All Topics

Hi, I want to rename "Required Parameters Longitude and Latitude are missing or invalid" to a new value, "Required Parameters missing".

index="****" k8s.namespace.name="*****" "Error" OR "Exception"
| rex field=_raw "(?<error_msg>Required Parameters Longitude and Latitude are missing or invalid)"
| stats count by error_msg
| sort count desc

Any help will be great.

Hello everyone, I have the following field and example value: sourcePort=514.000. I'd like to format these fields in such a way that only the first digits until the point are kept. Furthermore, this should only apply to a certain group of events (group one).

Basically:
before: sourcePort=514.000
after:  sourcePort=514

What I have until now:
search... | eval sourcePort=if(group=one, regex part, sourcePort)

The regex to match only the digits is ^\d{1,5}. However, I am unsure how to work with the regex and if it is even possible to achieve my goal using this. Thanks in advance.

Hi there, I am trying to ingest data which is stored within the profile of a user's AppData location: C:\Users\(User ID)\AppData\Local\UiPath\Logs but can't pull in any events. I've tried lots of different stanzas like
[monitor://C:\Users\DKX*\AppData\
[monitor://C:\Users\DKX$\AppData\
[monitor://C:\Users\...\AppData\
[monitor://C:\Users\%userprofile%\AppData\
Any idea why it isn't working? I know I've not added in all my stanza attempts, but could it be due to the Splunk service account not having access to that location?

Hello everyone, I am passing the dates as tokens but it shows the error in both conditions.
Cond1: | where (Date>="$date_start$" AND Date<="$date_end$")
Cond2: | where (Date>="2022-06-01" AND Date<="2022-06-02")
Please help.

Hi, I've been told that using field extractions on JSON is not best practice and that I should use calculated fields instead. In some cases that's easy and I can use replace or other methods to do that, but in some it is more difficult. I have some events giving me information about software versions. When I try to extract the version string as follows, I get the results for events containing this string. In all other cases I get the complete string instead. What I need is the matching string or nothing. I couldn't figure out how to do that.
replace(message, "^My Software Version (\S+).*", "\1")

I try to use macros to get external indexes in the child dataset VPN, but a search with tstats on this dataset doesn't work. Example of search:
| tstats values(sourcetype) as sourcetype from datamodel=authentication.authentication where nodename=authentication.VPN by nodename
But when I explicitly enumerate the indexes, then everything works! And it also works with macros when I use the search:
| from datamodel ...
What's the problem?

Hi, I am trying to create a metric from ADQL searches. However, when I create the metric, it keeps fluctuating between one and zero. However, when I see the same thing in ADQL searches I get some value (5 in this case, as you can see in the ADQL query screenshot).
Analytics ADQL query screenshot:
Analytics metric screenshot:
Am I going wrong somewhere? Thanking you in advance.

I have edited the Input.conf file as below.
[Bamboo://localhost:8085]
sourcetype = bamboo
interval = 60
server = http://localhost:8085
protocol = https
port = 8085
username = bamboo_user
password = bamboo_pwd
disabled = 0
Is the above file correct? Based on this, the HTTP Event Collector will generate the token in Splunk Web Enterprise, right?

Hello, my need is to use Splunk Enterprise to serve multiple client organizations using a single instance => multitenancy function use. I have some installed Splunk Apps using only one index and they manage the data coming from multiple clients; how can I separate them on the dashboard? How can I create role-based permissions per customer? Does Splunk Enterprise natively support the multitenancy function? How can I achieve my goal? Best, Yassine.

Hello. I have three lists of names of different technologies. I would like to put the technologies in a menu or multiselect so that when I select each technology it brings me the names of each one that is selected, for example:
My list is:
My multiselect input is:
When selecting each option, I would like it to show me all the users like the following table:
I tried doing the following:
| makeresults
| eval input = "$ms_Be1Voild$"
(This is the token of my multiselect input.)
| eval array = mvjoin(input, ",")
| fields array
But the result is the following: Active Directory,o365,Windows
Could anyone help me, please?

Hi, I'm currently working on a props.conf and have different values for _time and the timestamp in my logs. What did I do wrong? Thanks in advance.
2023-01-24T13:00:23+00:00 avx.local0.notice {"host":"xx-xx-xxxxx-xxxx-xxxxx-x-xx-000x-xxxxx-xxxx-xx.xxx.xxx.xxx","ident":"syslog","message":"xx:xx.xxxxxx+xx:xx xx-xx-xxxxxx-xxxx-xxxxxxx-x-xx-xxxx-xxxxx-hagw-xx.xxxx.xxx.xxxx
From the Splunk search the values are the following:
timestamp: 2023-01-24T13:00:19.141113233, _time: 2023-01-24T14:00:23.000+01:00
My props.conf is the following:
[s3:Test]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 26
TRUNCATE = 10000
SHOULD_LINEMERGE = false

The internal logs flow to the Splunk UI but the application logs are not flowing to the Splunk UI. We have a cluster with several different components. We are facing the above issue with only one of the components, although the Splunk configuration for all the components is the same except that the host differs.

