All Topics

We have a dashboard that recently started alerting us about a risky command. We were using the fit command. I followed the docs and added the following line to a newly created commands.conf that I had put in the app's local folder to push:

[fit]
is_risky = false

According to the docs, I assumed that this would just disable the warning for using that command. After I put it into the specified app's local folder, /export/opt/splunk/etc/shcluster/apps/<app-name>/local, I pushed the bundle, and it seems to have put it in the app's default folder on the search heads. But the biggest issue here is that once I pushed that bundle, Splunk no longer recognizes the fit.py file. I tested putting that commands.conf in the app's default folder: same thing. I tested this a few times, and while I'm glad that the bundle pushes are working, I'm a bit confused as to why Splunk no longer recognizes that command even though I'm only using is_risky=false, which should only stop the warning. Any help on this matter would be appreciated. Thank you. And if you could also answer why the local file in the app's directory is pushed to the app's default folder on the search heads, that would be a bonus. Thank you.
Hi guys, I am making a dashboard regarding a leaving employee, which follows his mail traffic. The dashboard is working fine; I want to make it dynamic so everyone else can insert a new employee ID and the dashboard will load the new data. I have tried using the dropdown box, but couldn't make it work as I intended. This is my SPL:

index=****** FromUser="Adam.Levin"
| eval Data=RecipientUser+"@"+RecipientDomain+","+HasAttachments
| eval MegaBytes=round((BytesSent/1024)/1024,2)
| table Data MegaBytes HasAttachments
Hello, can someone please help me with the steps to fix it when one of the search heads in a search head cluster is down? Thanks
Hi, the timestamp of data that is sent via logstash changes when it is stored in a Splunk index. What is the reason?

index="influx2splunk" | spath input=_raw | table time _time @timestamp _raw

time                   _time                 @timestamp
2023-06-15T06:06:55Z   2023-06-15 05:06:55   2023-06-15T01:36:55.000Z
2023-06-15T06:06:55Z                         2023-06-15T01:36:55.000Z

Here is the _raw data received from logstash:

{
  "usage_irq": 0,
  "usage_user": 4.373757455295997,
  "results": {"statement_id": 0},
  "@version": "1",
  "@timestamp": "2023-06-15T01:36:55.000Z",
  "usage_guest": 0,
  "cpu": "cpu20",
  "usage_iowait": 0,
  "usage_softirq": 0.39761431396001656,
  "http_poller_metadata": {
    "input": {
      "http_poller": {
        "response": {
          "status_code": 200,
          "status_message": "OK",
          "headers": {
            "date": "Sat, 17 Jun 2023 06:05:47 GMT",
            "x-influxdb-build": "OSS",
            "x-influxdb-version": "1.7.8",
            "transfer-encoding": "chunked",
            "x-request-id": "00a6ba2f-0cd5-11ee-981b-005056b7dda2",
            "content-type": "application/json",
            "request-id": "00a6ba2f-0cd5-11ee-981b-005056b7dda2"
          },
          "elapsed_time_ns": 797045
        },
        "request": {
          "name": "cpu",
          "original": {
            "url": "https://192.168.1.1:8086/query?pretty=true&db=mydb&q=myquery",
            "headers": {"Authorization": "Token mytoken"},
            "method": "get"
          },
          "retry_count": 0,
          "host": {"hostname": "srv"}
        }
      }
    }
  },
  "usage_idle": 92.04771372774293,
  "usage_system": 3.1809145128373424,
  "usage_steal": 0,
  "time": "2023-06-15T06:06:55Z",
  "name": "cpu",
  "usage_nice": 0,
  "usage_guest_nice": 0
}

logstash config:

filter {
  split { field => "results" }
  split { field => "[results][series]" }
  split { field => "[results][series][values]" }
  mutate { rename => { "[results][series]" => "series" } }
  mutate { rename => { "[series][name]" => "name" } }
  ruby {
    code => 'series = event.get("series"); series["columns"].each_with_index {|val, index| event.set(val, event.get("[series][values][" + index.to_s() + "]"))}'
  }
  date { match => ["time", "yyyy-MM-dd'T'HH:mm:ss:SSS'Z"] target => "_time" }
  prune { blacklist_names => [ "event", "host", "series" ] }
}

Any idea? Thanks
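Two checks worth running before touching props.conf, as an added example that is not the poster's code or Splunk's: does the logstash `date` pattern actually match the `time` value, and which timestamp string sits first in _raw? Splunk's automatic extraction takes the first timestamp it recognises near the start of the event (within MAX_TIMESTAMP_LOOKAHEAD, 128 characters by default) unless TIME_PREFIX and TIME_FORMAT pin it. The +03:30 display offset below is an assumption, used only to show how 2023-06-15T01:36:55Z would render in a user's local timezone; the sample event is a constructed subset of the posted _raw.

```python
"""Check which timestamp a logstash -> Splunk event could have ended up with.

Added example for the question above; not the poster's code or Splunk's.
"""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed subset of the posted _raw; key order matters for the
# "first timestamp wins" check, so it is kept as in the post.
RAW_EVENT = json.dumps({
    "usage_user": 4.37,
    "@version": "1",
    "@timestamp": "2023-06-15T01:36:55.000Z",
    "cpu": "cpu20",
    "time": "2023-06-15T06:06:55Z",
    "name": "cpu",
})

# The Joda pattern from the config, yyyy-MM-dd'T'HH:mm:ss:SSS'Z, written as a
# strptime format: note the literal ':' before milliseconds and the literal Z.
CONFIGURED_FORMAT = "%Y-%m-%dT%H:%M:%S:%fZ"
# Format that matches what the InfluxDB query actually returns in `time`.
MATCHING_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# ISO-8601 shape used to emulate automatic timestamp recognition.
_TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z")


def parses_with(value: str, fmt: str) -> bool:
    """True if `value` matches `fmt`; a False here is what makes the logstash
    date filter tag the event _dateparsefailure and leave `target` unset."""
    try:
        datetime.strptime(value, fmt)
        return True
    except ValueError:
        return False


def first_timestamp(raw: str, lookahead: int = 128) -> Optional[Tuple[str, int]]:
    """(timestamp, offset) of the first ISO timestamp starting within
    `lookahead` characters of the event start, else None. 128 mirrors
    Splunk's default MAX_TIMESTAMP_LOOKAHEAD."""
    m = _TS_RE.search(raw)
    if m is None or m.start() > lookahead:
        return None
    return m.group(0), m.start()


def render_local(ts_utc: str, offset_minutes: int) -> str:
    """Render a Z-suffixed timestamp at a fixed UTC offset, the way a UI
    would for a user whose timezone preference is that offset (assumption)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts_utc else "%Y-%m-%dT%H:%M:%SZ"
    dt = datetime.strptime(ts_utc, fmt).replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone(timedelta(minutes=offset_minutes))).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    t = json.loads(RAW_EVENT)["time"]
    print("configured pattern matches 'time':", parses_with(t, CONFIGURED_FORMAT))
    print("corrected pattern matches 'time': ", parses_with(t, MATCHING_FORMAT))
    print("first timestamp in _raw:", first_timestamp(RAW_EVENT))
    print("@timestamp at +03:30:", render_local("2023-06-15T01:36:55.000Z", 210))
```

If the configured pattern fails here, `_time` was never set by logstash and Splunk chose a timestamp on its own; `@timestamp` precedes `time` in the posted _raw, and 01:36:55Z shown at +03:30 is exactly the 05:06:55 in the table. Separately, the posted _raw carries the InfluxDB token under http_poller_metadata.input.http_poller.request.original.headers.Authorization, and the prune filter only drops event, host and series, so that secret is being indexed; adding that path to the prune list is worth doing regardless of the timestamp question.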
Hi, I'm trying to exclude the service accounts of the users from the below event in Splunk ES.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{549549625-5488-43494-AHGBA-3E353B0328CEDQS0D}'/>
    <EventID>4738</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2023-06-16T16:08:38.166868000Z'/>
    <EventRecordID>668676978</EventRecordID>
    <Correlation/>
    <Execution ProcessID='656' ThreadID='6132'/>
    <Channel>Security</Channel>
    <Computer>swrfkeou09.am.win.cisco.com</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='Dummy'>-</Data>
    <Data Name='TargetUserName'>BP_william_son</Data>
    <Data Name='TargetDomainName'>AM</Data>
    <Data Name='TargetSid'>AM\BP_william_son</Data>
    <Data Name='SubjectUserSid'>EC\EC_OktaGMSER$</Data>
    <Data Name='SubjectUserName'>EC_OktaGMSER$</Data>
    <Data Name='SubjectDomainName'>EC</Data>
    <Data Name='SubjectLogonId'>0x7e3yd92a4</Data>
    <Data Name='PrivilegeList'>-</Data>
    <Data Name='SamAccountName'>-</Data>
    <Data Name='DisplayName'>-</Data>
    <Data Name='UserPrincipalName'>-</Data>
    <Data Name='HomeDirectory'>-</Data>
    <Data Name='HomePath'>-</Data>
    <Data Name='ScriptPath'>-</Data>
    <Data Name='ProfilePath'>-</Data>
    <Data Name='UserWorkstations'>-</Data>
    <Data Name='PasswordLastSet'>%%1794</Data>
    <Data Name='AccountExpires'>-</Data>
    <Data Name='PrimaryGroupId'>-</Data>
    <Data Name='AllowedToDelegateTo'>-</Data>
    <Data Name='OldUacValue'>0x15</Data>
    <Data Name='NewUacValue'>0x10</Data>
    <Data Name='UserAccountControl'> %%2048 %%2050</Data>
    <Data Name='UserParameters'>-</Data>
    <Data Name='SidHistory'>-</Data>
    <Data Name='LogonHours'>-</Data>
  </EventData>
</Event>

Thanks
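The usual rule for "exclude service accounts" on 4738 is to drop events whose SubjectUserName (the actor) ends in `$`, since computer accounts and (group) managed service accounts carry that suffix; in the posted event the actor is EC_OktaGMSER$. In ES that is a `NOT SubjectUserName="*$"` clause in the correlation search. As an added example that is not ES or Splunk code, here is the same rule applied in Python over two constructed events shaped like the posted one, so the filter can be checked offline; the hostnames and the second event's account names are invented.

```python
"""Filter Windows 4738 (user account changed) events so that changes made by
service/machine accounts are excluded. Added example; not Splunk/ES code."""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one Windows event into {field: value}: EventID and Computer
    from <System>, plus every <Data Name=...> under <EventData>."""
    root = ET.fromstring(xml_text)
    fields = {
        "EventID": root.findtext("e:System/e:EventID", default="", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name", "")] = (data.text or "").strip()
    return fields


def is_service_account(sam_name: str) -> bool:
    """Computer accounts and MSA/gMSA accounts have a trailing '$' in their
    SAM account name."""
    return sam_name.endswith("$")


def human_initiated_changes(events: List[str]) -> List[Dict[str, str]]:
    """Keep 4738 events whose *subject* (the actor) is not a service account.
    TargetUserName is deliberately left alone: a person disabling or
    modifying a service account is still a change worth seeing."""
    kept = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if ev.get("EventID") != "4738":
            continue
        if is_service_account(ev.get("SubjectUserName", "")):
            continue
        kept.append(ev)
    return kept


def _event(subject: str, target: str) -> str:
    """Constructed 4738 event with the same shape as the one in the post."""
    return f"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4738</EventID>
  <Channel>Security</Channel><Computer>dc01.example.test</Computer></System>
  <EventData>
    <Data Name='TargetUserName'>{target}</Data>
    <Data Name='SubjectUserName'>{subject}</Data>
    <Data Name='OldUacValue'>0x15</Data><Data Name='NewUacValue'>0x10</Data>
  </EventData>
</Event>"""


# Constructed samples: one change made by a gMSA (as in the post), one by a person
# against a service account (kept on purpose).
SAMPLE_EVENTS = [
    _event("EC_OktaGMSER$", "BP_william_son"),
    _event("alice.admin", "svc_backup$"),
]

if __name__ == "__main__":
    for ev in human_initiated_changes(SAMPLE_EVENTS):
        print(ev["Computer"], ev["SubjectUserName"], "changed", ev["TargetUserName"])
```

Filtering on the subject rather than the target is the design choice to carry over into the ES search: excluding `TargetUserName="*$"` as well would hide a human tampering with a service account, which is the case the detection is there for.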
Hello! I am currently trying to dynamically select columns in my output that are generated by an xyseries. I am comparing the difference in columns over a period of time, and I am using as my y_field the dates, which change dynamically depending on the range selected. For example:

2023-06-04    2023-06-11
10            5
15            18

I want to do this without resorting to renaming the columns to something static like "Week 1" and "Week 2", and still be able to eval the two columns to get the mathematical difference. Something like: eval DIFF=datecolumn[1]-datecolumn[0]. Thank you!
I can search through Cisco logs easily enough, and can also sort for logins or failed logins without issue, but since the username isn't actually a field that Splunk seems to parse automatically, I would love to be able to show a bar graph or pie chart of how many logins there were over the past 7 days, sorted by username.
I have 3 panels. Each panel has the same query except the 2nd line, which contains patterns. E.g.

index="index_name" source="input.txt"
some regex pattern line (only this line will be different in all three panels)
table id Action

All remaining lines will be the same in all three panels. How do I create one summary index and implement it as a base search for all three panels?
The app writes log entries to a log file, say /var/theapp/thelogfile.log. The app is configured to roll the log file once it reaches a certain size and to keep only x copies, say 3 copies of 10 MB each. So we eventually end up with three 10 MB files like this:

/var/theapp/thelogfile.log
/var/theapp/thelogfile.log.1
/var/theapp/thelogfile.log.2

The log file gets maybe 400-500 entries per minute. How do I ensure the collector won't miss log entries or duplicate log entries in this scenario? Or are we always at risk of the collector missing the last few log entries that push thelogfile.log over 10 MB, with the writing app rolling the log to thelogfile.log.1 before Splunk has read the final entries? Would making the log files smaller or larger help mitigate the issue? I assume telling Splunk to watch all 3 copies of the log would lead to duplicate entries in Splunk?
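The reason a file monitor can watch all three copies without duplicating is that it does not identify a file by its path. Splunk's monitor input is documented to identify a file by a CRC of its first bytes (initCrcLength, 256 by default) and to remember the read offset per identity in the fishbucket; when thelogfile.log is renamed to thelogfile.log.1 the CRC does not change, so the rotated file is resumed at its saved offset and the remaining tail is read, while the fresh thelogfile.log has a new CRC and starts at 0. The simulation below, an added example and not Splunk's code, implements that scheme and rotates a file three times mid-stream with polls falling before and after each rotation; all paths, the line format and the rotation routine are constructed for the simulation.

```python
"""Simulate a collector that survives size-based log rotation without
missing or duplicating lines. Added example; not Splunk's code."""
import os
import tempfile
import zlib
from typing import Dict, List

CRC_LENGTH = 256  # bytes hashed to identify a file; mirrors initCrcLength


def file_identity(path: str) -> str:
    with open(path, "rb") as f:
        return f"{zlib.crc32(f.read(CRC_LENGTH)):08x}"


class Collector:
    """Tail every file named <base>* in a directory, keyed by file identity."""

    def __init__(self, directory: str, base: str) -> None:
        self.directory, self.base = directory, base
        self.offsets: Dict[str, int] = {}  # identity -> bytes already consumed

    def poll(self) -> List[str]:
        """Return complete lines appended since the last poll, each once."""
        new_lines: List[str] = []
        for name in sorted(os.listdir(self.directory)):
            path = os.path.join(self.directory, name)
            # Skip non-matching names and files still too short to identify
            # safely; they are revisited on the next poll once they have grown.
            if not name.startswith(self.base) or os.path.getsize(path) < CRC_LENGTH:
                continue
            ident = file_identity(path)
            start = self.offsets.get(ident, 0)
            with open(path, "rb") as f:
                f.seek(start)
                chunk = f.read()
            cut = chunk.rfind(b"\n") + 1  # never consume a half-written line
            if cut:
                new_lines.extend(chunk[:cut].decode().splitlines())
                self.offsets[ident] = start + cut
        return new_lines


def rotate(directory: str, base: str, keep: int = 3) -> None:
    """Rotation as the app in the question does it: drop base.(keep-1),
    shift base.N -> base.(N+1), then rename base -> base.1."""
    paths = [os.path.join(directory, base)]
    paths += [os.path.join(directory, f"{base}.{n}") for n in range(1, keep)]
    if os.path.exists(paths[-1]):
        os.remove(paths[-1])
    for i in range(len(paths) - 1, 0, -1):
        if os.path.exists(paths[i - 1]):
            os.replace(paths[i - 1], paths[i])


def simulate(lines_per_file: int = 50, files: int = 3, poll_every: int = 17) -> List[str]:
    """Write `files` generations of `lines_per_file` lines, rotating between
    generations and polling every `poll_every` lines. With 50 and 17 the
    last poll before each rotation leaves an unread tail, which is the case
    the question is about."""
    base, seen, seq = "thelogfile.log", [], 0
    with tempfile.TemporaryDirectory() as d:
        collector = Collector(d, base)
        for generation in range(files):
            if generation:
                rotate(d, base)
            with open(os.path.join(d, base), "ab") as f:
                for _ in range(lines_per_file):
                    f.write(f"2023-06-16T10:00:00 seq={seq:06d} level=INFO request handled\n".encode())
                    seq += 1
                    if seq % poll_every == 0:
                        f.flush()
                        seen.extend(collector.poll())
        seen.extend(collector.poll())
    return seen


def sequence_numbers(lines: List[str]) -> List[int]:
    """Extract seq= values in the order the collector delivered them."""
    return [int(line.split("seq=")[1].split()[0]) for line in lines]


if __name__ == "__main__":
    lines = simulate()
    seqs = sequence_numbers(lines)
    missing = sorted(set(range(150)) - set(seqs))
    print(f"{len(lines)} lines collected, {len(set(seqs))} distinct, missing={missing}")
```

Two caveats follow from the mechanism. Lines are only lost if a rotated copy is deleted before the collector gets to it, so with 3 copies kept and 400-500 lines per minute the file size is not what matters; what matters is that the monitor keeps up and that the oldest copy is not removed by something faster than the collector. And identity by leading bytes fails if two files start with identical content (a fixed banner line, for instance); Splunk's answer to that, crcSalt = <SOURCE>, mixes the path into the CRC, which would make every renamed rotation look like a new file and re-index it, so do not set it on a directory of rotated logs.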
I am trying to create a table where two of the values are within a JSON array. The data in each array entry depends on the "type" field. I can't seem to figure out how to extract the proper JSON using json_extract or spath, so I assume I'm going in the wrong direction. I can't figure out how to say "extract the value of displayName from the array entry where a specific key/value pair matches my criteria". Any help is appreciated.

Example data:

{
  "actor": { "type": "User", "alternateId": "john.smith@example.com" },
  "target": [
    { "type": "User", "alternateId": "jane.doe@example.com", "displayName": "Doe, Jane", "detailEntry": null },
    { "type": "UserGroup", "alternateId": "unknown", "displayName": "Good Employees", "detailEntry": null }
  ],
  "uuid": "58dd3885-0c4a-11ee-9843-938af4d00f2c"
}

Preferred output:

Actor                    Group            User
john.smith@example.com   Good Employees   jane.doe@example.com
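The selection being asked for is "the value of field F from the array element whose sibling key K equals V", which is by key, not by position. In SPL that shape is usually reached by expanding the array (`spath path=target{}`, then `mvexpand`, then `spath` again on the element and a `where` on `type`). As an added example that is not Splunk code, the same selection is written out below in Python so the rule is explicit and testable; the first event is the one from the post, the second is constructed with the array order reversed and two groups to show that order does not matter.

```python
"""Select a field from the JSON array element whose sibling keys match.
Added example; not Splunk code."""
from typing import Any, Dict, List, Optional

POSTED_EVENT: Dict[str, Any] = {
    "actor": {"type": "User", "alternateId": "john.smith@example.com"},
    "target": [
        {"type": "User", "alternateId": "jane.doe@example.com",
         "displayName": "Doe, Jane", "detailEntry": None},
        {"type": "UserGroup", "alternateId": "unknown",
         "displayName": "Good Employees", "detailEntry": None},
    ],
    "uuid": "58dd3885-0c4a-11ee-9843-938af4d00f2c",
}

# Constructed: groups listed first, and more than one of them.
CONSTRUCTED_EVENT: Dict[str, Any] = {
    "actor": {"type": "User", "alternateId": "admin@example.com"},
    "target": [
        {"type": "UserGroup", "alternateId": "unknown", "displayName": "Contractors"},
        {"type": "UserGroup", "alternateId": "unknown", "displayName": "VPN Users"},
        {"type": "User", "alternateId": "bob.lee@example.com", "displayName": "Lee, Bob"},
    ],
    "uuid": "00000000-0000-0000-0000-000000000000",
}


def select_all(entries: List[Dict[str, Any]], field: str, **match: Any) -> List[Any]:
    """Values of `field` from every entry whose keys equal all of `match`."""
    return [e.get(field) for e in entries
            if all(e.get(k) == v for k, v in match.items())]


def select_one(entries: List[Dict[str, Any]], field: str, **match: Any) -> Optional[Any]:
    """First match, or None: not every event of this kind carries every
    target type, and a missing cell is better than a failed row."""
    found = select_all(entries, field, **match)
    return found[0] if found else None


def summarise(event: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Build the Actor / Group / User row the question asks for."""
    targets = event.get("target", [])
    return {
        "Actor": event["actor"]["alternateId"],
        "Group": select_one(targets, "displayName", type="UserGroup"),
        "User": select_one(targets, "alternateId", type="User"),
    }


if __name__ == "__main__":
    for ev in (POSTED_EVENT, CONSTRUCTED_EVENT):
        print(summarise(ev))
    print(select_all(CONSTRUCTED_EVENT["target"], "displayName", type="UserGroup"))
```

When an event can legitimately carry several entries of the same type (a user added to two groups at once), use the list-returning form and render it as a multivalue cell rather than silently keeping the first one.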
Hello, can someone please help me with the Splunk search to find the list of heavy forwarders reporting in, with their IP addresses? Thanks
For example, if there are two search heads and I go to Settings > Searches, reports, and alerts on Search Head 1 and list all the alerts, am I looking at all the alerts in our Splunk environment or only the ones running on this search head? I'm asking because we have so much stuff running that no one is looking at, and I want to start disabling some alerts in order to increase performance. I know that one search head belongs to my group and the other one to another group of Splunk users, so I want to turn off alerts on our search head only and not for everyone. I hope this makes sense, thank you.
Hello, I have a syslog server that collects logs from various hosts (ESXi). The syslog server is currently receiving the logs each day from the hosts and puts them in the "data/ES/" directory. I have splunkforwarder installed on the syslog server, and inside the splunkforwarder I have the ESXi add-on app. Inside the ESXi add-on app I have created an input stanza that monitors the data and sends it to the indexer:

[monitor:///data/ES/]
disabled = false
index = vmware-esxilog
sourcetype = vmw-syslog

The logs stopped being sent to the indexer several days ago. However, my firewall logs are still being sent to the indexer. The firewall logs are sent to the same directory, "/data/fire/", and then on to the index. What am I missing? Thanks
Hi all, good day. We have an event in Splunk for job_name "Test job" that has START_TIME 2023/06/15 23:30:33 and END_TIME 2023/06/16 00:04:09, and we have a static cutoff time for each job, which we have added in lookup data. For the above job the cutoff time is 23:40, but the job crossed the cutoff time even though the day changed. Below is the query I was using to find whether any job exceeds its cutoff time; on account of the day change it should consider the same day. This query is not giving the expected output, please help with it.
Hi, I've upgraded the Splunk App for Lookup File Editing, and now when I try to open a lookup from the lookup editor, this is the message I get: This is the URL of the load balancer: https://<LOADBALANCER>.com/splunk/en-GB/app/lookup_editor/lookup_list But when I hover the mouse over any lookup name or click on it, splunk/en-GB is missing. I don't have this problem when I connect directly to a specific search head. Is there maybe a configuration I need to change? Thank you in advance for any suggestion. Kind regards
Hello team, I need to have the top 10 URLs in order of the maximum average response time taken. Could you please help with that? My base search:

index= host= source=" " | timechart span=1h avg(response_time) by URL

Can we use the limit command to get the top 10 URLs?
Hi all, I have configured and started the Splunk Add-on for VMware v4.0.5 on two heavy forwarders. Unfortunately, port 8008 is not available after restarting the Splunk instance. Every time I get the following entries in splunkd.log:

06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py" Traceback (most recent call last):
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"   File "/opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py", line 26, in <module>
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"     port, service_log_level, access_log_level = get_gateway_config(session_key)
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"   File "/opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py", line 16, in get_gateway_config
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"     stanza = HydraGatewayStanza.from_name("gateway", "SA-Hydra", session_key=session_key)
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"   File "/opt/splunk/etc/apps/SA-Hydra/bin/hydra/models.py", line 610, in from_name
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"     host_path=host_path)
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"   File "/opt/splunk/lib/python3.7/site-packages/splunk/models/base.py", line 552, in get
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"     entity = self._get_entity(id, host_path=host_path)
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"   File "/opt/splunk/etc/apps/SA-Hydra/bin/hydra/models.py", line 339, in _get_entity
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"     splunk.entity.getEntity(self.model.resource, None, sessionKey=self.sessionKey, uri=mid, hostPath=host_path))
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"   File "/opt/splunk/lib/python3.7/site-packages/splunk/entity.py", line 277, in getEntity
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"     serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"   File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 553, in simpleRequest
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py"     raise splunk.AuthenticationFailed
06-16-2023 16:36:51.103 +0200 ERROR ExecProcessor [23751 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Hydra/bin/bootstrap_hydra_gateway.py" splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated

Does someone have any idea how to solve this issue with the authentication failure? Kind regards, Kathrin
Hi forum, we have an issue with UF 9.0.5. When starting or stopping, the filesystem group permissions are changed to the primary group of the technical user running Splunk. When Splunk is started we always see the message:

Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk_tech_user /opt/splunkforwarder"

This does not only chown the user but also the group, to the primary group of the user. Any chance to skip this? Version 8.* does not show this issue. Best regards, Andreas
Hi all, do you know if we can tell from Splunk what encryption protocols are used for NetScaler queries? There is no App Stream add-on configured for this. Is there any way to check NetScaler encryption protocols, such as TLS and SSL versions, with a Splunk search? Index=*vmcnsx IPFIX TLS returns "tls-inspection-certificate-dump.command" as an example in the message. What does this mean?
How do I change the table height to make it static? I have a table and below it there is another table. The height of the table depends on how many rows it displays. I can only adjust rows per page, but it does not look good because it shrinks and expands. I want to make it a static height that fits the maximum number of rows that I set, so it doesn't shrink and expand. Please help. Thanks