I'm trying to extract logname from the following. So the logname value would be message.log/bblog.log/api.log. Please note: when the timestamp date is between 10-31 there is no extra space, whereas when the timestamp date is a single digit, i.e. 1-9, there is an extra space at the beginning of the event. Ex:

<10>Jan<space><space>4 15:30:02
<10>Dec<space>31 15:30:02

Here are the sample events:

<10>Jan  4 15:30:02 a2222xyabcd031.xyz.com app1001-cc-NONPROD 2023-01-04 15:30:02 message.log INFORMATION apple:73 dev-banana_Guava-[Messaging.Security] [sys] [THE Outbound | outbound|] claimEligibility=false
<10>Jan  4 15:30:02 ia2222xyabcd031.xyz.com app1001-cc-NONPROD 2023-01-04 15:30:02 bblog.log INFORMATION apple:73 dev-banana_Guava-[Messaging.Security] [sys] [THE Outbound | outbound|] claimEligibility=false
<10>Dec 31 15:30:04 a2222xyabcd031.xyz.com app1001-cc-NONPROD 2023-01-04 15:30:04 api.log INFORMATION apple:73 dev-banana_Guava-[Messaging.Security] [sys] [THE Outbound | outbound|] claimEligibility=false
I'm creating a dashboard with the custom widget builder. I have no problem with this, but I notice that every day the graphs for all the applications I have stop graphing from 14:00 hrs until 20:00 hrs. In that time between 14:00 and 20:00 hrs every day the graphs don't show anything about the business transactions, which is not possible, because in the default dashboard the transactions are working. This happens with the 5 applications that I have configured on AppDynamics. How can I resolve this? I need to see information all day, all the time. Thank you for your answer.
Hi, I need to count how many times a webhook alert action is executed. The idea is to be able to control whether the alert was executed and then count it; if the count is greater than 5, don't send the alert again.
So, I'm pretty sure that I shouldn't be seeing these errors during an upgrade to 9.0.3. This should probably go into a bug report.

/opt/splunk/bin/splunk btool check --debug

1. Checking: /opt/splunk/etc/apps/search/local/alert_actions.conf
Invalid key in stanza [email] in /opt/splunk/etc/apps/search/local/alert_actions.conf, line 2: show_password (value: True).
Did you mean 'sendcsv'?
Did you mean 'sendpdf'?
Did you mean 'sendresults'?
Did you mean 'sslAltNameToCheck'?
Did you mean 'sslCommonNameToCheck'?
Did you mean 'sslVerifyServerCert'?
Did you mean 'sslVerifyServerName'?
Did you mean 'sslVersions'?
Did you mean 'subject'?
Did you mean 'subject.alert'?
Did you mean 'subject.report'?

2. Invalid key in stanza [instrumentation.usage.tlsBestPractices] in /opt/splunk/etc/apps/splunk_instrumentation/default/savedsearches.conf, line 451: | append [| rest /services/configs/conf-pythonSslClientConfig | eval sslVerifyServerCert (value: if(isnull(sslVerifyServerCert),"unset",sslVerifyServerCert), splunk_server=sha256(splunk_server) | stats values(eai:acl.app) as python_configuredApp values(sslVerifyServerCert) as python_sslVerifyServerCert by splunk_server | eval python_configuredSystem=if(python_configuredApp="system","true","false") | fields python_sslVerifyServerCert, splunk_server, python_configuredSystem] | append [| rest /services/configs/conf-web/settings | eval mgmtHostPort=if(isnull(mgmtHostPort),"unset",mgmtHostPort), splunk_server=sha256(splunk_server) | stats values(eai:acl.app) as fwdrMgmtHostPort_configuredApp values(mgmtHostPort) as fwdr_mgmtHostPort by splunk_server | eval fwdrMgmtHostPort_configuredSystem=if(fwdrMgmtHostPort_configuredApp="system","true","false") | fields fwdrMgmtHostPort_sslVerifyServerCert, splunk_server, fwdrMgmtHostPort_configuredSystem] | append [| rest /services/configs/conf-server/sslConfig | eval cliVerifyServerName=if(isnull(cliVerifyServerName),"feature",cliVerifyServerName), splunk_server=sha256(splunk_server) | stats values(cliVerifyServerName) as servername_cliVerifyServerName values(eai:acl.app) as servername_configuredApp by splunk_server | eval cli_configuredSystem=if(cli_configuredApp="system","true","false") | fields cli_sslVerifyServerCert, splunk_server, cli_configuredSystem]
Hello, I am using Splunk 9.0.0.1 and running btool to list out my index settings. The trouble is I only want one stanza, but btool treats the stanza name as a wildcard:

splunk btool --debug indexes list cisco

I get all stanzas with "cisco" in them (there are 51 of them, including "index=cisco"). How do I restrict this? I only want the "cisco" index. --jason
I'm trying to create a table to view hosts in multiple indexes, and report if they are returning data. For example:

Host    Index1    Index2    Index3
A       OK        OK
B                 OK        OK
C       OK                  OK

I've been using inputlookups to create a static list of hosts to reference, and appendcols to search indexes for the correct information. However, when used together the data isn't quite matching up like it does when I search separately. Any suggestions?
Hi, Is there any way to execute a linux query and fetch the results of it in the Splunk search board? Following this I have written a condition to send an alert based on the command output.
I have a RHEL5 instance running Universal Forwarder 7.0.3, currently sending logs to Splunk Enterprise. We are in the process of migrating to Splunk Cloud. Splunk Cloud doesn't accept <TLS 1.2 and I can't use HEC from the host because the TLS version is 1.0. As part of the solution, I came up with using an intermediate forwarder. This can forward the logs; however, what I am getting is all hex characters. Something like this:

