All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Sample events:

    { errorClass: NullPointerException userId: 53 },
    { errorClass: IllegalArgumentException userId: 65 },
    { errorClass: NullPointerException userId: 32 }

Instead of having one alert mixed with many different errors, I would like to create a new alert for every type of error:

Alert 1

    { errorClass: NullPointerException userId: 53 },
    { errorClass: NullPointerException userId: 32 }

Alert 2

    { errorClass: IllegalArgumentException userId: 65 }

Of course the number of errorClass values can be infinite, so we cannot create a dedicated alert for every errorClass. I want to find out whether something like this is possible:

    {baseSearch} | stats count by errorClass

where every row in the stats table becomes a new alert.
I have created 3 dropdowns and one data table using Dashboard Studio. Based on the dropdown values selected, the table data should change with the help of a submit button. Could anyone provide the solution using Dashboard Studio?
Hi there, I was referring to the page below to find use cases but am unable to access the link anymore: https://docs.splunksecurityessentials.com/ Does anyone have any idea about this? Thank you!
Hi, we have a performance log onboarded and there is a value in it that we would like to monitor. The logs contain the following:

    {"name":"dbcp.numActive","value":"0"},

I would like to get an alert if the value is greater than 90. How do I write a query for this?
Hello guys, how can we adjust the Java heap space value for the Splunk DB Connect app (for example, from 2GB to 8GB)? Thanks!
I am trying to build an app where I am creating dashboards for a user to see the data, which is populated from APIs that I call from a Python script. While I was trying to validate the app, I got this error from AppInspect: check_indexes_conf_does_not_exist. Is there any other way I can populate the data in my dashboards at regular intervals without using an index?
Hi Splunk Community!

Is there a way for me to create a table output from the JSON keys below (and possibly rename the keys so that each represents its uniqueness)? Example below.

JSON data:

    {
      "Key1": "Value1",
      "Key2": {
        "subKey2_1": "sub value1 for key2",
        "Manifest": [
          {
            "flight": "start",
            "City": "Los Angeles",
            "code": 7870,
            "Inventory": {
              "snacks": 300,
              "status": "full"
            }
          },
          {
            "flight": "end",
            "City": "Las Vegas",
            "code": 7470,
            "Inventory": {
              "snacks": 56,
              "status": "near empty"
            }
          }
        ],
        "subKey2_3": "sub value3 for key2"
      },
      "Key3": "Value3",
      "Key4": "Value4"
    }

I am looking to create a table with a single row of the fields and values below:

    Field                    = Value
    city_origin              = "Los Angeles"
    code_origin              = 7870
    inventory_snacks_origin  = 300
    inventory_status_origin  = "full"
    city_end                 = "Las Vegas"
    code_end                 = 7470
    inventory_snacks_end     = 56
    inventory_status_end     = "near empty"
Hi: Is there a workaround to use Integrated Windows Authentication in either Browser Synthetic or Synthetic API monitoring? That would be very useful within a corporate network using the private synthetic agent. Thanks, Roberto
Hey guys!

I need the statistics of a bunch of data by month, and this is done already:

    search | eval Month=strftime(_time,"%Y %m") | stats count(mydata) AS nobs, mean(mydata) as mean, min(mydata) as min by Month | reverse

The output is what I want:

    Month    nobs  mean        min
    2023 06  1900  -5.0239778  -68.73417
    2023 05  3562  -4.2430259  -67.134697
    2023 04  3181  -4.1811658  -64.995394
    2023 03  4274  -4.3373071  -134.20177
    2023 02  3939  -4.7725011  -73.538274
    2023 01  2868  -5.5231115  -41.056093
    2022 12  395   -4.617424   -35.51642

Now I want to add another row at the bottom, called 'All', like this:

    Month    nobs  mean        min
    2023 06  1900  -5.0239778  -68.73417
    2023 05  3562  -4.2430259  -67.134697
    2023 04  3181  -4.1811658  -64.995394
    2023 03  4274  -4.3373071  -134.20177
    2023 02  3939  -4.7725011  -73.538274
    2023 01  2868  -5.5231115  -41.056093
    2022 12  395   -4.617424   -35.51642
    All      z.zz  x.xx        y.yy

Here, the results for x.xx, y.yy and z.zz should be computed from the whole search result, instead of from the statistics shown in the rows. I am wondering how to do that. Ideally, I can use the search result without the need to search again and degrade performance. Thanks!
We have Cisco IOS logs going to our syslog server > heavy forwarder > Splunk Cloud. The add-on is installed on the syslog server UF, the heavy forwarder and the search head. Data is being parsed correctly; however, for dvc all we get is the syslog server. Is there something we need to configure on the add-on to get the actual Cisco device name?
I don't want my sc_admin users to have to handle restore requests. I would like to make a role that has just enough capabilities to manage restores / rehydrations.
Hello, I'm new to Splunk and currently working on a firewall dashboard. I'm encountering issues with the coding, specifically regarding a dropdown firewall panel. My goal is to create a dropdown menu that lists 33 different firewalls, and when a firewall is selected, other panels should display the corresponding data. However, I'm facing a problem where selecting a firewall doesn't trigger any data to appear. I'm wondering if there's something missing or if I made a mistake in my implementation. Additionally, I have 333 host types, and I'm unsure of the best way to condense them into a single field. Below, you'll find the code for my firewall dropdown menu and a total result panel. Any assistance would be greatly appreciated. Thank you kindly.

