Hello, everyone. I just ran into an issue where a stanza within apps\SplunkUniversalForwarder\local\inputs.conf on a forwarder is overwriting other apps\AppName\local\inputs.conf from other apps in the apps folder. I would like to either disable this app, delete the \SplunkUniversalForwarder\local folder, or delete the stanza. The problem is that this has happened on multiple hosts and I need an automated method of doing this. Does anyone have an idea so that this default app, which I don't even want to touch, doesn't overwrite my own actually used apps? Thanks
What's the difference between :: and = in Splunk search? What are the benefits vs drawbacks?
I want to get information related to writing debug logs to Splunk from Salesforce Apex code. Can you provide us with steps, or which managed package or connector we can use for this? Thanks, regards, Kr Saket
What is the fastest way to run a query to get an event count on a timechart per host? This is for Windows events and I want to get a list of how many events each device is logging per month so that I can identify the increase/decrease. They are all ingested in one index. A query like this will take a while to run if run for about a year. Is there a faster way to get this data?

index=<index_name> | timechart count by Computer span=1mon

Thanks.
What's the simplest regex that will match any character including newline? I want to be able to match all unknown content between two very specific capture groups. Thanks! Jonathan
I'm using the rex command to parse a value out of the results of a transaction command. Is there an easy way to restrict the resulting capture from searching either the start or end block of the transaction? This would be much easier than doing it in the regex itself, since both blocks of text returned are very similar. Thanks! Jonathan
I have event logs similar to this.

{Level: Information
MessageTemplate: Received Post Method for activity: {Activity}
Properties: { [-]
  ActionId: 533b531b-3078-448f-a054-7f54240962af
  ActionName: Pcm.ActivityLog.ActivityReceiver.Controllers.v1.ActivitiesController.Post (Pcm.ActivityLog.ActivityReceiver)
  Activity: {"ClientId":"1126","TenantCode":"BL.Activities","ActivityType":"CreateCashTransactionType","Source":"Web Entry Form","SourcePath":null,"TenantContextId":"00-9b57deb074fd41df69f90226cb03f499-353e17ffab1a6d25-01","ActivityStatus":"COMPLETE","OriginCreationTimestamp":"2023-09-28T11:39:48.4840749+00:00","Data":{"traceId":"9b57deb074fd41df69f90226cb03f499","parentSpanId":"88558259300b25e5","pcm.user_id":2,"pcm.name":"Transaction_Type_2892023143936842"}}
  Application: ActivityLogActivityReceiver
  ConnectionId: 0HMU00KGAKUBJ
  CurrentCorrelationId: 95c2f966-1110-405b-ae9a-47a024343b6c
  Environment: AWS-OB-DEV5
  OriginCorrelationId: 95c2f966-1110-405b-ae9a-47a024343b6c
  ParentCorrelationId: 95c2f966-1110-405b-ae9a-47a024343b6c
  RequestId: 0HMU00KGAKUBJ:00000003
  RequestPath: /api/activitylog/v1/activities
  SourceContext: ActivityLog.ActivityReceiver.Controllers.v1.ActivitiesController
  TenantContextId: 00-9b57deb074fd41df69f90226cb03f499-353e17ffab1a6d25-01
  XRequestId: 3ba2946fa8cc0e5d5e3e82f27f566dd4
} }

I want to create a table from Properties.Activity with some specific fields:

"ActivityType", "Source", "OriginCreationTimestamp"
"CreateCashTransactionType", "Web Entry Form", "2023-09-28T11:39:48.4840749+00:00"

Can you help me write the query? I tried spath/mvexpand but was not able to find it.
To start with, I am very new to Splunk and I've been stumbling my way through this with varying degrees of success. We recently upgraded Splunk from 8.2 to 9.1.2. We noticed the new SSL requirements, but we went with a self-signed cert, and the website shows as not secure. We wanted to make sure everything was as secure as possible. We created an actual CA cert chain and redirected web.conf to the cert along with the key. I had issues with this at first because we weren't using a passphrase on the cert creation, but we fixed that and it seems to accept it. Now the webpage seems to load, but it takes an incredibly long time. Once loaded, we should be able to log in with LDAP. That's no longer working. I tried the local admin and it thinks for a while and then goes to an "Oops. The server encountered an unexpected condition which prevented it from fulfilling the request. Click here to return to Splunk homepage." page. This is on the deploy server. I changed server.conf to use the cert as well, though that doesn't appear to make a difference. I checked openldap.conf and added the cert to that, but then the page wouldn't load anymore (doing a splunk restart between each change). I'm not sure which logs to even look at to find the problem. I have gone through the documentation to set up the TLS, which we want to do for interserver communication and for the webpage. The forwarders aren't necessary right now. Can anyone give me a clue what I might be doing wrong? EDIT: I did discover this error in splunkd.log relating to my cert. The only post I've found so far says to combine the key and pem into a single file it can use.
message="error:0906D06C:PEM routines:PEM_read_bio:no start line

Here are my config files.

server.conf

[general]
serverName = servername.com [changed for privacy reason]
pass4SymmKey =[redacted]