\x00\x8F\x00\x00\x8Bo\xF5\x86\x84᜝h\xFCt5\xCB4T^\x9B\xBC\xE3c\xE6i\xD3\xA5\xCE/\x00\x00 \xC0,\xC00\xC0+\xC0/\xC0$\xC0(\xC0#\xC0'\x00\x9D\x00\x9C\x00<\xC0.\xC0-\xC0&\xC0%\x00\xFF\x00\x00A\x00 \x00\x00\x00

At some point, I also saw "--splunk-cooked-mode-v3--" in the logs. The inputs file for the intermediate forwarder is this:

[splunktcp://<Source IP>:<Port>]
index = <my index>
disabled = false

The output is just the standard HEC. The version of the universal forwarder that I am using is 9.0.3. The universal forwarder version of the source cannot be updated to the latest one, or any newer than that, since it is RHEL5. How can I see clean data instead of hex?
Hi, I would like to have the initial administrator setup and the controller's license URL/name/IP range, the controller user name and the access key to the controller, so I can launch the controller before we start to configure the agents with the controller. I have access [Redacted] to this URL, but I would like to configure the above-mentioned parts to get ready to access it. I have shared my screen; I don't see any Administration in the Settings options to set up users and roles. I have scheduled a support 1:1 call but no one has joined. It would be great if I get some guidance here. Regards, Raji

^ Post edited by @Ryan.Paredez to remove Controller URL/name. Please do not share Controller URL/Name on Community posts for security and privacy reasons.
We have several analysts in multiple locations that are working from the same Incident Review channel. After someone takes an event, how do I stop multiple analysts grabbing the same event? Thanks in advance.
Hi all. I have a folder with about 200 evtx files. The following command works for 1 file. How can I process/convert all of the evtx files to csv at once? Thanks.

Get-WinEvent -Path C:\somewhere\foo.evtx | Export-CSV C:\somewhere\foo.csv
Is there a way to search for updated DAT and AMCORE files in Splunk ?
We see that the following log lines are always split into multiple events. I've tried multiple variations of LINE_BREAKER, BREAK_ONLY_BEFORE and MUST_NOT_BREAK_AFTER but nothing worked. Does anyone know how I could go about this?

--------------------------------------------------
FlowFile Properties
Key: 'entryDate' Value: 'Wed Jan 04 16:14:58 UTC 2023'
Key: 'lineageStartDate' Value: 'Wed Jan 04 16:14:58 UTC 2023'
Key: 'fileSize' Value: '180'
FlowFile Attribute Map Content
--------------------------------------------------
Hi guys, I have a search for the host with check_id statuses:

index="..." exec_mode="..." host="..." check_id="..." | table check_id status

that returns a column with 'passed'/'failed' values. I'm looking for a solution for how to check the column for 'failed' statuses in it and merge all results based on this condition: if 'failed' in statuses then statuses='failed'.

Table:

check_id    status
check1      Passed
check1      Passed
check1      Failed
check1      Passed

Expected result:

check_id    status
check1      failed

Thank you in advance.
Hi, I want to create a line chart that contains values that come from an index, to see the data trend. Something like this:

|timechart span=10min avg(value) by id

Knowing that I have:
- An index, in which I have ids and their events (corresponding values)
- A lookup csv which contains the id and address

I want to filter the search by province (group by address), knowing that a province will have several ids. So, I created a dropdown in which I find all the provinces --> done. Next, I have to use the dropdown token to apply to the search, but I have no info on the province in the index. And the ids are displayed as below, which prevents me from appending the province to each id:

_time id1 id2 id3

Thanks for your help!
I am deploying the Splunk Windows TA to my UFs. My test case is UF 8.2.9 and Splunk_TA_windows 8.5. When I create inputs that have both renderXml=true and evt_resolve_ad_obj = 1, I am not receiving the SID translations. However, it works when sending back standard events instead of XML. Is evt_resolve_ad_obj not supported with renderXml? The documentation makes no mention of this. The "WinEventLog://Security" input has these settings applied, but the AD search results are not coming back for that input either. I found nothing in splunkd.log showing any errors. Here is an example I tried to build outside of the Security events. Again, evt_resolve_ad_obj works if I remove renderXml=true:

[WinEventLog://Microsoft-Windows-PushNotification-Platform/Operational]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = win
renderXml=true
Good day all, I am having some issues after upgrading from Splunk Enterprise version 9.0.0 to 9.0.3. When I log in to the deployment server and go to forwarder management, none of my data sources are listed and the page is all blank white with nothing on it. I ensured the deployment server was enabled, checked the firewalls (which were ok), restarted Splunk and ensured Splunk was running, which it was. Now I am unable to log into the deployment server at all, and it gives the following errors and messages:

Failed to contact license manager: reason='Unable to connect to license manager=https://hostname:8089 Error connecting: Connection refused'
Guys and gals, let me start off by saying that my Search Game is weak, lol. In version 9.0.0 on a Winderz platform I was in Settings \ Monitoring Console \ Forwarders: Deployment and under the Status and Configuration section I clicked the Sherlock Holmes round glass thingie to Open in Search. So far so good. I then made a few tiny mods to the Search and got the results I needed, then I clicked on Save As \ New Dashboard, and this is where things get interesting: after saving my Dashboard I can't find it; it went into some black hole I guess? Now I ain't totally dumb, so I bookmarked that page first, but that is the only way I can get back to my Dashboard. So where did it get saved? I did see in the address bar that it's under the App https://MyClusterMaster.MyDomain.net:8000/en-US/app/splunk_monitoring_console/version_900_servers