Hi Team, if the file is too old, e.g. the file was created in 2022 and there have been no further updates to the file, will events be visible for that source file in the index? This will be the first time ingestion into Splunk for the source file. If it can be read, what additional parameters should be applied?
I'm using DBConnect 3.11.0 and can't add or change the description of Inputs via the GUI. It appears that since I've upgraded from version 3.8 I can click inside the Textarea and the cursor is shown as normal, but no keystroke is taken and I can't even delete text out of it. As a workaround I'll use config explorer with debug/refresh, but I don't want to use it every time when creating the description for a new input or changing the description of an existing input. Is this a known issue? Does anyone else have this behavior too?
I'm trying to add a lookup to enrich results returned from a 'simple' search. The search command I'm using [and I have limited it to one key/value pair] is:

index=ee_commercialbankingeforms_pcf "*LEVEL=WARN*" | rex "^\S+\s(?<microService>\S+).*MESSAGE=(?<message>.+)" | bucket _time span=day | stats count by microService, message | lookup [ {JIRASummary: "No JWT found on UserPrincipal and no custom JWT claims configured. No nested JWT will be sent in downstream requests!", JIRA: "CBE-968"} ] JIRASummary AS message OUTPUT JIRA

...but I keep seeing the following error:

Error in 'SearchParser': Missing a search command before '{'. Error at position '192' of search query 'search index=ee_commercialbankingeforms_pcf "*LEVE...{snipped} {errorcontext = lookup [ {JIRASummar}'.

Can someone explain the error that I see? Regards, Mick
Splunk search events return JSON format log data. I want to remove a particular key:value pair since the value of this key is huge (in terms of length) and unnecessary. How can I do so? Sample log data:

{
  "abcd1": "asd",
  "abcd2": [],
  "abcd3": true,
  "toBeRemoved": [{
    "abcd8": 234,
    "abcd9": [{ "abcd10": "asd234" }],
    "abcd11": "asdasd"
  }],
  "abcd4": 324.234,
  "abcd5": "dfsad dfsdf",
  "abcd6": 0,
  "abcd7": "asfsdf"
}

The key:value pair to be removed has been marked in bold. ! NOTE THIS IS FORMATTED DATA, FIELDS CAN HAVE STRINGS, NUMBERS, BOTH, LISTS, ETC !
Hi, please let me know: I have 6 peer nodes, search factor 2, replication factor 3. What is the maximum number of nodes that can be down? And please tell me the references about it.
index=* ("ORC from FCS completed" OR "ORC from SDS completed." OR "ORC from ROUTER completed") namespace IN ("dk1692-b","dk1399-b","dk1371-b") | eval dk1692=if(searchmatch("\"ORC from ROUTER completed\" namespace=dk1692-b"),1,0) | eval dk1399=if(searchmatch("\"ORC from SDS completed\" namespace=dk1399-b"),1,0) | eval dk1371=if(searchmatch("\"ORC from FCS completed\" namespace=dk1371-b"),1,0) | stats sum(dk*) as dk* | search dk1692>90 OR dk1399>60 OR dk1371>60

I am getting the attached output.

Problem statement: I would like to set up an alert whenever a specific namespace **bleep** goes below its threshold, which is mentioned in the search query.
For ES, can someone recommend a threat intel feed of malicious IP addresses that contains the IP along with a reputation score / category? Most of the free IP-based feeds contain a list of IPs, but a lot of the IPs in the list are false positives.
Getting the below DB error in Splunk. Please help to fix this issue.

ERROR ChunkedExternProcessor [11770 ChunkedExternProcessorStderrLogger] - stderr: BrokenPipeError: [Errno 32] Broken pipe
Hello All, I'm new to Splunk. I wanted to move the app bar from the top to the left, and also change the icon position. Please guide me on how I can achieve this. My Splunk version is 8.0.5.
I'm going to upgrade Splunk Enterprise to version 8.2.10, as per the instructions at https://advisory.splunk.com/advisories/SVD-2023-0209. However, I can not find the download for version 8.2.10; it seems to have been removed from the previous releases. Any idea about this? Thanks!
I need a dropdown, and when I select one option only the related panels should display; all the other panels should not display. I have 7 panels (panel1, panel2 ... panel7), and I need to have one dropdown with 3 options (appID, appname, appdetails) in it.

