All Topics
Can someone help me get the Splunk universal forwarder for AIX 5.3? Thanks!
My data looks something like this. The status can be either SUCCESS or FAILED; I want to count the total number of events that have status FAILED and status SUCCESS.

FYI: the status is not a direct field, I had to extract it by using

| rex "status=(?<Status>[^,]+)"
Hi all,

Last year, CrowdStrike announced they will be deprecating the following, and we are now in the last 30 days before this happens. The "GET /devices/entities/devices/v1" endpoint will be deprecated on February 9th 2023. The following applications will definitely be impacted (there may be others):

- CrowdStrike OAuth API
- CrowdStrike Falcon Devices Technical Add-On

Is there a plan in place to roll out updated CrowdStrike apps with the new endpoints?

Thanks!
Hello Splunkers,

I have an issue with a bar chart. I have a dashboard set to the dark theme. I am using Splunk 8.2.4 and SimpleXML. I create the chart from a search and convert it to a horizontal bar chart, and the bars are an OK color, blue, etc. But when I move the visualization into an existing dashboard set to the dark theme, the chart comes in as a nice orange color, then immediately switches to a gray color. The existing dashboard is from the Cisco Networks app. Any ideas on this?

Thanks so much,
eholz1
The event has a field:

{ ... some_field: { key1: value1 key2: value2 } ... }

How do I iterate over the values of the "some_field" field? For example, I need to get the max value. I need something like this:

... | eval filed_max_value=max(map_values(some_field))

For map_values I get this error:

Error in 'EvalCommand': The 'map_values' function is unsupported or undefined.

Could you also explain how to use the map_keys and map_values functions?
Hello,

I have a problem after upgrading Splunk from 8.1.7.1 to 9.0.2. The Splunk service starts the first time (after I run splunk start), and after a few seconds Splunk stops. Before, there was no such problem. In the Splunk logs I can't find a message that indicates the source of the problem. Here are the errors I found:

Is there anyone having the same problem as me? Thanks in advance.
Splunk version 9.0.0 on Windows servers.

Please allow me to preface this by saying yes, I GOOGLED this error, and yes, I did find some hits on this very Community site, though 6 years old, and yes, I did follow the many links to other links, which in turn led me to more orphaned threads, ha ha, hence deciding to make this fresh, more current post in which I hope we can present a solution.

File Integrity checks found 40 files that did not match the system-provided manifest. Review the list of problems reported by the InstalledFileHashChecker in splunkd.log File Integrity Check View; potentially restore files from installation media, change practices to avoid changing files, or work with support to identify the problem.

So if you click that link you get something like this:

List of installed files presenting integrity check failures
The table below shows files that were installed by the Splunk Enterprise package and have been improperly modified or are missing.
Search is completed

File path / Check result
C:\Program Files\Splunk\etc/apps/SplunkForwarder/default/app.conf   missing
C:\Program Files\Splunk\etc/apps/SplunkForwarder/default/default-mode.conf   missing
C:\Program Files\Splunk\etc/apps/SplunkForwarder/default/health.conf   missing
C:\Program Files\Splunk\etc/apps/SplunkForwarder/default/outputs.conf   missing
C:\Program Files\Splunk\etc/apps/SplunkForwarder/default/server.conf   missing
C:\Program Files\Splunk\etc/apps/SplunkForwarder/metadata/default.meta   missing
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/appserver/static/pages/jquery_scan.js   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/appserver/static/pages/python_scan.js   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/appserver/static/pages/setting.js   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/appserver/static/pages/setting_scan.js   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/appserver/static/pages/splunk9x_scan.js   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_app_list.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_check_mongodb_tls_dns_validation.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_check_search_peer_ssl_config.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_email_notification_switch_scripted_input.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_remote_latest_report.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_remote_scan_scripted_input.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_scan_apps.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_scan_deployment.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_scan_process.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_send_email.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_telemetry.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/jura_scan_process.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/jura_telemetry.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/pura_consts.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/pura_logger_manager.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/pura_skynet_log_manager.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/pura_utils.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/splunkbaseapps.csv   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/pura_consts.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/pura_logger_manager.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/pura_skynet_log_manager.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/pura_utils.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/splunkbaseapps.csv   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/pura_remote_latest_report.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/pura_telemetry.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/scan_process.py   differs
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/default/data/ui/nav/default.env_cloud.xml   missing
C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/default/data/ui/nav/default.xml   differs
C:\Program Files\Splunk\etc/system/local/README   missing
I have a lookup table with two columns. They are for source IP and destination IP addresses. I want to be able to search firewall traffic logs and filter out any source IP and destination IP combination from the results. The following query allows for excluding source_ip from the lookup table. How would I be able to exclude the source_ip and destination_ip combination?

index=firewall sourcetype=<source_type> NOT [ | inputlookup test.csv | table source_ip ] | table _time, source_ip, destination_ip, action, protocol

Thanks.
Some of my events are displaying UTC time while others display PST time, as they should, since I have my preferences set to PST. The UTC times are skewing my results. Is there a way to convert my results so that all events show UTC time, or at least have a variable, e.g. PST_time, which shows the UTC to PST conversion?
I'm trying to create a dashboard that displays the data for Splunk restarts. The current search I'm using is index="_audit", but this shows the number of times I've logged in instead of the number of times I've restarted.
Anyone know what's going on here? It won't let me delete a local user. I can see them in the UI, but cannot manage them. I tried to delete via the CLI and this is what I get:

$ sudo /opt/splunk/bin/splunk remove user test1
Attempted to delete a user that does not exist: test1
$ sudo /opt/splunk/bin/splunk list user | grep 'test1'
username:        test1
I have a bunch of indexes, but one in particular I want to keep smaller. How do I do this? From the docs it looks like this could work: adding maxTotalDataSizeMB to the index config? Anyone know for sure?

