All Topics
Hello, I need a Splunk ID for taking a Splunk Certification exam on PearsonVUE. How do I get the 6-digit ID?
Hey, I had a quick question about my Splunk search that doesn't work. I'm using timechart and was wanting to display the single value visualization while having that sparkline. On some of these forum posts, I saw where they were using accum right after timechart, but my visualization just displays one of the values; I'm wanting it to accumulate while showing the sparkline.

Here's the code I'm using:

index=ironport source="/export/var/splunk/ironport/mail/*"
| rex "((?<Domain>((@[a-zA-Z0-9._-]+\.[a-zA-Z0-9_-]+))))"
| search Domain="@mail321.bluematrix.com"
| stats values(src_user) as src_user values(recipient) as recipient values(size) as msg_size values(_time) as _time values(eval(lower(Domain))) as Domain by MID
| eval Total_MB_Sent=msg_size/1024/1024
| table _time, Domain, Total_MB_Sent
| timechart span=1hr sum(Total_MB_Sent) AS MSG_Sum by Domain
| accum MSG_Sum

I think it's just updating the value shown, but it isn't accumulating. Any help would be appreciated.
Hi folks, below is the log snippet that I am working on to generate a report:

dare=10-05-2023,uniquieId=123 ,Request body: {"name":"test123","id": "Id123"}
dare=10-05-2023,uniquieId=234 ,Request body: {"name":"test234","id": "Id234"}
dare=10-05-2023,uniquieId=345 ,Request body: {"name":"test123","id": "Id345"}
dare=10-05-2023,uniquieId=123 ,Response body: {"role":"1"}
dare=10-05-2023,uniquieId=234 ,Response body: {"role":"2"}
dare=10-05-2023,uniquieId=345 ,Response body: {"role":"1"}
....
....
....
.....

I want daily stats on name and role. How do I combine the results based on uniquieId, as below?

date         test123   test234
10-05-2023   2         1
We would like to bubble up alerts from Splunk to our alert management platform. I see there are a couple of options: AWS SNS Topics, and a Webhook Alert. With either of those there is a security issue, as it would require us to open an API or SNS Topic to the world. What I would like, in the case of SNS, is to know if there is an AWS account or IP to which I could restrict ingress. For the webhook I guess it could only be an IP restriction from the Splunk hosts. Also, if there is a better option / add-on available to increase security here I would be interested. I just haven't found anything other than "Observability Cloud", which we do not have a license for. Thanks!
Is there any possibility to find the index name mapped to the host from any search query (internal index)? The reason behind this is that we have 200+ forwarders which need to be upgraded, and for this we have to inform the application team to get them upgraded.
Hi, I am new to Splunk and need to understand the below query and the results coming from it.

| eval c_time=(strftime(latest,"%d"))
| eval c_time2 = c_time * 86400
| eval newdate=latest - c_time2
| where _time >=newdate

The results: can anyone please explain the above query and the results, why we are multiplying with c_time * 86400, and how I get the current May month time?
I have a classic dashboard that has 8 separate 'pages' controlled by a dropdown selection. I just added drilldowns to almost every visualization and have around 60 searches in the dashboard and it's starting to get laggy. Is there a way to only execute searches on the page when I select it, instead of all at once?  
In an index I have files in hexadecimal and I want to convert them to text in a search. Is there a way to parse that file as hexadecimal and convert it to text? Could you help me? Greetings
Hi, I have a dashboard with a table and some columns with colorPalette and scale. I'd like to set the range of the scale for the colorPalette dynamically using a text input. I did that but it is not working:

<input type="text" token="myValue" searchWhenChanged="true">
  <label>Value Scale</label>
</input>
...
...
<format type="color" field="transaction/arbitrage_v2.0">
  <colorPalette type="list">[#FFFFFF,#D41F1F]</colorPalette>
  <scale type="threshold">$myValue$</scale>
</format>

but myValue is not interpreted. Is it possible to solve? Thanks in advance
Hi Team, I created an AWS EC2 instance and installed Splunk Enterprise on Ubuntu successfully. The Splunk service and ports are running fine but I am not able to access Splunk Web; it's showing "site can't be reached". I saw many posts relevant to the same issue but it's not working. Kindly give clear info regarding this. Regards, Reddy Kumar
For the below table, in the 26th row the count should be 8 because there is a different Mac_ID in between.

| streamstats count(eval(Mac_ID=="Serial num")) as Inspection_Count

The query which I have written is: if a serial number is followed by a mac_id, then the count should be calculated. But here in the 26th row there is no serial number, so the count is continuing. How can I change it so that the count changes if Mac_ID changes in between when there is no serial number?