[sslConfig]
# turns on TLS certificate host name validation
sslVerifyServerName = true
serverCert = /opt/splunk/etc/auth/servername.com.pem
#sslPassword =[redacted]
#SSL No longer valid option
# sslPassword = [redacted]
# turns on TLS certificate host name validation
cliVerifyServerName = true
sslPassword = [redacted]
# Reference the file that contains all root certificate authority certificates combined together
sslRootCAPath = /opt/splunk/etc/auth/servername.com.pem
sslCommonNameList = servername.com, servername

[pythonSslClientConfig]
#sslVerifyServerCert = true
#sslVerifyServerName = true

[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
quota = MAX
slaves = *
stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free

[lmpool:auto_generated_pool_enterprise]
description = auto_generated_pool_enterprise
quota = MAX
slaves = *
stack_id = enterprise

[license]
active_group = Enterprise

[kvstore]
storageEngineMigration = true

web.conf

[settings]
enableSplunkWebSSL = true
privKeyPath = /opt/splunk/etc/auth/myprivate.key
serverCert = /opt/splunk/etc/auth/servername.com.pem
sslPassword =[redacted]

authentication.conf

[authentication]
authSettings = ldapserver.com
authType = LDAP

[roleMap_ldapserver.com]
admin = SplunkAdmins

[ldapserver.com]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=ServiceAccount,CN=AccountFolder,DC=SubOrg,DC=Org,DC=com
bindDNpassword = [redacted]
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = OU=Groups,OU=Users & Computers,OU=MainFolder,DC=SubOrg,DC=Org,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldapserver.SubOrg.Org.Com
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 636
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Users,OU=Users & Computers,OU=MainFolder,DC=SubOrg,DC=Org,DC= com
userNameAttribute = samaccountname

ldap.conf

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
ssl start_tls
TLS_REQCERT demand
TLS_CACERT /opt/splunk/etc/auth/ldapserver.pem
# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old operating
# systems (Windows Server 2008 R2 and earlier).
# To add support for Windows Server 2008 R2 set TLS_PROTOCOL_MIN to 3.1 and
# add these ciphers to TLS_CIPHER_SUITE:
# ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:
# ECDHE-RSA-AES128-SHA
# TLS_PROTOCOL_MIN: 3.1 for TLSv1.0, 3.2 for TLSv1.1, 3.3 for TLSv1.2.
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256>
#TLS_CACERT absolute path to trusted certificate of LDAP server. For example /opt/splunk/etc/openldap/certs/mycertificate.pem
#TLS_CACERTDIR absolute path to directory that contains trusted certificates of LDAP server. For example /opt/splunk/etc/openldap/certs
I need to compare the values of 2 fields from the Splunk data with the field values from the lookup, find the values missing from the Splunk data, and output those missing field-value pairs.

For example:

index=test sourcetype=splunk_test_data
fields: field1, field2

lookup: test_data.csv
Fields: field1, field2

The output should show the values missing from the Splunk data. Any help would be appreciated. Thanks
My query returns multiple rows, one for each environment that meets a certain condition. I would like to trigger an alert for each row (environment) that meets the condition. Is there a way to do this in Splunk?
Hello there. I have IIS logs being ingested into Splunk. The sourcetype is currently set to "iis:test".

props.conf:

[iis:test]
TZ = UTC
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TRANSFORMS-8_AssignToIndex = setindex_dev, setindex_qa, setindex_stage, setindex_prod

transforms.conf:

[setindex_dev]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::web-dev-2\d{1}.*$
DEST_KEY = _MetaData:Index
FORMAT = wf_dev_i

[setindex_qa]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::web-qa-2\d{1}.*$
DEST_KEY = _MetaData:Index
FORMAT = wf_qa_i

[setindex_stage]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::web-stg-2\d{1}.*$
DEST_KEY = _MetaData:Index
FORMAT = wf_stage_i

[setindex_prod]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::web-2\d{1}.*$
DEST_KEY = _MetaData:Index
FORMAT = wf_prod_i

This should send the events coming from the host web-dev-20 to the wf_dev_i index. Instead, they go to the main index. I have the same configuration set for other sources and it works fine. What am I missing here? Thank you, Claudio
I have a generic catchall for syslog traffic that is breaking when I try to use an acceptFrom for a subnet.

--- Generic Catchall ----
[udp://514]
connection_host = ip
index = syslog
sourcetype = syslog

The catchall functions correctly when using a single specific IP going to a specified index:

[udp://192.168.1.1:514]
host = srv-lb-2
connection_host = none
index = a10
sourcetype = syslog

But if I try to add a new UDP input to capture a full /24 to shove it in a separate index, that overrides/disables the generic input from the first one. I do see messages in the checkpoint index; however, the [udp://514] from the first block stops.

