I have a field log-sshd like this: log-sshd="Apr 5 xx:xx:xx serverhost sshd[xxxx]: Failed password for user xxx from xx.xx.xxx.xx port xxxx ssh2" What is the SPL search if I just want to get the word that I bolded?
I want to be able to create a daily/weekly report on Health Rule Violations as part of our service reporting. Is there a way to do this, please?
Hi all, I have these logs and I am interested in knowing whether the agent restarted within a certain period after the agent got stopped.

index=unix sourcetype=syslog
centrifyEventID=17000    Centrify agent (adclient) started
centrifyEventID=17002    Centrify agent (adclient) stopped

Can you help me construct the query to search for whether the agent got started within 10 mins after the agent got stopped?
Splunk Enterprise 8.1.3. I installed splunkforwarder-8.1.3-63079c59e632-AIX-powerpc. The AIX version is 7.1. A problem occurred where the connection to the AIX server on which the UF was installed was lost. So I restarted the AIX UF, but the connection was lost again. The following error log is displayed right before the disconnection. Check the logs below for further confirmation.
=====================================================================
03-29-2023 05:00:28.927 +0900 WARN X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: <http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates>
03-29-2023 05:00:28.938 +0900 INFO ArchiveProcessor - Handling file=/LOG/tux/CLOG.032723.Z
03-29-2023 05:00:28.942 +0900 INFO ArchiveProcessor - reading path=/LOG/tux/CLOG.032723.Z (seek=0 len=113564693)
03-29-2023 05:00:29.027 +0900 INFO UiHttpListener - Web UI disabled in web.conf [settings]; not starting
03-29-2023 05:00:29.097 +0900 INFO WatchedFile - Will begin reading at offset=13491182 for file='/LOG/tux/CLOG.032923'.
03-29-2023 05:00:29.250 +0900 ERROR ProcessRunner - child's last words: cannot find portable_pid_t 9372426 in _pidToUniqMap
03-29-2023 05:00:29.252 +0900 FATAL ProcessRunner - Unexpected EOF from process runner child!
03-29-2023 05:00:29.299 +0900 ERROR ProcessRunner - helper process seems to have died (child exited with code 255)!
03-29-2023 05:00:29.299 +0900 ERROR ExecProcessor - Exception attempting to setup event loop
03-29-2023 05:00:29.299 +0900 ERROR ExecProcessor - child's last words: cannot find portable_pid_t 9372426 in _pidToUniqMap
Splunk Enterprise 8.1.3. I installed splunkforwarder-8.1.3-63079c59e632-AIX-powerpc. There was a problem with the universal forwarder connection being disconnected, so I restarted it. However, even after restarting, the connection was lost after a certain period of time. I am attaching the last 15 lines of splunkd.log before the disconnection. Check the logs below for further confirmation.
===============================================================================
03-29-2023 05:00:28.918 +0900 INFO WatchedFile - Will begin reading at offset=338882 for file='/IBTRANS/SPQ/var/log/event_log'.
03-29-2023 05:00:28.919 +0900 INFO TcpOutputProc - _isHttpOutConfigured=NOT_CONFIGURED
03-29-2023 05:00:28.922 +0900 INFO TcpOutputProc - Connected to idx=150.1.13.90:9997, pset=0, reuse=0.
03-29-2023 05:00:28.927 +0900 INFO loader - Limiting REST HTTP server to 400000 sockets
03-29-2023 05:00:28.927 +0900 INFO loader - Limiting REST HTTP server to 10922 threads
03-29-2023 05:00:28.927 +0900 WARN X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: <http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates>
03-29-2023 05:00:28.938 +0900 INFO ArchiveProcessor - Handling file=/LOG/tux/CLOG.032723.Z
03-29-2023 05:00:28.942 +0900 INFO ArchiveProcessor - reading path=/LOG/tux/CLOG.032723.Z (seek=0 len=113564693)
03-29-2023 05:00:29.027 +0900 INFO UiHttpListener - Web UI disabled in web.conf [settings]; not starting
03-29-2023 05:00:29.097 +0900 INFO WatchedFile - Will begin reading at offset=13491182 for file='/LOG/tux/CLOG.032923'.
