Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi All, for those who are familiar with AWS CloudTrail logs, these have details about every API call and every event that occurs in your AWS account. Is there an equivalent in Azure that can be ingested into Splunk? We have the "Splunk Add-on for Microsoft Cloud Services" installed in our environment. What input or config is required to pull in CloudTrail-equivalent logs? As of now, we are getting compute logs and Azure AD events via this add-on.
The primary data our organization needs to ingest from SNOW is in the form of reports created in SNOW. This add-on does not allow for this ingestion currently, requiring our org to develop our own app, which recently broke due to a SNOW API update breaking pagination. Ingestion of incident and request data into Splunk is not overall useful, as the need for correlation of all individual log events for specific tickets makes searching or monitoring very difficult. Is there any plan to add SNOW report ingestion, as this would be far more useful data to ingest into Splunk?
Hello everyone, I am going crazy trying to figure out why this isn't working. I have a field called "alert.createdAt" that contains an epoch time (1693398386408). I need to convert this to be human readable (08/30/2023 09:26:47). However, when using strftime, I don't see anything being returned. My search is:
SEARCH | eval c_time=strftime(alert.createdAt,"%m-%d-%Y %H:%M:%S") | table c_time
I have been going through all of the previous solutions I could find, but I can't seem to get this to work. Is there another way to achieve this, or am I just way off on how I am trying to do this? :) Thanks for any help, much appreciated. Tom
I have a Dell EqualLogic Group Manager (SAN server) that hasn't been sending logs to syslog. I've added all the IPs for the server, pinged and did a traceroute for them with no issues, yet logs are still not sending. Does anyone have a solution? Thanks
Hello, we have a large multi-monitor screen at the front of the floor plate. We have our Splunk dashboards showing; however, we have different dashboards that periodically need to be shown. Is there a way to automatically go through each of these URLs or dashboards to view each individual dashboard instead of doing it manually? Many thanks
Hello, I've just updated my Splunk Security Essentials application from 3.7 to 3.7.1. After the update, the dashboard in Content > Manage bookmarks shows the following error: Has anyone seen that before? Thanks.
We have already enabled the Splunk logging driver, but this forwards logs from inside the containers. I want to capture the Docker system-level events, as you would see from this command:
docker events --filter event=stop --since '60m'
https://docs.docker.com/engine/reference/commandline/system_events/
I see this app (not approved for cloud). Are there any other options?
https://splunkbase.splunk.com/app/6113
https://github.com/quzen/docker_analyzer/blob/main/bin/docker_events.py
Here is a sample of my data. I want to separate each event by hours/min/sec, but since I have no timestamp I'm unable to make it work. I get the first few to break, but then it goes back to breaking incorrectly.
07:05:00.140 [https-jsse-nio-8443-exec-17] INFO com.sabrix - [EVENT SUCCESS Anonymous:@unknown -> /ExampleApplication/com.sabrix] Failed to look up error 'USSG120','347','334' Probably OK to ignore.Single entity not found.
07:05:00.126 [https-jsse-nio-8443-exec-17] INFO com.sabrix - [EVENT SUCCESS Anonymous:@unknown -> /ExampleApplication/com.sabrix] Failed to look up error 'CUSTAUTHSST1','19021','334' Probably OK to ignore.Single entity not found.
07:05:00.096 [https-jsse-nio-8443-exec-17] INFO com.sabrix - [EVENT SUCCESS Anonymous:@unknown -> /ExampleApplication/com.sabrix] Failed to look up error 'USSG120','825','334' Probably OK to ignore.Single entity not found.
07:00:17.125 [https-jsse-nio-8443-exec-23] INFO com.sabrix - [EVENT SUCCESS Anonymous:@unknown -> /ExampleApplication/com.sabrix] [Message: NO_EXACT_MATCH_FOUND_FOR_GEOCODE - No Exact match was found for the specified geocode, Message: AV_SUCCESSFUL_PROCESSING - Successful processing.] ... 45 common frames omitted at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:176) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:149) at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:444) at org.jboss.jca.adapters.jdbc.WrappedConnection.lock(WrappedConnection.java:164) Caused by: java.sql.SQLException: IJ031040: Connection is not associated with a managed connection: org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7@50fdb291 ... 
