All Topics
Hello, I am running multiple Splunk instances on the same machine, located in /opt as follows:
/opt/splunk1
/opt/splunk2
/opt/splunk3
... etc.
I need to upgrade Splunk Enterprise to a newer version. I tried using the following RPM command:
sudo rpm -Uvh --relocate=/opt/splunk=/opt/splunk1 splunk.rpm
But I received the following error message:
path /opt/splunk in package splunk is not relocatable
I tried using a .tgz file instead, but it's also not working.
sudo tar -xzf splunk.tgz -C /opt/splunk1
Can anyone recommend a way to upgrade Splunk on all my instances?
Hello All, I want to move my indexed data from the default directory, i.e. /opt/splunk/var/lib/splunk, to a different folder, preferably the hot/warm volume. Is there any way this can be achieved with minimum downtime? Thanks in advance.
Hi Team, We have a Splunk XML dashboard as shown in the below snippet. In the above table we have extracted the job names from the raw text and arranged those job names in the Splunk dashboard table, where we can see that all job names are in a single cell, but we need those job names divided into separate cells with the same timestamp. Please help us on this. Below is the SPL query we have given for the table and the XML code given for the table.

index= app_events_dwh2_de_int _raw=*(*Error*) | eval status="Error" | rex max_match=0 "\\\\\\\\\\\\\"name\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?<name>[^\\\]+)" | append [ search index=app_events_dwh2_de_int _raw=*(*Error*) | eval rootcause=exc_info] |table "_time", "name", status, rootcause

<panel id="Error_table">
  <html>
    <H1 style="text-align:center;background-color:#0080FF;">Error Event Details</H1>
    <style>
      #Error_table { width: 70% !important; }
      #Error_table1 table thead tr th:nth-child(1){ width: 25% !important; }
      #Error_table1 table thead tr th:nth-child(3){ width: 10% !important; }
      #Error_table1 table thead tr th:nth-child(2){ width: 25% !important; }
      #Error_table1 table thead tr th:nth-child(4){ width: 40% !important; }
      #Error_table1 table td { row-height: 5px !important; }
    </style>
  </html>
  <table id="Error_table1">
    <search>
      <query>index= app_events_dwh2_de_int _raw=*(*Error*) | eval status="Error" | rex max_match=0 "\\\\\\\\\\\\\"name\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?&lt;name&gt;[^\\\]+)" | append [ search index=app_events_dwh2_de_int _raw=*(*Error*) | eval rootcause=exc_info] |table "_time", "name", status, rootcause</query>
      <earliest>0</earliest>
      <latest></latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">6</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="refresh.display">progressbar</option>
    <option name="wrap">true</option>
    <format type="color" field="name">
      <colorPalette type="minMidMax" maxColor="#FFFFFF" minColor="#FFFFFF"></colorPalette>
      <scale type="minMidMax"></scale>
    </format>
    <format type="color" field="status">
      <colorPalette type="map">{"Error":#FFFFFF}</colorPalette>
    </format>
  </table>
</panel>
Through a dbx query, I'm pulling out several columns, among which include account_email, true_ip, device_id, and request_id. I want to see only the events where any of these columns have duplicate values. For example, if 3 events have the account_email of test@gmail.com, then I'd want to see all 3 events, regardless of what's in the other columns. The same applies for true_ip, device_id, and request_id. How can I do this?

I tried something like this:
dbxquery=query_here | stats count by account_email, true_ip, account_telephone, device_id, request_id, session_id, digital_id | where count > 1

But this doesn't work, because this would only extract occurrences where the combination of all those columns happened more than once. But as long as at least one of the columns has a duplicate occurrence, I'd want to see it.
When I checked the plugin using Splunk AppInspect before submitting it, I reported the following error:

curl -X GET -H 'Authorization: bearer REDACTED' --url 'https://appinspect.splunk.com/v1/app/validate/status/2a201454-38d8-4859-87f6-d15811316176'
{
  "request_id": "2a201454-38d8-4859-87f6-d15811316176",
  "links": [
    { "href": "/v1/app/validate/status/2a201454-38d8-4859-87f6-d15811316176", "rel": "self" },
    { "href": "/v1/app/report/2a201454-38d8-4859-87f6-d15811316176", "rel": "report" }
  ],
  "status": "ERROR"
}

