Try to get error failures from live integration and create Splunk alert for every continuous 5 Alerts
Hi Team, Is it possible to automate entity creation in Splunk ITSI from a CMDB? Currently we are creating entities manually and adding the required fields and values in order to map the service. Regards, Dayananda
Hi, I have a query like:

index=federated:ccs_rmail sourcetype="rmail:KIC:reports" | dedup _time | timechart span=1mon sum(cisco_*) as cisco_* | addtotals | eval rep_perc = round(cisco_stoppedbyreputation/Total*100,2), spam_perc =round(cisco_spam/Total*100,2), virus_perc=round(cisco_virus/Total*100,6) | table cisco_stoppedbyreputation,rep_perc,cisco_spam,spam_perc,cisco_virus,virus_perc | rename cisco_spam as spam, cisco_virus as virus,cisco_stoppedbyreputation as reputation | transpose

The result looks like:

column        row 1
reputation    740284221
rep_perc      82.46
spam          9695175
spam_perc     1.08
virus         700
virus_perc    0.000078

Is it possible to have something like this?

Name          #            %
reputation    740284221    82.46
spam          9695175      1.08
virus         700          0.000078

Thanks, Emile
Hi, I'm seeing an error message on my ES search head. How can we sort out this issue?

Search peer idx-xxx.com has the following message: The metric event is not properly structured, source=nmon_perfdata_metrics, sourcetype=nmon_metrics_csv, host=xyz, index=unix-metrics. Metric event data without a metric name and properly formated numerical values are invalid and cannot be indexed. Ensure the input metric data is not malformed, have one or more keys of the form "metric_name:<metric>" (e.g..."metric_name:cpu.idle") with corresponding floating point values.

Thanks
Can anyone help me regarding creation of alerts for continuous errors?
To access Splunk Cloud after logging in, it is asking for the Splunk Tenant Name. Could you specify what I need to enter to get access? Thank you
Hi, From the context menu of a "username" field value I chose "new search", and the SPL below was automatically added into the search bar and returned 0 events.

* user="aaa"

However, if I changed the SPL to

index=* user="aaa"

then it showed events related to that user. Why did * user="aaa" not work?
Hi, I recently installed UF v9.0.5 on our Windows hosts to send logs to a heavy forwarder, and am getting the messages below in the splunkd logs on the Windows host. Can I know what this info is about?

ERROR TcpOutputFd [2404 TcpOutEloop] - Read error. An existing connection was forcibly closed by remote host
INFO AutoLoadBalancedConnectionStrategy [2404 TcpOutEloop] - Connection to 10.xx.xx.xx:9997 closed. Read error. An existing connection was forcibly closed by remote host
WARN AutoLoadBalancedConnectionStrategy [2404 TcpOutEloop] - Possibe duplication of events with channel=source::C:\Programs Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::xxxxx011|splunkd|2606, streamId=0, offset=0 on host=10.xx.xx.xx:9997

Thanks
Hi Team, I created a test user, assigned the viewer role, logged in with the test credentials and selected the manage app settings operation; it displayed the Splunk 404 Forbidden Error window. A "click here" option was displayed in the window; after clicking it again and entering the login credentials, the manage settings page worked. How do I overcome the 404 Forbidden Error? Please help me. Regards, Vijay .K
Hi, I'm trying to integrate Splunk with our Spring Boot Java application. I believe that I have done all the required integration steps, but the logs are not showing up in our Splunk account. Thanks, Jerome
Is there no current PowerShell module support for Splunk? I am only finding old articles on this on various sites.
Hey guys, I keep getting this privacy error every time I attempt to download Splunk Enterprise on Mac. I read somewhere that removing the s behind http should fix and resolve the issue, but I still keep getting an error. Thanks for any help.

https://download.splunk.com/products/splunk/releases/9.1.1/osx/splunk-9.1.1-64e843ea36b1-darwin-64.tgz

"download.splunk.com normally uses encryption to protect your information. When Chrome tried to connect to download.splunk.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be download.splunk.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chrome stopped the connection before any data was exchanged."
Hi all, I deployed Splunk and enabled indexer clustering. Then I created an index in master-apps and it has been replicated to the peer nodes. Now I want to export some events from an index and import them into the newly created index. I tested multiple methods. I export events using the following command:

./splunk cmd exporttool /opt/splunk/var/lib/splunk/defaultdb/db/db_1305913172_1301920239_29/ /myexportpath/export1.csv -et 1302393600 -lt 1302480000 -csv

and import the result using the following command:

