I have data in the event with a date field, and when saving the same search in a Dashboard Studio table it's giving previous date values, not the exact values from the event data.

index=test sourcetype="test Data*" | sort -time | dedup TABLE_NAME | table TABLE_NAME MAX_POSITION_DATE MAX_DMA_RUN_DATETIME

TABLE_NAME    MAX_POSITION_DATE          MAX_DMA_RUN_DATETIME
5858585 L     2023-06-01 00:00:00.000    2023-06-01 06:48:12.225
46466464      2023-05-31 00:00:00.000    2023-06-01 03:02:58.000
Can we aggregate the data in the specified column?

Example SPL A)
index=pan_logs | stats count by signature,src,dest

Example SPL A result)
signature_name  src       dest      count
signature-A     10.1.1.1  10.0.0.1  1
signature-B     10.1.1.2  10.0.0.2  2
signature-A     10.1.1.3  10.0.0.3  2
signature-B     10.1.1.4  10.0.0.4  2

Table we want to create)
signature_name  src       dest      count
signature-A     10.1.1.1  10.0.0.1  3
                10.1.1.3  10.0.0.3
signature-B     10.1.1.2  10.0.0.2  4
                10.1.1.4  10.0.0.4

We want to aggregate by signature_name without changing the src<->dest combination.
Hi Forum Members, I am new to the features of AppDynamics and I would like to enquire about the possibility of integrating Power BI with AppDynamics to visualize data in Power BI. Power BI has a feature called tooltip where users can obtain information on a data status by hovering over a particular node, in order to retrieve information from that particular status. Does AppDynamics have a similar feature to tooltip?

Given that AppDynamics has dashboarding capabilities, are we able to create a dashboard that consists of color-changing status symbols (Red, Amber, Green) according to the data abnormalities detected, instead of using Power BI? At the same time, does it provide detailed, changing dashboard pages where I can focus on the performance of a specific application upon clicking on a specific component (Database)?
During the Upgrade Readiness jQuery scan, we are seeing errors for the latest versions of add-on apps like Okta, LastPass and Jenkins. Is it still safe to go ahead and upgrade from v9.0.1 to v9.0.4.1 without causing a problem for the add-on apps' usage?

LastPass
This app is not compatible with jQuery 3.5.
Version 2.0.0
Application Path C:\Program Files\Splunk\etc\apps\TA-lastpass
Required Action: Do one of the following: Confirm on the app's Splunkbase listing if this alert should be dismissed for this app version. Petition the developer to update the app. Uninstall the app from the app listing page. Take ownership of the app and override existing code (not recommended).

Okta Identity Cloud Add-on for Splunk
This app is not compatible with jQuery 3.5. A jQuery 3.5 compatible version of this app is available on Splunkbase.
Version 2.25.21
Application Path C:\Program Files\Splunk\etc\apps\TA-Okta_Identity_Cloud_for_Splunk
Required Action: Update this app to the latest version on Splunkbase.

Splunk App For Jenkins
This app is not compatible with jQuery 3.5. A jQuery 3.5 compatible version of this app is available on Splunkbase.
Version 2.0.4
Application Path C:\Program Files\Splunk\etc\apps\splunk_app_jenkins
Required Action: Update this app to the latest version on Splunkbase.
Hi Guys, We are running AKS with the CNI plugin with a Synthetic Server (Azure VM) and getting the below errors in the Chrome pod logs. Private Synthetic Agent version is 22.9.0. It's as though the Chrome pod is unable to authenticate with heimdall, hence the 401 error. Has anyone seen this before? Not sure how to deal with this issue.

