Hi, I have a simple TCP syslog server in the same network where I have set up my Splunk Enterprise platform 9.10. I am trying to forward the data polled into Splunk Enterprise by add-on apps to the TCP syslog server. But even after configuring it from Settings > Forwarding and Receiving, I am getting an error like "connection timed out". Can anyone suggest what is being missed or needs to be looked into here? Thank you.
Dear Splunk experts, I just want to ask about the general upside/downside of creating a large number of indexes. We are thinking of creating a Splunk index per application/service, so we may end up with 3K to 5K indexes. This would allow us to target <<inputs.conf>> based on application/service. I'm just not sure of the downside of that many indexes... Appreciate your advice.
Hi Splunk Experts, I have a table and, based on a click, I'm holding the value of a field in a token and using it in a different panel with a search command. If there are any special characters, the search fails. I've tried replacing them with '*', but that gives me unexpected results. So I'm thinking of escaping all possible special characters in the token value. Please advise!!

Ex: !@#$%^&*(){}|";:<>/\[]

I want them as below:

\!\@\#\$\%\^\&\*\(\)\{\}\|\"\;\:\<\>\/\\\[\]
I want to offload some logs into MinIO using SmartStore to reduce the volume consumed against my license, but I cannot find a reference on whether SmartStore data will still count against the license volume.
Hi All, I am trying to build a search query for an alert, and below is the condition:

| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed"))
OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"))
OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"))
OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain

But I am facing difficulty at line 4:

OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))

It is reading all 3 filenames as one (Fname). It is taking all 3 file names (Fname=mdmdat,omsdat,promodat) as one, and hence I am getting the incorrect count for src=retailautonomyfileage. I am trying to break the condition of line 4 into 3 parts within the eval condition itself. Thanks in advance.
I have an event log that looks like this:

search_name=x, search_now=3.000, info_min_time=1692741600.000, info_max_time=1692828000.000, info_search_time=1692847620.636, app=Digital, text="<a href=\"https://support.vodafone.co.uk/1627646512 \" target=\"_blank\"> ...etc ", info_log=

If I use the command ... | table text to extract the 'text' field, I get the expected result:

<a href=\"https://support.vodafone.co.uk/1627646512 \" target=\"_blank\"> ...etc

However, when I attempt to extract the same 'text' field from the same event, but this time from a summary index, I get a different result:

<a href=\

The whole value is presented in the event tab when I enable verbose mode, so the whole value is in the summary index but I can't show it. How do I prevent Splunk from truncating the result if it is in the summary index?
I have a table panel with the column field as Month-year, and this is a dynamic field populated from my panel query. One more column is a text field and it is a static field. (This does not need to be color coded.) I want to color code the cell values in all the dynamic fields based on the condition below:

if the cell value is less than 2, the cell should be coded in green;
if the cell value is more than 2, the cell should be coded in red;
other cells with text values should not be color coded.

I tried to use multiple conditions with a color palette expression, but that does not work:

<format type="color">
<colorPalette type="expression">if(isnull(value), "#c1fa9b", if(value&lt;02, "#c1fa9b", "#ff9c9c"), if(value&gt;02, "#ff9c9c", "#c1fa9b"))</colorPalette>
</format>

I made the two conditions similar just to filter out the fields with text values, so that all the numeric fields with values less than 2 will be displayed as green and those greater than 2 will be displayed as red. I am aware of writing JS scripts for this but would like to do this with SimpleXML. Could anyone please help me on this?
If I have a list of comma-separated numbers in a single Splunk event field (I have many event fields like the one below), how can I split these comma-separated values and display them in the table format I mention below? Any suggestions?

Sequence Numbers processed during this transaction : 00000000000000872510,00000000000000872511,00000000000000872512,00000000000000872513,00000000000000872514,00000000000000872515,00000000000000872516,00000000000000872517,00000000000000872518,00000000000000872519,00000000000000872520,00000000000000872521,00000000000000872522,00000000000000872523,00000000000000872524,00000000000000872525,00000000000000872526,00000000000000872527,00000000000000872528,00000000000000872529,00000000000000872530,00000000000000872531,00000000000000872532,00000000000000872533

How can I split these comma-separated values and display them individually in a table like:

00000000000000872510
00000000000000872511
00000000000000872512
00000000000000872513
00000000000000872514
00000000000000872515
00000000000000872516
...likewise until 00000000000000872533
Good morning. For example, I have the following numbers:

+140871771234, +140871771245, +140871771286
+171522334321, +171522334325, +171522334329
+151688325297, +151688325258, +151688325239

