Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hello everyone, I have a question for you. I have this table: But I want to have first the evenement Dépôt, and in the second line the evenement Pré-contrôle. I don't know how to do this. Can you help me please?
A question about the architecture of the HomeLab
Hello, I am a Splunk Enterprise Certified Admin who has an opportunity to advance to Splunk Architect with someone retiring. I plan on taking the Splunk Architect courses but would like to set up a home lab to give myself practice and experience. To best prepare me, I'd like to set up a virtual Home Lab with a Splunk distributed search environment, an indexer cluster, and a deployment server to deploy all the apps to the forwarders. How many total Ubuntu Server VMs in Hyper-V should I spin up? I think one search head, at least two indexers (right?), the deployment server, a management node, and possibly an HF for practice. So maybe a total of six VMs? Or is that too few, or too many? It depends on how many Splunk roles each VM can play, which I'm not entirely sure about. It isn't easy to find this information online. I'm not planning on ingesting much data, just a few data sources for practice. This is more of a Proof of Concept and learning opportunity for me from an architectural perspective.
I'm attempting to auto-assign users to certain types of Notable events under "Default Owner". For some reason only 20/24 users are showing up as options. The users that are missing from the drop-down have accounts with the same role as the other users, and they have logged into Enterprise Security before.
Hi All, I'm looking to combine the two searches below. I have been messing around with it, but I don't do this a lot! Rather than put in my ramblings, I thought I would ask the basic need of the question. I basically want the 'state', 'startTime' and 'completeTime' from the second search to be added to the first search.

# search 1
index=vmware-taskevent sourcetype=vmware_inframon:events fullFormattedMessage="Task:*" | stats by info.entityName fullFormattedMessage info.entity.type info.queueTime userName vm.name computeResource.name createdTime info.task.moid | sort createdTime | table info.entityName fullFormattedMessage info.entity.type info.queueTime userName vm.name computeResource.name createdTime info.task.moid

# search 2
index=vmware-taskevent sourcetype="vmware_inframon:tasks" | stats by entityName name queueTime startTime completeTime entity.type state reason.userName task.moid | table entityName name queueTime startTime completeTime entity.type state reason.userName task.moid

