How do I register for Splunk Enterprise Certified Architect? I have already completed Admin but am unable to register for the Splunk Enterprise Certified Architect exam in Pearson VUE. Completed exams are highlighted in the screenshot below.
I am performing a migration of an 8.2.2 Splunk instance into a new VM. I have copied the entire $SPLUNK_HOME (D:\Splunk) folder into the new VM and ran the installer. The installer fails with a rollback. I have the logs with me and here is an excerpt of the failure:

MSI (s) (DC:AC) [14:20:49:588]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI3EE8.tmp, Entrypoint: FirstTimeRunCA
FirstTimeRun: Warning: Invalid property ignored: FailCA=.
FirstTimeRun: Info: Properties: splunkHome: D:\Splunk.
FirstTimeRun: Info: Execute first time run.
FirstTimeRun: Info: Enter. Args: "D:\Splunk\bin\splunk.exe", _internal first-time-run --answer-yes --no-prompt
FirstTimeRun: Info: SystemPath is: C:\Windows\system32\
FirstTimeRun: Info: Execute string: C:\Windows\system32\cmd.exe /c ""D:\Splunk\bin\splunk.exe" _internal first-time-run --answer-yes --no-prompt >> "C:\Users\********\AppData\Local\Temp\splunk.log" 2>&1"
FirstTimeRun: Info: WaitForSingleObject returned : 0x0
FirstTimeRun: Info: Exit code for process : 0x2
FirstTimeRun: Info: Leave.
FirstTimeRun: Error: ExecCmd failed: 0x2.
FirstTimeRun: Error 0x80004005: Cannot execute first time run.
CustomAction FirstTimeRun returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 14:20:57: InstallFinalize. Return value 3.

Does anyone have any insights?
Description of the issue: the Defender 365 overview dashboard is broken whenever the field status is used. Root cause: the SPL query uses a capitalized first character on the status field (New, InProgress, Resolved) while the add-on only ingests status as new, inProgress, resolved, without the capitalized first letter. The same issue can be found in many other dashboards. As an example, the below won't return any results:

`defender_atp_index` sourcetype="ms365:defender:incident:alerts"
| stats latest(status) AS status latest(severity) AS severity latest(assignedTo) AS assignedTo latest(category) AS category by incidentId
| chart dc(incidentId) over assignedTo by status
| eval Total=New + InProgress + Resolved
| fields assignedTo New InProgress Resolved Total
| addcoltotals

The Defender 365 overview dashboard is also broken because of a reference to the non-existing field entities{}.entityType:

`defender_atp_index` sourcetype="ms365:defender:incident:alerts"
| stats latest(status) AS status latest(severity) AS severity latest(assignedTo) AS assignedTo latest(category) AS category latest(entities{}.entityType) AS entityType by incidentId mitre_technique_id
| chart dc(mitre_technique_id) over entityType by category

Prerequisites:
- Installed latest Splunk Add-on for Microsoft Security
- Successful ingestion of the below 3 sourcetypes with `Splunk Add-on for Microsoft Security`: ms:defender:atp:alerts, ms365:defender:incident, ms365:defender:incident:alerts
- Installed latest Microsoft 365 app for Splunk
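An added example of making the overview query tolerant of the lower-camel-case status values; this is not code from the Splunk Add-on for Microsoft Security or the Microsoft 365 app. The four incidents are constructed inline with makeresults so the search runs without the add-on; incidentId, status and assignedTo are the field names from the query above, and the value normalisation keeps the rest of the posted pipeline (chart, eval Total, fields, addcoltotals) unchanged:

```spl
| makeresults
| eval data="1001;new;alice,1002;inProgress;alice,1003;resolved;bob,1004;new;bob"
| makemv delim="," data
| mvexpand data
| rex field=data "^(?<incidentId>[^;]+);(?<status>[^;]+);(?<assignedTo>[^;]+)$"
| fields - data
| eval status=case(lower(status)=="new", "New",
                   lower(status)=="inprogress", "InProgress",
                   lower(status)=="resolved", "Resolved",
                   true(), status)
| stats latest(status) AS status latest(assignedTo) AS assignedTo by incidentId
| chart dc(incidentId) over assignedTo by status
| fillnull value=0 New InProgress Resolved
| eval Total=New + InProgress + Resolved
| fields assignedTo New InProgress Resolved Total
| addcoltotals
```

With the sample data this returns alice with New=1, InProgress=1, Resolved=0, Total=2, bob with New=1, InProgress=0, Resolved=1, Total=2, and a totals row of 2/1/1/4. The case() on lower(status) accepts either spelling, so the same panel works if a future add-on version changes the casing again, and fillnull value=0 creates any of the three columns that no incident currently has, which is what makes eval Total non-null when, say, nothing is Resolved in the time range. The same guard applies to the second query in the post: `| eval entityType=coalesce('entities{}.entityType', "unknown")` before the stats gives events without an entities array a label to chart under instead of dropping them.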
Hi All, how do I find unwanted logs (noise) in CrowdStrike Falcon logs? Do you know which details can be filtered out of CrowdStrike Falcon logs?
In GUI > Search app > search page, I used to change the search mode to Verbose, which I knew persisted across sessions. For example, when I changed the mode to "Fast" and logged out, once I logged back in it showed "Fast". But not any more after we upgraded from 9.0.4 to 9.0.5. Why? [ui-prefs.conf, URL or localStorage]
I have looked through the forums and can't find exactly what I am looking for. Here is my search and what I think should work, but I don't think I completely understand multisearch.

| multisearch
    [ search index=patch sourcetype=device host="bradley-lab" device_group=PRE* | where match(host,"bradley-lab") ]
    [ search index=patch sourcetype=device host="bradley-lab" device_group=BFV* | where NOT match(host,"bradley-lab") ]
| dedup extracted_host
| eval my_time=_time
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(my_time)
| rename extracted_host as device_Name, my_time as "Date Posted"
| table "Date Posted" device_group device_Name current_system_version latest_system_version status

host=bradley-lab will come from a token drilldown on a dashboard. If the host is bradley-lab I want it to show all devices with device_group=PRE, and if the host is anything else, I want it to show all devices with device_group=BFV.
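A single-search alternative to the multisearch, added here as an example and not the poster's dashboard code. Both branches in the post filter host="bradley-lab", so the second branch can never return rows; what actually varies with the token is the device_group prefix, and that can be decided with one eval. The rows are constructed inline with makeresults, and selected_host stands in for the dashboard token (in Simple XML the eval would read `| eval selected_host="$host$"`, and the makeresults/rex lines would be replaced by `index=patch sourcetype=device (device_group=PRE* OR device_group=BFV*)`):

```spl
| makeresults
| eval data="bradley-lab;PRE-lab;dev01;1.2.0;1.3.0;pending,bradley-lab;PRE-lab;dev02;1.3.0;1.3.0;current,bradley-lab;BFV-lab;dev03;1.1.0;1.3.0;pending,other-lab;BFV-prod;dev04;1.3.0;1.3.0;current"
| makemv delim="," data
| mvexpand data
| rex field=data "^(?<host>[^;]+);(?<device_group>[^;]+);(?<extracted_host>[^;]+);(?<current_system_version>[^;]+);(?<latest_system_version>[^;]+);(?<status>[^;]+)$"
| fields - data
| eval selected_host="bradley-lab"
| eval wanted_prefix=if(selected_host=="bradley-lab", "PRE", "BFV")
| where substr(device_group, 1, len(wanted_prefix))=wanted_prefix
| dedup extracted_host
| eval date_posted=strftime(_time, "%Y-%m-%d %H:%M:%S")
| rename extracted_host AS device_Name, date_posted AS "Date Posted"
| table "Date Posted" device_group device_Name current_system_version latest_system_version status
```

With selected_host set to bradley-lab the result is dev01 and dev02 (the PRE groups); with any other value it is dev03 and dev04 (the BFV groups). The prefix comparison goes through substr/len rather than a wildcard so that the prefix can come from a field or token without building a regex at search time, and strftime replaces the eval/convert pair from the post with one call.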
.conf may be over, but the opportunities to get together with your fellow Splunk users have only just begun! Check out some upcoming User Group events below, and head to usergroups.splunk.com to see even more! Don't have one happening in your region? Plan one!

Pro Tip: if you see a   symbol, it means it's a virtual or hybrid event that you can join from anywhere!

Düsseldorf - August 7th: Rhineland Splunk User Group Summer Meeting
Get together at COCUS AG. COCUS is an IT Solution & Service Provider and the data lovers will welcome you at the Düsseldorf location close to Seestern! We will start with the latest news of the .conf and continue the evening with an immersive journey about process automation and data-driven insights with Splunk's Process Engine.

Dallas - August 8th: Dallas Area Splunk User Group (DASUG) Choose Your Own Adventure
Best of .conf23, what's new in v9.1.0.1 and/or reviewing some of the funky support cases that we have had lately, some of which have resulted in very deep understanding of edge cases of the way some features and commands in Splunk work.

Sydney - August 10th: Sydney Splunk User Group Meeting
Disappointed you missed out on Taylor Swift tickets? Well don't worry, shake it off, you can still make it to the Splunk User Group! There'll be plenty to talk about following .conf23, so why not do it over a casual drink & pizza!

Perth - August 10th: Splunk Perth User Group August .conf Recap
As Vegas is a long way from Perth, let me bring Vegas to you with a recap of the highlights from our .conf event. Come and meet your local Splunk team, users and partners while sharing some snacks and beverages.

Atlanta - August 15th: ATL Splunk User Group Meeting
The August 2023 Splunk ATL meeting will be a recap of all the Splunk goodness announced at .conf 2023! Come out and join us at Tekstream for lunch and hear all about the latest and greatest news from Splunk! Speaker TBA.

Washington, DC - August 15th: Threat Intelligence into Splunk ES
Recorded Future will demo customer use cases of leveraging intelligence inside of Splunk. The focus will be on enrichment of IOCs, correlation, threat detection and hunting, vulnerability prioritization and alerting.

Toronto - August 16th: Splunk Toronto User Group (STUG) August Meeting
Please join us for the August Splunk Toronto User Group event.

Oslo - August 17th: Oslo Splunk User Group Meeting
We are getting ready for the next Oslo Splunk User Group, hosted by Sena at PlusArena. Enjoy several stories from the real world, and an update from .conf!

Harrisburg - August 21st: Harrisburg Splunk User Group Meeting
Couldn't attend .conf23 this year? Join us as we re-hash the ups, downs, lefts, and rights of .conf23!

Baltimore - August 21st: Baltimore Post-.conf Review
Couldn't attend .conf23 this year? Join us as we re-hash the ups, downs, lefts, and rights of .conf23!

Dresden - August 21st: Summer Meeting of the Splunk UG Dresden
Robotron invites you to the next Dresden Splunk User Group meeting on 22 August 2023.

Milwaukee - August 24th: Best of .conf Live and Local
Join us for an in-person meeting to review the product highlights and new product announcements from this year's .conf, followed by a Happy Hour at Sport Club near our event sponsor Northwestern Mutual's downtown Milwaukee location.

---------

Be sure to check out all the additional events that are happening this month and next here.
Hi Team, I am using the below query to get my total closing balance:

index="abc*" sourcetype=600000304_gg_abs_ipc2 " AssociationProcessor - compareTransformStatsData : statisticData: StatisticData" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log"
| rex " AssociationProcessor - compareTransformStatsData : statisticData: StatisticData totalClosingBal=(?<totalClosingBal>\S+)"
| table _time totalClosingBal
| sort _time

I am getting the current result as below: 7.71727634934E10. I want this E10 to be in actual numbers, which can be done by the below logic: 7.71727634934 × 10^10. Can someone guide me on how I can do this in a Splunk query?
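An added example (not the poster's search) of turning the scientific-notation string into a plain number at search time. The log line is constructed inline with makeresults and only mimics the format quoted in the post; the capture group accepts an optional sign, decimals and an exponent, because a group with nothing inside it, as in the original rex, matches the empty string and extracts nothing:

```spl
| makeresults
| eval _raw="2023-08-01 10:00:01.123 INFO  AssociationProcessor - compareTransformStatsData : statisticData: StatisticData totalClosingBal=7.71727634934E10"
| rex "totalClosingBal=(?<totalClosingBal>-?\d+(?:\.\d+)?(?:[Ee][+-]?\d+)?)"
| eval closingBalNum=tonumber(totalClosingBal)
| eval closingBal=printf("%.2f", closingBalNum)
| eval closingBalPretty=tostring(closingBalNum, "commas")
| table _time totalClosingBal closingBal closingBalPretty
```

tonumber() already understands the E10 exponent, so closingBalNum is 77172763493.4 and can be summed or charted directly; the two formatted fields exist only for display, closingBal as 77172763493.40 and closingBalPretty as 77,172,763,493.40. Keep the numeric field for arithmetic and apply the formatting as the last step, since printf and tostring return strings.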
Ever since we upgraded to Lookup Editor 4.0.1, any KVstore changes made in the app don't save for some reason. It says they do, but they don't. CSV files work normally.
Hi Team, I have created the below query to create a drilldown and show raw logs, but it's not working for me. Can someone please help me with it?

<row>
  <panel>
    <title>Association BalanceStatistics - Send</title>
    <table>
      <search>
        <query>index="abc*" sourcetype=600000304_gg_abs_ipc2 " AssociationProcessor - compareTransformStatsData : statisticData: StatisticData" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log"
| rex " AssociationProcessor - compareTransformStatsData : statisticData: StatisticData totalOutputRecords=(?&lt;totalOutputRecords&gt;[^,]+), totalInputRecords=(?&lt;totalInputRecords&gt;[^,]+),busDt=(?&lt;busDt&gt;[^,]+),fileName=(?&lt;fileName&gt;[^,]+),totalClosingBal=(?&lt;totalClosingBal&gt;\S+)"
| table _time totalOutputRecords totalInputRecords busDt fileName totalClosingBal
| sort _time</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">row</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <drilldown>
        <set token="show_panel">true</set>
        <set token="selected_value1">$click.value1$</set>
      </drilldown>
    </table>
  </panel>
</row>
Hi Team, I am using the below query to show my two fields "InputRecords" and "OutputRecords":

index="abc*" sourcetype="600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log"
| rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>[^,]+), totalOutputRecordsCount=(?<totalOutputRecordsCount>[^,]+),nonFinChargeAccounts=(?<nonFinChargeAccounts>[^,]+),finChargeAccounts=(?<finChargeAccounts>\S+)"
| table _time totalInputRecordsCount totalOutputRecordsCount

I am getting the result as below: I want that on clicking Output records these two fields get displayed, "nonFinChargeAccounts" and "finChargeAccounts":

index="abc*" sourcetype="600000304_gg_abs_ipc2" "Post ASSOCIATION" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log"
| rex " Post ASSOCIATION totalInputRecordsCount=(?<totalInputRecordsCount>[^,]+), totalOutputRecordsCount=(?<totalOutputRecordsCount>[^,]+),nonFinChargeAccounts=(?<nonFinChargeAccounts>[^,]+),finChargeAccounts=(?<finChargeAccounts>\S+)"
| table _time totalInputRecordsCount totalOutputRecordsCount

Can someone guide me with the query?
Hi Team, currently I am using the below query to show duration:

index="abc*" sourcetype=600000304_gg_abs_ipc2
| rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for" endswith="Successfully completed ASSOCIATION process"
| timechart avg(duration) as duration span=1d
| eval duration=tostring(duration, "duration")
| sort _time

I am getting the output as below: I want to see the duration in minutes only. Can someone guide me?
I am trying to dig through some records and trying to get the q (query) from the raw data, but I keep getting data back that includes a backslash after the requested field (mostly as a unicode character representation, \u0026, which is an &). For example, I have this search query to capture the page from which a search is being made (i.e., "location"):

index="xxxx-data"
| regex query="location=([a-zA-Z0-9_]+)+[^&]+"
| rex field=_raw "location=(?<location>[a-zA-Z0-9%-]+).*"
| rex field=_raw "q=(?<q>[a-zA-Z0-9%-_&+/]+).*"
| table location,q

Which mostly works viewing the Statistics tab, except that it occasionally returns the next URL parameter, i.e.:

location     q
home_page    hello+world                                        // this is ok
about_page   goodbye+cruel+world\u0026anotherparam=anotherval   // not ok

The second result should just be goodbye+cruel+world without the following parameter. I have tried adding variations on regex NOT [^\\] for a backslash character, but everything I've tried has either resulted in an error of the final bracket being escaped, or the backslash character ignored, like so (each as rex field=_raw ...):

Regex attempt: "q=(?<q>[a-zA-Z0-9%-_&+/]+[^\\\]).*"
Result: goodbye+cruel+world\u0026param=val

Regex attempt: "q=(?<q>[a-zA-Z0-9%-_&+/]+[^\\]).*"
Result: Error in 'rex' command: Encountered the following error while compiling the regex 'q=(?<q>[a-zA-Z0-9%-_&+/]+[^\]).*': Regex: missing terminating ] for character class.

Regex attempt: "q=(?<q>[a-zA-Z0-9%-_&+/]+[^\]).*"
Result: Error in 'rex' command: Encountered the following error while compiling the regex 'q=(?<q>[a-zA-Z0-9%-_&+/]+[^\]).*': Regex: missing terminating ] for character class.

Regex attempt: "q=(?<q>[a-zA-Z0-9%-_&+/]+[^\\u0026]).*"
Result: Error in 'rex' command: Encountered the following error while compiling the regex 'q=(?<q>[a-zA-Z0-9%-_&+/]+[^\u0026]).*': Regex: PCRE does not support \L, \l, \N{name}, \U, or \u.

Regex attempt: "q=(?<q>[a-zA-Z0-9%-_&+/]+[^u0026]).*"
Result: goodbye+cruel+world\u0026param=val

Regex attempt: "q=(?<q>[a-zA-Z0-9%-_&+/]+[^&]).*"
Result: goodbye+cruel+world\u0026param=val

Regex attempt: "q=(?<q>[a-zA-Z0-9%-_&+/]+).*"
Result: goodbye+cruel+world\u0026param=val

Events tab data is like:

Event
apple: honeycrisp
ball: baseball
car: Ferrari
query: param1=val1&param2=val2&param3=val3&q=goodbye+cruel+world&param=val
status: 200
... etc ...

SO, how can I get the q value to return just the first parameter, ignoring anything that has a \ or & before it and terminating just at q? And please, if you would be so kind, include an explanation of why what you suggest works? Thanks
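An added example, not the poster's search, that isolates the two things going wrong in the character class above and shows a class that stops where the value ends. The events are constructed inline with makeresults in the shape quoted in the post; the location and q field names are from the post, the third event is mine to show a q= that is preceded by whitespace rather than an ampersand:

```spl
| makeresults
| eval data="apple: honeycrisp query: location=home_page&q=hello+world&param=val status: 200|apple: honeycrisp query: location=about_page&q=goodbye+cruel+world\\u0026anotherparam=anotherval status: 200|query: q=first&location=search_page status: 200"
| makemv delim="|" data
| mvexpand data
| eval _raw=data
| fields - data
| rex field=_raw "location=(?<location>[\w%-]+)"
| rex field=_raw "(?:^|[?&\s])q=(?<q>[\w%+.~*-]+)"
| table location q
```

Why the original runs past the value: inside a character class, `%-_` is not three characters but a range from % (0x25) to _ (0x5F), which contains `&`, `\`, the digits and every uppercase letter, and `&` is then listed a second time explicitly, so `\u0026anotherparam=anotherval` is entirely inside the class and the `+` keeps consuming. The class in the example is an allowlist of what application/x-www-form-urlencoded values can contain (word characters, `%` for percent escapes, `+` for spaces, and `.`, `~`, `*`, `-` as the unreserved punctuation), with `-` placed last so it is literal; neither `&` nor `\` is in it, so the match ends at the first of either and the three events yield hello+world, goodbye+cruel+world and first. The `(?:^|[?&\s])` in front stops `q=` from matching inside a longer name such as freq=. If you prefer the negated form, the search string has to be `[^&\\\\]+`: Splunk unescapes `\\` to `\` before PCRE ever sees the pattern, which is exactly why the attempt with `[^\\]` reached PCRE as `[^\]` and failed with "missing terminating ]".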
I need to create a dashboard that will compare 2 sets of data from different times, so I need to bypass the time picker. I realize that I may do this by including an earliest=x latest=y statement in my search. What I am trying to do is combine an absolute date with a relative statement. The reason is that the absolute date in each of the two charts needs to be a variable from a button on the dashboard; in the example I am trying to build, this is a deployment date. I want to search x number (another variable) of days before and after that deployment date. For example:

index=my_index source=my_source earliest=07/19/2023:00:00:00 latest=07/19/2023:23:59:59

In this example the deployment date is the 19th of July. How would I write this to be 07/19/2023:23:59:59 +/- x days, so that I can make both the absolute date itself and the number of days variables tied to dropdown buttons in the dashboard?
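One way to build that window, added here as an example rather than the poster's dashboard code: a makeresults subsearch converts the deployment date and the day count into epoch values and return injects them as earliest/latest terms into the outer search, so the time picker is bypassed while the indexers still prune buckets by time. index=my_index and source=my_source are from the post; deploy_date, days_around and the closing timechart are mine, and the two literals stand in for dashboard tokens:

```spl
index=my_index source=my_source
    [ | makeresults
      | eval deploy_date="07/19/2023", days_around=3
      | eval deploy_day=relative_time(strptime(deploy_date, "%m/%d/%Y"), "@d")
      | eval earliest=floor(deploy_day - days_around*86400)
      | eval latest=floor(deploy_day + (days_around+1)*86400)
      | return earliest latest ]
| timechart span=1d count
```

In Simple XML the first eval becomes `| eval deploy_date="$deploy_date$", days_around=$days$`. The `@d` snaps the parsed date to local midnight, and latest is the midnight after the last day rather than 23:59:59, so no second is lost at the boundary; with days_around=3 the window runs from 16 July 00:00 to 23 July 00:00 exclusive. To check what the subsearch produces before wiring it in, run it on its own with `| table deploy_date earliest latest` and wrap the two epochs in strftime. The 86400 arithmetic ignores a DST change inside the window; where that matters, substitute the token directly into a relative-time string, `relative_time(deploy_day, "-$days$d@d")`, which Splunk evaluates after token substitution.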
Hi All, I have got logs as below:

Log1: Tue Aug 1 12:15:03 EDT 2023 10G 6.4G 64% /var
Log2: Tue Aug 1 12:15:03 EDT 2023 20G 5.9G 30% /opt
Log3: Tue Aug 1 12:15:02 EDT 2023 11G 7.2G 66% /uam
Log4: Tue Aug 1 12:15:02 EDT 2023 11G 7.2G 85% /mqr

Using the below query, I created a pie chart for my dashboard:

****
| rex field=_raw "(?ms)]\|(?P<host>\w+\-\w+)\|"
| rex field=_raw "(?ms)]\|(?P<host>\w+)\|"
| rex field=_raw "\]\,(?P<host>[^\,]+)\,"
| rex field=_raw "\]\|(?P<host>[^\|]+)\|"
| rex field=_raw "(?ms)\|(?P<File_System>(\/\w+){1,5})\|"
| rex field=_raw "(?ms)\|(?P<Disk_Usage>\d+)"
| rex field=_raw "(?ms)\s(?<Disk_Usage>\d+)%"
| rex field=_raw "(?ms)\%\s(?<File_System>\/\w+)"
| regex _raw!="^\d+(\.\d+){0,2}\w"
| regex _raw!="/apps/tibco/datastore"
| rex field=_raw "(?P<Time>\w+\s\w+\s\d+\s\d+\:\d+\:\d+\s\w+\s\d+)\s\d"
| rex field=_raw "\[(?P<Time>\w+\s\w+\s\d+\s\d+\:\d+\:\d+\s\w+\s\d+)\]"
| rex field=_raw "(?ms)\d\s(?<Total>\d+(\.\d+){0,2})\w\s\d"
| rex field=_raw "(?ms)G\s(?<Used>\d+(\.\d+){0,2})\w\s\d"
| eval Available=(Total-Used)
| lookup Environment_List.csv "host"
| search Environment="UAT"
| eval UAT=if(Disk_Usage <= 79, "Below80%", "Above80%")
| stats count by UAT

I have 3 other environments (SIIT, DIT, DIT2), for which I created pie charts using the above query and changing the environment name. Now I have got 4 pie charts in 4 separate panels in the dashboard. I need to get all 4 pie charts in one panel and want to create a drilldown from that panel (something like shown in the attachment). Please help me modify the query to get all the pie charts in one panel in the dashboard. Your kind consideration is highly appreciated! Thank you!
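An added example, not the poster's query, of keeping Environment as a dimension instead of filtering it out, so that one chart carries all four environments and a click on it identifies both the environment and the usage bucket. The df-style lines are constructed inline to match the format in the post, one rex extracts all five fields from that format, and because the Environment_List.csv lookup is not available here the host-to-environment mapping is a case() on a hostname prefix that I made up:

```spl
| makeresults
| eval data="uat-app01|Tue Aug 1 12:15:03 EDT 2023 10G 6.4G 64% /var,uat-app01|Tue Aug 1 12:15:03 EDT 2023 20G 5.9G 30% /opt,siit-db01|Tue Aug 1 12:15:02 EDT 2023 11G 7.2G 66% /uam,dit-app02|Tue Aug 1 12:15:02 EDT 2023 11G 7.2G 85% /mqr,dit2-web01|Tue Aug 1 12:15:02 EDT 2023 50G 48G 96% /var"
| makemv delim="," data
| mvexpand data
| rex field=data "^(?<host>[^|]+)\|(?<line>.*)$"
| rex field=line "^(?<Time>\w{3} \w{3} \d+ \d+:\d+:\d+ \w+ \d{4})\s+(?<Total>[\d.]+)G\s+(?<Used>[\d.]+)G\s+(?<Disk_Usage>\d+)%\s+(?<File_System>\S+)$"
| fields - data line
| eval Environment=case(match(host, "^uat-"), "UAT",
                        match(host, "^siit-"), "SIIT",
                        match(host, "^dit2-"), "DIT2",
                        match(host, "^dit-"), "DIT",
                        true(), "unknown")
| eval Available=Total-Used
| eval Usage_Bucket=if(Disk_Usage <= 79, "Below80%", "Above80%")
| chart count over Environment by Usage_Bucket
| fillnull value=0
```

With the sample lines this gives UAT Below80%=2, SIIT Below80%=1, DIT Above80%=1 and DIT2 Above80%=1 (absent cells filled with 0), which renders as one stacked bar chart, or as four small charts in a single panel with the trellis layout split on Environment. In the real query the case() is replaced by the existing `| lookup Environment_List.csv host`, and the `| search Environment="UAT"` line is simply dropped. In a chart drilldown `$click.value$` then carries the Environment and `$click.name2$` the Usage_Bucket that was clicked, which is enough to drive a detail panel. The order of the case() branches matters: `^dit2-` is tested before `^dit-` because the shorter prefix would otherwise claim the DIT2 hosts.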
Hi everyone, I have a problem with one process on a server that I can't graph. The process is in Java and I can see it on the machine: I need to create a dashboard to see the behavior and set up alarms for specific thresholds, but when I want to capture the information using the full path, the metric is always empty: The process is running all the time. What could be the error, or how can I graph it?

^ Post edited by @Ryan.Paredez for minor formatting
Can someone please tell me exactly what AppDynamics classes as a "call" in the "calls per minute" section of the metric browser? This is for Java app agent metrics. Screenshot attached.
After fixing filters on some fields that don't exist in all the events, I tried to apply these filters on the graphs, and the problem here is that when Splunk reads the search string of a graph, it gets only the events where the fields exist and it excludes the other events. As a result, all the statistics and the graphs are wrong! Does anyone have a solution, please? Thanks in advance.
Hello - as of 7/29/2023 I have been unable to play Splunk e-learning (with labs) videos. I can go to the specific page but the videos will not load. I even re-enrolled, and when I opened the same page no videos loaded and it "auto-completed" that part of the module. Labs appear to have a similar issue as well. The quiz seems to work when I load it. Does anyone know if the Education platform is having an issue? Am I doing something wrong? It all worked fine when I last accessed it a week or two before. Thank you - screenshots attached.
Hey Splunk community, I've been getting turned around in the docs, as some things are meant for folks running a single instance and others are meant for a distributed environment. I'm currently running an environment with the following:

                Search Head (Windows Server 2019)                                  Indexer 1 (CentOS Stream 9)   Indexer 2 (CentOS Stream 9)   Indexer 3 (CentOS Stream 9)
CPU             48 cores                                                           24 cores                      24 cores                      24 cores
Disk Space      4 TB                                                               500 GB (expandable)           500 GB (expandable)           500 GB (expandable)
Roles           Deployment Server, Cluster Manager, License Manager, Search Head   Indexer                       Indexer                       Indexer

I have a Syslog server running syslog-ng (that won't start the service, but that's for another post). Now to the main part of the post: I am principally trying to do two things right now. I have forwarders installed on my file servers and one of my domain controllers. The thing is, the documentation is not clear on what route I need to take to ingest file data and AD data. Do I utilize a deployed app to my forwarders that will "automagically" ingest the data I am looking for, or create an inputs.conf file to monitor the events I am looking for? Specifically file reads, modifications and related data. I would also like to monitor my AD for logins and administration data. Any help would be appreciated.