Ranges:

+1408717712XX, site code is A
+1715223343XX, site code is B
+1516883252XX, site code is C

When a number is found in a range, how do I give it the site code? Thank you.
Hi, I want to match partial values of field a with partial values of field b. I tried with match/like but no luck.

field a
AA\ABC$
BB\DCE$

field b
A=ABC,B=Domain,C=AB,D=XXX,E=NET
A=DCE,B=Domain,C=AB,D=XXX,E=NET

Now my results should return:

field a = field b
ABC = ABC
DCE = DCE

Could someone please help me on this?
Hi Everyone, is it possible to create a button similar to the Edit button and place it near the Edit button using HTML and CSS? I was able to create a button, but it is big and I was also not able to place it near the Edit button. Can anyone help me?
Hey guys, I'm new to Splunk and trying to figure some things out, and I've hit a wall. I created a dropdown called 'down'. I used this field in the search criteria and it's not filtering based on the value I set in the dropdown. Data is being pulled/returned but does not seem to be using the eval correctly. Any help would be greatly appreciated. Thanks!

The search is:

source="plays.csv" host="DESKTOP-CU54MC0" sourcetype="csv" | apply "_exp_draft_275e108c50cd4522ac0479ad79873849" | `confusionmatrix("playType","predicted(playType)")` | eval down=$down$

I also cannot get it to restrict based on down in a search:

source="plays.csv" host="DESKTOP-CU54MC0" sourcetype="csv" | apply "_exp_draft_275e108c50cd4522ac0479ad79873849" | `confusionmatrix("playType","predicted(playType)")` | eval down=1
Here is an example of the table.

        X          Y          Z     W
A8      2
B12                7                5
C14     5
D24                2          3
Total   2*8+5*14   7*12+2*24  3*24  5*24

What is the SPL (formula or command) for calculating the totals as listed in the table?

Thanks,
Hi Everyone, when I try to update "Splunk App for Windows Infrastructure", the login screen where it asks me to provide splunk.com credentials does not proceed further. I checked my credentials and they seem to be correct. Any idea why I am unable to update the app? I am able to update other apps fine.
Hi Splunkers,

I have statistics, for example:

Country     Sites                 Stats
USA         DC, NY                4.8
China       Beijing, Shanghai     5.2
India       Mumbai, Delhi         6.2
Australia   Melbourne, Sydney     7.8
...

Let's say I have data for 50 countries there and I have to take a report for each country. How can I do it without doing it manually for each country? Any advice?
Hello Splunk Community, I'm trying to write a query to show me a chart (or table) for all hosts in my index in the last 45 min that haven't written a specific string to a log. The query below shows me that it has happened on a single host, but I want two columns in a table: column 1 showing the host name and column 2 showing how many times that string appeared in that log (including all the hosts with 0 times).

Query so far:

index="index" source="C:\\Windows\\System32\\LogFiles\\Log.log" "Detection!" earliest=-45m latest=now | stats count by host
August 2023 Edition

Hayyy Splunk Education Enthusiasts and the Eternally Curious!

We’re back with another edition of indexEducation, the newsletter that takes an untraditional twist on what’s new with Splunk Education. We hope the updates about our courses, certification, and technical training will feed your obsession to learn, grow, and advance your careers. Let’s get started with an index for maximum performance readability: Training You Gotta Take | Things You Needa Know | Places You’ll Wanna Go

Training You Gotta Take

Cybersecurity Defense Analyst | Training for the Blue Team
Showcased at .conf23 was our new Blue Team Academy training – perfect for all you defenders of the universe out there! Our user conference may be over, but now the fun really begins. The Splunk Certified Cybersecurity Defense Analyst (CDA) certification exam is now open to the public in beta – for FREE. So, look over the study materials, take the exam, and show the world you're a Splunk Certified Cybersecurity Defense Analyst. We’ll give you a badge to prove it too!
Gotta Be a Defender | Get Your CDA Cert Today

The Developer Track | Validate Your Mad Skills Before It’s Too Late
If you want to become a Splunk Certified Developer and build some killer apps with the Splunk web framework, the clock is ticking. The Splunk Certified Developer Certification, one of our 13 Splunk Certifications, is being taken out of the rotation on September 30, 2023. So, get your training on by following the Developer Track and reviewing the exam study guide. If you currently hold the Splunk Certified Developer Certification, it will remain valid until its current expiration date. But, if you want to extend your certification for another three years, consider recertifying before it’s too late.
Gotta Follow the Track | Grow Your Badge Collection

