Hi Team, I have 2 indexes with the same data. In Index1 the data is coming with the fields user, action, http_referrer, and in Index2 the data is coming with the fields loginid, action, referrer. I want to table the results with the common field data from the 2 indexes, like | table user, action, referrer. I tried using eval mvappend but it didn't work. Can someone please assist? Thank you.
Hi, I have a parsing issue on Windows DHCP logs. I'm using the Splunk Add-on for Windows DHCP. The raw logs are as below.
1030,05/16/23,15:24:03,0 DHCPV6 Stateless client records purged,,,,,,,,,,
25,05/16/23,15:24:03,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0
25,05/16/23,15:24:03,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0
24,05/16/23,15:24:03,Database Cleanup Begin,,,,,0,6,,,,,,,,,0
11030,05/16/23,14:24:03,0 DHCPV6 Stateless client records purged,,,,,,,,,,
25,05/16/23,14:24:03,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0
25,05/16/23,14:24:03,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0
It seems like it doesn't have any information. Please assist with this issue. Thank you.
Hey, can someone please share the steps/document for the Splunk indexer migration where the indexers are in a cluster? Thanks, GK
I have an IP field that I'm trying to match against a lookup that contains DHCP ranges. For example, assume the lookup contains the following:
Start_Address,End_Address
10.0.0.5,10.0.0.254
10.2.0.5,10.3.0.254
10.4.0.5,10.4.0.254
When matching the IP field, 10.0.0.10 would match, but 10.0.0.2 would not. That said, simply determining the CIDR notation (10.0.0.0/24) won't work. I've considered enumerating all IPs, resulting in a huge lookup, but I'm wondering if anyone has any other ideas.
Hello Team, we have one Splunk environment where we are facing the challenge of preparing the correct onboarding inventory sheet. Can someone help with the correct resolution? Please provide any application or query that will help to prepare the data. Your answer will be appreciated. Regards, Gautam Khillare (GK)
Is there any Splunk website that shows the different event codes and the purpose of each one of them? If so, can you point that out to me?
I have multiple panels in a dashboard and a dropdown for the time range as well. But for one of the panels I want to specify earliest and latest times to see data from 12:00 am to 11:59 pm (I don't want to link the panel to the time range dropdown). How do I specify this in earliest and latest?
My dashboard has a dropdown "System" and a few panels. Dropdown System has "A", "b", "c". If I choose "A" from the dropdown, then the panels should exclude these 2 lines from the base search and execute:
| dedup time_day, name
| dedup ID
Base:
| pivot XYZ_dm ..... | dedup time_day, name | dedup ID | table *
If I choose "b" or "c" from the dropdown, the base should execute as it is in all the panels. Please suggest.
We're running a demo install of Splunk Enterprise. It's running on a Windows server (2022). I am trying to get my instance of Cisco Firepower eStreamer to get data into Splunk. The instructions indicate I need to run a shell script that is located in the app folder. The only way I can imagine running this script is via SSH. When I attempt to SSH to my Splunk instance on port 22, my connection is refused. Anybody got any tips? This has got to be something easy that I am overlooking. THANKS! --Dan
Hi, I'm trying to create a vanilla dense neural network in the Splunk Deep Learning Toolkit, but when I try to use the command
| fit MLTKContainer algo=nn_regresion "field" from * into: app:XYZ
I get the error:
MLTKC error: /fit: ERROR: unable to load algo code from module. Ended with exception: module 'app.model.nn_regresion' has no attribute 'summary'
Does someone know what I did wrong? Or is it a Deep Learning Toolkit problem?
Good afternoon, I'm trying to send an alert via Slack, but my result is a table, and it only sends the first row of the table. How do I get Splunk to send all table rows? For example:
Settings:
So I have a Splunk dashboard and I have multiple filters, and I am using a base search. I want to have a button that allows me to export the base search table as a CSV file when I click the button, and it should export the table with the filters I have applied in the filter section. How can I achieve this? Any help would be greatly appreciated. I know that you can press the export button at the bottom of the file to export the table, but my table is hidden, so I just want a button that exports the report. Thanks.
