Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I've been using the Splunk Add-on for Google Cloud Platform for over a year now in my Splunk Cloud deployment. When I took over management of this Splunk instance, we had several existing pub/sub inputs. I've set up a few more myself in the past year and haven't had any issues with them; they continue to deliver data without any interruptions.

Recently, I added credentials for a new service account and went to add a new pub/sub input using these credentials. I can select the credentials and the correct project from the dropdowns in the Splunk web UI for the app, but when I try to select the pub/sub subscription I get no results. Even entering the full name of the subscription, I still have no options to select, and it will not let me proceed with the subscription name simply typed in; it needs to be selected from the results that are supposed to appear after selecting the account and project.

I was curious, so I tried recreating some of the existing pub/sub inputs we have set up that are currently functioning. I had the same results with those: it seems I am not able to re-create the existing inputs using the service account credentials we have used in the past.

This is a production project in GCP, and I don't have view or write access to everything, so I decided to switch to a sandbox project that I own to do some testing. From that project, I am able to use a service account with the same role bindings without issue. I can add the credentials to the Splunk Add-on for Google Cloud Platform, and when I go to create a pub/sub input, the subscriptions populate in the dropdown.

I am a bit at a loss as to how to further troubleshoot this. I would expect that if something had changed with the service account permission requirements in either GCP or Splunk, the existing inputs would cease to function, but I am only running into issues with creating new inputs currently.

Unfortunately, as this is a Splunk Cloud deployment, I do not have access to the .conf files, so creating inputs via the Splunk Web GUI is my only option. Any recommendations for further troubleshooting steps I could take?
Hi, I have a query where I'm extrapolating type based on a conditional and then counting by type. This works great when there are events for both cases, but I'd also like to show a value of 0 for a given type when there aren't any events for that type. I've seen some other posts using fillnull and appendpipe, but those examples haven't worked for my use case. Any help would be appreciated!

| eval type=if(user_action="place_order", "AddInOrdersPlaced", "AddInForwardedOrders")
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
| chart count over date by type
I have a search, and in the initial part of the search I have a subquery that returns some IP addresses, formatted like this using the | format command:

(ip="10.10.10.10" OR ip="1.1.1.1" OR ip="2.2.2.2")

I have a different search where I want to negate it. Is there a way to do this? I know that the format command does allow you to do things like this:

(NOT ip="10.10.10.10" NOT ip="1.1.1.1" NOT ip="2.2.2.2")

However, NOT ip="value" is not the same as ip!="value" in Splunk land. So I guess I'm wondering if anyone has a great way, in a subquery, to pass back the field/value pairs with != rather than =. My hunch is | format can't do it, but maybe there is a different way. Hope that makes sense.
Hello, I have the CSS below, which affects all the panels, including the date/time filter. How can I make it affect only the panels I want?

<row>
  <panel depends="$alwaysHideCSSPanel$">
    <html>
      <style>
        table thead tr th, td {
          font-size: 150% !important;
          width: 150px !important;
          border: 1px solid black !important;
          text-align: right !important;
        }
        table thead tr th {
          font-weight: bold !important;
        }
        g[transform] text {
          font-size: 130% !important;
        }
        g.highcharts-axis-labels text {
          font-size: 130% !important;
        }
        g.highcharts-axis text {
          font-size: 130% !important;
        }
        h2 text {
          font-size: 130% !important;
        }
      </style>
    </html>
  </panel>
</row>
<form version="1.1" theme="dark">
  <label>Backtrace</label>
  <init>
    <unset token="input_encoded"></unset>
    <unset token="show"></unset>
  </init>
  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="appBranchName" searchWhenChanged="true">
      <label>Select appBranchName:</label>
      <fieldForLabel>appBranchName</fieldForLabel>
      <fieldForValue>appBranchName</fieldForValue>
      <search>
        <query>| makeresults count=1 | table appBranchName</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="build" searchWhenChanged="true">
      <label>Select Build-Id:</label>
      <fieldForLabel>build</fieldForLabel>
      <fieldForValue>build</fieldForValue>
      <search>
        <query>
          <![CDATA[ | makeresults | table build ]]>
        </query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <search>
    <query>
      | makeresults count=1
      | eval encoded="$input_encoded$"
      | eval branch="$appBranchName$"
      | eval buildId="$build$"
      | table encoded branch buildId
    </query>
    <done>
      <set token="backtrace_show">$result.decoded$</set>
    </done>
  </search>
  <row>
    <panel>
      <title>Encoded</title>
      <html>
        <textarea id="input_encoded" style="width: 100%; height: 250px;"></textarea>
        <input id="decode" type="button" value="Decode" style="width: 180px; height: 40px;"/>
      </html>
    </panel>
  </row>
  <row depends="$show$">
    <panel>
      <title>backtrace</title>
      <html>
        <textarea id="output" style="width: 100%; height: 300px;">$how$</textarea>
      </html>
    </panel>
  </row>
</form>
I have an if statement in my dashboard code, but it doesn't work and I have no idea why. Here's the code:

<row>
  <panel>
    <title>Submission Details</title>
    <table>
      <search>
        <query>index=my_db sourcetype="my:details"
| fillnull value="NA" ID INT_MESSAGE_ID APPLICATION_NUMBER APPLICATION_TYPE SUBMISSION_NUMBER SUBMISSION_TYPE SUPPORTING_DOC_NUMBER GLOBAL_ID DUNS FEI PROJECT_ID MESSAGE_STATUS MESSAGE_COMMENT LAST_UPDATE_TIMESTAMP
| stats count by ID INT_MESSAGE_ID APPLICATION_NUMBER APPLICATION_TYPE SUBMISSION_NUMBER SUBMISSION_TYPE SUPPORTING_DOC_NUMBER GLOBAL_ID DUNS FEI PROJECT_ID MESSAGE_STATUS MESSAGE_COMMENT LAST_UPDATE_TIMESTAMP
| fields - count
| sort -INT_MESSAGE_ID</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="count">10</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <format type="color" field="MESSAGE_STATUS">
        <colorPalette type="expression">if (MESSAGE_COMMENT == "Processed", "#53A051", "#DC4E41")</colorPalette>
      </format>
    </table>
  </panel>
</row>
Hi Team, I would like to monitor the files below, with the extension .json.gz, in Splunk. In the DS app inputs I have given the stanza like this. When checked in Splunk it is showing only 1 day. These are the files that I want to monitor. Kindly let me know how to monitor the files.
Hi all, I have data coming in, parsing and indexing correctly, to a Windows index. This data comes in with one of two sourcetypes: "WinEventLog" and "wineventlog". The sources appear to be the same, so I am having difficulty understanding what corresponds to each sourcetype. Any help is appreciated. Thank you.
Hi all, I have a log source where the server timezone is CST and the logs are coming into the server with UTC timestamps. So while ingesting the logs, Splunk was ingesting based on CST, which is 5 hours before the logs. I have added a props config for UTC but am still getting the issue. Please let us know what needs to be done.
Need to compare 2 KV files and report the records of File1 that are missing in File2.

File 1:

Row#  roll numbers  Name     Registration #
1     5
2     7             Ajay     999
3     13            Kishore  123
4     10
5                   Vijay

File 2:

Row#  Class  roll numbers  Section  Name    Registration #
1     V      2             A        Aaron   565
2     VI     4             B        Michel  321
3     IV     3             D        Jeff    678
4     VIII   7             E        Ajay    999
5     X      8             H        Kumar   767
6     XII    10            F                098
7     XI     12            N        Evan    345

Now, I want to compare the following columns:

Roll numbers (File1) against Roll numbers (File2)
Name (File1) against Name (File2)
Registration # (File1) against Registration # (File2)

If we find any one of the fields (Roll Number / Name / Registration #) of a File1 record in File2, then we will not report that record; I shall only report the records for which we couldn't find anything by either roll number, name or registration #.

Note: we have to compare FILE1 against FILE2 and report the FILE1 records missing in File2.

Desired output:

Row#  roll numbers  Name     Registration #
1     5
2     13            Kishore  123
3                   Vijay

Total: 3 records not found (present in File1 and not present in File2).
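The matching rule described in the post (a File1 record counts as found if any one of its roll number, name or registration number appears anywhere in File2, and a blank cell never matches, otherwise the blank Name in File2 row 6 would "find" File1 row 1), worked through as an added Python example. This is not code from the post or a Splunk answer; the two files are constructed inline from the tables above and the column names follow the post.

```python
import csv
import io

# Constructed sample data mirroring the two files in the post.
FILE1 = """Row#,roll numbers,Name,Registration #
1,5,,
2,7,Ajay,999
3,13,Kishore,123
4,10,,
5,,Vijay,
"""

FILE2 = """Row#,Class,roll numbers,Section,Name,Registration #
1,V,2,A,Aaron,565
2,VI,4,B,Michel,321
3,IV,3,D,Jeff,678
4,VIII,7,E,Ajay,999
5,X,8,H,Kumar,767
6,XII,10,F,,098
7,XI,12,N,Evan,345
"""

# The three columns the post compares; any single hit counts as "found".
KEY_FIELDS = ("roll numbers", "Name", "Registration #")


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def build_index(rows, fields):
    """Map each key field to the set of non-blank values seen in the reference file.
    Blanks are skipped so an empty cell in File1 never matches an empty cell in File2."""
    index = {f: set() for f in fields}
    for row in rows:
        for f in fields:
            value = (row.get(f) or "").strip()
            if value:
                index[f].add(value)
    return index


def missing_records(file1_rows, file2_rows, fields=KEY_FIELDS):
    """Return the File1 records for which none of the key fields is present in File2."""
    index = build_index(file2_rows, fields)
    missing = []
    for row in file1_rows:
        values = {f: (row.get(f) or "").strip() for f in fields}
        found = any(v in index[f] for f, v in values.items() if v)
        if not found:
            missing.append(values)
    return missing


def report(file1_text=FILE1, file2_text=FILE2):
    """Renumber the missing records 1..n as in the post's desired output."""
    missing = missing_records(load_rows(file1_text), load_rows(file2_text))
    return [dict(row, **{"Row #": i}) for i, row in enumerate(missing, 1)]


if __name__ == "__main__":
    rows = report()
    for r in rows:
        print(r)
    print(f"Total {len(rows)} records not found")
```

The same rule in Splunk would normally be three lookups against the File2 lookup table followed by a `where` on all three output fields being null; the Python version makes the blank-handling explicit, which is the part that is easy to get wrong when the lookup matches an empty string.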
Hello, Splunk published multiple vulnerabilities on June 1st. I am reading through the documentation of every vulnerability found. The Product Status states that the fix version is Splunk Cloud 9.0.2303.100. Would that mean that we would not need to worry about the vulnerabilities anymore?
Hi Team, we launched a mobile application recently and are not able to view the crash event correlation; it is somehow missing for info points, custom timers and custom metrics. As far as I know, this is standard mobile instrumentation for iOS AppD SDK development. After implementation, you get the details for custom data, info points, custom timers and breadcrumbs in the mobile app, as this allows you to correlate what the user was doing before the crash. However, I do not see any of that data appearing under the crash page in the app currently. The SDK documentation below has been followed line by line to do the implementation: https://docs.appdynamics.com/appd/21.x/21.5/en/end-user-monitoring/mobile-real-user-monitoring/instrument-ios-applications/install-the-ios-sdk Just wondering if there is any further custom instrumentation required in this case. Kindly check and advise. Awaiting your response. Thanks.

Regards,
Sagar
Hi Splunkers, I'm using the "Splunk Add-on for ServiceNow" to send triggered alerts to ServiceNow. I'm trying to pass the alert name and alert time to the short description field in ServiceNow. In ServiceNow I see the results populated, but they get truncated at exactly 80 characters. I checked with the ServiceNow team in my organisation as well, and they don't have any such limit at their end. Additionally, when I checked the add-on I see an INDEX_LENGTH = 80 check being used in the add-on code. Could this be the reason behind the results getting truncated? Has anyone else faced this issue?

Code snippet:

#
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: LicenseRef-Splunk-8-2021
#
#
APP_NAME = "Splunk_TA_snow"
DEFAULT_RECORD_LIMIT = 3000
DEFAULT_DISPLAY_VALUE = "false"
FIELD_SEPARATOR = "||"
INDEX_LENGTH = 80
FILTER_PARAMETER_MIGRATION_STANZA = "filter_parameter_migration"
SETTINGS_CONF_FILE = "splunk_ta_snow_settings"
CHECKPOINT_COLLECTION_NAME = "Splunk_TA_snow_inputs_checkpointer"
We have 2 poller scripts in the add-on. One is getting triggered at the interval, whereas the other is not. I tried to reorder the config as suggested in this post: https://community.splunk.com/t5/Getting-Data-In/Interval-not-working-on-script/m-p/74998 Still not getting the expected result. Can someone please tell me what could be wrong?
I have a saved search, test_mail, which is not returning any results when run as a report or alert but runs fine in my search tab. All the permissions are given properly. Has anyone encountered anything like this?
Hello, Splunkers.

Problem statement: I've searched the data with "date" and "score" to get the latest data and got the result. (Date may or may not be the current time.)

index=sampledata | head 10 | table Date Score | sort -Date | head 1

Result:

Date        Score
2023-02-24  20

I have created a lookup table "score.csv" to behave like variables to store data.

Saved_Date  Saved_Score
2023-01-15  30

Now, I want to compare something like below:

| eval current_timestamp=strptime(Date, "%Y-%m-%d")
| lookup score.csv Saved_Date <Required Help>
| eval saved_timestamp=strptime(Saved_Date, "%Y-%m-%d")
| eval new=if(current_timestamp > saved_timestamp, "Yes", "No")
| where new="Yes"
| <want to overwrite with "Date" and "Score" in score.csv>
Hi all, I have syslog coming from a Forcepoint web proxy and the size of the data is very huge. I analysed the data and found some URLs come duplicated many times in the same logs, and I need to remove this data from indexing. Below is a sample of this data:

Jun 3 23:59:58 xx.xx.xx.xx vendor=Forcepoint product=Security product_version=8.5.4 action=blocked severity=7 category=9 user=LDAP://xx.xx.xx.xx OU\=users,OU\=xx_xx,OU\=xxxx,DC\=domain,DC\=xxxxxx,DC\=com,DC\=jo/XXXX XXXXX loginID=x.xxxx src_host=xx.xx.xx.xx src_port=55231 dst_host=otelrules.azureedge.net dst_ip=13.107.227.65 dst_port=443 bytes_out=0 bytes_in=0 http_response=0 http_method=GET http_content_type=- http_user_agent=Microsoft_Office/16.0_(Windows_NT_10.0;_Microsoft_Word_16.0.16327;_Pro) http_proxy_status_code=302 reason=- disposition=1025 policy=Super_Administrator**Default role=8 duration=4 url=https://otelrules.azureedge.net/rules/rule12019v1s19.xml logRecordSource=OnPrem
Hi Community, please suggest how many gateways can be deployed for 5000 collectors?
Hi Team! I need to make a REST API GET call to ingest a fairly large amount of data into Splunk and, unfortunately, this REST API doesn't have pagination logic. So it literally dumps an entire set of some 50,000 records every time. May I know the best way to ingest only new data into Splunk? Are there any best practices for ingesting only delta records (which are new) into the system? Thanks.
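One way to take only the delta from an API that returns the full record set on every call, as an added Python example that is not code from the post or from any Splunk add-on: fingerprint each record and keep a checkpoint of fingerprints between polls, emitting a record only when its fingerprint is new or has changed. The record shape, the `id` key and the two sample responses below are constructed assumptions; the poster's API schema is not given.

```python
import hashlib
import json
import os
import tempfile

# Constructed sample "API responses": the endpoint returns the whole record set every poll.
# Hypothetical record shape; the real API's schema is not known from the post.
POLL_1 = [
    {"id": 101, "user": "alice", "status": "active"},
    {"id": 102, "user": "bob", "status": "active"},
]
POLL_2 = [
    {"id": 101, "user": "alice", "status": "active"},    # unchanged -> skipped
    {"id": 102, "user": "bob", "status": "disabled"},    # changed   -> re-emitted
    {"id": 103, "user": "carol", "status": "active"},    # new       -> emitted
]


def record_fingerprint(record):
    """Stable SHA-256 over the canonical JSON form of the record.
    Keys are sorted and whitespace removed so field ordering in the
    API response cannot make an unchanged record look new."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def load_checkpoint(path):
    """Checkpoint is a JSON map of record key -> last fingerprint seen."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def save_checkpoint(path, state):
    """Write to a temp file and rename, so a crash mid-write cannot leave a
    truncated checkpoint that would cause the whole dump to be re-ingested."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def delta(records, checkpoint_path, key="id"):
    """Return only the records whose fingerprint differs from the one stored
    for their key, then persist the updated state for the next poll."""
    seen = load_checkpoint(checkpoint_path)
    new_records = []
    for rec in records:
        fp = record_fingerprint(rec)
        rec_key = str(rec[key])
        if seen.get(rec_key) != fp:
            new_records.append(rec)
            seen[rec_key] = fp
    save_checkpoint(checkpoint_path, seen)
    return new_records


def demo():
    """Run two polls against a fresh checkpoint; return the emitted ids per poll."""
    with tempfile.TemporaryDirectory() as d:
        checkpoint = os.path.join(d, "checkpoint.json")
        first = [r["id"] for r in delta(POLL_1, checkpoint)]
        second = [r["id"] for r in delta(POLL_2, checkpoint)]
    return first, second


if __name__ == "__main__":
    print(demo())  # ([101, 102], [102, 103])
```

Hashing the full record rather than keying on the id alone means a record whose fields changed between polls is re-emitted instead of silently dropped; if the requirement really is "new ids only", compare on the key and ignore the fingerprint. In a Splunk modular input the checkpoint file belongs in the input's checkpoint directory so it survives restarts and is not shared between inputs; the 50,000-record dump is still fetched every time, but only the delta reaches the index and counts against licence.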
How can I search for not only the filtered messages but also a couple of messages around them?