Hi, I need your suggestion here. Please guide me. I have a lookup file with a list of hosts. I need to compare it with Splunk data and populate the matching count.

Query:

index=idxname (sourcetype=sourceA desc=windows) OR (sourcetype=sourceB)
| fields device.hostname,event.HostName
| rename device.hostname as hostfield, event.HostName as hostfield
| lookup lookupfilename fieldname as hostfield OUTPUTNEW Platform
| fields hostfield,Platform
| stats dc(hostfield) as "totalcount" by Platform

I have 2 different sourcetypes under the same index. sourceA has a field "device.hostname" and sourceB has a field "event.HostName".

[
lookup file --> hostfield: AA,BB,CC
sourceA, device.hostname --> AA,XX,YY
sourceB, event.HostName --> CC,PP,KK
my output count should be 2
]

If the value of either of these 2 fields matches a lookup hostname, it should be counted. I tried the rename command. Please provide your inputs.
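One way to get the count the question asks for, written here as an added example and not anything posted in the thread. It reuses the poster's index, sourcetypes, field names and lookup placeholders (lookupfilename, fieldname) and assumes, as the sketch implies, that each host belongs to at most one Platform. Instead of renaming two different fields to one target name, coalesce merges them per event; events whose host is not in the lookup get no Platform and are dropped before counting.

```spl
index=idxname ((sourcetype=sourceA desc=windows) OR sourcetype=sourceB)
| fields device.hostname, event.HostName
| eval hostfield=coalesce('device.hostname', 'event.HostName')
| where isnotnull(hostfield)
| lookup lookupfilename fieldname AS hostfield OUTPUTNEW Platform
| where isnotnull(Platform)
| stats dc(hostfield) AS totalcount BY Platform
| addcoltotals totalcount labelfield=Platform label=ALL
```

With the sample data in the question (AA,XX,YY from sourceA; CC,PP,KK from sourceB; AA,BB,CC in the lookup) only AA and CC match, so the ALL row shows 2 and the per-Platform rows split that total. Lookup matching is case-sensitive unless the lookup definition sets case_sensitive_match to false, so if one source reports hosts in a different case or with a domain suffix, normalise hostfield with lower() or replace() before the lookup command.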
We have a Splunk install inside a network that will never be publicly accessible in any way, shape or form. Seeing as this is the case, is it OK to disable the Splunk Secure Gateway app that comes pre-installed? Are there other reasons I should keep it turned on?
Hi everyone, we are receiving the following errors after upgrading our Splunk version:

Failed to start KV Store process. See mongod.log and splunkd.log for details.
KV Store changed status to failed. KVStore process terminated.
KV Store process terminated abnormally (exit code 2, status PID 68203 exited with code 2). See mongod.log and splunkd.log for details.

Does anyone know how I can solve it? Regards.
Hello, I am running Splunk Enterprise 9.0.2 on a multi-site indexer cluster. In the Cluster Master, under Settings >> Indexer Clustering, I started a searchable indexer rolling restart (no "Force" flag, no "Site Order" flag) and some of my indexers were stuck with status Restarting. This never happened before. Below are some logs; as you can see, the first indexer (Site 2 - IDX03) restarted automatically, then the second indexer (Site 2 - IDX02) got stuck. After some time I manually restarted it from the CLI. The same happened to the third indexer (Site 2 - IDX01); for the remaining ones the issue didn't happen.

Site 2 - IDX03
04-03-2023 14:44:15.266 +0200 INFO CMSlave [2862 CMHeartbeatThread] - Cluster manager has instructed peer to restart, restartTimeout=10000000 threshold=1690525855.266419 searchable_flag=1

Site 2 - IDX02 - Stuck
04-03-2023 14:52:28.612 +0200 INFO CMSlave [29466 CMHeartbeatThread] - Cluster manager has instructed peer to restart, restartTimeout=10000000 threshold=1690526348.612353 searchable_flag=1

Site 2 - IDX01 - Stuck
04-03-2023 15:46:33.294 +0200 INFO CMSlave [40062 CMHeartbeatThread] - Cluster manager has instructed peer to restart, restartTimeout=10000000 threshold=1690529593.294619 searchable_flag=1

Site 1 - IDX01
04-03-2023 16:14:08.911 +0200 INFO CMSlave [19756 CMHeartbeatThread] - Cluster manager has instructed peer to restart, restartTimeout=10000000 threshold=1690531248.911129 searchable_flag=1

Site 1 - IDX03
04-03-2023 16:17:37.570 +0200 INFO CMSlave [4829 CMHeartbeatThread] - Cluster manager has instructed peer to restart, restartTimeout=10000000 threshold=1690531457.570617 searchable_flag=1

Site 1 - IDX02
04-03-2023 16:22:32.841 +0200 INFO CMSlave [30733 CMHeartbeatThread] - Cluster manager has instructed peer to restart, restartTimeout=10000000 threshold=1690531752.841733 searchable_flag=1

What is strange to me are the values I see in the logs:
- restartTimeout=10000000
- threshold=1690525855

Checking the documentation here:
https://docs.splunk.com/Documentation/Splunk/9.0.2/Indexer/Userollingrestart

I have default values in my Cluster Master:

server.conf
[clustering]
heartbeat_timeout = 60
restart_timeout = 60
decommission_search_jobs_wait_secs = 180

limits.conf
[search]
search_retry = 0

Do you know what caused the indexers to get stuck, and also why I see those high restartTimeout values in the logs, which do not reflect what I have in my configuration?

Thanks a lot,
Edoardo
Hi folks, is it possible to enable the below parameters in the web.conf file while using a self-signed certificate?

sslVerifyServerCert = [true|false]
sslAltNameToCheck = <string>

When I tried it in a working test environment configured with a self-signed certificate along with the above parameters, I got the following error while starting Splunk:

ERROR: certificate validation: self signed certificate

Note: I also configured the openssl.cnf as per the below link: Solved: How to generate CSR files with SubjectAltNames (SA... - Splunk Community

So, I assume it is not possible to check the SAN while using a self-signed certificate?
hi all, new to Splunk and its ecosystem. I was asked to research it a bit and try to ingest data in 2 ways: a local file and the REST API. I added local CSV file data to Splunk Cloud from the "Add data --> Upload" option. So far, so good. Now I'm trying to add some data using the HTTP Event Collector options. I defined a new HEC and I have a valid token now. Now I have some questions:
1. How do I actually send the data using Postman or some other HTTP tool? Except for the token, I don't even know what URL I should invoke.
2. In what format should I send data? I'm guessing JSON or CSV but I can't find any information about supported types and schemas.
3. Is there some sort of full documentation of the API, swagger style?
Since this is only a POC I need some help or examples to get me started.
thanks
Amir
Hello, I'm trying to search in the Authentication data model for authentication attempts where the username is wrong. I get results when I search for "Authentication.signature_id=4625", and can see many "User name does not exist" events when I click on Authentication.signature in the left column. When I add " Authentication.signature="User name does not exist" " or a variation ("=*User name does not exist*", "=*exist*", etc.) I get zero results returned. Is there something I am doing wrong?   Thanks!
So I have a Python script called Analysis.py, and normally I would run it locally like this: Analysis.py <filepath>, so as an example Analysis.py D:/Temp/temp.txt. What this Python script does is generate a CSV file. What I would like to do is a dashboard in Splunk which does visualization on this CSV file, e.g. a line chart or some bar graphs. However, this Python script runs with a <filepath> argument. And also, this dashboard would accept a custom input, where the user inputs the <filepath> argument and the dashboard shows the results accordingly, visualized in a line chart for example. How can I write a Splunk custom search command such that I can create this dashboard?
Hello, I have sign&go as my SSO tool and I have integrated it with Splunk. I configured the chain of certificates "/opt/splunk/etc/auth/idpCerts/idpCertChain_1" in the order needed, but I am still receiving the same error:

04-03-2023 16:01:21.658 +0200 ERROR UiSAML [2402186 webui] - Verification of SAML assertion using the IDP's certificate provided failed. Error: failed to verify signature with cert
04-03-2023 16:01:21.658 +0200 ERROR Saml [2402186 webui] - Unable to verify Saml document
04-03-2023 16:01:21.658 +0200 ERROR Saml [2402186 webui] - Error: failed to verify signature with cert :/opt/splunk/etc/auth/idpCerts/idpCertChain_1;

How do I solve this error? Thank you.
A couple of my CSV indexes in Splunk (UF to indexers) have been creating/renaming the first field in the CSV with special prefixes; for example Id is becoming xE2_x81, and ReportID is becoming xE2_x81ReportID or xE2_x90ReportID, and it changes to a new name automatically after a few days. Any help in fixing this is appreciated. Thanks in advance.
I need help installing a new Enterprise license for my Splunk free instance. How do I install a new license?
Could someone have a look at the following query and see why it does not give me the results I expect based on the documentation of map?

index=portal sourcetype=app:*** source="log" cls=c.b.m.s.SoapServiceClientService Exit event 'ERROR'
| rex "(?i) .*? \[(?P<ResponseCode>\d+)(?=\])"
| search ResponseCode=504
| stats values(ses) as Session
| map search="search index=portal sourcetype=app:*** source='log' cls='c.b.m.s.SoapClient Webservicecall*' ses=$Session$ | stats first"

So the first search lists all the session IDs for which a certain error occurs. I want to match this to another event from those sessions which contains the name of the web service for which the call failed. The second search finds multiple events in the same session, but with 'stats first' I take the latest, which for now is assumed to be the failing one. Instead of the events from the second search, I only get events from the first search as results. No table. So right now my results are events which I would also get when removing the whole map bit and the first stats. Nothing seems to have been added in regards to fields. The holy grail would allow me to include two more rex commands in the map search to extract two fields. When I add a rex command comparable to the one in the first search, the second search won't run.
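An alternative that avoids map altogether, added here as an example and not taken from the thread: retrieve both event types in one search, mark the sessions whose Exit event carried a 504 with eventstats, and keep only the web-service-call events from those sessions. The poster's sourcetype placeholder app:***, the cls values, the ses field and the rex are kept as written; the assumption is that both event types share the ses field, as the original map search relies on.

```spl
index=portal sourcetype=app:*** source="log"
    ((cls=c.b.m.s.SoapServiceClientService Exit event 'ERROR') OR cls="c.b.m.s.SoapClient Webservicecall*")
| rex "(?i) .*? \[(?P<ResponseCode>\d+)(?=\])"
| eval is_504=if(cls="c.b.m.s.SoapServiceClientService" AND ResponseCode=504, 1, 0)
| eventstats max(is_504) AS session_had_504 BY ses
| where session_had_504=1 AND cls!="c.b.m.s.SoapServiceClientService"
| stats latest(_raw) AS last_webservice_call, latest(_time) AS last_call_time BY ses
| convert ctime(last_call_time)
```

The two extra rex commands the question mentions go directly after the where line, since the remaining rows are the web-service-call events themselves; the extracted fields can then be listed in the final stats with latest(). This also sidesteps the map command's maxsearches limit (10 by default), which silently truncates the subsearch list when more sessions match.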
Hello, I am trying to use the custom Splunk visualisation. I have formatted my search as the following:

index=my_index my_search | timechart span=30s sum(qty) as "Qty"

However, when trying to apply the timeline visualization, each qty is displayed on its own row instead of a single row with each 30s sum shown. Each one of the blue circles represents a qty.

Bad example of what is currently happening

Below is what I am trying to achieve: each 30s bin shows a blue event circle and on mouseover it shows the sum of qty in that bin.

Good example

Below is the format of my data:

_time                 qty
2023-03-23 09:46:00   80
2023-03-23 09:46:30   85
2023-03-23 09:47:00   180
2023-03-23 09:47:30   276
2023-03-23 09:48:00   120
2023-03-23 09:48:30   390
2023-03-23 09:49:00   411
2023-03-23 09:49:30   125
2023-03-23 09:50:00   173
2023-03-23 09:50:30   40
2023-03-23 09:51:00   314

Thank you for any help. Ultimately I want to see different fields on each row; this one will be qty, the next will be rating, etc.
Hi, I have service name, verb, object and outcome. I need to show the statistics in a pie chart. For example:

index=abc (SUBJECT="Access" AND OBJECT="status" AND VERB="Get") OR (SUBJECT="Customer Service" AND VERB=Get AND OBJECT="Customer status") OR (SUBJECT="Agreement service" AND OBJECT="attachments" AND VERB="Create")
| search OUTCOME=FAILURE
| chart count by VERB,OBJECT

Results:

VERB     Customer status   attachments
Get      3                 0
Create   0                 2

What I am looking for is to show the 2 failures for create attachments and the 3 failures for get customer status in pie chart format. But the above query is not working like that; it only shows one field in the pie chart, which is not useful.

Please help on this. Thanks in advance.
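A pie chart takes a single category column and a single count column, so the two split-by fields need to be combined into one before counting. This is an added example, not from the thread; it keeps the poster's index, field names and filters and only moves the OUTCOME filter into the base search so the indexer does the filtering.

```spl
index=abc OUTCOME=FAILURE
    ((SUBJECT="Access" AND OBJECT="status" AND VERB="Get")
     OR (SUBJECT="Customer Service" AND VERB="Get" AND OBJECT="Customer status")
     OR (SUBJECT="Agreement service" AND OBJECT="attachments" AND VERB="Create"))
| eval action=VERB." ".OBJECT
| stats count AS failures BY action
```

With the counts shown in the question this yields two rows, "Create attachments" with 2 and "Get Customer status" with 3, which the pie chart renders as two slices. Include SUBJECT in the eval as well if the same verb/object pair can occur under different services and should not be merged.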
I'm trying to query Splunk Cloud using the REST API so that I can export some data externally; however, I'm not entirely sure how to download/install/configure the ACS OpenAPI 3.0 specification. The Splunk documentation is a bit ambiguous. I'm also unable to set up a new authentication token, receiving the error below. I'm using an admin account.

curl -u username:password -X POST https://admin.splunk.com/[myValidStackName]/adminconfig/v2/tokens
{"code":"401-unauthorized","message":"{\"messages\":[{\"type\":\"ERROR\",\"text\":\"Unauthorized\"}]}. Please refer https://docs.splunk.com/Documentation/SplunkCloud/latest/Config/ACSerrormessages for general troubleshooting tips."}
Hi all, I am currently working on ingesting WinEventLog:Security data and noticed that the event has been cleaned up even though I didn't configure the SEDCMD extractions in my props configuration. Please note that the props.conf in my local folder is exactly the same copy as the props.conf in my default folder. I am looking specifically at the certificate information and would like it to be visible in my data in Splunk. This is what it looks like in Splunk: I expect to also have the same data as what I have in my source. Any idea what happened and how I can troubleshoot to determine what's causing this to my data? Your help is greatly appreciated. Thanks in advance!
I have environments like "A", "B", "C", "D"; each environment has different clients. Now I want to display the response status for a particular URL of an environment in a table like below:

client="x"
Requested Url   responseStatus=200   responseStatus=400   responseStatus=500
**********      45                   55                   10
__________      24                   14                   5

client="y"
Requested Url   responseStatus=200   responseStatus=400   responseStatus=500
**********      15                   5                    10
__________      42                   24                   15
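One way to build that layout as a single result table, added here as an example and not from the thread. The index name web_access and the field names client, url and responseStatus are assumptions standing in for whatever the poster's events actually carry; the status columns are prefixed with "responseStatus=" to match the requested headers.

```spl
index=web_access client=* url=* responseStatus=*
| stats count BY client, url, responseStatus
| eval status="responseStatus=".responseStatus, row=client."|".url
| xyseries row status count
| fillnull value=0
| rex field=row "^(?<client>[^|]+)\|(?<url>.*)$"
| fields - row
| table client url *
| sort client url
```

Each row is one client/URL pair with one column per status code, and fillnull puts 0 where a code never occurred for that pair. For the per-client view shown in the question, add client=$client$ (a dashboard token) to the base search, or keep the combined table and let the dashboard filter on the client column.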
Hi there, I have a dashboard that has a pop-up: when the single value is selected, it displays the drop-down dashboard. I have a category selection at the top of the dashboard; it includes 3 categories. When another category is selected, the drop-down dashboard remains the same as per the previous selection of the single value. I don't need the drop-down dashboard after a change in the category selection; I only need the drop-down dashboard when the value in the dashboard is selected.

Thanks in advance!
How do I build a good visualization with the following fields: DeviceID, Software Version (e.g. 1.22.2222.34), Software Version Release Date (2020-02-03 00:00:00), Software Version last timestamp (2020-02-05 02:04:45) and Total_Days (2)? Total_Days is the difference between Software Version Release Date and Software Version last timestamp. The chart should cover all fields.
Hi. Please tell me how to link Splunk and the Bitbucket add-on https://splunkbase.splunk.com/app/4592. I added the app, and I want to know how to set it up.