    <panel>
      <input type="dropdown" token="firewall_token" searchWhenChanged="true">
        <label>Search by Firewall:</label>
        <choice value="All">All Firewalls</choice>
        <choice value="ais-fw-a">Firewall 1</choice>
        <choice value="ais-fw-b">Firewall 2</choice>
        <!-- Add more choices for different firewalls -->
      </input>
    </panel>
    <panel>
      <title>Total Results</title>
      <chart>
        <search>
          <query>
            index=firewalls earliest="$time_earliest$" latest="$time_latest$" | stats count by source
          </query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
      </chart>
    </panel>
I have an event like the one below and I am trying to create a common field for CI_Name / Hostname / IP_Address and name it Generic_HostName.

    2023-06-21 07:46:38.701, CI_Name="abc.xyz.net", Hostname="abc", Domain="xyz.net", System_Role="DR", Environment="DR", IP_Address="40.90.20.10", Tier1="Hosting", Tier2="Processing unit", Tier3="Server", BU="poc", Operating_System="Red Hat Enterprise Linux 7.9", OS_Version="7.9",

So when I do a stats on Generic_Hostname, the result should have CI_Name, Hostname and IP_Address:

    index=* | stats count by Generic_Hostname

Output:

    abc.xyz.net
    abc
    40.90.20.10

How can I achieve this?
Hello, I have set up an alert which generates around 50-60 events every day. I have configured this alert to send mails to my email ID. I have been observing that not all events generate emails, and the count of alert events and the number of mails received do not match. The alert mail is not fired intermittently. Can you please suggest some ways to troubleshoot the cause of this problem? Thanks in advance.
    "my base query 1 to Total _count_of_success_transactions" | rex "URI\s*(?<URI>[^\=\n]+)"
    "my base query 2 to trackTotal _count_of_Failed_transactions" | rex "gov\^*(?<URL>.*)"

I want the table below to be shown:

1) column 1: Total count of Success transactions
2) column 2: Total count of Failed Services
3) column 3: Percent of success rate
I have 3 dropdowns added: Timeframe, Report Name and Path Category. Timeframe is fine. I have added 5 options, including All, under Report Name, which is hardcoded under static values (All, Moovweb, SFCC, Akamai, SFCC core). Under Path Category I have added hardcoded static values with name and value (All, PDP, PLP, MW api, MW Search, Cart api, Akamai search, Akamai checkout flow, Akamai account flow, SFCC Core search).

With the static option, if I select Moovweb, I get all results under the Path Category dropdown, but what I am looking for is just 5 values: All, PDP, PLP, MW Api, MW Search, Cart Api. The same way for Akamai: All, PDP, PLP, Akamai search, Akamai checkout flow, Akamai account flow. How can I achieve this, so that with one report name I get only the specific path categories?

One more point: in the above dashboard I have included 19 panels (different sites) where a Splunk query has been added, and the result changes according to the above selections. Can anyone please check this on priority and revert? Thanks in advance!!
Sample log:

    16/Jan/2021:00:00:01 +0000 1111155317 madridES_20 90.180.XX.167 GET https www.cdn77.com /img/customers_logos_light.png 200 HIT 35532 41004 0.000 424923 Mozilla/5.0 (Linux; Android 4.4.2; SUNSET Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari https://www.cdn77.com/css/main.min.css V3

How do Bloom filters work when the search term is written in quotes like this?

1st query:

    index=some_index "Mobile Safari"

As per my understanding, terms in logs break on major segmenters (i.e. the space here) and make lexicon terms that are present in the tsidx files, on which Bloom filters work. If I write the query like this:

2nd query:

    index=some_index TERM(Mobile Safari)

it won't return any events, as there is no lexicon term present in the tsidx files like "Mobile Safari" as a whole. But the 1st query is returning the events having the string "Mobile Safari". I want to understand how a filter in double quotes is different from the one used inside TERM. How are these filters processed?
I'm not lucky: I have disabled all inherited roles for admin, and when I try to re-enable them the Save button is disabled and the whole cluster is affected by this change. Please help.
Hi, I need to extract the events below. I tried this:

    | rex "URI\s(?<URI>.+?)="

but it is not working. I want to extract, for events 1 and 2, the part before the "=":

    URI /api/Hellothisistest?customerNumber=244479
    URI /api/Hellothisistest?customerNumber=247370
    URI  /api/Getthisextractessample
    URI  /api/createthisextractesof
    URI  /api/liverpooltestsoccer

Thanks in advance
I am trying to ingest XML file data using the inputs.conf configuration below. I am unable to ingest the data, and I am not getting any ERROR in the internal logs either. The source path is as follows:

    D:\ARDS\MASS\Data\ExecutionReport\ExecutionReport_Task[SendLabelNetisuq]_Job[5c522e65-a46f-4445-a9ca-3192e6c391b7]_20230614-182807-394995.xml

    [monitor://D:\ARDS\MASS\Data\ExecutionReport\ExecutionReport_Task[SendLabelNetisuq]_Job*_*.xml]
    disabled = false
    sourcetype = abc:xyz:executionreport
    index = log_abc
    crcSalt = <SOURCE>