
When 'tail -f /opt/streamfwd/var/log/streamfwd.log' is executed, why do I get the following message?

WARN [140610710128384] (HTTPRequestSender.cpp:1485) stream.SplunkSenderHTTPEventCollector - (#0) DNS lookup failed for "$decideOnStartup": Host not found (authoritative)
WARN [140610710128384] (HTTPRequestSender.cpp:1470) stream.SplunkSenderHTTPEventCollector - (#0) Recovery attempt failed
Hi, I want to use a lookup table as a whitelist for an alert.

1. I created a whitelist.csv lookup table including src, dst, protocol, user, whitelisted:

src | dst | protocol | user | whitelisted
192.168.10.1 | 120.18.97.6 | * | * | true
192.168.10.5 | * | * | * | true
* | * | https | bob | true

2. I created a lookup definition with match type: WILDCARD(src), WILDCARD(dst), WILDCARD(user), WILDCARD(protocol)

3. Added the following line to my search:

| lookup whitelist.csv src user dst protocol | where isnull(whitelisted)

But it does not work. Do I need to change anything?
I am encountering this error in the Splunk forwarder:

ERROR BTree [15252 TcpOutEloop] - 9th child has invalid offset: indexsize=93950440 recordsize=226914360, (Leaf)
ERROR BTreeCP [15252 TcpOutEloop] - addUpdate CheckValidException caught: BTree::Exception: Validation failed in checkpoint

Any suggestion about the possible causes?
We had previously been successfully using the Splunk SMTP app for SOAR (Phantom) until the beginning of this year. We are currently on v5.5.0 of SOAR and v2.3.0 of the SMTP app. I am wondering if anyone has successfully completed test connectivity with the combination of these two versions. We are currently receiving this output and error:

App 'SMTP' started successfully (id: 123456789) on asset: 'smtp'(id: 1)
Loaded action execution configuration
Using OAuth Authentication
1 action failed
Error retrieving system info, Status Code: 401 Error from Server: {"failed": true, "message": "Request Validation Error: Invalid or missing session token. Please refresh your session."}.
Test Connectivity Failed

We have had a support case open with Splunk for over a month. Looking to see if anyone out there has been able to get the SMTP app working. If you have given up on the SMTP app, what are you using to send emails instead?
Hi, I've faced an issue with summary indexing since last week. I have around 25 saved searches running 15 mins past the hour that save their results in the summary index. Based on the jobs, these searches run fine with no error, but sometimes summary index data is not written for some of these searches. I checked the _internal log and found the following:

reason=The maximum number of concurrent historical scheduled searches on this instance has been reached, Status=Continued

The concurrency limit on the search head is 39, and I changed max_searches_per_cpu to 2 on both SH and indexers, but no improvement! My issue is similar to this post, but the solution is for version 5. Could someone please help me with this? Thank you!
I have the following search string in my chart panel:

"Arguments.category{}"= "$TestSuite$"

TestSuite is defined by the following dropdown UI input:

| stats count by test_suite | fields test_suite

My question is, when I use this string "Arguments.category{}"= "$TestSuite$", the output returns this search:

"Arguments.category{}"= "(backend/resource_ql)"

I am interested in getting this (without the parentheses):

"Arguments.category{}"= "backend/resource_ql"

What am I doing wrong? Thanks in advance.
We have two CMDB tables logged in to Splunk:
1. CMDB Business application - business-related info
2. CMDB Rel - relationship table

We need business application info along with host name.

CMDB Business application table fields are:

AppNumber | AppName | AppOwner | ServerStatus
1 | APP 1 | X | Operational
2 | APP 2 | Y | Operational
3 | APP 3 | Z | Operational

CMDB Relationship table fields are:

AppParent | AppChild
APP 1 | APP 1 Production
APP 2 | App 2 Dev
APP 3 | APP 3 Test
 | HostName 1
 | HostName 2
 | HostName 3

The common fields from these tables are ApplicationName and AppParent (which is the application name). We need to combine the application number from the business application with hostnames. Is there any way to combine these two tables via Splunk search? There is no direct relationship between AppNumber or AppName and HostNames. These two CMDB tables are in different sourcetypes from the same index.
Hi, I have some antivirus events that show anti-malware action failed. With this I am trying to create an SPL search to identify when anti-malware action failed on a host, but also wait for the next 12 hours to see if that action has changed. If it has not changed it should generate results, otherwise it should not. I know the last part could be done with an if, but I am not sure how to do the time part. Thanks for the help.
Hi, I have many concurrent saved searches running, due to which the search delayed health indicator is always red. How do I change the cron schedule of around 500 saved searches together at once in Splunk Cloud so they are spread across the clock? TIA
Hi, we are using AWS cloud to run and maintain our infrastructure. So now we are using the splunk indexer in the log configuration of an ECS task definition to send logs to Splunk Cloud when a container boots up. And we are using CloudFormation to maintain the infrastructure. Now we want to get the stack name, i.e. AWS::StackName, as a field in Splunk so that we can differentiate and analyze which stack has pushed the logs to Splunk Cloud using the log configuration in the ECS service. Can someone please help us to know how we can push the AWS stack name as a field to Splunk Cloud and retrieve it?
Hello, I've started working with data models and Pivot. They've been working for the most part, but recently Pivot has been throwing errors like this for a few of the data models when I click on Pivot from the Data Model editor:

The search job has failed due to an error. You may be able to view the job in the Job Inspector.
Error in 'TsidxStats': Could not find job directory for sid: 1681752470.124849_22F608DA-1DAB-4C64-BCA3-3D6EA29D58A4

The sid changes each time I run Pivot. I've found the tstats command in search.log, and if I run that as its own search outside of Pivot, sometimes it runs fine, sometimes it doesn't. This seems to have corresponded with a recent change changing our events to JSON format. Could that be the issue? No reports, dashboards, or alerts seem to have been affected by that change. Thank you in advance!
Hi, Is there any official documentation or best practice recommendation on how to migrate a MC to a new server for a distributed deployment in 8.2? Thanks
Hi, we have a data source containing file paths in both Windows and Linux formats. Applying regex separately works, but how can I extract all file names regardless of format in a single search? The following works for all Windows paths, but for Linux the entire path gets extracted as file_name:

| rex field=file_path "(?P<file_name>[^\\\]+)$"

whereas this one works for Linux but does nothing on the Windows path:

| rex field=file_path ".*\/(?<file_name>.*)$"

Is there a way to use both in the same search? Or a new regex that would work on either of the two formats?
I am getting the below error. Although I have changed my password & user name from user-seed.conf, it is still showing the below error. When I log in to the UI, below are the errors I am getting. Please help me fix this error.
We have a lot of AWS instances with universal forwarders sending WinEvent logs, and some are sending logs to an on-prem HF (before my time). This isn't the Kinesis AWS logs going to Splunk. My question is this: would it be better to send all the WinEvent logs in our AWS instances to a heavy forwarder in AWS and then forward those to our Splunk Cloud?
We have two events.

Start event:

Index= x source= xtype | spath application | search application= x app " saved note" RCVD | rex field=" actionid"=(?<actionid>.*)", | Rex field =log " manid=(?<mandid>.*?)", | Rex field=log "bid=(?<bid>.*" | Rex field= log " state=(?<state>.*" | Table _time bid,mandid,actionid,state

End event:

Index=y sourcetype=yytype source=y "VALIDATION SUCESS" " msg got" | Rex field =msg " manid\:(?<mandid>.*?)", | Rex field=msg "actionid"\:(?<actionid>.*" | Table _time manid actionid

Calculate the difference between the start event and the end event grouped by manid, and count the mandates whose difference exceeds 30 sec.
I have a dashboard which displays information about password resets, and I have a bar chart showing the top 20 accounts that have reset their passwords. Code as follows:

index=keycloak "fields.environment"=production redirect_uri=* type=UPDATE_PASSWORD | rename customerReferenceAccountId as AccountID | top AccountID limit=20

This displays as a bar chart absolutely fine; however, what I'm trying to achieve is to be able to click one of the bars in this chart, which will then display a table with AccountID, username, userId, redirect_uri, ipAddress, _time. Code as follows:

index=keycloak "fields.environment"=production customerReferenceAccountId=$AccountID$ type=UPDATE_PASSWORD | table $AccountID$, username, userId, redirect_uri, ipAddress, _time

In the first table I have set the "On Click" with a value of "Manage tokens on this dashboard" as follows: Set AccountID = $click.value$. However, when I click on one of the bars, the table below isn't displaying any information; I just get "No results found", but I know that there are results.
I have been able to monitor websites with HTTP code and text check but I wanted to check if there is a way to check for an image as well from the HTML code(inspect image on website)?
We have Splunk events with a field "eventdateTime" in the format mentioned below, for example:

eventdateTime
2023-04-17 06:45:55,405
2023-04-17 06:45:52,599
2023-04-17 06:45:52,446
2023-04-17 06:45:52,208

We want to create a new field "duration" that will give the difference between the "eventdateTime" value and the current date time value in minutes:seconds format, i.e. (duration = 4Min:10.256Sec). For example:

eventdateTime = 22023-04-17 06:51:19,950
current date time = 2023-04-17 06:53:39,000
duration = 2Min:19.050Sec
Hi Splunkers, I need your assistance to create a search that provides the following: an SPL query I will use to look for sourcetypes that are not reporting; my focus here is on the nix sourcetypes. I have a CSV lookup file called "os_sourcetypes.csv" that contains a list of 27 different sourcetypes. I have another CSV lookup file called "onboarded_hosts.csv" that contains a list of onboarded hosts on Splunk with their IP addresses and a Bunit. What I want is to have something like this:

My search is below:

| tstats max(_time) as lastTime where index=os by host sourcetype | join host [| inputlookup onboarded_hosts.csv | eval host=lower(host) | search Bunit=production] | join sourcetype [| inputlookup os_sourcetypes.csv ] | eval current_time=now() | eval timediff=round((current_time-lastTime)/60,2) | sort -timediff | convert ctime(current_time) , ctime(lastTime) | table host IP sourcetype timediff lastTime

In the above search, I'm searching only for the "production" Bunit (which has 45 hosts). What I'm expecting is 27 sourcetypes * 45 hosts = 1215 statistics, but I'm getting only 637! What I have tested is searching for only one host from the "production" Bunit (host1 for example) just for testing purposes, and I found that this host returns only 23 sourcetypes out of 27! What I need is for all the hosts to show all of the 27 sourcetypes, even if one of the sourcetypes for one host has never been seen before, in which case it should show NULL. One more thing: if I select "All time" from the time range picker, the search takes a VERY LONG time to finish; I would like the search to be efficient also. Can someone please guide me in the right direction? Thank you all.