How can I resolve it?
Original query:

index=app-data sourcetype=clientapp-code |rex field=_raw "\Status\:(?<Code>.*?)\|" |eval Failed=if(Code!=0, "Failed", null()) |bucket _time span=1d |stats count(Failed) as Fail by _time

OUTPUT:
_time       Fail
2022-01-22  6
2022-01-23  0
2022-01-24  8
2022-01-25  0
2022-01-26  0
2022-01-27  12
2022-01-28  0
2022-01-29  0

tstats query:

|tstats count where index=app-data sourcetype=clientapp-code by PREFIX(status:) _time span=1d |rename status: as Code |eval Failed=if(Code!=0, "Failed", null()) |where Code!=0 |stats values(count) by _time

OUTPUT:
_time       Fail
2022-01-22  6
2022-01-24  8
2022-01-27  12

I want to see the original query's output with the tstats query, but the 0 data rows are not showing up in the tstats command. How can I get the 0 data rows using the tstats query?
Hello, I have a Splunk forwarder forwarding logs to a Splunk Server, and the Splunk Server is using a LetsEncrypt CA cert. I have tried a couple of directives but they don't seem to work. Here are my configs:

outputs.conf
[tcpout]
useACK = true
indexAndForward = false
defaultGroup = splunkssl
forwardedindex.0.whitelist = modsec

[tcpout:splunkssl]
compressed = true
server = splunkserver.ip.com:9998
clientCert = /opt/splunkforwarder/etc/certs/client.pem

[tcpout-server://splunkserver.ip.com:9998]
#sslRootCAPath = /opt/splunkforwarder/etc/certs/cacert.pem
sslRootCAPath = /opt/splunkforwarder/etc/certs/letsencryptca.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunkserver-alias.ip.com

I found my issue here in the forums, but the response was to disable sslVerifyServerCert, which I cannot do.

Here is the error I get:

05-30-2023 16:19:21.265 -0700 ERROR TcpOutputFd - Connection to host=splunkserver.ip.com:9998 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
What is the main difference between a netstat command and a stats command, as I feel like one is associated with tables?
I have two different searches:
1. index=xoom_app_online_checkout_orchestration_api user_id residence_country=US request_cobrand=null
2. index!=xoom_app_online_checkout_orchestration_api user_id tracing_user_id tracing_user_type="ABC"

From the first search, I want to retrieve user_id. From the second search, I want to retrieve tracing_user_id. I only want a response if user_id=tracing_user_id. I was using this query, but it was ignoring values from search (1):

( index="xoom_app_online_checkout_orchestration_api" user_id residence_country=US request_cobrand=null ) OR (index!=xoom_app_online_checkout_orchestration_api tracing_user_id tracing_user_type="ABC" ) | eval joiner=if(index="xoom_app_online_checkout_orchestration_api", user_id, tracing_user_id)| stats values(*) as * by joiner | WHERE user_id=tracing_user_id
I have two machines; one looks like it's a heavy forwarder. I can browse into the GUI of the first Splunk server but cannot browse into the GUI on the heavy forwarder. Is this normal? Do you usually have GUI access on the heavy forwarder? Is there a service that needs to be running to allow it to serve web traffic?
Is there an easy way to tell what role a Splunk server is?
I have a lookup table with filters and SPLs columns/values by product/client. I want to use a macro passing the product/client as an argument, and the result should be the entire filter or SPLs. Is there any way to do it? For example:

index=X `mymacro(productA)`

The mymacro definition should return the values in the lookup table related to productA. The search above should return all the fields, commands, and so on related to this productA and execute the search.
KV store initiation failure. I have got this area that says:

"error in input lookup command external command-based lookup es notable events is not available because KV store initialization has failed contact your system administrator"

What log is the most relevant for this kind of error? Would it be the mongodb log, and look for a lock? Is that a good route to go? I am a pretty good engineer but new to Splunk and definitely could use some guidance on just about everything Splunk related.
Hi, I need to populate the dropdown from the lookup table. I can only drop down labels from the lookup table, not the value. I need to filter the dashboard based on the selected value. Currently, the label is passing to the queries in the dashboard.
Hi, I have the below raw event. Data is ingested via reading logfiles from a dedicated location on a monitored server with a UF on it. Splunk's default method is not extracting fields as I need. Some fields have nested fields within. Is it possible to do a regex at search time, or preferably at index time, to do this?

