All Topics
We have updated the Splunk Enterprise version to 9 recently. Regarding post-upgrade validation, I have already gone through this post. In addition to these validation steps, I need to ensure all the dashboards, search reports/alerts, and lookup files are working as expected in each app. If this can only be achieved via a manual check of each dashboard/report, then it will be a long process; there are so many dashboards/reports available in each app. Could anyone please let me know if there is a way to ensure that all Splunk objects are working post-upgrade?
Hello, I want to create a GitHub Action to automate DB Connect inputs. What is the best way to call the API for that purpose? Thanks
I have a question about studying multi-site clustering. In a multi-site clustering environment, search heads and peer nodes exist in each site, but only one manager node exists, in a specific site. I wonder if there is a reason why there shouldn't be one manager node in each site. When I checked the official documentation, I saw a part that said that the manager node is not a member of any site. Therefore, for this reason (the manager node does not belong to any site), I wonder if there is only one manager node even in a multi-site clustering environment. This may not be an appropriate question, and my understanding is not enough, but if there are any mistakes, please point them out.
In Splunk Phantom 4.10 Free Community Edition, how can we disable a playbook with a status of running other than by using stop_phantom.sh and start_phantom.sh? We would like to know how to do this other than by executing the above scripts, as restarting the process every time is operationally burdensome.
Hi Team, please help us with a dashboard issue. We have a Splunk XML dashboard table as shown in the snippet below. In the root cause column the entire event is coming. We need help so that the entire event is adjusted to 4 lines and, if required, the column width can extend as per the event.
Hi Splunkers, I recently set up a use case based on BIAS failed logins with a threshold limit of 9 logins per day according to my company requirements. Now my management is asking me to check if there are any out-of-the-box Splunk features we could run against BIAS logs + Domain Controller logs. Any information regarding this would be helpful. Also, I'm trying to use "iplocation"
If I have 3 fields in a lookup table, flow, InterfaceCode, DataError, and I have a common field interfaceCode in the index search:

| lookup CareerMarketplace.csv InterfaceCode as InterfaceCode output DataError

So I match the lookup with the above query. With which search strings can I get exactly these errors? (Suggest possible commands with these fields: DataError matches MessageText, and display only these two errors.)

1. [ART.117.4002] Adapter Runtime (Adapter Service): Unable to invoke adapter service cip.atsJob.connectors.cipdb.jobCatalog:saveJobCatalog with connection cip.atsJob.connectors.cipdb:atsJobDb. [ADA.1.316] Cannot execute the SQL statement "?= call SAVE_JOB_CATALOG( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)". " (23000/1400) ORA-01400: cannot insert NULL into ("ATSJOB"."ATS_JOB_CATALOG"."JOB_TITLE") ORA-06512: at "ATSJOB.SAVE_JOB_CATALOG", line 55 ORA-06512: at line 1
2. Error in ATS_JOB_FEED.AVATURE_GLOBAL job processing either jobTitle or JobDescription value is null,chk ATS_JOB_CATALOG for job details using job code:%dynamic value% and ATS code:AVATURE_GLOBAL See CIP Framework Log for more details, Interface Code: ATS_JOB_FEED.AVATURE_GLOBAL

The DataError field values of the lookup match with MessageText of the index search. How can I get only these two errors, not the others, as a result?
Hi Team, we are getting the below internal errors on the majority of our indexers:

"timestamp ERROR KVStorageProvider - An error occurred during the last operation ('replSetGetStatus', domain: '15', code: '13053'): No suitable servers found (`serverSelectionTryOnce` set): [connection closed calling ismaster on '[::1]:8191']"

Can someone explain what that error message indicates?
I have a query that is giving the latest event of the task, but I want to filter the query for a status.

<base query> | stats latest(status) as Status latest(time) as Time by TASK_NAME

Results:
TASK_NAME   Status   Time
TASK 1      Passed   2023-05-19T01:32:28
TASK 2      Failed   2023-05-19T01:35:28
TASK 3      Passed   2023-05-19T01:15:28
TASK 4      Passed   2023-05-19T05:32:28

I just want all the failed tasks.
If I have a DataError field which has 10 different message texts, but I need to exclude two out of the 10 so that I get only 8 as the stats result? Please suggest any solution here.
I am writing an If Then Else evaluation statement and could use some help.

If (PRIORITY=02 AND Condition=Alarm) then <h3 style="color:red;">A Critical Alarm</h3>
else If (PRIORITY=12 AND Condition=Alarm) then <h3 style="color:orange;">A High Alarm</h3>
else If (PRIORITY=22 OR PRIORITY=25 AND Condition=Alarm) then <h3 style="color:yellow;">A Low Alarm</h3>
else If (PRIORITY=02 OR PRIORITY=12 OR PRIORITY=22 OR PRIORITY=25 AND Condition=Clear) then <h3 style="color:green;">A Cleared Alarm</h3>
I am trying to create an alert that triggers when a certain number of failed logins are reported in a 5 minute time period. Specifically, when a given user fails to login 3 successive times without a successful login in the next login attempt, I want the alert to fire and list the failed login attempts (user and _time).

1) The events below trigger the alert:
user    time    login attempt status
smith   12:01   failed
smith   12:03   failed
smith   12:04   failed

2) The events below will NOT trigger the alert, since the last event is a successful login:
user    time    login attempt status
smith   12:01   failed
smith   12:02   failed
smith   12:03   failed
smith   12:04   succeeded

How do I create a Splunk query (using the transaction command, presumably) to identify user login attempts that meet the trigger condition?
Hello All, I have a log file which looks like the below, and I want to display Time against the segment size (where the first column is the date, and the "SEGSZ" column value is plotted against time). Can anyone help me with a query?

