Hi there, I'm pretty new to Splunk, so sorry if this is an easy task. I have the following example events in my index. They are an export from the Zabbix monitoring:

8/31/23 4:39:31.000 PM
{
  description: mem Heap Memory used
  groups: [ ]
  hostname: WMS_Name
  itemid: 186985
  ns: 941726183
  tags.application: Memory
  type: 3
  value: 1199488000
}
description = mem Heap Memory used
host = WMS_NAME1
hostname = WMS_NAME1
source = http:its_wms_zabbix
value = 1199488000

8/31/23 4:39:31.000 PM
{
  description: mem Heap Memory max
  groups: [ ]
  hostname: WMS_NAME1
  itemid: 186984
  ns: 883128205
  tags.application: Memory
  type: 3
  value: 8589934592
}
description = mem Heap Memory max
host = WMS_NAME1
hostname = WMS_NAME1
source = http:its_wms_zabbix
value = 8589934592

Search query:

index="some_index" sourcetype="zabbix:history" hostname="WMS_NAME1" description="mem Heap Memory used" OR description="mem Heap Memory max"
| spath "groups{}"
| search "groups{}"="Instances/Tests*"
| eval ValueMB=value/1024/1024
| table _time, hostname, ValueMB

In this case there are two events: one for Java heap memory usage and one for Java heap max memory. Is there any way to rename the value variable based on the description in an event and join them in one table under the same time? Or maybe join both events into one? The main goal is to display both values in one graph and be able to monitor long-term usage. I found a way using multisearch, but it takes too much time in processing and I believe there will be a simpler way. Thank you in advance for any hint.
Hello, I'm new to Splunk and despite searching extensively on this community site, I was not able to find a solution for what I thought was a rather simple problem. I would like to list, for each field in my index, the list of top 10 values. I've tried different commands with stats values and top, and the following one gives me what's closest, but the output is messy:

index = my_index | multireport [top limit=10 field_1] [top limit=10 field_2] [top limit=10 field_3]

I do get the top values of each field presented in different columns of the output, but also get many empty cells:

field_1                 field_2                 field_3
                        a top value of field_2
                        a top value of field_2
                        a top value of field_2
                                                a top value of field_3
                                                a top value of field_3
a top value of field_1
a top value of field_1

while I would like something like this:

field_1                 field_2                 field_3
a top value of field_1  a top value of field_2  a top value of field_3
a top value of field_1  a top value of field_2  a top value of field_3
                        a top value of field_2

Has someone any idea how I could clean up the output and, ideally, easily loop through the column names so I don't have to write their names manually? Thanks!
Hi, I'm in the middle of testing deployment of the UF for a new setup and I started with 9.0.1, deploying it with ansible from a local yum repository as the initial push. (That's the gist of it; there is a bit more complex infrastructure behind it, but it is not really relevant.)

But now 9.1.1 came out, which was pointed out to me due to a security alert, so I updated the package on our repository, hit 'yum update' on one of my test servers, and this broke the UF. Apparently it needs to be started manually once with '--accept-license --answer-yes --no-prompt' to complete the upgrade and accept the license .. again .. ?

Is there a clever way of dealing with this so it just works after upgrading the rpm? Short of modifying the rpm's spec file so it does some starting and stopping while the rpm is being upgraded. Manually doing this in case there happens to be an update is just not an option due to the number of hosts; our regular updates run unattended with basically just a 'yum/dnf update -y'.

Modifying the systemd file so it just starts with the required parameters does not appear to be working with the '_internal_launch_under_systemd'; replacing that with the old 'start etc' makes the UF not work with systemd anymore. RHEL9 is going to forego the init.d folder, I think, so using older, more flexible sysV scripts is not an option either. Any sort of manual intervention when there happens to be a new version is highly undesirable.
Hi Team, how can I fetch the start and end time from the logs below?

