Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I have been able to raise cases previously, but when trying to raise a new case I am not seeing any drop-down options under the "Select Entitlement" option, which stops me from being able to raise a new case.
I am trying to extract the fields in JSON format, but I am not able to fetch the data. PFB screenshot for reference: not able to extract fields. Can anyone help with this? Thanks in advance.
Hello, what proxy rules do I need to allow in order to install apps from Splunkbase? Which URLs do I need to allow? Is https://*splunk.com* sufficient? Thanks in advance, Ran
The timezone on my Splunk indexer is GMT and the Windows machine is PST. I found that the metadata from Windows Event Logs loses the timezone info, so the time in the raw events is 8 hours earlier than `_time`, which is the real time in GMT. The consequence is that all of these logs will be 8 hours earlier than the real time after a `collect` action, as in the following image, which just collects the data into a new index. I want the Windows Event Logs to have timezone info added, or to be able to modify the time info in the Windows Splunk universal forwarder. I have tried changing props.conf on the forwarder and on the indexer, but that changes the timestamp, not the raw events. What's more, I will not change the system timezone on the machine, because unknown problems may be introduced into the systems. Can I change the time info in Windows Event Logs without changing the Windows system timezone?
I am unable to access the SaaS controller; I get a 500 Internal Server Error. How do I resolve it?
We have many use-cases in our environment and have placed them in the hadoop_queues_base.csv file. We would like to check whether dashboards and alerts are configured for specific use-cases. Is there any way to sort and find out which dashboards and alerts are associated with the use-cases?
I want to connect Splunk Enterprise, configured in an Azure VM, and O11y Cloud through Log Observer Connect. I tried the Log Observer Connect connection, but it does not connect, as shown in the attachment. I applied all the information on the 'Set Up Service Account' page. I created and applied Enterprise's own certificate by referring to the Splunk documentation. The port 8089 inbound/outbound policy is also applied on the Azure VM. I want to know how to solve it. Please answer my question.
Does Python 3.9.2 not work with Splunk SDK 1.7.2? I am creating the connection with this:

    service = client.connect(host=host, port=port, token=token)

using all the values (host, port, token) that work with a curl (-H) command. This is the error I'm getting:

    Traceback (most recent call last):
      File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/binding.py", line 292, in wrapper
        return request_fun(self, *args, **kwargs)
      File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/binding.py", line 73, in new_f
        val = f(*args, **kwargs)
      File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/binding.py", line 699, in get
        response = self.http.get(path, all_headers, **query)
      File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/binding.py", line 1232, in get
        return self.request(url, { 'method': "GET", 'headers': headers })
      File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/binding.py", line 1304, in request
        raise HTTPError(response)
    splunklib.binding.HTTPError: HTTP 401 Unauthorized -- call not properly authenticated

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/home/anonymous/xxxx.py", line 48, in <module>
        for app in service.apps:
      File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/client.py", line 1411, in __iter__
        for item in self.iter(**kwargs):
      File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/client.py", line 1574, in iter
        response = self.get(count=pagesize or count, offset=offset, **kwargs)
      File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/client.py", line 1804, in get
        return super(Collection, self).get(name, owner, app, sharing, **query)
      File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/client.py", line 862, in get
        return self.service.get(path,
      File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/binding.py", line 304, in wrapper
        raise AuthenticationError(
    splunklib.binding.AuthenticationError: Request failed: Session is not logged in.

Is it the Python version, or something to do with my search head host using `https`?
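Added example (editor's code, not the poster's script and not part of the Splunk SDK) illustrating the credential-type distinction behind a 401 like the one above. In splunk-sdk-python, `connect(token=...)` is for a session key, which the SDK sends as `Authorization: Splunk <key>`; an authentication token created under Settings > Tokens is a JWT and must be passed as `splunkToken=...` so the SDK sends `Authorization: Bearer <jwt>`. A JWT handed to `token=` goes out with the `Splunk` prefix and splunkd rejects it with 401, after which the SDK raises `AuthenticationError`. Whether that is the poster's situation is an assumption (a curl `-H "Authorization: Bearer ..."` working is consistent with it). The header-building helper mirrors the SDK's logic so it can be checked offline; `connect()` only calls `splunklib.client.connect` with the matching keyword, and the host, port and scheme are placeholders.

```python
"""Pick the right splunklib authentication keyword for a credential.

Added example; helpers are stdlib-only so they run without the SDK.
"""
import base64
import json
import re

_B64URL_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def looks_like_splunk_jwt(credential: str) -> bool:
    """True for a Splunk HTTP authentication token (a JWT): three base64url
    segments separated by dots whose first segment decodes to a JSON header
    carrying an 'alg' claim. A session key is an opaque single string."""
    parts = credential.split(".")
    if len(parts) != 3 or not all(_B64URL_SEGMENT.match(p) for p in parts):
        return False
    try:
        padding = "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(parts[0] + padding))
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueErrors
        return False
    return isinstance(header, dict) and "alg" in header


def authorization_header(token: str = None, splunk_token: str = None) -> str:
    """Mirror of the Authorization value splunklib builds in binding.Context:
    splunkToken= -> 'Bearer <jwt>'; token= -> 'Splunk <session key>'."""
    if splunk_token:
        return "Bearer " + splunk_token
    if token:
        return token if token.startswith("Splunk ") else "Splunk " + token
    raise ValueError("no credential supplied")


def connect_kwargs(host: str, port: int, credential: str, scheme: str = "https") -> dict:
    """Keyword arguments for splunklib.client.connect() matching the credential type."""
    kwargs = {"host": host, "port": port, "scheme": scheme}
    if looks_like_splunk_jwt(credential):
        kwargs["splunkToken"] = credential   # sent as Authorization: Bearer <jwt>
    else:
        kwargs["token"] = credential         # sent as Authorization: Splunk <session key>
    return kwargs


def connect(host: str, port: int, credential: str, scheme: str = "https"):
    """Open a Service with the SDK (requires the splunk-sdk package)."""
    import splunklib.client as client
    return client.connect(**connect_kwargs(host, port, credential, scheme))


if __name__ == "__main__":
    # Placeholder values; a real run needs a reachable search head.
    demo_jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9.c2ln"
    print(connect_kwargs("searchhead.example.internal", 8089, demo_jwt))
    print(authorization_header(splunk_token=demo_jwt))
```

The JWT check is a heuristic on shape only; it does not validate the signature, which only splunkd can do. If both forms are rejected, the remaining causes are the token itself (expired, disabled, issued on a different instance) rather than the Python version.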
Hello everyone, I am new to Splunk. I want to create a report that displays the value of a particular field from the Windows Registry. I have user-level access to Splunk Cloud. In the Splunk documentation, I found the following method to achieve what I am looking to do: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorWindowsregistrydata However, I don't see the Add Data/Data Input options mentioned in the link for getting Windows registry data. My question is, how do I see those options? Do I need a higher level of access, like Admin or something similar? Please advise.
I created an outputlookup file with just one column: ...My search | table D_ID | outputlookup Total.csv I want to use the data in a new search, like a subsearch, but the results are 0 while I am certain the events exist. Is there also a max limit when using inputlookup? ...My search [| inputlookup Total.csv]
Hi, we have a requirement to pull data from a third-party AWS account. The third-party provider will push the data to an S3 bucket in their AWS account, and we are looking to pull that into an on-prem Splunk instance. There is an AWS Splunk add-on on Splunkbase; are we able to use this add-on to pull data from a third-party AWS account, and if so, how is it authenticated against the third-party account? Please point me to any documentation available.
Hello, why do some dropdowns have a filter box and others don't? Are there options on the <input type="dropdown"...> tag that need to be set? What other options are available for dropdowns? Thanks and God bless, Genesius
does this affect anything typically? I ask this because I have apps that I downloaded from Splunkbase and put into /opt/splunk/etc/shcluster/apps and ran the recommended command, but those apps aren't showing up under apps on any of the SHs in my cluster.
Hello everyone, I am trying to find outliers in connection duration on a specific subnet, but I am having trouble getting the outliers part to show any results. I want to get the average duration of all traffic connections from a subnet (or list of IPs) by source IP and application, so I am grabbing the average of connections in a 15m bin. After evaluating the outliers I want to display the time bin, sourceIP, application, AvgDuration and Outlier. I have tried the following 2 queries so far and neither gives results:

1. index=firewall sourceip=10.0.0.1/24
   | bin span=15m _time
   | stats avg(duration) AS AvgTotal by sourceip, _time, app
   | eval outlier=if(duration>AvgTotal*3,1,0)
   | table _time sourceip app AvgDuration outlier

2. index=firewall sourceip=10.1.11.1
   | timechart span=15m avg(duration) AS AvgDuration by sourceip, _time, app
   | eval outlier=if(duration>AvgDuration*3,1,0)
   | table _time sourceip app AvgDuration outlier

This is just a test query I am trying, with plans to build on it. I think there is something wrong in how I am calling the table. What am I doing wrong in the 2 queries?
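Added example (editor's code, not the poster's query) showing the per-bin average and 3x-average outlier computation over constructed sample firewall events, so the expected output shape can be seen offline. The relevant SPL fact: `stats` emits only its aggregate and by-fields, so the per-event `duration` no longer exists when the `eval` runs; `eventstats` attaches the average to every event instead and keeps `duration`. The Python below keeps both values side by side the way `eventstats` would. The sample events, subnet, span and factor are constructed for illustration.

```python
"""Average connection duration per 15-minute bin, source IP and app, with a
3x-average outlier flag. Added example over constructed sample events."""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Constructed sample events: (timestamp, sourceip, app, duration in seconds).
SAMPLE_EVENTS = [
    ("2024-01-01T00:01:00Z", "10.0.0.5",  "ssh",    10),
    ("2024-01-01T00:02:00Z", "10.0.0.5",  "https",   5),
    ("2024-01-01T00:03:00Z", "10.0.0.5",  "ssh",    12),
    ("2024-01-01T00:04:00Z", "10.0.0.5",  "https",   6),
    ("2024-01-01T00:05:00Z", "10.0.0.5",  "ssh",    11),
    ("2024-01-01T00:09:00Z", "10.0.0.5",  "ssh",   100),   # long-lived session in the same bin
    ("2024-01-01T00:16:00Z", "10.0.0.7",  "ssh",    20),
    ("2024-01-01T00:17:00Z", "10.1.11.1", "ssh",  9999),   # outside the subnet filter, ignored
    ("2024-01-01T00:18:00Z", "10.0.0.7",  "ssh",    20),
    ("2024-01-01T00:20:00Z", "10.0.0.7",  "ssh",   500),   # large, but under 3x the bin average
]


def to_epoch(ts: str) -> int:
    """Parse an ISO-8601 UTC timestamp to epoch seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def time_bin(epoch: int, span: int = 900) -> int:
    """Equivalent of `bin span=15m _time`: floor to the span boundary."""
    return epoch - epoch % span


def find_outliers(events, subnet: str = "10.0.0.0/24", span: int = 900, factor: float = 3.0):
    """Return one row per event in `subnet` with the bin average attached
    (the eventstats shape) and outlier=1 when duration > factor * average."""
    net = ipaddress.ip_network(subnet)
    groups = defaultdict(list)
    for ts, ip, app, duration in events:
        if ipaddress.ip_address(ip) not in net:
            continue
        groups[(time_bin(to_epoch(ts), span), ip, app)].append(duration)

    rows = []
    for (bucket, ip, app), durations in sorted(groups.items()):
        avg = sum(durations) / len(durations)
        for duration in durations:
            rows.append({
                "_time": bucket, "sourceip": ip, "app": app,
                "duration": duration, "AvgDuration": round(avg, 2),
                "outlier": 1 if duration > factor * avg else 0,
            })
    return rows


def outliers_only(events, **kwargs):
    """Just the flagged rows, i.e. what `| where outlier=1` would keep."""
    return [row for row in find_outliers(events, **kwargs) if row["outlier"]]


if __name__ == "__main__":
    for row in find_outliers(SAMPLE_EVENTS):
        print(row)
```

Note that a per-bin average is pulled up by the very outlier being tested (the 500-second connection is 93% of its bin's total and still escapes the 3x test), so in practice the baseline is usually computed over a longer window or with a median/MAD rather than the same 15-minute bin.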
FW: [ DOC 45 ] DTP: DEMO XXX CCC | 20147
I want to extract the number after the pipe as a field named "data". What is the regex?
Hello, I'm working in Dashboard Studio. I have a drop-down to choose a store and show a chart related to this store. For the drop-down, the label is the name of the store and the value (used in the search) is the number. I want to put a title with the name (label) of the store, but if I use the token, it's the value (the store number) that is printed. Does anybody know how to print the label (and not the value) in Dashboard Studio?
Hi, I am formatting data as required and getting it in the format below. Now I want to calculate the average of only the fields highlighted in green, i.e. Q1_score PREPAID, Q2_score PREPAID, Q1_score CONSUMER and so on. For example, the Q1_score CONSUMER, Count by Segment value should be 4.50. This is the last piece of my query:

    | addcoltotals COUNT* Q1* Q2* Q3* Total
    | eval Month=coalesce(Month, "Count by Segment")

Please suggest.
So, I want to split the path into multiple events so that I can count whatever I want to count, like active or dev or usa etc. We have a few paths, i.e. the ones below:

    path=/dev/site/usa/active
    path=/prod/site/usa/inactive
    path=/dev/site/Germany/cleaning
    path=/qa/site/Austria/maintenancemode

So now I want to count each of active by usa, dev, then I want to get the top 5 counts of it. In the results I want to see the bar graph showing active, cleaning, maintenancemode instead of the whole path. Note: I don't have backend access.
Hello, I have a table with the following:

    host  HOST  FQDN  DNS_NAME  HOST_MATCH  INDEX
    hostalpha  hosta.mydomain.com  hosta  false  index_a
    hosta  host  -  true  index_b

Created from the following search:

    base_search
    | rex field=FQDN "^(?<DNS_NAME>[^.]+)\..*$"
    | fillnull value="-" DNS_NAME
    | eval HOST_MATCH=if(host='DNS_NAME',"true","false")

How would I do the following:
1. If HOST != DNS_NAME, make HOST = DNS_NAME
2. If DNS_NAME = "-", make DNS_NAME = HOST
Thanks!
Hello, I would like to uninstall Splunk on my Windows machine. Do I need to stop the service first and then uninstall the program from Control Panel, or can I directly uninstall it? Can someone please help me with this? Thanks