INFO 2023-05-31 04:32:59,176 ad.internal idx-measurementId=4a8f5e61-08ee-43da-a2e1-b719b8efa620~81527f82-7801-469c-83da-e9a4d504b513 Creating directory: ../temp/customScreencasts
INFO 2023-05-31 04:32:59,176 ad.internal idx-measurementId=4a8f5e61-08ee-43da-a2e1-b719b8efa620~81527f82-7801-469c-83da-e9a4d504b513 Creating directory: ../temp/pageScreencasts
INFO 2023-05-31 04:32:59,176 ad.internal.HeimdallClient idx-measurementId=4a8f5e61-08ee-43da-a2e1-b719b8efa620~81527f82-7801-469c-83da-e9a4d504b513 Fetching measurement for id: 4a8f5e61-08ee-43da-a2e1-b719b8efa620~81527f82-7801-469c-83da-e9a4d504b513
ERROR 2023-05-31 04:32:59,188 ad.internal.HeimdallClient idx-measurementId=4a8f5e61-08ee-43da-a2e1-b719b8efa620~81527f82-7801-469c-83da-e9a4d504b513 Fetching measurement for id: 4a8f5e61-08ee-43da-a2e1-b719b8efa620~81527f82-7801-469c-83da-e9a4d504b513 failed Received status code: 401. Time taken for api call in ms: 0
ERROR 2023-05-31 04:32:59,189 ad.internal idx-measurementId=4a8f5e61-08ee-43da-a2e1-b719b8efa620~81527f82-7801-469c-83da-e9a4d504b513 Fetching measurement for id: 4a8f5e61-08ee-43da-a2e1-b719b8efa620~81527f82-7801-469c-83da-e9a4d504b513 failed Received status code: 401. Time taken for api call in ms: 0
Traceback (most recent call last):
  File "driver.py", line 79, in <module>
    measurement_data = heimdall_client.fetchMeasurement(MEASUREMENT_ID)
  File "/app/agent/Client/heimdall_client.py", line 73, in fetchMeasurement
    raise HeimdallClientException(errorMessage)
customExceptions.HeimdallClientException: Fetching measurement for id: 4a8f5e61-08ee-43da-a2e1-b719b8efa620~81527f82-7801-469c-83da-e9a4d504b513 failed Received status code: 401.
Time taken for api call in ms: 0
INFO 2023-05-31 04:32:59,189 ad.internal.ResultsUploader idx-measurementId=4a8f5e61-08ee-43da-a2e1-b719b8efa620~81527f82-7801-469c-83da-e9a4d504b513 Uploading artifacts
I love love love Splunk and especially SPL! It makes it so easy to generate very granular and detailed reports on large data-sets. But is there anything comparable for offline data? In the past I've used Excel and both its 'Data:Filter' function along with custom formulas. But that all seems so restrictive now, compared to SPL. Any suggestions? (Aside from temporarily importing my offline data into Splunk, which I cannot do for various reasons...)
Hi, I am in need of an older version of Splunk Universal Forwarder that works with Windows 2000. Before anyone asks, this is for a specialized use case and no, it cannot use a newer version of Windows. I am well aware that Windows 2000 has been out of support from Microsoft for over a decade. This does not change the fact that I need some way to get logs from the Windows 2000 system to Splunk. Everything I am finding points to Forwarder version 5.0.17 being potentially the last version to include support for Windows 2000. Is this version (or any other compatible version) still available anywhere? The Previous Releases page only goes back to 7.1.1 currently: Splunk Universal Forwarder Previous Releases | Splunk. Please, if you know where I can get a version I would greatly appreciate it. Thanks!
Hi all, I want to migrate Splunk Enterprise 6.5 to Splunk Cloud. There is an app called Cloud Migration Assessment App for Splunk (SCMA), but it is not compatible with Splunk Enterprise version 6.5. I would prefer not to have to update the actual Splunk Enterprise. Any tip?
Hello, when I want to create a dashboard on the free license of Splunk v9.0.4.1, I get the error ' Wrong content-type "text/html" expected "application/json" '. I've searched everywhere for where the error may come from, but I can't find it... For information, I just installed Splunk and inserted some logs.
Hello, I have a log file that spits out data like the below. I want to be able to evaluate the numbers on either side of the "/" and alert if they are not the same. How can I do this? There will only be 1 "/" per line. The last line below that has "1/3" would be the only line I want returned. The data below is not in table form in the log file, it's just text.

