All Topics

What does this cron expression mean? 1-30/10 * * * *
In one place it is described as "Every 10 minutes, minutes 1 through 30 past the hour", but I am not able to get it fully. Does it mean every 10 min for 30 min? If yes, then it will answer my query for another cron.
Hi, I have an alert scheduled to monitor if 2 different users are accessing the same device for authentication from Okta, and I'm monitoring it for 1 month. Once the alert is triggered, the same user details should not trigger it for the next 1 month. Any suggestions how I can achieve this? (Can be in query / alert actions.) Below is the sample query:

index=okta result=success NOT (device=null)
| eval _time=strftime(_time)
| stats values(user) as user dc(user) as "number of users per device" by device _time
| lookup XXX
| search "number of users per device">1
| regex device=myregx
| rex field=user (myregex)
| where isnull(match)
| table fields
| stats fields X y Z dc(_time) as detected by device
| where detected>=1
| sort _time
Hi, I am trying to count values based on whether they equal a range of values. Is that possible?

| search fieldName=$Token$
| stats count(eval(fieldName)) AS Label by FieldName
| table FieldName
Hi, I am not able to write a cron expression for an alert to run every 10 min, Mon to Fri, from 7:30 AM to 8:00 PM. Can anyone please help with this cron expression? I only know this: */10 7-20 * * 1-5, but I don't know how to give 7:30 instead of 7 AM in this case. Thanks, Taslim.
Hello, we are currently running Splunk 8.1 and we upgraded the Cloudflare app for Splunk to its latest version (2.0.0). Although we see that the dashboards from the app are getting populated properly, we are getting this error related to the macro:

SearchParser - The search specifies a macro 'cloudflare_zt_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

We have given the macro global permissions and added a setting in distsearch.conf to ensure the data replication, but the error is still showing up. We have disabled the app for now; however, we are trying to investigate what the issue could be. Kindly help.
Hi, we have an internal wiki with tons of useful information about hosts and IPs. I'm trying to set up a workflow action that triggers a search of the value (IP or hostname) on this internal wiki.
First issue: since this workflow action should work with a variety of fields (src_ip, dest_ip, host, src, dest, etc.), what variable shall I use in order to return the selected value in the workflow action? Is there a sort of global variable like $the_selected_value$, no matter whether it's an IP address, a hostname or whatsoever?
Second issue: I selected my workflow action to be applied on any field with a *, but the workflow action is just not available anywhere.
Thanks in advance for your kind help on this matter! Best
Hi, is it possible to get the list of Splunk alerts, reports and dashboards via 3 different Splunk queries? Thank you. Kind regards, Marta
I want to show this requirement in Splunk:
when year<="2020" && time_type="ALL", variable "day_type" must have "day"
when year>"2020" && time_type="ALL", variable "day_type" can have "day" and "night"
when time_type="half", variable "day_type" must have "morning"
So I wrote my code like this, but it doesn't work at all:

where day_type = case("$time_type$"=="ALL", case("$year$"<="2020", "day", 1=1, in("day","night")), "$time_type$"=="half", "morning", 1=1, day_type)

How could I implement this requirement?
Hi, I am looking for search queries to get, respectively:
- a list of all alerts
- a list of all reports
- a list of all dashboards
Any hint on how to achieve that? Thank you, Marta
Hi, I would like to learn how to save an SPL search and be able to retrieve it whenever necessary. I'm unsure about the process of saving an SPL search without setting a schedule for it to run, and I'm seeking guidance on how to achieve this. Thanks
I have been trying to install Splunk on Windows 10, but it gives me an error that says "Splunk Enterprise setup wizard ended prematurely because of an error". I have tried installing it from a command prompt running as administrator, but that does not work either.
I'm using the trial version and would like to simply look at any sample applications that may be available. In other words, something that is already instrumented where I could take a look at a sample transaction or two. I'd also like to look at a sample dashboard related to that test app. Any help would be appreciated.
Hello, I am rather new to Splunk. I have two values that I want to search for, but I want to combine them under one name in a multiselect option (easier for the user). There are two coded values each for offsite samples and onsite samples:
offsite samples = "OffsiteComplete" and "OffsiteNeedsReview"
onsite samples = "QA Approved" and "Analysis Complete"
I have tried to add both of these as values and use OR as the delimiter, but with no success. Please help! The code is below, and a screenshot.

