All Topics


Hi Team, I am trying to load a custom metric onto the dashboard and it's not loading any data. For individual applications, when I try to get the metric data in the dashboard I can see the data coming. But when I tried to get URL monitoring for all applications on a dashboard, as I configured on a single server, I am unable to get the data; it shows "data not available". Under the Metric Browser I am able to get the individual applications on the server, but all together on the dashboard I am unable to see them. I have attached the screenshots. Kindly suggest how to get this fixed. Regards, Srujana.
The log we have for WinEventLog for Security EventCode IN (4768) is missing the part "Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120." This comes after Certificate Thumbprint. This is all we have in Splunk. The SEDCMD in props.conf was already commented out, but we are still not getting this part in Splunk.
Hi, I am creating a dashboard where I need to use the density function to show anomalies as follows:

| tstats count as total where index=dns by _time span=1h
| fit DensityFunction total dist=norm show_density=true
| bin total bins=100
| stats count avg("ProbabilityDensity(total)") as pd by total

However, when using the ProbabilityDensity function within the Machine Learning app in Splunk, no results are output. In addition, I see no Probability Density macros "out-of-the-box" within the Machine Learning app either. What is the definition of this DensityFunction macro so I can create it, or do I need to download this macro? Many thanks,
Is there a reason why Splunk no longer works from an iPad? It's not working from any browser. There is an error SSL_PROTOCOL_ERROR. The Splunk version is 8.2.7. It works fine from all other devices.
Hi, I have created a base search and have an event table to display the results. The problem is, only the 'All' value is working correctly. When I select other options, nothing is displayed. The dropdown is showing me the correct options. Below is my code; I have changed some of the words, as I can't use the actual data here.

This is my base search, which I have set up at the top:

<form theme="dark">
  <label>Profiles</label>
  <search id="baseSearch">
    <query>source="ErrorLog" ESPACE_NAME IN (Customer, Vendors, Friends) | replace "Customer" WITH "Customer Name", "Vendors" with "Vendors Name", "Friends" WITH "Friends Name" IN ESPACE_NAME</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <refresh>5m</refresh>
    <refreshType>delay</refreshType>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

This is the code for my dropdown:

  <row>
    <panel>
      <title>Error Log</title>
      <input type="dropdown" token="ProfileLog" searchWhenChanged="true">
        <label>Module</label>
        <fieldForLabel>ESPACE_NAME</fieldForLabel>
        <fieldForValue>ESPACE_NAME</fieldForValue>
        <search base="baseSearch">
          <query>| stats count by ESPACE_NAME</query>
        </search>
        <choice value="*">All</choice>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <event>
        <search base="baseSearch">
          <query>| search ESPACE_NAME=$ProfileLog$</query>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

Any assistance is appreciated! Thank you
In a search I'm displaying on the dashboard I'm using an 'ID' field in the format '000001', '000002' etc. However, when it is displayed it is being converted to a number datatype and the leading 0s are removed (it turns into 1, 2 etc.). I need to preserve this as a text type as I'm then using it as a token value for other searches.
When I try to log in to the AppDynamics controller I am getting a "login failed" message. Thanks, Ramakrishna Varma ^ Post edited by @Ryan.Paredez to remove the screenshot as it showed the account name. Please be sure not to share account names or emails on Community posts for security and privacy reasons.
Hi, could anyone here write an SPL query for a use case in Splunk ES where a single user triggers an alert (say, other than DLP) more than 3 times within 2 hours? How do I make a count for alert_name rather than for generic events, and how do I write this use case as an SPL query using eval?
Hi team, how do I do certificate monitoring using Splunk? The certificates are on Windows and Linux machines. Thanks
How do I extract the values of country and channel id for the dashboard, right when I'm pulling it? I'm getting both country id and channel id in one column, but I want to segregate them into individual columns in dashboards. I have the below sample event type:

Path= /Verify/ endpoint request={"userId":"xxxxxxxxxxxxxxxxx","country":"AB","channelId":"111111","ssnNumber":null,"operatorId":"test"} response={"result":"ERROR","error_reason":"NO_DATA_ERROR","error_category":"APPLICATION","error_text":"No for user exist","error_rc":444}