29 common frames omitted at org.hibernate.query.internal.AbstractProducedQuery.list(AbstractProducedQuery.java:1566) at org.hibernate.query.internal.AbstractProducedQuery.doList(AbstractProducedQuery.java:1598) at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1526) at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:220) at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:395) at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:505) at org.hibernate.loader.Loader.list(Loader.java:2599) at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2604) at org.hibernate.loader.Loader.doList(Loader.java:2770) at org.hibernate.loader.Loader.doList(Loader.java:2787) at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:351) at org.hibernate.loader.Loader.doQuery(Loader.java:949) at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1990) at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:2012) at org.hibernate.loader.Loader.prepareQueryStatement(Loader.java:2082) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareQueryStatement(StatementPreparerImpl.java:151) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:186) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:113) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47) Caused by: org.hibernate.exception.GenericJDBCException: could not prepare statement ... 
20 common frames omitted at com.thomsonreuters.persistence.helper.SabrixInternalExceptionDelegate.doExecute(SabrixInternalExceptionDelegate.java:87) at com.thomsonreuters.persistence.AbstractSabrixBaseRepository$6.call(AbstractSabrixBaseRepository.java:394) at com.thomsonreuters.persistence.AbstractSabrixBaseRepository$6.call(AbstractSabrixBaseRepository.java:398) at com.thomsonreuters.persistence.AbstractBaseRepository.findOneMatching(AbstractBaseRepository.java:753) at com.thomsonreuters.persistence.AbstractBaseRepository.findOne(AbstractBaseRepository.java:428) at org.springframework.data.jpa.repository.support.QuerydslJpaRepository.findOne(QuerydslJpaRepository.java:106) at com.querydsl.jpa.impl.AbstractJPAQuery.fetchOne(AbstractJPAQuery.java:253) at com.querydsl.jpa.impl.AbstractJPAQuery.getSingleResult(AbstractJPAQuery.java:183) at org.hibernate.query.internal.AbstractProducedQuery.getSingleResult(AbstractProducedQuery.java:1614) at org.hibernate.query.internal.AbstractProducedQuery.list(AbstractProducedQuery.java:1575) at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:154) Caused by: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: could not prepare statement at java.util.TimerThread.run(Timer.java:505) at java.util.TimerThread.mainLoop(Timer.java:555) at com.sabrix.scheduler.ScheduledTask.run(ScheduledTask.java:84) at com.sabrix.te.autocontentdownload.task.AutoContentDownloadTask.runTask(AutoContentDownloadTask.java:529) at com.sabrix.te.autocontentdownload.task.AutoContentDownloadTask.runTaskAndNotify(AutoContentDownloadTask.java:545) at com.sabrix.te.autocontentdownload.task.AutoContentDownloadTask.runTask(AutoContentDownloadTask.java:693) at com.sabrix.te.autocontentdownload.task.AutoContentDownloadTask.isTimeToRun(AutoContentDownloadTask.java:778) at com.sun.proxy.$Proxy135.getFrequency(Unknown Source) at 
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:205) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344) at java.lang.reflect.Method.invoke(Method.java:498) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at sun.reflect.GeneratedMethodAccessor857.invoke(Unknown Source) at com.sabrix.te.autocontentdownload.configuration.DefaultAutoContentDownloadSubsystemConfiguration.getFrequency(DefaultAutoContentDownloadSubsystemConfiguration.java:290) at com.sabrix.scheduler.SDIConfiguration.getAutoFrequency(SDIConfiguration.java:149) at com.sabrix.scheduler.SDIConfiguration.getAutoFreqConfig(SDIConfiguration.java:359) at com.sabrix.scheduler.SDIConfiguration.getConfig(SDIConfiguration.java:525) at com.thomsonreuters.persistence.taxentity.ConfigDao.findConfigByName(ConfigDao.java:69) at com.thomsonreuters.persistence.AbstractSabrixBaseRepository.findEntityByEntityKeyWithFinderException(AbstractSabrixBaseRepository.java:393) at com.thomsonreuters.persistence.helper.SabrixFinderExceptionDelegate.doExecute(SabrixFinderExceptionDelegate.java:65) at com.thomsonreuters.persistence.helper.SabrixInternalExceptionDelegate.doExecute(SabrixInternalExceptionDelegate.java:91) at com.thomsonreuters.persistence.helper.SabrixInternalExceptionDelegate.processException(SabrixInternalExceptionDelegate.java:135) com.sabrix.error.SabrixInternalException: Could not execute AbstractBaseRepository.findEntityByEntityKeyWithFinderException(). 06:57:48.030 [Timer-1] ERROR c.s.t.a.c.DefaultAutoContentDownloadSubsystemConfiguration - [EVENT FAILURE Anonymous:@unknown -> /ExampleApplication/com.sabrix.te.autocontentdownload.configuration.DefaultAutoContentDownloadSubsystemConfiguration] An error occurred whilst retrieving the auto content download frequency setting. Using default of "12" hours. 