Things You Needa Know

Fall Swag is Coming | Splunk Learning Rewards Program
With the Splunk Learning Rewards Program you may be well on your way to earning that OG Splunk T-shirt you’ve had your eye on or one of the top-selling Splunk items from .conf23. That’s right, you can earn points for each paid Splunk Education course you complete, which can then be redeemed for super-fun Splunk swag. And, if you need one more reason to rack up those points now, can you say “Splunk Snuggie?” Yup, we’ve got fall swag items to help you get prepared for those cold winter days ahead.
Gotta Get Punny Ts | Redeem Points for Fall Swag

Cybersecurity in the Curriculum | Plus More Upcoming Classes
If you’re an aspiring Blue Team Academy defender, we’ve recently added two more free self-paced, eLearning courses – “The Cybersecurity Landscape” and “Security Operations and the Defense Analyst” – just for you. These courses are in addition to our catalog of almost 50 free eLearning courses. And, if your organization offers paid training units, seats are still available for these upcoming Instructor-led courses: Intro to Dashboards on September 14, Splunk Enterprise 9.0 System Administration on September 11, and Using Splunk Real User Monitoring on September 22.
Gotta Start Free | Hot Cybersecurity Courses
Gotta Do ILT | September Calendar

Places You’ll Wanna Go

Splunk University | School is Always in Session
Splunk University might be over, but it’s never too soon to start thinking about attending this incredible on-site learning experience next year. Our annual user conference will take place June 10-13, 2024, at The Venetian in Las Vegas, Nevada, and our Splunk University doors will open the weekend prior. This is your opportunity to attend bootcamps, connect with a global community of passionate data experts, and explore tons of educational sessions. (Um, we won’t mention the poolside cocktails or the excitement of Las Vegas cuz that just wouldn’t be fair to your decision-making.) Cha-ching.
Wanna Go to Splunk University | Stay In-the-Know

Splunk Learning Platform | Find STEP Answers
Whether you’re in the market for flexible self-paced eLearning, easy-to-enroll-in instructor-led training, or the latest Splunk Certification exams, STEP is your first stop for registration and enrollment. At Splunk, we believe that everyone, everywhere should have access to technical learning opportunities so they can grow their careers and help their organizations stay ahead of the ‘bad guys.’ We also believe that change can be hard sometimes, which is why we have been supporting our learners and organization managers to navigate the new system with helpful resources and guidance. Don’t get stuck on the first STEP of the journey. We’re giving you a leg up.
Go Find STEP Answers | STEP FAQs

Find Your Way | Learning Bits and Breadcrumbs
Go Earn a Gift Card | Share Feedback About Your Career & Splunk
Go to STEP | Get Upskilled
Go Watch On-Demand Tech Talks | Deep-Dives for Technical Practitioners
Go Discuss Stuff | Join the Community
Go Social | LinkedIn for News
Go Share | Subscribe to the Newsletter

Thanks for sharing a few minutes of your day with us – whether you’re looking to grow your mind, career, or spirit, you can bet your sweet SaaS, we got you. If you think of anything else we may have missed, please reach out to us at indexEducation@splunk.com.

Answer to Index This: Seven
Hi, does anybody know how to change the email in my account? My company is doing an email domain renewal and I need to change my email to a new email. Could you help me?
In our app's add-on's Inputs.config, the sourcetype is set to a custom name and the index is set to default, as shown in the image below.

In the add-on install flow, the UI dropdown to pick indexes is showing fewer than are available. For example, the indexes shown below are not showing in the list.

The one difference I see is that these indexes are created with the app "_cluster_admin" while the others are created with "search". How do we enable the search option in the available indexes?
Hi Team, I have one file, CARS.HIERCTR, for which I want to capture the START and END DURATION. I am using the query below:

index="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 | rex "\[(?<thread>Thread[^\]]+)\]" | transaction thread startswith="Reading Control-File /absin/CARS.HIERCTR." endswith="Completed Settlement file processing, CARS.HIER." | table duration

But I am not getting any result. Can someone guide me?

Starting logger - 2023-08-29 00:26:20.256 [INFO ] [pool-3-thread-1] ReadControlFileImpl - Reading Control-File /absin/CARS.HIERCTR.D082823.T001819

Ending logger - 2023-08-29 02:18:33.064 [INFO ] [Thread-34] FileEventCreator - Completed Settlement file processing, CARS.HIER.D082823.T020913 records processed: 135959

PLEASE GUIDE.