2023-08-30 00:29:00.018 [INFO ] [pool-3-thread-1] ReadControlFileImpl - Reading Control-File /absin/CARS.HIERCTR.D082923.T002302
2023-08-30 07:43:29.020 [INFO ] [Thread-18] FileEventCreator - Completed Settlement file processing, TRIM.UNB.D082923.T045920 records processed: 13283520

I want this start time and end time. Can someone help me with the query? My current query:

index="abc" sourcetype="600000304_gg_abs_ipc2" source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Reading Control-File /absin/CARS.HIERCTR."
I have a simple lookup file with two fields, user and host:

user    host
Bob     1
Dave    2
Karen   x
Sue     y

I want to exclude any results from my search where there is any combination of host AND user where they match any value from the lookup. For example, exclude any results where:

the user is Bob and the host is either 1, 2, x or y
the user is either Bob, Dave, Karen or Sue and the host is x

I'm playing with this search, which appears to work, but I'm unsure if there's a flaw in my logic, or if there's a better way to do it?

index=proxy sourcetype="proxy logs" user="*" NOT ([| inputlookup lookup.csv | fields user | format ] AND [| inputlookup lookup.csv | fields host | format ])
| stats c by username, host

Thanks in advance
index=main sourcetype=_json status="True"
| stats count(status) as True by name
| append [| search index=main sourcetype=json status="False" | stats count(status) as False by name]
| append [| search index=main sourcetype=json status="*" | stats count(status) as Total by name]
| stats sum(True) as True sum(False) as False sum(Total) as Total max(Performance) as Performance by name
| eval Percentage=round(((True/Total)*100),0)
| fields Percentage

Is it possible to show a trendline and whether Percentage is up or down compared to last month?
Hello Team, I have logs with the pattern below:

08/31/2023 8:00:00:476 am ........ count=0
08/31/2023 8:00:00:376 am ........ process started
08/31/2023 8:00:00:376 am ...... XXX Process

I need the process name and the count to be displayed together, but I don't have any common values/names/strings to match them. I have 4 similar processes and the counts together in the logs. Is there a way we can match them together? Any help is much appreciated.
Hi, I'm using a Splunk Enterprise based on a docker image. The dashboard is getting all the default Windows events but isn't getting Sysmon events. I've created the inputs.conf file in the local directory; in that file I'm forwarding both "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" and "Microsoft-Windows-Sysmon/Operational" events. I see the Firewall events in the dashboard and see that as a source, but I don't get any of the Sysmon events and it doesn't show up as a source. I've confirmed that the events are in the event viewer on the client. I have installed the application "Splunk Add-on for Sysmon", and in another separate Splunk Enterprise docker image I tried installing the "Microsoft Sysmon Add-on" application.

In the inputs.conf file I have tried (on different instances):

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = false

or:

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = main
renderXml = true

or:

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true

None have worked. I have installed the universal forwarder both manually and using the command line to rule out the quiet install. I have even tried giving the forwarder service full admin rights to rule out issues accessing the logs, but I am still not getting any Sysmon events in the dashboard. What am I missing?
How to see daily licensing usage of 1 index in Splunk.
I have another issue in comparing, and want to compare should_be with server_installed_package. Sometimes the installed package is higher after patching. An example is given below for the git version: if should_be == server_installed_package, the status should be updated as Completed. Another case: if server_installed_package is greater than should_be, mark it as complete (2 < 3). Also, it should check if the first number is the same; then it should check the second digits. It should mark it as completed, else it should check the next digit if it is 2, and it should check another number.

CI       Installed            shouldbe             server_installed_package   Status
server1  git-2.31.1-3.el8_7   git-2.39.3-1.el8_8   git-3.40.3-1.el8_8         Not complete
Hi Team,

2023-08-27 10:34:18.285 [INFO ] [Thread-30] TriumphUnbilledProcessor - TRIM.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
2023-08-27 07:38:31.688 [INFO ] [Thread-31] TriumphCancelTransferProcessor - TRIM.CNX event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

I want to fetch the filenames (bold) from the raw logs: TRIM.UNBILLED and TRIM.CNX. My current query:

index="abc" sourcetype=600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "event published to ebnc:" NOT "Utils -"
| rex " event published to ebnc: \[\{\"status\":\"(?<status>.*)\",\"description\":\"(?<description>.*)\"\}\]"
| eval message="event published to ebnc"
| table message status description
Hi, I am looking for a query to get a list of DBConnect exceptions with their timestamps in order to plot them in a graph. Thank you. Kind regards, Marta
Hi Team, we are observing the below error while accessing the analytics page. What could be the reason for it?
Hi, I need to extract with rex the first two words of an event, but sometimes there is only one word. For example, with this data:

command:RESTORE LABELONLY FROM DISK=@P1
command:RESTORE VERIFYONLY FROM DISK = 'i:\toto.sql'
command:RESTORE VERIFYONLY FROM DISK = 'i:\tata.sql'
command:RESTORE LABELONLY FROM DISK=@P1
command:sp_addlinkedsrvlogin
command:RESTORE LABELONLY FROM DISK=@P1