I'm trying to use the Smart Outlier Detection use case in MLTK, but after entering the query I don't get the option to move into the "Learn" stage. Here is my query:
`Internal Macro` earliest=-60m (action="deny" OR action="blocked") | bin _time span=1m | stats count as event_count by _time
I think this is the same as a previous time I did the query, which did end up going to the "Learn" stage. It ended up throwing an error stating that dependencies were required the last time. The admin has stated they installed the missing dependencies, so it should be working. Now it's not even going past the "Define" stage and it's not giving any error messages, so either there's something wrong with my query or the app still has an issue. I'd appreciate any help in this matter.
Hello all! I am unable to ingest log data from the host on which my Docker container resides. Since it is a container, I do not have access to the host logs. I also tried installing a universal forwarder on the host, but since ports 8089 and 9997 are already bound to the container, that does not work. I would appreciate any suggestions. Regards, Virgil
Hello Team, when I'm trying to run the below query for MaxMind, I'm getting an error.
index=prod_guest_business | head 50 | `seckit_iplocation(src_ip)` | `seckit_iplocation(src_ip,all_fields)` | table src_ip src_ip_city src_ip_country src_ip_lat src_ip_long
Error:
Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/SecKit_SA_geolocation/bin/SecKit_geo_lookup.py'. The search job has failed due to an error. You may be able view the job in the
Hello, I am creating a dashboard in which I have a search that returns a multivalue field table. I'm also using a JS script and a CSS script to make this table look better. Each time I open/refresh the dashboard, I have the impression that the JS script loads before the searches finish loading. So I have to press the edit button to see the JS script applied to the table search. Do you have a solution to fix this problem? Thanks in advance!
The Upgrade Readiness App tells me that version 8.0.2 of my Palo Alto Networks and Palo Alto Networks Add-On apps is incompatible with Python version 3. The Splunkbase page shows it's Splunk Cloud 9.0 compatible, so is it safe to assume this is a false positive?
Hi, I am creating a query to identify users connected to our Exchange on-prem servers using Microsoft Modern Authentication. So far I managed to get the user SID and, using the ldapfilter command, I obtain the user account related to the SID, but I get two rows for some reason. Could someone point out what the issue could be? Or maybe a better way to reach the same goal.
index=msexchange sourcetype=MSExchange:2016:WinHttp host=LABMX1 AuthMethod=Bearer
| stats count(_time) as totalConnections, earliest(_time) as lastcon, values(UserAgent) as UserAgents by UserSID
| eval last_connection = strftime(lastcon, "%Y%m%d")
| table UserSID, last_connection, UserAgents, totalConnections
| appendpipe [| ldapfilter domain=LAB search="(objectSid=$UserSID$)" attrs=cn ]
The result:
UserSID  last_connection  UserAgents  totalConnections  cn
S-1-5-21-2872280-2353677280-1887909603-18694  20230515  Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4266; Pro)  61
S-1-5-21-2872280-2353677280-1887909603-18694  20230515  Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4266; Pro)  61  Josh Wright
There is a search endpoint on Splunk for running searches remotely via the REST API and streaming back the search results as they become available (search/v2/jobs/export). There is also a rest command in Splunk. One would think that it is possible to use the rest command to run searches on the endpoint "search/v2/jobs/export", for example like this:
| rest /services/search/v2/jobs/export splunk_server=local search="123"
However, I get the error message "Method Not Allowed" when I try to do this. I suspect this is because the endpoint is expecting an HTTP POST, not an HTTP GET. Has anyone managed to do a search on this API endpoint like this using the rest search command, or have any idea on how to do it?
Hello, I am running the following query.
index=sys_tools_ecc-appd application_name=CAPRI-1130 | table * | search source=business_transactions business_transactions.metricName="*Average Response Time (ms)*" | timechart avg(business_transactions.metricValues{}.value) by business_transactions.metricPath
The business_transactions.metricPath names are all too long; examples below:
1. Business Transaction Performance|Business Transactions|APP|/dbq/ecrud|Average Response Time (ms)
2. Business Transaction Performance|Business Transactions|APP|/dbq/BTSXDRRequest_PortTypeWS|Average Response Time (ms)
I need to trim them from both sides: remove "Business Transaction Performance|Business Transactions" from the front and "|Average Response Time (ms)" from the back before displaying them in the column.