Please suggest.
Hi team, I can see the export CSV option available in a dashboard created as a Splunk Classic dashboard, but I can't see the same when I create a dashboard with Dashboard Studio. Kindly help with this.
Hi all, I need some help. My SH2 KV store is always showing "Status: Failed" despite me reinstalling Splunk Enterprise entirely. The steps below were done but still no luck:
- Rebuilt Splunk Enterprise
- Recreated the self-signed cert
- Removed and rebuilt Mongo
- Reverted back to the Splunk default self-signed cert: the KV store shows Ready, but not on the created self-signed cert.
Hi All, I'm setting an alert and sending an email notification to my inbox. I have a field called Time and basically it calculates the duration. Example: "25 minutes ago". Hence, when I include the field in the message like below: $result.Time$ I get the message in my inbox in seconds. Example: Host abcd CPU usage reached 97% 1680502445. Please investigate. So if you look here, the 1680502445 is the time duration in seconds. It is supposed to pick the summarized time as per the column result. Please help: how can I get the same output as what I have gathered in the Time1 column? Thanks
Hi All, I have a log which is in JSON format. I used spath and extracted the fields. But there is no field-value pair for the value which I need to get extracted. This is the sample log:

{"log":"100.64.12.88 - idp-psu-int-sanctions-listener-app-npd|696534fc-2f4a-a078-e053-071bf40a21a6|7762ee4c-a769-6413-e053-1d1bf40a3e8e| [03/Apr/2023:15:10:57 +1000] \"GET https://pds-event-api.msaas-badev/payments/history/v3/payments/events/rawContents?receiptNumber=MP10403051048&eventTypeCode=CLRG.RECEIVE_NEW_MSG&messageDefinitionId=pain.001.001.10 HTTP/1.1\" 200 14127 \"-\" \"Java/1.8.0_342\" 190\n","stream":"stdout","docker":{"container_id":"9ce8070c8f3bdde9fd0374a295922ef64e34fa7a007241d528b72286187dc8fe"},"kubernetes":{"container_name":"pds-event-api-psu-api","namespace_name":"msaas-badev","pod_name":"pds-event-api-psu-api-3.17.16-68cfc5f9c6-52fhl","container_image":"pso.docker.internal.cba/pds-event-microservice:3.17.16","container_image_id":"docker-pullable://pso.docker.internal.cba/pds-event-microservice@sha256:44cf819cc3c8b88f6794cac17dbcd775de2a2e4b40cad33418d2ba20d642ef28","pod_id":"3c9080dd-82c6-44f9-9bb4-9e0d7843a8f3","pod_ip":"100.64.15.33","host":"ip-10-3-196-184.ap-southeast-2.compute.internal","labels":{"app":"pds-event-api","app.kubernetes.io/instance":"pds-event-api","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"pds-event-api","helm.sh/chart":"psu-api-1.7.5","heritage":"Helm","pod-template-hash":"68cfc5f9c6","release":"pds-event-api"},"master_url":"https://172.20.0.1:443/api","namespace_id":"25c93690-5c3b-4f2b-a967-8d0355ea90f2","namespace_labels":{"argocd.argoproj.io/instance":"appspaces","ci":"CM0953076","kubernetes.io/metadata.name":"msaas-badev","name":"msaas-badev","platform":"PSU","service_owner":"somersd","spg":"CBA_PAYMENTS_TEST_COORDINATION"}},"hostname":"ip-10-3-196-184.ap-southeast-2.compute.internal","host_ip":"10.3.196.184","cluster":"nonprod/pmn02"}

