I have another issue with comparing: I want to compare should_be with server_installed_package. Sometimes the installed package is higher after patching. An example is given below for the git version. If should_be == server_installed_package, the status should be updated to Completed. In another case, if server_installed_package is greater than should_be, it should also be marked as complete (2 < 3). It should also check whether the first number is the same; if so, it should check the second digits and mark as completed, else it should check the next digit if it is 2, and check another number.

CI       Installed           shouldbe            server_installed_package  Status
server1  git-2.31.1-3.el8_7  git-2.39.3-1.el8_8  git-3.40.3-1.el8_8        Not complete
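The comparison the post asks for is an ordering over name-version-release strings, and the pitfall is that "2.9" sorts after "2.10" when compared as text. The following is an added example, not code from the post or from Splunk: a simplified version of the rpm segment-comparison rule (digit runs compared numerically, a numeric segment newer than an alphabetic one, epoch and the ~/^ rules left out) applied to rows modelled on the post's table. The sample rows, the server names and the "Completed"/"Not complete" labels are constructed to match the post's wording; they are not real inventory data.

```python
import re
from itertools import zip_longest

# Constructed sample rows modelled on the post (CI, should_be, server_installed_package);
# these are not real inventory data.
ROWS = [
    ("server1", "git-2.39.3-1.el8_8", "git-3.40.3-1.el8_8"),  # newer major installed
    ("server2", "git-2.39.3-1.el8_8", "git-2.39.3-1.el8_8"),  # exact match
    ("server3", "git-2.31.1-3.el8_7", "git-2.39.3-1.el8_8"),  # newer minor installed
    ("server4", "git-2.39.3-1.el8_8", "git-2.31.1-3.el8_7"),  # still on the old build
    ("server5", "git-2.10.0-1.el8", "git-2.9.9-1.el8"),      # text compare would get this wrong
]

# name-version-release: version and release are the last two dash-separated fields,
# so package names that themselves contain dashes (e.g. python3-libs) still split correctly.
NVR_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")


def split_nvr(pkg):
    m = NVR_RE.match(pkg)
    if not m:
        raise ValueError(f"not a name-version-release string: {pkg!r}")
    return m.group("name"), m.group("version"), m.group("release")


def segments(s):
    # "2.31.1" -> [2, 31, 1]; "3.el8_7" -> [3, "el", 8, 7].
    # Digit runs become ints so that 10 sorts after 9.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def compare_segments(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1. Ignores epoch and the ~ / ^ rules."""
    for x, y in zip_longest(segments(a), segments(b)):
        if x == y:
            continue
        if x is None:           # a ran out of segments first: a is older
            return -1
        if y is None:
            return 1
        if isinstance(x, int) and isinstance(y, int):
            return (x > y) - (x < y)
        if isinstance(x, int):  # rpm rule: a numeric segment is newer than an alphabetic one
            return 1
        if isinstance(y, int):
            return -1
        return (x > y) - (x < y)
    return 0


def compare_packages(should_be, installed):
    """-1 if installed is older than should_be, 0 if equal, 1 if newer."""
    n1, v1, r1 = split_nvr(should_be)
    n2, v2, r2 = split_nvr(installed)
    if n1 != n2:
        raise ValueError(f"package names differ: {n1!r} vs {n2!r}")
    # release only decides the order when the versions are equal
    return compare_segments(v2, v1) or compare_segments(r2, r1)


def status(should_be, installed):
    # Equal to or newer than the target counts as patched
    return "Completed" if compare_packages(should_be, installed) >= 0 else "Not complete"


def evaluate(rows):
    return [(ci, status(should_be, installed)) for ci, should_be, installed in rows]


if __name__ == "__main__":
    for ci, result in evaluate(ROWS):
        print(ci, result)
```

The name check matters in a patch-compliance report: comparing versions of two different packages silently produces a plausible-looking "Completed". Real rpm also honours an epoch prefix ("1:2.39.3") and the tilde pre-release marker; add those before using this against a full inventory.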
Hi Team,

2023-08-27 10:34:18.285 [INFO ] [Thread-30] TriumphUnbilledProcessor - TRIM.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
2023-08-27 07:38:31.688 [INFO ] [Thread-31] TriumphCancelTransferProcessor - TRIM.CNX event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

I want to fetch the filenames (in bold) from the raw logs: TRIM.UNBILLED and TRIM.CNX. My current query:

index="abc" sourcetype=600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "event published to ebnc:" NOT "Utils -"
| rex " event published to ebnc: \[\{\"status\":\"(?<status>.*)\",\"description\":\"(?<description>.*)\"\}\]"
| eval message="event published to ebnc"
| table message status description
Hi, I am looking for a query to get a list of DBConnect exceptions with their timestamps, in order to plot them in a graph. Thank you. Kind regards, Marta
Hi Team, we are observing the below error while accessing the analytics page. What could be the reason for it?
Hi,

I need to extract with rex the first two words of an event, but sometimes there is only one word. For example, with this data:

command:RESTORE LABELONLY FROM DISK=@P1
command:RESTORE VERIFYONLY FROM DISK = 'i:\toto.sql'
command:RESTORE VERIFYONLY FROM DISK = 'i:\tata.sql'
command:RESTORE LABELONLY FROM DISK=@P1
command:sp_addlinkedsrvlogin
command:RESTORE LABELONLY FROM DISK=@P1

I need the field command set to these values from this data:

RESTORE LABELONLY
RESTORE VERIFYONLY
RESTORE VERIFYONLY
RESTORE LABELONLY
sp_addlinkedsrvlogin
RESTORE LABELONLY

I would appreciate some help getting the correct syntax for rex. Regards
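The "one word or two" requirement is an optional group in the regex. The block below is an added example, not code from the post: it runs one pattern over events constructed from the post's sample data, one event per line, and shows why an optional second word does not pull in "FROM" or "DISK=@P1". The event list and function names are mine.

```python
import re

# Constructed events taken from the post's sample data, one event per line
EVENTS = [
    "command:RESTORE LABELONLY FROM DISK=@P1",
    "command:RESTORE VERIFYONLY FROM DISK = 'i:\\toto.sql'",
    "command:RESTORE VERIFYONLY FROM DISK = 'i:\\tata.sql'",
    "command:RESTORE LABELONLY FROM DISK=@P1",
    "command:sp_addlinkedsrvlogin",
    "command:RESTORE LABELONLY FROM DISK=@P1",
]

# \w+ is the first word; (?:\s+\w+)? optionally takes a second one. When only one
# word follows "command:" the optional group does not match and the capture is that
# single word. \w never matches '=' or quotes, so "DISK=@P1" cannot leak into it.
COMMAND_RE = re.compile(r"command:(?P<command>\w+(?:\s+\w+)?)")


def extract_command(event):
    """Return the first one or two words after 'command:', or None if absent."""
    m = COMMAND_RE.search(event)
    return m.group("command") if m else None


def extract_all(events):
    return [extract_command(e) for e in events]


if __name__ == "__main__":
    for value in extract_all(EVENTS):
        print(value)
```

Splunk's rex uses PCRE with the same optional-group syntax, so the equivalent search fragment is `| rex "command:(?<command>\w+(?:\s+\w+)?)"`. The pattern deliberately stops at two words; if a third word should sometimes be captured, the rule for when to stop has to be made explicit rather than relying on whitespace.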
Hi All, I am relatively new to Splunk. I am trying to build a search query, and below is the condition of the query:

| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed"))
    OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"))
    OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"))
    OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
    OR (src="retaillineitemdup" AND Count>0)
    OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain

I am facing a problem with line no. 4, which is:

(src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))

It is reading all 3 filenames as one (Fname). The source retailautonomyfileage has 3 filenames (Fname="mdmdat", Fname="omsdat", Fname="promodat"), and when I do the stats count, I am not sure why it is counting the sum of all 3 filenames together in the output (18 instead of 6).

Output:

Device       Store    src                                host                   Chain  StoreNum  Domain     count
stp-020sql1  stp0020  DB_Rebuild_Indexes_UpdateStats_MDM stp-020sql1.stp.local  stp    20        stp.local  6
stp-020sql1  stp0020  DB_Stop_IndexRebuild_Jobs          stp-020sql1.stp.local  stp    20        stp.local  6
stp-020sql1  stp0020  RetailAutonomyDataSync             stp-020sql1.stp.local  stp    20        stp.local  6
stp-020sql1  stp0020  RetailAutonomyPromotionsDataSync   stp-020sql1.stp.local  stp    20        stp.local  6
stp-020sql1  stp0020  esbmessagecount                    stp-020sql1.stp.local  stp    20        stp.local  6
stp-020sql1  stp0020  retailautonomyfileage              stp-020sql1.stp.local  stp    20        stp.local  18
stp-020sql1  stp0020  retaillineitemdup                  stp-020sql1.stp.local  stp    20        stp.local  6
stp-089sql1  stp0089  DB_Rebuild_Indexes_UpdateStats_MDM stp-089sql1.stp.local  stp    89        stp.local  6
stp-089sql1  stp0089  DB_Stop_IndexRebuild_Jobs          stp-089sql1.stp.local  stp    89        stp.local  6

I am trying to break it into 3 lines under the search query, e.g.

(src="retailautonomyfileage1" AND (Fname="mdmdat" AND Age>240))
(src="retailautonomyfileage2" AND (Fname="omsdat" AND Age>240))
(src="retailautonomyfileage3" AND (Fname="promodat" AND Age>120))

Not sure how I can obtain that. Please help. Thanks in advance.
I am getting this error when trying to set the default SLA on a newly installed Mission Control app.
Hi All, we have a couple of jobs that occasionally loop around the same code, returning the same message/log. Is it possible for a search string to pick up instances where the last [say] 3 logs are identical? Kind regards, Mick
Hi, I need some analytics results in Splunk but I couldn't achieve them. Here is what I need. 1) Which EventIDs are repeated on which hostnames? I need this count-based: EventID, Hostname and Count. 2) Which EventIDs are used in which alerts (correlation searches and saved searches)? EventID, Alert Name. 3) Which EventIDs triggered which alerts? EventID, Alert Name and count.
Dear all, I would like to know whether we need to follow any sequence when restarting the agents. We have analytics agents and a Node.js app agent for a Node.js application. Several times we have noticed that the analytics agent is not reporting data, and we are not sure what is triggering this. I suspect it happens when the application pods are restarted, since it stops reporting from then on (just my suspicion). When this happens, data does not resume until we restart both the analytics and the Node.js agents. Any help on this would be much appreciated.
Hi All, previously I asked a question titled "How to display panels dynamically depends on selection?" https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-panels-dynamically-depends-on-selection/m-p/655457/highlight/false#M53927

The panels can be displayed dynamically based on the user's selection. However, I need to display the title or the description according to the dynamic selection. That is, if the user selects packet_size="32,40,128" from the filter, three panels will be displayed and I wish to display the title "Packet size=xx", where xx represents the analyzed packet_size value.

Ex.: Table 1 with title "Packet size=32", Table 2 with title "Packet size=40", Table 3 with title "Packet size=128".

I referred to these earlier posts but was unable to find a working solution: "How do I display _time on dashboard panel's title field?", "Dynamic value display in the Panel Title?", "How do you display the date in a dashboard title?" Does anyone know how to display the title or description with a variable in code or a value from the filter selection? Thank you so much.
Hello Folks, good morning to one and all. I have the Trend Micro Cloud One service, and I want to integrate that service with a Splunk instance that is hosted in the cloud. Kindly suggest the mechanism for this, as I have checked and there is no add-on available for it. As far as I know, Trend Micro Cloud One has the ability to forward logs via syslog, and the Splunk instance is in the cloud, so what would be the Splunk interface for syslog in the cloud for this integration? Please share your opinion on this. Regards, Gautam Khillare (GK)
Splunk seems to have a problem with authenticating a SAML user account using a token. The purpose of using token authentication is to allow an external application to run a search and get the results. A sample script is posted on GitHub as a code gist; the script simply starts a search but does not wait for the results. The problem is that when token authentication is used with a SAML account, it only works when that SAML user is logged in on the Splunk web GUI and while the interactive session is (still) valid. The problem is shown in the internal log:

07-03-2023 19:35:53.931 +0000 ERROR Saml [795668 AttrQueryRequestExecutorWorker-0] - No status code found in SamlResponse, Not a valid status.
07-03-2023 19:35:53.901 +0000 ERROR Saml [795669 AttrQueryRequestExecutorWorker-1] - No status code found in SamlResponse, Not a valid status.

My theory on the failure is: the token authentication works within Splunk, but Splunk needs to perform RBAC after authentication, so it does an AQR after the authentication; however, when there is no valid, live SAML session, the AQR fails. (AQR = Attribute Query Request; in this case, to get the user's group memberships to map to Splunk roles.) I wonder if anyone has been able to get token authentication to work for a SAML account? [Edit]: On the other hand, is it simply impossible to use token authentication with a SAML user account?
Hi, I want to know what happens after a Splunk universal forwarder reaches its throughput limit, because I found that my universal forwarder stops ingesting data at a certain moment every day, and I don't know what happened there. I just set up the thruput in limits.conf and restarted the UF, and the remaining data was collected, although I'm not sure if it will still be effective next time. So when the throughput limit is reached, will the Splunk UF stop collecting data until the next restart?
I need to run a curl command to perform various tasks such as creating searches, accessing searches, etc. I have the below command, which works perfectly:

curl -k -u admin:test12345 https://127.0.0.1:8089/services/saved/searches/ \
  -d name=test_durable \
  -d cron_schedule="*/15 * * * *" \
  -d description="This test job is a durable saved search" \
  -d dispatch.earliest_time="-15h@h" -d dispatch.latest_time=now \
  --data-urlencode search="search index=_audit sourcetype=audittrail | stats count by host"

But given that I may have to craft various curl commands with different -d flags, I want to be able to pass values through a file, so I used the below command:

curl -k -u admin:test12345 https://127.0.0.1:8089/services/saved/searches/ --data-binary data.json

where data.json looks like this:

{
  "name": "test_durable",
  "cron_schedule": "*/15 * * * *",
  "description": "This test job is a durable saved search",
  "dispatch.earliest_time": "-15h@h",
  "dispatch.latest_time": "now",
  "search": "search index=_audit sourcetype=audittrail | stats count by host"
}

But in doing so I get the following error:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Cannot perform action "POST" without a target name to act on.</msg>
  </messages>
</response>

So after going through a lot of different posts on this topic, I realised Splunk seems to have a problem with the JSON format, or mainly with extracting the 'name' attribute from the JSON format. Can someone please assist with how I can craft a curl command that uses data from a file like I am doing above and get a correct response from Splunk?
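Two things differ between the working command and the file-based one: the working one sends application/x-www-form-urlencoded key=value pairs, which is the format Splunk's REST endpoints read POST parameters from, and curl only reads a body from a file when the argument starts with "@" (without it the literal text "data.json" is the body). The block below is an added example, not code from the post or from Splunk: it converts the post's JSON object into the form body the -d flags would have produced and builds the matching curl invocation. The file name data.txt and the function names are my choices; the password is deliberately left out of -u so curl prompts for it rather than leaving it in shell history and the process list.

```python
import json
import shlex
from urllib.parse import parse_qs, urlencode

# The post's data.json, embedded here as a constructed sample
SAMPLE_JSON = """
{
  "name": "test_durable",
  "cron_schedule": "*/15 * * * *",
  "description": "This test job is a durable saved search",
  "dispatch.earliest_time": "-15h@h",
  "dispatch.latest_time": "now",
  "search": "search index=_audit sourcetype=audittrail | stats count by host"
}
"""


def form_body(json_text):
    """Turn a flat JSON object into the application/x-www-form-urlencoded body that
    repeated curl -d flags would produce. Splunk's REST endpoints read POST parameters
    from that form body, not from a JSON document, which is why a JSON body leaves
    'name' unset. Nested values are rejected instead of being silently stringified."""
    params = json.loads(json_text)
    for key, value in params.items():
        if not isinstance(value, (str, int, float, bool)):
            raise ValueError(f"parameter {key!r} must be a scalar, got {type(value).__name__}")
    return urlencode(params)


def curl_command(url, body_file, user="admin"):
    """Build the curl invocation. The '@' prefix makes curl read the body from the
    file; without it the literal file name is sent. Passing only the user name to -u
    makes curl prompt for the password instead of exposing it on the command line."""
    argv = ["curl", "-k", "-u", user, url, "--data-binary", "@" + body_file]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    body = form_body(SAMPLE_JSON)
    with open("data.txt", "w", encoding="ascii") as fh:
        fh.write(body)
    print(curl_command("https://127.0.0.1:8089/services/saved/searches/", "data.txt"))
```

The -k flag is carried over from the post; it disables TLS certificate verification and is only defensible against 127.0.0.1 with a self-signed management certificate. Against a remote search head, drop it or point --cacert at the certificate the instance actually serves.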
Hello, I am aware that Splunk is a very versatile application which allows users to manipulate data in many ways. I have extracted the fields event_name, task_id and event_id. I am trying to create an alert if there is an increment in the event_id for the same task_id and event_name when the latest event arrives in Splunk. For example, the event at 3:36:40.395 PM has task_id 3 and event_id 1223680, AND the latest event, which arrived at 3:52:40.395 PM, has task_id 3 and event_id 1223681. I am trying to create an alert because for the same task_id (3) and event_name (server_state) there is an increment in event_id. I believe it is only possible if we store the previous event_id in a variable for the same event_name and task_id so that we can compare it with the new event_id. However, we have four different task_ids, and I am not sure how to save the event_id for all those different task_ids. Any help would be appreciated.

Log file explanation:

8/01/2023 3:52:40.395 PM server_state|3 1123681 5
Date Timestamp event_name|task_id event_id random_number

Sample log file:

8/01/2023 3:52:40.395 PM server_state|3 1223681 5
8/01/2023 3:50:40.395 PM server_state|2 1201257 3
8/01/2023 3:45:40.395 PM server_state|1 1135465 2
8/01/2023 3:41:40.395 PM server_state|0 1545468 5
8/01/2023 3:36:40.395 PM server_state|3 1223680 0
8/01/2023 3:25:40.395 PM server_state|2 1201256 2
8/01/2023 3:15:40.395 PM server_state|1 1135464 3
8/01/2023 3:10:40.395 PM server_state|0 1545467 8

Thank you
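The "one variable per task_id" worry goes away if the previous event_id is kept per (event_name, task_id) key while walking the events oldest-first; the number of tasks then does not matter. The block below is an added example, not code from the post: it parses the post's sample log (embedded as constructed input) and emits one alert per key whose event_id went up. The field regex assumes the exact layout shown in the post's explanation line; the function and dictionary key names are mine.

```python
import re
from datetime import datetime

# Constructed from the sample log in the post (newest line first, as a search would return it)
SAMPLE_LOG = """\
8/01/2023 3:52:40.395 PM server_state|3 1223681 5
8/01/2023 3:50:40.395 PM server_state|2 1201257 3
8/01/2023 3:45:40.395 PM server_state|1 1135465 2
8/01/2023 3:41:40.395 PM server_state|0 1545468 5
8/01/2023 3:36:40.395 PM server_state|3 1223680 0
8/01/2023 3:25:40.395 PM server_state|2 1201256 2
8/01/2023 3:15:40.395 PM server_state|1 1135464 3
8/01/2023 3:10:40.395 PM server_state|0 1545467 8
"""

# Date Timestamp event_name|task_id event_id random_number, per the post's explanation line
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M) "
    r"(?P<event_name>\w+)\|(?P<task_id>\d+) (?P<event_id>\d+) (?P<random>\d+)$"
)


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not have the server_state layout
        events.append({
            "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S.%f %p"),
            "event_name": m.group("event_name"),
            "task_id": int(m.group("task_id")),
            "event_id": int(m.group("event_id")),
        })
    return events


def find_increments(events):
    """Walk events oldest-first, remembering the last event_id seen for each
    (event_name, task_id). Emit an alert whenever a later event carries a larger
    event_id for the same key. One dictionary slot per key replaces a variable per
    task, so any number of task_ids is handled."""
    last_seen = {}
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["event_name"], e["task_id"])
        prev = last_seen.get(key)
        if prev is not None and e["event_id"] > prev:
            alerts.append({
                "event_name": e["event_name"], "task_id": e["task_id"],
                "previous": prev, "current": e["event_id"], "time": e["time"],
            })
        last_seen[key] = e["event_id"]
    return alerts


if __name__ == "__main__":
    for a in find_increments(parse_events(SAMPLE_LOG)):
        print(f"{a['time']:%Y-%m-%d %H:%M:%S} {a['event_name']} task {a['task_id']}: "
              f"{a['previous']} -> {a['current']}")
```

The sort step is not optional: a search returns newest events first, so without it every "previous" value would be the later event and no increment would ever be seen. The SPL counterpart of the per-key memory is `| sort 0 _time | streamstats current=f window=1 last(event_id) as prev_event_id by event_name task_id | where event_id > prev_event_id`.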
I audit Windows computers. My search looks for the date, time, EventCode and Account_Name:

Date        Time      EventCode  Account_Name
2023/08/29  16:09:30  4624       jsmith

I would like the Time field to turn red when a user signs in after hours (1800 - 0559). I have tried clicking on the pen in the Time column and selecting Color, then Ranges. I always get error messages about not putting the numbers in the correct order. What do I need to do?
Hello, I've been attempting to use the results of a sub-search as input for the main search with no luck. I'm getting no results. Based on the query below, I was thinking of getting the field value of Email_Address from the sub-search and passing the result to the main search (in my mind, only the Email_Address value). Finally, thinking the main search now has the resulting values from the sub-search (the Email_Address field), it then runs the main search using the passed value (Email_Address) as search criteria to find events from another index. Is that the correct way to pass values as a searchable value, or am I wrong? If I'm wrong, how can I do this? I thank you all in advance for your assistance!

index=firstindex Email_Address [search index=secondindex user="dreamer"
    | fields Email_Address
    | head 1 ]
| table Date field1 field2 Email_Address
We are noticing that the same data received via the HTTP Event Collector is not searchable by field like data received via our forwarders. Note how the EventName field IS NOT being picked up from the event received through HEC, while EventName IS being picked up from the event received through forwarders. It seems that the events received through the HEC are treated as one large blob of data and are not parsed or indexed the same way by Splunk. Is there anything that can be done in the request to the HEC, or on an indexer, to resolve this? Thanks.
As an app add-on creator, we don't have control over the indexes available on Splunk Cloud in the user's environment. In the app's inputs.conf we set index=default. In the add-on flow, we add a data input configuration with new input stream URLs and the index it should point to, as shown in the image below. As you see, the index is populated with "default". How can we enable the ability to show all available indexes in the drop-down? If the desired index is not in the available list, how can we enable the user to input a string and trigger a search? If the user doesn't want to pick an index, the default should be selected.