Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi All, After the Splunk upgrade from 8.0 to 9.0.2, I am facing slowness in alerting to create a ticket. Can anyone help on this? Thanks,
We installed a .NET agent on a website and soon after the website shut down with the following error: "NET Runtime version 2.0.50727.8964 - Fatal Execution Engine Error (5ABCE2D2) (80131506)". The machine is running on .NET Framework 2.0. Once the agent was uninstalled the website started working fine. Any ideas on why this might have happened?
Hello, As the title suggests, is there a way to do this in TrackMe with a single tenant, or is this feature only available for the subscription? Also, what are the best free alternatives to TrackMe? Thank you, Best Regards,
My team is moving from working directly in Splunk to a Git-based deploy where we modify the app files directly. Previously we would create and save a search directly in the Splunk web UI, but now we add it to savedsearches.conf. Is there a method for creating a saved search in the web app and extracting the syntax for savedsearches.conf, or another tool for helping with this process? I've read the documentation for savedsearches.conf and many of the variables are niche in their use. Thanks for the help! -Mitch
We ran the EventHub integration on a HF; after some time we want to move the app to another HF. How can I configure the start time in order to avoid duplicates?

[splunk@ilissplfwd11 local]$ cat inputs.conf
[mscs_azure_event_hub://amdocsazureadlogs]
account = splunk
consumer_group = $Default
event_hub_name = eventhub-name
event_hub_namespace = eventhub-name.servicebus.windows.net
index = amdocsazureadlogs
interval = 15
max_batch_size = 3000
max_wait_time = 10
sourcetype = mscs:azure:eventhub
use_amqp_over_websocket = 1

What will be the best configuration to handle a big amount of data (interval/max_batch_size etc.)?
I set up a new monitor on a JSON file last week to add the contents to a new index. Once I finished, the new index would not show any events. I messed with it for 4 days until I decided to just use an older index that was built at some point before I joined the company. I have no idea of the approximate age of this index, other than that the earliest index was 7 months ago. I know an upgrade was done since then. The issue I seem to be facing is that any new index I create is not getting data, but if I use an older one it works. I don't even know where to begin on trying to solve this, so any input is appreciated. I did see in splunkd.log something about a "string index out of range" and found a solution to go and basically increase MAX_SEGMENT = 1024, changing it to MAX_SEGMENT = 4096 in $SPLUNK_HOME/bin/scrubber.py. That did not fix anything. Thank you!
I'm trying to deploy the Splunk UF on Windows Server 2019 boxes. It fails, giving me a message that the forwarder installation wizard ended prematurely. I have the following MSI log.

MSI (s) (F0:64) [05:57:42:567]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (F0:64) [05:57:42:573]: Machine policy value 'LimitSystemRestoreCheckpointing' is 0
MSI (s) (F0:64) [05:57:42:573]: Note: 1: 1715 2: UniversalForwarder
MSI (s) (F0:64) [05:57:42:573]: Note: 1: 2205 2: 3: Error
MSI (s) (F0:64) [05:57:42:573]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1715
MSI (s) (F0:64) [05:57:42:573]: Calling SRSetRestorePoint API. dwRestorePtType: 0, dwEventType: 102, llSequenceNumber: 0, szDescription: "Installed UniversalForwarder".
MSI (s) (F0:64) [05:57:42:573]: The call to SRSetRestorePoint API failed. Returned status: 0. GetLastError() returned: 127
MSI (s) (F0:64) [05:57:42:577]: File will have security applied from OpCode.
MSI (s) (F0:64) [05:57:42:674]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\Users\Administrator\Downloads\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi' against software restriction policy
MSI (s) (F0:64) [05:57:42:674]: SOFTWARE RESTRICTION POLICY: C:\Users\Administrator\Downloads\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi has a digital signature
MSI (s) (F0:64) [05:57:43:406]: SOFTWARE RESTRICTION POLICY: C:\Users\Administrator\Downloads\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (F0:64) [05:57:43:406]: Creating MSIHANDLE (375) of type 790542 for thread 4708
MSI (s) (F0:64) [05:57:43:406]: MSCOREE not loaded loading copy from system32
MSI (s) (F0:64) [05:57:43:406]: End dialog not enabled
MSI (s) (F0:64) [05:57:43:406]: Original package ==> C:\Users\Administrator\Downloads\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi
MSI (s) (F0:64) [05:57:43:406]: Package we're running from ==> C:\Windows\Installer\12c17059.msi
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: Compatibility mode property overrides found.
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: looking for appcompat database entry with ProductCode '{6C243C23-42E6-46E7-AECC-81428601A55E}'.
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'TransformsSecure' is 1
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'DisablePatch' is 0
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (F0:64) [05:57:43:422]: Enabling baseline caching for this transaction since all active patches are MSI 3.0 style MSPs or at least one MSI 3.0 minor update patch is active
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: looking for appcompat database entry with ProductCode '{6C243C23-42E6-46E7-AECC-81428601A55E}'.
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (F0:64) [05:57:43:422]: Transforms are not secure.
MSI (s) (F0:64) [05:57:43:422]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\Administrator\Downloads\msiexec.log'.
MSI (s) (F0:64) [05:57:43:422]: Command Line: INSTALLDIR=C:\Program Files\SplunkUniversalForwarder\ TARGETDIR=C:\ AGREETOLICENSE=Yes GENRANDOMPASSWORD=0 CURRENTDIRECTORY=C:\Users\Administrator\Downloads CLIENTUILEVEL=0 CLIENTPROCESSID=4760 USERNAME=Windows User SOURCEDIR=C:\Users\Administrator\Downloads\ ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE=C:\ INSTALLLEVEL=1 SECONDSEQUENCE=1 WIXUI_INSTALLDIR_VALID=1 MONITOR_PATH=C:\Windows\NTDS RECEIVING_INDEXER=172.16.1.3:9997 WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=0 WINEVENTLOG_SET_ENABLE=0 ENABLEADMON=1 LOGON_PASSWORD=********** LOGON_USERNAME=splunk SPLUNKPASSWORD=********** SPLUNKUSERNAME=********** DEPLOYMENT_SERVER=172.16.1.3:8089 ADDLOCAL=Complete ACTION=INSTALL
MSI (s) (F0:64) [05:57:43:422]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{405F297E-93B0-496F-AD0C-D7EAA614048F}'.
MSI (s) (F0:64) [05:57:43:422]: Product Code passed to Engine.Initialize: ''
MSI (s) (F0:64) [05:57:43:422]: Product Code from property table before transforms: '{6C243C23-42E6-46E7-AECC-81428601A55E}'
MSI (s) (F0:64) [05:57:43:422]: Product Code from property table after transforms: '{6C243C23-42E6-46E7-AECC-81428601A55E}'
MSI (s) (F0:64) [05:57:43:422]: Product not registered: beginning first-time install
MSI (s) (F0:64) [05:57:43:422]: Package name extracted from package path: 'splunkforwarder-9.0.4-de405f4a7979-x64-release.msi'
MSI (s) (F0:64) [05:57:43:422]: Package to be registered: 'splunkforwarder-9.0.4-de405f4a7979-x64-release.msi'
MSI (s) (F0:64) [05:57:43:422]: Note: 1: 2205 2: 3: Error
MSI (s) (F0:64) [05:57:43:422]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'DisableMsi' is 1
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (F0:64) [05:57:43:422]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (F0:64) [05:57:43:422]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (F0:64) [05:57:43:422]: Running product '{6C243C23-42E6-46E7-AECC-81428601A55E}' with elevated privileges: Product is assigned.
MSI (s) (F0:64) [05:57:43:422]: PROPERTY CHANGE: Adding INSTALLDIR property. Its value is 'C:\Program Files\SplunkUniversalForwarder\'.
MSI (s) (F0:64) [05:57:43:422]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'C:\'.
InstallFiles: File: Copying new files, Directory: , Size:
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: Patch
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2228 2: 3: Patch 4: SELECT `Patch`.`File_`, `Patch`.`Header`, `Patch`.`Attributes`, `Patch`.`Sequence`, `Patch`.`StreamRef_` FROM `Patch` WHERE `Patch`.`File_` = ? AND `Patch`.`#_MsiActive`=? ORDER BY `Patch`.`Sequence`
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: Error
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1302
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: MsiSFCBypass
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2228 2: 3: MsiSFCBypass 4: SELECT `File_` FROM `MsiSFCBypass` WHERE `File_` = ?
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: MsiPatchHeaders
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2228 2: 3: MsiPatchHeaders 4: SELECT `Header` FROM `MsiPatchHeaders` WHERE `StreamRef` = ?
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: MsiPatchHeaders
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: PatchPackage
Action ended 5:57:46: InstallFiles. Return value 1.
I am sending some traces from my service to Splunk using the OpenTelemetry Collector and the Splunk HEC exporter. My traces are getting to Splunk and their fields are in general properly identified, but I would like the attributes of an event that have a JSON format to be further decomposed into fields. This is an example of an event: I would like the `attributes.data` field to be further decomposed. Is that possible?
Hi Experts, I have the events below:

Event 1: TRANEND TRANS ABENDS TRN1 ABN1 blah blah
Event 2: TRANEND CICS_TRAN_Abends CICT1 TRN3 ABN3 blah blah
Event 3: TRANSUMM CICS_TSUM_Rate CICT1 = * blah blah
Event 4: TRANDYN TRANS ABENDS TRN2 ABN2 blah blah
Event 5: SYSTEM CICS_RDSA_MaxFree CICt2 * * blah blah
Event 6: TRANDYN CICS_TRAN_Abends CICT1 TRN4 ABN4 blah blah

I want the output below:

Transaction   Abend code
TRN1          ABN1
TRN3          ABN3
TRN2          ABN2
TRN4          ABN4

Events 2, 3, 5 need to be excluded from the result. Could you please help me? Thanks, Ravikumar
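One way to produce that table, written here as an added example and not taken from the post: a single rex over _raw anchored on the TRANEND or TRANDYN record type, so TRANSUMM and SYSTEM records never match, that accepts both layouts present in the sample ("TRANS ABENDS TRNx ABNx" and "CICS_TRAN_Abends CICTn TRNx ABNx"). The index and sourcetype are placeholders, and the field names Transaction and Abend_code are my choice; the search term filter in the first line only cuts down the events the rex has to look at.

```spl
index=<your_index> sourcetype=<your_sourcetype> (TRANEND OR TRANDYN)
| rex field=_raw "^(?<record_type>TRANEND|TRANDYN)\s+(?:TRANS\s+ABENDS|CICS_TRAN_Abends\s+\S+)\s+(?<Transaction>\S+)\s+(?<Abend_code>\S+)"
| where isnotnull(Transaction)
| table Transaction Abend_code
| rename Abend_code as "Abend code"
```

Run against the six sample events this returns four rows, TRN1/ABN1, TRN3/ABN3, TRN2/ABN2 and TRN4/ABN4, in event order. The TRN3/ABN3 row comes from event 2; if the CICS_TRAN_Abends records should not contribute, delete the `|CICS_TRAN_Abends\s+\S+` alternative from the regex and only the TRANS ABENDS records remain.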
Hello, I have a list of a few hundred servers in a CSV file like in the picture below. I am trying to import the servers as entities in ITSI. When I do the CSV import I get the below: Any idea why it is not uploading correctly? The ITSI we are using is 4.11.4
I am looking for a technical understanding of detecting a "Univariate Categorical Outlier". I have used the ML Toolkit on Splunk and basically I am trying to detect the "rare" categories which really have low frequencies for the given variable of the dataset. I have also followed the thread here but I couldn't find the information I am looking for. Though I could see links like this which discuss different methods like histogram, IQR, and Z-score for anomaly detection, I couldn't find any technical overview. If anyone could help me with finding the "rare" category automatically, it would be a huge help, because setting a static threshold like 0.05 doesn't work for all datasets. There has to be some way around it, like the histogram method. Please give me the sources on how Splunk finds the rare categories. It is fine if you can provide me with the univariate variable only instead of the multivariate. Thanks
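As an added example (not from the post, and not a description of what the ML Toolkit does internally), here is the IQR method mentioned above applied to category frequencies in plain SPL, so the cut-off is derived from the dataset instead of a fixed share like 0.05. The index, sourcetype and the field name category are placeholders. The idea: count events per category, take the 25th and 75th percentiles of those counts, and flag any category whose count falls below q1 - 1.5 * IQR.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| stats count by category
| eventstats sum(count) as total_events, perc25(count) as q1, perc75(count) as q3
| eval iqr = q3 - q1,
       lower_fence = q1 - 1.5 * iqr,
       share = round(count / total_events, 4)
| where count < lower_fence
| sort count
| table category count share q1 q3 lower_fence
```

Two things to check before trusting the output: with only a handful of distinct categories the quartiles are unstable, and when most categories have similar counts the lower fence can be zero or negative, in which case nothing is flagged even if one category is clearly less common than the rest. In that situation a rank-based view (`| rare category`, or `sort count` and look at the head) shows you the candidates, but it still leaves the cut-off to you.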
Hi There, I would like to export the results of a KV lookup file in the lookup editor, but the result after exporting has only 50k records, even though the original has 80k records. How do I download the entire results in a single file? Thanks!
Hi all, I'm trying to make a query which is not working as expected; could you please help me out in raising an alert. I have a field named first_find with the value "2021-06-07T09:04:09.130Z" and last_find with the value "2023-02-15T16:15:52.506Z"; they are in this format, which I believe is UTC. I need a search such that if first_find OR last_find matches the current date, the alert should be triggered. My SH is set to the IST time zone; would it make any impact on the search? Do I need to convert the field values' time zone from UTC to IST to get an alert out of it?
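One way to do the comparison without timezone surprises, added here as an example that is not part of the post (index and sourcetype are placeholders; first_find and last_find are the post's own field names): turn the trailing Z into an explicit +0000 offset so strptime parses the value as UTC regardless of the search head's timezone, then render both the field values and now() with strftime, which applies the user's timezone (IST here) to every side of the comparison.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| eval first_epoch = strptime(replace(first_find, "Z$", "+0000"), "%Y-%m-%dT%H:%M:%S.%3N%z"),
       last_epoch  = strptime(replace(last_find,  "Z$", "+0000"), "%Y-%m-%dT%H:%M:%S.%3N%z")
| eval today     = strftime(now(),        "%Y-%m-%d"),
       first_day = strftime(first_epoch,  "%Y-%m-%d"),
       last_day  = strftime(last_epoch,   "%Y-%m-%d")
| where first_day = today OR last_day = today
| table _time first_find last_find first_day last_day today
```

The choice of timezone does matter near midnight. The sample value 2023-02-15T16:15:52.506Z is 21:45 IST on the same date, so last_day is 2023-02-15 either way; a value such as 2023-02-15T19:00:00Z is 00:30 IST on 2023-02-16, so with this search it matches "today" on the 16th in IST but would match the 15th in UTC. If the alert should be evaluated on UTC calendar days instead, replace the strftime comparison with `where floor(first_epoch / 86400) = floor(now() / 86400) OR floor(last_epoch / 86400) = floor(now() / 86400)`, which is timezone independent. Either way, the alert's own time range still has to cover the events that carry the fields.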
Hey all, Our raw syslogs are showing the IP addresses of sourced events, but the results in Splunk are changing the IP addresses to their respective hostnames/FQDNs. If I want to see the results without the name resolution, how can I do this? I just need to see the IP addresses, as per the actual raw syslog. Thanks, Will
I am looking to get the data on a year, month, day, hour, minute and second basis. The search criteria is:

index="abc" | rex field=_raw "few fields" | stats count as yearcount by year

The above query is giving me the columns below:

year   yearcount
2023   10

Similar to the above query, we want to get the count by month, day, ... seconds. The final output should have the table below:

year   yearcount   month   monthcount   day   daycount   ......   seconds   secondscount

Is it possible to get this output without using the appendcols function multiple times, as it is making the search query very long and not effective?
Hi, This works when I use it at search time:

| spath path=messageParts{} output=message
| mvexpand message
| rex field=message "{\"disposition\":\s+\"(?<disposition>[^\"]+)\",\s+\"sha256\":\s+\"(?<sha>[^\"]+)\",\s+\"md5\":\s+\"(?<md5>[^\"]+)\",\s+\"filename\":\s+\"(?<filename>[^\"]+)\",\s+\"sandboxStatus\":\s+\"(?<sandboxStatus>[^\"]+)\",\s+\"oContentType\":\s+\"(?<oContentType>[^\"]+)\",\s+\"contentType\":\s+\"(?<contentType>[^\"]+)\"}"

BUT how do I put this in props.conf? I have tried MV_ADD = true, but no luck.
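One way to move that extraction into configuration, written here as an added example rather than anything from the post: a REPORT- extraction in transforms.conf with MV_ADD = true, so that every match of the regex within _raw becomes another value of each named field instead of only the first. The sourcetype name my_json is a placeholder. The regex is the post's pattern with two adjustments. In a .conf file the REGEX value is read literally, so the quote characters are not backslash-escaped the way they are inside an SPL string. And because the strings inside messageParts{} are usually stored in _raw with their inner quotes escaped as \" (an assumption about how this event looks on disk; the spath/mvexpand path never shows it because spath unescapes them), each quote is written as \\?" so the same pattern matches either the escaped or the unescaped form. The value captures are lazy ([^"]+?) so a trailing escape backslash is not swallowed into the field.

```ini
# transforms.conf (search head). Assumption: the events carry sourcetype my_json.
[messageparts_fields]
REGEX = \{\\?"disposition\\?":\s*\\?"(?<disposition>[^"]+?)\\?",\s*\\?"sha256\\?":\s*\\?"(?<sha>[^"]+?)\\?",\s*\\?"md5\\?":\s*\\?"(?<md5>[^"]+?)\\?",\s*\\?"filename\\?":\s*\\?"(?<filename>[^"]+?)\\?",\s*\\?"sandboxStatus\\?":\s*\\?"(?<sandboxStatus>[^"]+?)\\?",\s*\\?"oContentType\\?":\s*\\?"(?<oContentType>[^"]+?)\\?",\s*\\?"contentType\\?":\s*\\?"(?<contentType>[^"]+?)\\?"\}
# Append every further match as an additional value instead of keeping only the first.
MV_ADD = true

# props.conf (search head)
[my_json]
REPORT-messageparts = messageparts_fields
```

Before deploying, confirm the pattern against the raw text with `| rex field=_raw max_match=0 "<the same regex, with each " escaped as \" for the SPL string>"`; max_match=0 is the search-time equivalent of MV_ADD = true, so if that returns multivalue fields the REPORT- extraction will too. Like the original pattern, this depends on the keys appearing in exactly that order in every message part, and a filename value containing an escaped quote will cut the match short.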
I followed this doc to generate tokens via the API but I didn't receive any response from the server. https://docs.appdynamics.com/appd/4.5.x/en/extend-appdynamics/appdynamics-apis/api-clients#APIClients-GeneratetheTokenThroughAPI The curl is like below:

curl -X POST -H "Content-Type: application/vnd.appd.cntrl+protobuf;v=1" "https://(accountName).saas.appdynamics.com/controller/api/oauth/access_token" -d 'grant_type=client_credentials&client_id=(username)@(accountName)&client_secret=(clientsecret)'

Please help me!
I am trying to get billing data from S3. The data is in Parquet format. I tried to get that data with the "Splunk Add-on for AWS" app, but I failed. I set all the source types supported by the app, but the data was not normal. Please tell me how I can get Parquet format data in a Splunk Cloud environment.
Hi Team, I am working on how to log individual rows in my search result table as individual events in Splunk. Below is a picture of the log events and what I'm trying to do with them.
Hi, I am trying to create alerts and dashboards for my O365 and AD logs. Is there somewhere that has an overview of the different options in, for example, Operations? Since I don't have a log from when a user is created, I don't know the value the log will say, e.g. UserCreated, UserWasCreated, CreateUser. Hope it makes sense.