Hi, is it possible to set an alert for individual pod restart counts? I have set up an alert by choosing the metric HardwareResources|Cluster|Pod restarts. It calculates, on a cluster basis, the total number of pod restarts. But it does not help much; it would be good if we could get pod-specific alerts. Has anyone tried doing it?
Hi, in Splunk Dashboard Studio, how can one overlay a trend graph onto a bar chart? I only see the following options for my graph and nothing pertaining to adding an overlay. Can you please help? Thanks!
I would like to add an outliers chart from the Machine Learning visualizations to my Splunk dashboard. The visualization itself is not available in Dashboard Studio, and I can't find any documentation for it. Running my query in the search tab works fine because it detects automatically which visualization I want to use. My query:

index=xxx sourceServiceName="xxx" cn1="xxx" | bucket _time span=1h | stats count by _time | sort - count | eventstats median("count") as median | eval absDev=(abs('count'-median)) | eventstats median(absDev) as medianAbsDev | eval lowerBound=(median-medianAbsDev*exact(8)), upperBound=(median+medianAbsDev*exact(8)) | eval isOutlier=if('count' < lowerBound OR 'count' > upperBound, 1, 0) | fields _time, "count", lowerBound, upperBound, isOutlier, *

I tried replacing fields with "table", but that didn't fix it. Any help is appreciated.
Hi, I am writing the implementation document for Splunk on Nutanix. I am thinking about backup for disaster recovery, data on the Nutanix object store (so SmartStore), and the fact that the Nutanix object store is WORM. I would like the deployment to be protected against ransomware attacks. Putting all the data in a backup is not possible because the size is too big and it changes too fast. I see that the Nutanix object store is WORM, so data could not be altered by ransomware.. so far so good. But what about the data on the indexers in the cache itself? The hot data is not protected with WORM; I think that's the way it works (there must be some downside somewhere). But the warm data in the cache? Suppose there is a ransomware attack.. it would like to change the object store but fails. But it will (I think) change the "warm" data in the cache on the indexers. There is now a difference between two copies of the same file (in cache and in the object store). And possibly even between the different indexers... What will splunkd do? Is it the way I describe it above? Please give me your opinion. Greetz, Jari
Hi, I'm trying to assign a list from a nested JSON event

{
  "timestamp": "2023-06-14T18:03:57.047201+00:00",
  . .
  "records": [
    { "type": "A", "value": [] },
    { "type": "AAAA", "value": [] },
    { "type": "CNAME", "value": [] },
    { "type": "NS", "value": [ "ns-0.blah.com", "ns-1.blah.org", "ns-1.blah.co.uk", "ns-1.blah.net" ] }
  ],
  "metadata": { . . }
}

using this query

index=test | eval records=mvindex('records{}.value{}', mvfind('records{}.type',"NS"))

Instead of getting all 4 entries in the list, I only got one entry (there is no other field similar to 'records', 'value', 'type'):

ns-1.blah.net

Side comparison, to show that a list can be assigned via an eval: when I collapse the nesting (removing the 'records' level) and adjust the query, it reads all 4 values (so it doesn't appear to be a variable 'type' problem).

index=test | eval records='value{}'

{
  "timestamp": "2023-06-14T17:00:00.123073+02:00",
  . .
  "value": [ "ns-0.blah.com", "ns-1.blah.co.uk", "ns-1.blah.net", "ns-1.blah.org" ],
  . .
}

ns-0.blah.com
ns-1.blah.co.uk
ns-1.blah.net
ns-1.blah.org
Hello, I was wondering whether AppDynamics RUM can be installed on premises, or whether it is SaaS/cloud-based only? And when we monitor real users, could we capture the users' IPs?
Hi, I'm trying to set a source type for CSV files that contain headers, and the fields are extracted fine. The problem is that the data is extracted both as fields named after the headers and as indexed fields like field1, field2, etc. My question is: is it possible to extract only the fields named after the headers and not the fields field1, field2? Thanks!
Hi, I have some data that needs to be deduplicated. I got some data from two databases and saved it in different indexes. I use the following SPL to merge the data:

index="data1" sourcetype="data1" | append [search index="data2" sourcetype="data2"] |rename data1DATA as 1data |eval dataall=coalesce(1data,2data) |table dataall sourcetype

and I got results like this:

dataall  sourcetype
-------  ----------
abc,1    data1
abc,1    data2
def,2    data1
abc,3    data2

Now I need to compare the data and exclude the duplicate data. The result should look like the following:

dataall  sourcetype
-------  ----------
def,2    data1
dbc,3    data2

Any suggestions? Greetings and thanks!
Can someone please help me with the configuration of the Splunk DB connection? I receive "failed to restart task server".
I'm new to Splunk and I'm asking for help. I will give an example below. If event_id or orig_event_id are the same, count them. I want to look up the event_id for the case where the count is not 3. Therefore, in this case, the count of event_id 7 is 2, not 3, so 7 should be the lookup result. Could you possibly help me?

