I want v7.5.0 of app #1928, which is not visible in Splunkbase. How can I find the internal owner of the app? Please help with this.
Hi, I need some help with querying log events based on field values nested inside an escaped raw JSON object property. The screenshot below shows the complete JSON log event in "Show syntax highlighted" mode. I need to filter events based on properties in the parent JSON object and also combine field values from msg.object, which is also a proper JSON object. I tried rex and spath but couldn't filter the events the way I need. Any help is appreciated. Thanks.

I am looking for a query to filter events matching the highlighted fields in the Splunk event log screenshot. This is for a dashboard with dropdowns for the app, clientName, requestType, and state fields. I should be able to filter the log events based on the dropdown selection.

index=x05_dev app=mock-app msg.detail{}.value=value1
| search msg.object.headers.requestType="basic"
| search msg.object.body.client.clientName="XyzClient"
| search msg.object.body.order.details[*].address.state="MN"

[Screenshot: Sample Splunk Log Event]
I calculate the requests per second for my application using the following query:

method!=GET process="start" | timechart count by region limit=0 | timechart per_second(*)

I also calculate the number of errors my application is producing using the following separate query:

process=end AND status=500 | timechart count | timechart per_second(*)

I am trying to find a query that will answer when my application "breaks", or in other words, what requests-per-second rate causes my application to have more than N errors.
We are using Fujitsu Market Place and have AppDynamics installed. We are not convinced we have the optimal configuration, as we do not detect any traffic for some of the tiers, particularly "StoreCashManagement". We are interested to know if there are others using AppD with FJMP, and how they have their configs. Thanks, Greg Burkhead
The same configs (cluster-agent and app deployment) are working in an existing k8s cluster. When I copy them (the intention is to move) to a new cluster, the new cluster successfully registers on the AppD console, but no tier or transaction shows up. The cluster agent log says:

containermonitoringmodule.go:455 - Either there are no containers discovered or none of the containers are due for registration

and repeats:

agentregistrationmodule.go:145 - Successfully registered agent again DTVUS-IT-DTVCP-EPOCH-Dev-East

The cluster-agent has:

tierNameStrategy: manual
instrumentationRules:
  - namespaceRegex: nodejs
    tierName: dev-east
    instrumentContainer: select
    containerMatchString: epoch-awsmw-offerms-dcp   # I verified that this matches the container name.

What am I missing?
How can we send DNS logs from Splunk to Chronicle?
https://cdn.appdynamics.com/packages/nodejs/23.3.0.0/appdynamics-libagent-napi-native-osx-x64-v19.tgz

```
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>4CWXKH0ADWB5A3Z1</RequestId>
<HostId>IJWj3tUmCzpZ0pAbh3Kamn86VZOFlRha1MhM9BzCsWgIDnhHM6U1UyHqxkfv28IeZGLa4yjXy2U=</HostId>
</Error>
```
Is it possible to have action.summary_index._name have multiple values? I.e., can I have a saved search write to more than one summary index? Ex. action.summary_index._name = my_alerts,general_summary
Hi all,

I have a testapp with a saved search containing:

[testsearch]
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = 1 * * * 1
dispatch.earliest_time = -7d@d
dispatch.latest_time = -0d@d
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
search = | makeresults

When I install the app using the GUI/API or command line, I see the schedule for next Monday 1am. When I now change the schedule and settings to:

[testsearch]
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = 5 * * * *
dispatch.earliest_time = -16m@m
dispatch.latest_time = -1m@m
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
search = | makeresults

and check with

| rest /servicesNS/-/testsearch/saved/searches | table title cron_schedule eai:acl.app cron_schedule next_scheduled_time | rename eai:acl.app as app | search title=*testsearch

I see that next_scheduled_time is still next Monday. Running a /debug/refresh or

curl -k -u admin:XXX https://localhost:8089/servicesNS/nobody/testsearch/admin/localapps/_reload

does not fix the issue. It seems only restarting the search head, waiting until the next schedule (multiple days in this case) or changing it using the GUI fixes the issue.

In our case none of the above is possible, as we are deploying our apps using a CI/CD pipeline. Any hint or workaround?