I need to have the field command set with these values from that data:

RESTORE LABELONLY
RESTORE VERIFYONLY
RESTORE VERIFYONLY
RESTORE LABELONLY
sp_addlinkedsrvlogin
RESTORE LABELONLY

I would appreciate some help to get the correct syntax for rex. Regards
Hi All, I am relatively new to Splunk. I am trying to build a search query and below is the condition of the query:

| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed"))
  OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"))
  OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"))
  OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
  OR (src="retaillineitemdup" AND Count>0)
  OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain

I am facing a problem in line 4, which is:

(src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))

It is reading all 3 filenames as one (Fname). The source "retailautonomyfileage" has 3 filenames (Fname="mdmdat", Fname="omsdat", Fname="promodat") and when I do the stats count, not sure why it is counting the sum of all 3 filenames altogether in the output (18 instead of 6).

Output:

Device       Store    src                                 host                    Chain  StoreNum  Domain     count
stp-020sql1  stp0020  DB_Rebuild_Indexes_UpdateStats_MDM  stp-020sql1.stp.local   stp    20        stp.local  6
stp-020sql1  stp0020  DB_Stop_IndexRebuild_Jobs           stp-020sql1.stp.local   stp    20        stp.local  6
stp-020sql1  stp0020  RetailAutonomyDataSync              stp-020sql1.stp.local   stp    20        stp.local  6
stp-020sql1  stp0020  RetailAutonomyPromotionsDataSync    stp-020sql1.stp.local   stp    20        stp.local  6
stp-020sql1  stp0020  esbmessagecount                     stp-020sql1.stp.local   stp    20        stp.local  6
stp-020sql1  stp0020  retailautonomyfileage               stp-020sql1.stp.local   stp    20        stp.local  18
stp-020sql1  stp0020  retaillineitemdup                   stp-020sql1.stp.local   stp    20        stp.local  6
stp-089sql1  stp0089  DB_Rebuild_Indexes_UpdateStats_MDM  stp-089sql1.stp.local   stp    89        stp.local  6
stp-089sql1  stp0089  DB_Stop_IndexRebuild_Jobs           stp-089sql1.stp.local   stp    89        stp.local  6

I am trying to break it into 3 lines under the search query, e.g.:

(src="retailautonomyfileage1") AND (Fname="mdmdat" AND Age>240))
(src="retailautonomyfileage2" AND (Fname="omsdat" AND Age>240))
(src="retailautonomyfileage3" AND (Fname="promodat" AND Age>120))

Not sure how I can obtain that. Please help. Thanks in advance.
I am getting this error when trying to set the Default SLA on a newly installed Mission control app  
Hi All, we have a couple of jobs that occasionally loop around the same code returning the same message/log. Is it possible for a search string to pick up instances where the last [say] 3 logs are identical? Kind regards, Mick
Hi, I need some analytics results in Splunk but I couldn't achieve them. Here is what I need:

1) Which EventIDs are repeated on which hostnames? I need this count based: EventID, Hostname and Count
2) Which EventIDs are used in which alerts (correlation searches and saved searches)? EventID, Alert Name
3) Which EventIDs triggered which alerts? EventID, Alert Name and Count
Dears, I would like to know if we need to follow any sequence in restarting the agents. We have analytics agents and a node.js app agent for a Node.js application. Several times we have noticed that the analytics agent is not reporting the data, and I'm not sure what is triggering this. I suspect it happens when application pods are restarted, since from then on it is not reporting (just my suspicion). When this happens, the data does not resume until we restart both the analytics and nodejs agents. Any help around this would be much appreciated.
Hi All, previously I asked a question titled "How to display panels dynamically depends on selection?"
https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-panels-dynamically-depends-on-selection/m-p/655457/highlight/false#M53927

The panels can be displayed dynamically by the user selection. However, I need to display the title or the description according to the dynamic selection. That is, if the user selects packet_size="32,40,128" from the filter, three panels will be displayed and I wish to display the title "Packet size=xx", where xx represents the analyzed packet_size value. E.g. Table 1 with title "Packet size=32", Table 2 with title "Packet size=40", Table 3 with title "Packet size=128".

I referred to these past threads but was unable to find a successful solution:

How do I display _time on dashboard panel's title field?
Dynamic value display in the Panel Title?
How do you display the date in a dashboard title?

Does anyone know how to display the title or description with a variable in code or a value from the filter selection? Thank you so much.