[data table]
index  type  event_id  orig_event_id
A      a     1
A      b               1
B      c               1
A      a     3
A      b               3
B      c     3
A      a               5
A      b     5
B      c               5
A      a               7
A      b     7

[result]
index  type  event_id  orig_event_id
A      a               7
A      b     7
I want to go into Splunk Web and monitor the USBSTOR key in Windows 10. I am selecting "New Registry Monitoring", then when I browse to the hive or key I want to monitor (USBSTOR) it isn't listed as a choice. It resides at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR. The value that I am interested in is changes to the "Start" value. Can someone point me to how I can enable monitoring of this in Splunk Web? Thanks, Marty
Hello community, I am looking for a regex to keep the highlighted parts of the raw log below and remove the rest using SEDCMD:

c-ip=XXX.XXX.XXX.XXX rs-Content-Type="application/javascript" cs-auth-groups="xxxxxx\ROLE.STD.MSTeams" cs-bytes=888 cs-categories="Technology/Internet;NetSkope_XXX" cs-host=xxxxxxxx cs-ip=XXX.XXX.XXX.XXX cs-method=GET cs-uri-port=443 cs-uri-scheme=https cs-User-Agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.6.00.12455 Chrome/ XXX.XXX.XXX.XXX Electron/XX.1.8 Safari/5XX.3X" cs-username=XXXX dnslookup-time=0 duration=0 rs-status=200 rs-version=HTTP/1.1 s-action=TCP_HIT s-ip=XXX.XXX.XXX.XXX service.name="XXXXX HTTP" service.group="Standard" s-supplier-ip=XXX.XXX.XXX.XXX s-supplier-name=XXX.XXX.XXX.XXX sc-bytes=1XXX711 sc-filter-result=OBSERVED sc-status=200 time-taken=31 c-url="/xxxxxxxx.net/midgard/versionless/livepersonacardstrings_f8axxxad2fc4867bf1300xxxx06c7057c23.js" cs-Referer="httpsxxx.com/" cs-auth-groups="ccccccc\ROLE.STD.MSTeams" cs-headerlength=667 cs-threat-risk=2 r-ip=XXX.XXX.XXX.XXX s-connect-type=Unknown s-icap-status=ICAP_NOT_SCANNED s-sitename=https.forward-proxy s-source-port=0 s-supplier-country="None" sr-Accept-Encoding=gzip,%20deflate,%20br,%20identity x-auth-credential-type=NTLM x-cookie-date=Thu,%2015-Jun-23%2009:15:15%20GMT x-cs-connection-negotiated-cipher=XXXX_256_GCM_SHA384 x-cs-connection-negotiated-cipher-size=256 x-cs-connection-negotiated-ssl-version=TLSv1.3 x-cs-Referer-uri=https://teams.microsoft.com/ x-cs-Referer-uri-address=XXX.XXX.XXX.XXX x-cs-Referer-uri-host=teams.microsoft.com x-cs-Referer-uri-hostname=teams.microsoft.com x-cs-Referer-uri-port=XXX x-cs-Referer-uri-scheme=https x-cs-Referer-uri-stem=https://teams.microsoft.com/ x-exception-sourceline=0 x-rs-certificate-hostnamexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxertificate-observed-errors=none x-rs-certificate-xxxxxxxxxxxxxxxnet" x-rs-certificate-validate-status=CERT_VALID
x-rs-connection-negotiated-cipher=TLS_AES_256_GCM_SHA384 x-rs-connection-negotiated-cipher-size=256 x-rs-connection-negotiated-ssl-version=TLSv1.3 cs-uri-extension=js cs-uri-path=/midgard/versionless/livepersonacardstrings_f8aa070xxxxxxxxx4867bf13000eac47f306c7057c23.js c-uri-pathquery=/midgard/versionless/livepersonacardstrings_f8aa070ad2fc4867bf1300xxxxxxxxxxxc7057c23.js

