We have recently upgraded an indexer from 8.2.6 to 9.0.2 (running on Windows) and since then we have been plagued by an intermittent issue where the indexer stops indexing new data, but otherwise functions fine. The indexing rate is 0, but it still returns search results. Restarting the Splunk service is all that is required and it starts indexing again. The problem seems very similar to this post, but I can't see that any of the known issues quoted relate to 9.0.2. It should already be fixed by the "server side fix" alluded to by one of the people replying to that post. When the problem happens, we see these errors in the splunkd log of the indexer: Sorry for the screenshots. Best I could do. Any clues as to what is going on here?
I have a query and at the end I want to sort the data by a specific column, but the column is dynamically generated. I can get the column name in an eval function and store it in a variable. Now how do I use this variable in the sort command? For example:

my_search | eval date="my logic, let's say it returns '2023-02-02'" | sort - $date

Here the variable holds the column name and I want to sort by that column. Is it possible to sort by a column name which is dynamically generated, so I won't know the exact name but the variable holds the column name, and I can just use sort - $Variable?
index=index1 type=1 feature IN ([search index=index1 type=type2 application=weather_app | dedup feature | fields feature | format ])

The above code returns this error and I can't seem to figure out how to fix it. Any help would be appreciated.

Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals. '((feature = "feature1") OR (feature = "feature2") OR (feature = "feature3") OR (feature = "feature4") is not a literal.
I'm having an issue where PHP can't seem to load the agent.so, similar to this issue: PHP 8.0 agent cannot start - AppDynamics Community. Are there any known bugs with the current PHP agent version 22.12.1 with PHP 8.1? I've followed the install instructions as usual from Install the PHP Agent by Shell Script (appdynamics.com).

php -v
PHP Warning: PHP Startup: Unable to load dynamic library 'appdynamics_agent.so' (tried: /usr/lib64/php/modules/appdynamics_agent.so (/usr/lib64/php/modules/appdynamics_agent.so: undefined symbol: zend_vm_stack_copy_call_frame), /usr/lib64/php/modules/appdynamics_agent.so.so (/usr/lib64/php/modules/appdynamics_agent.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP 8.1.15 (cli) (built: Jan 31 2023 15:13:17) (NTS gcc x86_64)
Copyright (c) The PHP Group
Zend Engine v4.1.15, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.15, Copyright (c), by Zend Technologies
Is there a limit to how many events can be sent to Splunk HEC per event? What's recommended, are there any guidelines? This Splunk .conf talk has it at 5-50, but I've seen some folks send 1k-6k events per request. Is there a point where the number of events per request starts to affect performance, and would it affect just the input with the large request or the overall HEC server? https://conf.splunk.com/files/2017/slides/measuring-hec-performance-for-fun-and-profit.pdf "Recommendation: Batch size between 5 and 50"
Hi, I need an InfluxDB driver for Splunk DB Connect. Any idea? Thanks
I created a small PowerShell script to collect all EC2 Windows hostnames and IP addresses. I mirrored the existing scripts and locations already in the system. I did have success with Linux with a shell script. No data is returning. Is there a recipe out there or advice to get results to appear?
The search below doesn't work when I add department to the group-by fields in the streamstats command. It works with any other field but this one. Can someone please give some insight?

index=... | lookup lookup cn as user OUTPUT department | reverse | dedup department application feature time | streamstats current=f window=1 values(currTotalCount) as prev_count by application feature department | table department application user display time feature currTotalCount prev_count

The prev_count field is empty when I add department to the group-by fields (streamstats command); otherwise it shows the correct result.
Hello, I am new. I have combined data from cyclogs, AD server logs and firewall logs. How can I search for data that happens +/- 5 mins from a message event? For example, I have narrowed my search down with the message search Message="Started FTP Client", but I need to know what happens +/- 5 mins from this event, as I would like to see the dest_Ip address in the firewall data and user login data from the AD server. I imagine they would be the same timestamp or very close. Thank you
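The windowed correlation the post asks for, as an added example that is not part of the original post or of any Splunk app: take every "Started FTP Client" message as an anchor and collect the events from the other sources whose timestamp lies within +/- 5 minutes of it, then pull out the firewall destinations and AD user names seen in that window. The source names (cyclogs, adserver, firewall), field names and sample events are constructed assumptions; the 5-minute window is the post's.

```python
import bisect
from datetime import datetime, timedelta


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events as (time, source, fields). Sources and field names are assumed.
EVENTS = [
    (_t("2023-02-08 13:20:00"), "adserver", {"user": "alice", "action": "logon", "src": "10.1.1.20"}),
    (_t("2023-02-08 13:24:30"), "cyclogs",  {"Message": "Started FTP Client", "host": "NB-2071"}),
    (_t("2023-02-08 13:25:10"), "firewall", {"src_ip": "10.1.1.20", "dest_ip": "203.0.113.7", "dest_port": 21}),
    (_t("2023-02-08 13:29:00"), "adserver", {"user": "alice", "action": "logoff"}),
    (_t("2023-02-08 13:31:00"), "firewall", {"src_ip": "10.1.1.20", "dest_ip": "198.51.100.9", "dest_port": 443}),
    (_t("2023-02-08 13:40:00"), "firewall", {"src_ip": "10.1.1.21", "dest_ip": "192.0.2.44", "dest_port": 21}),
]


def is_ftp_start(event):
    """Anchor predicate: the message the post filters on."""
    return event[2].get("Message") == "Started FTP Client"


def events_around(events, predicate, window_minutes=5):
    """For every anchor event matching predicate, return the other events whose
    time lies in [anchor - window, anchor + window]. Events are sorted once and
    the window edges are found by binary search, so this stays O(n log n)."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: e[0])
    times = [e[0] for e in ordered]
    out = []
    for anchor in ordered:
        if not predicate(anchor):
            continue
        lo = bisect.bisect_left(times, anchor[0] - window)
        hi = bisect.bisect_right(times, anchor[0] + window)
        out.append((anchor, [e for e in ordered[lo:hi] if e is not anchor]))
    return out


def correlate(events, predicate, window_minutes=5):
    """Summarise each anchor: firewall destinations and AD users seen in its window."""
    summary = []
    for anchor, nearby in events_around(events, predicate, window_minutes):
        summary.append({
            "anchor_time": anchor[0],
            "dest_ips": sorted({e[2]["dest_ip"] for e in nearby if e[1] == "firewall"}),
            "users": sorted({e[2]["user"] for e in nearby if e[1] == "adserver"}),
            "event_count": len(nearby),
        })
    return summary


if __name__ == "__main__":
    for row in correlate(EVENTS, is_ftp_start):
        print(row)
```

With the sample data the 13:31:00 and 13:40:00 firewall events fall outside the 5-minute window and are left out, while the logon at 13:20:00 and the port-21 connection at 13:25:10 are attached to the anchor; widening the window to 10 minutes pulls the 13:31:00 event back in, which is the knob to turn when the three sources' clocks are not tightly synchronised.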
Hi, what location would we get on the geo dashboard if the user is using a VPN to connect to the system to fetch the application? If the location is configured in the VPN, can we get the actual location if the user is using the application?
I have a table that looks like the one below; it shows how the app users are distributed across departments. There are several apps and several departments.

app | department | dep_headcount | avg_users_per_hr

Is there any way to visualize this so that any data point in the chart will show:
application: app_name
departments: dep_name
avg_users_per_hr: X
dep_headcount: Y
Hi All,

We are using Splunk Enterprise with the perpetual license model with an index capacity of 5 GB. We are all of a sudden facing an issue with indexing of the data when the limit has not been breached in the last 30 days. Can you please guide on this case?
Is there a format that needs to be adhered to when using a blacklist with a regex? I am trying to format "New Process Name:" with a regex that will extract events from a specific data source. I have tested the regex with regex101 and it identifies the events that I want to filter; it is basically

blacklist3 = New\sProcess\sName\:\s+C\:\\Program\sFiles\s\(x86\)\\......

Should that work, or do I need to format it something more like

blacklist3 = New Process Name = C\:\\Program\sFiles\s\(x86\)\\......

My current blacklist is resulting in

ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist3' [legacy], range error found in 'regex'......

According to this document, https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Whitelistorblacklistspecificincomingdata, blacklist = <your_custom_regex> should work.

Thanks
Our client is asking us for information that is stored in Splunk Cloud, and I am not aware of how to access a copy of the information, either because they simply want to have it or because they want it to be backed up from time to time. The second part of the question is, if there is a way to have a copy of that information, what is the restore process?
While adding the Splunk app to Splunkbase I am getting this error:

The "id" field found in app.conf does not match the root folder of the application

My config:

[install]
is_configured = 0
install_source_checksum = xxxxx

[launcher]
author = Abhinav Ranjan
description = AccuKnox App for Splunk lets AccuKnox customers and KubeArmor users send alerts from Feeder or Workflows to visualize the data in the AccuKnox Splunk dashboards. AccuKnox, CNAPP that just works, from Build to Runtime. See what your applications are really doing and Automatically generate Zero Trust, least privilege policies to continuously monitor and protect your Network, Application and Data.
version = 1.0.0

[package]
id = SplunkforAccuKnox

[ui]
is_visible = 1
label = AccuKnox
When sending batch data to the HEC server, with multiple events per request, is it better to send large (10k-100k), medium (1k-10k) or small (>1k) batches to the HEC server? Is there anything that can be done to ensure data is ingested faster and more smoothly?
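An added example (not from either of the two HEC batching posts above, nor from Splunk) of what "events per request" actually means on the wire: the /services/collector/event endpoint accepts several JSON event envelopes concatenated in one request body, so a batch is just N envelopes joined by newlines, and the client decides N. The builder below closes a batch on either an event-count cap or a byte cap, so a batch size you tune for throughput cannot quietly produce a request the server rejects as too large. The endpoint URL and token are placeholders and the sample events are constructed.

```python
import json
import urllib.request

# Assumed endpoint and a placeholder token (not from the posts): replace with your own.
HEC_URL = "https://splunk.example.internal:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"


def hec_event(event, sourcetype, epoch, index=None, host=None):
    """Wrap one event in the JSON envelope /services/collector/event expects.
    'time' is set by the client so a batch that ships late keeps its real timestamps."""
    envelope = {"time": epoch, "sourcetype": sourcetype, "event": event}
    if index:
        envelope["index"] = index
    if host:
        envelope["host"] = host
    return envelope


def build_batches(envelopes, max_events, max_bytes):
    """Group envelopes into request bodies. HEC accepts several JSON objects
    concatenated in one body, so a batch is the objects joined by newlines.
    A batch is closed when the next event would exceed max_events or max_bytes;
    a single oversized event still ships alone rather than being dropped silently."""
    batches, current, current_bytes = [], [], 0
    for env in envelopes:
        line = json.dumps(env, separators=(",", ":"))
        size = len(line.encode("utf-8")) + 1  # +1 for the joining newline
        if current and (len(current) >= max_events or current_bytes + size > max_bytes):
            batches.append("\n".join(current))
            current, current_bytes = [], 0
        current.append(line)
        current_bytes += size
    if current:
        batches.append("\n".join(current))
    return batches


def post_batch(body, url=HEC_URL, token=HEC_TOKEN, timeout=30):
    """POST one batch. Certificate verification stays at urllib's default (on);
    do not switch it off to work around a trust problem, fix the CA chain instead."""
    req = urllib.request.Request(
        url,
        data=body.encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        reply = json.loads(resp.read().decode("utf-8"))
    # HEC answers {"text":"Success","code":0}; any other code rejects the whole
    # batch, so the caller should retry or spill the body to disk, not discard it.
    if reply.get("code") != 0:
        raise RuntimeError(f"HEC rejected batch: {reply}")
    return reply


def batch_plan(envelopes, candidate_sizes, max_bytes=1_000_000):
    """How many requests each candidate batch size needs for the same event stream."""
    return {n: len(build_batches(envelopes, n, max_bytes)) for n in candidate_sizes}


if __name__ == "__main__":
    # Constructed sample events (not real data).
    sample = [hec_event({"n": i, "msg": "demo"}, "demo:json", 1675800000 + i) for i in range(120)]
    print(batch_plan(sample, (5, 50, 1000)))  # {5: 24, 50: 3, 1000: 1}
    for body in build_batches(sample, 50, 1_000_000):
        pass  # post_batch(body)  # enable once HEC_URL and HEC_TOKEN are real
```

The trade-off the two questions circle is visible in batch_plan: the same 120 events cost 24 requests at batch size 5 and one request at 1000, and every request carries its own TLS and HTTP overhead, so larger batches cost the sender and the HEC listener less per event. The counterweights are that one rejected or timed-out request now loses more events (hence the retry-or-spill note in post_batch), that a large body sits in the client buffer until it is full unless a flush timer is added, and that the server caps request body size (limits.conf, [http_input], max_content_length), which is what the byte cap in build_batches is for.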
Hi, I'm a Splunk newbie. I'm confused about MC, CM, and LM, so I'm asking a question.

1. Is it true that the monitoring console exists to check the indexer's health or CPU usage?
2. If number 1 is correct, I wonder why there is a license usage tab in the monitoring console menu. Does the monitoring console also check the license pool? (Does it also serve as a license master?)
3. Is it correct to say that the indexer cluster master is a role when divided based on Splunk components, and the monitoring console is a built-in function of the cluster master? Don't the monitoring console and the cluster master instance exist separately?
Hi, we have installed the Splunk Universal Forwarder on a VIOS server and pushed TA-metricator-for-nmon. However, we are unable to get any metrics. A look at the internal logs shows the following error:

/splunkforwarder/var/log/metricator/var/nmon_repository/fifo1/nmon_timestamp.dat: A file or directory in the path name does not exist.

Is this an install issue or are there some configuration changes that need to be made? Thanks, AKN @guilmxm
Hello everyone, how are you? I am trying to perform a search in the Cylance Protect app, where I have the following event as an example:

2023-02-08T13:25:10.484000Z sysloghost CylancePROTECT - - - Event Type: Threat, Event Name: threat_changed, Device Name: NB-2071, IP Address: (172.47.102.56), File Name: main.exe, Path: C:\DIEF2023.2.0, Drive Type: Internal Hard Drive, File Owner: AUTORIDADE NT\SISTEMA, SHA256: 8B2F7F3120DD73B2C6C4FEA504E60E65886CC9804761F8F1CBE18F92CA20AC44, MD5: 70D778C4A1C17C2EFD2D7F911668E887, Status: Quarantined, Cylance Score: 100, Found Date: 2/8/2023 1:25:10 PM, File Type: Executable, Is Running: False, Auto Run: True, Detected By: FileWatcher, Zone Names: (HOMOLOGAÇÃO), Is Malware: False, Is Unique To Cylance: False, Threat Classification: PUP - Generic, Device Id: 6c4e6c22-bf96-4de4-897b-cea83b8989b4, Policy Name: Política de Proteção N3 - Bloqueio

In this case, note the SHA256 parameter; it is the basis of the panel that I need to create. The thing is that I need to generate a chart that presents the number of different SHA256s that were detected month by month, observing the following rules:

- If a SHA256 was detected in January, the chart should count one.
- If the same SHA256 is detected again in February, the chart should count it again.
- However, if the same SHA256 was detected twice in the same month, the chart will only count it once.

I tried various different ways to perform this search. However, I was not successful. Here are some examples:

eventtype=cylance_index sourcetype=syslog_threat Tenant="$Tenant$" * Status=Quarantined | timechart span=1mon count as Total

This one works, but it's counting the number of monthly events, that is, the same SHA256 is being counted more than once.

eventtype=cylance_index sourcetype=syslog_threat Tenant="$Tenant$" * Status=Quarantined | dedup SHA256 | stats count as Total by month | timechart span=1mon sum(Total) as Total

This time the error was "No Results Found".

eventtype=cylance_index sourcetype=syslog_threat Tenant="$Tenant$" * Status=Quarantined | stats count by SHA256, month | timechart span=1mon sum(count) as Total

Again the error of no results found. Thank you in advance.
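The three counting rules in the post, worked through as an added example that is not part of the original post or of the Cylance Protect app: a small parser for the "Key: Value, Key: Value" body of the CylancePROTECT syslog line shown above, then a per-month set of SHA256 values so that a hash seen twice in one month counts once and the same hash seen in a later month counts again. The sample lines and placeholder hashes are constructed; the field names and line shape are taken from the post's event.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog header as in the post: "<ts> <host> CylancePROTECT - - - <Key: Value, Key: Value, ...>"
HEADER_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+-\s+-\s+-\s+(?P<body>.*)$")


def parse_event(line):
    """Return a dict of the 'Key: Value' pairs in one CylancePROTECT threat event,
    plus _time and host from the syslog header. Returns None for lines that
    do not match the header shape, so junk lines never reach the counter."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {"_time": m.group("ts"), "host": m.group("host")}
    for pair in m.group("body").split(", "):
        key, sep, value = pair.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def month_of(ts):
    """Bucket an ISO-8601 timestamp into its calendar month ('YYYY-MM')."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").strftime("%Y-%m")


def distinct_hashes_per_month(lines, status="Quarantined"):
    """Distinct SHA256 count per month: a hash seen twice in one month counts once,
    the same hash seen again in a later month counts again. Hash case is
    normalised so '8b2f...' and '8B2F...' are treated as the same file."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.get("Status") != status or "SHA256" not in ev:
            continue
        seen[month_of(ev["_time"])].add(ev["SHA256"].upper())
    return [(month, len(hashes)) for month, hashes in sorted(seen.items())]


# Constructed sample data (not real detections): the hashes are placeholders.
SHA_A, SHA_B, SHA_C, SHA_D = "A" * 64, "B" * 64, "C" * 64, "D" * 64


def _line(ts, sha, status):
    return (f"{ts} sysloghost CylancePROTECT - - - Event Type: Threat, Event Name: threat_changed, "
            f"Device Name: NB-2071, IP Address: (172.47.102.56), File Name: main.exe, "
            f"Path: C:\\DIEF2023.2.0, SHA256: {sha}, MD5: 70D778C4A1C17C2EFD2D7F911668E887, "
            f"Status: {status}, Cylance Score: 100, Threat Classification: PUP - Generic")


SAMPLE_LINES = [
    _line("2023-01-05T10:00:00.000000Z", SHA_A, "Quarantined"),
    _line("2023-01-20T11:00:00.000000Z", SHA_A.lower(), "Quarantined"),  # same file, same month
    _line("2023-01-21T12:00:00.000000Z", SHA_B, "Quarantined"),
    _line("2023-01-22T13:00:00.000000Z", SHA_C, "Blocked"),              # filtered out by status
    _line("2023-02-08T13:25:10.484000Z", SHA_A, "Quarantined"),          # counts again in February
    _line("2023-02-09T09:00:00.000000Z", SHA_D, "Quarantined"),
    _line("2023-03-01T08:00:00.000000Z", SHA_B, "Quarantined"),
]

if __name__ == "__main__":
    for month, n in distinct_hashes_per_month(SAMPLE_LINES):
        print(month, n)  # 2023-01 2, 2023-02 2, 2023-03 1
```

The per-month set is exactly what a distinct count per time bucket does in SPL, so the same numbers come from `... Status=Quarantined | timechart span=1mon dc(SHA256) as Total`: dc() counts distinct values inside each bucket and starts over in the next one, which is the difference from the global dedup in the second attempt above.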
One of my cold-bucket indexers lost its connection to the SAN and now I have a lot of data and files in my cold bucket's lost+found directory.

1. How can I re-ingest/put this data back in its actual folders in the cold bucket?
2. What can I do with the data in the lost+found directory located in the cold bucket?