Hi, I have a Splunk Enterprise installation composed of 3 clustered indexers. I need to forward all the events received on port 9997 to an external system. Data must be indexed locally but also sent to this external system. I can't do this operation directly from the universal forwarders because of network restrictions. Is there a way to achieve this goal on the indexer side?
Hello everyone, I have set up a Splunk OTel Collector sidecar container along with my application container in AWS ECS Fargate to send APM traces to Splunk Observability Cloud. Everything seems to be working, but I was trying to add a container health check to see whether my sidecar container is healthy or not, and I have added a basic script that should always pass the checks. I have tried running the script/command after logging in to a container and it works perfectly fine, but when I configure it as part of my health check it fails.

Image: quay.io/signalfx/splunk-otel-collector:latest

Command used for the health check:

  "/usr/lib/splunk-otel-collector/agent-bundle/bin/curl -f http://localhost:13133 || exit 1"

Has anyone faced this issue before? Please help. Thanks
Hi, I have data with the following dates under the field "Warranty_End_Date":

  Warranty_End_Date  Manufacturer
  4/1/2026           Lenovo
  4/8/2026           Lenovo
  1/9/2026           Acer
  4/1/2025           Apple
  19/7/2023          Acer
  4/1/2026           Acer
  4/4/2026           HP
  8/1/2028           Lenovo
  10/1/2022          Lenovo
  4/1/2026           Apple
  4/1/2026           Apple
  4/1/2026           Lenovo
  4/1/2026           Lenovo
  4/1/2026           Lenovo
  4/3/2026           Lenovo
  4/3/2026           Lenovo

I want to create a new field with similar values with respect to Warranty_End_Date. I tried the command

  eval WarEnd = case("Warranty_End_Date" = "*2026", "2026", 1=1, "NA")

and similarly for other years, but got no proper output.
Good day. The following problem: I load data into Splunk once a week, however not always on the same day. I now want to show a trend against last week on a dashboard, but the span option must fit the day. Is there a way that the span option automatically adjusts to the next date where there is data? Or do you have another suggestion for how I can solve the problem? Currently, if the span does not fit exactly, I get an increase of 100%. My current search query is very basic:

  index=test CVSS_v3_Severity=$severity_tok$ Operating_System_Generation=$os_dd_tok$ | dedup CVE | timechart span=7d count

Thanks in advance and best regards, Nico
Hi. I have a search that shows a graph chart for 14 months. If I change the time picker it still shows 14 months for some reason. As you can see in the picture, the time picker says 30 days, but the graph still shows 14 months. What gives? Also, is there a way to display a trend line on the graph? If I use `| trendline sma10(Cores)` or the like, it changes the graph instead of just showing a linear line.
Hi Splunk experts. I have a table with multiple fields, and based on a click I have created a token to get the value of one of them. I need to pass this token's value to a text box on another panel. Is it possible? Please advise!
Hello, I have created a Splunk app and it is currently in the marketplace. I am getting a timeout error while pulling data from my API into the Splunk app. Upon investigation, I figured out that I need to increase `splunkdConnectionTimeout` from 30 sec to a higher value, in `$SPLUNK_HOME/lib/python3.7/site-packages/splunk/rest/__init__.py`, line number 52. I want to apply this modification when the user installs my app, so that it takes effect upon restarting Splunk. I tried doing this by using a `web.conf` file in my app, but I am not sure where and how to use it. Please help me with how I can do this.
- I am running an alert which is not triggering email actions when using the real-time option. The alert is used to search for hosts which have not sent logs in the last 5 minutes.
- For example, I shut down a host for testing and wait 5 minutes. I then manually use the search string and specify a time frame (e.g. last 15 minutes), and I am able to obtain results. However, even though the same search was configured in the form of an alert running in real time, it produces no results nor does it trigger an email.

Here is the search I am using:

  index=* | stats max(_time) as latest by host | eval recent=if(latest > relative_time(now(),"-5m"),1,0), realLatest=strftime(latest, "%Y-%m-%d %H:%M:%S") | fields - latest | where recent=0 | rename host AS Host, realLatest AS "Latest Timestamp" | table Host, "Latest Timestamp"
Good afternoon, I am trying to show information from a CSV which is static, but will be replaced as time goes on. I was wondering if there was a way to make the CSV filenames a dropdown option in an input which would correlate with the searches below it in the dashboard.

For example, input dropdown values:

  july.csv
  august.csv

And the search would be:

  | inputlookup $august.csv$ ...

Is this an option, or is there a better way to do this?
I'm trying to add an input within a canvas as indicated here: https://docs.splunk.com/Documentation/SplunkCloud/latest/DashStudio/inputConfig#Inputs_in_the_canvas I have been dragging my input to the canvas without luck. Then I found this video that shows a configuration option for "in canvas" or "above canvas": https://www.youtube.com/watch?v=eyXAa6xxrso However, on my dashboard, I do not have these options. Is there a configuration that I am missing? Why am I unable to move my inputs to the canvas?