./splunk cmd importtool /opt/splunk/var/lib/splunk/defaultdb/db /myexportpath/export1.csv

but the data is not replicated to the indexers. I tried another method using the UI on the cluster master: I imported my events into the newly created index. In the cluster master search everything is OK, but these events are not replicated to the indexers. Note that my new index is not shown in the indexes tab under indexer clustering: manager node. There are just three indexes: _internal, _audit, _telemetry. I think I did this the wrong way. Does anyone have an idea?
Hi All, I am from an application production support team and we use Splunk as our monitoring tool along with other tools. We use Splunk primarily to get an understanding of user actions via logs. We built some traditional dashboards and alerts to enhance our monitoring. We do our application health checks, which include manually looking at Splunk dashboards to see any spike in errors. I would like to automate this step where we check the dashboards and report if there are any queries on dashboards that are trending red, preferably posting an RGB status to Teams chat / email. Any leads on how to build this solution are much appreciated.
Does anyone know how to integrate Glassbox session events with Splunk? By the way, there is no option to export Glassbox session events alone, but we can see all the events in the expert view section inside the session. Or else, is there a way to export these events from a Glassbox session in json/text format?
Is there an application to send SOAR files to a server?
Is it possible to develop apps outside SOAR with an IDE like Visual Studio, test them from there, and then import the app into SOAR?
I am working on setting up a third-party evaluation of a new network management and security monitoring installation for an enterprise network that uses Splunk for various log aggregation purposes. The environment has 6 indexers with duplication across 3 sites, and hundreds of indexes set up and configured by the installers. The question that I need to write a test for: "Is there sufficient storage available for compliance with data retention policies? (e.g. is there sufficient storage available to meet 5 year retention guidelines for audit logs?)"

I would like to run simple search strings to produce the necessary data tables. I am no wizard at writing the appropriate queries, and I don't have access to an environment that is complicated enough to try these things out before I have limited time on the production environment to run my reports. After reading through the forums for hours, it seems like answering this storage question may be harder than originally anticipated, as Splunk does not seem to have any default awareness of how much on-disk space it is actually consuming.

1. Research has shown that I need to make sure that the age-off and size cap for each index are appropriately set with the FrozenTimePeriodInSecs and maxTotalDataSizeMB variables in each index.conf file. Is there a search I can run that will provide a simple table for all indexes across the environment with these two variables? e.g. index name, server, FrozenTimePeriodInSecs, maxTotalDataSizeMB

2. Is there any other configuration where allocated space is determined for an index that can be returned with a search?

3. Is there a search string I can run to show the current storage consumption (size on disk) for all indexes on all servers?

I have seen some options here on the forums and I think the answer for this one might be the following:

| dbinspect index=* | eval sizeOnDiskGB=sizeOnDiskMB/1024 | eval rawSizeGB=rawSize/1024 | stats sum(rawSizeGB) AS rawTotalGB, sum(sizeOnDiskGB) AS sizeOnDiskTotalGB BY index, splunk_server

4. What is the best search string to determine the average daily ingest "size on disk" by index and server/indexer to calculate the storage needed for retention policy purposes? So far, I have found something like this:

index="_internal" source="*metrics.log" per_index_thruput source="/opt/splunk/var/log/splunk/metrics.log" | eval gb=kb/1024/1024 | timechart span=1d sum(gb) as "Total Per Day" by series useother=f | fields - VALUE_*

I'm not quite sure what is happening above with the useother=f or the last line of the search. The thread I found it on is dead enough that I don't expect a reply.

I would need any/all results from these searches in table format sorted by index, server to match up with the other searches for simple compilation. Any help that can be provided is greatly appreciated.
Hello All, I'm a relative newbie and hoping the community can help me out. I'm kind of stuck on a query and I can't figure out how to get the correct results.

I have an event that has a referer and a txn_id. Multiple events with the same referer field can have the same txn_id.

Referer   Txn_id     response_time
google    abcd1234   42
google    abcd1234   43
google    abcd1234   44
google    1234abcd   45
google    1234abcd   46
google    1234abcd   47
google    1234abcd   48
yahoo     xyz123     110
yahoo     123xyx     120
yahoo     123xyz     130

What I am trying to do is get the average number of txn_ids per referer and the avg of response times for that. So something like this:

Referer   avg(count txn_id)   avg(response_time)
google    3.5                 44.5
yahoo     1.5                 120

Any help would be appreciated. Thanks!
Hi, I am working on a query where I need to display a table based on a multiselect input. The multi-select input options are: (nf, sf, etc). When I select "nf", only columns starting with "nf" should display, along with "user" and "role", and the columns should display in the same order as they are mentioned. The same should apply if I select multiple options from the multi-select input, but I am facing an issue fetching the table in the same order.

I have tried using:

|<search query> | stats list(*) as * by user, role

but this one jumbles the column placement into alphabetical order, which I don't want. I also tried setting tokens by giving the field names starting with "nf" in one token and "sf" in another token:

|< search query> | table user, role, $nf_fields$ $,sf_fields$

With this method I also faced an issue. For example, if I select only sf from the multi-select input, then the fields starting with nf are also displayed with empty values.

--> Is it possible to fix the placement of the columns?
or,
--> Remove the empty columns based on the multi-select input?

Both approaches work for me.

Expected Output:

Please help me solve this. Thanks in advance.