Good day, I have a use case explained below. Index A has Reporting_Host (a mix of IP address, hostname and FQDN) and index CMDB has data from the CMDB (so it contains hostname, FQDN, IP address, server owner information etc.). My requirement is to map the Reporting_Host data from index A against the CMDB data and display the server owner information along with hostname, IP etc. The issue here is that index CMDB has the data in multiple fields: Hostname (contains the server name), CI_Name (contains the FQDN) and IP_address (obviously the IP address). How do I match the Reporting_Host field values against these 3 fields in CMDB and display the output? I tried using join but was only able to compare with any one field in the CMDB data, not all 3. Sample query below:

```spl
index=A sourcetype=syslog_stats
| stats min(_time) as old, max(_time) as new by Reporting_Host
| stats min(old) as oldest, max(new) as newest by Reporting_Host
| eval diff = tostring((newest - oldest), "duration")
| where newest < now() - (86400 * 2)
| eval stopped = (now() - newest)
| eval stopped_for = round(stopped / 86400, 0)
| convert ctime(oldest)
| convert ctime(newest)
| join Reporting_Host [ search index=CMDB | rename HostName as Reporting_Host ]
| fields oldest newest diff stopped_for Reporting_Host Server_Owner
```

I did a field alias for CI_Name, IP_address and Hostname and named it HostName, but it's not working.
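One way to match a single Reporting_Host value against all three CMDB identifier fields without join, as an added example that is not part of the original post. It assumes the field names from the question (HostName, CI_Name, IP_address, Server_Owner), that the two indexes are literally named A and CMDB, and it keeps the original "stopped for more than two days" logic. The CMDB rows are turned into one row per identifier with mvappend and mvexpand, both data sets are keyed on a lower-cased value, and a single stats does the correlation, which also avoids the subsearch row and time limits that join is subject to:

```spl
(index=A sourcetype=syslog_stats) OR (index=CMDB)
| eval key=if(index=="CMDB", mvappend(HostName, CI_Name, IP_address), Reporting_Host)
| mvexpand key
| eval key=lower(trim(key))
| stats min(eval(if(index=="A", _time, null()))) as oldest
        max(eval(if(index=="A", _time, null()))) as newest
        count(eval(index=="A")) as events
        values(Server_Owner) as Server_Owner
        values(HostName) as HostName
        by key
| where events > 0
| where newest < now() - (86400 * 2)
| eval diff=tostring(newest - oldest, "duration"), stopped_for=round((now() - newest) / 86400, 0)
| convert ctime(oldest) ctime(newest)
| rename key as Reporting_Host
| fields Reporting_Host HostName Server_Owner oldest newest diff stopped_for
```

Hosts with no CMDB match still appear, with an empty Server_Owner, which is usually the more useful outcome for an asset-coverage check than silently dropping them. If index A reports short names while the CMDB only holds FQDNs, add the short name to the key list with `mvappend(HostName, CI_Name, IP_address, mvindex(split(CI_Name, "."), 0))`.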
Hello, I am currently trying to figure out how to combine the below three searches with different conditions into one query/alert:

- if abc reminder is <1 then trigger an alert
- if xyz reminder is <5 then trigger an alert
- if 123 reminder is <22 then trigger an alert

Here is my query so far:

```spl
index="xyz" sourcetype=xyz ("abc reminder") OR ("xyz reminder") OR ("123 reminder") earliest=-24h
| eval JobName=case(searchmatch("abc reminder"), "ABC reminder", searchmatch("xyz reminder"), "XYZ reminder", searchmatch("123 reminder"), "123 reminder")
| stats count as ABCJobCount by JobName
| where ABCJobCount<1
| stats count as XYZJobCount by JobName
| where XYZJobCount<1
| stats count as 123JobCount by JobName
| where 123JobCount<1
| eval NetcoolTitle = JobName + " did not complete in last 24 hours"
```
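One way to express the three thresholds in a single alert search, added here as an example and not part of the original post. It keeps the index, sourcetype and job names from the question and assumes the alert is configured to trigger when the number of results is greater than zero. The append of a zero-count row per job matters: a job that produced no events at all would otherwise have no row to compare against its threshold, and a "count < 1" condition would never fire for exactly the case it is meant to catch.

```spl
index="xyz" sourcetype=xyz ("abc reminder" OR "xyz reminder" OR "123 reminder") earliest=-24h
| eval JobName=case(searchmatch("\"abc reminder\""), "ABC reminder",
                    searchmatch("\"xyz reminder\""), "XYZ reminder",
                    searchmatch("\"123 reminder\""), "123 reminder")
| stats count by JobName
| append
    [| makeresults
     | eval JobName="ABC reminder,XYZ reminder,123 reminder", count=0
     | makemv delim="," JobName
     | mvexpand JobName
     | fields JobName count]
| stats sum(count) as count by JobName
| eval threshold=case(JobName=="ABC reminder", 1,
                      JobName=="XYZ reminder", 5,
                      JobName=="123 reminder", 22)
| where count < threshold
| eval NetcoolTitle=JobName." did not complete in last 24 hours (".count." of ".threshold." expected)"
| table JobName count threshold NetcoolTitle
```

The quoted phrases inside searchmatch make it match the exact phrase rather than any event containing both words somewhere, and string concatenation in eval uses `.`, not `+`.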
I have a Splunk query as below which contains a lot of backslashes:

```spl
index="ABC" os="Win" FileName="*\\Programs\\Startup\\*"
| rex field=FileName "Users\\\(?<username>[^\\\]+)."
```

Now, I know that when I tried to add this to savedsearches.conf it won't work as expected, as Splunk breaks the line when it sees a backslash. Any suggestion on how we can add it to savedsearches.conf?
Hi Experts, I'm trying to validate whether a user is a new user or an existing user using a summary index. The userLogin field is a combination of username, userId and a uniqueId associated with each of the user's logins. I just want the username and userId from the userLogin field, to maintain a single record per user and to find the count of userLogin within a specific dateTime interval (i.e. the past one week). Here's the query I've written. Any suggestions would be highly welcome. Thanks in advance.

```spl
index=user_login_details
| rex field=userLogin "(?<userName>\s+\d{5}).*"
| eval time=strftime(_time,"%Y-%m-%dT%H:%M:%S")
| stats count, earliest(time) as FirstTime by userName
| join type=left userName
    [search index=user_login_details sourcetype=existing_login_users latest=-7d
     | eval Time=strptime(FirstTime ,"%Y-%m-%dT%H:%M:%S")
     | stats count as ExistingUser by Time userName ]
| fillnull ExistingUser value=0
| search ExistingUser=0
| fields - ExistingUser
| collect index=user_login_details sourcetype=existing_login_users
```
How do I compare, let's say, today's 9a-10a with yesterday's 9a-10a stats side by side? Is it possible in 1 query?

```spl
index=foo <query> | stats avg(responsetime) today and tomorrow count by uri
```
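One way to get both windows from a single search, added as an example that is not part of the original post. It assumes the index foo, the fields responsetime and uri from the question, and that `<query>` stands for whatever filter the original search used. Two time ranges are ORed together in the base search so that only the two one-hour windows are read, each event is labelled by which day it falls in, and chart pivots the labels into side-by-side columns:

```spl
index=foo <query> ((earliest=-1d@d+9h latest=-1d@d+10h) OR (earliest=@d+9h latest=@d+10h))
| eval day=if(_time < relative_time(now(), "@d"), "yesterday", "today")
| stats avg(responsetime) as avg_rt count by uri day
| eval cell=round(avg_rt, 1)." ms (".count." req)"
| chart values(cell) over uri by day
```

The `@d` snaps are evaluated against the search's "now", so if this runs as a scheduled report the windows move with it; for a fixed comparison date replace `now()` and the snap modifiers with explicit epoch bounds.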
Hi Splunkers, I have my multiselect field CSS code as below. The 2nd part (350px) works for the entire area width, but the 1st part doesn't seem to work as expected: the input area width is not 300px or 340px.

```css
#KeyWordID div[data-component="splunk-core:/splunkjs/mvc/components/MultiSelect"]
{
  width: 300px; !important;
  max-width: 340px; !important;
}

#KeyWordID {
  width: 350px;
}
```

Thanks in advance.

Kevin
I see an error while trying to upgrade the event service via the Enterprise Console. The EC itself was upgraded successfully.
I have a dashboard with a statistics table and I want to add colour to the font alone in the statistics table. There is no condition to be given; I have to colour the font for all rows in the table. How do I do it?
We are trying to find out why a server error appears on the search head, though we don't see any errors in the logs and no high CPU usage was found. We are running v7.3.5.
Hi all, I am trying to integrate MS SQL audit log data with a UF instead of DB Connect. What is the best and recommended way to do it that maps all fields? At the moment it is integrated with the UF and using the "Splunk Add-on for Microsoft SQL Server". With that, the MS SQL events can be identified by SourceName=MSSQLSERVER or SourceName=MSSQL*. However, it does not work properly as most of the fields are not extracted and mapped. For example, the user is also not translated: User=NOT_TRANSLATED.
Hi Splunkers, I'm struggling with setting up an appropriate line breaker for data from a log file. The example is below. I tried to use the event-breaking policy set to "every line", but it doesn't work well, as the last line consists of 3 events. I would like to break lines based on [abcdef.abcs][info][gc], but I'm not entirely sure whether it's possible. Could you please take a look?

```text
[883722.688s][info][gc] GC(40135) Pause Init Mark (process weakrefs) 1653.109ms
[883734.774s][info][gc] GC(40135) Concurrent marking (process weakrefs) 12086.056ms
[883736.181s][info][gc] GC(40135) Concurrent precleaning 1406.445ms
[883738.907s][info][gc] GC(40135) Pause Final Mark (process weakrefs) 2724.588ms
[883738.908s][info][gc] GC(40135) Concurrent cleanup 72424M->72273M(153600M) 0.229ms
[883739.217s][info][gc] GC(40135) Concurrent evacuation 308.624ms
[883739.217s][info][gc] GC(40135) Pause Init Update Refs 0.137ms
[883742.192s][info][gc] GC(40135) Concurrent update references 2975.050ms
[883742.195s][info][gc] GC(40135) Pause Final Update Refs 1.175ms
[883742.196s][info][gc] GC(40135) Concurrent cleanup 80318M->62137M(153600M) 0.204ms
[883742.197s][info][gc] Trigger: Allocated since last cycle (15943M) is larger than allocation threshold (15360M) [883742.224s][info][gc] GC(40136) Concurrent reset 26.618ms [883743.575s][info][gc] GC(40136) Pause Init Mark 1349.467ms
```
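A props.conf stanza that breaks on the `[<uptime>s][info][gc]` header rather than on newlines, added as an example and not part of the original post. The sourcetype name jvm_gc is an assumption; the stanza belongs on the first Splunk instance that does full parsing (indexer or heavy forwarder), or, for a universal forwarder, the same regex goes into EVENT_BREAKER with EVENT_BREAKER_ENABLE = true.

```ini
# props.conf (assumed sourcetype name: jvm_gc)
[jvm_gc]
SHOULD_LINEMERGE = false
# Start a new event in front of every "[<seconds>s][info][gc]" header, whether it
# follows a newline or only whitespace on the same physical line. The capture
# group is the delimiter Splunk discards; the lookahead keeps the header in the event.
LINE_BREAKER = ([\r\n]+|\s+)(?=\[\d+\.\d+s\]\[info\]\[gc\])
# The bracketed value is JVM uptime, not wall-clock time, so do not try to parse
# it as a timestamp; stamp events with the time they were read instead.
DATETIME_CONFIG = CURRENT
# Same regex for a universal forwarder that ships this file directly to indexers.
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+|\s+)(?=\[\d+\.\d+s\]\[info\]\[gc\])
```

The delimiter group must consume at least one character, so two headers glued together with no whitespace between them would not be split; check the raw file with a hex viewer if events still merge after applying this.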
Hi everyone, is there an official document for the necessary API permissions? Or does anyone know about these permissions? Thank you.
Hi, I'm unable to install an app on my Splunk Cloud Platform evaluation! Is this a limitation, i.e. can't I test / evaluate applications on a Splunk Cloud Platform evaluation? Thanks for clarifying.
Hi, my system is Linux. I am trying to monitor 3 users in an index: the last time they logged in, IP address etc. There are over 180 users. How do I get the search to show just the three users I want, e.g. James, Peter and John? Thanks.
Hi, I'm following this article in an attempt to ingest Teams data into Splunk and I need some help with testing the webhook. Can someone confirm what the webhook URL is?

```shell
curl WEBHOOK_ADDRESS -d '{"value": "test"}'
```

Also, looking at the documentation for the Teams Add-on for Splunk, it states that "the Teams Webhook is not available for Splunk Cloud installations." Has anyone found an alternative solution for cloud deployments? We use Splunk in a hybrid (cloud + on-prem) environment. Many thanks.
Hi, I'm trying to extract some JSON values into tables for a dashboard. The log line that I'm using is something like the below:

```text
username=myUser notificationPreferences= [class NotificationPreferences { category=cat1, categoryDescription=category1 receiveEmailNotifications=false receiveSmsNotifications=false }, class NotificationPreferences { category=cat2 categoryDescription=category2 receiveEmailNotifications=false receiveSmsNotifications=true }]
```

As you can see, it's just a standard toString on a Java class that the developers are outputting. What I want is a table of users and categories, with each category having the associated details, e.g.:

```text
User     Category   Email  SMS
myUser1  Category1  false  false
myUser1  Category2  false  true
myUser2  Category1  true   true
```

I started by trying to tidy up the JSON:

```spl
| rex field=notificationPreferences mode=sed "s/\[class NotificationPreferences/prefs:[ /g"
| rex field=notificationPreferences mode=sed "s/, class NotificationPreferences/, /g"
```

Which makes the notificationPreferences field a bit better:

```text
username=myUser notificationPreferences= prefs:[ { category=cat1, categoryDescription=category1 receiveEmailNotifications=false receiveSmsNotifications=false },{ category=cat2 categoryDescription=category2 receiveEmailNotifications=false receiveSmsNotifications=true }]
```

But from here I'm struggling with what I need to do in terms of spath and extractions to get both categories to work. I only ever seem to get the first category to appear in my results. Any help would be great. Thanks.
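The toString output above is not JSON, so spath will not parse it; rex with max_match=0 extracts every repeated block as multivalue fields, which are then zipped and expanded into one row per category. This is an added example, not part of the original post; the index name app_logs is an assumption, the field names come from the sample line, and the regex tolerates the inconsistent comma after the category value that the sample shows.

```spl
index=app_logs "notificationPreferences="
| rex field=_raw "username=(?<username>\S+)"
| rex field=_raw max_match=0 "category=(?<category>[^,\s]+),?\s+categoryDescription=(?<categoryDescription>\S+)\s+receiveEmailNotifications=(?<email>true|false)\s+receiveSmsNotifications=(?<sms>true|false)"
| eval pref=mvzip(mvzip(categoryDescription, email, "|"), sms, "|")
| mvexpand pref
| eval parts=split(pref, "|")
| eval Category=mvindex(parts, 0), Email=mvindex(parts, 1), SMS=mvindex(parts, 2)
| rename username as User
| table User Category Email SMS
```

mvzip is used rather than expanding the fields independently because mvexpand on one multivalue field at a time would lose the pairing between a category and its own flags; zipping first keeps each block's values together on one row.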
Dear all, I have installed the Splunk App for Linux and the add-on in my Splunk Enterprise (paid licence) version. I installed the Splunk forwarder on all hosts and added cpu, vmstat and df in the inputs.conf file on the remote servers. Now I want to create a dashboard for live monitoring of the mentioned Linux metrics and alerts for them. I need help to do that; if you have any good documents, please share.
Hi Team, we have a field called Status with the values Status=Start and Status=Success, and OrderId is another field. When an OrderId has Status=Start and there is no Status=Success within 10 mins, it should be considered a failure. May I know how to write a condition for this?
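One stats-based way to flag orders whose Success did not arrive within 10 minutes of Start, added as an example that is not part of the original post. The index name orders is an assumption; Status and OrderId are the fields from the question. Both timestamps are collected per order in a single pass, and the elapsed time is measured against the Success event if there is one, or against now() if there is not, so an order started 3 minutes ago with no Success yet is correctly not reported:

```spl
index=orders (Status=Start OR Status=Success)
| stats min(eval(if(Status=="Start", _time, null()))) as start_time
        min(eval(if(Status=="Success", _time, null()))) as success_time
        by OrderId
| where isnotnull(start_time)
| eval elapsed=if(isnotnull(success_time), success_time - start_time, now() - start_time)
| where elapsed > 600
| eval result=if(isnotnull(success_time), "success after deadline", "no success yet")
| convert ctime(start_time) ctime(success_time)
| table OrderId start_time success_time elapsed result
```

When run as a scheduled alert, make the search window cover at least 10 minutes past the newest Start you want to judge (for example earliest=-70m for an hourly schedule), otherwise a Success that falls outside the window is indistinguishable from one that never happened.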
I have the following data that I'm trying to timechart the differences between:

```text
2023-02-16T16:14:04: Data Processing Phase -1 completed
2023-02-16T14:01:00: Data Processing Phase -1 starting
2023-02-16T14:01:00: Data Collection Phase 3 (Final Collection Phase) completed
2023-02-16T11:34:10: Data Collection Phase 2 starting
2023-02-16T11:34:10: Data Collection Phase 1 completed
2023-02-16T11:34:10: Data Collection Phase 3 (Final Collection Phase) starting
2023-02-16T11:34:10: Data Collection Phase 2 completed
2023-02-16T09:01:36: Data Collection Phase 1 starting
```

I've sliced up the data using the following SPL, but that will only give me a look at the time differences over the selected timeline. I can't figure out how to slice this data up so that I'm able to timechart the differences over multiple runs of the Data Collection Phases.

```spl
| stats first(_time) as End, last(_time) as Start by Phase, PhaseIdentifier
| eval RunTime = round((End - Start) / 60, 0)
| eval Start=strftime(Start, "%c")
| eval End=strftime(End, "%c")
| rename RunTime AS "RunTime (Minutes)"
```

I'm used to working more with metrics and logs that spit out runtimes, so this has been vexing me for entirely too long.
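One way to pair each "completed" event with the "starting" event that preceded it for the same phase, so that every run gets its own duration and the result can be charted over time, added as an example that is not part of the original post. The index name batch_logs is an assumption; the Phase names and the starting/completed wording come from the sample lines, and the rex assumes the text after the timestamp looks exactly like the sample. streamstats with current=f carries the previous event's time forward within each phase, which is what the single stats in the question cannot do once a phase has run more than once in the time range:

```spl
index=batch_logs ("Data Collection Phase" OR "Data Processing Phase")
| rex "(?<Phase>Data (?:Collection|Processing) Phase -?\d+)[^:]*?\s(?<event>starting|completed)$"
| sort 0 Phase _time
| streamstats current=f last(_time) as start_time last(event) as prev_event by Phase
| where event=="completed" AND prev_event=="starting"
| eval RunTime=round((_time - start_time) / 60, 0)
| timechart span=1d max(RunTime) as "RunTime (Minutes)" by Phase
```

Phases that start and complete in the same second (Phase 2 in the sample) chart as 0 minutes, which is accurate; a "completed" with no preceding "starting" in the time range is dropped by the where clause rather than paired with the wrong run.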
Hi, I need some help in crafting a search query that could get counts by a regex and display the counts in a table. The log msg we have is "Successfully submitted: admin-mobile" or "Successfully submitted: admin". I'd like to count the number of msgs containing "admin-mobile" and "admin" respectively and show them in a table. I know that I can get one count by `| search "Successfully submitted: admin-mobile" | stats count` and it will show in a table. The question is how to get the other count. Thanks. The result I'd like to have is like below, in a table format:

```text
submissionType   count
admin-mobile     999
admin            888
```