Thank you!
Hi, following this ticket: https://community.splunk.com/t5/Splunk-Search/Join-all-objects-with-specific-object-within-the-same-file/m-p/645000/highlight/false#M223372 I have a JSON file (key-value structure). I need to create a source type in the Splunk Enterprise web interface (I don't have access to the config files). Each file includes one array called Payloads and a metadata header. Payloads includes events; each event has a Header and a Payload. I need to parse the JSON so that each row represents one event and the metadata fields are added to each row (the metadata field values are the same for all events in one file). Example JSON:

{
  "MetaData": { "HostName": "host name" },
  "Payloads": [
    {
      "Header": { "Type": "Event 1", "Name": "event name 1", "TimeStamp": 133299573877857753 },
      "Payload": { "Scan Start Timestamp": 133299573845207001, "Scan Complete Timestamp": 133299573877857728 }
    },
    {
      "Header": { "Type": "Event 2", "Name": "event name 2", "TimeStamp": 133207765527670215 },
      "Payload": {
        "MAC Address": "A7",
        "Information": { "APM": "blabla" },
        "CT": "bla",
        "LInformation": [ { "ID": 1 } ],
        "CE Parameters": { "AR Timestamp": 133207765527630372, "AsR Frame": [ 0, 0, 48, 0, 74, 0 ] }
      }
    }
  ]
}

Which definitions should I use in "edit source type"? Thanks
Hey all, the PAN-OS traffic log includes a log field 'flags'. 'Flags' is a 32-bit field that provides details on the session. This field can be decoded with a bitwise AND operation. E.g. you have to bitwise AND the value 0x01000000 with the logged value to know whether an SSL session was decrypted. I guess that I have to convert the logged hexadecimal value to decimal. That is no problem. But the bitwise operation requires converting the value to a binary value, and here I'm stuck. I don't manage to convert the value to binary for each event of the traffic logs. That's why I don't get to the point where I can bitwise AND the logged value with a value from the list provided by Palo Alto Networks. Does anyone have an idea how to make a bitwise AND operation over a high number of events in Splunk?
Hi Splunkers, I'm asking for help with a Splunk query. I have a CSV file with some numbers between 101 and 999; I need to write a Splunk query that provides 10 numbers that are not in the CSV. For example, the CSV has 198,101,145,223.555,336,987,135,573 and my Splunk query now needs to suggest 10 numbers which are not in the CSV. Thank you in advance.
Hey all, does anyone know why this isn't working (I'm a new Splunk user)? I'm trying to show the errorMessageFilter, errorCode and errorAlertValue from the CSV file in the table.

CSV file:
errorMessage,errorMessageFilter,errorCode,errorAlertValue
Test1,Value1,1,10
Test2,Value2,2,10
Test3,Value3,3,100
Test4,Value4,5,100
Test5,Value5,5,100

And this is my query so far:

index = index1 cf_app_name = app1 [ | inputlookup critical_errors.csv | table errorMessageFilter | rename errorMessageFilter as msg | format ] AND NOT NULL | lookup critical_errors.csv errorMessageFilter OUTPUT errorCode, errorAlertValue | eval time = strftime(timestamp/1000000000,"%a %b %d, %Y, %T") | table time, cf_space_name, cf_app_name, msg, errorCode, errorAlertValue

Everything in the table results shows fine, with the exception of errorCode and errorAlertValue. These two are empty.
The customer has requested that 13 months of data be available. Searchable data is available for 90 days. Due to some storage issues, we are not able to archive 13 months of data. So, is it possible to store 12 months of data in DDAA and 1 month of data in DDSS? If yes, kindly let me know the steps for configuring it.
index="myIndex" app_name="myappName"  My.Message = "*failed to retrieve the workOrder*" | rex "Order (?<Order>[^\s]+)" | stats count BY Order | addcoltotals count | rename Order AS "Order#", count AS "# of times failed"

On the Events tab, My.Message returns:

Order 1AB5 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 1MB1 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 2MB5 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 2MB6 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 1MB1 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 1MB7 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 1MB9 failed to retrieve the workOrder. Error DataBase mapping incorrect.

On the Statistics tab I see the values below under Order#:

(1AB5,
(1MB1,
(2MB6,
1MB7
1MB9

How do I remove the "(" and ","? Thanks
Hello, do you have any recommendations on how to proceed with the installation of the AWS Add-on in Splunk? Does the REST API call from the AWS Add-on need an authentication token? Thank you so much for your support in advance.
Hello. I have a search over different files. In my table I have a field EDZ_000. In another CSV file, I have a list with the fields EDZ_000 to EDZ_XXX. I need to match these fields to get another column. How do I do that? Unfortunately, I can't show the source code.