the highlighted file, not for the other files, but I am getting records for both files. My current query:

  index="600000304_d_gridgain_idx*" sourcetype=$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "StatisticBalancer - statisticData: StatisticData"
  | rex "totalOutputRecords=(?<totalOutputRecords>),busDt=(?<busDt>),fileName=(?<fileName>),totalAchCurrOutstBalAmt=(?<totalAchCurrOutstBalAmt>),totalAchBalLastStmtAmt=(?<totalAchBalLastStmtAmt>),totalClosingBal=(?<totalClosingBal>),totalRecordsWritten=(?<totalRecordsWritten>),totalRecords=(?<totalRecords>)"
  | table busDt fileName totalAchCurrOutstBalAmt totalAchBalLastStmtAmt totalClosingBal totalRecordsWritten totalRecords
Does anyone have a creative solution or know if there is an obscure way in Splunk to prepend a certain string to the beginning of email subjects that are sent from Splunk? I'm looking for something that users could not override when they create an alert or report. I do know about the email footer option in the email setup screen to add a static footer that cannot be altered by users and we do employ that as well. I'm trying to do something like this with the email subject. Thanks.
Hi Everyone, Is there someone who knows how to export Splunk ITSI Entities to a CSV file including their aliases, fields and services? Thanks!
Hi there, I'm pretty new to Splunk, so sorry if it is an easy task. I have the following example events in my index. It is an export from the Zabbix monitoring.

  8/31/23 4:39:31.000 PM
  {
    description: mem Heap Memory used
    groups: [ ]
    hostname: WMS_Name
    itemid: 186985
    ns: 941726183
    tags.application: Memory
    type: 3
    value: 1199488000
  }
  description = mem Heap Memory used
  host = WMS_NAME1
  hostname = WMS_NAME1
  source = http:its_wms_zabbix
  value = 1199488000

  8/31/23 4:39:31.000 PM
  {
    description: mem Heap Memory max
    groups: [ ]
    hostname: WMS_NAME1
    itemid: 186984
    ns: 883128205
    tags.application: Memory
    type: 3
    value: 8589934592
  }
  description = mem Heap Memory max
  host = WMS_NAME1
  hostname = WMS_NAME1
  source = http:its_wms_zabbix
  value = 8589934592

Search query:

  index="some_index" sourcetype="zabbix:history" hostname="WMS_NAME1" description="mem Heap Memory used" OR description="mem Heap Memory max"
  | spath "groups{}"
  | search "groups{}"="Instances/Tests*"
  | eval ValueMB=value/1024/1024
  | table _time, hostname, ValueMB

In this case, there are two events: one for Java heap memory usage and one for Java heap max memory. Is there any way to rename the value variable based on the description in an event and join them in one table under the same time? Or maybe join both events into one? The main goal is to display both values in one graph and be able to monitor long-term usage. I found a way using multisearch, but it takes too much time in processing and I believe there will be a simpler way. Thank you in advance for any hint.