T ID KEY MODE OWNER GROUP CREATOR CGROUP NATTCH SEGSZ CPID LPID ATIME DTIME CTIME
28-05-2023 00:00:00 AM;IPC status from <running system> as of Sun May 28 00:00:02 MEST 2023
m 16779859 0 --rw------- prxm2 tuxedo prxm2 tuxedo 3 1472 57944 57954 2:12:42 2:12:42 2:12:42
28-05-2023 00:00:00 AM;Shared Memory:
m 16779801 0 --rw------- prxm2 tuxedo prxm2 tuxedo 365 156068 57942 60092 4:00:42 4:00:42 2:12:42
28-05-2023 00:00:00 AM;m 16779844 0 --rw------- prxm2 tuxedo prxm2 tuxedo 16 4592 57943 60483 6:00:01 6:00:01 2:12:42
m 16779771 0 --rw------- prxm2 tuxedo prxm2 tuxedo 3 6152 57940 57950 2:12:42 2:12:42 2:12:42
28-05-2023 00:00:00 AM;m 16779786 0 --rw------- prxm2 tuxedo prxm2 tuxedo 3 1472 57941 57951 2:12:42 2:12:42 2:12:42
m 16779639 0 --rw------- prxm2 tuxedo prxm2 tuxedo 2 443769 57604 57719 2:12:39 no-entry 2:12:36
28-05-2023 00:00:00 AM;m 16779640 0 --rw------- prxm2 tuxedo prxm2 tuxedo 2 1048576 57604 57719 2:12:39 no-entry 2:12:36
m 16779465 0 --rw------- prxm2 tuxedo prxm2 tuxedo 2 1048576 57289 57447 2:12:33 no-entry 2:12:30
If we have some error messages with both static and dynamic content, we want to match the static content of the error to the interesting fields of the Splunk search by editing the lookup table with a regex. Please suggest a possible solution here.

error: Connection timed out 65143
static content: Connection timed out
dynamic content: 65143
Hello, Team! I see delays in the receipt of events in the indexes. Events are collected by SplunkForwarder agents. In the case of a complete absence of events, restarting the agents helps, but if there is a delay in the arrival of events, restarting the agents does not help. Events go to HFs, then to indexers. On the Splunk universal forwarders there are errors like these:

in splunkd.log:
WARN TailReader [282099 tailreader0] - Could not send data to output queue (parsingQueue), retrying...

in metrics.log:
+0300 INFO HealthChangeReporter - feature="Large and Archive File Reader-0" indicator="data_out_rate" previous_color=green color=yellow due_to_threshold_value=1 measured_value=1 reason="The monitor input cannot produce data because splunkd's processing queues are full. This will be caused by inadequate indexing or forwarding rate, or a sudden burst of incoming data."

Where is the problem: on the Splunk universal forwarder or on the heavy forwarder? What should I look at?
Is there an official page for AppDynamics where extensions can be downloaded? A page similar to where we get the agents (agents.download). Also, are those extensions updated and do they have different versions? The extension requirements are:
1. Process monitor
2. File watcher (file count)
3. Windows service manager extension
We have a script as a data source, and sometimes events could be duplicated (same ID). Using | dedup id in the search helps, but we want to override events with the same ID if possible. We have tried some solutions from the internet and the documentation, but they haven't helped.

props.conf
[incidents_script]
TZ = UTC
category = Splunk App Add-on Builder
pulldown_type = 1
python.version = python3
TRUNCATE = 1000000
INDEXED_EXTRACTIONS = json
TIMESTAMP_FIELDS = trigger_time
SHOULD_LINEMERGE = false
AUTO_KV_JSON = false
KV_MODE = none
TRANSFORMS-index = replace_existing deduplicate
REPORT-id = extract_id
TRANSFORMS-debug = debug_deduplicate
EXTRACT-id = "id"\s*:\s*"([^"]+)"

transforms.conf
[replace_existing]
REGEX = .
DEST_KEY = _SYS_CHECKSUM
FORMAT = index-replace

[deduplicate]
REGEX = .
MV_ADD = true

[debug_deduplicate]
REGEX = .
MV_ADD = true

[extract_id]
REGEX = "id"\s*:\s*"([^"]+)"
FORMAT = id::$1
Hello Everyone, I have the below query, with which I am trying to build a table showing data for SUCCESS (the sum of statusCode values starting with 20*) and FAIL (the sum of statusCode values starting with 4*). However, with the below query:

index=my_index sourcetype=openshift_logs openshift_namespace=my_ns openshift_cluster="cluster009" ("message.statusCode"=20* OR "message.statusCode"=4*) | search "message.logType"=CLIENT_RES | search "message.url"="/shopping/carts/*" | timechart span=1h dc("message.tracers.id{}") as count by message.statusCode

I am getting the table below:
_time              200   201   400   403
2023-05-28 03:00   400   10    10    11
2023-05-28 04:00   301   99    19    0
2023-05-28 05:00   100   45    11    9

I am expecting a table something like this:
_time              success   fail
2023-05-28 03:00   410       21
2023-05-28 04:00   400       19
2023-05-28 05:00   145       20

Not sure how to change this.
Hello, how would I get the report ID or the ID of a saved/scheduled search? Thank you!
Hello dear community, I am new here and hope for warm support. The following is the problem I have to solve: I have several files, and if a document is missing, a notification should be sent with a reference to this file. Example:
File12324.txt
File21111.txt
Filefdfdf.txt
(naming without a pattern)
If the next day File21111.txt is missing, an email goes out with the content "..." + File21111.txt + "...". Thanks for the advice.