Does Splunk have any predefined, pre-existing or canned Event Sequences already built, and essentially ready to be used, possibly with some minor tweaks?
Hi Team, I would like to achieve the below dashboard, which has an outer grid with multiple panels inside. Please check the XML code. Kindly help in achieving this.
I'm trying to implement a chart, so users can select their options from a multi-select input box, and automatically update the chart with the selection the user chose (1 to many).

index=abc dict1 | rename dict1.hardware as hardware, dict1.build as build | eval mv=mvappend("process1", "process2", "process3") | foreach mode=multivalue mv [rename dict1.<<FIELD>>.duration as duration | chart avg(duration) OVER build BY hardware]

1) Can I have this done in one chart?
2) Can I also have an option to dynamically create multiple charts?

TIA.
Hi, I have a JSON file of Sysmon logs. I want to load it locally into Splunk Enterprise but I faced some difficulties. I downloaded the Splunk Add-on for Sysmon but have no idea what I should do next. Thank you in advance!
I created an extracted field called remote_user. My search for certain dates brings the field value properly. However, the same search for some other dates does not bring the proper values. I checked the events and the extracted field is malformed on the dates having issues. The remote_user field value will be like "CompanyName John_doe". On the days when the search is working, remote_user shows "CompanyName John_doe". On the dates when the search is not working, the field shows the value as "CompanyName". How can the same extracted field work differently on different dates? Any suggestions?
I have the following query:

"MyToken" status >= 400 | stats count by status,action

That produces a table like:

status | action  | count
404    | action1 | 20
500    | action2 | 30
400    | action3 | 50

I would like to add a constant "description" depending on the status so that, for example, the output looks like:

status | action  | count | description
404    | action1 | 20    | NOT FOUND
500    | action2 | 30    | INTERNAL ERROR
400    | action3 | 50    | INVALID Request

The description should map from the status.
I'm looking to change the width of the multiselect input box. It's currently dynamically updated, and the length of the input varies. Would it be possible to change the width dynamically (if not static)? TIA.
Hi, when I was developing the app I was testing on UNIX; these settings (below) worked very well and kept the number of jobs down (dispatch directory). I have put the app on Windows, however, and they don't seem to be working. When I run btool I can see they are in the correct place (well, I think they are; please correct me). Is there anything I should know about moving an app developed on UNIX to Windows, please? Thanks in advance. How do I know it is not working? In the UNIX image we can see the number of jobs staying low (green box); in the Windows image we can see the number is rising. Rob
We have a search which is feeding data to a KV store lookup, let's say lookup name 'sample_test'. Now I want to run a weekly scheduled search that will compare the index source data and the data in 'sample_test' and remove the entire row from the KV store lookup which is not in the index source data.

Example:

KV store data ('sample_test')
X | Y | Z
a | A | 1
b | B | 2
c | C | 3
d | D | 4
e | E | 5

Index Source Data
X | Y | Z
a | A | 1
b | B | 2
c | C | 3
d | D | 4

So ideally, when comparing the above 2 tables, the last row in the KV store lookup is not present in my source data; I need to run a weekly scheduled search to remove that last row from the KV store. It would be very helpful if anyone can help me to resolve this issue. Happy Splunking!!
Hi Splunk pals, I am getting an error when trying to write a relatively large file using tstats:

splunk "StatsFileWriterLz4" write failed file=<path_to_file>.lz4

The SPL is a tstats query that creates a massive data table used as a base search to power several reports in a dashboard. I know that LZ4 took over from Gzip in Splunk version 6-7 or something. I have yet to find any other docs on how to begin troubleshooting this issue. I would paste my SPL, but I have a customer that ... let's say would be less than happy with me sharing this info. Any suggestions are welcome!
Getting this error via UI upgrade to Splunk 7.1: Invalid message type: 28. We're on version 9.0.4. Previous upgrades worked without this error using the UI.
What are the best configurations available to improve EPS for Windows events?
I am new to Splunk and facing an issue while setting up a custom alert. The results are as shown in Table 1. The one I have tried, highlighted in red below, is not working. How do I configure it for both of the values, i.e., DCOEtransfercount and NDMCopycount? Note: Ignore the DCOEtransfercount and NDMCopycount labels in both of the tables.
Hello Splunkers, I am facing an issue where a lookup data string changes to URL encoding when I double-click on the field. Even after I select other data fields, it continues to remain in URL-encoded format. Is there any solution to keep the string data as it is, without it changing to URL encoding when double-clicked? Please see the attachment. Thank you in advance for your assistance.
How do I convert the below time format, 2023-05-02T02:35:47Z, into 2023-05-03 15:37:22?
I have a Linux box that is very sensitive to agent overhead, resources, security, etc. Installing the UF on it is out of the question. However, I need to pull some nginx application logs. How can I accomplish this? I tried searching for answers here and in other places but I don't see a comprehensive answer. Thank you in advance.
Complete novice here, but I was able to get my search result thanks to others who have had questions. Currently I'm successfully running a search that shows me by hour where count = 0:

<<search>> | timechart span=1h count | where count=0

I get my date/hour in Statistics showing me each hour that's getting a count of 0. But I'd like to visualize it better. Hit Visualize and it shows me a nice chart with a flatlined Y axis. Of course, because everything is 0. I can't quite wrap my head around showing this data in a more visually appealing format. Every day there are a couple of "0 count" hours. Maybe something that shows each day and the number of "0 count" hours? Thanks in advance.
I have a problem where I need to use the Splunk API to return timechart graphs as an image; however, as the API cannot do this, I need to find another solution. I don't want to go down the route of using a local application to turn the returned data into a visualisation. I thought that a potential solution could involve starting the search via the API and obtaining the search/job ID. The script would then log in to the Splunk GUI instance and use the ID to find the search job and view the visualization as a human would. I could then screenshot the result, solving the problem. However, I don't see a way of taking a search ID and using it to get the visualization of that specific search. This is needed as part of a project that populates Jira tickets, so using the SplunkJS framework would be a complex solution that I would like to avoid if possible. Any help would be greatly appreciated.
I've seen a few posts on this topic but couldn't find an answer that fits my use case.

How can I change the sort order of data in a Trell... - Splunk Community
This one suggests adding spaces before the aggregated field but uses static data.

I have a single value trellis visualization on a dashboard that updates based on time-range radio buttons. The values change every few days, so I need a solution that is flexible with data updates.

| my search | stats count(Alert) as Alerts by App

The results have between 15-40 Apps, depending on time-range, that have values from 1-40. Since the trellis will only show 20 results on the first page, it would be much better to show the highest values first instead of alphabetical order of the App names.

I tried adding an eval statement at the end to assign the values to each App, but this sorts it from lowest to highest and doesn't account for double digits correctly, sorting them 1, 14, 2, 23, 3, 35, 38, 4, 41.

| my search | stats count(Alert) as Alerts by App | eval App="(".Alerts.") ".App | stats values(Alerts) by App

If there isn't a direct way to sort by value, I feel like this is on the right path but not quite right.

How to sort on single value in trellis? - Splunk Community
This seems to be in line with my train of thought, but I'm not sure how the "severity" field is generated.
Distcp job application_1681357021637_0984 MAPREDUCE Wed May 3 04:32:32 MST 2023 Wed May 3 04:32:40 MST 2023 SUCCEEDED default Fine edmse2
Oozie Job on Vip 0306563-230428030149477-oozie-oozi-W Shell-Action Wed May 3 04:32:09 MST 2023 Wed May 3 04:32:17 MST 2023 SUCCEEDED default nemoqee2
Spark Python Pi-job application_1681357021637_0983 SPARK Wed May 3 04:32:02 MST 2023 Wed May 3 04:32:11 MST 2023 SUCCEEDED default Fine edmse2

Need to extract fields like the below table fields, since each event is not the same.

Job Succeeded in Nemo-Stage-GLOBAL E2 on lpqecpdb0001556.phx.aexp.com

Application-Name | Application-Id | Application-Type | Start-Time | Finish-Time | Final-State | Queue | Queue Utilization
PI-job | application_1678348796091_805329 | MAPREDUCE | Tue May 2 04:30:09 MST 2023 | Tue May 2 04:30:22 MST 2023 | SUCCEEDED | default | Fine
Spark-job | application_1678348796091_805342 | SPARK | Tue May 2 04:31:10 MST 2023 | Tue May 2 04:31:17 MST 2023 | SUCCEEDED | default | Fine
Spark Python Pi-job | application_1678348796091_805345 | SPARK | Tue May 2 04:31:41 MST 2023 | Tue May 2 04:31:49 MST 2023 | SUCCEEDED | default | Fine
Distcp job | application_1678348796091_805347 | MAPREDUCE | Tue May 2 04:32:10 MST 2023 | Tue May 2 04:32:18 MST 2023 | SUCCEEDED | default | Fine
Oozie Job on Vip | 1446459-230327031301376-oozie-oozi-W | Shell-Action | Tue May 2 04:32:10 MST 2023 | Tue May 2 04:32:18 MST 2023 | SUCCEEDED | default |