Sno  _time                          Device_ID  Mac_ID     Inspection_Count
1    2018-05-31T03:24:57.182+05:30  10         Started    1
2    2018-05-31T03:24:57.182+05:30  10         Serialnum  1
3    2018-05-31T03:24:58.869+05:30  10         5102       1
4    2018-05-31T03:25:09.179+05:30  10         5102       1
5    2018-05-31T06:23:23.446+05:30  10         Started    2
6    2018-05-31T06:23:23.446+05:30  10         Serialnum  2
7    2018-05-31T06:23:24.608+05:30  10         5102       2
8    2018-05-31T06:40:46.619+05:30  10         Started    3
9    2018-05-31T06:40:46.619+05:30  10         Serialnum  3
10   2018-05-31T06:46:59.594+05:30  10         5102       3
11   2018-05-31T06:47:00.084+05:30  10         5102       3
12   2018-05-31T06:47:03.098+05:30  10         5102       3
13   2018-05-31T06:58:30.714+05:30  10         Started    4
14   2018-05-31T06:58:30.714+05:30  10         Serialnum  4
15   2018-05-31T07:21:47.990+05:30  10         Started    5
16   2018-05-31T07:21:47.990+05:30  10         Serialnum  5
17   2018-05-31T07:22:09.677+05:30  10         5102       5
18   2018-05-31T07:22:10.063+05:30  10         5102       5
19   2018-05-31T07:22:11.070+05:30  10         5102       5
20   2018-09-05T10:30:13.455+05:30  86         Started    6
21   2018-09-05T10:30:13.455+05:30  86         Serialnum  6
22   2018-09-05T11:08:18.761+05:30  86         Started    7
23   2018-09-05T11:08:18.761+05:30  86         Serialnum  7
24   2018-09-05T11:08:41.907+05:30  86         7878       7
25   2018-09-05T11:08:42.071+05:30  86         7878       7
26   2018-09-05T11:09:04.068+05:30  86         8765       7
27   2018-09-05T11:09:26.877+05:30  86         8765       7
28   2018-09-05T11:09:41.845+05:30  86         8765       7
I have events where hostnames show up more than once and I would like to combine them. The fields available are DNS, Host_Auth, and IP. There will be events where the DNS is the same but the Host_Auth will be null and the IPs will be different. How can I combine by DNS to show the Host_Auth value that is not null and show the IPs of the combined DNS?
When creating a playbook, the view of individual blocks goes away when adding custom code. Is this expected or some type of glitch? Usually the view can be used to better visualize the workflow, and makes edits easier, so not sure if this is intentional or an issue.
I'm creating a bunch of status dashboards where I need to search for a specific set of hosts and persist a result (adding a null value later). I want to use the same macros to keep my search sizes down. I want to have searches that look like this:

index=main host IN (`listofhosts`)
| do some filtering
| append [| makeresults | eval host = "`listofhosts`" | eval state=0 | makemv delim="," host | mvexpand host | fields host state]
| stats first(*) AS * by host
| do some more cool stuff

I know that my hosts don't have spaces in them, so I figure I can write `listofhosts` as

host1,host2,host3,host4

without quotes so the host search at the top will work. But "`listofhosts`" does not call the macro (because it's in a string). So, is there any way to call a macro within the body of a string?
I need a Splunk query to parse JSON data into table format. Raw data/event in Splunk:

<158>May 09 04:33:46 detailedSwitchData {'cnxiandcm1': {'Ethernet1': 'MAC ACL Enabled', 'Ethernet2': 'MAC ACL Enabled', 'Ethernet3': 'MAC ACL Enabled', 'Ethernet4': 'MAC ACL Enabled', 'Ethernet5': 'Dot1x Enabled', 'Ethernet6': 'Dot1x Enabled', 'Ethernet7': 'Dot1x Enabled', 'Ethernet8': 'Dot1x Enabled', 'Ethernet9': 'Dot1x Enabled', 'Ethernet10': 'Dot1x Enabled', 'Ethernet11': 'Dot1x Enabled', 'Ethernet12': 'Dot1x Enabled', 'Ethernet13': 'Dot1x Enabled', 'Ethernet14': 'Dot1x Enabled', 'Ethernet15': 'Dot1x Enabled', 'Ethernet16': 'Dot1x Enabled', 'Ethernet17': 'Dot1x Enabled', 'Ethernet18': 'Dot1x Enabled', 'Ethernet19': 'Dot1x Enabled', 'Ethernet20': 'Dot1x Enabled', 'Ethernet21': 'Dot1x Enabled', 'Ethernet22': 'Dot1x Enabled', 'Ethernet23': 'Dot1x Enabled', 'Ethernet24': 'Dot1x Enabled', 'Ethernet25': 'Dot1x Enabled', 'Ethernet26': 'Dot1x Enabled', 'Ethernet27': 'Dot1x Enabled', 'Ethernet28': 'Dot1x Enabled', 'Ethernet29': 'Dot1x Enabled', 'Ethernet30': 'Dot1x Enabled', 'Ethernet31': 'Dot1x Enabled', 'Ethernet32': 'Dot1x Enabled', 'Ethernet33': 'Dot1x Enabled', 'Ethernet34': 'Dot1x Enabled', 'Ethernet35': 'Dot1x Enabled', 'Ethernet36': 'Dot1x Enabled', 'Ethernet37': 'Dot1x Enabled', 'Ethernet38': 'Dot1x Enabled', 'Ethernet39': 'Dot1x Enabled', 'Ethernet40': 'Dot1x Enabled', 'Ethernet41': 'Dot1x Enabled', 'Ethernet42': 'Dot1x Enabled', 'Ethernet43': 'Dot1x Enabled', 'Ethernet44': 'Dot1x Enabled', 'Ethernet45': 'Dot1x Enabled', 'Ethernet46': 'Dot1x Enabled', 'Ethernet47': 'Dot1x Enabled', 'Ethernet48': 'Dot1x Enabled', 'Ethernet49': 'Dot1x Enabled', 'Ethernet50': 'Dot1x Enabled', 'Ethernet51': 'Dot1x Enabled', 'Ethernet52': 'Dot1x Enabled', 'Ethernet53': 'Dot1x Enabled', 'Ethernet54': 'Dot1x Enabled', 'Ethernet55': 'Dot1x Enabled', 'Ethernet56': 'Dot1x Enabled', 'Ethernet57': 'Dot1x Enabled', 'Ethernet58': 'Dot1x Enabled', 'Ethernet59': 'Dot1x Enabled', 'Ethernet60': 'Dot1x Enabled', 'Ethernet61': 'Dot1x Enabled', 'Ethernet62': 'Dot1x Enabled', 'Ethernet63': 'Dot1x Enabled', 'Ethernet64': 'Dot1x Enabled', 'Ethernet65': 'Dot1x Enabled', 'Ethernet66': 'Dot1x Enabled', 'Ethernet67': 'Dot1x Enabled', 'Ethernet68': 'Dot1x Enabled', 'Ethernet69': 'Dot1x Enabled', 'Ethernet70': 'Dot1x Enabled', 'Ethernet71': 'Dot1x Enabled', 'Ethernet72': 'Dot1x Enabled', 'Ethernet73': 'Dot1x Enabled', 'Ethernet74': 'Dot1x Enabled', 'Ethernet75': 'Dot1x Enabled', 'Ethernet76': 'Dot1x Enabled', 'Ethernet77': 'Dot1x Enabled', 'Ethernet78': 'Dot1x Enabled', 'Ethernet79': 'Dot1x Enabled', 'Ethernet80': 'Dot1x Enabled', 'Ethernet81': 'Dot1x Enabled', 'Ethernet82': 'Dot1x Enabled', 'Ethernet83': 'Dot1x Enabled', 'Ethernet84': 'Dot1x Enabled', 'Ethernet85': 'Dot1x Enabled', 'Ethernet86': 'Dot1x Enabled', 'Ethernet87': 'Dot1x Enabled', 'Ethernet88': 'Dot1x Enabled', 'Ethernet89': 'MAC ACL Enabled', 'Ethernet90': 'MAC ACL Enabled', 'Ethernet91': 'MAC ACL Enabled', 'Ethernet92': 'Dot1x Enabled', 'Ethernet93': 'Dot1x Enabled', 'Ethernet94': 'MAC ACL Enabled', 'Ethernet95': 'MAC ACL Enabled', 'Ethernet96': 'Dot1x Enabled', 'Ethernet97/1': 'Uplink Port', 'Ethernet98/1': 'Uplink Port', 'Ethernet99/1': 'Uplink Port', 'Ethernet100/1': 'Uplink Port', 'Ethernet101/1': 'Uplink Port', 'Management1': 'Uplink Port'}}

Output table:
Hi. Following an upgrade from version 8.2.4 to version 9.0.4.1 we're encountering an issue with Configuration bundle actions. We're unable to push a new configuration bundle to the indexers as the validation is unsuccessful. It seems like the Latest Bundle ID is not being updated following any change in the bundle. I'd appreciate any help on this. Thanks
I am using the above Splunk query: stats count by BankType. I am getting the result as SBI 27, AXIS 15, CITI 12, but I want to sum the counts of AXIS and CITI and display it under the AXIS column. So basically the output would be something like this: SBI 27, AXIS 27. Can anyone suggest what we can do here?
I have a Splunk dashboard that looks like the below, and I have added the text filter. When I try to search with the text filter it works, but it only works when I search by one App. I want it to search so that if I search "Max, Pan, Ian" it will give me the details for the 3 rows. I have 4000 unique apps, so I want it so that if I search Max, Pan, Ian it will give me 3 rows of details. If someone can help me on this, it would be greatly appreciated.
Hi Team, I have 2 panels in our XML dashboard that are side by side, as shown in the below screenshot. I need those 2 panels one below the other in the same row with the same width. Please help me on this. Again, the dashboard which we are using is the classic dashboard.
Hi, while trying to install Splunk UF on Windows Server 2022 to send logs to a Splunk Cloud instance, we encounter this "Universal forwarder setup wizard ended prematurely" error. This value was found in the MSI logs:

Back from server. Return value: 1603

What could be the cause of this error?