03-29-2023 05:00:29.250 +0900 ERROR ProcessRunner - child's last words: cannot find portable_pid_t 9372426 in _pidToUniqMap
03-29-2023 05:00:29.252 +0900 FATAL ProcessRunner - Unexpected EOF from process runner child!
03-29-2023 05:00:29.299 +0900 ERROR ProcessRunner - helper process seems to have died (child exited with code 255)!
03-29-2023 05:00:29.299 +0900 ERROR ExecProcessor - Exception attempting to setup event loop
03-29-2023 05:00:29.299 +0900 ERROR ExecProcessor - child's last words: cannot find portable_pid_t 9372426 in _pidToUniqMap
Splunk Enterprise 8.1.3. I installed splunkforwarder-8.1.3-63079c59e632-AIX-powerpc. There was a problem with the universal forwarder connection being disconnected, so I restarted it. However, even after restarting, the connection was lost after a certain period of time. I am attaching the last 10 lines of splunkd.log before the disconnection. Check the logs below for further confirmation.
===============================================================================
03-29-2023 05:00:28.927 +0900 WARN X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: <http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates>
03-29-2023 05:00:28.938 +0900 INFO ArchiveProcessor - Handling file=/LOG/tux/CLOG.032723.Z
03-29-2023 05:00:28.942 +0900 INFO ArchiveProcessor - reading path=/LOG/tux/CLOG.032723.Z (seek=0 len=113564693)
03-29-2023 05:00:29.027 +0900 INFO UiHttpListener - Web UI disabled in web.conf [settings]; not starting
03-29-2023 05:00:29.097 +0900 INFO WatchedFile - Will begin reading at offset=13491182 for file='/LOG/tux/CLOG.032923'.
03-29-2023 05:00:29.250 +0900 ERROR ProcessRunner - child's last words: cannot find portable_pid_t 9372426 in _pidToUniqMap
03-29-2023 05:00:29.252 +0900 FATAL ProcessRunner - Unexpected EOF from process runner child!
03-29-2023 05:00:29.299 +0900 ERROR ProcessRunner - helper process seems to have died (child exited with code 255)!
03-29-2023 05:00:29.299 +0900 ERROR ExecProcessor - Exception attempting to setup event loop
03-29-2023 05:00:29.299 +0900 ERROR ExecProcessor - child's last words: cannot find portable_pid_t 9372426 in _pidToUniqMap
Hello guys, I'm starting to approach ITSI. Checking the machine learning associated with the prediction analysis, I saw that there are two algorithms (Regression and Classification) and, based on the choice, four methods:
Linear regression (Regression)
Random forest regressor (Regression)
Gradient boosting regressor (Regression)
Logistic regression (Classification)
The prerequisite to use this function is the MLTK app, which has more methods than the ones proposed by the configuration GUI. Is there a way to use a different/additional algorithm/method for the prediction? If yes, could you kindly suggest how to do it? Thanks
Hello Splunkers!! I want to set up the HEC token mechanism. But after sending some events to Splunk using a curl script, I am getting an error: {"text":"The requested URL was not found on this server.","code":404}. Please help me to fix this issue. The default port 8088 is set up, and the token is also set up. Thanks in advance
Splunk Enterprise 8.1.3. I installed splunkforwarder-8.1.3-63079c59e632-AIX-powerpc. The error message comes from the AIX OS. When entering the "errpt" command, the following error message is displayed. Check the messages below for further confirmation.
=====================================================================
LABEL: SRC_TRYX
IDENTIFIER: 1BA7DF4E
Date/Time: Wed Apr 5 05:00:32 KORST 2023
Sequence Number: 3589
Machine Id: 00CEC3474C00
Node Id: mgl888
Class: S
Type: PERM
WPAR: Global
Resource Name: SRC
Description
SOFTWARE PROGRAM ERROR
Probable Causes
APPLICATION PROGRAM
Failure Causes
SOFTWARE PROGRAM
Recommended Actions
DETERMINE WHY SUBSYSTEM CANNOT RESTART
Detail Data
SYMPTOM CODE
2048
SOFTWARE ERROR CODE
-9020
ERROR CODE
0
DETECTING MODULE
'srchevn.c'@line:'369'
FAILING MODULE
splunkd
This is an Application Insights query which I need to write in Splunk. Can someone help me please?