Hello Community! I'm searching for a solution to highlight "HostC", which has an AppC failure and no further log entry that AppC is started again. How can I do this, regardless of which host this happens on? I saw a comment to create events for "app failure" and "app started" and then make a transaction, but is there another way too?
Sample data:
1.1.1970 08:00 HostA -
1.1.1970 08:00 HostB AppB=failure
1.1.1970 08:00 HostC AppC=failure
1.1.1970 09:00 HostA AppA=started
1.1.1970 09:00 HostB AppB=started
1.1.1970 09:00 HostC -
Thanks for your help, Rob

We're trying to integrate Splunk APM into a Python-based app, but the service doesn't appear in the APM list. The integration works locally, but not in the same service deployed in our Kubernetes cluster. We have added the following env variables into the deployment manifest of the application:
- name: SPLUNK_OTEL_AGENT
  valueFrom:
    fieldRef:
      fieldPath: status.hostIP
- name: OTEL_EXPORTER_OTLP_ENDPOINT
  value: "http://$(SPLUNK_OTEL_AGENT):4317"
- name: OTEL_SERVICE_NAME
  value: "my-app"
- name: OTEL_RESOURCE_ATTRIBUTES
  value: "deployment.environment=development"
We also tried to add these additional variables to try to send the data directly, but it still didn't work:
- name: SPLUNK_ACCESS_TOKEN
  value: "******"
- name: OTEL_TRACES_EXPORTER
  value: "jaeger-thrift-splunk"
- name: OTEL_EXPORTER_JAEGER_ENDPOINT
  value: "https://ingest.us1.signalfx.com/v2/trace"

A question: when we talk about correlation, is it necessarily because a query is being made in 2 or more sources? Or is it also considered correlation when certain criteria are searched in a source to try to find a possible event or security incident? For you, what is correlation in Splunk?

Hi, I have created multiselect dropdowns and when I try to make them dependent by passing the dropdown token, it doesn't show any value.
<form>
  <label>TEST- Multi Select with distinct value</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="flow">
      <label>Select Flow</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>FLOW</fieldForLabel>
      <fieldForValue>FLOW</fieldForValue>
      <search>
        <query>| loadjob savedsearch="Test_Data" | search adt="$adt$"</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <prefix>IN(</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="adt">
      <label>Select ADT</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>adt</fieldForLabel>
      <fieldForValue>adt</fieldForValue>
      <search>
        <query>| loadjob savedsearch="Test_Data" | search flow="$flow$"</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <prefix>IN(</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| loadjob savedsearch="Test_Data" | where FLOW $flow$ and adt $adt$ | table adt, FLOW, Date, NbRecordsOKFCR, CMTotal, NbRecordsOKCM, NBIntFile, NB1, NB2, NB3, NbErrorsCM, Alert | fields Date, adt, FLOW, CMTotal</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Hi, I need to create two dropdowns for dates where the user can manually select start_date and end_date. Based on that, the data will be filtered to show data between the two dates. Please help.

Hello, I am using 2 multiselect dropdowns. When on the default value 'ALL', it doesn't show any value in the table; after a selection it works. After "Open in Search", it shows "*" in the value.
| loadjob savedsearch="TEST" | where FLOW IN("*") and adt IN("*") | table adt, FLOW, Date | fields Date, adt, FLOW, CMTotal
------------------------------------------------------------------
Original query:
<form>
  <label>AAA_Test</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="flow">
      <label>Select Flow</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>FLOW</fieldForLabel>
      <fieldForValue>FLOW</fieldForValue>
      <search>
        <query>| loadjob savedsearch="TEST" | dedup FLOW</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <prefix>IN(</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <initialValue>*</initialValue>
    </input>
    <input type="multiselect" token="adt">
      <label>Select ADT</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>adt</fieldForLabel>
      <fieldForValue>adt</fieldForValue>
      <search>
        <query>| loadjob savedsearch="TEST" | dedup adt</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <prefix>IN(</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| loadjob savedsearch="TEST"
          | where FLOW $flow$ and adt $adt$
          | table adt, FLOW, Date, NbRecordsOKFCR, CMTotal, NbRecordsOKCM, NBIntFile, NB1, NB2, NB3, NbErrorsCM, Alert
          | fields Date, adt, FLOW, CMTotal</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Please suggest.

I'm using Ansible to try to configure Splunk Enterprise and, more specifically, I want to create a user for the Splunk add-on TA-jira-service-desk-simple-addon. However, I'm getting this error when trying to run my Ansible:
"Status code was -1 and not [200]: Connection failure: [Errno 104] Connection reset by peer"
Is this because I'm using a free trial for Splunk? I deployed Splunk using the Splunk Enterprise API on AWS and I can connect to Splunk Web no problem. Here's my Ansible playbook:
---
- name: Create Jira Service Desk User in Splunk
  hosts: splunk_sh
  gather_facts: false
  tasks:
    - name: Create user
      uri:
        url: "http://ec2-44-212-47-250.compute-1.amazonaws.com:8089/servicesNS/nobody/TA-jira-service-desk-simple-addon/ta_service_desk_simple_addon_account"
        method: POST
        user: "admin username"
        password: "admin password"
        body: "name=svc_jira&jira_url=test.url.com&username=test_username"
        status_code: 200
I redacted my admin username and password, but I tried using the URL above (which is the DNS name) and I tried using just the IPv4 address with port 8089 and the endpoint, and it gave me the same error. I made sure that port 8089 is also open on my AWS Security Group. What could be causing the issues?

I have a search along these lines:
"duration: " | rex field=host "(?P<host_type>[my_magic_regex])" | rex "duration: (?P<duration_seconds>[0-9]+)" | chart count by duration_seconds host_type limit=0 span=1.0
This is working exactly as expected. However, since I am doing count by ... for each host type, the histograms constructed for each host_type vary wildly. The lines have such a different scale that overlaying them on the same axis is worthless. I need to either
1. create a different chart for each host_type (and not worry about the actual value of count), or
2. normalize the y axis so that instead of the literal count, the max peak for all histograms is 1 (or 100 or whatever).
I think I'll need a foreach command somewhere, but I'm not sure what's the best route forward. Maybe there's a command similar to count that I should be using instead.