Hello, I'm looking to create a query that helps to search the following conditions. For example, get the address for 1. John from Spain, 2. Jane from London, 3. Terry from France. My current methodology is to run one query for each example:
index IN (sampleIndex) John AND Spain | stats name, country, address
After running the above query, I run the next example:
index IN (sampleIndex) Jane AND London | stats name, country, address
Running one query per example will become tedious if I have thousands of examples to go through. Is it possible to get some help creating a query that runs logic like the following?
index IN (sampleIndex) Jane AND London OR John AND Spain OR Terry AND France | stats name, country, address
Sorry if my question isn't clear.
Hi all, we are working on creating a dashboard for UF connection status using the phone home interval in the DS, using the search below. But when checking, a forwarder that phoned home to the DS in the last few seconds still shows as not connected in the list. Please let us know what needs to be changed in the search to get the exact result; the search was also running slowly.
index=_internal source=*metrics.log group=tcpin_connections earliest=-2d@d | eval Host=coalesce(hostname, sourceHost) | eval age=(now()-_time) | stats min(age) AS age max(_time) AS LastTime BY Host | convert ctime(LastTime) AS "Last Active On" | eval Status=if(age<1800,"Running","DOWN") | rename age AS Age | eval Age=tostring(Age,"duration") | sort Status | dedup Host | table Host Status Age "Last Active On" | where Status="DOWN"
Hello, I have a Dashboard Studio dashboard that uses a PNG image as a background image. The app I am working in and the dashboard itself are both set to allow read for everyone. When a user with the admin role loads the dashboard, everything is visible, but when a user with the user role loads the dashboard, the background image does not load. I have tried setting the image as a normal image rather than the background image, but it does not change anything. All non-image elements load without issue. Why can a user with the user role not see the images? Splunk version 8.2.6. Thank you and best regards, Andrew
Hi folks, I need a quick clarification: I need to know if, by using a whitelist in inputs.conf, I will save license the same way as with the drop-event configuration via props and transforms. Thanks in advance. Regards, Alessandro
I'm using version 3.10 of the DB Connect app, but on one of the heavy forwarders I'm getting the error below.
Invalid key in stanza [APP NAME] in /SPLUNK/splunk/etc/apps/CONNECTION_NAME/local/db_inputs.conf, line 235: checkpoint_key (value: 638de13816f31a4b64728e8c).
Is there any way to fix this?
We recently upgraded our cluster from Splunk 8.1.0.1 to Splunk 9.0.2, and the KV store on the SH cluster was manually upgraded to WiredTiger. We could see that the cluster manager and peer nodes were mostly upgraded to WiredTiger automatically; however, some indexer peers failed in this. Please find the related error messages from mongodb.log below. It's not clear why exactly this happened. Is there a manual way to recover and migrate?
---------------
2023-01-12T08:44:16.890Z I STORAGE [initandlisten] exception in initAndListen: Location28662: Cannot start server. Detected data files in /usr/local/akamai/splunk/var/lib/splunk/kvstore/mongo created by the 'mmapv1' storage engine, but the specified storage engine was 'wiredTiger'., terminating
2023-01-12T08:44:16.890Z I REPL [initandlisten] Stepping down the ReplicationCoordinator for shutdown, waitTime: 10000ms
2023-01-12T08:44:16.890Z I NETWORK [initandlisten] shutdown: going to close listening sockets...
2023-01-12T08:44:16.890Z I NETWORK [initandlisten] Shutting down the global connection pool
2023-01-12T08:44:16.890Z I - [initandlisten] Killing all operations for shutdown
2023-01-12T08:44:16.890Z I NETWORK [initandlisten] Shutting down the ReplicaSetMonitor
2023-01-12T08:44:16.890Z I CONTROL [initandlisten] Shutting down free monitoring
2023-01-12T08:44:16.890Z I FTDC [initandlisten] Shutting down full-time data capture
2023-01-12T08:44:16.890Z I STORAGE [initandlisten] Shutting down the HealthLog
2023-01-12T08:44:16.890Z I - [initandlisten] Dropping the scope cache for shutdown
2023-01-12T08:44:16.890Z I CONTROL [initandlisten] now exiting
2023-01-12T08:44:16.890Z I CONTROL [initandlisten] shutting down with code:100
---------------
Cluster details – Splunk multisite
-------------------------
4 SH (site1)
4 SH (site2)
11 IDX (site1)
11 IDX (site2)
Master1 (site1)
Master2 (standby at site2)
Hi, I'm looking for a rex sed command to extract the value from the field. E.g.: input field1 = d:\AppDynamics\machineagent\ver22.2.0.3282\bin\MachineAgentService.exe, output = ver22.2.0.3282. I need a valid sed command to filter the value: everything before the 3rd backslash and after the 4th backslash. E.g.: |rex field=version mode=sed "s/ /\*/g" Thanks, Babu
I have an issue with a red status: "The monitor input cannot produce data because splunkd's processing queues are full. This will be caused by inadequate indexing or forwarding rate, or a sudden burst of incoming data." I checked Indexing Performance: Instance and almost every field was at 100%, but when I check CPU used, memory used and license used there is a lot of space. So how can I find the issue, and can I fix this problem?