Best regards,

Andreas
I have to search for events. I have one event, let's say MIT=" step started", and another event says MIT=" step completed". Now I have to ensure that both events have been included in my search criteria in such a way that:
Case 1: If the first event is started, the second event will get completed.
Case 2: If the first event is not started, then the second event will also not be complete.
Considering these conditions I need search criteria.
Hi, I have installed the VirusTotal add-on for Splunk. When I enter the dashboards that are already pre-built I find that the data is related to .csv files. When I enter one of the panels to see how the query is constructed I see that it is indeed a list of IP address values and a reputation level given by VirusTotal.

| inputlookup vt_ip_cache | search vt_detections > 0 | where "1" = "1" OR _first_seen_in_events >= relative_time(now(), "1") | stats count

I am currently on a license of X amount of GB which I am using to ingest logs from many Windows machines and some Azure services, so I am getting the firewall logs in Elasticsearch and I use the command

| ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="*" fields="SourceIP"

Each query independently brings me results, but what I need is to correlate the VirusTotal source logs on the IP addresses, where the field is called vt_id, and show only the ones that match the logs from the Palo Alto under the SourceIP field. I am not very skilled with this type of query and for this reason I ask for your help. I managed to build this query, which does not bring me results, either because there are no matches or because it is incorrect. What do you think?

| inputlookup vt_ip_cache | search vt_detections > 0 | table vt_id vt_collections_names | append [| ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="*" fields="SourceIP" | table SourceIP] | where vt_id==SourceIP | table SourceIP vt_id vt_collections_names

Would you help me to adjust or improve it?

Thanks
I wanted to reconcile the data from 2 indexes, say index=A and index=B. Both indexes have some common fields like field1, field2, field3, field4, field5. At the end I wanted to compare the data from index A and index B side by side with a time span of 1s. The report should display _time index1 index2 source field1 field2 field3 field4 field5 and the difference between the 2 indexes (event count or any other).
I've created a summary index and a user with the admin role can see it when selecting the "Enable Summary Index" option, but the user with the power role cannot see that index at all.
Hi guys,

Post upgrade of Splunk to v9, we are noticing errors when invoking external endpoints using the curl command. We are receiving a 400 response from the external endpoints. No changes have been made at either of the places and the only change is upgrading the Splunk version to v9. We tried to re-create the issue in Postman and found that these errors occur when we do not pass either the Content-Length or the Host in the header. How do we check if these details are being passed by curl? Has anyone else faced similar issues? Any suggestion on how to work around it? We are not seeing any SSL error. We are able to get a response from the endpoint if we are accessing services available using the GET method. We are having issues only when we use the POST method.

We are using Splunk v9, webtools 2.0.2.

Thanks
Vik
For an adhoc search, users can click Job -> edit job settings and change read permissions to "everyone". How can I restrict users from being able to do this?
I am able to sync my data from the Cisco-managed S3 bucket to a local folder on my heavy forwarder. The files are comma-delimited with double quotes, with a comma and empty double quotes to show the end of the line (maybe)? Example:

"date time stamp","user","internal ip address",""

So how do I create the custom event types to get the source and destination IP addresses?
So there are tons of documentation on whitelisting through the subsearch approach using lookups; however, is it possible to whitelist using another search criterion within a search? For example...

| search 1 index=blah1 [ sub search 2 index=blah2 ] | if user in search 2 is in 1, whitelist

Remember, I know how to whitelist through lookups. Just curious to know if there is another way.
This question was asked in an interview. The index is Splunk's _internal, and the fields are host and date_month. I want to create an output in such a way that the columns will be "Month", "Host", "Count". In the Month column each row will represent each day of the month, in the Host column the name of the 1st host will appear for all days of that month, and the count in the Count column. After the last day of the month, in the Month column I want to display the month name, in the Host column the name of the 2nd host for all the days of the month, and the count. How do I write the SPL query for this?
Hi, I have the Splunk_TA_nix installed and deployed. In general it works. I activated interfaces.sh, which does give me IPv4 addresses and IPv6 link-local addresses but none else. Since I have a primarily IPv6 environment I miss the most important part, but I don't understand why it delivers me the link-locals but not the public addresses. I could not find any documentation or anything about activating IPv6 for interfaces.sh, and since there are link-locals I guess it is activated but the script maybe has a bug. Can anyone tell me if there's better documentation for this script anywhere, or does anyone know why it does not collect the IPv6 addresses?
Hi team,

We have a requirement: "some dashboarding in Power BI and connecting it to Splunk for data." Is this possible in a Splunk Cloud environment? If yes, can you please help me with the steps to configure it?