Hello everyone, I have the below fields and I want the search to generate only the results when the Previous_Time and New_Time difference is more than 5s:

    _time                     host      EventCode  EventCodeDescription          Name                                                 Previous_Time                   New_Time
    Tue Aug 15 09:35:01 2023  hostname  4616       The system time was changed.  C:\Program Files (x86)\TrueTime\WinSync\WinSync.exe  2023-08-15T07:35:01.152758200Z  2023-08-15T07:35:01.152000000Z

Thank you.
Hi all, we want to use Splunk Synthetic Transaction Monitoring in Splunk Observability Cloud. So we have an account and set up some synthetic monitors. We want to query the results of these synthetic monitors from our Splunk Enterprise on-premise platform. For security reasons only a connection from on-prem to Splunk Observability Cloud is allowed. On our test search head I installed the Splunk Synthetic Monitoring Add-On (https://splunkbase.splunk.com/app/5608) and have to configure an access token for the Observability Cloud. Which connections do I have to enable in our firewalls? Where do I configure the access in Observability Cloud? Thanks in advance for any help. Regards, Sascha
Hi Splunk Experts, I have different XML requests (100+ requests) as multi-line events. Is it possible to run stats on these requests and get their count? All these requests could have any values between their tags, and writing a rex for every request in order to stat them would be a difficult task, but is there any possible way to achieve this? Any suggestion would be very much helpful! Thanks in advance!
Can anyone tell me why my table doesn't display the redirect_uri?

    index=keycloak customerReferenceAccountId!=SERVICE* username!=test*@test.co.uk type=LOGIN*
    | stats count(eval(type="LOGIN")) as successful_login count(eval(type="LOGIN_ERROR")) as login_error by username, ipAddress
    | eval percentage_failure=((successful_login/login_error)*100)
    | eval percentage_failure=round('percentage_failure', 2)
    | where successful_login>0 AND login_error>7
    | table username, ipAddress, redirect_uri, successful_login, login_error, percentage_failure
Hi, I would like to add the alert name and its triggered time to a lookup file once the alert is triggered. I don't need the results; the alert name and triggered time would do. Basically, I need this data for reporting purposes. I am aware that this can be taken from Triggered Alerts using the REST API, or from the audit index. When I use the REST API for triggered alerts, the triggered time is not there, and for the audit index, only admin has access. So I am trying to do something while the alert is getting triggered.
Hello all, I am going to upgrade Splunk to version 9.1.x. Inside my app I use JS which does the translation of the page using i18n. When checking the jQuery scan, I get the message: "This /path/to/js/file.js is importing the following dependencies which are not supported or externally documented by Splunk. splunk.i18n" Does anyone have a solution to this problem, or if Splunk can't do i18n in JS anymore, how do you translate your dashboards? Any hints are appreciated. Kind regards, Marie
I am developing a custom dashboard with a table created from XML. The table has an id of "summary_table" which I am calling to extend with a custom cell renderer. The issue is that the table doesn't render the extended view of the table on first load. But if I click on the table header, which will trigger a sort function, the extended view works. Same thing when I click on a page from the pagination view. This is the view when I first load the dashboard. (DATA SHOWN BELOW ARE ALL MOCK DATA) And this is the view when I click on any of the table headers, which should have been rendered on first load. I am thinking that the table didn't re-render again after adding the new BaseCellRenderer. Here's my code.

    require([
        'splunkjs/mvc',
        'splunkjs/mvc/tableview',
        'splunkjs/mvc/simplexml/ready!'
    ], function(mvc, TableView) {

        var CustomCellRenderer = TableView.BaseCellRenderer.extend({
            canRender: function(cell) {
                // Enable this custom cell renderer for the Expiry_Extension field only
                return cell.field === 'Expiry_Extension';
            },
            render: function($td, cell) {
                console.log(cell.value);
                if (cell.value != "") {
                    // Cell value is "extension|expiration_date|order_id"
                    const extension = cell.value.split("|")[0];
                    const expiration_date = cell.value.split("|")[1];
                    const order_id = cell.value.split("|")[2];
                    let html = ``;
                    let button_html = `<button class="extend_expiry btn-sm btn btn-primary"><i class="icon icon-plus-circle"></i></button>`;
                    if (extension == 'null') {
                        html += button_html;
                    } else {
                        html += extension;
                        html += button_html;
                    }
                    $td.html(html);
                }
            }
        });