There are common results from fields but not common field names. I.e. sourcetype=vmware_inframon:events has 'info.task.moid' and sourcetype="vmware_inframon:tasks" has 'task.moid', and the results from this field match. This is the same for info.entityName and entityName.
(Running v9.0.2208 of Splunk Cloud) When I load a dashboard with external URLs in it, they throw up an external content warning. How do I get rid of these? In the version we're running, I cannot update 'Settings > Server settings > Dashboards Trusted Domains List', as I believe that is only available in v9.0.2209. I'm also unable to enable automatic UI updates, which is the fix in the current version. I've tried to create a web-features.conf but am not having any luck. Thanks!
For SOAR v5.3.5 there is a pre-req that /tmp has a minimum of 5Gb free. Does anyone know if the script soar-install can be passed an option not to check disk space? There used to be an option in earlier versions to pass it no-space-check.
Hi All, We have two different on-prem environments, one lower and one higher environment. While promoting the ITSI changes from the lower environment to the higher environment using the ITSI full backup and restore method, I am facing the issues below.
1. I am unable to restore the newly/custom created ITSI Import objects (which are stored under the itsi/local app as part of creating entities from a saved search and setting up a recurring import). As per the documentation, if the savedsearch is stored in itsi/local it is excluded from backup and restore, so what process should I follow to promote this to the higher environment?
2. As part of this backup and restore, by default all the entities are promoted to higher. Is there any way to restrict promoting the entities alone, because the entities change based on the environment?
Thanks in advance
So currently I have a line chart below with a marker for each data point, and here is the code for that:
<option name="charting.chart.showMarkers">true</option>
<option name="charting.chart.markerSize">3</option>
But when I try to increase the marker size it does not work. If anyone has a solution, it would be greatly appreciated. Thanks.
Hello, I have been trying to present Splunk dashboards through frames on my website, and it's not working, as you can see in the picture below. I have seen other people with the same question but no solution was suggested that worked for me. If I try to present the reports, they work fine, but the dashboards don't seem to work. This is my code:
<iframe src="https://MY_SPLUNK_SERVER/en-US/app/MY_APP_NAME/DASHBOARD_NAME?embed=true" width="100%" height="550px" frameborder="0" scrolling="no" ></iframe>
Clearing the cookies and restarting the browsers didn't work, neither did trying a different browser. Does anyone know how to solve this? Or if it's not even possible?
Hello everyone, I have events which contain fields such as user1=..., user2=..., user3=... etc. And I have a lookup which has a column "user" where all users are located.
I have a string like the one below and am unable to extract it accurately with the rex command. Please suggest any alternative way.
_raw----------------
{lable:harish,message: Say something, location:India, state:TS,qual:xyz}
{message: say nothing,lable:harish, location:India, state:TS,qual:xyz}
{lable:harish, location:India, state:TS,qual:xyz,message: say splunk splunk answers}
The message value is at a randomized location and I need to pick the message value. When I try with the command below it is not considering the proper end position. Please suggest.
|rex "message:(?<Message_value>.*)[,|}]" |table Message_Value
Hi, We have been using Splunk Enterprise version 8.1.0 and are planning to upgrade to version 9.x, but there seems to be some sort of an issue. We have a choice tag with collapse and expand options, but that doesn't seem to work when migrating to version 9.0.2 or even 9.0.4, while it works perfectly fine in version 8.1.5. Has anyone faced a similar issue, or is there some workaround to fix this? Regards, Pravin
Hi Guys, So currently I have a line chart on a dashboard which looks like the one below: But I need the line chart to have a bullet point at each data point entry, something like below. If someone could help me out on how I can achieve this, that would be great. Thanks
We have multiple lines within double quotes, and they need to be updated into different field names according to the name we have. All values have to be in separate field names, each value being the one within double quotes. The regex below is working, but it picks all the values and updates them in one field. I am looking for:
1. the value within the first double quotes getting picked into one common field name
2. the value within the second double quotes getting picked into a second common field name
3. the value within the third double quotes getting picked into a third common field name
| rex "\\\"(?<JobId>[^\\\"]+)"
"17449551" "pmqcd1p3" "SAP for Oracle" "PMQ" "N/A" "default" "(Logcommand line)"
e.g. input: CustomerService API call completed in 105 ms. Expected output: Customerservice 105 (in some graphical representation)
Hello, is there any way to get an alert for new errors/exceptions that never happened before? More like, let's say that I have 10 errors/exceptions that happened before; can I get an alert only for the new ones? Also, for the known exceptions, is it possible to set a threshold? I will attach my type of logs.
Hi, In Splunk Enterprise some of our team members are unable to assign a notable to their name. The assign option is not there, and in the drop-down list they are not able to see their name either. With the same level of access, another user is able to assign. Tried clearing the cookies as well.
Hi, We have been trying to write the props for a couple of days. Issue: Splunk is showing a time difference of 4 to 5 hours. Logs are coming from one source with multiple time differences.
Example 1: Splunk time 3:48pm, log time 20:48.
Example 2: Splunk time 2:24pm, log time 18:24.
Time format: 2023-03-10T20:48:11.689534088Z
Please let me know if you have any ideas or solutions that could help us out here!
Would like to know if there is any query available that will tell us the total number of disabled accounts in Active Directory for a given time period and how to get the rate of disablement.
Hi, Trying to figure out how best to send the logs (at least Kubernetes logs, possibly application logs) from an on-prem Kubernetes cluster to on-prem Splunk Enterprise. I have gone through a long list of options such as 'Splunk App for Infrastructure' (EOL), Splunk Connect for Kubernetes (EOL Jan 2024), Splunk Operators v1 and v2, etc. The Splunk OpenTelemetry Collector for Kubernetes would look promising, but if I understood correctly this only works with Observability (cloud) and is not meant to work with, or supported with, Splunk Enterprise. My question is: what is the best way to ship logs from Splunk to Splunk Enterprise (both on prem)? Currently logging, metrics, traces etc. have not yet been configured on the Kubernetes cluster I am building. Since we use Splunk for centralized log collection, whatever solution it is needs to work with Splunk Enterprise but also ideally be more future-proof than many of the solutions seen previously.