If I select appID from the dropdown, 3 panels should display (panel1, panel2 and panel3).
If I select appname from the dropdown, 2 panels should display (panel4, panel5).
If I select appdetails from the dropdown, 2 panels should display (panel6, panel7).

Please help me on this.
index=cat

Name  Place      ID
jack  delhi      1
jill  melbourne  2

index=dog

Country    number
Australia  2
India      1

The ID field in cat and the number field in dog are the same. I need the below output:

Name  Place      ID  Country
jack  delhi      1   India
jill  melbourne  2   Australia
Hi,

We have a set of indexers with no public IPs behind an AWS NLB. We would like to use AWS certificates that terminate on the NLB. We have the ACM pem certificate and the CA (you can't get the private key). We tested it using OpenSSL and it is working using the CAfile.

How can I configure my UF to use SSL with only the destination pem and CAfile?

Thanks
How do I perform a Splunk search for a local account in the OpenStack tenant (and audit) logs? Thanks
Using Splunk Enterprise 8.2.5 and trying to match a string of repeating characters in my events. For example, from the log file I'm ingesting:

INFO - Service Started
DEBUG - Service suspended

So I was testing this as follows, but the field mylevel is not extracted:

| makeresults | eval msg="info"| rex field=msg "(?<mylevel>\w{4-5})" | table mylevel

This works though:

| makeresults | eval msg="info"| rex field=msg "(?<mylevel>(\w{4})|(\w{5}))" | table mylevel

What is incorrect/wrong with my usage of this?

\w{4-5}
Hi All, I have a couple of questions regarding embedded reports. I'm looking to use them to provide an iframe to teams that want to include the service status of IT systems in their pages (e.g. websites, Service Management tools, digital signage), so I'm looking to have one report, as it will cover all the requirements. I'm having two challenges though:

We are Splunk Cloud, and the 20-row table limit is a pain, as we have more than 20 IT Services. Does anyone know if this can be increased?

When you disable embedding and, after making a change, re-enable it, the URL is different. Does anyone know if you can stop this or map it to a friendly URL? If I'm going to provide it to multiple teams, it will be a pain to give them a new URL whenever we have to make a change.

Cheers in advance, Andy
Hello, I've seen in the documentation that default MetricsSets have a standard set of metrics, and that these include `workflows` metrics, for example those shown here in the above linked documentation:

I've searched metrics in our new Splunk Observability, and I don't see any workflows metrics. Is this normal? Is there anything I need to enable? I'm using an OpenTelemetry Jenkins plugin, and other metrics are being received, but I don't see any workflows metrics, even though other docs I've seen that use the same plugin seem to utilise these workflows metrics.
Greetings! We are trying to integrate Splunk Cloud with Flexera SaaS Manager. We looked directly in Flexera and there isn't a direct integration. Is there a way/process that we can follow to do the integration? Thanks in advance!
Hello Splunkers, I am trying to find the uptime of hosts by calculating the difference between the latest event for that host and the last time it booted. The following event describes that a particular host has been booted:

2023-02-24T08:58:38.796336-08:00 hostabc kernel: [ 0.000000] Linux version 5.15.0-58-generic (buildd@lcy02-amd64-101) (gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 (Ubuntu 5.15.0-58.64-generic 5.15.74)

The following event is the latest event of that host:

2023-02-24T14:04:51.115717-08:00 hostabc sssd_nss[248054]: Starting up

Firstly, I want to get the difference between 2023-02-24T14:04:51.115717-08:00 and 2023-02-24T08:58:38.796336-08:00.

Secondly, if the difference is greater than 60 minutes, create a new field called status and set it to down.

Thanks in advance
Does anyone know of a way that I can check if a system is reporting into my log server?