        // Create an instance of the custom cell renderer
        var myCellRenderer = new CustomCellRenderer();

        setTimeout(function() {
            mvc.Components.get("summary_table").getVisualization(function(tableView) {
                tableView.addCellRenderer(myCellRenderer);
                tableView.table.render();
                console.log("rendered");
            });
        }, 1000);
    });
Hi, I have a dashboard with multiple filters. I have a "customer" and a "subsidiary" filter. I want the "customer" filter to display the corresponding companies depending on the selection of the "subsidiary" filter. My query for the "customer" filter is as follows; currently it is showing all companies:

    index IN ("organization_a_company", "organization_b_company")
    | dedup name
    | fields name

For the "subsidiary" filter, it has a static input with

    Name - Value
    ============
    All  - *
    OrgA - OrgA
    OrgB - OrgB

However, since the value of "subsidiary" is different from the actual index name, I need to perform an eval case to map to the corresponding index names. I tried something dynamic in the "customer" filter like:

    index IN ("organization_a", "organization_b")
    | eval $sub$ = "OrgA"   <- the $sub$ token should come from the "subsidiary" filter, I am just testing here
    | eval filteredIndex = case($sub$ == "OrgA", "organization_a", $sub$ == "OrgB", "organization_b", 1=1, "organization_*")
    | search index IN ($filteredIndex$)
    | dedup name
    | fields name

but it didn't give any results. I tried following the example here by using $$ but still no luck. And I don't think I can put the eval before the search, right? But how can I make the index dynamic then? Thanks
Hi, below is my raw data:

    {
    timestamp: 2023-09-10
    Version:1
    Kubernetes.namespace: X
    Kubernetes.node: Y
    App_id:12345
    Host: server.ms.com
    Log:  21:46:32.268 [[Runtime].uber.471: [dasda-dasf-fasfs-import-1.0.0].vmstats.com] INFO net.das.com - ProcessCPUload=2.39| SystemCPUload=2.55|Initial memory=1.00| Usedheapmemory=0.70|Maxheap memory=0.95|commited_memory=0.95
    S_sourcetype=x
    Source=lkms
    }

Now, if I query as index=123 | table log, I get the complete data in the log field, but my aim is to create a table with columns ProcessCPUload, SystemCPUload, Usedheapmemory, Maxheap memory, commited_memory with their respective values. Could you help on how I could achieve this please?
Hi friends. I've followed the path to use the Universal Forwarder app from my Splunk Cloud environment. But I have the following message: "The TCP output processor has paused the data flow. Forwarding to host_dest=inputs1.XXXX.splunkcloud.com inside output group splunkcloud_ from host_src=YYYYYY has been blocked for blocked_seconds=10. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. Learn more." I've tested the communications to Splunk Cloud:

    splunkcloud.com:9997
    splunkcloud.com:8000
    splunkcloud.com:8089

And all are OK. My heavy forwarder is now skipping data. Is there something else I could check out?
I can't get Splunk to send me an ID so I can register for an exam. I have filled out the form multiple times. I have never had a tech company not let me register for a certification exam before. I need to schedule a day off to take the exam and I need this ASAP. Thanks, Stephanie

I am trying to calculate the overall score in a panel for each Registration type. I want the box inside to the right. Is that possible? I have added a screenshot.
Does the 'Add-on for Atlassian JIRA Service Desk alert action' (https://splunkbase.splunk.com/app/4958) allow you to "auto-map" the varied values coming from the SplunkES alert to specific fields in Jira?   As an example, we would like to auto map/populate  ${source_ip}$ to the 'Source IP' field in the Jira record. Thank you, Mike
I'm doing a main search of a sourcetype, then I need to join with a CSV file using inputlookup. Both the main search and the subsearch have the `Name` column, but when sending the complete search through the API it does not return the values correctly, while when I do the search manually in Splunk it works correctly.

