Hi, we have been using Splunk Enterprise version 8.1.0 and are planning to upgrade to version 9.x, but there seems to be some sort of an issue. We have a choice tag with collapse and expand options, but that doesn't seem to work when migrating to version 9.0.2 or even 9.0.4, while it works perfectly fine in version 8.1.5. Has anyone faced a similar issue, or is there some workaround to fix this? Regards, Pravin
Hi guys, so currently I have a line chart on a dashboard which looks like below. But I need the line chart to have a bullet point at each data point entry, something like below. If someone could help me out on how I can achieve this, that would be great. Thanks
We have multiple values within double quotes, and they need to be put into different field names according to the name we have. All values have to be in separate field names, each one being the text within a pair of double quotes. The regex below is working, but it is picking all the values and putting them in one field. I am looking for: 1. the value within the first pair of double quotes getting picked into one common field name; 2. the value within the second pair of double quotes getting picked into a second common field name; 3. the value within the third pair of double quotes getting picked into a third common field name.

| rex "\\\"(?<JobId>[^\\\"]+)"

"17449551" "pmqcd1p3" "SAP for Oracle" "PMQ" "N/A" "default" "(Logcommand line)"
e.g. input: CustomerService API call completed in 105 ms. Expected output: CustomerService 105 (in some graphical representation)
Hello, is there any way to get an alert for new errors/exceptions that never happened before? More like, let's say that I have 10 errors/exceptions that happened before; can I get an alert only for the new ones? Also, for the known exceptions, is it possible to set a threshold? I will attach my type of logs.
Hi, in Splunk Enterprise some team members are unable to assign notables to their own name; the assign option is not there. In the drop-down list they are also not able to see their name. Another user with the same level of access is able to assign. Tried clearing the cookies as well.
Hi, we have been trying to write the props for a couple of days. Issue: Splunk is showing a time difference of 4 to 5 hours; logs are coming from one source with multiple time differences. Example 1: Splunk time 3:48pm, log time 20:48. Example 2: Splunk time 2:24pm, log time 18:24. Time format: 2023-03-10T20:48:11.689534088Z. Please let me know if you have any ideas or solutions that could help us out here!
I would like to know if there is any query available that will tell us the total number of disabled accounts in Active Directory for a given time period, and how to get the rate of disablement.
Hi, I am trying to figure out how best to send the logs (at least Kubernetes logs, and possibly application logs) from an on-prem Kubernetes cluster to on-prem Splunk Enterprise. I have gone through a long list of options such as 'Splunk App for Infrastructure' (EOL), Splunk Connect for Kubernetes (EOL Jan 2024), Splunk Operators v1 and v2, etc. The Splunk OpenTelemetry Collector for Kubernetes would look promising, but if I understood correctly this only works with Observability (Cloud) and is not meant to work with, or supported with, Splunk Enterprise. My question is: what is the best way to ship logs from Splunk to Splunk Enterprise (both on-prem)? Currently, logging, metrics, traces, etc. have not yet been configured on the Kubernetes cluster I am building. Since we use Splunk for centralized log collection, whatever solution it is needs to work with Splunk Enterprise, but also ideally be more future-proof than many of the solutions seen previously.
I have been able to raise cases previously, but when trying to raise a new case I am not seeing any drop-down options under the "Select Entitlement" option, which stops me from being able to raise a new case.
I am trying to extract the fields in JSON format, but I am not able to fetch the data. PFB screenshot for reference: not able to extract fields. Can anyone help on this? Thanks in advance.
Hello, what proxy rules do I need to allow to install apps from Splunkbase? What URLs do I need to allow? Is https://*splunk.com* sufficient? Thanks in advance, Ran
The timezone on my Splunk indexer is GMT and the Windows machine is PST. I found that the metadata from Windows Event Logs loses the timezone info, so that the time in raw events is 8 hours earlier than `_time`, which is the real time in GMT. The consequence is that all of these logs will be 8 hours earlier than the real time after a `collect` action, such as in the following image, which just collects the data into a new index. I want Windows Event Logs to have timezone info added, or to be able to modify the time info in the Windows Splunk universal forwarder. I have tried changing props.conf in the forwarder and indexer, but it changes the timestamp, not the raw events. What's more, I will not change the system timezone on the machine, because unknown problems may be introduced into the systems. Can I change the time info in Windows Event Logs without changing the Windows system timezone?
I am unable to access the SaaS controller; I get a 500 Internal Server Error. How do I resolve it?
We have many use cases in our environment and have placed them in the hadoop_queues_base.csv file. We would like to check whether dashboards and alerts are configured for specific use cases. Is there any way to sort and find out the dashboards and alerts associated with the use cases?
I want to connect Splunk Enterprise configured in an Azure VM and O11y Cloud through Log Observer Connect. I tried the Log Observer Connect connection, but it is not connected, as shown in the attachment. I applied all the information on the 'Set Up Service Account' page. I created and reflected the Enterprise's own certificate by referring to the Splunk documentation. The 8089 port inbound/outbound policy is also reflected in the Azure VM. I want to know how to solve it. Please answer my question.
Does Python 3.9.2 not work for Splunk SDK 1.7.2? I am creating the connection with this:

service = client.connect(host=host, port=port, token=token)

using all the values (host, port, token) that work with a curl (-H) command. This is the error that I'm getting:

Traceback (most recent call last):
  File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/binding.py", line 292, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/binding.py", line 73, in new_f
    val = f(*args, **kwargs)
  File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/binding.py", line 699, in get
    response = self.http.get(path, all_headers, **query)
  File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/binding.py", line 1232, in get
    return self.request(url, { 'method': "GET", 'headers': headers })
  File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/binding.py", line 1304, in request
    raise HTTPError(response)
splunklib.binding.HTTPError: HTTP 401 Unauthorized -- call not properly authenticated

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/anonymous/xxxx.py", line 48, in <module>
    for app in service.apps:
  File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/client.py", line 1411, in __iter__
    for item in self.iter(**kwargs):
  File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/client.py", line 1574, in iter
    response = self.get(count=pagesize or count, offset=offset, **kwargs)
  File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/client.py", line 1804, in get
    return super(Collection, self).get(name, owner, app, sharing, **query)
  File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/client.py", line 862, in get
    return self.service.get(path,
  File "/home/anonymous/.local/lib/python3.9/site-packages/splunklib/binding.py", line 304, in wrapper
    raise AuthenticationError(
splunklib.binding.AuthenticationError: Request failed: Session is not logged in.

Is it the Python version, or something to do with my search head host using `https`?
Hello everyone, I am new to Splunk. I want to create a report that displays the value of a particular field from the Windows Registry. I have user-level access to Splunk Cloud. In the Splunk documentation, I found the following method to achieve what I am looking to do: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorWindowsregistrydata However, I don't see the Add Data/Data Input options mentioned in the link to get Windows Registry data. My question is, how do I see those options? Do I need a higher level of access, like Admin or something similar? Please advise.
I created an outputlookup file with just one column: ...My search | table D_ID | outputlookup Total.csv I want to use the data in a new search like a subsearch, but the results are 0, while I am certain the events exist. Is there also a max limit when using inputlookup? ...My search [| inputlookup Total.csv]
Hi, we have a requirement to pull data from a third-party AWS account. The third-party provider will push the data to an S3 bucket in their AWS account, and we are looking to pull that into an on-prem Splunk instance. There is an AWS Splunk add-on on Splunkbase; are we able to use this add-on to pull data from a third-party AWS account, and if so, how is it authenticated against the third-party account? Please point me to any documentation available.