All Topics

Hello Community, I have tried searching, but I've not found an answer to my specific needs... or I don't know how to word my question. I work in a company that manufactures servers. Each server manufactured creates a logfile with a unique name. The log file is a txt file that has identifying lines like "Serial Number: FMXXXXXXX", "Station: 1", "Start Tme: 12:00:00", etc. I am trying to configure Splunk to search all these log files based on serial number (to start with) and eventually create a searchable dashboard where I can look up log files based on serial numbers. I'm obviously new to Splunk, and have watched a lot of tutorials, but most tutorials focus on searching one big log file, or several log files. So far, I have set up the Splunk UI and pointed it to a directory containing my log files. Under "data summary" my sources are over 100k and sourcetypes are over 14k. Any help would be appreciated. Kevin
A couple of weeks ago I took a screenshot of the "Save As Alert" window. Alert type Real-time was available. Today, my colleagues discovered that we can no longer do so; the only alert type is "Scheduled". Our admin role has the schedule_rtsearch capability set, but we are not able to find the "rtsearch" capability mentioned in the documentation as also required. Has the latest Splunk Cloud version upgrade to 9.0.2305 removed that capability? Or am I missing something?
Hi, I created an account to use the free version for 2 weeks and learn Splunk. I received the email to activate my account, but I didn't receive the email with the URL and login credentials. I don't know why; I've been waiting for more than an hour and it didn't work. I thought that Splunk rejected Gmail, so I created another account with Yahoo!, but I still haven't received any login credentials or URL. Please help. Thank you.
Hi guys, I need your help, please. I'm trying to make a connection between MongoDB and Splunk using the DBConnect app, but it's not working. I have been working with this: https://unityjdbc.com/mongojdbc/setup/mongodb_jdbc_splunk_dbconnect_v3.pdf Are any of you guys currently working with this connection between MongoDB and Splunk who can help me, please? Regards.
Apologies if this has been asked before. Essentially, I have a Single-value visualization in a dashboard that just displays a number. This dashboard was built in Dashboard Studio, and the search tied to the visualization is a simple: index="my_index" | stats count What I want to accomplish is that when people open this search from the visualization, instead of displaying the | stats count, it will display a table of the data. If I add a table command at the end, I lose the stats for the visualization. Is there any way to have both a table and stats from one search? Or is there a way to have a different search open when somebody clicks this visualization?
Hello, We have company iPhones, managed with Jamf Now, that we would like to collect logs on. Specifically, we would be most interested in the login attempts. Is there a way for us to collect those logs and send them to our Splunk Cloud environment? Thank you!
PS: I checked the other similar questions in this forum, but my question is not answered. Hence posting again. Good afternoon all, When I try to fetch my events using a panel in a dashboard, the results do come up, but they are way smaller compared to the exact same query that I use in the search window. The purpose is to keep monitoring failure spikes happening on the production environment. I'm providing the normal search query as well as the entire dashboard query (scrubbed) for your review. For sure the normal search is returning more values than the exact query as run from the panel.

Normal search query:

index=myOnlyIndex | fields * | search clientApp="Fictitious Company Mobile App*" Customer=Production app IN (https) requestMethod=POST | timechart span=1h count BY failureCode usenull=false useother=false

Dashboard details:

<form version="1.1" theme="light">
  <label>Production Spikes.</label>
  <description>This dashboard contains various panels that will be tested before eventually being moved into the functional dashboard</description>
  <search id="BaseSearch">
    <query>index=myOnlyIndex | fields * </query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="time_token" searchWhenChanged="true">
      <label>Timeframe</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="environment" searchWhenChanged="true">
      <label>Environment</label>
      <prefix>Customer=</prefix>
      <suffix></suffix>
      <initialValue>*</initialValue>
      <choice value="*">All</choice>
      <choice value="UAT">UAT</choice>
      <choice value="Production">Production</choice>
    </input>
    <input type="dropdown" token="protocol" searchWhenChanged="true">
      <label>Protocol</label>
      <prefix>app IN (</prefix>
      <suffix>)</suffix>
      <choice value="http, https">Both</choice>
      <choice value="https">HTTPS Only</choice>
      <choice value="http">HTTP Only</choice>
    </input>
    <input type="dropdown" token="reqMethod" searchWhenChanged="true">
      <label>Request Method</label>
      <prefix>requestMethod=</prefix>
      <suffix></suffix>
      <initialValue>*</initialValue>
      <choice value="*">All</choice>
      <choice value="GET">GET Method</choice>
      <choice value="POST">POST Method</choice>
      <choice value="PUT">PUT Method</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Mobile Application Generic Spikes</title>
      <chart>
        <search base="BaseSearch">
          <query>search clientApp="Fictitious Company Mobile App*" $environment$ $protocol$ $reqMethod$ | timechart span=1h count BY failureCode usenull=false useother=false </query>
        </search>
      </chart>
    </panel>
  </row>
</form>
Hello All, I have created a filler gauge for a count of events. I would like to not see the scale on the right side of the gauge, or change the major units to show just 100s. Is this possible? See image below: I have searched to see if I can change this, but have not yet found the answer. Thanks as always, eholz1
Downloaded the SA-cim_Vladiator app on my Splunk Enterprise; however, it's stuck on search type= _raw and Target Datamodel= "Network_Traffic", which is grayed out, and I can't select any different datamodels. Could anyone provide any info to help me get this working correctly? Thanks all
Hi all, I have a table with the start time and stop time of each case as below.

ID      Case Name   Start Time                  Stop Time
user_1  Case_A      2023.08.10 13:26:37.867787  2023.08.10 13:29:42.159543
user_2  Case_B      2023.08.10 13:29:42.159545  2023.08.10 13:29:48.202143

Because I want to merge the duration of case execution with another event, I hope to transform the above table into this kind of table.

_time                       ID      Case Name   case_action
2023.08.10 13:26:37.867787  user_1  Case_A      start
2023.08.10 13:29:42.159543  user_1  Case_A      stop
2023.08.10 13:29:42.159545  user_2  Case_B      start
2023.08.10 13:29:48.202143  user_2  Case_B      stop

I could transform the start time into _time by

|eval _time='Start Time'

However, I can't think of a solution to record "Stop Time" into _time as well. Does anyone have an idea about how to accomplish this? Thanks a lot.
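The transformation asked for above is an unpivot: every row becomes two events, one per boundary, and the result is re-sorted by _time so it can be interleaved with the other event stream. In SPL the same shape is an eval with mvappend to pair each timestamp with its action, mvexpand to split the row in two, rex to separate the pair again and strptime to turn the string into _time. The Python below is an added example, not code from the poster, that does the same thing over a copy of the two rows from the question plus a constructed second event stream, and then shows the merge the poster is after. The during_case field name and the OTHER_EVENTS data are my assumptions.

```python
from datetime import datetime

# Timestamp layout used in the question's table; %f takes the six-digit microseconds.
TIME_FORMAT = "%Y.%m.%d %H:%M:%S.%f"

# Constructed copy of the two rows from the question.
ROWS = [
    {"ID": "user_1", "Case Name": "Case_A",
     "Start Time": "2023.08.10 13:26:37.867787",
     "Stop Time": "2023.08.10 13:29:42.159543"},
    {"ID": "user_2", "Case Name": "Case_B",
     "Start Time": "2023.08.10 13:29:42.159545",
     "Stop Time": "2023.08.10 13:29:48.202143"},
]

# Constructed events from the "other" source the poster wants to merge with (assumed).
OTHER_EVENTS = [
    {"_time": "2023.08.10 13:27:00.000000", "message": "disk warning"},
    {"_time": "2023.08.10 13:29:45.000000", "message": "auth failure"},
    {"_time": "2023.08.10 13:30:00.000000", "message": "idle"},
]


def parse_time(text):
    return datetime.strptime(text, TIME_FORMAT)


def unpivot(rows):
    """Turn each start/stop row into two events, one per boundary, ordered by _time."""
    events = []
    for row in rows:
        start, stop = parse_time(row["Start Time"]), parse_time(row["Stop Time"])
        if stop < start:
            raise ValueError(f"{row['ID']}/{row['Case Name']}: stop precedes start")
        for column, action in (("Start Time", "start"), ("Stop Time", "stop")):
            events.append({
                "_time": row[column],
                "ID": row["ID"],
                "Case Name": row["Case Name"],
                "case_action": action,
            })
    events.sort(key=lambda e: parse_time(e["_time"]))
    return events


def merge_timeline(case_events, other_events):
    """Interleave both streams by _time and tag each 'other' event with the case
    that is open at that moment (during_case is None when no case is running).
    The sort is stable, so a case boundary sharing a timestamp with another
    event is applied before that event is tagged."""
    timeline = sorted(case_events + other_events, key=lambda e: parse_time(e["_time"]))
    open_case = None
    merged = []
    for event in timeline:
        if "case_action" in event:
            open_case = event["Case Name"] if event["case_action"] == "start" else None
            merged.append(dict(event))
        else:
            merged.append({**event, "during_case": open_case})
    return merged


if __name__ == "__main__":
    for event in merge_timeline(unpivot(ROWS), OTHER_EVENTS):
        print(event)
```

The stop-before-start check matters when the source table is built from logs that can be truncated or clock-skewed; a row that fails it would otherwise silently produce a negative duration once the events are paired again downstream.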
I downloaded splunkforwarder-9.1.0.1-77f73c9edb85-Linux-x86_64.tgz, untarred it on a fresh Ubuntu 22.04, ran ./splunk start (also tried ./splunk start --debug), then accepted the license and set the password. The command lsof -i -P -n | grep 8089 doesn't show anything, but ps shows the UF is running:

user    8267  0.2  0.1 403216 98920 ?        Sl   14:00   0:10 splunkd -p 8089 restart --debug
user    8268  0.0  0.0 120792 15068 ?        Ss   14:00   0:00 [splunkd pid=8267] splunkd -p 8089 restart --debug [process-runner]

I tried the same steps on 9.0.5. It worked:

splunkd    462339        user    4u  IPv4 54062151      0t0  TCP 127.0.0.1:8089 (LISTEN)

How do I get UF 9.1 to listen on port 8089? Or does UF 9.1 not work the same way? Thanks
Hi, I have an issue where my UF installed on a Linux server is not uploading data to Splunk from a specific folder. My inputs.conf file contains multiple similar setups for several folders to be uploaded. Everything is working perfectly except for one folder. In the inputs.conf file, I have the following setup for this folder:

[monitor:///DATA/remotelogs-ORACLE-MESS/test/*]
index=test_bd_oracle
sourcetype=test_oracle:audit:xml
host_segment = 3

This setup is to upload all files under the path /DATA/remotelogs-ORACLE-MESS/test/. However, no files are being uploaded. What is also weird is that when I open one of those files using the Linux Vim command, a temporary copy of that file is auto-created with the extension .swp, and the UF UPLOADS the .swp file. Any help is appreciated. Thank you.
Hi All, I am trying to create a single value panel like below and add a tooltip which displays values dynamically. But when I implemented this, the single value panel disappeared and the output of the mouseover tooltip query is displayed as a panel in Splunk, as shown below. Below is the source code.

<dashboard>
  <label>Finance Job Status Clone</label>
  <row>
    <panel id="panel1">
      <title>Functional Area</title>
      <search>
        <query>| makeresults | eval FA="HR and Finance ACN"</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <html id="htmlToolTip1" depends="$tokToolTipShow1$">
        <!-- Style for Tooltip Text for center alignment with panel -->
        <style>
          #htmlToolTip1{
            margin:auto !important;
            width: 20% !important;
          }
        </style>
        <div class="tooltip fade top in">
          <div class="tooltip-arrow"/>
          <div class="tooltip-inner">$tokToolTipText1$</div>
        </div>
      </html>
      <table>
        <search>
          <query>*Search query*</query>
          <earliest>1691485200</earliest>
          <latest>1691658000</latest>
          <done>
            <set token="tokToolTipText1">$result.Job$</set>
          </done>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

In the above source code, the output of the struck-through query should appear as a dashboard panel (first screenshot), and the output of the second search query should appear when we hover over that panel. Could someone please suggest what's wrong in the above code?
We would very much like to restrict certain users in our Splunk environment to the apps that have been provided to them and prevent them from reaching the Search interface. We have established separate roles for each app, and assigned the users to those roles, but are having some difficulty determining exactly which set of capabilities the roles require for the apps to function while making sure the users can't reach the search bar. We remove the "Open in Search" option from the bottom of the dashboard panels, and we would like to remove access to the Search & Reporting app from all but the necessary roles. We just want to be sure everything still functions for the users in their various apps. Any guidance would be helpful. Thanks!
Hi, I created a job runner. It's not fetching any results, but when run separately in search it gives me data. Screenshot for reference. Any help here please.
Hello. During issue creation with Jira Service Desk, custom fields get ignored, i.e. an issue gets created with the mandatory fields, like description, summary, etc.; however, custom fields are not populated. The syntax of the CF is like "customfield_21264": "Hello".

I can successfully set this CF if I create the issue via HTTP with curl:

$ curl -k -u 'account:password' --request POST --url 'https://jira-host/rest/api/2/issue' --header 'Accept: application/json' --header 'Content-Type: application/json' --data '{"fields": { "project": { "key": "PROJ" }, "summary": "Pictures", "description": "SIEM-Eng", "issuetype": {"name":"Event"}, "customfield_21264": "Hello"}}'
Hello, When I get results from a search query, the complete pages don't display. For example, I searched 9 am to 7 pm (10 hrs) of logs. But the result I got was up to 1 pm only; after that it is missing. Please refer to the screen capture for better understanding. Thanks, Ragav
Hi all! I have a field called "correlation id" in my search output, out of which I am trying to extract another field called "key". E.g. correlation id field value: Stores_XstorePOSError_tjm1554_2023320. Then its corresponding key value: Stores_XstorePOSError_tjm1554, which I am able to achieve using this regex:

| rex field=correlation_id "^(?P<key>(?P<geo>(\w+[\._])?Stores)[\._](?P<incident_group>[^\._]+)([\._][^\._]+)?[\._](?P<device>[a-zA-Z]{3,4}[a-zA-Z\d]*))([\._])?"

which is unfortunately not working for some correlation ids. E.g. correlation id field value: STP_Stores_DiskSpace_stp-44slcapp9_20230809. The key value coming out is: STP_Stores_DiskSpace_stp. I assume it is because in the regex it is mentioned to take "_" and not "-". How do I fix it?
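The poster's reading of the failure is correct: the device group ends in [a-zA-Z\d]*, which stops at the first "-", so the key is cut off after "stp" while the trailing ([\._])? simply matches nothing. Adding "-" to that class is the only change needed, and the rest of the pattern (the optional \w+[\._] prefix in geo, the optional extra segment before the device) keeps backtracking the same way for both inputs. The script below is an added example, not part of the original post: it runs the posted pattern and the corrected one through Python's re, which accepts the same (?P<name>) groups that Splunk's rex command does, over the two correlation ids from the question. The extract helper is mine.

```python
import re

# The poster's original rex pattern, unchanged.
ORIGINAL = re.compile(
    r"^(?P<key>(?P<geo>(\w+[\._])?Stores)[\._](?P<incident_group>[^\._]+)"
    r"([\._][^\._]+)?[\._](?P<device>[a-zA-Z]{3,4}[a-zA-Z\d]*))([\._])?"
)

# Same pattern with one change: the device tail class also accepts '-'.
# A trailing '-' inside [...] is a literal in both PCRE (rex) and Python's re.
FIXED = re.compile(
    r"^(?P<key>(?P<geo>(\w+[\._])?Stores)[\._](?P<incident_group>[^\._]+)"
    r"([\._][^\._]+)?[\._](?P<device>[a-zA-Z]{3,4}[a-zA-Z\d-]*))([\._])?"
)

# The two correlation ids quoted in the question.
SAMPLES = [
    "Stores_XstorePOSError_tjm1554_2023320",
    "STP_Stores_DiskSpace_stp-44slcapp9_20230809",
]


def extract(pattern, correlation_id):
    """Return the named groups rex would create, or None when the pattern does not match."""
    match = pattern.match(correlation_id)
    if match is None:
        return None
    return {name: match.group(name) for name in ("key", "geo", "incident_group", "device")}


if __name__ == "__main__":
    for cid in SAMPLES:
        print(cid)
        print("  original key:", extract(ORIGINAL, cid)["key"])
        print("  fixed key:   ", extract(FIXED, cid)["key"])
```

Because rex and re agree on this syntax, the corrected string can be pasted back into the rex command as is; the only Splunk-side difference is the double-quoted argument, where the backslashes need no further escaping.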
Hello, I have this dashboard with a graph that shows values per weekday. The goal is, with the vertical line circled in green in the photo, to change a value assigned to it dynamically when selecting the filter. Is it possible to do that? If so, how?
I am unable to find proper documentation on the REST API endpoints for accessing data models, datasets, etc. of my Splunk Enterprise account, and I am unable to access that data using the REST API via a Postman configuration. Any help would be appreciated.