Hey people, I am trying to convert the execution time, which I get in ms, to duration format:
| rex "EXECUTION_TIME : (?<totalTime>[^ms]+)"
I also tried something like this:
| eval inSec = inMs / 1000 | fieldformat inSec = tostring(inSec, "duration")
but it is giving me a null value. Could you please help me out here?
Hey people, my requirement is as follows. I have extracted these columns from my data using the query:
my query | rex "filterExecutionTime=(?<FET>[^,]+)" | rex "ddbWriteExecutionTime=(?<ddbET>[^)]+)" | rex "EXECUTION_TIME : (?<totalTime>[^ ms]+)" | eval buildAndTearDowTime=(tonumber(FET)) + (tonumber(ddbET)) |table totalTime FET ddbET buildAndTearDownTime
I want to have buildAndTearDown as totalTime - (FET + ddbET). Once I have all three values required (FET, ddbET, buildAndTearDown), I want to put these values in a pie chart. Another question I have is why this statement, eval buildAndTearDowTime=(tonumber(FET)) + (tonumber(ddbET)), is giving me a null value. Thanks
index=servicenow assignment_group_name="security" status=* | stats count by number,status,group_name,created_on
The above query will produce the following: I need to calculate the number of days from the "created on" date shown above in the example to the current date. Any help with this is greatly appreciated.
/var/log VS /var/log/messages /var/log/auth.log /var/log/boot.log etc, etc, etc
I have these errors in my search; can you help me?
Unexpected status for to fetch REST endpoint uri=https://127.0.0.1:8089/services/licenser/licenses?count=0 from server=https://127.0.0.1:8089 - Forbidden
Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/licenser/licenses?count=0 from server https://127.0.0.1:8089. Check that the URI path provided exists in the REST API
The REST request on the endpoint URI /services/licenser/licenses?count=0 returned HTTP 'status not OK': code=403, Forbidden.
Hello, I'm hosting a Splunk Enterprise free trial on an AWS instance. I'd like to share this with some friends to practice with some Boss of the SOC data. How many people can access the Splunk Enterprise free trial at one time?
I'm hoping to get some help or direction. I have seen a few different forum posts where the search pulled how many concurrent sessions were happening at a time (a general count of sessions occurring at a given time). I somewhat get that done with this search:
index=main EventCode=4624 | eval Account=mvindex(Account_Name,1) | eventstats dc(host) AS Logins by Account | where Logins > 1 | timechart count(Logins) BY Account
I am hoping to pivot into a search with more detail, such as account login session duration and any overlap in sessions from unique hosts. The goal is to pinpoint potentially shared credentials for further investigation. I have played with transaction a bit, but can't seem to get it to work the way I need, and I have read many posts advising against this command due to resource usage. Any tips for a Splunk newb?
We just upgraded Splunk DB Connect from 3.9.0 to 3.11.0 on our Splunk Enterprise 9.0.3 heavy forwarder and are getting the warning "DBX cannot connect to task server". Port 9998 is free; nobody is listening on it. We have just updated Java 8 to Java 11. Rolling DB Connect back to 3.0.9 fixes the issue; DB Connect starts working again. Will appreciate any advice. Thank you!
Hello, I'm wondering if there is a possibility that it can be extracted with a variable for a mail form, since the client wants to see the disk health rule in which the problem is found. Thanks in advance.
I want to run this search, but I have to concatenate the string with a variable and it doesn't work:
| rest splunk_server=local /servicesNS/-/-/saved/searches | where match(search,"outputlookup\s.$lookup$")
Hi, not sure what the issue is. I got the solution from the other answers, but it's not working for me. I am getting data from the Splunk date picker and trying to calculate the number of days.
|addinfo | eval min=info_min_time, max=info_max_time | eval earliest=strftime(min,"%Y-%m-%d %H:%M:%S") | eval latest=strftime(max,"%Y-%m-%d %H:%M:%S") | eval duration = round((latest-earliest)/86400) |table latest, earliest, duration
Thanks
From here I need to extract the identification = MLAS, MLA, LAS and VAM. My sample logs:
[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&identification=MLAS&timeRange=EVERYDAY&timePeriod=MINUTES
[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&identification=MLA&timeRange=EVERYDAY&timePeriod=MINUTES
[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&identification=LAS&timeRange=EVERYDAY&timePeriod=MINUTES
[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&identification=VAM&timeRange=EVERYDAY&timePeriod=MINUTES
In my selected fields or interesting fields, the identification field should appear as below: MLAS MLA LAS VAM