Splunk Version: 8
OS: Windows Server

Good afternoon. Maybe someone here can give me an idea how to troubleshoot. The customer updated the OS of the Windows server, and after the OS update Splunk is unable to run the service. WARNING: Seems web interface is not to be available. No logs are written in splunkd.log. The Splunk folder or directory is under the Splunk user. Thank you.
Dear All, how do I display simple info when I move the mouse over a point on the map? When I move the mouse over the point, it should display something like a table, and the table includes some simple info. How do I set this up? Something like the picture.
Hi Team, we have installed the app "Microsoft Teams Alert Cards" to create alerts in MS Teams through a webhook. Everything is working well, but it displays the hostname of the search head and the username of the person who scheduled the alert when we go to the Teams group and hover the mouse over "Go to Search" in MS Teams. Below is a screenshot for reference where I have masked the hostname and user ID. How can we ignore or remove the hostname and user ID in the alert? I tried checking the advanced edit of the alert but couldn't find any option related to this setting. Regards, VK
Trying to do a cross-reference multi-search that gathers specific result counts for two outputs (column1 & column2). Each search ends with a stats count and xyseries, combined to generate a multi-xyseries grid-style spreadsheet, showing a count where there's a match for these specific columns. The count doesn't matter, so all counts >= 1 eval to an "x" that marks the spot. E.g.:

col1 col2 1 2 3 4 5 6 7 8 9 10 a                       b                       c   x   x               d                 x x   e     x           x   x f             x         g                       h               x       i                     x j           x             k                       l                       m          x             n                       o   x x        x      x   p           x           q           x           r           x           s           x           t           x         

The overall query hits 1 of many apps at a time, introducing a problem where, depending on the app, the rows in particular can become very large, especially against column2's search. For the situations with an app search that generates pages and pages of results against column2, I'd just like to default to flatten/squish/merge (not sure of the best terminology) the result rows, ideally for both xy grids for col1 & col2 results, so you can see the columns 1,2,3..10...x to see what matches and what doesn't at a glance. E.g. squishing col2:

col1 col2 1 2 3 4 5 6 7 8 9 10 a                       b                       c   x   x               d                 x x   e     x           x   x f             x         g                       h               x       i                     x j           x             squished   x x   x x  x      x

I think the terminology for what this might be is throwing my searches, but I've tried a number of things from dedup to merge and join and stats, and all seem to have shortcomings.

The closest I've got is adding | stats values(*) as * | eval col2 = if(col2="*", "squished", "squished") to just treat col2 rows as all the same, but I've found cases where this removes empty columns altogether, e.g. ones that don't have an "x" count or grid match; for example, column 4 would just get removed. This might be more related to the structure of my overall query, but that's kind of why I'm wondering if there's just some spreadsheet-type function to flatten/squish the results in an xyseries like this after the fact, so the dashboard can toggle between squished and expanded.
Hey, so I need to integrate 12 new indexers into an existing multisite indexer cluster. Can't seem to find documentation for this. Any pointers would be appreciated.
As I was trying to integrate with the AWS UAE region CloudTrail, I haven't observed any details in the add-on; there may be regions missing, as observed. Any idea how we can go about the integration?
When comparing multivalue fields, there are a number of relationships one might be interested in. Equality is easy to check, but what about more complex relationships? Are any members of f1 in f2? What fields do f1 and f2 have in common (intersection)? What fields are unique to f1?
Please let me know the Splunk SaaS cloud licensing usage over time per index.
We would like to have the search results based on the following criteria. We have records in the event log with the following values:

    transactionID: abc | is_true: 1 | eventType: main | other_attributes_data
    transactionID: abc | eventType: event-A | other_attributes_data
    transactionID: abc | eventType: event-C | other_attributes_data
    transactionID: abc | eventType: event-F | other_attributes_data
    transactionID: def | is_true: 0 | eventType: main | other_attributes_data
    transactionID: def | eventType: event-B | other_attributes_data
    transactionID: def | eventType: event-C | other_attributes_data
    transactionID: def | eventType: event-E | other_attributes_data

We basically want a search string that identifies the "main" event records whose is_true value is "1". Once that is done, we want all the events that are associated with the same "transactionID". In this example, since "transactionID: abc" has the main event whose is_true value is 1, we would like to list all the events associated with that particular transactionID. The output for the query will be something like:

    transactionID: abc | eventType: main | other_attributes_data
    transactionID: abc | eventType: event-A | other_attributes_data
    transactionID: abc | eventType: event-C | other_attributes_data
    transactionID: abc | eventType: event-F | other_attributes_data

The "transactionID: def" records will not come back in the search results, as the corresponding main event has an is_true value of "0". How can we write such a query? Appreciate the response. Thanks,
There are several topics related to this, but it seems they are not exactly what I'm asking (i.e. those are related to custom dashboards, while I'm asking with regard to the basic Splunk search function).

When viewing search results, in the left sidebar, if you try to open a new tab via the results of either "Selected fields" or "Interesting fields", that value is not appended to the search (in the new tab). Rather, you just get a duplicate of the current search results. Is there any way to fix this? (Or to manually modify the Splunk JS files to support this?)

Animated GIF screen cap of what I'm referring to (using v9.1.0.2 demo): (just adding screenshots, the web server keeps throwing a "Less than 1m characters" error when I add the animated GIF)

What I'm referring to:

What we get:

What I'm hoping for:

This has bugged me since Splunk v6 (I'm now on v8 latest), and I just did a test/demo install of v9.1 and the issue remains with all versions. Thanks.

Some related topics that are very similar to what I'm asking here (but are not exactly the same):

https://community.splunk.com/t5/Dashboards-Visualizations/how-to-create-drilldowns-which-open-in-new-window-so-that-the/td-p/399087?sort=oldest
https://community.splunk.com/t5/Dashboards-Visualizations/How-to-enable-a-new-tab-opening-from-within-a-dashboard/m-p/388622#M25461
https://community.splunk.com/t5/Dashboards-Visualizations/How-to-drill-down-launch-another-search-with-parameter-from/td-p/49957
Hello, how can we use 2 fields to compare in the join command? I have a lookup table with tix1, tix2, tx3 and tx4 fields; I also have an index with tix1, tix2, ix3 and ix4 fields. How do I use the join command using the tix1 and tix2 fields as the basis of comparison? It is working well when I use tix1 or tix2 as the basis for comparison, but it doesn't work when I use both tix1 and tix2. Any recommendation will be highly appreciated. Thank you! Here is what I did with one field, working as expected:

    | inputlookup x_account.csv
    | search tix2 IN(03,05)
    | table tix1, tix2, tx3, tx4
    | join type=left tix1 [search index=idx_Account sourcetype="idx:events" tix2 IN(03,05) | table Stix1, tix2, ix3, ix4 ]

But I need to use:

    | inputlookup x_account.csv
    | search tix2 IN(03,05)
    | table tix1, tix2, tx3, tx4
    | join type=left tix1 tix2 [search index=idx_Account sourcetype="idx:events" tix2 IN(03,05) | table Stix1, tix2, ix3, ix4 ]
Hi Splunk Experts, I want to break all lines as single-line events [\r\n]. But if there are logs with a stack trace, I want to consider them as a multi-line event. I've tested the regex below and it works as expected, but I'm not sure what properties I should apply it to for a sourcetype. This is for an application which logs millions of events in a minute. Please assist me with an optimized solution.

    (.*[\n]((.*\)\])?(\s+at.*\)\n))+)

Sample logs:

    [(2023-08-03 10:00:03)] INFO: Request completed successfully.
    [(2023-08-03 10:00:03)] ERROR: Request got failed.
    [(2023-08-03 10:00:02)] Exception in thread "main" java.lang.NullPointerException
        at com.example.MyClass.method1(MyClass.java:12)
        at com.example.MyClass.method2(MyClass.java:34)
        at com.example.AnotherClass.someMethod(AnotherClass.java:56)
        at com.example.Main.main(Main.java:23)
    [(2023-08-03 10:00:03)] INFO: Request Submitted successfully.
    [(2023-08-03 10:00:03)] INFO: Request completed successfully.
    [(2023-08-03 10:00:03)] WARN: Request failed unsuccessfully.
    [(2023-08-03 10:00:02)] java.io.FileNotFoundException: file.txt (No such file or directory)
    [(2023-08-03 10:00:02)] at java.base/java.io.FileInputStream.open0(Native Method)
    [(2023-08-03 10:00:02)] at java.base/java.io.FileInputStream.open(FileInputStream.java:219)
    [(2023-08-03 10:00:02)] at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
    [(2023-08-03 10:00:02)] at java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)
    [(2023-08-03 10:00:02)] at com.example.FileDemo.readFromFile(FileDemo.java:55)
    [(2023-08-03 10:00:02)] at com.example.Main.main(Main.java:12)
    [(2023-08-03 10:00:03)] INFO: Request completed successfully.
    [(2023-08-03 10:00:04)] DEBUG: Processing request: /api/v1/data?id=67890
    [(2023-08-03 10:00:03)] WARN: Request failed unsuccessfully.
    java.lang.IllegalArgumentException: Invalid input: negative value not allowed
    [(2023-08-03 10:00:02)] at com.example.MathUtils.squareRoot(MathUtils.java:42)
    [(2023-08-03 10:00:02)] at com.example.Main.main(Main.java:33)
    [(2023-08-03 10:00:02)] ERROR: Failed to fetch data from the database.

Expected first multi-line event:

    [(2023-08-03 10:00:02)] Exception in thread "main" java.lang.NullPointerException
        at com.example.MyClass.method1(MyClass.java:12)
        at com.example.MyClass.method2(MyClass.java:34)
        at com.example.AnotherClass.someMethod(AnotherClass.java:56)
        at com.example.Main.main(Main.java:23)

Expected second multi-line event:

    [(2023-08-03 10:00:02)] java.io.FileNotFoundException: file.txt (No such file or directory)
    [(2023-08-03 10:00:02)] at java.base/java.io.FileInputStream.open0(Native Method)
    [(2023-08-03 10:00:02)] at java.base/java.io.FileInputStream.open(FileInputStream.java:219)
    [(2023-08-03 10:00:02)] at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
    [(2023-08-03 10:00:02)] at java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)
    [(2023-08-03 10:00:02)] at com.example.FileDemo.readFromFile(FileDemo.java:55)
    [(2023-08-03 10:00:02)] at com.example.Main.main(Main.java:12)

Expected third multi-line event:

    [(2023-08-03 10:00:03)] WARN: Request failed unsuccessfully.
    java.lang.IllegalArgumentException: Invalid input: negative value not allowed
    [(2023-08-03 10:00:02)] at com.example.MathUtils.squareRoot(MathUtils.java:42)
    [(2023-08-03 10:00:02)] at com.example.Main.main(Main.java:33)
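A reference implementation of the breaking rule that the three expected events imply, added here as an example and not code from the original post: a new event starts only at a line that carries the "[(timestamp)]" prefix and whose message does not begin with "at", so stack frames (with or without a timestamp) and the untimestamped exception line stay attached to the preceding event. The sample log is constructed from the excerpt above, and the props.conf LINE_BREAKER in the comment is an assumed translation of the same rule, to be tested against the real sourcetype before use.

```python
import re
from typing import List

# A line opens a new event only when it starts with the "[(YYYY-MM-DD HH:MM:SS)]"
# timestamp AND the text after it is not a stack frame ("at ...").  Frames and
# exception lines without a timestamp never match, so they attach to the event
# in progress; timestamped "at" lines are excluded by the negative lookahead.
EVENT_START = re.compile(r"^\[\(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\)\](?!\s*at\s)")

# Assumed props.conf equivalent (not from the original post; verify on a test
# input before rolling it out).  LINE_BREAKER's first capture group is the
# delimiter, and the lookahead reproduces the EVENT_START rule above:
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=\[\(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\)\](?!\s*at\s))


def break_events(text: str) -> List[str]:
    """Split raw log text into events using the EVENT_START rule."""
    events: List[str] = []
    current: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue  # blank lines carry nothing; skip them
        if EVENT_START.match(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def multiline_events(text: str) -> List[str]:
    """Return only the events spanning more than one line (the stack traces)."""
    return [event for event in break_events(text) if "\n" in event]


# Constructed sample, abridged from the log excerpt in the post.
SAMPLE_LOG = """\
[(2023-08-03 10:00:03)] INFO: Request completed successfully.
[(2023-08-03 10:00:03)] ERROR: Request got failed.
[(2023-08-03 10:00:02)] Exception in thread "main" java.lang.NullPointerException
    at com.example.MyClass.method1(MyClass.java:12)
    at com.example.Main.main(Main.java:23)
[(2023-08-03 10:00:03)] INFO: Request Submitted successfully.
[(2023-08-03 10:00:02)] java.io.FileNotFoundException: file.txt (No such file or directory)
[(2023-08-03 10:00:02)] at java.base/java.io.FileInputStream.open0(Native Method)
[(2023-08-03 10:00:02)] at com.example.Main.main(Main.java:12)
[(2023-08-03 10:00:03)] INFO: Request completed successfully.
[(2023-08-03 10:00:03)] WARN: Request failed unsuccessfully.
java.lang.IllegalArgumentException: Invalid input: negative value not allowed
[(2023-08-03 10:00:02)] at com.example.MathUtils.squareRoot(MathUtils.java:42)
[(2023-08-03 10:00:02)] at com.example.Main.main(Main.java:33)
[(2023-08-03 10:00:02)] ERROR: Failed to fetch data from the database.
"""

if __name__ == "__main__":
    for event in multiline_events(SAMPLE_LOG):
        print(event)
        print("---")
```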
Hi Team, is there any way we can store a CSV file back to the source path directory or any other directory? I am trying to create an alert with "Output results to lookup". Is there any way we can store the created .CSV in a shared directory? Please advise. Thank you.
I have data stored in a CSV file, which contains the time field. I want the data for the complete last week and also the data for the current week. E.g. Day1: 100, Day2: 200, ..., Day14: 600. I want data from day1-day7 -> current week and day7-14 -> previous week. I am doing something like below, but it gives me data from the current week:

    | eval first_day_last_week=relative_time(relative_time(now(),"-1w@w"),"-1d@d"), last_day_last_week=relative_time(relative_time(now(),"-1w@w"),"+6d@d")
    | where _time>=first_day_last_week AND _time<=last_day_last_week

Technically the data should not come up, as today is Aug 7 and it should not show since it is from the current week.
I have JSON data coming in that contains a 13-digit epoch value in eventTime, but %s appears to only support 10 digits (https://docs.splunk.com/Documentation/Splunk/8.2.8/Data/Configuretimestamprecognition?ref=hk). What I'm trying to do is create a sourcetype that will set _time to the value in eventTime when consumed, but I'm struggling to solve it. I did try setting TIMESTAMP_FIELDS to eventTime and then TIME_FORMAT to %s, but that did not work. But I also manually added a 10-digit epoch and it still did not work, so maybe I'm just chasing the wrong idea. I also tried 'AUTO' but it did not find it. Looking to learn! Thank you!
I'm currently working on an XML dashboard in Splunk where I've set up a chained search that builds upon a base search. My objective is to retrieve the SID (Search ID) for the chained search itself, rather than just obtaining the SID of the base search, which is what currently happens when I use the addinfo command. When I apply the addinfo command within the chained search, it only provides me with the SID of the base search, and I'm looking to access the SIDs associated with the extended search queries within the chained search. How can I effectively retrieve the SIDs for each component of the chained search, including the extended queries, using the addinfo command or any alternative methods? Sample:

    <form theme="dark" version="1.1">
      <label>test</label>
      <search id="baseSearch">
        <query> index="test" | table A B C D E F _time </query>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </search>
      <row>
        <panel>
          <table>
            <search base="baseSearch">
              <done>
                <set token="job_exportTocsv">$job.sid$</set>
              </done>
              <query>| stats count by A | addinfo </query>
            </search>
            <option name="drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
    </form>

The job.sid you can see, or which is added by addinfo, shows only the results from the base search in this example. If you run a | loadjob $job.sid$ with the SID provided by the chained search, you will see the results from the base search (| table A B C D E F _time) instead of the | stats count by A. So it looks like chained searches are handled differently from a base search; it was also not possible for me to find the chained search in Activity --> Jobs or to access this search via the REST endpoint. Any ideas on how to access the results from the chained search?
Is it possible to change the Splunk top-level menu, e.g. Messages / Settings / Activity / Help / Find? We would like to customise the menus and options for a specific user but can only seem to find ways of editing the menu options for apps.
How would you extract fields from this data? I would like to extract the panel ID, watts, grid Hz, grid voltage and temp from the data; the grid data is on every set of 4 lines, and there are 24 panels.

    ID              Watts  Volts  Freq     Gvolts  Temp

    match="805000048512-1 98 W 33 V 60.0 Hz 251 V 35 °C 08/07/2023 12:58:53 UTC, _time="1691438333.0", title="ZEDTwo30", encoding="utf-8", browser="integrated_client", response_size="14555", response_code="200", url="http://192.168.2.178/index.php/realtimedata", request_time="734.2638969421387", content_md5="40acffc51f6d6213b2b1e1b379bc14f2", content_sha224="aae23ec01baaf5502794091e3cc7e00d1cb6ba265ef675a999e27dc0", raw_match_count="25", match="Inverter ID Current Power DC Voltage Grid Frequency Grid Voltage Temperature Reporting Time", match="805000048512-1 1 W 36 V 60.0 Hz 253 V 14 °C 2023-08-07 06:57:04", match="805000048512-2 0 W 36 V 253 V", match="805000048512-3 0 W 36 V 253 V", match="805000048512-4 1 W 36 V 253 V", match="805000050217-1 0 W 36 V 60.0 Hz 252 V 14 °C 2023-08-07 06:57:04", match="805000050217-2 1 W 36 V 252 V", match="805000050217-3 0 W 36 V 252 V", match="805000050217-4 1 W 36 V 252 V", match="805000048270-1 1 W 36 V 60.1 Hz 253 V 15 °C 2023-08-07 06:57:04", match="805000048270-2 1 W 36 V 253 V", match="805000048270-3 1 W 36 V 253 V", match="805000048270-4 1 W 36 V 253 V", match="805000051865-1 0 W 36 V 60.0 Hz 252 V 14 °C 2023-08-07 06:57:04", match="805000051865-2 0 W 36 V 252 V", match="805000051865-3 0 W 36 V 252 V", match="805000051865-4 0 W 36 V 252 V", match="805000050663-1 0 W 36 V 60.0 Hz 252 V 13 °C 2023-08-07 06:57:04", match="805000050663-2 0 W 36 V 252 V", match="805000050663-3 0 W 36 V 252 V", match="805000050663-4 0 W 36 V 252 V", match="805000048357-1 0 W 36 V 59.9 Hz 251 V 14 °C 2023-08-07 06:57:04", match="805000048357-2 0 W 36 V 251 V", match="805000048357-3 0 W 36 V 251 V", match="805000048357-4 0 W 36 V 251 V"
Hello, I have a table with the following fields from an email security system that are duplicated within a time range of 3s:

    _time                sender              receiver                                   subject           attach
    2023-08-07 14:07:46  sender1@domain.com  receiver1@domain.com receiver2@domain.com  "email subject"   attach1.pdf attach2.pdf
    2023-08-07 14:07:49  sender1@domain.com  receiver1@domain.com receiver2@domain.com
    2023-08-07 15:10:05  sender2@domain.com  receiver3@domain.com receiver4@domain.com
    2023-08-07 15:10:08  sender2@domain.com  receiver3@domain.com receiver4@domain.com  "email2 subject"  attach3.rar attach4.rar
    2023-08-07 16:11:08  sender3@domain.com  receiver5@domain.com

I want to merge the duplicated fields together within the range of 3s without losing the subject and attach values, but I don't want to remove the other blank values of the emails that are sent without a subject or attachment. It should look like this:

    _time                sender              receiver                                   subject           attach
    2023-08-07 14:07:46  sender1@domain.com  receiver1@domain.com receiver2@domain.com  "email subject"   attach1.pdf attach2.pdf
    2023-08-07 15:10:08  sender2@domain.com  receiver3@domain.com receiver4@domain.com  "email2 subject"  attach3.rar attach4.rar
    2023-08-07 16:11:08  sender3@domain.com  receiver5@domain.com

Thank you.
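A reference implementation of the merge rule described in the post, added here as an example and not code from the original post: rows with the same sender and receiver that arrive within 3 s of the previous row for that pair are collapsed into one, non-empty subject and attach values are kept, the surviving row takes the timestamp of the copy that actually carried them, and a lone row with blank subject/attach is left as-is. The sample rows are constructed from the table above.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

TIME_FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(seconds=3)  # the gateway logs each mail twice within 3 s

# Constructed sample rows, taken from the table in the post.
ROWS: List[Dict[str, str]] = [
    {"_time": "2023-08-07 14:07:46", "sender": "sender1@domain.com",
     "receiver": "receiver1@domain.com receiver2@domain.com",
     "subject": "email subject", "attach": "attach1.pdf attach2.pdf"},
    {"_time": "2023-08-07 14:07:49", "sender": "sender1@domain.com",
     "receiver": "receiver1@domain.com receiver2@domain.com",
     "subject": "", "attach": ""},
    {"_time": "2023-08-07 15:10:05", "sender": "sender2@domain.com",
     "receiver": "receiver3@domain.com receiver4@domain.com",
     "subject": "", "attach": ""},
    {"_time": "2023-08-07 15:10:08", "sender": "sender2@domain.com",
     "receiver": "receiver3@domain.com receiver4@domain.com",
     "subject": "email2 subject", "attach": "attach3.rar attach4.rar"},
    {"_time": "2023-08-07 16:11:08", "sender": "sender3@domain.com",
     "receiver": "receiver5@domain.com", "subject": "", "attach": ""},
]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, TIME_FMT)


def merge_duplicates(rows: List[Dict[str, str]],
                     window: timedelta = WINDOW) -> List[Dict[str, str]]:
    """Collapse rows logged twice for one (sender, receiver) pair within `window`.

    Rows are walked in time order.  A row whose pair was last seen within the
    window is folded into that earlier row instead of being emitted: empty
    subject/attach fields are filled from the new row, and the merged row takes
    the timestamp of the copy that carried the data.  A lone row with blank
    subject/attach is kept unchanged.  Input rows are copied, not mutated.
    """
    ordered = sorted((dict(r) for r in rows), key=lambda r: parse_time(r["_time"]))
    merged: List[Dict[str, str]] = []
    last_seen: Dict[Tuple[str, str], Tuple[datetime, Dict[str, str]]] = {}
    for row in ordered:
        key = (row["sender"], row["receiver"])
        when = parse_time(row["_time"])
        if key in last_seen and when - last_seen[key][0] <= window:
            target = last_seen[key][1]
            for field in ("subject", "attach"):
                if not target[field] and row[field]:
                    target[field] = row[field]
                    target["_time"] = row["_time"]
            last_seen[key] = (when, target)
            continue
        merged.append(row)
        last_seen[key] = (when, row)
    return merged


if __name__ == "__main__":
    for r in merge_duplicates(ROWS):
        print(r["_time"], r["sender"], r["receiver"], repr(r["subject"]), repr(r["attach"]))
```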