Find Answers
I'm trying to upload the "python-for-scientific-computing-for-windows-64-bit_410.tgz" file, but I'm encountering the following error message: "There was an error processing the upload. Error during app install: failed to extract app from C:\WINDOWS\TEMP\tmpe_xxxxx to C:\Program Files\Splunk\var\run\splunk\bundle_tmp\xxxxxxxxxxxxxx : The specified path was not found." Has anyone else experienced a similar error while uploading this file? If so, could you please share any insights or solutions you may have? I appreciate any assistance or guidance on this matter. Thank you.
Hi, my base search takes 13 sec to run, but it takes more than 1 min for the dashboard to run. I use the savedsearch function and it's still very slow. Here is part of my dashboard (there are more charts, more filters and variables). Can you help me to improve the performance, please?

```
<form theme="light">
  <label>Analysis Report</label>
  <search id="AllQueries_Base">
    <query> | loadjob savedsearch="mpazchen:search:joinWithLookup_Base" | where $Mac_Address$ AND $WinTimeStamp$ </query>
  </search>
  <row>
    <panel>
      <input type="multiselect" token="WinTimeStamp" searchWhenChanged="true">
        <label>Time</label>
        <choice value="%">All</choice>
        <default>%</default>
        <prefix>(</prefix>
        <suffix>)</suffix>
        <valuePrefix>(WinTimeStamp like("</valuePrefix>
        <valueSuffix>"))</valueSuffix>
        <delimiter> OR </delimiter>
        <fieldForLabel>WinTimeStamp</fieldForLabel>
        <fieldForValue>WinTimeStamp</fieldForValue>
        <search base="AllQueries_Base">
          <query> | where ( $Mac_Address$ ) | dedup WinTimeStamp | sort WinTimeStamp</query>
        </search>
      </input>
      <input type="multiselect" token="Mac_Address" searchWhenChanged="true">
        <label>Mac Address</label>
        <choice value="%">All</choice>
        <default>%</default>
        <prefix>(</prefix>
        <suffix>)</suffix>
        <valuePrefix>(Mac_Address like("</valuePrefix>
        <valueSuffix>"))</valueSuffix>
        <delimiter> OR </delimiter>
        <fieldForLabel>Mac_Address</fieldForLabel>
        <fieldForValue>Mac_Address</fieldForValue>
        <search base="AllQueries_Base">
          <query> | where ( $WinTimeStamp$ ) | dedup Mac_Address | sort Mac_Address</query>
        </search>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <search base="AllQueries_Base">
          <query> | stats dc(HostName) as count_distinct_Machines </query>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="height">133</option>
        <option name="rangeColors">["0xdc4e41","0x3c444d"]</option>
        <option name="rangeValues">[0]</option>
        <option name="trellis.enabled">0</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="underLabel">Machines</option>
      </single>
    </panel>
    <panel id="CSSPanel4">
      <single>
        <search base="AllQueries_Base">
          <query> | where Header_Type="Event" | stats count </query>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="height">133</option>
        <option name="rangeColors">["0xdc4e41","0x3c444d"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="underLabel">Events</option>
      </single>
    </panel>
    <panel id="CSSPanel5">
      <single>
        <search base="AllQueries_Base">
          <query> | stats dc(source) </query>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="height">133</option>
        <option name="rangeColors">["0xdc4e41","0x334457"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="underLabel">Files</option>
      </single>
    </panel>
  </row>
  <row>
    <panel id="CSSPanel3">
      <title>General events type distribution by time</title>
      <chart>
        <search base="AllQueries_Base">
          <query> | chart count over WinTimeStamp by Name | addtotals fieldname=total </query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
        <option name="charting.axisTitleX.text">Day</option>
        <option name="charting.axisTitleY.text">Number of events</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisY.abbreviation">auto</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.backgroundColor">#f2f4f5</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">total</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel id="CSSPanel11">
      <title>General events type distribution</title>
      <chart>
        <search base="AllQueries_Base">
          <query> |stats count by Name |sort -count</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.backgroundColor">#f2f4f5</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel id="CSSPanel2">
      <title>Top 10 events count by machine</title>
      <chart>
        <search base="AllQueries_Base">
          <query> | chart count over HostName by Name | addtotals fieldname=total| sort -total | head 10 </query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
        <option name="charting.axisTitleY.text">Number of events</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.backgroundColor">#f2f4f5</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">total</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel id="CSSPanel14">
      <single>
        <search base="AllQueries_Base">
          <query> | chart count over HostName| stats avg(count) AS AVERAGE_Events_Per_User</query>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="height">137</option>
        <option name="numberPrecision">0.0</option>
        <option name="rangeColors">["0xdc4e41","0x334457"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="underLabel">Average Events by Machine</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
  <row>
    <panel id="CSSPanel10">
      <html>
        <center>
          <h1> </h1>
        </center>
      </html>
    </panel>
  </row>
  <row>
    <panel id="CSSPanel1">
      <html>
        <center>
          <h1 style="color:white;"> WiFi Successful And Failed Connection Events</h1>
        </center>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Connection Type</title>
      <chart>
        <search base="AllQueries_Base">
          <query> <!--| where Name="Wi-Fi Successful Connection" OR Name="Wi-Fi Failed Connection"--> |stats count by "Connection_Type" |sort -count</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
```
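One way to speed this up, as an added example and not the poster's dashboard: make the base search transforming. With `| where ...` alone, the base search hands the full raw event set to every post-process search and each panel re-reads it; if the base search ends in `stats`, every panel works on a small summary table instead. The `by` field list, the `fillnull` placeholder and the trimmed option set below are assumptions; the saved search name, tokens and panel ids are the ones from the post.

```xml
<form theme="light">
  <label>Analysis Report</label>
  <!-- Transforming base search: every post-process search below now works on
       a small aggregated table instead of the raw events. The field list in
       the "by" clause is assumed from the panels in the original dashboard.
       fillnull matters because "stats ... by" drops events where any by-field
       is null (events without a Connection_Type would otherwise vanish). -->
  <search id="AllQueries_Base">
    <query>
      | loadjob savedsearch="mpazchen:search:joinWithLookup_Base"
      | where $Mac_Address$ AND $WinTimeStamp$
      | fillnull value="n/a" Header_Type Connection_Type
      | stats count by WinTimeStamp HostName Name Header_Type source Mac_Address Connection_Type
    </query>
  </search>
  <row>
    <panel>
      <input type="multiselect" token="WinTimeStamp" searchWhenChanged="true">
        <label>Time</label>
        <choice value="%">All</choice>
        <default>%</default>
        <prefix>(</prefix>
        <suffix>)</suffix>
        <valuePrefix>(WinTimeStamp like("</valuePrefix>
        <valueSuffix>"))</valueSuffix>
        <delimiter> OR </delimiter>
        <fieldForLabel>WinTimeStamp</fieldForLabel>
        <fieldForValue>WinTimeStamp</fieldForValue>
        <!-- the base search already applied $Mac_Address$, so no second where is needed -->
        <search base="AllQueries_Base">
          <query>| stats count by WinTimeStamp | sort WinTimeStamp</query>
        </search>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <!-- dc() is unaffected by the pre-aggregation -->
        <search base="AllQueries_Base">
          <query>| stats dc(HostName) as count_distinct_Machines</query>
        </search>
        <option name="underLabel">Machines</option>
      </single>
    </panel>
    <panel id="CSSPanel4">
      <single>
        <!-- sum(count), not count: each base row already stands for many events -->
        <search base="AllQueries_Base">
          <query>| where Header_Type="Event" | stats sum(count) as count</query>
        </search>
        <option name="underLabel">Events</option>
      </single>
    </panel>
  </row>
  <row>
    <panel id="CSSPanel3">
      <title>General events type distribution by time</title>
      <chart>
        <search base="AllQueries_Base">
          <query>| chart sum(count) over WinTimeStamp by Name | addtotals fieldname=total</query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.overlayFields">total</option>
      </chart>
    </panel>
    <panel id="CSSPanel14">
      <single>
        <search base="AllQueries_Base">
          <query>| stats sum(count) as count by HostName | stats avg(count) AS AVERAGE_Events_Per_User</query>
        </search>
        <option name="underLabel">Average Events by Machine</option>
      </single>
    </panel>
  </row>
</form>
```

The rule when converting the remaining panels: every `count` in a post-process search becomes `sum(count)`, `dc(...)` stays as it is, and any field a panel groups by (Connection_Type, Header_Type, source) must appear in the base search's `by` clause or the panel will see nothing.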
Hi All, the Duo connector installation docs for Splunk aren't clear for a multi-site cluster environment. Can anyone suggest where to install this Duo connector app? I assume this needs to be installed on any HF and configured with one custom index to receive the logs? I do have the admin API keys and other integration keys to configure it. Please suggest if anyone has installed the Duo connector in a multi-site environment.
Below are my log file details: `index="idx_rwmsna" sourcetype=st_rwmsna_printactivity source="E:\\Busapps\\rwms\\mna1\\geodev12\\Edition\\logs\\DEFAULT_activity_1.log"`. I tried multiple ways but I am unable to make this work using the below Splunk query; I'd appreciate a response on this.

```
| tstats latest(_time) as updated_time where index="idx_rwmsna" source="E:\\Busapps\\rwms\\mna1\\geodev12\\Edition\\logs\\DEFAULT_activity_1.log" host=ATLWMSVP44
| eval status=if(updated_time>(now()-60),"ok","ko")
```

The problem with the above query is that if the file update stopped before the triggering time of the alert, it does not fetch the updated_time and does not process further. Can someone please help with how to handle this? Please consider this a priority. Regards, Amit
Hi, I am trying to plot a timechart for multiple duration windows of how long a service is taking to respond, in order to segregate how many requests are breaching SLA on this timeline. Is it possible to plot this kind of computation?

```
index=<<index name>>
| rex field=_raw "duration=(?<Time>.*?),"
| search (>200 OR >250 OR >300 OR >350)
| chart or timechart by Timeduration
```

Example: each request has its own response time like 300, 350, 260, 360 ms, so I want to look at the chart or timechart based on the requests taking >200 (count), >250 (count), >300 (count), >350 (count). As these overlap as well, I want to rule out how many requests are falling in each time span. Can I get help please? Thanks in advance.
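A working version of the computation above, as an added example rather than the poster's query. It assumes the duration is logged as an integer number of milliseconds (`duration=312,`), that the index placeholder is replaced, and that 5-minute bins are acceptable. It produces the overlapping counts (every request slower than a threshold) and the non-overlapping bands side by side, so both views come from one search.

```spl
index=<<index name>> "duration="
| rex field=_raw "duration=(?<duration_ms>\d+)"
| eval duration_ms=tonumber(duration_ms)
| eval over_200=if(duration_ms>200,1,0),
       over_250=if(duration_ms>250,1,0),
       over_300=if(duration_ms>300,1,0),
       over_350=if(duration_ms>350,1,0),
       in_201_250=if(duration_ms>200 AND duration_ms<=250,1,0),
       in_251_300=if(duration_ms>250 AND duration_ms<=300,1,0),
       in_301_350=if(duration_ms>300 AND duration_ms<=350,1,0)
| timechart span=5m
    count as total
    sum(over_200) as over_200ms
    sum(over_250) as over_250ms
    sum(over_300) as over_300ms
    sum(over_350) as over_350ms
    sum(in_201_250) as in_201_250ms
    sum(in_251_300) as in_251_300ms
    sum(in_301_350) as in_301_350ms
```

The `over_*` columns are cumulative (a 360 ms request counts in all four), while the `in_*` columns partition the same requests, so in every bin `in_201_250ms + in_251_300ms + in_301_350ms + over_350ms` equals `over_200ms`; that identity is a quick check that the extraction did not pick up stray text. The `\d+` capture is deliberate: the original `.*?,` would capture `312ms` or `312 ms` and the numeric comparisons would then silently evaluate to false.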
Hello, All, is there a new/working version of the OPC-UA add-on. Please let me know.
Hello, I am new to Splunk, and to web/programming in general. My question is: can 3rd-party web/Java/HTML-based controls from DevEx, Grape City, or Telerik be added to enhance the dashboards and/or add additional options? Thank you for your help.
How do I add a work week date in a Splunk query (or) how do I convert a date to a work week?
I have the below Splunk query and am looking for help with it.

```
| tstats latest(_time) as updated_time where index="idx_rwmsna" source="E:\\Busapps\\rwms\\mna1\\geodev12\\Edition\\logs\\DEFAULT_activity_1.log" host=ATLWMSVP45
| eval status=if(updated_time>(now()-60),"ok","ko")
| sort - _time
| where status="ko"
```

I want to monitor the above log file and, if it is not getting updated, I need to send an email. I am trying it, but even with a 1 min alert it is not getting triggered. Can someone help check the above code and let me know if I am missing anything here? Appreciate your input. Regards, Amit
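The reason the alert never fires is structural: once the file has gone quiet, `tstats` returns zero rows, so `eval` and `where` have nothing to run on and the alert sees no results (the `| sort - _time` is also a no-op, since the only field leaving `tstats` is `updated_time`). As an added example, not the poster's query, this variant serves both of the stale-file posts above: it manufactures a row when the search comes back empty and alerts on it. It assumes the alert runs over a window wide enough to find the last event (for example the last 24 hours rather than the last minute), that the alert triggers when the number of results is greater than 0, and that the threshold in `max_age_sec` is something to adjust.

```spl
| tstats latest(_time) as updated_time
    where index="idx_rwmsna" host=ATLWMSVP45
          source="E:\\Busapps\\rwms\\mna1\\geodev12\\Edition\\logs\\DEFAULT_activity_1.log"
| appendpipe [ stats count | where count=0 | eval updated_time=0 | fields - count ]
| eval max_age_sec=60,
       age_sec=now()-updated_time,
       last_seen=if(updated_time=0, "no events in search window", strftime(updated_time, "%Y-%m-%d %H:%M:%S")),
       status=if(age_sec>max_age_sec, "ko", "ok")
| where status="ko"
| table last_seen age_sec status
```

The `appendpipe [ stats count | where count=0 ... ]` idiom is the standard way to get one row out of an otherwise empty pipeline: `stats count` yields `count=0` only when nothing came in, and that row is discarded whenever real results exist. With `updated_time=0` on the synthetic row, `age_sec` is huge and the row is reported as `ko`, which is exactly the "file stopped long ago" case the original alert missed.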
Hello, I am using the below tag in my dashboard and now it's deprecated in the new version. Can someone tell me a replacement for the below syntax?

```
<populatingSearch fieldForValue="EventType" fieldForLabel="EventType">
  <![CDATA[$env$ source=$ProcessingNode$ $stepfilter$ $timerange$ | dedup EventType | $FilterEventType$| table EventType]]>
</populatingSearch>
```
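In current Simple XML the `populatingSearch` element is replaced by a `search` element nested inside the `input`, with `fieldForLabel` and `fieldForValue` as child elements rather than attributes. As an added example, not the poster's dashboard, here is the same search rewritten that way. It assumes the input is a dropdown with token `EventType`, and it keeps `$timerange$` as a query token exactly as in the original; if `timerange` is actually a time input, its values are `$timerange.earliest$` and `$timerange.latest$` and belong in `earliest`/`latest` elements under `search` instead.

```xml
<input type="dropdown" token="EventType" searchWhenChanged="true">
  <label>Event type</label>
  <!-- formerly the fieldForLabel / fieldForValue attributes of populatingSearch -->
  <fieldForLabel>EventType</fieldForLabel>
  <fieldForValue>EventType</fieldForValue>
  <!-- the populating search itself; CDATA is still allowed here if the SPL
       contains < or & characters, otherwise plain text is fine -->
  <search>
    <query>$env$ source=$ProcessingNode$ $stepfilter$ $timerange$ | dedup EventType | $FilterEventType$ | table EventType</query>
  </search>
</input>
```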
Hi all, I have a big problem with my customer. I am trying to get message trace logs from Azure for O365, following the Splunk doc; my account has all 3 roles: Exchange Administrator, Global Administrator, Global Reader. In my lab Splunk I tried to troubleshoot via _internal and I have this. Does anyone know why and how to fix this? This is a sample log:

```
2023-07-08 20:00:18,077 level=ERROR pid=10564 tid=MainThread logger=splunk_ta_o365.modinputs.message_trace pos=__init__.py:run:376 | datainput=b'messagetrace' start_time=1688821215 | message="An error occurred while collecting data" stack_info=True
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/message_trace/__init__.py", line 371, in run
    self._collect_events(app)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/message_trace/__init__.py", line 145, in _collect_events
    self._get_events_continuous(app)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/message_trace/__init__.py", line 216, in _get_events_continuous
    self._process_messages(start_date, end_date)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/message_trace/__init__.py", line 283, in _process_messages
    message_response = self._get_messages(microsoft_trace_url)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/message_trace/__init__.py", line 270, in _get_messages
    raise e
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/message_trace/__init__.py", line 262, in _get_messages
    response.raise_for_status()
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error:  for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2023-07-03T12:54:27Z'%20and%20EndDate%20eq%20datetime'2023-07-03T13:54:27Z'
```
Can Splunk v. 9.1 Enterprise run on an AWS EC2 t2.micro with the standard 8GB?  When I run the query, index="_internal" | STATS count by host, I get an error saying the minimum 5000(thousand)MB is not met.  Thanks for all your help.
Issue - Unable to launch Splunk IMAP app, giving 404 error.
App on Splunkbase - https://splunkbase.splunk.com/app/5798
Splunk on-prem HF - v.9.0.4.1
HF OS - CentOS v.7.0 Core
Install location - /opt/splunk/etc/apps
Permissions - Directory & files are with splunk permissions
Installation method - Tried over DS as well as individually on HFs, restarting Splunkd
Versions tried - 3.3.0 & 3.3.1 (released May 2023)
Splunkd logs mention: An unknown view name "credential_management" is referenced in the navigation definition for "imap".
Any suggestions please that might work?
Hi All, there are a few risk notable events getting generated on the Incident Review page as part of the correlation searches being run. How can we exclude a few users (who are from the SOC team) from the correlation searches which are being run? Correlation searches like "OT Sec- Execution Process Spawning cmd.exe" are enabled in our network, which get triggered when the SOC team opens Chrome, exes, etc. Hence, we need to exclude a few users from risk-generating notables, or please suggest any other option which might be useful to get rid of these risk notables. Regards, VK
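A pattern for the exclusion, as an added example and not the correlation search from the post (its real SPL is not shown, so the Endpoint data model search below is a stand-in for whatever the search does before it produces risk). The allowlist lives in a lookup named `soc_analyst_allowlist.csv` with columns `user` and `allowlisted`; the name and columns are assumptions. Keeping the list in a lookup means an analyst can maintain it through the lookup editor without anyone editing the correlation search itself.

```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name="cmd.exe"
    by Processes.dest Processes.user Processes.parent_process_name Processes.process
| `drop_dm_object_name(Processes)`
| lookup soc_analyst_allowlist.csv user OUTPUT allowlisted
| where isnull(allowlisted)
```

Two cautions before shipping this. Excluding by user is a blunt instrument: anything an attacker does with a compromised SOC analyst account becomes invisible to this search, so prefer narrowing on `parent_process_name` or the specific command lines the SOC tooling produces, and keep the lookup short and periodically reviewed. For noise that is only expected for a while, Enterprise Security also offers notable event suppression (Configure > Incident Management > Notable Event Suppressions), which is time-bounded and leaves an audit trail rather than punching a permanent hole in the detection.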
I have a Spring Boot application where I have configured log4j to use the HTTP Event Collector. The data ingestion is successful, but the ingestion stops intermittently and resumes again; there is no definite pattern to when it resumes. There are no failure logs in Tomcat either. Below is the configuration in log4j2-spring.xml:

```
<SplunkHttp name="splunkhttp"
            host="dummy"
            source="source1"
            url="https://http-yyy-xxxx.splunkcloud.com"
            token="xxxxxxxxxxxxxxxx"
            index="ssssssss"
            sourcetype="log4j"
            disableCertificateValidation="true">
  <PatternLayout pattern="%m" />
</SplunkHttp>
<Loggers>
  <Logger name="com.some.service" level="debug" additivity="false">
    <appender-ref ref="splunkhttp" />
  </Logger>
</Loggers>
```

The following is the dependency in pom.xml:

```
<repositories>
  <repository>
    <id>splunk-artifactory</id>
    <name>Splunk Releases</name>
    <url>https://splunk.jfrog.io/splunk/ext-releases-local</url>
  </repository>
</repositories>
```

Any pointers please.
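Two things a reviewer would change in the appender above, shown as an added example rather than the poster's configuration. First, `disableCertificateValidation="true"` means the HEC token is sent to whatever answers at that hostname, so an on-path attacker can collect the token and then write arbitrary events into the index; Splunk Cloud HEC endpoints present a publicly trusted certificate, so validation can simply stay on. Second, the library batches events, and with a size-only batching policy a quiet logger holds events back until the batch fills, which looks exactly like ingestion stopping and resuming; `batch_interval` puts an upper bound on that delay. The attribute names are the ones documented for the SplunkHttp appender in splunk-library-javalogging; the values (interval assumed to be in milliseconds) are assumptions to tune.

```xml
<!-- Certificate validation is left enabled on purpose: every request carries
     the HEC token, and disabling validation hands it to any on-path host. -->
<SplunkHttp name="splunkhttp"
            host="dummy"
            source="source1"
            url="https://http-yyy-xxxx.splunkcloud.com"
            token="xxxxxxxxxxxxxxxx"
            index="ssssssss"
            sourcetype="log4j"
            batch_interval="1000"
            batch_size_count="100"
            batch_size_bytes="65536"
            send_mode="sequential">
  <!-- flush whichever limit is hit first: 1 s, 100 events, or 64 KiB -->
  <PatternLayout pattern="%m" />
</SplunkHttp>
<Loggers>
  <Logger name="com.some.service" level="debug" additivity="false">
    <AppenderRef ref="splunkhttp" />
  </Logger>
</Loggers>
```

If validation really has to be off temporarily (a lab endpoint with a self-signed certificate), treat the token as burned afterwards and rotate it on the Splunk side; a HEC token is a bearer credential with write access to the index, not a harmless identifier.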
I have been attempting to contact the sales team for a month via phone, no response. I have tried opening cases with many different browsers, doesn't function properly.  I have tried calling other Splunk support numbers, also no answer.  I've tried emailing the support email, no response.  How do I get support??? This is just unacceptable for a company making 3.5 billion dollars a year.  Anyone know how to actually get in contact with support, that works? 
Hi, I need to run this query. I don't know what I'm missing, but when I run it the src_ip field doesn't show me anything. Can you help me?

```
index=main source="WinEventLog:*" EventCode=4688 Creator_Process_Name="*wmiprvse.exe" AND NOT Logon_ID=0x3E7
| table _time, host, user, New_Process_Name, Process_Command_Line
| rename host AS Host, user AS Usuario, New_Process_Name AS "Proceso nuevo", Process_Command_Line AS "Comando"
```

Someone tried to help me and suggested this query, but I don't know if it is correct; it doesn't show me the value of the src_ip field either.

```
index=main source="WinEventLog:*" (EventCode=4688 Creator_Process_Name="*wmiprvse.exe" AND NOT Logon_ID=0x3E7)
| table _time, host, user, New_Process_Name, Process_Command_Line
| rename host AS Host, user AS Usuario, New_Process_Name AS "Proceso nuevo", Process_Command_Line AS "Comando"
| join type=inner src_ip [ search index=main source="WinEventLog:*" EventCode=4624 | table EventCode, src_ip ]
```
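The `src_ip` field is empty because event 4688 (process creation) does not carry a network address at all; only the logon event 4624 does (as `Source_Network_Address`, which the Windows add-on maps to `src_ip`), so joining the two on `src_ip` joins on a field one side never has. What the two events do share is the logon session: the Subject Logon ID on the 4688 equals the New Logon ID on the 4624 that opened that session, and a process launched by wmiprvse.exe on behalf of a remote caller runs under a network logon (Logon_Type 3), which is the classic remote-WMI lateral-movement footprint. As an added example, not the poster's query, this correlates the two on host and Logon_ID with `stats` rather than `join`; it assumes the Splunk Add-on for Microsoft Windows field names shown (`Logon_ID`, `Logon_Type`, `Source_Network_Address`, `user`).

```spl
index=main source="WinEventLog:*"
    ((EventCode=4688 Creator_Process_Name="*wmiprvse.exe" NOT Logon_ID=0x3E7)
     OR (EventCode=4624 Logon_Type=3))
| eval src_ip=coalesce(src_ip, Source_Network_Address)
| stats min(_time) as _time
        values(EventCode) as EventCode
        values(src_ip) as src_ip
        values(user) as user
        values(New_Process_Name) as New_Process_Name
        values(Process_Command_Line) as Process_Command_Line
    by host Logon_ID
| search EventCode=4688 EventCode=4624
| rename host AS Host, user AS Usuario, New_Process_Name AS "Proceso nuevo", Process_Command_Line AS "Comando"
| table _time Host Logon_ID src_ip Usuario "Proceso nuevo" Comando
```

Since 4624 extracts two logon IDs (the Subject's and the New Logon's) as a multivalue `Logon_ID`, `stats ... by Logon_ID` produces one row per value, and only the New Logon value will ever meet a matching 4688. The `| search EventCode=4688 EventCode=4624` line keeps sessions where both events were seen; `search` matches any value of a multivalue field, which is why it is used instead of `where` here. One operational caveat: the 4624 has to fall inside the search time range, so a session that logged on yesterday will not be correlated in a one-hour window.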
How do I remove duplicate rows based on all fields, not just one field, and display the unique rows? Let's say there are 10 fields; when I used `| dedup 10 field1, field2, ... field10`, the result missed some unique rows. Please help. Thank you.
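Two details of `dedup` explain the missing rows, with an added example rather than the poster's search. The leading integer in `dedup 10 field1 ...` is not a field count: it tells `dedup` to keep up to 10 events per combination, so it should be dropped. More importantly, `dedup` discards any event in which one of the listed fields is null unless `keepempty=true` is given, so rows that are unique only because some field is empty vanish. Filling the nulls first makes those rows compare like any other. The index and field names are placeholders.

```spl
index=<<your index>>
| fillnull value="NULL" field1 field2 field3 field4 field5 field6 field7 field8 field9 field10
| dedup field1 field2 field3 field4 field5 field6 field7 field8 field9 field10
| table field1 field2 field3 field4 field5 field6 field7 field8 field9 field10
```

Replacing the last two lines with `| stats count by field1 ... field10` gives the same unique rows plus how often each occurred, which is usually the more useful result when checking for duplicates; it needs the same `fillnull`, because `stats ... by` drops events with a null by-field just as `dedup` does.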
I want to extract the JSON object based on a single field match from the below string message.

```
payload ::[{"name","suman", "age":"22"},{"name","raman", "age":"32"}]
```

If the age is 22, then print `{"name","suman", "age":"22"}`.
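As an added example, not the poster's search, one way to return only the object whose `age` is 22. It works on the sample exactly as posted, where the objects use `"name","suman"` rather than valid JSON's `"name":"suman"`, so `spath` would not parse them; the separator class `[:,]` in the match tolerates both forms. The index name is a placeholder, and the objects are assumed not to contain nested braces.

```spl
index=<<your index>> "payload ::"
| rex field=_raw "payload ::\s*(?<payload>\[.*\])"
| rex field=payload max_match=0 "(?<obj>\{[^{}]*\})"
| mvexpand obj
| where match(obj, "\"age\"\s*[:,]\s*\"22\"")
| table obj
```

If the payload is valid JSON, the cleaner route is `| spath input=payload path={} output=obj | mvexpand obj | spath input=obj path=age | where age="22"`, which handles nested objects and quoted braces correctly where the regex above would not.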
I have been attempting to add a file path in Data Inputs, as well as in the inputs.conf file, as a "monitor". Each time I implement this, Splunk ingestion latency spikes to over 300ms and the service becomes effectively unusable. My intention is to monitor file additions, deletions, and modifications within a specific file path. Any ideas?