/opt/splunk/etc/master-apps/_cluster/local/indexes.conf:

[webapp1]
maxTotalDataSizeMB = <nonnegative integer>
* The maximum size of an index (in MB).
* If an index grows larger than the maximum size, the oldest data is frozen.
* This parameter only applies to hot, warm, and cold buckets. It does not apply to thawed buckets.
* CAUTION: This setting takes precedence over other settings like 'frozenTimePeriodInSecs' with regard.....
Hi Folks,

For the last couple of weeks we have observed an issue in our newly developed Splunk app (Radware Bot Risk Scanner). Our app schedules a saved search which runs every hour, extracts some data from indices and forwards it to a custom search command which we developed, which saves the result in result indices.

Flow: Splunk Search -> Custom Search Command (which performs a REST API call for each record) -> save result to new index.

Saved searches get stuck in the Running state. When I try to stop one manually, it goes to the Finalizing state, not the Done state. The ideal time for this saved search to finish is ~2 mins including all REST API calls, yet you can see it is often running for a very long time. Please refer to the attached screenshot.

I wanted to attach the search log as well but can't due to the message restriction. Any help or idea over here is very much appreciated, thanks in advance.

P.S.: A very important thing to notice is that if I run any job for any hour manually, I wasn't facing any issues at all.
Hi All,

I have a search with a subsearch that references a lookup file test.csv with a single field, "Account_Name". I want to remove names from the lookup table that meet a certain criteria. The search below currently gives the results that I want removed from the lookup file test.csv, but I cannot seem to figure out how to get the inverse of these results from the lookup file. I want everything in the lookup that does not match the result of the below query. Any advice?

For example, if the below search outputs Bob and the lookup contains Bob, Alice, and Dave, I would want my final results to be Alice and Dave to overwrite back into test.csv. That's my line of thinking at least; I could be approaching this in a bad way.

index=exampleindex EventCode=4722 | stats by Target_Account_Name | rename Target_Account_Name as Account_Name | search [inputlookup test.csv | table Account_Name] | table Account_Name
I am uploading DevOps scan results to Splunk, and these scans also have new results and some old flaws that are not remediated. How can I match events and return unique ones?

Example SPL:

index=demo sourcetype=demoscan | table date, aaa, ccc, xxx, yyy, zzz
I have read the documentation about breaker characters, but within our organization there is disagreement about when they actually come into play in the main search. The docs don't say anything about it either way, but some say we must use quotes around sourcetype, for example:

index=iis sourcetype="http_err_logs" status=500 ...etc

It goes without saying that they're needed within literal search phrases; the text of a specific error message, for example. But do they really also apply to comparisons for standard fields like index or sourcetype? As another example, we have sourcetypes with names like "WinEventLog:Application" and "WinEventLog:System", and some are saying that the colon becomes a breaker, which leads to a search of the entire raw event data. We also have index names with underscores, and so on. As a result, at this point we're playing it safe and quoting anything that has breaker characters, but is there any documentation that describes where they're actually applied or not?
I am trying to find a few strings in my search query and count occurrences of them, and I want to put them in a two-column table. I am able to do it with the stats command, but it comes out with the string as the column name and the count in the row below. Below is what I am using and what I am getting.

index=<index> <search String> "Failed" | stats count AS Failed count(eval(searchmatch("Failed Acknowledged"))) AS "Failed Acknowledged" count(eval(searchmatch("UnexpectedException Caught"))) AS "UnexpectedException Caught" count(eval(searchmatch("NonRetryableException Caught"))) AS "NonRetryableException Caught"

However, I want a result like below. Can anyone help? Thanks in advance.
I'm trying to identify all the dashboards broken from lookup files being deleted. But since there's way too many dashboards, is there any not-so-manual way to find out all the inconsistencies regarding lookup files without running the dashboards one by one?
Hello everyone,

I have the following results when running my search:

   _time                 user    connection
1  2023-01-09 20:36:04   john    Transport closing
2  2023-01-09 20:32:45   brian   DPD failure
3  2023-01-09 19:44:26   tom     assigned to session

Please, I want to configure an alert to send the _raw field by email to the specific user (by adding @Anonymous.com) every time it returns results from that user (ex. john@gmail.com, brian@gmail.com, tom@gmail.com).

Thank you in advance.
When I place event.code into an if statement, it will not evaluate as true.

Currently I have this code:

index = windows-security event.code IN (4624) | eval Success=if(event.code = "4624", 1, 0) | stats count by Success

Success always evaluates to 0. I have tried using:

match(event.code, "4624")
match(event.code, '4624')
match(event.code, ".+")
like(event.code, "4624")
like(event.code, '4624')

I even tried event.code = event.code. Always 0.