NAME          READY  STATUS   RESTARTS  AGE
Process1      2/2    Running  0         8d
Process2ab    2/2    Running  0         8d
Process 3abc  1/3    Running  0         8d
Hi Splunkers, As the subject mentions, I want to run 2 versions of Splunk DB Connect on the same instance. Existing: 3.5.0 >> want to move to 3.13.0 (latest). I am not able to rename and keep both of them side by side; the UI doesn't load. Is there a way this can be achieved? Use case: To migrate the connections / identities from one to another in a phased process. There was a failed DB Connect upgrade due to which I had to restore the old DB Connect, and this is the way we have decided to go if it can be achieved. In general any app should be able to do this, so do let me know if you guys have a solution!
Hi There, I am attempting to set up alerts to send a message to a teams channel. However, I can't seem to find a way to edit the request and the only option is to enter a URL. Any help would be appreciated, Jamie
I have two queries I want to merge and I need expert help. The first one returns reporting devices as Good and non-reporting devices as Missing. The second one returns the missing devices with a heartbeat but not sending logs. Help me come up with one query that would show results for Good, Heartbeat and Missing:

| tstats latest(_time) as latest where index="*" earliest=-5d by host
| eval recent = if(latest > relative_time(now(),"-15m"),"Good","Missing"), realLatest = strftime(latest,"%c")

| tstats latest(_time) as latest where index="_*" earliest=-5d by host
| eval recent = if(latest > relative_time(now(),"-15m"),"Heartbeat","Missing"), realLatest = strftime(latest,"%c")
We have around 100 indexes, and I want to alert if there is a drop in the % of volume for an index/sourcetype without creating an alert for each index. I don't want to create an alert for each index. Any suggestions, or do we have an existing query which is already implemented?
I'm trying to come up with a way to output to a lookup file a list of calculated network addresses given a list of IP addresses. By using a destination MAC address and a source IP, I'm able to group together a list of IPs that are using the same gateway with the following: `index=zeek sourcetype=zeek_conn | stats values(src) by resp_l2_addr` But from here, I need to take those src values and have Splunk give me the smallest subnet that covers that range of addresses. For example, if I have 10.0.0.5 and 10.0.1.5 in the same list, I would need the query to say, based on these two addresses, there is a 10.0.0.0/23 network. I feel this is more of a machine learning type of problem, but wanted to see if anyone has come up with something similar that could solve this. Thanks!
With https://community.splunk.com/t5/Dashboards-Visualizations/Render-HTML-code-from-search-result-in-Splunk-dashboard/m-p/221940 I managed to display the (HTML) content of 1 field in readable format. This solution works fine for 1 field at a time (logically, because it's using a token). I want to display all the fields in a dashboard in that format. I can't find out how to do that. Besides that, it's hard to find useful information on using JavaScript in combination with Splunk, but maybe that's because I'm relatively new to using JavaScript and probably using the wrong keywords. Anyone have some suggestions?
Hello together, I installed Splunk ES 7.11 via CLI in a Splunk Single Instance Deployment with version 9.0.4. If I go under menu: Configure -> Incident Management -> New Notable Event, I get the following error: Cannot read properties of undefined (reading 'value')

Any ideas how to solve this? I also tried a reinstall of Splunk core and ES. Not working.
Error in 'rtlitsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK. I am facing this error in Splunk free edition after 3 violations. How can I get rid of this error, and after how many days will this error go away from my web console?
Hi, I am relatively new to Splunk. I am trying to achieve the output as:

Store  Register  Success_Count  Failure_Count  Total

I am using the below search query:

index=idx-stores-pos sourcetype=GSTR:Adyen:log Success OR Failure
| eval Store= substr(host,1,7)        --------- extracting store and register from the host
| eval Register= substr(host,8,2)
| rex field=_raw "AdyenPaymentResponse:.+\sResult\s:\s(?<Status>.+)"
| stats count as Status_Count by Status
| eventstats sum(Status_Count) AS Total

It is giving me this result:

Status   Status_Count  Total
Failure  23            597
Success  574           597

Please help!
Hi all, We have enabled Windows DNS debug on our AD servers, but get wrong domain names. I have tried two different props.conf settings on our SH but still get wrong domain names.

[MSAD:NT6:DNS]
EVAL-fqdn=trim(replace(src_domain,"\([0-9]+\)","."),".")

[MSAD:NT6:DNS]
EVAL-src_domain_punct = trim(replace(src_domain, "\(\d+\)", "."),".")

Example of domain names:
(6)mobile(6)events(4)data(9)microsoft(3)com(0)
(5)teams(6)events(4)data(9)microsoft(3)com(0)
(4)pool(3)ntp(3)org(0)

Can you help advise on how to remove the ( ) from the FQDN? Thank you in advance