The one which I highlighted in the log, "190", is the response time which is getting captured in the logs. I need to fetch it under a value called response time and calculate the percentage of responsetime. Can anyone please help me out in writing a regex to fetch that value out from the log field, which is in JSON format? Thanks in advance.
I've been using the 60-day Splunk Enterprise trial version, and I am unable to edit my second dashboard. My first one is a Splunk Studio dashboard, and so is my second one. Am I limited to editing only one dashboard with the trial I am using? If not, how can I edit the second dashboard? Thanks.
I would like to upload a lookup CSV file via an API call. Is this possible with the latest Splunk Cloud? I need to push an updated lookup CSV file every time I deploy new components.
Hi, we have a bunch of fields that show up in the Splunk On-Call/VictorOps UI under either "Alert Details > Alert Data > Alert Fields" or "Annotations" (screenshot below) that I'm hoping to insert into the payload body of a custom outbound webhook of the "Any-Incident" event type. When using the VictorOps API I only see the custom fields present under the "raw" field of the GET Alert response. I see in the Incident Fields support page some mention of custom_fields, which makes me think perhaps we could add those to the payload with something like ${{ALERT.custom_fields}} or ${{ALERT.raw}}, but at least when I tried those nothing was populated in the webhook payload for it. Since I haven't been able to find documentation on how to add these custom fields, annotations, or the raw alert payload to the webhook payload body, and they don't appear within the suggested variables, does someone know how we would add those to the webhook body, or if that's possible? Or do I need to pull them from the Alert.raw field myself, and if so, how would I get that raw field on the webhook payload? Thanks!
I am using the treemap visualization. I have been trying to change the default color of the treemap using the following options:

<option name="treemap_app.treemap.maxColor">
<option name="treemap_app.treemap.minColor">

colorMode has been set to categorical:

<option name="treemap_app.treemap.colorMode">categorical</option>

The treemap doesn't seem to honor any changes to maxColor or minColor and uses the default colors. Is this a bug in treemap? maxColor/minColor seem to work if colorMode is changed to sequential, but that is not the view I'm interested in.
Hello, can someone please help me with props.conf for the below log?

Timestamp Process TID Area Category EventID Level Message Correlation
03/23/2023 06:10:20.73 w1wp.exe (0x12G8) 0x1F8D SharePoint Foundation Authentication Authorization ag6al Medium OAuth app principal Name=i:0i.t|ms.sp.ext|92d4232b-12w3-57d5-b038-a2c108d5dd18@9a211ce9-5e5a-4dab-8256-6748538485fc, IsAppOnlyRequest=True, UserIdentityName=0i.t|00000003-0110-0gg1-ce00-000000000000|app@sharepoint, ClaimsCount=11 0dd5c32e-121d-adcd-9284-75f41116e8c5
03/23/2023 07:11:27.53 w2wp.exe (0x17F8) 0x1Z74 SharePoint Foundation General af8sw Medium ListRootFolderUrl=/tops/ops/abcd/Forms, CAML query: <View Scope="RecursiveAll"><Query><Where><Eq><FieldRef Name="ID" /><Value Type="Counter">21170</Value></Eq></Where></Query><ViewFields><FieldRef Name="Position_x0010_3" /><FieldRef Name="ID" /></ViewFields><RowLimit Paged="TRUE">1</RowLimit></View> 0dd9b01e-002d-adcd-b28b-91e7hg71fdd9
03/23/2023 09:11:27.73 w8wp.exe (0x25F0) 0x1E9C SharePoint Foundation App Management tempo Medium AppMngMinDb: Got SubscriptionId 0c6554b-12d0-400e-91c6-2bd25af4be5b from partion key. SubscriptionId 00000000-1111-1110-0000-000000444400 is in the SPServiceContext. 0mm9b62e-202d-adcd-9277-75f41666e8c0
03/23/2023 08:45:27.73 w0wp.exe (0x17F8) 0x1V4C SharePoint Foundation App Management tempo Medium AppMngMinDb: Executing query: dbo.proc_AM_GetAppPrincipalPerms on Legacy db with context subId: 00990000-0440-0100-0000-004444400000 and compositeKeyId: 0c98423b-34d0-438m-91c6-2ac25av4ce5d 0dd9b21e-111d-adcd-3333-7111111c0

Thanks
Hi, I have created a dynamic lookup table on one of the search heads using a search. Now I want to move it to another search head and schedule it. How could we achieve this?