Splunk Cloud Version: 9.0.2209.3
Hello all, I have seen this post (which is helpful): "How to get the on click marker gauge redirect to a dashboard?" I would like to run a search instead of setting a variable on a panel. Is this possible? The JavaScript writes the value to a $toke$ variable on a second panel. I would like to run a search; the filler gauge does not have an option for a drilldown. Yes, the easy way is to just click the search magnifying glass.

Thanks, eholz1
Is there a way to view license usage from the Splunk search head? I'm on Splunk 9.0.3. I've attempted to forward license_usage.log to the Splunk indexer and directly to the Splunk search head from the manager node. The file seems to forward; however, the contents are replaced with a message stating the information is only viewable from the manager node. Another possibility is that license_usage.log is generated by default on both the indexer and search head, so it only looks as though the log is being forwarded. Due to the way our Splunk deployment is distributed, I need to have the web interface disabled on the manager node, so simply logging into the manager node web interface is not an option. To reiterate the question above, is there a way to view licensing information (either through search or the monitoring console) from the Splunk search head?
Hi, I want to separate out the fields below in table format.

Raw event:

  Namespace [com.sampple.ne.vas.events], ServiceName [flp-eg-cg], Version [0.0.1], isActive [true], AppliationType [EVENT]

Query I am using:

  | eval Namespace=mvindex(split(mvindex(split(_raw, "Namespace "),1),"],"),0) | eval ServiceName=mvindex(split(mvindex(split(_raw,"ServiceName "),1),"],"),0) | eval Version=mvindex(split(mvindex(split(_raw,"Version "),1),"],"),0) | stats latest(Namespace) as Namespace latest(ServiceName) as ServiceName latest(Version) as Version by host | sort -Version

Expected result columns:

  Host  AppName  ServiceName  Version
Hi all, I would like to download the Splunk Add-on for AWS 6.0.0 documentation for my reference, but I have spent some time searching on Google and on https://docs.splunk.com/ and am unable to find it. Could anyone guide me on how to get the previous release documentation from the Splunk site?

Thanks in advance.
Hi all, after running several actions from the EWS for O365 app (version 2.12.0) in Phantom, the following error is received: "API failed. Status code: ErrorInvalidIdMalformed. Message: Id is malformed.". As per the app documentation, the expected field format for "Message ID" is not specified. I'm using the Message-Id field extracted from the original email headers. Is this correct? Is there any other way to obtain the message id? Which is the expected format? Thanks in advance!
For adding two KPIs in the SA topology, the KPI queries taken from the Monitoring Console use the REST API and work only on the Monitoring Console; they do not give results on the Search Head or in ITSI, where they are required. The error is: "Restricting the results of the rest operator to local instance because you do not have the dispatch_rest_to_indexers capability". How can I proceed with this?
Hi, I have two fields, field1 and field2:

  field1    field2
  ABC       AA\ABC
  DEF       DD\DEF
  GHI       GG\JKL

Now I need to compare both these fields and exclude the row if there is a match. So in the above case it should return only:

  field1    field2
  GHI       GG\JKL

Could someone help me with this, please?
Hi, I have an Excel file on a Linux server at a particular path. I have created an input to monitor this file, but I'm not receiving any logs. Can anyone help me with how to get that Excel file daily by creating an inputs.conf?
Hi team, I have 2 Splunk searches, and I want to exclude from the first search any hostname that matches the Node field in the 2nd search. How can I modify them to join these 2 searches and exclude the hostname? The common field is the hostname field in the first one, which appears as the Node field in the 2nd search.

First search:

  index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" group=tcpin_connections os=Windows | dedup hostname | eval age=(now()-_time) | eval LastActiveTime=strftime(_time,"%y/%m/%d %H:%M:%S") | eval Status=if(age< 3600,"Running","DOWN") | rename age AS Age | eval Age=tostring(Age,"duration") | lookup 0010_Solarwinds_Nodes_Export Caption as hostname OUTPUT Application_Primary_Support_Group AS CMDB2_Application_Primary_Support_Group, Application_Primary AS CMDB2_Application_Primary, Support_Group AS CMDB2_Support_Group, NodeID AS SW2_NodeID, Enriched_SW AS Enriched_SW2, Environment AS CMDB2_Environment | eval Assign_To_Support_Group=if(Assign_To_Support_Group_Tag="CMDB_Support_Group", CMDB2_Support_Group, CMDB2_Application_Primary_Support_Group) | table _time, hostname, sourceIp, Status, LastActiveTime, Age, SW2_NodeID, Assign_To_Support_Group, CMDB2_Support_Group, CMDB2_Environment | where Status="DOWN" AND NOT isnull(SW2_NodeID) AND CMDB2_Environment="Production" | sort 0 hostname

Second search:

  index=ivz_em_solarwinds source="solwarwinds_query://Test_unmanaged_Nodes_Data" | table Node Account Status From Until | dedup Node