Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi, I have a policy.csv file with 2 columns:

user    tags
Andre   IT
Kleo    Management
Vlad    Finance

And I also have an index=events with events and a field "user". What I want is to count the number of events for each tag by user. For example:

User    Tags    Count
Andre   IT      55

I've tried this, but it counts the number of rows from the csv, not from the index:

| inputlookup policy.csv | join type=left tags [| tstats count where index=events by user] | stats count by user tags
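One way to get the counts from the index rather than from the CSV, as an added example that is not part of the original post: start from the events with tstats, enrich each user with its tag from the lookup, then aggregate. It assumes policy.csv has been uploaded as a lookup table file visible to the app the search runs in, and that the user values in the CSV match the indexed user field exactly (lookups are case-sensitive by default).

```spl
| tstats count where index=events by user
| lookup policy.csv user OUTPUT tags
| fillnull value="untagged" tags
| stats sum(count) as Count by user tags
| rename user as User, tags as Tags
| table User Tags Count
```

The join in the original runs the lookup first, so the inner stats counts CSV rows. Putting tstats first makes the event count the thing being aggregated; fillnull keeps users that have no row in policy.csv instead of silently dropping them, which matters if the CSV is an authorisation policy and you want to see who falls outside it.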
Hi, I have a query that is searching over 4 different indexes (AIBA, AIBC, AIBP, AIBX) as follows:

index=AIB* "Windows" EventCode="*" | stats count as NumOfLogs by dvc_NodeName | sort - NumOfLogs | eval Host = dvc_NodeName | table Host , NumOfLogs, index

However, I need one of the fields on the outputted table to be "Index", but nothing is currently outputted in my current query. Can you please help? Thanks as always!
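The index column is empty because stats only carries forward its aggregate and its by-fields; anything else, including index, is gone after the stats line. As an added example (not from the original post), splitting by index as well keeps it available for the table:

```spl
index=AIB* "Windows" EventCode="*"
| stats count as NumOfLogs by dvc_NodeName index
| sort - NumOfLogs
| rename dvc_NodeName as Host, index as Index
| table Host NumOfLogs Index
```

Note that adding index to the by-clause produces one row per host per index, so a host that logs into two of the AIB* indexes appears twice. If a single row per host is wanted instead, use `values(index) as Index` as an extra aggregate while keeping `by dvc_NodeName` alone.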
Hi all, I want to get data from an xml file from a selected source (e.g. Source_A, Source_B, ...). When there is no data found in the xml file, is it possible to get data from the referenced xml sources and pick the latest one to display the data? The referenced sources are in a text file in the same location as the selected source. The structure of folders looks like this:

D:\datasource\<source_name>\release.xml
D:\datasource\<source_name>\referenced_sources.txt

The referenced_sources text file contains values separated by commas. Example: Source_A,Source_B

And my current SPL to retrieve data is:

index=sample_index source=*$selected_source$* source="*.xml"

Thanks in advance
I have the current search:

index="intau_workfusion" host=* sourcetype="services_status.out.log" service="HTTP/1.1" status=* | chart count by status

When I run it and save it as a pie chart I am able to get the percentage of the different status codes, but I want it in table format, and I can't divide by the total when doing my eval on status as all the other status codes still fall under "status". How can I solve this?
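The total is not available to eval because after `chart count by status` each row only knows its own count. As an added example (not from the original post), eventstats attaches the grand total to every row without collapsing them, which is what the percentage needs:

```spl
index="intau_workfusion" sourcetype="services_status.out.log" service="HTTP/1.1" status=*
| stats count by status
| eventstats sum(count) as total
| eval percent=round(100*count/total, 2)
| sort - count
| table status count percent
```

`host=*` from the original is dropped only because it matches everything; the status filter `status=*` is kept so that events with no status field do not inflate the total. Check the percent column sums to 100 (within rounding) as a quick sanity test.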
Hello! I'm trying to make a timechart, day wise, of action by unique user for the proxy logs like the one below, but I'm unable to add the action field as a column. Below is the query I built. Please suggest a command to achieve this requirement.

_time                          Action     Raj  Jane  Tom
2023-03-11T00:00:00.000+0000   Permitted  1    1     1
2023-03-11T00:00:00.000+0000   Block      0    2     4

The query that was built generates the above result without the action column:

| from datamodel:web | timechart span=1d count(actions) as Actions by user useother=0 limit=10 | addcoltotals
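timechart can split by only one field, so a second dimension has to be folded into the row key. One way, as an added example that is not part of the original post: bucket by day, count per day/action/user, then chart over a combined day+action key with users as columns and split the key back out afterwards. It assumes the Web data model exposes the fields `action` and `user` (the original uses `actions`, which is assumed here to be a typo for `action`).

```spl
| from datamodel:web
| bin _time span=1d
| stats count by _time action user
| eval day_action=strftime(_time, "%Y-%m-%d")." ".action
| chart sum(count) over day_action by user useother=f limit=10
| rex field=day_action "^(?<Day>\S+) (?<Action>.+)$"
| fields - day_action
| table Day Action *
| addcoltotals
```

Users who were not seen on a given day/action get an empty cell rather than 0; add `| fillnull value=0` before addcoltotals if zeros are preferred, as in the example table. `limit=10` keeps the ten most active users as columns, which is the same cap the original timechart used.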
What is the minimal set of permissions for users to create Splunk Studio dashboards? Background info: I have users I want to give permissions to create Splunk Studio dashboards, but they can only create classic with their current role set. The only role I have found to give them the ability is admin_all_objects, but this is problematic. There doesn't seem to be a role for this in the Capabilities doc: https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Security/Rolesandcapabilities Thanks Daniel
Hello. I wonder if the path of the splunk scheduling report exists. If the path exists, can I edit the splunk scheduling report there?
I know the KPI Search Schedule can only select the items mentioned in the picture. But in case I want the information to be displayed faster by setting the KPI Search Schedule to less than 1 minute, is there a way to do this?

Or if not, what is the best way to display information on a Glass Table in the fastest way? Because the information on the Glass Table has to wait for the KPI Search Schedule to complete its task, while the raw data has already been uploaded to Splunk before. This causes the Glass Table information to appear slower than the actual data (about 3 minutes according to my observations).

Thank you very much if anyone can help.
I have a problem with Dashboard Studio that flickers when in FULL SCREEN mode from FIT size.

OS: Windows 10
Splunk Version: 9.0.0
Browser: Firefox
Screen Size: 22"
Resolution: 1920 x 1080
Link: splunk-flickering
Hi there, I am running the query below:

base search | rename msg.message as "message", msg.customer as "customer" | stats count as Total, count(eval(isnull(msg.errorCode))) as Success, count(eval(isnotnull(msg.errorCode))) as Error, eval(((Success/Total)*100)."%") as SuccessRate by customer

and I am getting the error below:

Error in 'stats' command: The number of wildcards between field specifier '((Success/Total)*100).%' and rename specifier 'SuccessRate' do not match. Note: empty field specifiers implies all fields, e.g. sum() == sum(*).

Can anyone please tell me where I am wrong? Basically I want to calculate a percent of total successful events here. Thanks!!!
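stats does not accept a bare `eval(...)` as an aggregate; `count(eval(...))` works because the eval is wrapped in an aggregation function, while the SuccessRate term is not, so the parser treats it as a field name with wildcards. The ratio of two aggregates has to be computed in a separate eval after stats. Added example, not from the original post; `base search` stands in for whatever search produced the msg.* fields:

```spl
base search
| rename msg.message as message, msg.customer as customer
| stats count as Total,
        count(eval(isnull('msg.errorCode'))) as Success,
        count(eval(isnotnull('msg.errorCode'))) as Error
        by customer
| eval SuccessRate=round(Success/Total*100, 2)."%"
```

Two details worth checking in the original: field names containing dots must be quoted with single quotes inside eval (`'msg.errorCode'`), otherwise eval reads `msg.errorCode` as the string concatenation of a field `msg` and a field `errorCode`; and isnull/isnotnull are complementary, so Success + Error should always equal Total, which is a quick way to confirm the counts are right.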
Hi, I want to use Splunk for logs for Heroku apps. How do I integrate Splunk with Heroku? Can you please help me with the implementation.
index=mail | dedup MessageTraceId | dedup MessageId | dedup subject | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match | where isnull(domain_match) | lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 | where isnotnull(domain_match2) | table RecipientDomain SenderAddress RecipientAddress Subject Received

Hi, these 3 lines are not working for this query. Please help.

| where mvcountRecipientAddress=1 | eval subject_count=mvcount(Subject) | sort - subject_count
I have an AIX 5.3 system for which I want to install the Splunk forwarder agent, but I see on the Splunk website that forwarder software is not available for this version of the operating system. Request you to let me know if you can provide me with an old version of Splunk software from any Splunk repo which is compatible with AIX 5.3 OS.
Hello Splunkers!!

I want a list of dashboards and which saved searches & macros those dashboards are using. How can I achieve those details by using the rest command? So far I have tried the one below but am not getting the exact result.

| rest /servicesNS/-/-/data/ui/views splunk_server=local | table author eai:acl.app id eai:data title
{"Organization": "groupxyz.onmicrosoft.com", "MessageId": "<12345678>", "Received": "2023-03-13T01:56:22.9207071", "SenderAddress": "bca@bca.com", "RecipientAddress": "dlf@g.com", "Subject": "12312312332231'", "Status": "Delivered", "ToIP": "111.1.11.1", "FromIP": "12.23.4.2.23232", "Size": 2022121, "MessageTraceId": "4f74644747749djhrhfbf", "Index": 0}

Hi, this is my raw data; how can I show it in a table in a nice format? index=mail. Please help with: RecipientDomain sender recipient subject Earliest Latest
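The two index=mail posts above ask for the same pipeline: derive RecipientDomain from the address, filter out allow-listed domains, keep only free mail provider domains, and summarise per sender with earliest/latest. As an added example that is not part of either post, the search below does that and also repairs the three failing lines from the earlier post: `mvcount` needs parentheses, and `mvcount(Subject)` is always 1 on a single event, so the subject count has to come from stats across events. It assumes the lookups `email_domain_whitelist` and `all_email_provider_domains` exist with a `domain` column in lowercase, and that the JSON fields are already extracted (the raw event is JSON, so KV_MODE=json or INDEXED_EXTRACTIONS handles that).

```spl
index=mail
| dedup MessageTraceId
| eval RecipientDomain=lower(replace(RecipientAddress, "^.*@", ""))
| lookup email_domain_whitelist domain AS RecipientDomain OUTPUT domain AS domain_match
| where isnull(domain_match)
| lookup all_email_provider_domains domain AS RecipientDomain OUTPUT domain AS domain_match2
| where isnotnull(domain_match2)
| where mvcount(RecipientAddress)=1
| stats earliest(Received) as Earliest, latest(Received) as Latest,
        dc(Subject) as subject_count, values(Subject) as Subject, count as messages
        by SenderAddress RecipientDomain
| sort - subject_count
| table RecipientDomain SenderAddress messages subject_count Subject Earliest Latest
```

The original chained three dedups (MessageTraceId, MessageId, subject); dedup on subject discards distinct messages that happen to share a subject line, which hides exactly the repeated-sends pattern a sender-to-webmail review is usually looking for, so only the trace id dedup is kept here. A high subject_count from one internal sender to one consumer mail domain is the row worth reading first.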
Hello. How can I trigger an alert after checking the results for 3 minutes? So for example, if I want the alert to trigger if count>1, I would like to check for 3 minutes if count>1 and only then raise the alert. How can I do it?
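One way to require the condition to hold for three consecutive minutes, as an added example that is not part of the original post: bucket the last three whole minutes, evaluate the threshold per minute, and only return a result when all three minutes pass. The alert is then scheduled every minute (cron `* * * * *`) with the trigger condition "number of results is greater than 0". `index=events sourcetype=my_source` is a placeholder for the poster's actual search.

```spl
index=events sourcetype=my_source earliest=-3m@m latest=@m
| bin _time span=1m
| stats count by _time
| where count>1
| stats count as minutes_over_threshold
| where minutes_over_threshold=3
```

A minute with no events at all produces no bucket, so it correctly fails the check rather than counting as a pass. Because a sustained condition would otherwise fire again every minute, set alert throttling (suppress for at least 3 minutes) on the saved alert, and use snapped boundaries (`@m`) so the three buckets are full minutes rather than partial ones at the edges.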
I have a kvstore which is populated with data by API. When I use `| lookup mylookup id output data` it's working. I want to convert it to an automatic lookup on some index, but it's not working. Any idea why?
Good morning. I'm trying to download Splunk and start it on my terminal but I keep getting this error:

Exception: <class 'PermissionError'>, Value: [Errno 13] Permission denied: '/opt/splunk/etc/system/local/eventtypes.conf.tmp'
PermissionError: [Errno 13] Permission denied: '/opt/splunk/etc/system/local/eventtypes.conf.tmp'

Please help!
Hello Splunkers!!

I have two fields and I want to concatenate both fields.

Location : 3102.01.03
element : S82(=3102+LCC60-550S5)

And I want as a result: 3102.01.03.S82(=3102+LCC60-550S5)

I have tried Location.".".element but it is not working properly. Please suggest a fix or workaround.
Hello Splunkers!!

I have the value below:

S000081(=00003102+LCC000060-0000550S00003)

I want to replace the above value with S81(=3102+LCC60-550S3). That means wherever the digit 0 appears four times in a row, I want to remove those digits.

Thanks in advance
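The two posts above (concatenating Location and element, and stripping runs of four zeros from element) are both eval string handling, so one added example covers both; it is not part of either post and uses `makeresults` with a constructed row so it can be run as-is and compared against the expected values.

```spl
| makeresults
| eval Location="3102.01.03", element="S000081(=00003102+LCC000060-0000550S00003)"
| eval element_short=replace(element, "0{4}", "")
| eval element_lz=replace(element, "(?<!\d)0+(?=\d)", "")
| eval result=coalesce(Location, "").".".coalesce(element_short, "")
| table Location element element_short element_lz result
```

Expected on that row: element_short and element_lz are both `S81(=3102+LCC60-550S3)`, and result is `3102.01.03.S81(=3102+LCC60-550S3)`. The two regexes differ on inputs the post does not show: `0{4}` removes exactly four zeros per match, so a run of five leaves one behind, while `(?<!\d)0+(?=\d)` strips all leading zeros from each number and is the safer reading if the real intent is "drop zero padding". Do not apply either to Location, since `3102.01.03` would become `3102.1.3`. For the concatenation, a null operand makes the whole eval expression null, which is the usual reason `Location.".".element` appears "not to work" on some rows; coalesce guards against that.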