let a=traces
| where cloud_RoleInstance startswith "sams-card-account-update"
| where message contains "Received Message from CAU:"
| parse message with * "clientReqId='" clientReqId "', status=" * "resultReason='" resultReason "', message" *
| project clientReqId, timestamp, resultReason
| parse clientReqId with personId "_" paymentInstrumentId "_retry-" retry "_" epoch
| project responseDate = bin(timestamp,1d), personId, paymentInstrumentId, retry, requestDate = bin(unixtime_milliseconds_todatetime(tolong(epoch)),1d), resultReason
| where resultReason !in ("AU202","AU203","AU401","AU501","Z999")
| distinct requestDate, personId, paymentInstrumentId, responseDate, resultReason
| summarize receivedCount = count() by requestDate, responseDate;
let b=customEvents
| where cloud_RoleInstance startswith "sams-card-account-update"
| where name == "CAU_UPDATE_REQUEST"
| extend personId = tostring(customDimensions.personId)
| extend paymentInstrumentId = tostring(customDimensions.paymentInstrumentId)
| project requestDate = bin(timestamp,1d), personId, paymentInstrumentId
| distinct requestDate, personId, paymentInstrumentId
| summarize requestedCount = count() by requestDate;
a
| join kind=inner b on requestDate
| project requestDate, responseDate, requestedCount, receivedCount
| project received_perc = receivedCount / todouble(requestedCount) * 100, responseDate, requestDate=substring(requestDate,0,10)
| sort by requestDate asc, responseDate asc
| render timechart

This is how the data looks:

{"kubernetes":{"labels":{"version":"v1","app":"card-account-update"},"pod_name":"card-account-update-5c4b875dc6-t7kzx","host":"stage-a6-vmss0003is","namespace_name":"n1497934467"},"time":"2023-03-25T09:05:16.023813003Z","log":{"timestamp":"2023-03-25T09:05:16.023Z","type":"trace","context":"default","thread":"org.springframework.kafka.KafkaListenerEndpointContainer#0-11-C-1","logger":"com.t.cau.integration.impl.CAUConsumer","level":"INFO","message":"Received Message from BST: BSTResponse{inquiryValue='20042341056', clientId='BSTclub.com', clientReqId='99f50c8e-4800-42af-b7ea-ccc9bf0a5349-4b40-9eea-aabfd0affec7_retry-2_1679735115331', status='ERROR', result='ERROR', resultReason='AU501', message='Unknown Error encountered', instrumentMap={xref=com.BST.payment.cau.integration.model.InstrumentInfo@6c3ad85}}"},"cluster_id":"wus-stage-a6"}

Thanks in advance
Hello, I'm trying to build the props.conf for the below log, but I am getting "failed to parse timestamp" and "defaulting to file modtime" errors.

