I'm trying to determine the order of precedence when a user has two roles that both assign a default app (i.e., user-prefs.conf, default_namespace). For example, user "bob" has the following roles: workspace_default and workspace_engineering. On the search head, in the acme_zglobal_ta app:

user-prefs.conf
[role_workspace_default]
default_namespace = global_app

In the acme_engineering_ta app:

[role_workspace_engineering]
default_namespace = engineering_app

The lexicographical sorting of the apps doesn't seem to play into it, since global_app is the one given to Bob. Any insights?
What is the best way to deal with building searches and alerting in a Hyper-V environment in which VMs pull MAC address from a pool controlled by the cluster nodes?  Is setting all of my VMs to use static MAC addresses best practice (this is a large undertaking and would require maintenance) or is there a better way to do this?  Should I rely on another variable to track these assets?
I want to restrict all users except for one role from accessing the contents of one index. In doing so I have updated authorize.conf with the settings below:

[role_abc]
searchIndexesAllowed = *
srchFilter = (index::abc_confidential)

[role_super_user]
searchIndexesAllowed = *
srchFilter = *

When this change is in place, though role_super_user behaves as expected, the other roles which have the restriction are not able to search any data in Splunk. Instead of restricting users belonging to the role from searching for content in the specified index, none of the indexes are searchable. I have tried from the UI and CLI; nothing seems to work. Can someone please assist me in restricting all roles except one from accessing index=abc_restrcit while still being able to search data from the other indexes?
Hello, I have a list of host pairs, e.g. hostA1 and hostA2, hostB1 and hostB2, etc. I'm currently trying to search for event A to happen for each host pair and show the results count by each pair of hosts, rather than by individual hosts. E.g. the results would show:

Pair 1: Host A1 or Host A2    2
Pair 2: Host B1 or Host B2    93
Pair 3: Host C1 or Host C2    42

Is it also possible to do this using a lookup file?
I have a dashboard that has a dropdown which takes in the values from a csv file. Is there a way I can add on to the results of the csv file without altering the csv file so that these two results show up in the dropdown?

<search>
  <query>| inputlookup domains.csv | fields display, domain | dedup domain</query>
  <earliest>-24h@h</earliest>
  <latest>now</latest>
</search>

I need to add a couple more results to the dropdown that I'm currently extracting from the csv file. Any help is appreciated!
Hi, we have application availability data in Splunk. With the SPL below, I got this data:

Base_SPL.. | streamstats reset_on_change=true count as Real_Status by status,JobName

The challenge is to identify if 2 or more successive failures have happened. Only show ALL FAIL events if there are 2 or more successive failures. In the table below, only the contents highlighted in RED need to be shown (ignore the failure highlighted in GREEN). If I filter with the SPL below, then I will miss the 1st FAIL event (highlighted in RED):

where Real_Status > 1

So how do I solve this challenge?

JobName   status   Real_Status
Process1  SUCCESS  1
Process1  SUCCESS  2
Process1  FAIL     1
Process1  SUCCESS  1
Process1  FAIL     1
Process1  FAIL     2
Process1  FAIL     3
I have some SPL that generates a table that looks like this for several builds of a job:

Prepare          1.003
Execute Test     44.544
Collate Results  556.44
Post             23.33

And it outputs this for each build that matches the SPL query. I want to be able to calculate the average time elapsed per stages{}.name from each stages{}.duration returned. When I use avg(stages{}.duration), it seems to average over all of the results in a way that isn't coherent. For instance, I want to display a bar chart of the following table:

Prepare          <Average of Prepare stage>
Execute Test     <Average of Execute Test stage>
Collate Results  <Average of Collate Results stage>
Post             <Average of Post stage>
Hello! Been using the universal forwarder for years connecting to a heavy forwarder currently forwarding to Splunk Cloud. Installing it on a new AWS host, running into the below errors when data inputs change. I've confirmed that the forwarder is reachable out from the host using telnet. Any ideas?