[udp://514]
acceptFrom = 192.168.2.0/24
connection_host = ip
index = checkpoint
sourcetype = syslog

Anyone know how to do this in a way that works please?? Thanks!
I need to change the value of the "Trigger" parameter from "Once" to "For each result" for multiple alerts. But I can't find the parameter where it's stored to change it via API.
I have the following query:

index=obh_prod sourcetype=obh:edge:api proxy!="ow*"
| lookup blink_six_providers ProviderId as pxrq_h_x-corapi-target-id OUTPUT ProviderId ProviderName
| fillnull value=target_id ProviderId ProviderName
| dedup ProviderName ProviderId
| table ProviderId ProviderName

If no values are found, ProviderId and ProviderName should both get the value of pxrq_h_x-corapi-target-id. It actually now produces:

ProviderId                 ProviderName
pxrq_h_x-corapi-target-id  pxrq_h_x-corapi-target-id
IIDP06300                  Valiant Bank AG
IIDP00761                  Aargauische Kantonalbank

It should produce the following if the xrq_h_x-corapi-target-id e.g. contains IIDP099999 and this value is not found in the lookup. How do I get the contents of the variable and not the name of the variable itself?

ProviderId  ProviderName
IIDP099999  IIDP099999
IIDP06300   Valiant Bank AG
IIDP00761   Aargauische Kantonalbank
I have a dashboard that shows/hides panels whenever option(s) in a checkbox are ticked, which is already working. My problem is that whenever I select the option as the default value, the panel is still hidden whenever I open the dashboard. Any idea on this? Or am I missing something? Here's some part of my XML.

<input type="checkbox" token="check">
  <label>Category Type</label>
  <choice value="db_gc_wait">DB GC Waits</choice>
  <choice value="concurrent_manager">Concurrent Managers</choice>
  <choice value="blocking_session">Blocking Session</choice>
  <choice value="longrunning_job">Long Running Jobs</choice>
  <choice value="crm_top_request">CRM Top Requests</choice>
  <choice value="workflow_mailer">Workflow Mailer</choice>
  <change>
    <condition match="$check$ = &quot;db_gc_wait&quot;">
      <set token="show_db_gc_wait">1</set>
      <unset token="show_concurrent_manager"></unset>
      <unset token="show_blocking_session"></unset>
      <unset token="show_longrunning_job"></unset>
      <unset token="show_crm_top_request"></unset>
      <unset token="show_workflow_mailer"></unset>
    </condition>
    ...
    <condition match="$check$ = &quot;db_gc_wait concurrent_manager blocking_session longrunning_job crm_top_request workflow_mailer&quot;">
      <set token="show_db_gc_wait">1</set>
      <set token="show_concurrent_manager">1</set>
      <set token="show_blocking_session">1</set>
      <set token="show_longrunning_job">1</set>
      <set token="show_crm_top_request">1</set>
      <set token="show_workflow_mailer">1</set>
    </condition>
    <!-- Unset all tokens -->
    <condition>
      <unset token="show_db_gc_wait"></unset>
      <unset token="show_concurrent_manager"></unset>
      <unset token="show_blocking_session"></unset>
      <unset token="show_longrunning_job"></unset>
      <unset token="show_crm_top_request"></unset>
      <unset token="show_workflow_mailer"></unset>
    </condition>
  </change>
...

<row>
  <panel depends="$show_db_gc_wait$">
    <table>
      <title>Database GC Waits</title>
      <search>
        <query> MY QUERY</query>
        <earliest>$time_tok.earliest$</earliest>
        <latest>$time_tok.latest$</latest>
      </search>
      <option name="drilldown">cell</option>
    </table>
  </panel>
</row>
Hi. I have a lot of alerts in my Splunk apps. Is there a way to count the number of alerts returning results by day, by month...? Is it possible? Thanks
Hello folks, I have a question about multiple checkboxes. I'm using them to fill an "IN" command in my search, and I have an "All" option. I was thinking about whether it is possible, when I check this "All" option, for the others to be unchecked, like in the example below: 1: 2: And if possible only using XML (without JavaScript).
The fifth leaderboard update for The Great Resilience Quest is out >>  Check out the Leaderboard  Kudos to our new players who are joining with great enthusiasm! New chapters are arriving in less than a month, so stay tuned! Many rewards await – Jump into the game to enhance your understanding of digital resilience with Splunk and aim for a top spot on the leaderboard. Tip: For an optimal gaming experience, please disable ad-blockers in your browser settings, as they might affect the quest page loading. Best regards, Splunk Customer Success
I have a Windows server and its OS crashed, but I have the Splunk database on another drive, which is fine. The steps I have performed in the new Splunk installation are:

1. Copied the configurations of the previous Splunk application from the backup I have into the new application.
2. Changed the database location and created the database structure on another drive apart from the C: drive.
3. From the earlier database, I copied the indexed data into the new database, where I overwrote the already present indexes which were created as per the indexer configuration.
4. Now when I restart Splunk I am getting a "DIRTY_DATABASE File (.dirty_database)" file generated.
5. But I can see the data in the indexes when I run a search.

So, the question is whether the procedure I followed is correct, or is there any other way to do this? Thanks, Your well wisher
I'm struggling to find documents on AppDynamics SaaS ingestion capability in an agentless approach. Basically, I know I have to find a way of monitoring SAP CPI (in the cloud), and no agent can be installed there. I need a way of calling data from an external source and then gathering it in AppD, or directly shipping the data to AppD. Does a feature like this exist, and where is it documented? Best regards