Hello Team, could you please suggest how to create an overlapping graph which compares this week's data with the previous week's data, excluding weekends? Any help is very much appreciated. My base search is very simple:
index=my index source=/.log '#search string#' | timechart span=1h count(_raw) by host
Please help me create a regex to extract the region (us-west-2) from the AWS ARN below:
arn:aws:secretsmanager:us-west-2:1111111111:secret:/rds-oracle/xxxx-xx17sd-xxxxxx-xxx67xxx7gd7133/TEST-01TEST
I have used a savedsearch query as:
| savedsearch REPORT1 | stats list(COLUMN8) AS COLUMN 8 list(COLUMN 9) AS COLUMN 9 list(COLUMN 10) AS COLUMN 10 BY COLUMN1 COLUMN2 COLUMN3 COLUMN4 COLUMN5 COLUMN6 COLUMN7
and I got something like this (fig 1). But I wanted this to be shown in the below format (fig 2). I could only get the last 6 columns by using the chart command, like:
chart values(COLUMN8) AS Status OVER COLUMN 9 BY COLUMN 10
By using this chart command I could get this (fig 3). But I want this all together, like in (fig 2). Is there any other way I can change my search query to get this format? Does Splunk support combining both the chart and stats commands?
I just want to ask what happens if we apply the same license on different nodes of a distributed environment. For example, I installed a Splunk Enterprise license on the License Manager, which is now also working as a search head. But the same license from the LM is installed on another search head or indexer in the same environment. Then what happens regarding this?
Hi All, I want to extract a few fields available in the source path. For example, the source path is:
/apps/stats/domain/miccep3_mic_ce_sit/4.1/tra/domain/miccep3_mic_ce_sit/application/logs/Host_MediationServices_STE4_0-1-HOST_MediationServices_4_Host_MediationServices_CSAWC.log
Here I want to capture the below 3 details:
1. From the "/apps/stats/domain/miccep3_mic_ce_sit" part, capture "miccep3_mic_ce_sit" as "Domain_Name"
2. Capture the "/apps/stats/domain/miccep3_mic_ce_sit/4.1/tra/domain/miccep3_mic_ce_sit/application/" part of the source path as "Application_Path"
3. After the /logs directory in the path, capture the part "Host_MediationServices_STE4_0-1" as "Application_Name"
Please help create a query to capture the above fields from the source path. Your kind help is highly appreciated. Thank you!
Hi All, hope you are doing well. I have been working on a small project (Thirukkural / "kural"; it is a collection of 1330 two-line songs in the Tamil language, one of the most famous literary works in Tamil. Please note, the Bible is the most translated book in the whole world and the Kural is the second most translated book). I would like to ingest this Kural into Splunk. That is done easily. Then I wanted to do some basic "sentiment analysis" on the Kural; that is done as well (if you are free, please check this 4-minute video of this task on YouTube). Thanks to @yannK; his SPL worked perfectly, I got it from this page.
Now I would like to search with Tamil words. A regular search is working fine. For example, I can search:
source="fulltamil.txt" host="laptop" index="thirukkural" sourcetype="thirukkural" செயல்
The rex search I have been thinking of:
source="fulltamil.txt" host="laptop" index="thirukkural" sourcetype="thirukkural" | regex _raw="செயல்$"
Now I would like to search for a song which starts or ends with a particular word. The rex/regex search is not working fine. Please suggest, thanks.
Hello, we currently have multiple IIS servers with multiple websites, and our goal is to set up a dashboard "overview" panel with a list of the following in a table format:
- server names with IP addresses
- websites installed on the servers
- status of the website (up or down)
- app pool used by the website and its status (running or not)
- IIS bindings for each website
We have installed the Splunk Windows IIS add-on and data is being imported into the index using the ms:iis:auto sourcetype. I am struggling to find information on how best to set up the panel and what the best search query or approach is for something like this. Any advice or information on best approaches would be appreciated, at least to get us started, in order to learn how best to proceed. Thank you
I have enabled eventgen and it does generate, but I keep hitting the same issue when it tries to parse a sample log with "":
time="2023-06-08T23:02:21Z" level=info msg="Parsing configuration for sample: ActiveDirectoryLab.sample"
time="2023-06-08T23:02:21Z" level=info msg="Parsing configuration for sample: apache_access_demo.csv"
time="2023-06-08T23:02:21Z" level=fatal msg="Failed to read csv sample file: parse error on line 2, column 40: bare \" in non-quoted-field"
Any suggestions on what I am doing wrong would be appreciated.
I want to use the below events to generate a graph with an X axis of time (with units in days) and a Y axis of num_occurrences, which would be the sum of the occurrences of that unique identifier (1501358-my_event_1, 1234567-other_event_1, etc.). I would appreciate it if answers could provide some information about what is happening. I've spent several days trying to figure this out, and one of my biggest issues is that answers are often just a query with no explanation of what any of it does. The events would generate 3 series:
Series: 1501358-my_event_1
(6/8/23, 18)
(6/9/23, 5)
Series: 1501358-my_event_2
(6/8/23, 3)
(6/9/23, 0)
Series: 1234567-other_event_1
(6/8/23, 0)
(6/9/23, 7)
There could be a lot of events (100+), so I would like to be able to limit each line chart to X number of series and generate more line charts if necessary. If there is a way to make this a lot simpler by formatting my data differently, please let me know. I have some flexibility with changing the data format. I can't combine the different events, but I can alter how the events are stored.