05-08-2023 10:35:09.570 -0400 INFO AutoLoadBalancedConnectionStrategy [668 TcpOutEloop] - Removing quarantine from idx=10.9.101.133:9997 connid=2
05-08-2023 10:35:09.570 -0400 INFO AutoLoadBalancedConnectionStrategy [668 TcpOutEloop] - Removing quarantine from idx=10.9.101.133:9997 connid=3
05-08-2023 10:35:09.601 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.648 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.679 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.726 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.773 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.773 -0400 WARN AutoLoadBalancedConnectionStrategy [668 TcpOutEloop] - Applying quarantine to ip=10.9.101.133 port=9997 connid=3 _numberOfFailures=2
05-08-2023 10:35:09.804 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.804 -0400 WARN AutoLoadBalancedConnectionStrategy [668 TcpOutEloop] - Applying quarantine to ip=10.9.101.133 port=9997 connid=2 _numberOfFailures=2
05-08-2023 10:35:09.851 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
When bringing in assets and identities to Splunk ES via an input is there any value in separating the lookups by domain?  When I bring in the identities from multiple sources the events are multivalue so one event may contain 5 usernames and 5 different domains.
Hello, I have 2 different files named lookup1.csv and lookup2.csv, which both have column A and column B. How can we merge the two files using a single word in Column A in both files with a sentence in it?

lookup1: Column A: "I am good"
lookup2: Column A: "I am bad"

I want to combine both files using the word "I am" in this case. Any help would be appreciated.
Hello, I am creating a dashboard through Studio that contains status icons, but when I make the width or height smaller than 35, the icon disappears. Is there any way to make the icons smaller than 35? Driving me crazy trying to find a solution. Thanks for any help on this one, Tom
Below is my CSV file format.

Time Span:,Full
Time-span Rate:,Cumulative
Scope:,Net
This is Table Header
Field1,Field2,Field3,Field4
Total1,/,1.20%,2.34%,N/A
Total2,/Total2,1.20%,2.05%,N/A
Total3,/Total/Total3,1.20%,N/A,N/A
Effect4,/Total/Total4,0.00%,N/A,N/A

Here the first 3 lines are common fields and values. The 4th line is the table header (willing to extract that as a field as well if possible). The rest is the actual CSV file; I would like to extract it as field value pairs.
Hi, the Splunk forwarder is sending data to the indexer at 4 o'clock, but the indexer indexes it by 4:30, so there is a 30 minute latency. How do I troubleshoot this? Thanks, Ramana
After installing the Splunk Enterprise Security (ES) app using the splunk-enterprise-security_701.spl file, I noticed that the "Security Posture" dashboard was empty and searching for index=notable returned no results. Upon further investigation, I discovered that there was no inputs.conf file present in the /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local directory.
How do I fetch the value from a search text box and pass the value to a query to get results?
I know that Splunk removed old installation files, but if by any chance someone has the above mentioned version available, pl
Can someone provide an explanation of the headers x, y1, y2, y3, and y4 in the "Todays_ License_ Usage" report? I would like to understand their specific meanings.
Device_ID  Handset_ID
1          Serial Number
1          Started
1          1420
1          1420
1          1420
1          Serial Number
1          Started
1          1420
1          Serial Number
1          Started
1          1420
1          1420
1          1420
1          Serial Number
1          Started
1          Serial Number
1          Started
2          1420
2          1420
2          Serial Number
2          Started
2          Serial Number
2          Started
2          Serial Number
2          Started
2          20
2          Serial Number
2          Started
2          Serial Number
2          Started

Expected Output: the count should be based on the keyword "Serial Number" followed by a Handset_ID up to the next "Serial Number". If there is no Handset_ID in between, it should skip those rows (e.g. the last 4 rows).

Handset_ID  Total Count
1420        4
20          1
How do I specify two similar values with slight differences in their spelling (i.e. "In Progress" and "In progress") as a single option in a Multiselect input for a particular field, i.e. Status, as shown in the figure below:
I have a field returned with some search data that contains a date and time in UTC. I would like to be able to add 10 hours to the time.

a) Field contents (dateTime UTC): 2023-05-08T00:24:37.6079338Z
b) New field (Local dateTime):    2023-05-08 10:24:37.607

Is there a way to do the conversion from a) to b) in the search syntax?