[test]
TIME_PREFIX = \["BS":
TIME_FORMAT = %Y-%m-%d %H-%M-%S.%3N
LINE_BREAKER = \}
SHOULD_LINEMERGE = true
TRUNCATE = 100000

Below is the log sample:

["BS":"2023-04-04 20-10-45.013", MessageID:"test-7657-99", UID="xy123-bc22"] { xyz }
["BS":"2023-04-04 20-10-46.013", MessageID:"test-7687-99", UID="xy123-bc22"] { abc }

Please help me with it. Thanks
I have a log event and I want to extract it like this: I want to show it like the red line. However, it only receives the first line in the event. How do I show all the blue lines? Thank you for your help.
I have many alerts in Splunk; now I want to get the list of alerts where a cut ServiceNow incident is configured. How can I get this?
Hello All, I need to work on building SPL to fetch information related to corrupt data. The conditions I narrowed down to determine whether data is corrupt or not are:
1. Improper breaking of data into individual lines.
   - When fewer than expected events are ingested in the index.
   - When multiple events are grouped together as a large event.
   - Truncation of lines in lengthy events, when the length exceeds the defined limit.
2. Improper breaking of events.
   - When events are not properly recognized by Splunk.
   - When we see more than required or fewer than required events.
3. Incorrect timestamp extraction.
   - Timestamp issues related to:
     a. DATETIME_CONFIG
     b. TIME_PREFIX
     c. TIME_FORMAT
     d. MAX_TIMESTAMP_LOOKAHEAD
     e. When the time observed in _time does not match the raw data.
   - Errors related to timestamp extraction issues:
     a. AggregatorMiningProcessor
     b. DateParserVerbose
Thus, I need your assistance to understand the approach to building SPLs that fetch details for when the above Splunk failure conditions occur. So far, I have been able to document the below two queries:
index=_internal TERM(AggregatorMiningProcessor) | stats count BY event_message
index=_internal TERM(DateParserVerbose) | stats count BY event_message
Thank you
I have an event field that is a list of "permissions", and I want to perform a lookup for each permission in the list. E.g.

Events
name    permissions
app1    send_message
app2    read_user, send_message, write_test

Lookup Table:
permission      risk
send_message    medium
read_user       low
write_test      high

Desired Results
app     permission      risk
app1    send_message    medium
app2    read_user       low
app2    send_message    medium
app2    write_test      high

I want to split the permissions field for each app, and then use the lookup separately so that each row corresponds to an app and one of its permissions. The length of the permissions field is variable. I am not sure what the most efficient way to achieve this is.
Hello Team, can anyone help me with the extraction of a new field?

input: site: mclaudelinemugasqiln.platinilemu.com:1227

site is a field; domain is mclaudelinemugasqiln.platinilemu.com:1227

I want this output: mclaudelinemugasqiln.platinilemu.com:1227

Thank you
I have this report that I received an error from. I've seen the error from different searches, but I just started to look into them. In the email, it said the issue was:
Error in 'where' command: The 'not' function is unsupported or undefined.
I'm assuming the search ran fine before it started getting an error, as it was turned into a report. Current search:

|inputlookup X_servers.csv
| search OS=*Windows* environment=Production OR environment="Disaster Recovery"
| dedup host
| rename host as HOST
| table HOST environment OS application1
| sort +HOST
| where NOT [|inputlookup Y_agent_managed.csv | table HOST]

I looked up that error, but I couldn't find anything useful. We have our DMC, both cluster masters, and deployment servers all on Splunk 9.x.x; everything else is on 8.x.x. The posts I saw were talking about Splunk 6.x, so that one was a bit outdated, and I'm at a loss as to the proper syntax. I tried replacing NOT with != but apparently Splunk reads them both as NOT, which makes sense. I'd appreciate any help, thank you. We have a few old reports that still use NOT like this.
Hello, how do I change the permissions of the knowledge objects (e.g., dashboards, alerts) on the Splunk Cloud search head to a new user, since the previous owner who created them is no longer with the organization? Please help me with it. Thanks
How do I monitor F5 on AppDynamics?
Hello. I've been watching a few lookup videos, but they mostly concentrate on extracting data from a lookup file. None of them address a case where you have to correlate a field from a query to a field from a lookup file. Here is my example. I have a query (index=web username=mike). I would like to pull Mike's email from an emaillookup.csv file so that my final table result looks like below.

username    email
mike        mike@yahoo.com

So far, I have tried
index=web username=mike | lookup emaillookup.csv email OUTPUT username
with no success.