Events:
{
  time: 6/8/23 10:00:00.213 PM
  ... other information ...
  occurrences: {
    1501358: [
      { event: my_event_1 num_occurrences: 10 }
      { event: my_event_2 num_occurrences: 3 }
    ]
  }
}
{
  time: 6/8/23 6:00:00.213 AM
  ... other information ...
  occurrences: {
    1501358: [
      { event: my_event_1 num_occurrences: 8 }
      { event: my_event_2 num_occurrences: 0 }
    ]
  }
}
{
  time: 6/9/23 11:12:12.123 AM
  ... other information ...
  occurrences: {
    1501358: [
      { event: my_event_1 num_occurrences: 5 }
      { event: my_event_2 num_occurrences: 0 }
    ]
    1234567: [
      { event: other_event_1 num_occurrences: 7 }
    ]
  }
}
Sanity check please re: Splunk indexer remote storage configuration
(1) Our indexers are set up in a clustered environment, and originally frozen buckets were moved to a local external location using coldToFrozenPath.
(2) We are now trying to use a script to have all frozen buckets written to AWS, and the app containing the updated indexes.conf was distributed using the master node. The script to move/freeze buckets to AWS is working, validated again by checking the date/time stamps of the last written files.
(3) However, we are STILL getting "duplicate" buckets being written to the local storage instance, even though everything SHOULD only be written to AWS. When looking at the pertinent indexes in the web GUI, the Frozen Path is still set, even though it has been removed completely from the deployed app's indexes.conf, and this was verified on the indexers in /peer-apps/xxxx/local/indexes.conf. Trying to manually remove the frozen path in the GUI doesn't work: "not allowed in a clustered environment".
(4) When trying to find out the 5 W's, I've noticed that there is an /opt/splunk/etc/system/local/indexes.conf that ALSO exists on each indexer, and this version still uses the Frozen Path to the local storage.
Question: Since the deployed peer-apps indexes.conf with the script does seem to be working correctly, is it (relatively) safe for me to remove the /system/local/indexes.conf?
Here's the beginning of my dashboard:
<form theme="dark">
<label>Test Dashboard</label>
<description></description>
<fieldset submitButton="false"></fieldset>
I'd like to increase the font size of "Test Dashboard". I've tried lots of different methods, but they all result in validation errors.
Is there a way to implement multiple tabs/pages for a single dashboard?
My log message format is like this:
2023-01-01 01:02:40 INFO - Thread-1 com.example.ClassName : this is log A
2023-01-01 01:02:35 INFO - Thread-2 com.example.ClassName : this is log B
2023-01-01 01:02:30 INFO - Thread-3 com.example.ClassName : this is log A
Is it possible to create a query to find the frequency of the same log messages? In this case I would like to get the following output as a table:
this is log A | 2
this is log B | 1
Hello, we have recently started using ITSI and noticed that some false service health degradation alerts are getting generated. When we checked the deep dive, in some cases all the KPIs under the service are green, but the overall health is still shown as yellow and sometimes red. Trying to understand the behavior. Thanks, Ankit
Hello all, starting at the end of next week my team will be doing a POV of Splunk ES as a possible replacement for our current SIEM. We are looking at the cloud with the workload pricing model. I am wondering if anyone can provide any tips or tricks related to doing a POV of ES: the sort of things you feel can be difficult or take time to complete, the monthly care and feeding of the product that you and your team do, and how the workload pricing actually computes in your environment (for example, say you have 100 SVCs and you send in 5 TB a day and do 1,000 searches...). I appreciate any insight anyone can provide. Thank you
Hi, dear Splunkers, I am actually new to Splunk and I need to write a query in order to make a report. From the logs I have to display, for several employees, their first connection time for each day over a period of two weeks and have it in the output. As I see it, the steps would be to take each day, find the time of the earliest event and write it to the output. How would it be best to implement this? Thanks in advance. My draft:
index=<index_name> sourcetype=<source_name> earliest=-14d latest=-13d user@email | sort _time asc | head 1 | table _time, user | eval 25.05=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q") | fields - _time
Hi, I am looking for step-by-step instructions on how I can migrate my current Splunk web app from one EC2 instance to another newly created one. I've tried spinning up an EC2 instance from the old one's AMI image, which wasn't very successful because of the issue with splunkd not being able to run. https://community.splunk.com/t5/Splunk-Enterprise/Splunkd-not-running-after-launching-from-an-AMI-image/m-p/646204#M16525 Please help, and thanks!
Whenever my users try to export search results via the "Action" menu they get the following error message:
<response>
<messages>
<msg type="ERROR">Service Unavailable</msg>
</messages>
</response>
What service is unavailable/not running?
Hello! I've got a search that I'm working on. I've been asked to integrate the results of a lookup table into that search. The major problem is that the lookup file's data, while it shares common fields with the Splunk search, doesn't have the same dataset. The search and the lookup identify two different sets of results. Is there a way to simply add all the data in the lookup to the Splunk search, so that when I run the search I see both data sets?
When installing the ITSI app on a SH, it ships with the ITSI License Checker app. However, I have the ITSI License Checker app installed on my license master. Can I disable it on the Search Head? Also, if I'm not mistaken, the only place to install the ITSI license is on the License Master.