### Tue Apr 11 00:00:06 CDT 2023: logChangeEventForSplunk() called ###
    event.id: 00000000-d825-00000-0cd1-00000000000000
    event.time.received: Tue Apr 11 00:00:06 CDT 2023
    event.time.first.received: Mon Apr 10 23:56:04 CDT 2023
    event.title: TESTING XYZ:CPU Load status changed from OK to Critical
    event.description: null
    event.state: closed
    event.severity: unknown
    event.receivedOnCiDowntime: false
    event.etiHint: CPULoad:Bottlenecked:82.0
    event.isLogOnly: false
    forwarding.type: notify_and_update
    event.solution: null
    event.control.transferred.to.name: <none>
    event.control.transferred.to.dns.name:
    event.control.transferred.to.state: <none>
    event.control.transferred.to.external.id:
    event.duplicate_count: 0
    event.external.id: urn:uuid:00000000000-d825-00000-0cd1-0000000000000
    cause.external.id: null
    custom attributes:
        SubmitCloseKey=true
        bsmc_policy_type=xml-ws
    history list:
        history line 1:
            historyLine.timeCreated.1=2023-04-10 23:56:05.624
            historyLine.messageKey.1=null
            historyLine.modifiedBy.1=System
            historyLine.headline.1=null
        history line 2:
            historyLine.timeCreated.2=2023-04-10 23:56:05.83
            historyLine.messageKey.2=null
            historyLine.modifiedBy.2=System
            historyLine.headline.2=null
        history line 3:
            historyLine.timeCreated.3=2023-04-11 00:00:06.336
            historyLine.messageKey.3=historylines.component.closing.related.events
            historyLine.modifiedBy.3=System
            historyLine.headline.3=Closing Related Events
    Related CI:
        0000000000000000000000000
        lic_operational2advanced=false
        root_candidatefordeletetime=Sun Apr 30 12:22:50 CDT 2023
        data_operationisnew=false
        lic_type_basic=false
        lic_type_asset=false
        lic_type_udf=false
        type=nt
        root_class=nt
        lic_type_udi=false
        TenantsUses=System Default Tenant
        display_label=XYZMACHINE
        data_operationstate=0:Normal
        host_key=0.0.0.0 DefaultDomain
        lic_type_premium=false
        monitored_by=XYZ.ABC.com
        data_allow_auto_discovery=true
        root_actualdeletetime=Sat May 20 12:22:50 CDT 2023
        data_teststate=0:Normal
        id=0000000000000000000000
        type_label=Windows
        project=ABC
        default_gateway_ip_address_type=IPv4
        data_changecorrstate=0:No Change
        last_modified_time=Thu Apr 06 15:05:46 CDT 2023
        create_time=Thu Jan 26 12:56:33 CST 2023
        TenantOwner=System Default Tenant
        data_changestate=0:No Change
        primary_dns_name=XYZ.ABC.com
        contextmenu=itCIs
        global_id=00000000000000000000000000
        lic_type_management=false
        data_testisnew=false
        root_lastaccesstime=Mon Apr 10 12:22:50 CDT 2023
        lic_type_operational=false
        root_iscandidatefordeletion=false
        data_source=XYZ: SAMPLE
        data_changeisnew=false
        data_testcorrstate=0:Normal
        track_changes=false
        host_iscomplete=true
        name=AAAAAAAAAAAAAAAAAAA
        data_operationcorrstate=0:Normal
        is_save_persistency=false
        data_adminstate=0:Managed
        lic_type_full=false
        root_enableageing=true
        data_updated_by=XYZ : ABC
### Tue Apr 11 00:00:06 CDT 2023: logChangeEventForSplunk() finished ###
Is it possible to see the Splunk log in the graphical user interface (the web interface)? Supposedly you can see it somewhere in Settings, but I don't see it. Is there any way to see splunkd.log in the GUI? I don't currently have command line access to the Splunk host. Thanks for anything you can tell me.
Is there anywhere else Splunk Community joins together?
How do I meet Splunk users in my area? Are there meetups?
I have a great suggestion for a product, an app, etc- who do I speak to?
Who can I contact for Training and Certification related inquiries?