Getting an error in HF: the user splunk has rwx on the snmp_ta app. I am not sure what the issue is here. The team configured the host and port. Message from "python SPLUNK_HOME/splunk/etc/apps/snmp_ta/bin/snmp.py": Failed to register transport and run dispatcher: bind() for (u'*', *) failed: [Errno 13] Permission denied snmp_stanza:snmp://cisco_prime. Any help is appreciated. Thanks.
1. What are the steps to add a new indexer through the Web UI? 2. What are the steps to remove indexers from a cluster? 3. What happens to the data in the indexers which are removed, and if data is lost, how do we recover it? Thanks in advance.
Does anyone have examples of how to use Splunk to measure application availability?
Does anyone have examples of how to use Splunk to measure continuous delivery duration?
Does anyone have examples of how to use Splunk to monitor cloud VM memory usage?
We have the Splunk Add-on for AWS installed on one of the HFs. Can we install the same add-on on another HF and create the same inputs, so that when one of the HFs is down the other sends the data? Is this possible, or is there any other workaround for this? Thanks in advance.
I want to have 3 fields in the below unstructured data. I need props.conf for the below data. The 1st is always the heading, the 2nd is always the paragraph words, and the 3rd is always the URL. The first line is the heading, followed by:

Tesco and Marks & Spencer set for market spotlight as investors continue to gauge Christmas retail results
1. ----> **first line is in first new column**
Whether or not there are any more acquisition stories, food retail will be very much in focus on Thursday as Tesco and M&S release Christmas trading updates. "slightly" higher than expectations thanks to a variety of factors, including its opinion splitting vegan products.
2. >>>>>> next text as a word, 2nd column
Link: https://www.proactiveinvestors.co.uk/companies/news/910189/tesco-and-marks--spencer-set-for-market-spotlight-as-investors-continue-to-gauge-christmas-retail-results-910189.html
3. >>>>> as URL field, 3rd new column

Lidl plans 50 new stores a year in France
1. ----> **first line is in new field**
Between 2010 and 2018, Lidl saw its market share in France rise steadily to more than 6 %. The discounter is not satisfied yet however, and aims to open dozens of new stores every year in the foreseeable future. Strategy pays off In 2012, Lidl changed its strategy in France radically: since then, the discounter invested a whopping 4.5 billion euros in expanding its stores, but barely changed its product range. As a reward, last year the chain passed the 6 % market share milestone and has, according to Kantar, already moved up to 6.2 %. In the past decade, the turnover increased by 4.5 % each year. Expansion not over yet
2. >>>>>> next text as a word
Link: https://www.retaildetail.eu/en/news/food/lidl-plans-50-new-stores-year-france
3. >>>>> as URL field
Hello Splunkers, Where do I go to leave feedback or suggestions for Splunk? I have the following suggestion but don't know where to send it. Hello Splunk, It would be very helpful if there were a way to do some of the CLI commands from the web interface. This is the primary way even our administrators interact with Splunk and for security reasons there is almost no remote access to the Splunk server. This makes entering CLI commands a big hassle. One example of something it would be nice to do with a button (maybe on the "Server Controls" page) is reloading the deployment server. We are constantly tweaking the inputs for our workstations and a button to push out the updated conf files would save us a ton of hassle. https://answers.splunk.com/answers/247605/why-is-the-deployment-server-not-pushing-updated-i.html
Hello Guys, I am very new to Splunk and am trying to configure a UF to send data to an indexer on port 9997. I have enabled the receiver on the indexer instance. I have added [tcp://....DC IP Address:9997] and index = indexname in the inputs.conf file for the UF, found in $SPLUNK_HOME$/etc/system/local. I restarted the splunkd service but am not getting any data coming to the specified indexer. The firewalls are OFF on the server. The indexer and UF are installed on the same server, and this server is part of the domain controller. I apologize if I am not able to provide all the details, as I do not have much understanding of it. Please let me know if you require any more information. Also, when I try to stop the splunkd service, I get Error 1035, but the service stops and I can start it again. Any help is much appreciated. Thank You!
We have an alert to notify users through an e-mail whenever there is an OutOfMemory on the server. We recently added a log alert action to run a script that restarts the server as soon as the alert triggers. Since then, whenever the alert triggers and sends an email, it doesn't include "Link to results", "Trigger Conditions" and "inline", even though they are included to send through email in the alert.
Hi, We are reaching 100% of disk space for frozen data. I wanted to know how we can move the data to a bigger disk without turning off the Splunk indexers?
EXAMPLE TABLE/STATS:

field_1   field_2
012       blah1
345       blah2
ABC       blah3
678       blah4

DESIRED OUTPUT:

new_field
012 / blah1
345 / blah2
ABC / blah3
678 / blah4
Hi, I've been trying to install the CIM app since yesterday. I can't find it in "More Apps" and I can't manually install it in the "Manage Apps" window. I have a school project: I can get data from an instance and detect a brute force attack, but I have to try to detect Tor Browser usage. I tried the Network Behavior Analytics App; it looks for CIM-compliant data within Splunk. I have Tor installed on the instance and I want the app to detect it. Which logs do I have to index, and how? DNS logs, web logs? Is there any other way I can ensure my data is being indexed correctly?
Does anyone have examples of how to use Splunk to track application errors?
Hi all, I need to know if there is any kind of incompatibilities/problems between maintenance mode and smart store while doing a splunk update process. Thanks in advance.
Does anyone have examples of how to use Splunk to monitor containers?
Hello, We'd like to provide a basic dashboard to our analysts to help them search the information in an asset lookup based on its name, IP or MAC address. By default we'd like to use a wildcard with the text input (in case of multiple values in the field), but we'd like to leave an option to suppress the wildcard as well. For this purpose we use a radio button. Here is our dashboard:

<form>
  <label>Asset Info</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="input">
      <label>Name, IP or Mac</label>
      <default></default>
    </input>
    <input type="radio" token="field1" searchWhenChanged="true">
      <label>Exact Value</label>
      <choice value="Yes">Yes</choice>
      <choice value="No">No</choice>
      <change>
        <condition value="No">
          <set token="myseaerch">| inputlookup assets_info.csv | search name=*$input$* OR ip=*$input$* OR mac=*$input$* | table name, ip, mac, zone, classification, status, os, serial_number</set>
        </condition>
        <condition value="Yes">
          <set token="myseaerch">| inputlookup assets_info.csv | search name=$input$ OR ip=$input$ OR mac=$input$ | table name, ip, mac, zone, classification, status, os, serial_number</set>
        </condition>
      </change>
      <initialValue>No</initialValue>
      <default>No</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Asset Info</title>
        <search>
          <query>$myseaerch$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Unfortunately, for some reason we need to reselect a radio button every time we want to resubmit the search. I mean, we can't just leave it in the "No" position and resubmit a search with a new text input, but have to switch to "Yes" and then back to "No" in order to make it work. Do you have any idea what the issue is caused by and how it could be fixed? Thanks for the help.
Does anyone have examples of how to use Splunk to find out which parts of your application are most used?
Hello all, I'm using a Correlation Search to create a Log Event as described here: hxxps://docs.splunk.com/Documentation/Splunk/7.2.6/Alert/LogEvents. Whilst it works, I can't figure out how to get more information into the "Event text" other than free text. I would like to include some data from the original correlation search. The idea is that it would trigger on a port scanning correlation, for example, and create "Port scan from x.x.x.x". Then there would be another search that picks up that event and correlates it with vuln scanning, etc.
Hi all, I have a search that filters results based on a lookup file. Is there a simple way that I can add the match from the lookup file to the table/results?

index=web [| inputlookup HighRiskWords.csv | eval HighRiskWords="*"+HighRiskWords+"*" | rename HighRiskWords as web_Search] | stats count by web_Search, web_User, _time

It would be great to have the final piece of the search be: web_Search, {web_MatchingLookup}, web_User, _time. Thanks!