at java.util.TimerThread.run(Timer.java:505) at java.util.TimerThread.mainLoop(Timer.java:555) at com.sabrix.scheduler.ScheduledTask.run(ScheduledTask.java:84) at com.sabrix.te.autocontentdownload.task.AutoContentDownloadTask.runTask(AutoContentDownloadTask.java:529) at com.sabrix.te.autocontentdownload.task.AutoContentDownloadTask.runTaskAndNotify(AutoContentDownloadTask.java:543) at com.sabrix.te.autocontentdownload.task.AutoContentDownloadTask.removeMessagesForChannel(AutoContentDownloadTask.java:585) at com.sun.proxy.$Proxy143.removeMessages(Unknown Source) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:118) at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:367) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344) at java.lang.reflect.Method.invoke(Method.java:498) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at sun.reflect.GeneratedMethodAccessor856.invoke(Unknown Source) at com.sabrix.te.messaging.management.NotificationMessageRemover.removeMessages(NotificationMessageRemover.java:88) at com.thomsonreuters.persistence.taxentity.NotificationMessageDao.findMessages(NotificationMessageDao.java:99) com.sabrix.messaging.management.MessageFinderRuntimeException: Could not execute AbstractBaseRepository.findEntitiesByEntityKey(Predicate). 
06:57:48.030 [Timer-1] ERROR c.s.t.a.task.AutoContentDownloadTask - [EVENT FAILURE Anonymous:@unknown -> /ExampleApplication/com.sabrix.te.autocontentdownload.task.AutoContentDownloadTask] An exception occurred during removal of messages on channel with id 200. 06:49:26.496 [https-jsse-nio-8443-exec-4] INFO com.sabrix - [EVENT SUCCESS Anonymous:@unknown -> /ExampleApplication/com.sabrix] Failed to look up error 'USSG148','10222','334' Probably OK to ignore.Single entity not found. 06:49:26.488 [https-jsse-nio-8443-exec-4] INFO com.sabrix - [EVENT SUCCESS Anonymous:@unknown -> /ExampleApplication/com.sabrix] Failed to look up error 'USSG192','7983','334' Probably OK to ignore.Single entity not found. 06:49:26.446 [https-jsse-nio-8443-exec-2] INFO com.sabrix - [EVENT SUCCESS Anonymous:@unknown -> /ExampleApplication/com.sabrix] Failed to look up error 'USSG148','10222','334' Probably OK to ignore.Single entity not found. 06:49:26.437 [https-jsse-nio-8443-exec-2] INFO com.sabrix - [EVENT SUCCESS Anonymous:@unknown -> /ExampleApplication/com.sabrix] Failed to look up error 'USSG192','7983','334' Probably OK to ignore.Single entity not found.
Hi Guys, I am trying to configure Splunk to send me alerts through mobile when the requests against my web server are more than a specified value. I ran the search and it shows me the request number and source IP, but I created an alert and this alert is not triggered at all (I viewed the triggered alerts menu and it's empty). It is scheduled to one hour, number of results greater than 0, and the selected action is Splunk Secure Gateway. My goal is to send these events to my mobile and to SOAR when they are greater than a value, and to configure a playbook to automatically block the src_ip as it's mostly performing a DoS attack. Can anybody help me?
host=192.168.1.1 "DST=192.168.1.174"|stats count(SRC) AS Requests BY SRC |sort - Requests | where Requests>50
Hi, I have a simple TCP syslog server in the same network where I have set up my Splunk Enterprise platform 9.10. I am trying to forward the data polled into Splunk Enterprise by add-on apps to the TCP syslog server. But even after configuring it from Settings > Forwarding and receiving, I am getting an error like "connection timed out". Can anyone suggest what is being missed or needs to be looked into here? Thank you
Dear Splunk experts, I just want to ask about the general upside/downside of creating a large number of indexes. We are thinking of creating a Splunk index per application/service, so we may end up with 3K to 5K indexes. This would allow us to target inputs.conf based on application/service. I'm just not sure of the downside of that many indexes... I appreciate your advice.
Hi Splunk Experts, I have a table and, based on a click, I'm holding the value of a field in a token and using it in a different panel with the search command. If there are any special characters, the search fails. I've tried replacing them with '*', but that gives me unexpected results. So I'm thinking of escaping all possible special characters in the token value. Please advise!