    import time
    import splunklib.client as client

    # host, port, user and password are set elsewhere in the script
    service = client.connect(host=host, port=port, username=user, password=password)

    search = '''search ''' + '''index="aiops_main" sourcetype="scom_np" OR sourcetype="scom_p" type="*SQL*" AND (type="*AlwaysOn*" OR type="*Server Service Stopped*")
    | join type=left Name
        [| inputlookup maintenance_window.csv max=0
         | eval Name=lower(Name)
         | table Name, maint_down_start_time, maint_down_end_time, change_ticket]
    | eval is_maintenance = if((alwayson_failovertime >= maint_down_start_time) AND alwayson_failovertime < maint_down_end_time,"true","false")
    | table Name, type, is_maintenance
    '''

    kwargs_export = {
        "earliest_time": '1',
        "latest_time": "now",
        "search_mode": "normal",
        "exec_mode": "blocking",
    }

    # Create job and return results
    try:
        job = service.jobs.create(search, parse_only=False, **kwargs_export)
        print(time.strftime('\n%Y_%m_%d__%H:%M:%S'))
        print("...done!")
    except Exception as e:
        print("Trouble connecting to Splunk. Try again in a few seconds")
        raise e

This error appears: "INFO: [subsearch]: Your timerange was substituted based on your search string". In short: the is_maintenance field, when run manually in Splunk, returns some lines as true, while running the same search in Python returns all as false.
I need to be able to list the changes made to firewall rules. It seems like a simple audit task that you should be able to do, but unfortunately I can't find the answer to my problem in this documentation. Does anyone know how to do this audit from Splunk? Palo Alto Networks App for Splunk | Splunkbase; Palo Alto Networks Add-on for Splunk | Splunkbase
    index="tbv" source="winevents" ComputerName="CSPV-MTL-GCS-GAME1" EventID=6013

EventID=6013 fetches the system uptime in seconds [example: The system uptime is 18 seconds.] in the MessageString field. Need help to add up all the system uptime values and show the total in hours.
I have two lookup tables called lookup1.csv and lookup2.csv; both have a matching field called fullname. I want to match my lookup1.csv to lookup2.csv and output the values not in lookup1.csv but in lookup2.csv.

    | inputlookup lookup1.csv | search NOT [| inputlookup lookup.csv | field fullname]

But this SPL displays results found in both lookup tables. Is there any way to do this in Splunk? Thanks in advance
Hi All, I have these two logs:

    2023-08-09 10:31:57.853 [INFO ] [Thread-3] CollateralFileGenerator - Started generation of collateral Data file for type LENDING
    2023-08-09 10:31:59.342 [INFO ] [Thread-3] CollateralFileGenerator - *****************************************SUCCESS in sending control file collateral files to ABS Suite!!!*****************************************

I want to create a table structure where I want one column of _time, and in the second column I want these two statements:

    Started generation of collateral Data file for type LENDING
    *****************************************SUCCESS in sending control file collateral files to ABS Suite!!!*****************************************

And in the third column I want a green tick if I receive these two logs; if I don't receive these two logs I want a red tick. Can someone help me with the query?
Dears, I have a problem with my dashboard using HTML inside the <row>. What I want to achieve is having 2 tabs so that when I click on each of them a different query will be executed. The problem is that I have separate HTML code in each of them and both links appear as active regardless of the tab I select. I followed this tutorial: Splunk Dashboard Customization: Create Multiple Tabs Within A Single Dashboard - Splunk on Big Data. My code is:

    <dashboard script="tabs.js" stylesheet="tabs.css">
      <label>test</label>
      <row id="tabs">
        <panel>
          <html>
            <ul id="tabs" class="nav nav-tabs">
              <li class="active">
                <a href="#" class="toggle-tab" data-elements="tab_Map" data-token="control_token_non_internal" style="color:orangered;font-weight: bolder;">tab1</a>
              </li>
              <li>
                <a href="#" class="toggle-tab" data-elements="tab_Tab2" data-token="control_token_non_internal" style="color:orangered;font-weight: bolder;">tab2</a>
              </li>
            </ul>
          </html>
        </panel>
      </row>
      <row id="tab_Map">
        <panel>
          <html>
            <a href=...(omitting this part)><button class="button">tab1</button>
          </html>
        </panel>
      </row>

and another row for the other tab. I get both buttons like below. I want to have only the tab1 button when I click on tab1, not both buttons. Any idea what I am missing?
Looking at the Terraform provider documentation, I do not fully understand how a user is deleted using the "splunk_authentication_users" resource. Referenced here: https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/authentication_users I also looked through the provider source and examples and could not make heads or tails of it: https://github.com/splunk/terraform-provider-splunk as well as the REST API: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTaccess#authentication.2Fusers Any help is appreciated! Thanks, Chris