<form>
  <label>LIMS Analytical Data</label>
  <description>Select Year Range First</description>
  <search>
    <query>| makeresults | addinfo</query>
    <earliest>$time_token1.earliest$</earliest>
    <latest>$time_token1.latest$</latest>
    <done>
      <eval token="tokEarliestTimeString">strftime($result.info_min_time$,"%Y/%m/%d %H:%M:%S %p")</eval>
      <eval token="tokLatestTimeString">if($result.info_max_time$="+Infinity",strftime(relative_time(now(),"0d"),"%Y/%m/%d %H:%M:%S %p"),strftime($result.info_max_time$,"%Y/%m/%d %H:%M:%S %p"))</eval>
      <eval token="tokEarliestTime">$result.info_min_time$</eval>
      <eval token="tokLatestTime">if($result.info_max_time$="+Infinity",relative_time(now(),"0d"),$result.info_max_time$)</eval>
    </done>
  </search>
  <fieldset submitButton="true">
    <input type="dropdown" token="lookupToken" searchWhenChanged="true">
      <label>Year Range</label>
      <choice value="LIMSCSV.csv">2022-2023</choice>
      <choice value="LIMS2021.csv">2021</choice>
      <choice value="LIMS2020.csv">2020</choice>
      <choice value="LIMS2019.csv">2019</choice>
      <choice value="LIMSPre2019.csv">Pre-2019</choice>
      <default>LIMSCSV.csv</default>
      <initialValue>LIMSCSV.csv</initialValue>
    </input>
    <input type="time" token="time_token1" searchWhenChanged="true">
      <label>Select Time Range within Year Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="lab_token" searchWhenChanged="true">
      <label>Result Status</label>
      <delimiter> OR </delimiter>
      <search>
        <query/>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="OffsiteComplete,OffsiteNeedsReview">Offsite Analysis</choice>
      <choice value="QA Approved">Onsite Analysis</choice>
      <valuePrefix>ResultStatus="</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="analyte_token" searchWhenChanged="true">
      <label>Select Analyte</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>Analyte="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>Analyte</fieldForLabel>
      <fieldForValue>Analyte</fieldForValue>
      <search>
        <query>|inputlookup $lookupToken$ |where _time &lt;= $tokLatestTime$ |where _time &gt;= $tokEarliestTime$ |where $lab_token$ |stats count by Analyte</query>
      </search>
Hello, which scanning tool would you recommend to report on Splunk add-on vulnerabilities?
Hello, can someone please help me with solutions for the errors below from the Splunk internal logs?

Host | Component | Error
splunk01-shc | SearchScheduler | The maximum disk usage quota for this user has been reached.
splunk01-shc | DispatchManager | The maximum number of concurrent historical searches on this instance has been reached.
splunk01-shc | UserManagerPro | SAML config is invalid, Reconfigure it.
splunk02 | ExecProcessor | message from "{}" /bin/sh: {}: Permission denied
splunk02 | ExecProcessor | message from "{}" File "/opt/splunk/etc/apps/splunk_assist/bin/instance_id_modular_input.py", line 29, in should_run
splunk01-shc | SearchScheduler | Search not executed: The maximum number of concurrent historical searches on this instance has been reached., concurrency_category={}, concurrency_context={}, current_concurrency={} concurrency_limit={}
I am regularly running queries to ingest DB data from heavy forwarders, but is there a way to run ad-hoc DBX searches from the Splunk Cloud search head? It either doesn't seem to recognize the connection, or it returns no results when I attempt it with a connection that exists on the heavy forwarder.
I am using the nix TA to report on Unix and Linux server health. I'm trying to learn how things work by using the "Monitoring Unix and Linux" content pack and looking at how KPIs and the itsi_summary_metrics work together. I am analyzing the NIX:OS:Performance.NIX-df base search and see that it is using a "metrics search", and I can't find what field that base search is looking for in my data to generate any of the metrics, for example "Free MB /". When I look at my events index (in my case the index is "os"), I have the sourcetype df, but it does not have a "Free MB /" field. Is there a saved search generating the field that the base search will be using for that metric? I looked in saved searches, Fields, All configurations, but can't find anything. Perhaps I'm looking for the wrong thing? Am I thinking about this all wrong? I am new to ITSI and am going to take the ITSI course soon.
Hello team, I have data from CSV files coming into my Splunk instance, and I can search and find that data. However, the values come together in the "Event" field, and I would like to separate them on commas to create dashboards for servers that haven't been patched in over 30 days and haven't been restarted in over 30 days. So I use the following search:

index="index_name" host=hostname source="path_to_file/file.csv" sourcetype="my_source"

And I get the results as follows (screenshot: how I see the event). I'm new to using the tool, so I'm a bit overwhelmed by the amount of information and not sure which way to go. Is it possible to do this just using Splunk commands? Note: as you can see, I have hidden the real information about the servers, IPs and other names for compliance purposes.
I have a sourcetype that is exhibiting very odd behavior. If I try to run a lookup command such as the following:

index=index_here sourcetype=sourcetype_here | lookup lookup_name JoiningID as JoiningID output Value1 Value2

it will not give me Value1 or Value2 in my results. However, if I instead run:

index=index_here sourcetype=sourcetype_here | join type=left JoiningID [| inputlookup lookup_name]

I get Value1 and Value2 joined in with no problem. What are some reasons for the actual lookup command not giving me any values?