Ex: !@#$%^&*(){}|";:<>/\[]
I want them as below:
\!\@\#\$\%\^\&\*\(\)\{\}\|\"\;\:\<\>\/\\\[\]
I want to offload some logs into MinIO using SmartStore to reduce volume consumption in the license, but I cannot find a reference on whether SmartStore will still count against the license volume.
Hi All, I am trying to build a search query for an alert and below is the condition:
| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")) OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed")) OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed")) OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120))) OR (src="retaillineitemdup" AND Count>0) OR (src="esbmessagecount" AND MsgCount>5),"Down","Up") | stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain
But I am facing difficulty at line 4:
OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
It is reading all 3 filenames as one (Fname). It is taking all 3 file names (Fname=mdmdat,omsdat,promodat) as one, and hence I am getting an incorrect count for src=retailautonomyfileage. I am trying to break the condition of line 4 into 3 parts within the eval condition itself. Thanks in advance.
I have an event log that looks like this:
search_name=x, search_now=3.000, info_min_time=1692741600.000, info_max_time=1692828000.000, info_search_time=1692847620.636, app=Digital, text="<a href=\"https://support.vodafone.co.uk/1627646512 \" target=\"_blank\"> ...etc ", info_log=l
I use the command ... | table text to extract the 'text' field, and you get the expected result:
<a href=\"https://support.vodafone.co.uk/1627646512 \" target=\"_blank\"> ...etc
However, when I attempt to extract the same 'text' field from the same event, but this time from a summary index, I get a different result:
<a href=\
The whole value is presented in the event tab when I enable verbose mode, so the whole value is in the summary index but I can't show it. How do I prevent Splunk from truncating the result if it is in the summary index?
I have a table panel with the column field as Month-year, and this is a dynamic field populated from my panel query. One more column is a text field and it is a static field. (This does not need to be color coded.) I want to color code the cell values in all the dynamic fields based on the below condition: if the cell value is less than 2, the cell should be coded green; if the cell value is more than 2, the cell should be coded red. Other cells with text values should not be color coded. I tried to use multiple conditions with a color palette expression but that does not work:
<format type="color"> <colorPalette type="expression">if(isnull(value), "#c1fa9b", if(value&lt;02, "#c1fa9b", "#ff9c9c"), if(value&gt;02, "#ff9c9c", "#c1fa9b"))</colorPalette> </format>
I did the two conditions similarly, just to filter the fields with text values, so that all the numeric fields with values less than 2 will be displayed as green and those greater than 2 will be displayed as red. I am aware of writing JS scripts for this but would like to do this with SimpleXML. Could anyone please help me with this?
If I have a list of comma-separated numbers in a single Splunk event field (I have too many event fields like the one below), how can I split these comma-separated values and display them in the table format I mention below? Any suggestion here?
Sequence Numbers processed during this transaction : 00000000000000872510,00000000000000872511,00000000000000872512,00000000000000872513,00000000000000872514,00000000000000872515,00000000000000872516,00000000000000872517,00000000000000872518,00000000000000872519,00000000000000872520,00000000000000872521,00000000000000872522,00000000000000872523,00000000000000872524,00000000000000872525,00000000000000872526,00000000000000872527,00000000000000872528,00000000000000872529,00000000000000872530,00000000000000872531,00000000000000872532,00000000000000872533
How can I split these comma-separated values and display them individually in a table like:
00000000000000872510
00000000000000872511
00000000000000872512
00000000000000872513
00000000000000872514
00000000000000872515
00000000000000872516
. . . likewise till 00000000000000872533
Good morning. For example, I have the following numbers:
+140871771234, +140871771245, +140871771286
+171522334321, +171522334325, +171522334329
+151688325297, +151688325258, +151688325239
Ranges:
+1408717712XX, site code is A
+1715223343XX, site code is B
+1516883252XX, site code is C
When a number is found in the range, how do I give it the site code? Thank you.
Hi, I want to match partial values of field a with partial values of field b. I tried with match/like but no luck.
field a
AA\ABC$
BB\DCE$
field b
A=ABC,B=Domain,C=AB,D=XXX,E=NET
A=DCE,B=Domain,C=AB,D=XXX,E=NET
Now my results should return:
field a = field b
ABC = ABC
DCE = DCE
Could someone please help me on this?
Hi Everyone, is it possible to create a button similar to the Edit button and place it near the Edit button using HTML and CSS? I was able to create a button, but it is big and also I was not able to place it near the Edit button. Can anyone help me?