All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi, I need to color the value in the update.version column when it is greater than the value in the version column. How can I do this? Thank you.
Hi Splunkers, I'm using the Splunk App for Unix and Linux to monitor some CentOS parameters. All scripts work fine when I run them locally on the UF. However, some of them (e.g. vmstat, who) don't display results, just the headers (parameter descriptions). This is the script output from the UF (who); below is the screenshot from Splunk's GUI. I tried to play with the sourcetype's line breaker, but it didn't help. Has anyone encountered a similar issue? I would be grateful for your help. Regards, Sz
I've been trying to solve this problem for days now with no success. Maybe I can find ultimate salvation here. I have a single index where I need to run 2 queries. The first query finds all hosts that generate logs for a particular app called APP; I need to count totals. The second query searches for hosts that were scanned by the APP.

Problem: I need to subtract the hosts detected in Query 2 from the hosts found in Query 1. That will generate a list of hosts that were potentially not scanned in a selected period of time.

Query 1: index=demon source="/opt/app/logs/*"
Query 2: index=demon source="*scan.log" "scan Finished"

From what I have learnt so far, |multisearch appears to be the best candidate; however, when I run the below query I only get 1 variable listed, I guess because a host can be attributed only once. I'm sure there are multiple ways of achieving this goal. Thanks
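
One way to get the set difference without multisearch or join, added here as an example and not part of the original post: pull both populations in a single base search, flag the events that came from the scan log, and let stats collapse per host. The index and source patterns are the poster's; the field names scanned, app_hosts and scanned_hosts are assumptions introduced for the example.

```spl
index=demon (source="/opt/app/logs/*" OR (source="*scan.log" "scan Finished"))
| eval scanned=if(like(source, "%scan.log"), 1, 0)
| stats count AS total_events, max(scanned) AS scanned BY host
| eventstats dc(host) AS app_hosts, sum(scanned) AS scanned_hosts
| where scanned=0
| table host total_events app_hosts scanned_hosts
```

The parentheses matter: the literal "scan Finished" only applies to the scan.log branch of the OR, so app-log events are not filtered by it. After stats, max(scanned) is 1 for any host that produced at least one "scan Finished" event in the time range and 0 otherwise, so `where scanned=0` leaves exactly the hosts seen in Query 1 but not in Query 2. eventstats keeps the totals (number of app hosts, number of scanned hosts) on every row for a dashboard single-value panel; drop it if you only want the list.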
Hi Team, greetings for the day. I have one prod ITSI environment, and I have managed to upgrade my test environment to the same version as the prod one. I need help and steps on how to back up the prod KV store and restore it in my test environment. Please help me ASAP.
Thank you for your help. I am currently aggregating a certain log. Using the source IP address and the connection date/time as keys, I want to extract only the logs for connections that are still being made 10 days or more after the first connection date, but I cannot get the extraction to work. Note: the total number of connection days is the count of days on which a connection was made between the first and last connection dates. I would appreciate it if you could show me a search that extracts this kind of data.

Sample data:
Connection IP address   Connection date
1.0.0.0   2023-01-01 10:35:45
1.0.0.0   2023-01-03 12:33:10
1.0.0.0   2023-01-08 09:35:06
1.0.0.0   2023-01-11 21:18:29
2.0.0.0   2023-01-01 23:32:11
2.0.0.0   2023-01-05 04:55:15
2.0.0.0   2023-01-10 19:35:24

Expected output:
Connection IP address   First connection   Last connection   Connection days
1.0.0.0   2023-01-01 10:35:45   2023-01-11 21:18:29   4
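
An added example search for the output above (not from the original post). It assumes the connection events are in an index called conn_logs with the source address extracted as src_ip (the poster's 接続IPアドレス) and the connection time in _time; rename those to match the real data. The span between first and last connection is computed on epoch seconds, and the day count uses the distinct calendar dates.

```spl
index=conn_logs
| eval day=strftime(_time, "%Y-%m-%d")
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen, dc(day) AS connection_days BY src_ip
| where last_seen - first_seen >= 10*86400
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table src_ip first_seen last_seen connection_days
```

Against the sample data, 1.0.0.0 spans 2023-01-01 10:35:45 to 2023-01-11 21:18:29 (more than 10 days, 4 distinct days) and is kept; 2.0.0.0 spans under 9 days and is dropped. If "10 days" should be counted in whole calendar days rather than 240 hours, compare the dates instead: `eval first_day=strftime(first_seen,"%Y-%m-%d")` and `last_day` likewise, then `where strptime(last_day,"%Y-%m-%d") - strptime(first_day,"%Y-%m-%d") >= 10*86400`.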
Hello, please help me. I have a REST API data source that gets data (JSON) into the main index, something like this: ["user","domain\\user1","domain\\user2","domain\\user3"] ... I'd like to create a search which runs for all the users extracted from this JSON. How is it possible to use all these values in another search? Thanks
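
An added example (not from the original post) of turning a JSON array in one index into a filter for another search. spath with path="{}" expands a top-level JSON array into a multivalue field; mvexpand makes one row per element; format rewrites the rows as an OR-ed search expression for the subsearch. The sourcetypes rest_users and winevent, the target field user_name and the index auth are assumptions for the example; the first array element "user" looks like a header and is dropped.

```spl
index=auth sourcetype=winevent
    [ search index=main sourcetype=rest_users
      | spath path="{}" output=user
      | mvexpand user
      | where user!="user"
      | dedup user
      | rename user AS user_name
      | fields user_name
      | format ]
| stats count BY user_name
```

The subsearch expands to `(user_name="domain\user1") OR (user_name="domain\user2") OR ...` and is evaluated before the outer search. Subsearches are capped by default (10,000 results and 60 seconds in limits.conf); if the user list is larger, write it once with `| outputlookup users.csv` and use `[| inputlookup users.csv | fields user_name]` or a `lookup` instead.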
Is there a way in Splunk that I can have an indicator or symbol that shows the different entry points, something like above, just a circle showing when each waypoint is logged?
Hello. I'm having a problem and I can't for the life of me figure out what goes wrong. I am running a search like this against two lookups (both lookup files have multiple columns):

index=gateway EventIDValue=gateway-check EventStatus=success
| lookup assets_and_users.csv USER AS SourceUserName, ASSET AS EndpointDeviceName OUTPUTNEW USER, ASSET
| lookup computer_objects.csv own_asset AS EndpointDeviceName OUTPUTNEW own_asset
| where isnotnull(USER) OR isnotnull(ASSET) OR isnotnull(own_asset) AND own_asset!=EndpointDeviceName

The idea is to check for a certain number of assets and users previously seen in our environment with the assets_and_users.csv lookup, and to filter out assets that are currently managed by us with the computer_objects.csv lookup, so that I can see activity from the previously seen assets and users as well as assets not previously seen that are not managed by us. However, the first iteration of the search looked like this:

index=vpn EventIDValue=gateway-check EventStatus=success
| lookup assets_and_users.csv USER AS SourceUserName OUTPUTNEW USER
| lookup computer_objects.csv own_asset AS EndpointDeviceName OUTPUTNEW own_asset
| where isnotnull(USER) OR isnotnull(own_asset) AND own_asset!=EndpointDeviceName

and that version gave me a couple thousand events. However, once I added the asset part as seen in the top query, I got three events, which doesn't make sense. I should, if anything, get more events than with the first iteration (bottom query). Can someone spot where it goes wrong?
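
Two things in the top query are worth checking, shown here as an added rewrite rather than the poster's code. First, a lookup with two input fields (`USER AS SourceUserName, ASSET AS EndpointDeviceName`) only matches a CSV row where both columns match the same event, which is a much stricter condition than either field alone; running the same CSV twice, once per key, matches on either. Second, `AND` binds tighter than `OR` in the where clause, so the condition is grouped differently from how it reads, and `own_asset!=EndpointDeviceName` can never be true after a lookup keyed on EndpointDeviceName (a match makes them equal, a miss leaves own_asset null). The output names known_user and known_asset are assumptions for the example.

```spl
index=gateway EventIDValue=gateway-check EventStatus=success
| lookup assets_and_users.csv USER AS SourceUserName OUTPUTNEW USER AS known_user
| lookup assets_and_users.csv ASSET AS EndpointDeviceName OUTPUTNEW ASSET AS known_asset
| lookup computer_objects.csv own_asset AS EndpointDeviceName OUTPUTNEW own_asset
| eval managed=if(isnotnull(own_asset), 1, 0)
| where (isnotnull(known_user) OR isnotnull(known_asset)) OR managed=0
| table _time SourceUserName EndpointDeviceName known_user known_asset managed
```

The explicit parentheses express the stated intent (previously seen user or asset, or any asset that is not currently managed) without relying on operator precedence. The managed flag is kept in the output so the two populations can be told apart in the results.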
Hi, I'm getting the below blocked-queue message and error in the HF. I don't know how to troubleshoot and fix this blocked-queue issue. Can you help with a quick fix for this issue?
When I run a search query, I see that there are some fields which are present in Interesting Fields but not present in the event results. How is that achieved?
Please tell me how to adjust the count and output it when the aggregation axis is different. The data fields of the index "接続情報" (connection information) are timestamp, user name (ユーザ名) and connection protocol (接続プロトコル). The data looks like the following, with a timestamp added to each row:

---------+----------
User name | Connection protocol
---------+----------
ユーザA | http
ユーザB | http
ユーザA | ftp
ユーザA | scp
ユーザA | http
ユーザB | http
・
・
・
ユーザC | ftp
---------+----------

Because there are many "http" connections, I want to display only the "http" connections at 1/2 of their count. When aggregating by connection protocol in monthly buckets, I could do it with the following search:

index="接続情報" | timechart span=mon eval(if("接続プロトコル"="http",count(eval("接続プロトコル"))/2,count)) by "接続プロトコル"

However, I don't know how to do it when aggregating by user name. Is it possible with a single search? Thank you very much.
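
An added example (not the poster's search) that moves the halving out of the aggregation and into a per-event weight, so the same search works for any grouping axis. Each http event counts 0.5 and every other event counts 1; summing the weight per month and user gives the adjusted count. The field name adjusted_count is an assumption; the index and field names are the poster's.

```spl
index="接続情報"
| eval weight=if('接続プロトコル'="http", 0.5, 1)
| timechart span=1mon sum(weight) AS adjusted_count BY ユーザ名
```

To aggregate by protocol instead, change the BY clause to `BY 接続プロトコル`; the weight stays the same. If whole numbers are required, wrap the sum with `round()` in a following eval, or use `ceiling()` so a single http connection is not shown as 0.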
Hi All, I just got an event that said:

Severity: Error
Type: CONTROLLER_METADATA_LIMIT_REACHED
Time: 02/23/23 23:37:23
Summary: Limit Reached for: THREAD_TASK;Scope:ACCOUNT;Id:2;Limit:1000

Does this event affect our controller performance or data collection, and how do we work with this issue? I found a similar issue for Business Transaction, but nothing for THREAD_TASK, in this discussion: https://community.appdynamics.com/t5/Controller-SaaS-On-Premises/Getting-CONTROLLER-METADATA-REGISTRATION-LIMIT-REACHED-error/td-p/29747 Regards, Ruli
I have a few spreadsheets that are ingested into Splunk daily. What is the best method to refresh the data so I don't end up with duplicates? I am looking to do something like this:

Today: ingest spreadsheet.csv
Tomorrow: delete the previous data for spreadsheet.csv and then ingest the new data

Thanks, Garry
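
Splunk indexes are append-only, and the delete command only hides events from search (it does not reclaim space and requires the can_delete role, which should not be handed out for a daily job), so the usual approach is to keep every load and read only the latest one at search time. The added example below (not from the original post) uses the indexing time of each event to find the most recent load of the file; the index name sheets is an assumption.

```spl
index=sheets source="spreadsheet.csv"
| eval load_day=strftime(_indextime, "%Y-%m-%d")
| eventstats max(load_day) AS latest_load
| where load_day=latest_load
| fields - load_day latest_load
```

If the spreadsheet is really reference data rather than a time series, a lookup is the better fit: load it with `| inputlookup spreadsheet.csv`, and each replacement of the CSV (via the Lookup Editor, outputlookup, or the lookups REST endpoint) replaces the previous contents outright, with no duplicates to filter.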
index=* "ORC from FCS completed" namespace="dk1371-b"
index=* "ORC from ROUTER completed" namespace="dk1692-b"
index=* "ORC from SDS completed." namespace="dk1399-b"

The above queries work fine. However, when I use the below it doesn't provide any data:

index=* "ORC from FCS completed" namespace="dk1371-b" AND namespace="dk1399-b"

because the "ORC from ..." text is different for each namespace. I have the following problem statement:
1. I would like to prepare a single query where I can use all namespaces, like dk1371-b, dk1399-b, etc.
2. In a single search I would like to have FCS/SDS: "ORC from FCS completed" and "ORC from SDS completed".
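
A single event carries one namespace value, so `namespace="dk1371-b" AND namespace="dk1399-b"` can never match; the two conditions have to be OR-ed. The added example below (not the poster's query) matches the whole family of "ORC from <component> completed" messages across a list of namespaces, extracts the component name with rex, and reports per namespace and component. The field names component and last_seen are assumptions.

```spl
index=* "ORC from" completed namespace IN ("dk1371-b", "dk1692-b", "dk1399-b")
| rex "ORC from (?<component>\w+) completed"
| stats count, latest(_time) AS last_seen BY namespace, component
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
```

If only specific namespace/component pairs are wanted, replace the first line with explicit groups: `index=* (("ORC from FCS completed" namespace="dk1371-b") OR ("ORC from SDS completed." namespace="dk1399-b"))`. Either way, replace `index=*` with the real index name; a wildcard index scans every index the role can read and is slow and noisy.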
Hi, I am trying to figure out how to use join to table the results from 2 searches.

sourcetype=AAD_MSGraph_UserData
Fields: AAD_OnPremSID, AAD_Email, AAD_UserType, AAD_LastSignInDateTime, AAD_LastNonInteractiveSignInDateTime, AAD_LastPWChange

sourcetype=AD_UserData
Fields: AD_SID, AD_UserPrincipalName, AD_LastLogon

JOIN ON: AAD_OnPremSID AND AD_SID
TABLE RESULTS: AAD_OnPremSID, AAD_Email, AAD_UserType, AAD_LastPWChange, AAD_LastSignInDateTime, AAD_LastNonInteractiveSignInDateTime, AD_LastLogon

Thanks! Garry
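
Two added examples for this (neither is from the original post). The first is the literal join the poster asked for: the AD side is renamed so the key names line up, and type=left keeps Azure AD accounts that have no on-prem counterpart. The second avoids join altogether, which is usually preferable in Splunk because join runs a subsearch with its own result and time limits (50,000 rows by default); both sourcetypes are read in one pass, the two SID fields are merged with coalesce, and stats does the correlation. The field name sid is an assumption.

```spl
sourcetype=AAD_MSGraph_UserData
| join type=left AAD_OnPremSID
    [ search sourcetype=AD_UserData
      | rename AD_SID AS AAD_OnPremSID
      | table AAD_OnPremSID AD_UserPrincipalName AD_LastLogon ]
| table AAD_OnPremSID, AAD_Email, AAD_UserType, AAD_LastPWChange, AAD_LastSignInDateTime, AAD_LastNonInteractiveSignInDateTime, AD_LastLogon

(sourcetype=AAD_MSGraph_UserData) OR (sourcetype=AD_UserData)
| eval sid=coalesce(AAD_OnPremSID, AD_SID)
| where isnotnull(sid)
| stats latest(AAD_Email) AS AAD_Email, latest(AAD_UserType) AS AAD_UserType, latest(AAD_LastPWChange) AS AAD_LastPWChange, latest(AAD_LastSignInDateTime) AS AAD_LastSignInDateTime, latest(AAD_LastNonInteractiveSignInDateTime) AS AAD_LastNonInteractiveSignInDateTime, latest(AD_LastLogon) AS AD_LastLogon BY sid
| rename sid AS AAD_OnPremSID
| table AAD_OnPremSID, AAD_Email, AAD_UserType, AAD_LastPWChange, AAD_LastSignInDateTime, AAD_LastNonInteractiveSignInDateTime, AD_LastLogon
```

In the stats form an account that exists on only one side still appears, with the other side's columns empty; add `| where isnotnull(AD_LastLogon)` to emulate an inner join. A stale AD_LastLogon next to a recent AAD sign-in is exactly the kind of row worth looking at when hunting for on-prem accounts that are only used through cloud apps.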
Hi Splunkers, I'm working on two conditions where I need to use a conditional eval statement. There are some filters that I need to apply for each condition before I do the eval. Please help me achieve this.

Condition 1: filters to be applied first: id is not "N/A" AND risk="Critical" AND risk_factor="critical". After satisfying the above conditions, I have to create a field called score:
eval score=if(insurance="Y" AND instate="Y" AND age_requirements="y", 30, 60)

Condition 2: filters to be applied first: id is not "N/A" AND risk="Critical" AND risk_factor="high". After satisfying the above conditions, add to the newly existing field "score":
eval score=if(insurance="Y" AND instate="Y" AND age_requirements="y", 60, 90)

TIA.
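
Both conditions share the same pre-filters except for risk_factor, so one search can apply the shared filters up front and let case() pick the score; case() returns the value of the first true branch, so the "all requirements met" branches must come before the catch-all for the same risk_factor. This is an added example, not the poster's search; the index name risk and the helper field meets_all are assumptions.

```spl
index=risk id!="N/A" risk="Critical" risk_factor IN ("critical", "high")
| eval meets_all=if(insurance="Y" AND instate="Y" AND age_requirements="y", 1, 0)
| eval score=case(
    risk_factor="critical" AND meets_all=1, 30,
    risk_factor="critical", 60,
    risk_factor="high" AND meets_all=1, 60,
    risk_factor="high", 90)
| table id risk risk_factor insurance instate age_requirements meets_all score
```

Note that `id!="N/A"` in the base search only matches events that have an id field; events with no id at all are excluded, which is usually what "is not N/A" intends. Use `NOT id="N/A"` instead if events without an id should be kept. String comparisons in eval are case-sensitive, so "Y" and "y" above follow the poster's values exactly; normalise with `lower()` if the source data is inconsistent.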
Original command:

index=mail sender!="postmaster@groupncs.onmicrosoft.com"
| lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match
| where isnull(domain_match)
| lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2
| where isnotnull(domain_match2)
| stats values(recipient) values(subject) earliest(_time) AS "Earliest" latest(_time) AS "Latest" count by RecipientDomain sender
| sort -count
| convert ctime("Latest")
| convert ctime("Earliest")

Modified command:

index=mail sender!="postmaster@groupncs.onmicrosoft.com"
| lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match
| where isnull(domain_match)
| lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2
| where isnotnull(domain_match2)
| table sender recipient subject DateTime
| sort recipent == 1
| where recipient == 1
| convert ctime(DateTime)

When I use where, there are no results showing. I only want to show results for a single recipient; if there are many, do not show them.
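
`where recipient == 1` compares the recipient string with the number 1, which is never true, and `sort` takes field names, not conditions. To keep only senders who mailed exactly one external recipient, count distinct recipients per sender with stats and filter on that count. The following is an added example built on the poster's filters, not their code; the field names recipient_count and latest are assumptions.

```spl
index=mail sender!="postmaster@groupncs.onmicrosoft.com"
| lookup email_domain_whitelist domain AS RecipientDomain OUTPUT domain AS domain_match
| where isnull(domain_match)
| lookup all_email_provider_domains domain AS RecipientDomain OUTPUT domain AS domain_match2
| where isnotnull(domain_match2)
| stats dc(recipient) AS recipient_count, values(recipient) AS recipient, values(subject) AS subject, latest(_time) AS latest BY sender
| where recipient_count=1
| convert ctime(latest)
| table sender recipient subject latest
```

If instead "single recipient" means individual messages whose recipient field holds one address, the recipient field is multivalued per event and the filter is `| where mvcount(recipient)=1` placed before the table command, with no stats needed.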
Hello, I am trying to match the start of a path in httpRequest.uri, as seen here:

index=xyz source=xyz
| spath "httpRequest.headers{}.value"
| search "httpRequest.headers{}.value"="application/json"
| spath "httpRequest.uri"
| regex "^/public*"
| stats count by "httpRequest.uri"
| sort -count

Unfortunately, it isn't working. Can someone point out what I am doing wrong here? If I get rid of the caret, the regex works, but it matches anywhere within the field's string value. I need to match from the beginning of the string. Thank you so much in advance!
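
The regex command with no field name is applied to _raw, and in the raw JSON the URI is never at position 0, so `^` cannot match there; `*` in `^/public*` also means "zero or more c", not a wildcard. The added rewrite below (not the poster's search) names the field explicitly and anchors on it; uri is an assumed alias introduced because dotted field names are awkward to quote in regex.

```spl
index=xyz source=xyz
| spath "httpRequest.headers{}.value"
| search "httpRequest.headers{}.value"="application/json"
| spath "httpRequest.uri" output=uri
| regex uri="^/public(/|$)"
| stats count BY uri
| sort -count
```

`(/|$)` stops `/publicity` from matching while still accepting `/public` and `/public/...`. Anchoring matters for security filters: an unanchored "public" would also admit `/admin/../public` style paths, so when a search feeds an allow-list or a detection, anchor both ends (`^/public(/.*)?$`).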
In the log there are events like:

{"submitterType":"Others","SubID":"App_4-45887-02232023"}
{"submitterType":"Others","SubID":"App_5-45892-02232023"}

I want a report showing:

App_4-45887-02232023
App_5-45892-02232023

Thanks!
Hello, I have the following query that shows all the values from the Splunk events that matched the values in the lookup table; however, I would also like to display the values in the lookup table that are not present in the Splunk events:

| metadata type=hosts index=_internal
| rex field=host "(?<host>.+)--.+"
| lookup mylookup Name as host OUTPUT Name "IP Address" as IP Classification "Used for" as used_for
| fillnull value="No match"
| search Classification=Production used_for!=*Citrix* used_for!=*Virtualization*
| stats c by host,Name,IP,Classification,used_for
| fields - c

How can I show both matched and unmatched values?
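
lookup is a left join from the events' side, so rows that exist only in the CSV can never appear. To get both directions, start from the lookup with inputlookup, append the host list from metadata, and collapse the two sets with stats; a host that came from both sides is a match, and the others are tagged by where they came from. This is an added example, not the poster's search; the field names source_set and status are assumptions, and the rex is the poster's with the unbalanced parenthesis removed.

```spl
| inputlookup mylookup
| rename Name AS host, "IP Address" AS IP, "Used for" AS used_for
| search Classification=Production used_for!=*Citrix* used_for!=*Virtualization*
| eval source_set="lookup"
| append
    [| metadata type=hosts index=_internal
     | rex field=host "(?<host>.+)--.+"
     | eval source_set="events"
     | fields host source_set ]
| stats values(IP) AS IP, values(Classification) AS Classification, values(used_for) AS used_for, values(source_set) AS source_set BY host
| eval status=case(mvcount(source_set)=2, "matched", source_set="lookup", "in lookup, not seen in events", source_set="events", "seen in events, not in lookup")
| table host IP Classification used_for status
```

The Production and used_for filters are applied to the lookup rows before the append, so they no longer depend on fillnull. Hosts that only appear in _internal are kept with their own status because an unknown host sending internal logs is itself something an asset-inventory check should surface; add `| where status!="seen in events, not in lookup"` to hide them. append is a subsearch and is subject to the same result limits as any other, so for very large host lists run metadata as the base search and use `inputlookup append=true` instead.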