All Topics

index=* ("ORC from FCS completed" OR "ORC from SDS completed." OR "ORC from ROUTER completed") namespace IN ("dk1692-b","dk1399-b","dk1371-b") | eval dk1692=if(searchmatch("\"ORC from ROUTER completed\" namespace=dk1692-b"),1,0) | eval dk1399=if(searchmatch("\"ORC from SDS completed\" namespace=dk1399-b"),1,0) | eval dk1371=if(searchmatch("\"ORC from FCS completed\" namespace=dk1371-b"),1,0) | stats sum(dk*) as dk* | search dk1692>90 OR dk1399>60 OR dk1371>60

I am getting the attached output.

Problem statement: I would like to set up an alert whenever a specific namespace **bleep** goes below its threshold, which is mentioned in the search query.
For ES, can someone recommend a threat intel feed of malicious IP addresses that contains the IP along with a reputation score / category?

Most of the free IP-based feeds contain a list of IPs, but a lot of IPs in the list are false positives.
Getting the below DB error in Splunk. Please help to fix this issue.

ERROR ChunkedExternProcessor [11770 ChunkedExternProcessorStderrLogger] - stderr: BrokenPipeError: [Errno 32] Broken pipe
Hello All, I'm new to Splunk. I wanted to move the app bar from the top to the left, and also change the icon position. Please guide me on how I can achieve this. My Splunk version is 8.0.5.
I'm going to upgrade Splunk Enterprise to version 8.2.10, as per the instructions at https://advisory.splunk.com/advisories/SVD-2023-0209. However, I cannot find the download for version 8.2.10; it seems to have been removed from the previous releases. Any idea about this? Thanks!
I need a dropdown, and when I select one option only the related panels should display; all the other panels should not display. I have 7 panels (panel1, panel2 ... panel7), and I need one dropdown with 3 options (appID, appname, appdetails) in it.

If I select appID from the dropdown, 3 panels should display (panel1, panel2 and panel3).
If I select appname from the dropdown, 2 panels should display (panel4, panel5).
If I select appdetails from the dropdown, 2 panels should display (panel6, panel7).

Please help me with this.
index=cat

Name Place ID
jack delhi 1
jill melbourne 2

index=dog

Country number
Australia 2
India 1

The ID field in cat and the number field in dog are the same. I need the output below:

Name Place ID Country
jack delhi 1 India
jill melbourne 2 Australia
Hi,

We have a set of indexers with no public IPs behind an AWS NLB. We would like to use AWS certificates that terminate on the NLB. We have the ACM pem certificate and the CA (you can't get the private key). We tested it using OpenSSL and it is working using the CAfile.

How can I configure my UF to use SSL with only the destination pem and CAfile?

Thanks
How do I perform a Splunk search for local accounts in the OpenStack tenant (and audit) logs? Thanks
Using Splunk Enterprise 8.2.5 and trying to match a string of repeating characters in my events. For example, from the log file I'm ingesting:

INFO - Service Started
DEBUG - Service suspended

So I was testing this as follows, but the field mylevel is not extracted:

| makeresults | eval msg="info"| rex field=msg "(?<mylevel>\w{4-5})" | table mylevel

This works though:

| makeresults | eval msg="info"| rex field=msg "(?<mylevel>(\w{4})|(\w{5}))" | table mylevel

What is incorrect/wrong with my usage of this?

\w{4-5}
Hi All,

I have a couple of questions regarding embedded reports. I'm looking to use them to provide an iframe to teams that want to include the service status of IT systems in their pages (e.g. websites, Service Management tools, digital signage), so I'm looking to have one report as it will cover all the requirements. I'm having two challenges though:

We are Splunk Cloud and the 20 row table limit is a pain, as we have more than 20 IT Services. Does anyone know if this can be increased?

When you disable embedding and, after making a change, re-enable it, the URL is different. Does anyone know if you can stop this or map it to a friendly URL? If I'm going to provide it to multiple teams it will be a pain to give them a new URL whenever we have to make a change.

Cheers in advance,
Andy
Hello, I've seen in the documentation that default MetricsSets have a standard set of metrics, and that these include `workflows` metrics, for example those shown in the above linked documentation:

I've searched metrics in our new Splunk Observability, and I don't see any workflows metrics. Is this normal? Is there anything I need to enable? I'm using an OpenTelemetry Jenkins plugin, and other metrics are being received, but I don't see any workflows metrics, even though other docs I've seen that use the same plugin seem to utilise these workflows metrics.
Greetings! We are trying to integrate Splunk Cloud with Flexera SaaS Manager. We checked directly in Flexera and there isn't a direct integration. Is there a way/process that we can follow to do the integration? Thanks in advance!
Hello Splunkers,

I am trying to find the uptime of hosts by calculating the difference between the latest event for that host and the last time it booted. The following event describes that the particular host has been booted:

2023-02-24T08:58:38.796336-08:00 hostabc kernel: [ 0.000000] Linux version 5.15.0-58-generic (buildd@lcy02-amd64-101) (gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 (Ubuntu 5.15.0-58.64-generic 5.15.74)

The following event is the latest event of that host:

2023-02-24T14:04:51.115717-08:00 hostabc sssd_nss[248054]: Starting up

Firstly, I want to get the difference between 2023-02-24T14:04:51.115717-08:00 and 2023-02-24T08:58:38.796336-08:00.

Secondly, if the difference is greater than 60 minutes, create a new field called status and set it to down.

Thanks in advance
Does anyone know of a way that I can check if a system is reporting into my log server?
Hi Community,

When the panels are loaded in dashboards, I find this error as an exclamation mark in the panel. I initially thought the error was due to permissions and granted access to all the folders, but the issue still exists. Not sure what the issue is; could someone provide me some insights on how to fix it?

Regards,
Pravin
Hi Community,

I have upgraded the Splunk cluster to version 9.0.2 and noticed high CPU usage on the cluster search head. This also causes memory usage to go as high as 90%. The same works fine in version 8.1.0.

Just checking if someone has noticed similar issues when migrating to the 9.x version. Was there a version that didn't have issues? What did you do to fix the issue?

Regards,
Pravin
When testing the JDK8+ agent installer using the latest version of Docker Desktop locally, Docker flags up some vulnerabilities within the installer packages. I have included screenshots of those identified for the last two releases. Are there plans to remove these from upcoming releases please?

Latest version December 2022
I am trying to pare down the list of ciphers we are using. When I remove AES256-GCM-SHA384 I begin to get the below errors on our Search Head Cluster.

02-24-2023 16:17:35.187 +0000 WARN SSLCommon [121742 TcpOutEloop] - Received fatal SSL3 alert. ssl_state='SSLv2/v3 read server hello A', alert_description='handshake failure'.
02-24-2023 16:17:35.187 +0000 ERROR TcpOutputFd [121742 TcpOutEloop] - Connection to host=SH_IP_REMOVED:8999 failed. sock_error = 0. SSL Error = error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

In server.conf, web.conf, inputs.conf and outputs.conf I have the below ciphers. Once I remove AES256-GCM-SHA384, the errors begin.

cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384
When one configures the indexer cluster for SmartStore, does each indexer get its own S3 bucket? Or is there just one very large S3 bucket and all indexers write into the same S3 bucket (separated by indexer GUID or something like that)?